New Android malware could produce Chinese botnet, harvest personal data
Security experts are warning that newly discovered malware targeting Chinese users of Google's Android mobile operating system has "botnet-like capabilities" that could take control of an Android phone by communicating with a central command-and-control server.
The malware, which has been dubbed "Geinimi," is apparently being "grafted" onto repackaged legitimate Android apps and then posted on Chinese app stores, PC World reports.
San Francisco, Calif.-based security research firm Lookout discovered the malware after a concerned user posted to a forum. In its writeup of the Trojan, Lookout called it "the most sophisticated Android malware we've seen to date" and the first malware to display botnet-like capabilities in the wild. Once installed on a user's phone, the malicious software is able to "receive commands from a remote server that allow the owner of that server to control the phone."
Though Lookout admits that the purpose of the Trojan isn't clear, "the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet," wrote the company.
During its analysis, Lookout detected Geinimi sending location coordinates and device identifiers, downloading an app and prompting the user to install it, prompting the user to uninstall an app, and enumerating and sending a list of installed apps to the control server. App installations and uninstallations still need to be confirmed by the user, since a non-system app cannot silently install or remove packages; it can only hand the user the system's own install or uninstall prompt.
"Geinimi's author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities," the post continued. "In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware."
No instances of the Geinimi Trojan have been seen in the official Google Android Market, as all affected apps have been discovered on third-party app stores in China.
Mobile security
As the sales of smartphones and other mobile devices have increased, security threats to mobile applications have increased as well. Earlier this month, security vendor AdaptiveMobile reported that mobile malware infections had grown 33 percent year-over-year. Google's Android platform saw the greatest rise, 400 percent, in targeted exploits, though Android's infection rate remained low compared to older platforms. Reported exploits aimed at the iPhone declined year over year.
In July, a study of over 300,000 free applications by Lookout revealed that applications for both iPhone and Android were regularly accessing the user's contact data. The study found that 14 percent of the surveyed applications from Apple's App Store could view the contact list, as could 8 percent of the tested applications on Android.
During the study, Lookout discovered that free wallpaper applications on Google's Android Market were collecting private user data and forwarding it to servers in China. Lookout asserted that there was "no proof of malicious intent," but cautioned that the apps had sent sensitive data, including "a device's phone number, subscriber identifier, and currently programmed voicemail number" to the server.
Apple's approach of curating the App Store, though derided by some as "closed," has thus far proved successful at preventing iOS devices from having a live virus problem. The iPhone maker employs a strict vetting process for iOS apps before approving them for the App Store.
Google's Android Market app security, on the other hand, simply warns the user that an app needs permissions during installation.
iOS apps run in a discrete 'sandbox' environment that limits what they can do to the rest of the system. And every app must be signed with a certificate issued by Apple, which blocks the kind of third-party repackaging that the Geinimi Trojan is currently exploiting in the Chinese market: a modified copy of an app cannot be installed without a valid Apple-issued signature.
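The repackaging described above leaves traces an analyst can check without running the app. An APK is a ZIP archive: the signer's certificate block sits in META-INF/*.RSA (or .DSA/.EC), the compiled code in classes.dex, and the binary AndroidManifest.xml declares the requested permissions. A trojanized repackage cannot carry the original developer's signature, so the signer block changes, and the grafted code shows up as a changed classes.dex and extra entries. The script below is an added example, not Lookout's or Google's code; the two APKs it compares are constructed in memory with placeholder bytes so it runs offline, and it does not decode the binary manifest (a real diff of permissions would need a decoder such as aapt or androguard).

```python
"""Triage a suspected repackaged APK against a known-good copy of the same app.

Added example (not from the article or from Lookout). The APK contents below
are constructed stand-ins: the dex, manifest and PKCS#7 bytes are placeholders.
"""
import hashlib
import io
import zipfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def apk_fingerprint(apk_bytes: bytes) -> dict:
    """Digest the signer block(s), the manifest and every classes*.dex, and list all entries."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        signers = {n: _sha256(z.read(n)) for n in sorted(names)
                   if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))}
        tracked = {n: _sha256(z.read(n)) for n in sorted(names)
                   if n == "AndroidManifest.xml" or (n.startswith("classes") and n.endswith(".dex"))}
    return {"signers": signers, "tracked": tracked, "entries": names}


def compare_apks(known_good: bytes, suspect: bytes) -> list:
    """Return human-readable findings; an empty list means the suspect matches the known-good build."""
    good, sus = apk_fingerprint(known_good), apk_fingerprint(suspect)
    findings = []
    # 1. Signer identity: a repackager cannot reproduce the original developer's signature.
    if not sus["signers"]:
        findings.append("suspect APK is unsigned")
    elif set(sus["signers"].values()) != set(good["signers"].values()):
        findings.append("signer block differs from known-good APK (not the original developer's signature)")
    # 2. Manifest and code: grafted code changes classes.dex; added permissions change the manifest.
    for name, digest in sus["tracked"].items():
        if good["tracked"].get(name) != digest:
            findings.append(f"{name} differs from known-good build")
    # 3. Extra files (payloads, configs) that the legitimate build never shipped.
    added = sorted(sus["entries"] - good["entries"])
    if added:
        findings.append("entries added: " + ", ".join(added))
    return findings


def build_apk(entries: dict) -> bytes:
    """Build a minimal APK-shaped ZIP in memory from a name -> bytes mapping (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the legitimate app as shipped by its developer.
ORIGINAL_APK = build_apk({
    "AndroidManifest.xml": b"<binary manifest of the legitimate app>",
    "classes.dex": b"dex\n035\x00legit-app-code",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"pkcs7-signature-from-original-developer",
})

# Constructed sample: the same app with a command-and-control client grafted in and re-signed.
REPACKAGED_APK = build_apk({
    "AndroidManifest.xml": b"<binary manifest with extra permissions>",
    "classes.dex": b"dex\n035\x00legit-app-code+grafted-c2-client",
    "assets/payload.dat": b"encrypted-c2-config",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"pkcs7-signature-from-unknown-key",
})

if __name__ == "__main__":
    for finding in compare_apks(ORIGINAL_APK, REPACKAGED_APK):
        print("FINDING:", finding)
```

Against real files, replace the constructed samples with `open(path, "rb").read()` for a copy pulled from the official Market and the copy from the third-party store. The signer check is the decisive one: a differing classes.dex alone may just be a newer version, but a signer block that does not match the developer's published certificate means the package was not built by them.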
Privacy rights
After a report published by The Wall Street Journal earlier this month revealed that Android and iOS applications were sending unique device identifiers, location data, and even "age, gender or other personal details" to outside sources, one iPhone user sued Apple on behalf of all iPhone users over alleged violations of federal privacy laws. The lawsuit calls attention to the issue of user privacy rights, as advertisers have sought to glean increasing amounts of valuable information on users and their usage patterns.
Though Apple allows users to opt out of location sharing on its iAd network, it appears that Apple hasn't fully enforced rules meant to protect user privacy.
In October, a security report found that 68 percent of the App Store's top iPhone apps transmit unencrypted unique device identifiers, which can be easily linked to personal information.
Earlier this year, Apple CEO Steve Jobs called out one mobile analytics firm after learning that the firm was collecting device data in violation of Apple's privacy policy. The firm had used the data to reveal that Apple was testing a tablet device on its campus ahead of Apple's official reveal of the iPad. According to Jobs, Apple's employees went "through the roof" when they learned that device information was being collected without Apple's knowledge.
The firm quickly responded that it would comply with the respective changes to the iPhone OS terms of service.
Apple was also the subject of a U.S. Congressional inquiry after an inaccurate and sensational LA Times report suggested that changes to the iOS privacy policy would result in Apple tracking iPhone users' locations. Apple promptly responded to the concerns in a letter.
"Apple does not share any interest-based or location-based information about individual customers, including the zip code calculated by the iAd server, with advertisers," the letter read. "Apple retains a record of each ad sent to a particular device in a separate iAd database, accessible only by Apple, to ensure that customers do not receive overly repetitive and/or duplicative ads for administrative purposes."
Comments
So, if I'm understanding this correctly, after I, of my own volition, check the option to download from unknown sources in the settings, I probably shouldn't download apps from a no name Chinese web site. Got it.
Nope, you just download any app and it has access to do pretty much anything it wants to do.
Honestly, just look at those permissions for simple apps... Any rational person would question the whole scheme of Android permissions. The dialog box should just read:
"Would you like to give everything about yourself away to everyone and anyone? Click OK to proceed. Oh, BTW, we will have full access to making your phone do whatever we want without you knowing."
Nope, you just download any app and it has access to do pretty much anything it wants to do.
Honestly, just look at those permissions for simple apps... Any rational person would question the whole scheme of Android permissions. The dialog box should just read:
"Would you like to give everything about yourself away to everyone and anyone? Click OK to proceed. Oh, BTW, we will have full access to making your phone do whatever we want without you knowing."
The SMS app looks like it needs access to all those services, especially Your Messages.
The My Tracks app looks like it needs all those services for tracking... unless that is music player app j/k.
The only one that sticks out is the Wallpaper app. Surely it needs storage access. I guess network if it updates through the app or has ads, since it's free. The need to read phone calls is a stumper, though.
So, if I'm understanding this correctly, after I, of my own volition, check the option to download from unknown sources in the settings, I probably shouldn't download apps from a no name Chinese web site. Got it.
Well, you could choose to live in a walled garden...
The SMS app looks like it needs access to all those services, especially Your Messages.
The My Tracks app looks like it needs all those services for tracking... unless that is music player app j/k.
The only one that sticks out is the Wallpaper app. Surely it needs storage access. I guess network if it updates through the app or has ads, since it’s free. The need to read phone calls is a stumper, though.
I'm obviously being a bit tin-foil hat here, but once you provide permissions to those apps, the app doesn't have to ask you anymore to do certain things.
In the case of the SMS app, of course, it needs that access when you are using it. But after you give it permission, it could conceivably "directly call phone numbers", "send SMS", "read contact data", etc. *behind your back*.
I'm surprised the whole Android app system isn't more abused, maybe we'll discover more as time goes by.
I'm obviously being a bit tin-foil hat here, but once you provide permissions to those apps, the app doesn't have to ask you anymore to do certain things.
In the case of the SMS app, of course, it needs that access when you are using it. But after you give it permission, it could conceivably "directly call phone numbers", "read contact data", etc. *behind your back*.
Yeah, they could, but at least you know what they could do. Obviously, you need to pay attention to what it is asking permissions for.
Consider the flashlight app that enabled tethering, if you noticed that a flashlight app was asking network permissions your radar must ping. If that developer had malicious intent, you might be able to protect yourself.
Yeah, they could, but at least you know what they could do.
The point is that you never know when or why they're doing it. There is no data security whatsoever once you give permission. And there's no app screening process, so there's no way to know which apps might have a secret back door. It's really scary, actually, especially when your most personal data is in the mix.
I'm very happy with the level of control under iOS, TYVM. I don't need the security mess that is Android.
Though Lookout admits that the purpose of the Trojan isn't clear, "the possibilities for intent range from a malicious ad-network to an attempt to create an Android bonnet," wrote the company.
That little green robot will look cute on Easter.
Posted a comment about this a week ago, and this mood has been floated around a lot. Basically Android's "openness" also makes it more vulnerable to malware. Look for Norton Mobile for Android in a few months.
That little green robot will look cute on Easter.
Well, you could choose to live in a walled garden...
I've always been stumped as to why the term "walled garden" is bad. Does anyone else here plant food? Without some type of protection the rodents (squirrels and chipmunks along with many others) take everything you've worked for. All of your hard efforts get eaten by something that didn't put in the labor to have it.
I would love for someone to explain to me how a 'walled garden' is a bad thing... the plants can actually 'fruit' or the flowers will actually blossom?...
Help me out here please.
I've always been stumped as to why the term "walled garden" is bad. Does anyone else here plant food? Without some type of protection the rodents (squirrels and chipmunks along with many others) take everything you've worked for. All of your hard efforts get eaten by something that didn't put in the labor to have it.
I would love for someone to explain to me how a 'walled garden' is a bad thing... the plants can actually 'fruit' or the flowers will actually blossom?...
Help me out here please.
So you see my irony.
So you see my irony.
All too well.
I always thought Google OS might replace Microsoft for the masses, it seems it is in more ways than I had imagined. How soon before they will need a version of that Norton type crap on them?
Been saying this for months now. All you had to do was look at the way apps are 'approved' and you know that malicious code is being written and downloaded on Droid phones. The problem will only get worse as time goes on, unless Google does something to police their apps.
Droid app store might as well be synonymous with Limewire, Pirate Bay, etc...
That little green robot will look cute on Easter.
haha, thanks for catching that. stupid autocorrect. I caught it in the headline, but missed it farther down.