The accessibility service in Android gives people with disabilities, and others with restricted access to their phones, alternative ways to interact with their mobile devices. It also has unintentionally opened the door for Japanese surveillanceware to steal data from LINE, the most popular messaging service in Japan.
After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat.
AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is commercially sold under the name “AndroidAnalyzer” and is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data.
It targets the Japanese market and can collect a broad amount of data from infected devices, including LINE messages, contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location. Given the scope of the data collected, the threat to both individuals and enterprises is clear.
AndroRATIntern must be locally installed and therefore requires a malicious actor to have physical, unmonitored access to the target device, making it a much more targeted threat that cannot be spread by drive-by-download campaigns.
If a person reads a message within an app, the content is protected and generally unavailable to other apps because the app lives in a sandbox. The accessibility service, however, can provide an app with access to other apps’ data when accessed by the device user. This enables specific accessibility features such as text-to-speech, which can help visually-impaired users. In the case of AndroRATIntern, the use of the accessibility service enables the threat to capture LINE messages when they are opened by the victim on an infected device.
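A defender-side check for the abuse described above, as an added example that is not part of the original post: it parses the value Android keeps in the `enabled_accessibility_services` secure setting and lists every enabled service outside an expected set. The allowlist, the `com.example.analyzer` entry and the sample string are constructed assumptions.

```python
import subprocess

# Settings.Secure key holding the enabled services as a colon-separated list
# of "package/class" component names.
SETTING = "enabled_accessibility_services"

# Assumption: the only package this device is expected to grant the service to.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample value; com.example.analyzer is a made-up package.
SAMPLE = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.analyzer/com.example.analyzer.WatchService\n"
)


def parse_enabled_services(raw):
    """Return (package, class) pairs from the raw setting value."""
    raw = (raw or "").strip()
    if raw in ("", "null"):  # `settings get` prints "null" when the key is unset
        return []
    services = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # short form: class name relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowlist=ALLOWLIST):
    """List enabled services whose package is not on the allowlist."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(raw)
            if pkg not in allowlist]


def read_from_device():
    """Fetch the live value from a device connected over adb."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", SETTING],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for service in unexpected_services(SAMPLE):
        print("review accessibility service:", service)
```

On a connected device, pass `read_from_device()` to `unexpected_services` in place of the sample string.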
One of the risks associated with surveillanceware like AndroRATIntern isn’t just that the person who installed the threat on your device has your data, but that the company that offers the surveillanceware may have your data as well and itself become a target of attack.
In May 2015, for example, malicious actors compromised the commercial surveillanceware product mSpy, stealing Apple IDs and passwords, tracking data, and more from hundreds of thousands of victims, according to Brian Krebs. A surveillanceware service provider can have a veritable warehouse of valuable data collected from successfully-infected devices and this warehouse can be an attractive target for attackers.
Mobile devices clearly house a lot of interesting data on an individual or a company. You can come to know who a person talks to, what they’re talking about, where they go, and what they’re saving to their phone.
AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service.
As an Android system service, the accessibility service operates outside of the normal app permission model and AndroRATIntern abuses this ability to circumvent app sandboxing measures intended to protect mobile data.
However, following some simple tips can dramatically help keep your data safe:
This week, former Cigna CISO Craig Shumard (who is also a consultant for Lookout) published an article in CSO explaining what the mobile threat landscape really looks like in reaction to a number of reports suggesting that mobile malware is no problem.
His biggest takeaway? While the market for mobile malware is still maturing, the overall mobile device is not a perfectly secure piece of technology to be put in a drawer and worried about later.
We’ve received a number of queries regarding these reports, and we believe Craig’s article is a great explanation of the mobile threat landscape.
Shumard writes, “The [Verizon] report clearly highlights that malware infections are low, but it also shows two issues with direct impact to consumers and enterprises alike: vulnerabilities and data leakage.”
Read the article in full here.
Why should I, as an enterprise, care about mobile security?
It’s a question I’ve heard a lot since Lookout started developing Mobile Threat Protection, our brand new product announced today that will protect large, global enterprises from mobile threats using our predictive technology.
It’s been more than three years now since Lookout opened its doors in Europe. The team counts tremendous success, including building EMEA into the largest market for Lookout outside of North America and developing partnerships with major carriers including Deutsche Telekom, Orange, and EE. Now, it’s time to dig our heels in even more as we welcome Gert-Jan Schenck as VP of EMEA.
Lookout today announced the findings of its Mobile Privacy IQ study, a survey of smartphone owners in the United States, that examines data-based trends about our privacy mindsets and how they inform our perceptions, behaviors, and feelings toward privacy when using mobile devices.
What we found is that despite being increasingly tuned in to the importance of protecting the data on their mobile devices, a clear disconnect exists between people’s understanding of what it means to be privacy conscious and the actions they take in the real world.
Key findings include:
Interested in learning more? Read the full findings of Lookout’s Mobile Privacy IQ study.
FREAK is the latest in a line of recently uncovered vulnerabilities affecting the way communications are secured over the Internet. Specifically, it impacts SSL/TLS and stands for “Factoring attack on RSA-EXPORT Keys”. The bug allows an attacker to sit between your HTTPS connection and the vulnerable client or server and force you to use a less secure version of encryption. This downgraded encryption may allow an attacker to obtain your data.
No, Lookout’s infrastructure is not impacted by the FREAK vulnerability. Users are not at risk through Lookout’s product; however, that does not mean that your device itself is not otherwise vulnerable.
Unfortunately, like the Heartbleed and POODLE vulnerabilities, people need to wait for a patch from their carrier or device manufacturer to be released. Apple has released a patch for Safari on iOS and Mac OS. Google has promised a patch, but has not yet released one.
If you’ve received an official manufacturer or carrier update to your operating system, install it!
In the continued quest to build out the best leadership in the industry, Lookout has hired a chief marketing officer, Deb Wolf, and vice president of platform products, Santosh Krishnan.
Deb and Santosh will help Lookout seize the opportunity we have across both consumer and enterprise businesses by accelerating our ability to deliver innovative products and develop successful relationships with our customers. But what was it that brought these accomplished leaders to Lookout? It’s always best to hear directly from the source.
Unfortunately, even official app stores’ app-vetting systems are not perfect. Lookout has found 13 instances, or apps, with adware in Google Play, some of which pretend to be Facebook and have malware-like characteristics that make them difficult to remove from the phone.
We alerted Google to these 13 instances and the company quickly removed them from the store. All Lookout users are protected against this threat.
Spring is here, which means it’s time to roll up your sleeves and do some serious cleaning. There’s more to tidy up than your house, though; your phone is probably overflowing with photos, apps and clutter you could do without. Here are six tips to help you freshen up your phone — once you’re done, your phone will thank you!
But we can’t do it without your help. We need your votes for Aaron’s RSA talk and here’s why: