
Trusteer: Mobile Malware, Why Fraudsters Are Two Steps Ahead

July 2011 by Trusteer

Bad news: fraudsters have all the tools they need to turn mobile malware into the biggest customer security problem we've ever seen. They are lacking just one thing: customer adoption. The number of users who bank online from their mobile devices is still relatively low. Additionally, many banks' websites do not yet enable transactions from mobile devices. Since online fraud is mostly a numbers game, attacking mobile bankers is not yet an effective fraud operation. But expect a change. A year from now this is all going to look completely different, as more users start banking from their mobile phones and fraudsters release their heavy guns. Trusteer has just released figures predicting that within 12 to 24 months over 1 in 20 (5.6%) of all Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.

Fraudster’s Heaven: Google Android

Android's security architecture is not currently up to the challenge. This shows mainly in how easy it is to build powerful fraudulent applications and how easy it is to distribute them. Fraudsters can easily build applications that have access to sensitive operating system resources such as text messages, voice, web traffic, and more. Users installing these applications do get a screen listing the resources the app requests access to, but they usually ignore it, since many legitimate applications also request access to an extensive list of resources. Building a powerful fraudulent Android application that steals and abuses your identity and your bank account is almost trivial. Distributing these applications on the Android Market is even more trivial: there are no real controls around the submission process that could identify malicious applications and prevent them from being published. Compared to Apple's App Store, the Android Market is the Wild West. You can't always trust applications you download from it.
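The permission list is the one signal the user is shown at install time, and the one signal a market reviewer could check automatically. The following is an added example, not Trusteer's code and not Google's review tooling: it parses an AndroidManifest.xml and reports the capabilities a MitMo-style app needs (an SMS receiver that outranks the messaging app, SMS read access plus network access, SMS sending). The risk groupings, the priority threshold and both sample manifests (package names included) are constructed for the example.

```python
"""Permission triage for an AndroidManifest.xml.

Added example, not part of the Trusteer article and not Google's review
tooling. The risk groupings and the priority threshold are this example's own
heuristics; the sample manifests at the bottom are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def attr(name):
    """Namespaced android:<name> attribute key as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, name)


def parse_manifest(xml_text):
    """Return (requested permissions, [(receiver name, SMS_RECEIVED priority)])."""
    root = ET.fromstring(xml_text)
    perms = {el.get(attr("name"), "") for el in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {act.get(attr("name")) for act in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(attr("priority"), "0"))
                sms_receivers.append((receiver.get(attr("name")), prio))
    return perms, sms_receivers


def triage(xml_text):
    """List the MitMo-relevant capabilities declared in this manifest."""
    perms, sms_receivers = parse_manifest(xml_text)
    findings = []
    has_net = "android.permission.INTERNET" in perms
    if "android.permission.RECEIVE_SMS" in perms:
        for name, prio in sms_receivers:
            # Heuristic threshold: SMS_RECEIVED is an ordered broadcast, so a
            # high-priority receiver sees the message first and can abort it
            # before the messaging app (and the user) ever sees it.
            if prio >= 100:
                findings.append(
                    "%s handles SMS_RECEIVED at priority %d: can read and "
                    "swallow incoming SMS before the inbox sees it" % (name, prio))
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} and has_net:
        findings.append("reads SMS and has INTERNET: can relay OOB verification codes off the device")
    if "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS: can forward codes by SMS or send premium-rate messages")
    if "android.permission.RECORD_AUDIO" in perms and has_net:
        findings.append("RECORD_AUDIO with INTERNET: can capture and upload voice")
    return findings


# Constructed manifest shaped like a MitMo "security component".
MITMO_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitycert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a harmless flashlight app, for comparison.
FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("securitycert", MITMO_LIKE), ("torch", FLASHLIGHT)):
        print(label, "->", triage(manifest) or ["nothing suspicious"])
```

The check is deliberately about combinations: READ_SMS alone is what an SMS backup app needs, but READ_SMS plus INTERNET plus a receiver that outranks the messaging app is the shape of the attack described later in this article.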

Fraudsters have already started to abuse this big security hole. Dozens of malicious applications have already been identified on the Android Market. Google has removed most of them, but more keep coming. Trusteer has identified malicious applications on the Android Market which stayed there for weeks before being taken down by Google. The average user will find it hard to locate the page (http://www.google.com/support/androidmarket/bin/request.py?contact_type=takedown) which allows you to ask Google to review and take down inappropriate applications from the Android Market. But don't expect Google to react quickly to anything you submit through this form. We used it a few times with no results. To get applications taken down from the Android Market we actually had to use contacts within Google which are not available to the average user. The process of identifying and removing malicious applications from the Android Market requires major improvements.

Most of the malicious applications that hit Android are not financial. However, in May this year we saw the (already known) Man in the Mobile (MitMo) malware, which had previously attacked Symbian, BlackBerry, and Windows phones, being ported to Android as well. This attack is designed to bypass banks' SMS Out of Band (OOB) authentication and transaction verification processes. The timing of this attack, so close to the recent FFIEC guidance which advises banks to consider, among other measures, Out of Band verification to fight malware attacks, is ironic. It demonstrates exactly why the fraudsters are two steps ahead.

For those of you who don't know how OOB works, here is a short description. The general idea is to defeat malware that infects the user's machine. Once the user browses to a bank's website from a PC infected with financial malware such as Zeus or SpyEye, the malware takes over the web session and injects fraudulent transactions on behalf of the user. With OOB in place, the bank sends a text message to the user's pre-registered phone number. The message includes the transaction details and a verification code. The user needs to copy the verification code from the mobile device back to the browser on the PC. The assumption is that if the transaction was generated by malware, the user will see that the details in the text message do not match what they intended, will not copy the confirmation code back to the browser, and as a result the bank will not approve the transaction.

The MitMo attack breaks this assumption as follows. Once the user is infected and tries to access the bank's website, the malware kicks in and asks the user to download an "authentication" or "security" component onto their mobile device in order to complete the login process. The user wrongly assumes this message comes from the bank, while in reality it comes from the malware. Once the user installs the malware on the mobile device, the fraudsters control both the user's PC and the user's phone. Next, the malware generates a fraudulent transaction on behalf of the user. The bank then sends a confirmation message to the user's mobile device. The malware on the phone reads the confirmation message and sends it to the malware on the PC, then deletes the confirmation message from the phone so the user never sees it. The malware on the user's PC enters the confirmation code and approves the transaction.
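The exchange described above, as an added example that is not part of the original article: a toy bank that binds each SMS code to the transaction it was issued for, a phone that either delivers the SMS to the user or (with the mobile malware installed) reads and swallows it, and a session runner that plays out the clean case, the PC-only infection, and the full MitMo case. The code format, message text, account names and amounts are assumptions made for the example.

```python
"""Model of SMS out-of-band (OOB) transaction verification and of the
Man-in-the-Mobile bypass. Added example, not Trusteer's code: the bank, PC
and phone are toy classes; the code format and SMS wording are assumptions."""
import hashlib
import hmac
import secrets


class Bank:
    """Issues a code bound to the transaction details and approves only on a match."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # server-side secret, never leaves the bank
        self.pending = {}                    # tx_id -> (transaction, expected code)
        self.approved = []
        self.sent_sms = []                   # what the bank handed to the SMS channel

    def _code(self, tx):
        msg = "{id}|{user}|{amount}|{dest}".format(**tx).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]

    def request_transfer(self, user, amount, dest):
        tx = {"id": secrets.token_hex(4), "user": user, "amount": amount, "dest": dest}
        code = self._code(tx)
        self.pending[tx["id"]] = (tx, code)
        # The SMS carries the details so the user can compare them with intent.
        self.sent_sms.append("Transfer {} EUR to {}. Code: {}".format(amount, dest, code))
        return tx["id"]

    def confirm(self, tx_id, code):
        tx, expected = self.pending.pop(tx_id)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.approved.append(tx)
        return ok


class Phone:
    """The user's handset; with MitMo installed, the malware sees each SMS first."""

    def __init__(self, mitmo=False):
        self.mitmo = mitmo
        self.inbox = []     # what the user can read
        self.stolen = []    # codes the mobile malware relayed to the PC malware

    def receive_sms(self, text):
        if self.mitmo:
            # Malware registered as a high-priority SMS receiver: it reads the
            # code, relays it, and aborts the broadcast so the inbox never shows it.
            self.stolen.append(text.rsplit("Code: ", 1)[1])
            return
        self.inbox.append(text)


def user_code_for(phone, intended_amount, intended_dest):
    """The human control: copy the code only if the SMS describes the transfer you meant."""
    for text in phone.inbox:
        if "Transfer {} EUR to {}.".format(intended_amount, intended_dest) in text:
            return text.rsplit("Code: ", 1)[1]
    return None


def run_session(pc_infected, phone_infected):
    """One banking session; returns the list of transactions the bank approved."""
    bank, phone = Bank(), Phone(mitmo=phone_infected)
    intended = (100, "ACME Utilities")
    # On an infected PC the session is hijacked: the bank receives a mule
    # transfer while the browser still shows the user the transfer they typed.
    submitted = (5000, "MULE ACCOUNT") if pc_infected else intended
    tx_id = bank.request_transfer("alice", *submitted)
    for sms in bank.sent_sms:
        phone.receive_sms(sms)
    if pc_infected and phone.stolen:
        code = phone.stolen[-1]                  # relayed from phone malware to PC malware
    else:
        code = user_code_for(phone, *intended)   # the user checks the SMS against intent
    if code is not None:
        bank.confirm(tx_id, code)
    return bank.approved


if __name__ == "__main__":
    for pc, ph in ((False, False), (True, False), (True, True)):
        print("pc_infected=%s phone_infected=%s approved=%s" % (pc, ph, run_session(pc, ph)))
```

Binding the code to the transaction details is what makes the PC-only case fail for the attacker: the SMS names the mule account and the user refuses to copy the code. Nothing about that binding survives once the phone itself reads, relays and hides the message, which is why OOB over SMS only works for as long as the phone is an independent channel.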

[Figure: MitMo Attack Cycle]

The Android malware that spread in May this year came in different flavors. One of the flavors even used the Trusteer brand to gain users' trust and convince them to download the application. The malware itself was used in conjunction with Zeus 2.1.0.10. The user was first infected with Zeus on their PC, and then Zeus showed the message requesting the user to download the Android malware component.

[Figure: MitMo fraudulent Android application abusing the Trusteer brand]

People who had already downloaded Trusteer Rapport are protected from this type of attack.

Apple iOS is not as Secure as One May Think

iOS is the operating system of the iPhone, iPad, and iPod touch. With iOS malware it's a slightly different story. It's not easy to create malicious applications that have access to device resources, since iOS applies strict access control to applications. It's also not easy to introduce malicious applications into the App Store, as Apple conducts a manual review of each submitted application, which allows it to detect abusive applications. However, there is a hole in this security architecture and it's called jailbreaking. A jailbroken iOS device doesn't enforce access control and basically allows any app to do whatever it wants on the device. Unfortunately many users jailbreak their devices because they want to run all sorts of applications that are not on the App Store. What's more unfortunate is that vulnerabilities in iOS could allow malicious websites to jailbreak a device and infect it with malware without the user's consent or knowledge. Last week we saw a good example of that.

JailbreakMe.com published an exploit which allows the automated jailbreaking of iOS devices from a specially crafted website. PDF files that exploit this vulnerability are reportedly publicly available. Merely opening a crafted PDF document, or browsing to a website that serves one, is sufficient to infect the mobile device with malware. The concept of malicious websites serving exploits to infect endpoint devices is already well mastered by fraudsters. The notorious BlackHole exploit kit and other exploit kits such as Fragus and Neosploit automate this process. BlackHole is extremely dangerous and widely used, as it is distributed for free. Millions of websites are being compromised to run these exploit kits; when users browse to one of these compromised websites they get infected with malware. Note that fraudsters can use the same exploit kit to serve any piece of malware they choose. Once the authors of BlackHole add iOS vulnerabilities to their kit, we'll start seeing a quick increase in malware distribution on iOS devices. This recent vulnerability is not the first that allows fraudsters to compromise iOS devices, and it won't be the last. We're looking at just the beginning of this problem. Fraudsters will continue to research iOS and discover more vulnerabilities that will allow them to compromise devices and commit fraud. I hope I'm wrong, but a year from now this could become so common that it won't even make the news.
