From the GTC ‘Android’ archives

WeatherFist

Friday, August 13th, 2010

A.Fister.a(drs)

Affected Operating Systems: Android
Aliases: WeatherFist
Discovery Date: 2010-03-10
Overview: Proof-of-concept botnet application affecting Android
Detailed Information: WeatherFist was a proof-of-concept application developed as part of the MOBOTS presentation at the 2010 RSA Security conference. Researchers attempted to determine whether the typical “phone home” characteristics of a botnet-infected device would be able to function on the Android and iPhone platforms. In doing so, the researchers developed a “weather” application that, instead of using a zip code for location, sent the device’s GPS location back to the “weather” servers. This capability illustrated that applications on the Android and iPhone platforms are certainly able to communicate with 3rd party servers, provided either the users accept the permission for the application to do so or the developers slip the code past the App Store review process.
The proof-of-concept revealed that there were nearly 700 unique Android downloads and 7,700 unique iPhone downloads of the application. The proof-of-concept applications that were publicly distributed did not collect any type of personal data, nor did they allow any type of remote access or command and control functionality that is common among botnets. The research team did, however, develop an additional application, named “WeatherFistBadMonkey”, that did contain the same command and control functionality as a regular botnet. Again, this version of the proof-of-concept was never publicly released.
WeatherFist was not, in any way, a trojan or backdoor application and it could easily be deleted from the device by normal means.
Detection and Removal: Detected and removed with SMobile VirusGuard virus definitions from 2010-03-10

Filed Under: Android, Threats

GPS Spy

Tuesday, August 10th, 2010

A.GpsSpy.a(drs)

Affected Operating Systems: Android
Aliases: Tap Snake / GPS Spy
Discovery Date: 2010-07-21
Overview: GPS Spy is Android spyware disguised as a “snake” game
Detailed Information: GPS Spy comes in two separate pieces, both of which are needed for the spyware functionality to work correctly. On the victim’s device, the attacker would download and install the “Tap Snake” game either from the Android Market or by ADB push to the device. Once installed, the first execution of the “Tap Snake” game would provide the attacker with the configuration interface necessary to set up the credentials that will be used to access the GPS location data, which is sent to an offsite webserver every 15 minutes. Every subsequent execution of the “Tap Snake” application would look and feel exactly like a snake game that the user would play, without knowing that the application is gathering and transmitting their current location every 15 minutes. Details of the “Tap Snake” game are available here.
On the attacker’s device, the attacker would simply download and install the “GPS Spy” application. Once installed, executing the “GPS Spy” application and entering the corresponding credentials will allow the GPS Spy application to sync up with the location servers, where the attacker can track the movements of the victim’s handset over a 24-hour period. The GPS Spy application portion of the spyware costs $4.99. Details of the “GPS Spy” application can be found here.
Detection and Removal: Detected and removed with SMobile VirusGuard virus definitions from 2010-07-21

Filed Under: Android, Threats

SpyBubble

Wednesday, April 21st, 2010
Spybubble
Affected Operating Systems: Android, BlackBerry
Aliases:
Discovery Date: 2010-02-24
Overview: SpyBubble is a spyware application that affects Android and BlackBerry platforms
Detailed Information: SpyBubble is a spyware application that affects Android and BlackBerry platforms.  SpyBubble must be installed manually, therefore an attacker must gain physical access to the intended target device.  SpyBubble offers the following capabilities:
  • Call Monitoring
  • SMS/MMS Monitoring
  • GPS Location Monitoring

For Android, SpyBubble comes in the form of bubb.apk and is installed on the device as com.spybubble. SpyBubble successfully hides itself from casual detection by an unsuspecting user by not placing an application icon in the application drawer.

For BlackBerry, SpyBubble arrives as a .zip file that contains the following files:

  • bubb.cod
  • bubb.jad

SpyBubble installs as “bubb” on BlackBerry devices.  As with Android, SpyBubble for BlackBerry successfully hides itself from detection by not supplying an application icon to the user.

Detection and Removal: Detected and removed with SMobile VirusGuard virus definitions from 2010-02-24

Filed Under: Android, Blackberry, Threats

MobiStealth

Wednesday, April 21st, 2010
MobiStealth
Affected Operating Systems: Android, BlackBerry
Aliases:
Discovery Date: 2010-01-13
Overview: MobiStealth is a spyware application for Android and BlackBerry platforms
Detailed Information: MobiStealth is a spyware application that currently runs on Android and BlackBerry devices.  MobiStealth has the ability to completely hide itself from detection by the intended user.  MobiStealth has the following capabilities:
  • Call Recording
  • Call History
  • Call Duration
  • On Demand Surround Recording
  • Location History
  • On Demand Location Information
  • Alternative Location Retrieval Method
  • Email Logging
  • Web History
  • Bookmarks
  • Picture Logging
  • Video Logging
  • Contact Details
  • Text Message / SMS Logging
  • Reverse Phone Lookup
  • SIM Change Notification (Only Applicable to GSM Phones)
  • Encrypted Communication
  • Phone Wipe

For Android, MobiStealth arrives as mobistealth.apk and installs on the device as EmailClient. MobiStealth hides itself from detection by the intended target in that no application icon is visible in the application drawer on the device. However, viewing the list of installed applications through Settings > Applications > Manage applications will reveal the existence of the EmailClient application.

For BlackBerry, MobiStealth arrives as a .zip file that contains the following files:

  • EmailClient.cod
  • EmailClient-1.cod
  • mmv2.jad

Once installed, MobiStealth exists on the device as EmailClient and does not offer an application icon as it is completely hidden from the user. MobiStealth can only be installed on a target device with physical access.

Detection and Removal: Detected and removed with SMobile VirusGuard virus definitions from 2010-01-13
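
One way to triage a device's app inventory for the no-icon hiding behaviour described in the SpyBubble and MobiStealth entries. This is an added example, not SMobile's code; the pipe-delimited inventory format, the `App` fields and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Names taken from the entries above; everything else here is an assumption.
KNOWN_PACKAGES = {"com.spybubble"}   # SpyBubble's installed package name
KNOWN_LABELS = {"emailclient"}       # MobiStealth's installed application label

@dataclass(frozen=True)
class App:
    package: str
    label: str
    system: bool         # preinstalled system app
    launcher_icon: bool  # shows an icon in the application drawer

def parse_inventory(text):
    """Parse 'package | label | system | launcher_icon' lines (hypothetical export)."""
    apps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"malformed inventory line: {line!r}")
        package, label, system, icon = fields
        apps.append(App(package, label, system == "yes", icon == "yes"))
    return apps

def triage(apps):
    """Return {package: [reasons]} for apps that deserve a manual look."""
    findings = {}
    for app in apps:
        reasons = []
        if app.package.lower() in KNOWN_PACKAGES:
            reasons.append("package name listed in SpyBubble entry")
        if app.label.lower() in KNOWN_LABELS:
            reasons.append("label matches MobiStealth's EmailClient")
        if not app.system and not app.launcher_icon:
            reasons.append("user-installed app with no drawer icon")
        if reasons:
            findings[app.package] = reasons
    return findings

# Constructed sample inventory (not real device output).
SAMPLE = """
com.android.providers.contacts | Contacts Storage | yes | no
com.example.notes | Notes | no | yes
com.spybubble | Service | no | no
com.example.placeholder.mail | EmailClient | no | no
"""
FINDINGS = triage(parse_inventory(SAMPLE))
```

System components without a drawer icon are normal, which is why the generic rule only fires for user-installed apps; a hit is a prompt to check Settings > Applications > Manage applications, not a verdict.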

Filed Under: Android, Blackberry, Threats

SMobile GTC Sees Android Malware Coming

Friday, March 12th, 2010

Open source versus closed source. It’s a discussion that often leads to heated arguments and one that will likely continue well beyond its usefulness. The discussion began before many of us realized there would need to be terms such as “malware” and the often incorrectly used “hacker”. Regardless of what side of the discussion you come down on, the term Android has not helped to lessen the intensity of the debate. Since Google released the first Smartphone operating system that was supposed to be completely open source, the debate between BlackBerry, Windows Mobile, iPhone and Symbian users continues to get louder.

Whether you’re new to the Smartphone revolution or are an Android convert from some other platform, there is a reason that you chose Android. Some wanted to break the stuffy business-like feel of the BlackBerry. Others were excited about the possibilities that an operating system built on a Linux kernel with incredible customization capabilities brings. Some wanted something that was friendlier or easier to use than Windows Mobile or their Symbian device. Then there are the ones that just want to be anti-Apple. There are just as many anti-everything-Apple people as there are Apple “fanboys” in the world. There are also those that just got a deal from their provider that they couldn’t refuse. Regardless of the reason, Android’s market share is growing….

To continue reading, download the full Android Malware Whitepaper

Android Malware Whitepaper (PDF)

Filed Under: Android, Feature, GTC Blog

Android Security Chief: Mobile-phone Attacks Coming

Wednesday, August 12th, 2009

Robert McMillan
PC World

As smartphones become more popular, they’re going to get some unwanted attention from criminals, Google’s head of Android security said Wednesday.

“The smartphone OS will become a major security target,” said Android Security Leader Rich Cannings, speaking at the Usenix Security Symposium. Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger. “Personally I think this will become an epiphany to malware authors,” he said.

Microsoft’s Windows operating system is the prime target of criminal attacks today, and hackers have generally steered clear of mobile devices. Security experts say that this is because mobile phones haven’t traditionally stored a lot of sensitive data, and because there are so many different devices to attack, it’s hard to create a single virus that can infect a large number of users.

Filed Under: Android, News