Video Screencast Help
Security Response
Showing posts tagged with Android
Showing posts in English
Val S | 23 May 2012 23:08:34 GMT

Contributor: Branko Spasojevic

A recent post on Pastebin revealed that a simple command can provide root access to the ZTE Score mobile device. This escalation of privilege can give you full control of a ZTE Score M phone running Android 2.3.4 (Gingerbread). We analyzed both the MetroPCS and Cricket Wireless versions of the device and we were able to reproduce the privilege escalation.

The Android security model sandboxes applications so they cannot interact with other applications nor directly perform system level commands without specific authorization preventing undesired affects. The privilege escalation allows one to bypass the default Android security model and run any code on the device and make any modifications unchecked.

The privilege escalation was not a bug in code on the device, but instead likely a design feature for carrier administration purposes or troubleshooting. Unfortunately, irrespective of the reason this code was included, by...

Irfan Asrar | 24 Apr 2012 18:18:20 GMT

When pop icon Björk, in an interview with the press, invited hackers and pirates to adapt her app from iOS to other platforms, it seems that some people who rose to the call had a hidden agenda in mind: to distribute malware. The evil twin routine, where an author creates a malicious doppelganger or pirated version of a popular app, seems to be the in vogue scam of late when it comes to malware for Android.

Last week, authors in Eastern Europe were targeting the Instagram and Angry Birds fanbase with a fake apps (detected by Symantec as Android.Opfake) which resulted in premium SMS text charges. The authors even went to the extent of creating a dummy site to make the scam appear more...

Joji Hamada | 16 Apr 2012 07:36:33 GMT

Over the past week or so, there has been an ongoing discussion on the Internet about some Android applications that looked suspicious. Most of the apps were supposedly designed to mimic popular games in Japan or play a video in relation to the game. However, users who installed the apps questioned their legitimacy.

Symantec has so far identified 29 apps belonging to seven developers with these characteristics and has confirmed they are malicious. The apps share common programming code so we can assume it is a sole individual or an organization who is committing the crime. The very first app we confirmed appeared on Google Play around February 10 and more followed until late March. Originally the apps posted were not game related, but were random ones including apps of an erotic nature, a contact management app, a recipe app, and a diet assistant app to name a few. But the number of downloads were low. Then in late March, a bunch of apps with names ending in “the Movie...

Irfan Asrar | 28 Mar 2012 02:31:21 GMT

It was only a few weeks ago that concerns were raised about the lack of restrictions on photo access on the Android platform. That is, no permissions were required to read an image file, which could lead to privacy leaks from unwitting users installing apps with malicious intent. It seems that a new variant of Android.Oneclickfraud identified in the wild proves that these concerns should not be underestimated.

As previously described, this type of fraud is an extortion scam that uses pornography to lure users into downloading a smart phone app. Once installed, the app harvests personal information and then opens a Web page. This page displays a fake registration, containing the harvested personal...

Irfan Asrar | 27 Feb 2012 19:33:30 GMT

When you know that the goal of a piece of code is to ultimately result in monetary gain for the author, analysis becomes a lot easier; it is a matter of just putting the pieces together until you can figure out how the payload is translated into tangible value. But take away the monetary gain element and, even if you are able to find out what makes something tick in minute detail, you are never quite sure what the final intent of the author was.

However, in the case of Android.Moghava, while there appears to be no monetary gain involved, I would describe it as a juvenile stunt with slight overtones of political satire.

From our analysis of an Iranian recipe app infected with this threat (distributed from a third party and not the Android market), the malware is embedded as an additional package called Moghava. Moghava in Farsi translates as “cardboard...

Joji Hamada | 10 Feb 2012 18:48:23 GMT

We have continued monitoring the massive campaign involving SMS Fraud on the mobile platform for a while now as new activities are constantly taking place. New domains are created practically every day and new variants are being released consistently. Most activities are not really noteworthy. However, we did discuss a recent development of interest regarding the APK malware using server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worthy of a mention in order to warn people about the new activity.

A little while back, a fake Android Market was developed that hosted various Apps that were ultimately malware. As you can see below, the page looks slightly different from the official Android Market.

...
Cathal Mullaney | 08 Feb 2012 21:14:37 GMT

Thanks to Eric Chien for his assistance with this research.

Introduction

We recently came across a new piece of Android malware, first highlighted by NC State’s Xuxian Jiang, and began investigating the command-and-control (C&C) servers associated with the threat. The malware was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application.

Analysis of these servers indicate the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands. The number of infected devices able to generate revenue on any...

Symantec Security Response | 01 Feb 2012 23:53:57 GMT

For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.

The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family.

Opfake...

Fred Gutierrez | 24 Jan 2012 19:11:40 GMT

Contributor: Masaki Suenaga

We certainly are! It is American football season and the Super Bowl is right around the corner. Apparently, so are the malware authors. It would not be the first time they took advantage of this sporting event. Back in 2007, the Dolphins (hosts for Super Bowl XLI) had their website compromised by links to malicious JavaScript. Several visitors looking up Super Bowl information on this site were hit with an exploit pack designed to attack their Web browsers and install hidden malware. Taking a page out of their playbook, Android malware authors this season bring us a fake version of the popular gaming franchise, Madden NFL 12. Being over 5 MB in size, it certainly looks like a game worth trying! Once installed, it will even display the following icon:

After the user launches the app, there is, unfortunately, no...

Joji Hamada | 12 Jan 2012 22:10:29 GMT

During the summer of 2011, one-click fraud targeting smartphones was discovered. One-click fraud has now become so common that doing a quick search for certain keywords on the Internet using a smartphone leads to a high possibility of coming across one of the scam sites. The typical attack simply attempts to trick users into registering for a paid service. Details of the users and their phones are displayed on the page in an attempt to convince them that the site owners may take legal actions if the user does not pay them a certain amount of money.  There were no malicious files involved. More details are available in this blog.

Now, in 2012, one-click fraud for smartphones has evolved  and begun to use applications.  File usage for the fraud is common on the Windows platform and has been used for years.  When users attempt to view a video on a computer, they...