Workers Reluctant to Follow Company BYOD Policy

Even at companies with BYOD (bring-your-own-device) policies, users may still be reluctant to officially register their tablets and smartphones with IT, instead preferring to covertly access the network. That’s according to a new study that shows employees are concerned about losing their personal data if they officially register their devices with the IT organization at their company. To ensure compliance with policies, managed services providers (MSPs) may need to win over the employees of small and mid-sized businesses (SMBs) with promises to protect personal data.

Aruba Networks, Inc. (ARUN) conducted the survey of more than 3,000 employees around the world. American respondents, specifically, fear the loss of personal data more than respondents in other regions of the world, the study revealed. Around 66 percent of American respondents claimed that they fear the loss of data, compared to the 45 percent of Europeans and 40 percent of Middle Easterners who felt the same.

More than 50 percent of Americans said their IT department takes no steps to ensure the security of corporate files and applications on their personal devices, a concern that has forced many employees to keep personal devices away from IT departments. Seventeen percent of Americans have not told their employers that they use a personal device for work. If you think that’s frightening, keep reading.

Eleven percent of American respondents said they would not report a compromised device, while 36 percent said they would not report leaked data immediately.

According to the survey, these numbers come from a distrust of IT departments and employee fear about what IT may do with personal data. Forty-five percent of respondents in the United States worry about their IT department’s access to personal data.

Should MSPs include policies and guarantees to customers’ employees on personal data?

There need to be incentives from the company to persuade employees to follow BYOD policy.  Furthermore, there must be a culture of transparency and trust from IT to help calm the fears workers have.

Our Mobile Device Management (MDM) solutions allow our technicians and engineers to monitor and manage the mobile device, but they do not have access to personal items such as text messages or pictures.  If there is ever a question of what we can or cannot do, we give the client a complete tour of our MDM platform.

The importance of a highly secure IT environment coupled with the lack of adherence of workers to BYOD policies gives rise to major concerns.  Companies of all sizes need to rethink their policies and procedures regarding BYOD.  Also, ensure the MSP or IT provider is trustworthy and operates in complete transparency.  The goal is to protect your company, your IT environment, your customers and your employees.

Companies, especially small businesses, that ignore BYOD are playing Russian roulette.  Every day, workers are using secure business networks to do things on their mobile devices which are highly unsecured and dangerous to the IT environment.  For some verticals, such as healthcare, these oversights can lead to a breach and bring disastrous implications.

Want to have a discussion about protecting your business and your employees?  Give us a call to find out how we can help.

Serious Android Flaw Could Turn Mobile Apps Malicious

A weakness in the Android security model that validates mobile applications could be used by an attacker to turn a legitimate Android app into a dangerous attack platform, according to a security firm that discovered the vulnerability.

The weakness, discovered by San Francisco-based mobile security startup Bluebox Security, was reported to Google (NSDQ:GOOG) and has been corrected, but the firm said millions of Android devices remain vulnerable. The flaw enables an attacker to bypass the Google Play security mechanism designed to review changes to applications before they are sent to users.

Bluebox Chief Technology Officer Jeff Forristal will present the details of the vulnerability later this month at the 2013 Black Hat conference in Las Vegas.

The Android flaw, which has been in the firmware since 2009, enables an attacker to modify the mobile application code without breaking its cryptographic signature, wrote Forristal. In an alert to Android owners last week, Forristal said application changes could be made without being noticed by the app store, device or end user.

“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” Forristal wrote.

Digital signatures are used by both Google and Apple to determine the validity of a mobile application. The flaw enables the digital signature to remain intact even if modifications are made, Forristal said. Bluebox showed a screenshot of an HTC device showing how the manufacturer’s software can be modified to access all permissions on the device.

An attacker can program a legitimate app to make phone calls and record them, send text messages or turn on the camera. “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Forristal wrote.

Millions of mobile phones could continue to be at risk because security updates pushed out by Google must go to individual handset makers before being pushed out to device owners through their mobile carrier.

