Tag archive: Vanja Svajcer

So Much For Bouncer: New Android Malware Uses Facebook To Spread


Even though Google recently introduced Bouncer, a system that scans apps submitted to the Android Market for malicious code, crafty spammers and fraudsters are still finding ways around it to get their software onto users’ phones. The latest example is a malware program disguised, innocuously, as an Android app called “any_name.apk.” And it appears to be spreading through Facebook profiles viewed from Android phones.

The software was discovered by security firm Sophos, which came across it after a researcher received a Facebook friend request. When checking out the requester’s profile, the researcher, Vanja Svajcer, found a link on the profile page that, when clicked on an Android phone, sent the browser to a webpage that immediately started downloading an unknown application to the device.

The download started immediately, with no prompt or input from the end user. Svajcer doesn’t mention this in his analysis, but for a package fetched from outside the Google Android Market to be installed at all, the phone’s default settings must have been changed: Android ships with the “Unknown sources” setting switched off, which blocks installation of apps from anywhere other than the official Market. Many savvy Android users switch it on because they enjoy the freedom Android gives them to discover apps from alternative app stores and download locations, like the treasure trove that is the XDA Developers forum. Even with that setting enabled, Android’s package installer still lists the permissions the app requests and waits for the user to tap Install, so the automatic part here is the download; the install still depended on a user who didn’t look closely at what the package was asking for.

Unfortunately, malware like this is the nasty side effect, and there’s nothing Bouncer can do about it: Bouncer vets apps submitted to the Android Market, and this package never went near the Market. Nothing about the link’s URL suggested an APK file; it looked like an ordinary website address, and it was placed in the user’s About Me section on Facebook, as if it were a link to that person’s homepage.

Of course, many folks would simply ignore a friend request from someone they didn’t know, but curiosity often gets the better of us. (Do I know them? Did we meet at some point, and I forgot?) One errant click, and oops, you’re infected.

In this particular case, the malware appears to be designed to earn money for fraudsters through premium rate phone services, a scam that is most common outside the U.S. The app silently sends text messages from the victim’s phone to premium rate numbers (numbers that charge the sender for each message); the scammers, who operate those numbers, collect the charges from the victims’ phone bills.

The app attempts to associate itself with the Opera browser, and an encrypted configuration file contains the dialing codes for every supported country in which the premium rate numbers are hosted.

As a side note: a few days later, the researcher visited the same URL and was redirected to an all-new website, where another APK file was automatically downloaded (hilariously called “allnew.apk”). This one was functionally similar but different at the binary level, indicating a new variant of the same malware; a simple hash-based signature for the first sample would miss the second.

Maybe it’s time for Android’s Bouncer guy to get pre-installed on handsets, too?


Google Adds A New Security Layer To The Android Market… A “Bouncer,” If You Will


Android malware has been an issue over the past year. Granted, most of the numbers we see from security software companies are inflated: they count malicious apps from third-party sources and ignore how few downloads many of them get. But that’s not to say we can just brush that dirt off our shoulders.

Google knows this, and has for a while. Even though downloads of malicious apps fell 40 percent between the first and second half of 2011, seeing that 14,000, 30,000, or even 260,000 devices have been affected by one malicious app or another requires action. So Google is adding a new security layer to the Android Market, codenamed Bouncer.

Before Bouncer, Android relied on three mechanisms against malware: sandboxing, permissions, and removal of malicious apps from the Market. Sandboxing isolates each app’s process and data from every other app, with one very important exception: permissions, which are the deliberate holes in that wall, granting an app access to resources such as SMS, contacts, or the network. Google sees its permissions system as a layer of security in and of itself, but permissions can also be seen as a vulnerability. The user is asked to approve them once, at install time; the reasons a developer asks for a given permission aren’t always obvious, and checking every one is tough, especially for a novice user.
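The premium rate SMS trojan described above needs a recognisable set of permissions (send texts, read the carrier’s replies, reach the network, start at boot), which is exactly the kind of thing a user skimming the install screen misses. The following is an added example, not code from the article, Sophos, or Google: a small triage script that reads a decoded AndroidManifest.xml and scores that permission pattern. It assumes the manifest has already been decoded from the APK’s binary XML to plain XML (as apktool does); the sample manifest, package name and label are constructed for this example.

```python
"""Flag the permission pattern a premium-rate SMS trojan needs.

Added example (not from the article, Sophos, or Google). Assumes the
AndroidManifest.xml has already been decoded to plain XML, e.g. with
apktool. The SAMPLE_MANIFEST below is constructed for this example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # Clark notation for android:name

# SEND_SMS is mandatory for the fraud; the others let the app hide the
# carrier's billing replies, fetch its number list, and survive reboots.
SMS_FRAUD_PATTERN = {
    "required": {"android.permission.SEND_SMS"},
    "supporting": {
        "android.permission.RECEIVE_SMS",            # intercept carrier replies
        "android.permission.READ_SMS",
        "android.permission.INTERNET",               # fetch config / report back
        "android.permission.RECEIVE_BOOT_COMPLETED", # persistence
    },
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def sms_fraud_score(perms: set[str]) -> tuple[int, list[str]]:
    """0 if SEND_SMS is absent; otherwise 1 plus the supporting permissions found."""
    if not SMS_FRAUD_PATTERN["required"] <= perms:
        return 0, []
    hits = sorted(perms & SMS_FRAUD_PATTERN["supporting"])
    return 1 + len(hits), hits


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Summarise a manifest and decide whether it deserves a manual look."""
    perms = declared_permissions(manifest_xml)
    score, hits = sms_fraud_score(perms)
    return {
        "permissions": sorted(perms),
        "score": score,
        "supporting_hits": hits,
        "suspicious": score >= threshold,
    }


# Constructed manifest: a "browser" that asks for SMS and boot permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.anyname">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Browser">
        <activity android:name=".Main"/>
    </application>
</manifest>
"""

# Constructed benign manifest: a browser that only wants the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Browser"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

The score is deliberately crude: it answers “does this app have what a premium SMS scam needs?”, not “is this app malicious?”. A legitimate messaging app hits the same pattern, which is why the result is a prompt for manual review rather than a verdict, the same split between automated flagging and human confirmation the article describes for Bouncer.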

Beyond that, Google has always been good about removing malware from the Market as soon as the company becomes aware of it, and in some cases has even remotely removed malicious apps from affected devices. That tool is useful, to say the least, but it isn’t enough.

Bouncer adds another layer, automatically scanning new and existing apps for known malicious code. Google has been scanning the Market whenever new malicious code was discovered, but Bouncer automates the process and also looks for known spyware and trojans. It runs every new application on Google’s cloud infrastructure, simulating how it would behave on a device, so Google can see straight away whether an app misbehaves and flag it accordingly. The usual caveat for sandbox-based analysis applies: an app that stays on its best behaviour while it detects it is running in an emulator, or that only fetches its malicious component after it has been approved, won’t be caught by this stage alone.

Another smart feature is that Bouncer isn’t 100 percent automated: once something is flagged, a manual review confirms that the app is indeed malicious, reducing the risk of false positives.

To be quite honest, the Android platform is far more secure than most people think. I spoke with Android VP of engineering Hiroshi Lockheimer, and he seems to feel the same way. “There’s this impression that Android is a huge target for malware, and I really don’t think that’s the case,” said Lockheimer. Google polices the Market, scans for known malicious code (though most apps flagged in the past were reported by users), and is quick to act when an issue pops up. But where the platform has fallen short, in one respect, is the developer registration process.

Becoming an Android developer is as easy as pie. I actually did it myself just to see how easy it is, and it literally takes five minutes and $25. After clicking accept a few times, you’re good to go. In fact, developers can register under pseudonyms if they’d like.

From a certain perspective, this is amazing. It allows young entrepreneurs to offer a product to millions of users for a very low cost, lowering the bar for developers who can’t afford to jump through Apple’s hoops. At the same time, it makes it easy for malware writers to get the ball rolling.

Sophos blogger Vanja Svajcer said it best:

The requirements for becoming an Android developer that can publish apps to the Android Market are far too relaxed. The cost of becoming a developer and being banned by Google is much lower than the money that can be earned by publishing malicious apps. The attacks on the Android Market will continue as long as the developer requirements stay too relaxed.

With Bouncer, Google is recognizing this issue without making things difficult on developers. Devs will still be able to submit an app and see it in search results within minutes — Bouncer’s scanning process only takes seconds — and they’ll still be able to register for $25 and a few clicks on “Accept.”

But… now that Bouncer is in place, previous offenders will have a much more difficult time sneaking back on to the platform by registering under a new name. According to Google’s blog post, the search giant will be “analyzing new developer accounts to help prevent malicious and repeat-offending developers from coming back.”

This is what I believe will make the biggest difference when it comes to the threat of Android malware, and I’m more than thrilled that the company is making it a priority moving forward.
