Android Phones - The New Corporate Espionage Tool

Alcatel-Lucent’s Kindsight subsidiary has released figures that show an increase in malicious software (malware) used by hackers to gain access to devices for corporate espionage, spying on individuals, theft of personal information, generating spam, denial of service attacks on business and governments and millions of dollars in fraudulent banking and advertising scams.

“Malware and cybersecurity threats continue to be a growing problem for home networks and mobile devices, particularly for Android smartphones and tablets which are increasingly targeted,” said Kevin McNamee, security architect and director of Alcatel-Lucent’s Kindsight Security Labs.

“A third of the top 15 security threats are now spyware related, up from only two spyware instances the last quarter,” said McNamee. “MobileSpy and FlexiSpy were already in the top 15 list, but SpyBubble moved up to take the 4th spot, while SpyMob and PhoneRecon appeared for the first time, ranking 5th and 7th respectively.

“Mobile spyware in the BYOD context poses a threat to enterprises because it can be installed surreptitiously on an employee’s phone and used for industrial or corporate espionage.”

McNamee said it is “surprisingly easy” to add a command and control interface to allow the attacker to control the device remotely, activating the phone’s camera and microphone without the user’s knowledge.

“This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device – all without the user’s knowledge.

“The mobile phone is a fully functional network device. When connected to the company’s Wi-Fi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets. (more)

Security Directors: FREE Security White Paper - "Surreptitious Workplace Recording ...and what you can do about it."  

Mobile Security Apps Perform Dismally Against Spyware

via Josh Kirschner at Techlicious...

Mobile spyware can have a devastating effect on your life; the constant fear that a spouse, significant other or even employer is following your every move, knows everything about your life and has completely removed any vestige of privacy...

And spyware is not as rare as you may think. According to mobile security company Lookout, .24% of Android phones they scanned in the U.S. had surveillance-ware installed intended to target a specific individual. Sophos reports a similar .2% infection rate from spyware. If those numbers hold true for Android users in general, that would mean tens of thousands could be infected.

I set out to test the leading Android anti-malware vendors to see how they fared at protecting us against the threat of spyware...

The results, generally speaking, were dismal. Of twelve products I tested, none was able to detect more than two-thirds of the samples. Many missed half or more of the spyware apps. And, surprisingly, the potential spyware apps least likely to be detected were those widely available in Google Play. (more)

Josh did an excellent job researching this topic and we thank him for publicly exposing the flaws. 

Now, what can be done about really detecting spyware?

Murray Associates was approached by two clients several years ago who had come to the same conclusion as Josh via their own research. They asked us to develop a solution – based on the following conditions:
  1. The solution must make quick and reasonable spyware evaluations. 
  2. No special forensic tools should be required. 
  3. No special skills should be necessary.
  4. No assistance should be necessary once the initial training is over. The phone owner must be able to conduct the test him- or herself—anytime, anyplace.
  5. Advancements in spyware software and cell phone hardware should not render the test ineffective.

The results of this project are published in the book, "Is My Cell Phone Bugged?", and are used in SpyWarn 2.0, a unique Android spyware detection app.

Security Alert: 'Master key' to Android Phones Uncovered

If exploited, the bug would give attackers access to almost any Android phone.

A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

Upon hearing the bad news Android wets itself.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox's discovery...

The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves. (more)

The race is on between Google and The Cyber-thieves. We'll keep you posted. ~Kevin

The VD of Apple iOS Devices - Unsafe Charging

Using the bogus charger, a team from Georgia Institute of Technology managed to infect a phone with a virus in less than a minute.  

Any device using Apple's iOS operating system would be as vulnerable to infection, claim the trio. More details of their work will be given at the upcoming Black Hat USA hacker conference. (more)

But this will not surprise our regular Security Scrapbook readers... "Joseph Mlodzianowski and Robert Rowley, built a juice jacking kiosk at Defcon 2011 to educate the masses about the risks associated with blindly plugging in mobile devices." (more)

The Ratters - men who spy on women through their webcams

The woman is visible from thousands of miles away on a hacker's computer.  

The hacker has infected her machine with a remote administration tool (RAT) that gives him access to the woman's screen, to her webcam, to her files, to her microphone. He watches her and the baby through a small control window open on his Windows PC, then he decides to have a little fun...

Women who have this done to them, especially when the spying escalates into blackmail, report feeling paranoia. One woman targeted by the California "sextortionist" Luis Mijangos wouldn't leave her dorm room for a week after Mijangos turned her laptop into a sophisticated bugging device. Mijangos began taunting her with information gleaned from offline conversations...

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter... (more) (sing-a-long)

That's "old news".
The story really begins here...
The hack follows the path of most hacks. It started as a challenge, became video voyeurism, and evolved into blackmail. Hackers eventually smell money in their hacks. 

While you read about "ratters" today, today's hacker-criminals are sniffing in deep pockets - businesses. Eavesdropping on corporate meetings and watching executive computer screens makes more sense financially. Next year the media will be printing stories about that. Meanwhile, you have them scooped.

Q. So, why don't we notice?
A. “The more cameras we see in our environment, the less we see them.” 

When electronic cameras were new, you noticed them. Now they are everywhere. You pay no attention. The same is true with microphones. The weird logic continues... If one isn't noticing cameras and microphones, one tends to either think they don't exist, or are not being manipulated as surveillance devices.

Many business executives know better. They know the reality of business espionage and electronic surveillance. Their mental Achilles Heel... If you don't see where your stolen conversations, strategies, ideas, etc. are going, well they are probably not going anywhere. Think of that the next time you go car shopping, and they all look like Tesla's... or vice versa. Then, call me.

Cautionary Tale - Unsafe Sex, USB Style

Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team.

Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to the organization's newsletter... (more) 

(reiteration time) - "If you are not sure where it has been, don't stick it in." 
~ Kevin

One in Four Android Apps Pose "High Risk" to Security

Almost 25 percent of Android apps feature code that can access application permissions and cause security vulnerabilities, according to a new study by mobile security firm TrustGo.

Of the 2.3m Android apps analysed by TrustGo in the fourth quarter of 2012, 511,000 were identified as high risk, defined as being able to make unauthorised payments, steal data or modify user settings.

Not all of the apps are universally available. For example, just 10 percent of apps in the US and Western Europe had a high risk for causing security issues. While China was reported to have the most high risk apps available for download. (more)

See Two App Store Icons on Your Phone? Beware.

New spyware Trojan – Android.DDoS.1.origin – silently takes over your phone.
 
via Dr. Web...
Android.DDoS.1.origin creates an application icon, similar to that of Google Play. If the user decides to use the fake icon to access Google Play, (Google Play) will be launched, which significantly reduces the risk of any suspicion.

When launched, the Trojan tries to connect to a remote server and, if successful, it transmits the phone number of the compromised device to criminals and then waits for further SMS commands...

Activities of the Trojan can lower performance of the infected handset and affect the well-being of its owner, as access to the Internet and SMS are chargeable services. Should the device send messages to premium numbers, malicious activities will cost the user even more.

It is not quite clear yet how the Trojan spreads but most probably criminals employ social engineering tricks and disguise the malware as a legitimate application from Google. (more)

Android Virus Uses Your Phone to Spread Spam

Android smartphone users alert...
Spammed text messages have begun circulating that can infect your handset, causing it to continually send virulent text messages to thousands of live phone numbers each day.

That discovery comes as hackers continue to probe the Android platform, in particular, for security holes with no slowdown expected in 2013...

Messaging security firm Cloudmark Research recently discovered a virulent spam campaign that is sending text messages to Android users offering free versions of Need for Speed Most Wanted, Angry Birds Star Wars, Grand Theft Auto and other popular games.

By installing the free app, the user actually downloads a hidden program connecting their handset to a command and control server in Hong Kong, says Cloudmark researcher Andrew Conway. The Hong Kong server next sends the handset a list of 50 phone numbers, copies of viral messages and instructions to begin sending the messages to each of the numbers. (more)

Result...
If victims don't have an unlimited texting plan, the next phone bill could be a whopper because each infected phone can blast thousands of viral text messages a day.

Security Flaw – Samsung Handsets & Tablets

A suspected fault in Samsung's implementation of the Android kernel could result in malicious apps gaining control over user devices... 

"You should be very afraid of this exploit -- any app can use it to gain root without asking and without any permissions on a vulnerable device," the forum use wrote. "Let's hope for some fixes ASAP."...affected devices include the Samsung Galaxy S2, Samsung Galaxy Note 2, Samsung Galaxy Note 10.1 and Samsung Galaxy Tab Plus.

The community says that it has informed Samsung of the flaw, and so we can hope a fix will soon be issued if the claims ring true. With so many apps floating around the Internet, the Android operating system has become an increasing target for hackers, who can slip malicious code into seemingly innocent applications which end up stealing data or taking control of your device.

