09.06.2011,

Author:  Eddy Willems

Mobile Payments, DroidDream and a Reactive Policy Add up to Major Headaches

Malware writers are entrepreneurs who are always looking for the best return on investment. The Android operating system, combined with the Google Wallet Service, will offer a record-setting ROI if current policies continue. Let’s look at why.

According to Gartner and IDC, Android is the market leader in mobile operating systems, so it is logical that cyber criminals will target the platform. Android malware can easily be spread through apps, which makes it an attractive target. Not only did the beginning of 2011 see the emergence of this trend, but soon Android will take the lead as the most targeted mobile operating systems in terms of malware.

A lot of problems result from the fact that apps can be distributed via different online shops and channels. And nobody, except for security experts, is looking for malware inside the apps.

The first proof of the official Android Market being interesting for cybercriminals was reported in March 2011, called DroidDream, a family of malware which uses a pair of exploits to gain root access on vulnerable Android devices. A large number of Android applications was reported to be infected and all were pulled from the Android Market after it was reported to Google. All of the applications were versions of legitimate programs that were Trojan-ised and rebuilt by the malware authors, loaded with malicious code. DroidDream sends a collection of information like IMEI, IMSI, OS version, etc. to the attacker and then attempts to download additional software and payloads.

So, Google took a couple of actions to remove, not prevent. They pushed out an “Android Market Security Tool March 2011”, specifically for DroidDream. Unfortunately, a Trojan-ised version of it soon popped up in various markets. They remotely uninstalled the malicious apps from some infected devices and suspended the developers in question as well as removing the malicious apps from the Android Market. All solid reactive steps.

Fast-forward several weeks, and we see a new DroidDream version hit the Android Market, again in a variety of re-packaged legitimate apps. Thousands of Android users downloaded infected applications from the official Android Market, again. The malware was found in about two dozen applications that Google has since removed from its mobile app store. It appears Google is not actively looking for malware inside the applications in the Android Market.

A reactive policy from Google, combined with the incredible growth in Android use and attractive Google Wallet Service will make you *smart* from your phone (def., to cause a sharp, usually superficial, stinging pain).

 

What can you do if you own an Android device and how can you protect your device?

Security layer 1: Install security software
Customers should install security software such as G Data MobileSecurity.

Security layer 2: App awareness
While apps from the official Android Market have been compromised, it is still the safer bet than other app listings around the Internet. Within the markets, read the reviews and comments, keep yourself informed. The Android Market also displays the permissions the app would like to obtain to function. Evaluate if you want to assign these permissions asked for. Security software like G Data MobileSecurity for Android can discloses these permissions even after the installation.

Security layer 3: Physical protection
Never leave your smartphone unattended and protect the phone from unauthorized access by setting a password – in case you lose your smartphone, the finder cannot easily access all your data. Use the lock functions built-in to Android devices, such as passwords and PIN codes as well as enhanced gesture-based screen lock.
(Settings > Location and Security > Set up screen lock)

Security layer 4: Protect the account data
It is vitally important to protect your Gmail account data. It pays off in many ways: To secure the telephone, the emails, the contact data stored online, etc.
A Gmail account is the core for the smartphone user. By knowing the log-in credentials it is possible to install software on the phone, without the need of physical contact between the phone and a computer. Example: On the one hand, this remote installation possibility is a plus for users who lost a smartphone – they can install a tool to determine the phone’s geo-location, but, on the other hand, someone with a certain degree of criminal energy can use the same feature to spy on the phone user.

Furthermore, it is obviously very important to protect the login credentials to other services and accounts like e.g. Facebook, Twitter, mail accounts, etc. also. Do not provide these credentials in every app that possibly asks for it – remember to be cautious regarding the apps’ permissions.



The G Data SecurityLabs will soon publish more details about recent findings. So stay tuned to this blog!

Search