August 31, 2010

Malware from Computers Spreading Through Smartphones

A recent report by Panda Security found that 25 percent of new worms in 2010 were designed to spread via USB storage devices connected to computers. We, at Lookout, have observed that the types of viruses spread through USB or storage devices can also spread via smartphones. As a result, we have taken steps to protect against this propagation.

Phones are often overlooked as a type of storage device.  In fact, any device that can store information (external hard drive, flash drive, MP3 Player or even DVD player) can carry a virus without the user’s knowledge.  Because phones hold a lot of information, they too, are susceptible to acting as a “carrier” and transferring viruses from one computer to another. From what we’ve seen so far, the PC malware doesn’t directly put your phone at risk. It is the carrier, but because it was written for PC’s, smartphones seem to be immune from these viruses.

How it happens: When someone plugs their smartphone into a computer that has been infected with a virus, the virus can be transferred onto the smartphone and then act as the carrier to infect any other computer to which the phone connects. So, for example, if your home PC has a virus and you connect your smartphone to it, and then bring your phone to work and connect to your work PC, you have just infected your work PC with that same virus.

Some examples of PC viruses we’ve seen on smartphones include the Mariposa botnet that was discovered to be preloaded on Vodaphone Android phones earlier this year as well as instances of the PC virus Win32/Hamweq.A.

How to Stay Safe:

  1. Only connect your phone to a computer that you trust. For example, if you are on a public computer at a library, internet café or airport kiosk, avoid connecting your phone to the computer.
  2. If you need to use your computer to charge your phone, pay attention to the settings to ensure that you do not activate the phone to act as a “USB device.”
  3. Have up to date security software running on your computer. Consider downloading security software for your smartphone as well. We’re partial to Lookout, and it currently warns users of any autorun files that exist on your phone.

If you think this has happened to you, contact us at security-at-lookout.com and tell us about it.

Category:   Uncategorized
August 20, 2010

Security and Privacy at Lookout

At Lookout, we’re committed to building products and services that we help make the mobile experience a safe one. We are committed to security and are strong privacy advocates. To this end, we’ve recently updated our Privacy Policy in order to underscore our focus on keeping you and your information safe. We’ve also added a set of Security and Privacy Principles to help users easily understand what we use to guide the decisions we make at our company.

Here are our Security and Privacy Principles.

We welcome your feedback and want to ensure we are clearly communicating to you our customers and the broader community, the commitment we have to security and privacy.

Should you ever have any questions on our policies, feel free to contact us at privacy-at-lookout.com.

Category:   Uncategorized
August 17, 2010

It’s No Game—Tap Snake is a Spy App for the Phone

The Threat: Last week, a new spy app was identified in the Android Market that enables a would-be spy to track a phone’s location through a game called Tap Snake. Lookout has protected against this threat since August 10th. Today the app was removed from the Android Market.

How it Works: To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to  gain access to the victim’s uploaded data.

GPS Spy costs $4.99 and until today could be purchased through the Android Market or other Android stores. Once on the phone, the application instructs the purchaser to download and install the Tap Snake game to the phone they want to spy on. The would-be spy does need to have physical access to the phone they want to monitor.

Phones it Affects: Tap Snake is only available for Android phones.

How to Tell if You Are Affected: Look to see if you have the Tap Snake game on your phone. If it is on your phone, you can download a mobile security app to remove the software.

How to Stay Safe:

  • Don’t let others download apps onto your phone. Keep in mind, a would-be spy needs physical access to your phone in order to install Tap Snake and enter the code that enables tracking.
  • Don’t let your phone out of your sight and keep control of your phone at all times.
  • Download a mobile security app for your phone that scans every app on your phone.   We’re partial to Lookout.

Lookout has protected against Tap Snake since August 10th. If you already have Lookout on your phone, you don’t need to do anything–you are automatically protected. If you don’t yet have Lookout on your phone, you can download it here.

Category:   Uncategorized
August 12, 2010

Mobile Malware: From Fame to Fortune?

Earlier this week the first SMS Trojan that infects Android smartphones was discovered in the wild. We see this as a significant event for several reasons. First, this is first instance of a Trojan on the Android platform which, to date, has mainly been affected by spyware and phishing attacks. Second, the motive behind this attack is profit, carried out through charges from premium-rate SMS messages, (see graphic below) and it may portent a broader shift towards profitable cybercrime on phones, as it has on PCs.