Breaking or cheating the cryptographic signature used to validate applications is a potentially serious issue, opening up device owners to a wealth of serious problems, said Cameron Camp, a security researcher at Bratislava, Slovakia-based antivirus vendor ESET. Code signing and application isolation or sandboxing are among the security measures used to make mobile devices safer.

“If you can break the crypto or cheat the crypto into thinking it’s something that it’s not then that is a dangerous problem,” Camp said.

Google did not respond to a request from CRN for comment. The company has reportedly updated its official app store, Google Play, to thwart attempts to cheat the app verification process. But Camp said mobile malware writers bypass Google altogether, getting malicious applications onto devices by using third-party app stores.

Android malware has increased significantly, with more than 92 percent of mobile malware targeting the platform, according to Juniper Networks (NSDQ:JNPR), which released its annual mobile threat report last week. Other reports found a precipitous increase in mobile attacks targeting Android devices. Google has been adding improvements, Camp said, including the addition of Bouncer, a malware scanner that vets apps before they are officially released to Android device owners.

“There are still an awful lot of apps to be analyzing on a daily basis, so determining with any degree of assurance that no malicious code out there is going to be difficult,” Camp said.

Originally posted here: http://www.crn.com/news/security/240157895/serious-android-flaw-could-turn-mobile-apps-malicious.htm?cid=nl_sec

Apple Users Beware: Phishing Sites Are After Account Credentials

It’s not a surprising finding and one that experts have been predicting, but data being collected by antivirus vendors is revealing a rising number of threats targeting Apple (NSDQ:AAPL) users. While malware growth is relatively flat, phishing sites designed to trick users into giving up their account credentials are on the rise.

Threat detection data collected by Kaspersky Lab shows a significant increase in phishing sites attempting to trick users into giving up their Apple account credentials, according to Nadezhda Demidova, who recently provided analysis of the Apple phishing threat data. Apple iCloud and iTunes accounts can be lucrative to cybercriminals, Demidova said.

In addition to information stored in the Apple account, “many malicious users go further and try to steal the bank card details used to pay for those purchases,” Demidova wrote.

Phishing attacks targeting Apple users increased from 1,000 detections per day on average in 2011 to about 200,000 detections per day today, according to the Kaspersky Lab data. Many of the sites attempt to mirror the official Apple store or an official-looking Apple credential reset page. A user who doesn’t pay attention to the location of the Web page can easily be tricked into giving up information.

Fake Apple.com phishing sites rose and declined throughout the year, but some significant surges can be traced to Apple events. Demidova noted that some of the surges in phishing can be attributed to iTunes store unveilings in Russia and more than 50 other countries in 2012.

The Mac malware threat, meanwhile, remains low. Only 2.5 percent of threats encountered by Mac users were written specifically for Macs, according to statistics from Symantec (NSDQ:SYMC). The latest Threat Report from McAfee supports Symantec’s findings and noted that malware growth was flat throughout much of 2012, with no growth in the first quarter of 2013.

Much of the Apple malware being detected stems from attack toolkits that continue to use the Flashback Trojan, which was behind an advertising click fraud campaign that targeted a Java error to infect Macs. Statistics vary but most experts say that Flashback infected about 600,000 Macs. Flashback may have served as a wake-up call to Apple users that they are not immune to malware attacks despite the lower risk of infection.

Graham Cluley, a U.K.-based security expert, said Mac threats are lower in number but include many of the standard problems encountered by PC users. Fake antivirus software has been configured to target both Mac and PC users and malicious software also targets browser components regardless of the platform the user is running, Cluley told CRN.

“I think you would be very foolish to not run an antivirus on your Mac,” Cluley said. “Mac malware in the last couple of years has moved from being experimental to having clearly been built with financial and spying motivations.”

Originally posted here: http://www.crn.com/news/security/240157681/apple-users-beware-phishing-sites-are-after-account-credentials.htm?cid=nl_sec