As malicious apps begin to send unauthorized premium-rate SMS messages and steal user bank data, keeping our devices secure is now just as important as being careful when we surf the web on our desktops. (more)

How to secure your Android phone - 14 Tips

via Gary Sims, Spybusters and SpyWarn...
Tip #1 – Never leave your phone laying around where uninvited guests can access it.
Tip #2 – Use a lock screen.
Tip #3 – Set a PIN to protect purchases on Google Play.
Tip #4 – Install a phone location app / security app with an anti-theft component.
Tip #5 – Don’t install apps from dodgy third party sites.
Tip #6 – Always read the reviews of apps before installing them.
Tip #7 – Check the permissions. Does the "game" really need to send SMS messages?
Tip #8 – Never follow links in unsolicited emails or text messages to install an app.
Tip #9 – Use an anti-virus / anti-malware app.
Tip #10 – Don’t root your phone unless absolutely necessary.
Tip #11 – If your device has valuable data on it, use encryption.
Tip #12 – Use a VPN on unsecured Wi-Fi connection.
Tip #13 – Read "Is My Cell Phone Bugged?"
Tip #14 – Use SpyWarn (freemium) periodically to help determine if your phone has been infected with spyware.
(more)

Cyber Espionage Infographic

Click or download to enlarge.

Infographic courtesy F-Secure

Government Strength Mobile Spyware

In the secretive world of surveillance technology, he goes just by his initials: MJM. His mystique is such that other security professionals avoid using wireless Internet near him...

MJM -- Martin J. Muench -- is the developer of Andover, U.K.-based Gamma Group’s FinFisher intrusion software, which he sells to police and spy agencies around the world for monitoring computers and smartphones to intercept Skype calls, peer through Web cameras and record keystrokes...

Of Gamma’s products, FinFisher has become the flashpoint. It represents the leading edge of a largely unregulated trade in cybertools that is transforming surveillance, making it more intrusive as it reaches across borders and spies into peoples’ digital devices, whether in their living rooms or back pockets...

...researchers including Claudio Guarnieri of Boston-based security risk-assessment company Rapid7; Bill Marczak, a computer science doctoral candidate at the University of California Berkeley; and Marquis-Boire, whose day job is working as a security engineer at Google Inc., found computers that appeared to be command servers for FinSpy in at least 15 countries.

They also documented FinSpy’s ability to take over mobile phones -- turning on microphones, tracking locations and monitoring e-mails...


On Oct. 12, U.S. law enforcement officials warned smartphone users to protect themselves against FinFisher, calling it malware, or malicious software.

“FinFisher is a spyware capable of taking over the components of a mobile device,” the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and National White Collar Crime Center, said in a Website alert to the public. “FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.”

FinSpy Mobile can infect almost every kind of device, including Apple Inc.’s iPhones and smartphones running Google’s Android or Microsoft Corp.’s Windows systems, according to a pamphlet Muench provides. (more)

FBI Issues Warning Regarding Android Malware

The FBI's Internet Crime Complaint Center has issued a warning alerting users about malware that targets the Android mobile operating system. 

The intelligence note from the IC3 was issued last week, and highlighted on Monday by Apple 2.0. It noted there are various forms of malware out in the wild that attack Android devices.

Two forms of malware cited byt he IC3 are Loozfon, which steals information from users, and FinFisher, which can give nefarious hackers control over a user's device. 

Loozfon can lure in victims by promising users a work-at-home opportunity in exchange for sending out an e-mail. Visiting a link in the e-mail will push Loozfon to the user's device, allowing the malware to steal contact details from the device's address book.

The FinFisher spyware highlighted by the IC3 allows for a mobile device to be remotely controlled and monitored from anywhere. FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update. (more)

Experimental App Sends 3D Photos of Your Office to Spies, Your Home to Burglars*

via MIT Technology Review...
...smartphones are increasingly targeted by malware designed to exploit this newfound power. Examples include software that listens for spoken credit card numbers (Soundminer malware) or uses the on-board accelerometers to monitor credit card details entered as keystrokes (steal keystrokes).

Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information. (It even turns of the shutter noise when taking photos.)

Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system. (more)

* Just two scary imagined use for this app.
Want to know more?
We've got their paper right here. 

Mobile malware up 2,180% - Threats to mobile devices rocket and set to rise further.

Between Q1 2011 and Q2 2012 ABI Research found that unique malware variants grew by 2,180 percent reaching 17,439. 

And these threats are set to increase significantly.

"With the increasing popularity of smartphones, mobile threats are on the rise. This has implications for security at the corporate level as well as for individual privacy," says Michela Menting, senior cyber security analyst. 

"The mobile application security market is rife with vendors offering their wares. The priority now for end-users is understanding the issue at hand and finding the right offering that best suits their needs," said Menting. (more) (SpyWarn)

Outrageous - Anyone else would have landed in prison.

Companies agree to stop spying, taking secret photos on rented home computers
 

The US Federal Trade Commission has reached a settlement with seven computer rental companies and a software firm over what the agency said was flagrant computer spying on customers of the rental stores.

In a statement Wednesday, the FTC said that DesignerWare LLC and seven rent-to-own computer stores agreed to cease using malware-like monitoring software to track rental PCs and from using information gathered by the spying software for debt collection purposes.

According to the FTC, the software captured screenshots of confidential and personal information, logged users' keystrokes, and in some cases took "webcam pictures of people in their homes, all without notice to, or consent from, the consumers."

The settlement stems from what an FTC complaint (PDF link) says was a years-long campaign of electronic spying by PC rent-to-own firms against customers using PC Rental Agent, a remote monitoring application made and marketed by DesignerWare that can disable or remotely wipe a rented computer, but also monitored a user’s online activity and physical location using a feature called "Detective Mode." (more) (sing-a-long)


P.S. It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.

Security Alert: Conference room reservation system - Arrive® InfoPoint™

Affected Murray Associates clients can receive special attention due to our working relationship with DigitalSecurus.

DigitalSecurus has discovered that some touch screen smart devices for conference rooms have arrived in the United States infected with a computer virus/malware (malicious software).

The infection was discovered during a recent investigation into suspicious activity on a network belonging to a DigitalSecurus client. Further analysis in a lab environment by DigitalSecurus revealed a variant of the malware known as “Downadup/Conficker” virus in unopened InfoPoint AI-101 touch screen computers. DigitalSecurus contacted the manufacturer of the device, Arrive Systems, and has been working with them closely to investigate the circumstances surrounding the infection.

This malware is particularly dangerous to a network environment as it will attempt to spread itself to other computers. The virus also attempts to communicate with unauthorized computers on the Internet, possibly allowing unauthorized access to corporate files and other sensitive data.

The infection appears to have been installed onto the devices prior to shipping into the United States...

Companies using the InfoPoint AI-101 devices are advised to consider removing them from their network until they can be properly analyzed, made harmless, and patched with software updates. For further instructions on specific steps that can be taken users are encouraged to contact the manufacturer, Arrive Systems, at this link.

DigitalSecurus is an Alaskan based network security consulting firm that provides computer security consulting, analysis, forensics, security training, and computer incident response to corporations and organizations in the United States.

DIY - Android Cell Phone Spyware Kit Coming Soon

Android continues to prove irresistible to the hacker community, which seems intent on finding ever newer, more innovative ways to exploit security holes in the open source mobile platform.

Now a new threat to Android may be on the horizon: A pair of security researchers are planning to make public next month a modular, open source framework called AFE (Android Framework for Exploitation) that bad guys can use to build and tailor Android malware to suit their tastes...

With AFE, according to the duo's description, a hacker can quickly cobble together malware capable of at least 20 different feats, including retrieving a user's call logs, contact information, and the content of his or her mailbox; swiping SD card contents; sending text messages; viewing browsing habits; recording phone conversations; capturing images with the affected device's camera; running root exploits; accessing the device's GPS location; and remotely dialing any number from the hijacked device.

In addition, the duo have created templates to mask the malware as legitimate apps such as File Explorer, Tic Tac Toe, and a jokes app. Users of the framework can add their own.

"For a basic effort at writing malware, that's not even really trying hard, you can make $10,000 a month," Gupta told SC Magazine. (more)  

...and for the price of a book it can all be thwarted.

Few CPR Their Firmware Against Printer Hack Attacks

Despite staged malware attack seven months ago, one in four HP laser jet printers still have default password settings.

Using freely available information and a budget of $2,000 (£1,280), professor Salvatore Stolfo and researcher Ang Cui from Columbia University's appropriately named Intrusion Detection System Laboratory used the printer's remote firmware update to install potentially crippling malware that could even be targeted to destroy the device itself. 

While HP did challenge what turned out to be aspects of the way the demonstration was reported, the company took the conclusions seriously, acting quickly and with "diligence" to issue more than 56 firmware updates.

However, seven months later... only 1–2% (of printers connected to the Internet) have been updated. Of those, one in four is still using default password settings for printer updates.

...other brands may be just as vulnerable...

The key flaw comes because printers now have capabilities that let them receive documents from the cloud – in effect, emails. 

...perhaps the "the safest bet is just not to be connected to the internet in the first place." (more)