We’ve seen the progression of threats from novelty to profit before. To see where we’re heading, we need only to look to the desktop. Looking back over the last twenty years, the evolution of malware on the PC has hit three relatively distinct milestones that we could classify as Ego, Profit, and Political. This cycle looks like it will repeat itself for mobile phones, only significantly accelerated.

In the 1990s and early 2000s, PC malware was typically written more for the ego boost of fame and notoriety than for other motives. Melissa, ILOVEYOU, and MSBlast grabbed headlines, but not sensitive data. In recent years that has changed. In 2008, the Torpig Trojan was released into the wild and has stolen at least half a million online banking account credentials, credit card numbers, and debit card numbers. We’re also at the early stages of PC malware used for political purposes, such as recent denial of service attacks against Estonia and the Georgian president.

A similar evolution is happening within mobile malware. We are already well into the Ego phase and now perhaps poised to move into the profit phase. Consider the 2005 Symbian-based Cabir worm that did little more than spread to other devices via Bluetooth or the ikee worm that changed the wallpaper of jailbroken iPhones with default passwords to a photo of Rick Astley because its author, an Australian hacker, was just curious as to how far it would spread. Both were more of a nuisance than an actual threat; however, shortly after the ikee worm was released, the Duh worm in the Netherlands used the same mechanism to propagate and attempted to steal banking credentials from ING banking customers. Furthermore, with the recent Android SMS Trojan, we think we’re seeing early steps toward the profit phase which means both more sophisticated malware and more organized perpetrators.

As always, there are some steps that consumers can take to keep themselves safe.

  • Only download applications from trusted sources. Remember to look at reviews and star ratings.
  • Always check the permissions an app is requesting when downloading apps. Use common sense to ensure that the permissions match the type of app you are downloading.
  • Download a mobile security app for your phone that scans every app you download. We’re partial to Lookout.

We’ll be routinely sharing data as to how the world of mobile malware and spyware is evolving—whether it be for fame or fortune.

Category:   Uncategorized
August 10, 2010

Security Alert: First Android SMS Trojan Found in the Wild

UPDATE:  Lookout has pushed an over-the-air (OTA) update to automatically protect all Lookout Android users from this newly reported Trojan. If you already have Lookout installed, the update will be automatically pushed down to your device. If you don’t have Lookout, go to www.lookout.com from your phone to download it now or find Lookout in the Android Market.

==============================================

Today, Kaspersky Labs reported the first SMS Trojan that infects Android smartphones.

The Threat: The Trojan is hidden inside an application called “Movie Player.” Users are prompted to install an application that looks like a media player of just over 13KB to their phone from a website.  Take note that the app does list “Services that cost you money (send SMS messages)” as one of the required permissions prior to installation.

How it Works: Once installed, the Trojan proceeds to send SMS messages to premium-rate numbers charging several dollars per message without the owner’s knowledge or consent.

Phones it Affects: So far this has only affected Android smartphone users in Russia and only works on Russian networks. As far as we know, there is no indication that this app is in the Android Market.

How to tell if you’re affected:

  • Review your phone bill for any premium SMS messages you did not send
  • If you have recently downloaded a media player, check the permissions to ensure it does not have the ability to send SMS messages. (Go to Settings, Applications, Manage Applications)

Lookout is tracking this threat and we will have an update out to our users shortly. In the meantime, we recommend the following:

How to Stay Safe:

  • Only download applications from trusted sources. Remember to look at reviews and star ratings.
  • Always check the permissions an app is requesting when downloading apps. Use common sense to ensure that the permissions match the type of app you are downloading.
  • Download a mobile security app for your phone that scans every app you download. We’re partial to Lookout.

As we’ve previously noted, with the discovery of this new Android Trojan, it is more important than ever to pay attention to what you’re downloading. This Movie Player app directly lists permissions to access “Services that cost you money” before you install. Stay alert to ensure that you trust every app you download and stay tuned for more details on this threat.





Category:   Uncategorized
August 7, 2010

New Way to Jailbreak iPhone Opens the Door to New Security Threats

Since the first version of the iPhone—and now the latest versions of both the iPhone and iPad—users have used a technique called jailbreaking to override the software sandbox on their devices in order to gain full control of the operating system and install applications that Apple has not approved. This week a site called jailbreakme.com made news by enabling users to jailbreak an iPhone or iPad in a matter of minutes by simply visiting a web page. The latest jailbreak technique has resulted in significant security concerns because the jailbreak uses a pair of recently discovered vulnerabilities on the iPhone and iPad itself (iOS) in order to perform the jailbreak on the device.

While there have not yet been reports of these exploits being used maliciously, the security implications are significant. Now that the exploits are publicly known, they can be easily modified for malicious purposes, creating a big potential risk for iPhone and iPad users. All that is needed to exploit an iPad or iPhone is for the browser to visit a maliciously crafted web page; from the PC world, we know that there are a variety of ways to do this. For example a bad actor could propagate an email or SMS that encouraged users to visit a link that would result in their iPhone being exploited without their knowledge. While the currently-known exploit in the wild jailbreaks your phone, the resulting vulnerability allows an attacker full access to do anything.

What can attacker do with full access (called “root”) to your phone? Perhaps the least-nasty result is that your phone becomes jailbroken; however, full access allows attackers to do virtually anything on the device. It is possible for malicious code to steal data, capture online banking and account credentials, make charges to your phone bill, and do anything else your phone is capable of. Apple has been quoted saying they are aware of the issue and are working on a fix.

How does this affect the average iPhone or iPad user?

First, you shouldn’t jailbreak your phone unless you have experience securing Unix systems. If you don’t know what this means, don’t even think about jailbreaking your phone.

Second, to avoid having your phone exploited without your knowledge, follow these tips:

1. Don’t visit any suspicious web sites from your iPhone or iPad.
2. If you receive an email or text message from someone you don’t know, avoid visiting any links they ask you to visit.
3. Don’t open any PDF files from people you don’t know on your iPhone or iPad.
4. Pay attention to any new attacks that are discovered in the wild.
5. Be sure to update your phone as soon as Apple makes a patch available.

Finally, if you do want to jailbreak your phone, make sure to install this tool to warn you every time an application on your phone attempts to open a PDF.

Be sure to check back often, as we’ll be posting updates as this security issue develops.

Category:   Uncategorized
August 4, 2010

Tips for Developers to Safeguard User Data

Hello.  I’m Tim, and I lead the Security Response Team here at Lookout.

Last week, we talked about a series of Android wallpaper apps that were collecting the phone number, IMSI, and voicemail number from devices and sending them to a remote server over insecure communication channels.  As reported today, Google released these apps back into the Android Market as “there is no obvious malicious code … though the implementation accesses data that it doesn’t need to.”

We’ve been in touch with the developer, and shared with him some recommendations to better protect his users’ privacy.  As we’ve seen, it’s entirely possible to inadvertently put sensitive data at risk without malicious intent.  Rather, developers sometimes do not understand the sensitivity of data that they collect, or the risks inherent in handling that data.

Mobile platforms grant developers access to sensitive data about users, their devices, and their associates. Developers must maintain awareness and act as responsible stewards of the data they’re granted access to.  This is not a new problem — application developers have to contend with handling sensitive data on any platform they develop for.  Smartphone platforms make it easier than ever to access caches of sensitive information, though, and it’s easy to make mistakes.  We’d like to suggest a few “best practices” developers should keep in mind as they create new mobile apps.

  • Know exactly what private user and device data you are collecting and understand what that data is.
  • Only collect the data you need for your app.
  • If you use an advertising SDK, analytics SDK or other 3rd party code in your application, make sure you understand what information it collects and transmits.
  • Do not transmit private user or device data over an unencrypted communications channel.  Always use HTTPS/TLS to secure network communications when private data is in motion.
  • Consider alternatives to using private user data where possible.  For instance, if you are collecting the device’s primary phone number, IMEI, or IMSI as a unique identifier to save user settings, consider using a one-way hash or a Globally Unique Identifier (GUID) generation scheme that is related to, but does not directly disclose these pieces of data.

Finally, be careful that you don’t disclose data via inappropriate side channels such as shared system logs.  Check logs and audit debug statements to make sure you are not inadvertently disclosing user or device data in released code.

Consider the following code that interacts with Android’s device location provider:


As developers, we often use logging APIs as an easy means to monitor an application’s execution state while debugging.  Access to shared logs on Android is governed by a completely different permission than, for example, access to coarse or fine location data.  Putting that information into shared logs leaks data across boundaries established by the permission model.  Logging data about contacts, browsing history, call history, SMS, and other sensitive user/device data similarly violates the permission model and developers should be extremely careful not to do so.

The world of mobile app development is experiencing explosive growth.  Smartphone platforms are new and exciting and (in some respects) make application development easier than ever before.  As we dive into these new platforms, we need to be aware of the sensitive data we’re accessing and handle it with care.  We all share responsibility for keeping the mobile ecosystem safe and secure.

Category:   Uncategorized