Softpanorama


Android (in)security

How smart a phone do you want in your pocket? How much do you want to be like a bug under microscope?


Introduction

If you think of your smartphone as just a phone, rather than a very powerful mini-computer that happens to be able to make phone calls, think again. The OS used on such devices, Android included, does not have a stellar security record. Also, any security system is only as good as its weakest link, and humans are the weakest link.

The smartphone is now the greatest spying machine ever invented by mankind. Like the PC and tablet you own, it spies on you in several areas, not limited to your shopping preferences (Google has the delusional idea that if it knows more about you, you will click its ads more often ;-). What banal evil lurks in the hearts of men? What sites did you visit? What's on your Google Calendar? In your Gmail inbox? What applications did you download or buy? The inquiring minds at Google and the three-letter agencies want to know!

At the same time, the amount of sensitive data many people store on their smartphones is truly staggering. In Eastern Europe smartphones are often used for direct access to bank accounts. As passwords are difficult to type, the smartphone stores the passwords to Facebook, Twitter and our email accounts. The phone numbers and email addresses of all our friends and colleagues are readily available in the contacts directory and are up for grabs by Google (which provides backup), your telecom provider (which also offers backup), the government, and malware on your phone.

Think about the consequences if a thief gets his hands on all that data... And a smartphone, and the data on it in particular, isn't especially hard to steal. Moreover, smartphones are often simply lost. If one is not protected by a password, all its data is exposed. Annually, thousands of smartphones are left in the back seat of a taxi, in Walmart and other stores, slip out of a pocket when you sit down somewhere, or are left in the seat pocket of a plane, in a bar, by the hotel pool, or on a conference table after a meeting.

But the most common security threat for Android devices is compromise via a Windows-style infection of the phone OS by some malware, often downloaded and installed on the phone by you, unsuspecting. Android malware is a reality. Google does not release the number of infected smartphones, but it is expected to be in the millions. Rooted phones are especially susceptible, as they are owned by people who try more things on the phone than the average Joe User.

Recently (2013) there were reports of a botnet running on Android phones. That means Google has fallen under the spell of the "Windows curse", and there is no easy way out of this trap.

Of course any user can easily wipe their smartphone via the "return to factory settings" operation, but few do that unless the phone badly malfunctions. The problem is that there is no clear segregation between user data and programs in Android, just as there is none in Unix, and wiping the programs often means wiping all your data. Contacts are actually the easiest part for a user to save, as the Android contacts application has an export operation.


Android security architecture

Android made several things right

What mistakes Android developers made

Updates problems and "Planned obsolescence" game

Updates are an extremely weak spot of Android. Here Microsoft generally wipes the floor with the Android developers. In comparison with Android, the Windows 8 update process works like clockwork. You can complain about quantity and quality, but there is no question that the Windows patching mechanism is robust and well debugged. Of course it can be hijacked, but that is mainly the domain of three-letter agencies. Patches for Windows are provided for free by Microsoft itself.

In Android this task is offloaded to the vendors. Google does not provide a patching framework and does not provide patches; everything needs to be done via the vendors, and the vendors are simply not interested. Some are better than others, but generally, with the average two- to three-year device update cycle, there is a strong tendency to cut corners to save costs. And carriers do not want to subsidize this process unless absolutely necessary.

The sad state of Android updates from many smartphone and tablet vendors, Samsung among them, has been widely criticized by consumer groups and the technology media. Backwards compatibility is a problem for other smartphone OSes too, but it is worst on Android.

Some commentators have noted that the industry has a financial incentive not to update its devices, as the lack of updates for existing devices speeds up the purchase of newer ones: a kind of "accelerated obsolescence" play... As the Guardian noted, the bizarrely complicated method of distributing updates is mainly due to the fact that manufacturers and carriers have great difficulty coping with the extreme diversity of Android phone hardware. Acceptance testing to make sure everything still works on the phone after the update is an expensive and slow process. There are plenty of cases in which a perfectly good phone became unstable after the update from 4.0.x to 4.1.x.

In 2011, Google partnered with a number of industry players to announce an "Android Update Alliance", pledging to deliver timely updates for every device for 18 months after its release. As of 2013, this alliance has never been mentioned since (Ars Technica). The companies were happy to make noises about cooperating to make the situation better, but they had no real incentive to do so.

As Nathan Eddy noted (Android Security Threats Rise, Online Banking Malware Jumps, eWeek, Aug 8, 2013):

"Due to the fractured nature of the Android network, it is very difficult for patches to reach all users in an effective timeframe. In some cases, users will never get patches as vendors leave their customers at risk of attack," JD Sherry, vice president of technology and solutions at Trend Micro, said in a statement.

"Until we have the same urgency to protect mobile devices as we have for protecting PCs, this very real threat will continue to grow rapidly. At the rate this malware is accelerating–almost exponentially–we appear to be reaching a critical mass. To fight this, Android users need to take great care when using their devices and take the simple, but effective, step of adding security software to all mobile devices."

Here is one apt comment from the Ars Technica forum:

Eventually the lack of security updates *is* going to become an issue - at which point the whole ecosystem is going to be in serious trouble. Google is clearly buying into the "your phone is your wallet" metaphor - and "your phone is your wallet that practically anyone can steal from" isn't nearly as appealing a notion ;-)

Root access

Many users resent the absence of root access to their devices and consider this an attempt to replicate the Apple-style ecosystem: a completely closed ecosystem whose implicit purpose is to extract more money from users. I myself consider this situation unacceptable, as you can't fully back up and restore the device yourself. The only option available to users is to restore the device to factory defaults, which is better than nothing but a far cry from the standard capabilities of a modern OS.

Going to factory defaults is, for obvious reasons, a "last resort" solution, although you can adapt to it by backing up "user space" and reinstalling applications; the latter can be scripted. But like any severe restriction on user behavior, it creates a wave of "Google hate" among advanced users similar to "Apple hate".

As users are not allowed root access, Android users have become hostages of malware developers. Backup and restore on Android devices are primitive and severely handicapped in comparison with Linux or Windows.

So restricting root access does not help unsophisticated users, who fall victim to malware anyway, and really handicaps sophisticated users by limiting their ability to back up and restore the system and fight malware. That's why rooting Android devices, instead of being hacker entertainment, became a necessity for sophisticated users.

Windows effect and proliferation of Android malware

"Windows effect" means that as soon as an OS becomes dominant in a particular segment of the market, it becomes the favorite target for malware and hacking. At that point it becomes difficult to "defend the castle" regardless of its technical qualities (not that Windows has a good security architecture). The 2:1 rule of regular warfare probably applies here: if the number of fighters on one side is at least twice that on the other, the numerically inferior side is in trouble.

As with Microsoft in the past, Google's primary objective in the initial development of Android was gaining market share, security be damned. In other words, Google sold its soul to the devil from the beginning ;-).

And if the major contingent of users of a complex and powerful OS are unsophisticated, then the task of providing good security is really formidable and requires a new architectural vision and innovative solutions. Android made a few steps in the right direction, but generally it is bound by its Unix origin. The initial architectural compromises were made for devices with very restricted computational capabilities. Then the situation changed drastically and devices became powerful enough to run a full version of Unix. This is a kind of replay of the historical relationship between DOS and Unix.

As for really innovative solutions, Android has none. Moreover, it is generally understood by users much worse than Windows 8, which creates additional security risks. Recently Dr. Web found a botnet that existed on Android smartphones. That information needs to be independently verified, but it is not surprising to see all types of malware developed for Windows migrate to Android.

Google does not manually check applications before they get to the Google Play Store, and automatic checks are an insufficient barrier for malware. In 2012 the company removed nearly 60K malicious applications. Many Android applications are of dubious quality and/or contain spyware.

Recently the top downloaded Android application was busted by the FTC as spyware:

"The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners.

The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace.

Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars.

The application, which is available for free, displays mobile advertisements on the devices it is installed on.

However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.'

As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."

The problem with Android is that if your phone or tablet is "owned", you can do nothing other than restore it to factory defaults, as you do not have access to root.


Some promising security approaches, within the framework of the classic Unix kernel design and some outside it, are available but were never used. For example, it would cost almost nothing (probably less than $5 per tablet) to provide all Android tablets with a hardware-based token implementing a SecurID-style authentication scheme. That was not done, and this fact enables banking fraud. So, if your bank does not support SecurID-style authentication, you had better not access its Web portal from Android devices. Some banks try to compensate for this by sending SMS messages that act as a software token, but if your smartphone or tablet is owned by some type of powerful malware this might not be enough. Still, it is definitely better than nothing.

In other words, in its current form Android is insecure for Web banking. As simple as that. Without such a token, interception of the password means compromise of the account.

As the Android kernel was based on Linux kernel 2.6 (and now 3.0), some attack vectors are related to this heritage. For example, the Linux kernel, like any classic Unix kernel, has an all-powerful root and underpowered regular user accounts. That means that a process which, for example, needs to bind a low port (below 1024) needs to become root, at least temporarily, to perform that part of its task.

In a similar way, the ability to access the Web and Web-based search engines exposes Android users to malicious sites, some of which can be created specifically to target popular smartphones such as the Samsung Galaxy S III.

Being open source does not help in this regard either. It actually hurts: instead of disassembly, one can simply study the available codebase and look for some nasty exploit that grants root. So in Android, from the beginning, there is a capability which in the Windows world only three-letter agencies and employees of large corporations that get the Windows source code have.

Instead of analyzing the code to find an exploit, attackers can buy a zero-day exploit on the black market. Such a market exists for the most popular devices, and Android is no exception. Possession of a not-yet-patched zero-day exploit (and Android vendors are slow in providing patches) means that the attacker is in if the user replicates the conditions necessary for the exploit, for example by visiting a certain ("infected") Web site. As we discussed above, the problems with patching Android are severe due to the decentralization of the process.

Around 2012 Google realized that the situation with Android security is bad and can get worse. That's why it put the SELinux framework into the kernel. It already exists in Android 4.2.2, but works in permissive mode. It is badly needed, although I would prefer Google to support AppArmor instead. SELinux is difficult to configure, and that means trouble for both Android developers and Android users. AppArmor is a more elegant, more understandable and more robust way to provide SELinux-style functionality.

Any application that runs on the Android operating system must be signed. Android uses the certificate of individual developers in order to identify them and establish trust relationships among the various applications running in the operating system. The operating system does not allow an unsigned application to execute. At the same time, the use of a central certification authority to sign the certificate is not required, and Android will happily run any application that has been signed with a self-signed certificate.

Rooting the Android device

The unlocking (rooting) and "hackability" of smartphones and tablets remains a source of great tension between the community and industry.

Android applications run in a sandbox, an isolated area of the system that does not have access to the rest of the system's resources, unless access permissions are explicitly granted by the user when the application is installed. Before installing an application, the Play Store displays all required permissions: a game may need to enable vibration or save data to an SD card, for example, but does not need the ability to read SMS messages or access the phonebook. After reviewing these permissions, the user can choose to accept or refuse them, installing the application only if they accept.

This scheme is deeply defective and does not work for unsophisticated users, who are by definition too naive to understand the consequences of their actions. Theoretically both sandboxing and the permissions system lessen the impact of vulnerabilities and bugs in applications, but the huge percentage of unsophisticated users creates the effect of "a second Windows". Moreover, developer confusion and limited documentation have resulted in applications routinely requesting unnecessary permissions and users happily granting them, reducing security to a minimum.

In a way Google proved completely incompetent at solving this difficult and important problem and decided just to "go with the flow". As a result Google by and large replicated on a new platform the malware situation that exists on Windows.

The security industry has already sensed the opportunity and the necessity to protect Android users from the design defects inherent in the attempt to provide a powerful OS for unsophisticated users, and from the growing spectrum of Android malware. We can expect that there will generally be a "security tax" on Android users, similar to the "Windows insecurity tax".

Several vendors of Windows AV products have already released antivirus software for Android devices. It needs to run as root, as otherwise sandboxing applies to such applications too.

More about Android Malware

As Android became the mobile equivalent of Windows for hackers, there are now several types of Android malware in the wild, some closely resembling Windows malware.

Google engineers were caught with their pants down by the recent revelations about banking Trojans on Android. They had argued that the malware and virus threat on Android was being exaggerated by security companies for commercial gain, and accused the security industry of playing on fears to sell virus protection software to users. Which is of course a fair point ;-). Google maintains that dangerous malware on Android is actually extremely rare (but then why do they never disclose data about the number of infections?). But they can't deny that it exists and is growing.

Google currently uses its Google Bouncer malware scanner to scan Google Play store apps. It is intended to flag suspicious apps and warn users of any potential issues with an application before they download it. Still, there have been cases where Google has allowed infected apps into its store. So the fact that the majority of apps on Google Play are reasonably safe means nothing; the existence of malware in the Google Play store serves as an indication of Google's vulnerability and of the impotence of Android's designers to solve this problem. Now they need to confront the threat.

Android 4.1 (Jelly Bean) has enhanced security features, including a malware scanner built into the system, which works in combination with Google Play. It can scan apps installed from third party sources as well. There is also an alert system which notifies the user when an app tries to send a premium-rate text message, blocking the message unless the user explicitly authorizes it.

Android 4.2.2 and the forthcoming version 4.4 include SELinux in the kernel. It might be too little, too late, as the ecosystem is pretty mature and bringing all applications under the SELinux umbrella is a formidable task.

Android Banking Malware

The Android operating system remains a prime target for cyber-criminals, as Android’s user base expands but security remains weak. Trend Micro (not a disinterested party ;-) projected that at the end of the year there will be around a million malicious and high-risk Android apps.

Smartphones and tablets are increasingly used to access banking portals. According to the Federal Reserve Board report “Consumers and Mobile Financial Services 2013,” in the United States “48 percent of smartphone owners have used mobile banking in the past 12 months, up from 42 percent in December 2011.” Of that 48 percent,

“Nearly half of mobile banking users appear to be using mobile apps to conduct their banking transactions, as 49 percent have installed such applications on their phones.”

Eset revealed that a bad app it discovered in September 2013 -- Hesperbot -- is actually a mobile banking Trojan along the lines of Zeus and SpyEye, but with significant implementation differences that make it a new malware family (Computerworld, Sept. 9, 2013).

According to F-Secure (crn.com):

A banking Trojan believed to have stolen millions from victims' accounts also has surfaced on Android devices. The Carberp Trojan steals online banking credentials or usernames and passwords for other websites.

The mobile version, called Citmo.A, monitors incoming SMS and steals the mobile Transaction Authentication Number (mTAN) that banks send to customers to validate an online banking transaction. The cybercriminals behind the malware then use the stolen mTAN to drain victims' accounts, F-Secure said.

The technique is similar to the Zeus Man in the Mobile (Mitmo), an extension of the Windows-based Zeus Trojan, which records the mTAN number sent to Android users. The mobile version of Zeus surfaced in 2010. To get the malware on the user's device, the malware writers inject a phony security notice into the banking session asking the customer for their phone model and number. An SMS link is sent to the victim adding the malware component to the device, F-Secure said.
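The over-broad permission requests discussed in the permissions section (the flashlight app collecting geolocation and device identifiers) and the mTAN interception described in the F-Secure quote above both leave traces in an app's manifest. The following Python audit, added here as an example and not code from the page or from any vendor it quotes, scores a decoded AndroidManifest.xml on both patterns; the sample manifests, package names, receiver names and the risk thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS            # ElementTree spelling of the android: prefix
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that a single-purpose utility (flashlight, game, wallpaper) has no
# functional reason to hold; each maps to what the grant actually hands over.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse geolocation",
    "android.permission.READ_PHONE_STATE": "persistent device identifiers",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "stored SMS, including bank mTAN codes",
    "android.permission.RECEIVE_SMS": "incoming SMS, including bank mTAN codes",
    "android.permission.SEND_SMS": "outgoing SMS (premium-rate fraud)",
}
SMS_PERMS = {p for p in SENSITIVE if p.endswith("_SMS")}


def audit_manifest(xml_text):
    """Audit a decoded AndroidManifest.xml (as text) and return a report dict.

    The binary manifest inside an APK must be decoded first (e.g. with apktool);
    this function only handles the plain XML form.
    """
    root = ET.fromstring(xml_text)
    report = {
        "package": root.get("package", "?"),
        "findings": [],
        "sms_perms": set(),
        "sms_interceptor": False,
    }
    for elem in root.iter("uses-permission"):
        perm = elem.get(A + "name", "")
        if perm in SENSITIVE:
            short = perm.rsplit(".", 1)[-1]
            report["findings"].append("requests %s: %s" % (short, SENSITIVE[perm]))
            if perm in SMS_PERMS:
                report["sms_perms"].add(short)

    # mTAN stealers (Citmo, Zeus-in-the-Mobile) register a receiver for
    # SMS_RECEIVED with a high priority so the bank's code reaches them before
    # the messaging app does; the receiver can then swallow the broadcast.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(flt.get(A + "priority", "0"))
                report["findings"].append(
                    "receiver %s listens for SMS_RECEIVED at priority %d"
                    % (receiver.get(A + "name", "?"), priority))
                if priority > 0:
                    report["sms_interceptor"] = True
    return report


def risk_level(report):
    """Collapse a report to low / medium / high for triage (assumed thresholds)."""
    if report["sms_interceptor"] and "RECEIVE_SMS" in report["sms_perms"]:
        return "high"          # has both the permission and the hook to use it
    if report["findings"]:
        return "medium"        # over-broad for a utility app: data harvesting
    return "low"


# Constructed sample manifests; neither belongs to any real application.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="%s"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Torch">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>""" % ANDROID_NS

FAKE_STORE_MANIFEST = """<manifest xmlns:android="%s"
    package="com.example.fakeplay">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play">
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for text in (FLASHLIGHT_MANIFEST, FAKE_STORE_MANIFEST):
        rep = audit_manifest(text)
        print(rep["package"], risk_level(rep))
        for finding in rep["findings"]:
            print("  -", finding)
```

The flashlight sample scores medium (location plus device identifiers with no plausible use), the fake store sample scores high (RECEIVE_SMS together with a priority-999 SMS_RECEIVED receiver).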

According to McAfee, in June 2013 an Android banking Trojan that replaces popular South Korean banking apps with malware was found in the wild:

This threat steals sensitive information and banking credentials to perform financial fraud. Like other mobile threats in South Korea (like Smsilence), this one uses “smishing” (SMS phishing) attacks that employ fake messages from the Financial Services Commission asking users to install new antimalware protection. However, when the user clicks on the shortened URL, what is being downloaded is in fact malware, which masquerades as the Google Play app, using the same icon (but without a label).

If the victim executes the malware, it checks whether any of the following South Korean banking apps are installed: KB Kookmin Card (from the biggest credit card company in the country), IBK (Industrial Bank of Korea), Shinhan Bank, Nonghyup Bank, Woori Bank, SC First Bank (currently not available in Google Play), Hana Bank and KFCC (Korean Federation of Community Credit Cooperatives). If the malware finds one or more of them, it checks whether the device is rooted, to perform a silent uninstall of the banking application by executing the following commands with root (superuser) privileges:

If the user does not have the device rooted (the su binary is not present), the fake Google Play app asks to uninstall the legitimate banking app and, in exchange, offers the installation of another app (even if the user already granted root privileges) with the same icon but requesting very suspicious permissions:


Privacy implications of Android smartphones and tablets: You are like a bug under the microscope

Android smartphones are very powerful devices, and abuse of those devices' capabilities, both by major players such as Google and Facebook for private gain and by the government, is a serious concern.

Smartphones have the ability to record the location of Wi-Fi access points encountered as phone users move around, to build databases containing the physical locations of hundreds of millions of such access points. These databases form electronic maps used to locate smartphones, allowing them to run apps like Foursquare, Google Latitude and Facebook Places, and to deliver location-based ads. Third-party monitoring software such as TaintDroid, an academic research project, can in some cases detect when personal information is being sent from applications to remote servers.

Recently another source of security problems for Android was revealed by the publication of materials about the PRISM program by Snowden. That undermines confidence in the platform, as there is no guarantee that all your voice and data streams are not being written to some remote NSA server, and, adding insult to injury, not without Google's help. That violates the idea of "no arbitrary searches", which is a cornerstone of the Western legal system.

That does not increase confidence in the platform, but the two other major platforms (iPads and Windows 8 based tablets) suffer from the same problem: all can contain NSA backdoors and Skype monitoring tools installed without user consent. See Cloud providers as intelligence collection hubs.

Those activities raise the question of human rights. According to the article Human rights in the United Kingdom (Wikipedia):

No arbitrary searches or seizures

Protection against arbitrary searches and seizures overlaps with the rights to liberty, privacy and natural justice. In English law, the right to be free of arbitrary searches and seizures is found mainly in the legislation regulating the powers of the police to conduct searches and take evidence. Therefore, under the Police and Criminal Evidence Act 1984, a constable's right to stop and search persons and vehicles is limited by section 2, as are the powers of a Justice of the Peace to authorise the entry and search of premises. In addition, section 60 of the Criminal Justice and Public Order Act 1994 allows a senior police officer to authorise all police officers in a locality to stop and search any pedestrian or vehicle where the officer has grounds for believing that the individual is carrying an 'offensive weapon' or a 'dangerous instrument'. In 1998 this legislation was extended to allow the officer to require the person to remove clothing worn for the purpose of concealing his identity, and to confiscate that article of clothing. Special extended powers also apply in the case of terrorist suspects.

In civil cases, a judge may grant an Anton Piller order authorising the search of premises and seizure of evidence without prior warning. The order's purpose is to prevent the destruction of incriminating evidence, particularly in cases of alleged intellectual property infringement (see the French Saisie-contrefaçon, which has the same purpose).

Right to respect for private and family life

An individual's right to respect for his or her private or family life is protected insofar as the activity being pursued has not been outlawed or restricted by the state. In that respect, the fact that an individual has consented to the performance of an act which would otherwise be unlawful does not change the status of the act; thus, in a case involving acts of sado-masochism committed in private between two consenting adults, the House of Lords held that the victim's consent to the acts did not afford their author a defence to charges under the Offences against the Person Act 1861.[13]

Similarly, an individual is free to make choices as to his private life, for example in pursuing homosexual relationships, but the law may not in certain circumstances intervene to ensure that his status and rights are not affected as a result of these choices. In R v. Ministry of Defence, ex p. Smith the Court of Appeal upheld the Ministry of Defence's policy not to admit homosexuals to the armed forces;[14] the claimants later brought a case before the European Court of Human Rights which found violations of Articles 8 and 13. The Court of Appeal held in another case that it was reasonable for the parents of a child up for adoption to refuse consent to adoption on the ground that the proposed adopter is a lesbian.[15]

The right to respect for family life is qualified by the broad principle that the welfare of the child is paramount and parental rights must take second place. As expressed by Lord Scarman, "parental rights are derived from parental duty and exist only so long as they are needed for the protection of the person and property of the child", and by Lord Fraser, "parental rights to control a child do not exist for the benefit of the parent".[16] The effect of this is to allow state intervention in family life where justified in the interests of the child in question, and the Children Act 1989 gives effect to this by providing a basis on which decisions relating to a child's welfare are made. Section 1 of the Act provides that a court must, when taking a decision with regard to a child, take into account the child's wishes and feelings.

There is no general right to marry.[17]



Old News ;-)

[Sep 22, 2018] Google admits it lets hundreds of third party apps read your emails by Valentin Wolf

Notable quotes:
"... "so long as they are transparent with the users about how they are using the data." ..."
"... In practice, this means that any app that shares your private data with advertisers must disclose this fact in their privacy policy. This is seen first in a pop-up box that includes a note that the app wants permission to "read, send, delete and manage your email." However, information about the marketers this data is shared with can often be more difficult to find. ..."
"... In their letter to the company, the senators claim that one marketing company, Return Path Inc, read the private contents of 8,000 emails to train its AI algorithms. ..."
"... "not limited to your name, email address, username and password." ..."
"... At least 379 apps available on the Apple and Android marketplaces can access users' email data. In Google's letter to Congress, the firm declined to say when, if ever, it has suspended an app for not complying with its rules. ..."
"... Google itself has mined users' emails since Gmail was launched in 2004, but announced last year that it would stop the practice, amid privacy concerns and a federal wiretapping lawsuit. ..."
"... "discuss possible approaches to safeguarding privacy more effectively." ..."
"... Everything you've ever searched for on any of your devices is recorded & stored by Google https://t.co/8KGgO0xT92 ..."
Sep 20, 2018 | www.rt.com

Omnipresent tech giant Google told US senators that it lets third-party apps read data from Gmail accounts and share this information with marketers, even though Google itself allegedly stopped this practice last year. In a letter sent to the lawmakers in July and made public on Thursday, Google said that developers may share your data with third parties for the purposes of ad-targeting, "so long as they are transparent with the users about how they are using the data."

In practice, this means that any app that shares your private data with advertisers must disclose this fact in their privacy policy. This is seen first in a pop-up box that includes a note that the app wants permission to "read, send, delete and manage your email." However, information about the marketers this data is shared with can often be more difficult to find.


Google's letter came in response to a request by Republican senators for information about the scope of the email content accessible to these third parties. In their letter to the company, the senators claim that one marketing company, Return Path Inc, read the private contents of 8,000 emails to train its AI algorithms.

Return Path told the Wall Street Journal at the time that, while it did not explicitly ask users whether it could read their emails, permission is given in their user agreements, which state that the company collects personal information including but "not limited to your name, email address, username and password."

At least 379 apps available on the Apple and Android marketplaces can access users' email data. In Google's letter to Congress, the firm declined to say when, if ever, it has suspended an app for not complying with its rules.

Google itself has mined users' emails since Gmail was launched in 2004, but announced last year that it would stop the practice, amid privacy concerns and a federal wiretapping lawsuit.

Now, privacy officials from Google, Apple and Amazon are preparing to travel to Capitol Hill next week, for a Commerce Committee hearing . There, the tech companies will be asked to "discuss possible approaches to safeguarding privacy more effectively."

Everything you've ever searched for on any of your devices is recorded & stored by Google https://t.co/8KGgO0xT92

-- RT (@RT_com) March 30, 2018

The hearing is another in a series of grillings faced by the tech industry since the Cambridge Analytica privacy scandal revealed in March that Facebook allowed a third party to collect personal information on millions of users. Google CEO Larry Page was invited to a Senate Intelligence Committee hearing on political bias, foreign interference and privacy on tech platforms earlier this month, but declined to show up, sending a written testimony instead.


[Sep 07, 2018] Android Bug Allows Geolocation Tracking of Users

Sep 07, 2018 | yro.slashdot.org

(duo.com) Trailrunner7 writes: Researchers have discovered a weakness in all versions of Android except 9, the most recent release, that can allow an attacker to gather sensitive information such as the MAC address and BSSID name and pinpoint the location of an affected device. The vulnerability is a result of the way that Android broadcasts device information to apps installed on a device. The operating system uses a mechanism known as an intent to send out information between processes or applications, and some of the information about the device's WiFi network interface sent via a pair of intents can be used by an attacker to track a device closely.

A malicious app -- or just one that is listening for the right broadcasts from Android -- would be able to identify any individual Android device and geolocate it. An attacker could use this weakness to track a given device, presumably without the user's knowledge. Although Android has had MAC address randomization implemented since version 6, released in 2015, Yakov Shafranovich of Nightwatch Cybersecurity said his research showed that an attacker can get around this restriction.

[Oct 21, 2017] Samsung DeX Promises to Bring the Linux PC Experience to Your Mobile Device

Oct 21, 2017 | news.softpedia.com

Samsung announced Samsung DeX earlier this year as a way for users to transform their mobile phones into full-fledged desktops or workstations by attaching a monitor, mouse, and keyboard. DeX is currently limited to the Galaxy S8 and S8+, as well as the Note 8, bringing you a desktop-like experience powered by your smartphone.

And now, Samsung wants to expand the DeX's capabilities by introducing "Linux on Galaxy," a new concept promising to bring the Linux PC experience to your mobile device. Linux on Galaxy comes in the form of an app that you can install on your smartphone to run multiple Linux-based operating systems.

"Although it's in a trial phase, Linux on Galaxy is our innovative solution to bring the Linux experience on PC to mobile, and then further onto a larger display with Samsung DeX. Now developers can code using their mobile on-the-go and with Samsung DeX, and can seamlessly continue the task on a larger display," says Samsung.

Developers will be able to use their favorite GNU/Linux distro

With the Linux on Galaxy app, developers will be able to use their favorite GNU/Linux distribution on their mobile devices. When using Samsung DeX with Linux on Galaxy, users can also run Linux apps that aren't available on their smartphones, which run Google's Android mobile operating system, also powered by the Linux kernel.

Best of all, Samsung Linux on Galaxy will enable developers to use a fully functional development environment to create content on a big screen, all powered by their Samsung S8/S8+ or Note 8 devices. At the moment, Linux on Galaxy is in heavy development, but you can find out more about it at seap.samsung.com/linux-on-galaxy .

[Sep 17, 2017] Android stops glitchy apps by detecting your panicky presses

Notable quotes:
"... So far the feature, spotted by XDA Developers , has appeared in some, but not all devices with Android 7.1 Nougat. ..."
"... Google hasn't said anything about the feature-- XDA just happened to discover the code in a recent build of Android 7.1. Essentially, it listens for back button presses, and if enough of them happen (four to be exact) in rapid succession (with less than a third of a second delay) then Android will override the app and bring back the home screen. This could apply to apps that just freeze, but also to rogue software that tries to intercept any and all actions, like malware or adware. ..."
Jul 11, 2017 | access.redhat.com
If you can't dismiss an app by pressing the "back" button, it may just be a glitch or crappy app, but it could also be something much worse. That's why Google has quietly slipped in a new Android feature called "panic detection" that can preemptively close an app if you stab at the back button multiple times. So far the feature, spotted by XDA Developers, has appeared in some, but not all devices with Android 7.1 Nougat.

Google hasn't said anything about the feature -- XDA just happened to discover the code in a recent build of Android 7.1. Essentially, it listens for back button presses, and if enough of them happen (four to be exact) in rapid succession (with less than a third of a second delay) then Android will override the app and bring back the home screen. This could apply to apps that just freeze, but also to rogue software that tries to intercept any and all actions, like malware or adware.

It's a smart idea, because what's the first thing you do when you can't make an app go away? Frantically pressing the back key is probably the first thing, so that will kill the app and allow you to uninstall or disable it until you figure out the problem.

You'll have to enable the feature to get it to work, apparently. Google seems to be rolling it out on a limited basis, and may in fact just be testing it, so it may be some time before it ends up on your device.
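The heuristic the article describes (four back presses, each less than a third of a second after the previous one) is simple enough to model as a small state machine. The simulation below is an added example written for this page; it is not code from the article, from XDA Developers or from AOSP, and the exact thresholds, the "streak restarts on a slow press" rule and the "one event per streak" reset are assumptions stated in the comments. The press timings are constructed, not captured from a device.

```python
"""Simulation of a 'panic detection' heuristic for repeated back presses.

Added example, not code from the original article, XDA or AOSP. It models the
behaviour the article describes (four back presses, each less than a third of a
second after the previous one) as a small state machine. The thresholds and the
reset rules below are assumptions, not the real AOSP implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PanicDetector:
    """Counts rapid back presses and reports when the panic threshold is hit."""
    required_presses: int = 4        # assumption: the "four to be exact" quoted by the article
    max_gap_s: float = 1.0 / 3.0     # assumption: "less than a third of a second delay"
    _count: int = field(default=0, init=False)
    _last_press: Optional[float] = field(default=None, init=False)

    def on_back_press(self, t: float) -> bool:
        """Feed one back-press timestamp (seconds); return True when panic is detected."""
        if self._last_press is not None and (t - self._last_press) < self.max_gap_s:
            self._count += 1
        else:
            # First press, or too slow: the streak restarts with this press.
            self._count = 1
        self._last_press = t
        if self._count >= self.required_presses:
            self.reset()          # assumption: one panic event per streak, then start over
            return True
        return False

    def reset(self) -> None:
        self._count = 0
        self._last_press = None


def first_panic_index(presses: List[float],
                      detector: Optional[PanicDetector] = None) -> Optional[int]:
    """Return the index of the press that triggers panic, or None if none does."""
    det = detector or PanicDetector()
    for i, t in enumerate(presses):
        if det.on_back_press(t):
            return i
    return None


# Constructed press timings in seconds (not recorded from a real device).
FRANTIC = [0.00, 0.20, 0.40, 0.60, 0.80]             # 0.2 s apart: panic on the 4th press (index 3)
DELIBERATE = [0.00, 0.50, 1.00, 1.50, 2.00]          # 0.5 s apart: never panics
ALMOST = [0.00, 0.20, 0.40, 1.00, 1.20, 1.40, 1.60]  # streak broken at index 3, panic at index 6


if __name__ == "__main__":
    for name, seq in [("frantic", FRANTIC), ("deliberate", DELIBERATE), ("almost", ALMOST)]:
        print(f"{name:10s} -> panic at press index {first_panic_index(seq)}")
```

The ALMOST sequence shows the failure mode that matters for a heuristic like this: a single slow press resets the streak, so an app that swallows back presses is only overridden when the user really hammers the key, which keeps false positives low for ordinary navigation.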

[Aug 11, 2017] Amazon Takes Privacy Stand by Slapping Down Blu for Pre-Loading Spyware by Brady Dale

Notable quotes:
"... it detected devices sending data about call history, text messages, the unique identifier of the mobile service subscriber, the device's unique identifier and call histories. ..."
"... It also found evidence that the software specifically searched text messages for key words and sent full text messages back to Adups servers in China. ..."
"... In May 2017 on the Cubot X16S device, we observed the user's call log, text message metadata, browser history, list of installed apps, list of apps used and unique device identifiers being exfiltrated by Adups," Kryptowire's Tom Karygiannis wrote the Observer in an email. ..."
Aug 01, 2017 | observer.com

In its November report, Kryptowire wrote that it detected devices sending data about call history, text messages, the unique identifier of the mobile service subscriber, the device's unique identifier and call histories.

It also found evidence that the software specifically searched text messages for key words and sent full text messages back to Adups servers in China. These messages were encrypted, but Kryptowire was able to find the key and decrypt them.

Since the Kryptowire finding, Adups has reported that it is no longer collecting personally identifiable information, but Kryptowire told Black Hat attendees that it has continued to observe the same behavior, though more carefully hidden and not necessarily on Blu devices.

In a November statement , Adups explained the searching and parsing of users' text messages by saying it had created an application to screen and block promotional messages. It wrote, "In response to user demand to screen out junk texts and calls from advertisers, our client asked Adups to provide a way to flag junk texts and calls for users. [The] application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."

Blu devices aren't the only ones to carry the Adups software, and Kryptowire has noted that it behaves differently from device to device. Another maker of cheap Android phones, Cubot, also uses Adups software. " In May 2017 on the Cubot X16S device, we observed the user's call log, text message metadata, browser history, list of installed apps, list of apps used and unique device identifiers being exfiltrated by Adups," Kryptowire's Tom Karygiannis wrote the Observer in an email.

On Wednesday, Kryptowire released additional technical details, describing tests from May on Blu Grand M, LifeOne X2 and Advance 5.0 devices.

Subsequent to the Black Hat presentation, Amazon has closed off sales for the complete line of Blu Android phones ...

[Jul 28, 2017] Google Uncovers, Blocks Malware Possibly Used To Spy On Android Users

Jul 28, 2017 | www.msn.com
discovered and blocked a new family of Android malware developed by a cyber arms company that may have its roots in state-sponsored spying efforts.

The malware, known as Lipizzan, contained references within its code to an Israeli tech firm called Equus Technologies, which offers "tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations."

In the Android Developers Blog , Megan Ruthven of Android Security and Ken Bodzak and Neel Mehta of Google's Threat Analysis Group detailed the malicious software, which they called a "multi-stage spyware product."

The researchers found Lipizzan had the ability to monitor and steal communications from the device. The malware could hijack a user's email, SMS messages, location information, voice calls and local media. It could also snap screenshots of the user's device and hijack the camera to take pictures or record video.

When active, Lipizzan could steal data from a number of apps including Gmail, Google Hangouts, LinkedIn, Facebook Messenger, Skype, Snapchat, popular messaging platforms like WhatsApp and Viber and encrypted communications app Telegram.

Most troubling about Lipizzan was that it was found in apps on the Google Play Store disguised as legitimate apps. The malware was most often found in apps posing as popular utilities with names like "Backup" or "Cleaner." A second wave of apps containing the malware posed as notepad, sound recorder, and alarm manager apps.

When a user would install one of the infected apps, the app would begin to download a "license verification" that would examine the device. If the handset met certain criteria, the second stage of Lipizzan would kick in and root the device while establishing a connection to the Command and Control server operated by malicious actors to send back files and recordings.

While the spyware was available to download through apps in the Google Play Store, Google reported very few instances in which infections were found. According to the company's findings, fewer than 100 devices had the malicious apps installed on their devices. Google claimed that would make the infection rate only 0.000007 percent.

Lipizzan and the apps that contain it have been removed from the Google Play Store, and Google recommends users make use of Google Play Protect , a security suite for Android devices.

Google also advised users to download apps exclusively from the Google Play Store rather than from third-party app stores and to disable installations from unknown sources. The search giant also suggested keeping devices up to date with the most recent security patch.

While Google may have caught and eliminated Lipizzan, the company has run into a fair amount of malware slipping through the cracks of its Google Play Store. Earlier this year, an adware scheme managed to infect 40 million phones through Google's official marketplace.

[Jun 17, 2017] How governments devise custom implants to bug smartphones

Jun 17, 2017 | arstechnica.com
Citizen Lab, the University of Toronto group that monitors government surveillance in the digital age, analyzed the recently discovered instance of the fake Qatif Today app in a blog post headlined Police Story: Hacking Team's Government Surveillance Malware. The account provides a rare glimpse into malware developed by "Hacking Team," a highly secretive outfit based in Italy that charges governments top dollar for extremely stealthy spyware that's often referred to as a "lawful intercept" program.

The Trojan is known as an Android implant because it cloaks itself inside a legitimate third-party app. People who are infected with it must first be tricked into obtaining the Android installation package (APK) from a non-authorized source, which in this case was this now-shuttered Dropbox location. Aside from that, victims may have little indication anything is amiss. To lend it legitimacy, the malicious APK was signed by a digital certificate that appeared to be related to Java and its original creator Sun Microsystems. Citizen Lab identified six other samples signed by the same certificate.

Once installed, the app establishes contact with command and control servers located at 91.109.17.189 and 106.186.17.60, which are addresses Citizen Lab has seen used in previous Hacking Team campaigns. The implant also attempts to break out of its Android-imposed security sandbox by exploiting a vulnerability in older Android versions on specific handsets that allows apps to gain unfettered root privileges.

The trojan next tries to access local files stored by a variety of social media, chat, and call apps including Facebook, Viber, WhatsApp, Skype, LINE, and QQ. The app has audio recording, camera, video, key logging, and "live mic" capabilities, as well as a "crisis" module that provides anti-analysis functionality. The researchers also found evidence of what appears to be location, screenshot-taking, and browsing activity modules. The implant even seems to have a filter to specify date ranges to narrow the mail and text messages it sends back to the control servers. (It's not clear what happens when the app runs on Android versions that have patched the rooting vulnerability.)

"We also see information about how the implant exfiltrates data, along with its C2 servers," Tuesday's post reported. "Interestingly, it appears that the implant is capable of monitoring the devices' connectivity (e.g. Wi-Fi, cellular network), choosing connection type, and rate limiting the bandwidth. Note that these are the same servers we observed in the implant's network communications."

The Citizen Lab researchers provided an overview of the remote control system (RCS) architecture that works with Android trojans and trojans for other platforms. The architecture relies on a series of system administrators, technicians, and analysts to funnel information pulled off an infected device to the interested parties. Unverified screenshots an anonymous person provided to Citizen Lab show RCS works on computers running Windows, Mac OS X, or Linux.

Citizen Lab

It comes with a dazzling number of capabilities, including:

Citizen Lab researchers wrote:

The implant ("agent") offers one-click functionality for requesting information from target devices. Technicians are encouraged to add functionality as needed.

... ... ...

[Figure: Selection of available surveillance modules]

Other Capabilities

Once an implant is operational its collection operations can be updated. In addition files can be sent to and received from the device.

In addition, implants have a default cap on "evidence" space of 1GB on the target device. Recording of new material stops when the space is reached. Operators also have the ability to delete not-yet-transmitted data on the device.

Programs such as RCS are marketed to governments as legitimate wares, but Citizen Lab points out that many countries have few legal guidelines and little oversight for the way they're used.

"In light of the absence of guidelines and oversight, together with its clandestine nature, this technology is uniquely vulnerable to misuse," the report warns. "By analyzing the tools and their proliferation at the hands of companies like Hacking Team and Gamma Group, we hope to support efforts to ensure that these tools are used in an accountable way, and not to violate basic principles of human rights and rule of law."

Jun 24, 2014 9:47 PM

Quote:
The implant also attempts to break out of its Android-imposed security sandbox by exploiting a vulnerability in older Android versions that allows apps to gain unfettered root privileges.

According to your link Dan, this affects only the Samsung Galaxy S3 or anything with Samsung's Exynos chipset. It isn't an Android root exploit in general. It's already been patched a year ago.

This is more interesting because all android apps are signed and if an app wished to update an app already installed (and with the same name, otherwise it will show up as a separate app), it has to have a matching signature.

MatthewSleeman , Ars Praetorian Jun 24, 2014 10:34 PM
aleph_nought wrote:
When does lawful intercept cross the line into total surveillance? Post-Snowden, the concept of lawful intercept has no meaning when everything can be intercepted and used at a later time.

Better question: How is this lawful to begin with? Unless they set things up so that, in theory, only terrorists and other *valid* targets of surveillance download the app, I don't see how it could be given the uproar over the stuff Snowden released
goretsky , Smack-Fu Master, in training Jun 25, 2014 12:33 AM
Hello,

The SHA-256 hash for the file is 8e64c38789c1bae752e7b4d0d58078399feb7cd3339712590cf727dfd90d254d .

According to this VirusTotal report, this program is currently detected by the following programs:

Avira AntiVir - Android/FakeInst.ES.4
Baidu-International - Trojan.Android.FakeInst.bES
ESET - a variant of Android/Morcut.A
Kaspersky - HEUR:Trojan-Spy.AndroidOS.Mekir.a
ThreatTrack VIPRE - Trojan.AndroidOS.Generic.A

Five out of fifty-three programs, or a little under 10%. I'm sure the detection rate will go up in the next 24 hours to (or at least, near) 100%, though.

Regards,

Aryeh Goretsky

Pueo , Smack-Fu Master, in training Jun 25, 2014 3:48 AM
MatthewSleeman wrote:
aleph_nought wrote: [...]
Better question: How is this lawful to begin with? Unless they set things up so that, in theory, only terrorists and other *valid* targets of surveillance download the app, I don't see how it could be given the uproar over the stuff Snowden released

Consider the likely target of the malware. It is someone using a news app focusing on a Saudi Arabian province. It assumes that the target will be connected in social media (Facebook and Whatsapp) and making international calls (Skype, QQ, and Viber). It was spread through twitter. This app is not targeting terrorists, it is targeting journalists and activists. Most likely it was produced for the security services of Saudi Arabia. If it's "lawful" for Saudi Arabia to jail and torture human rights activists I have no doubt they consider it "lawful" to spy on them as well. I doubt the monarchy is concerned with adding spying to its long list of human rights violations.

julienm , Wise, Aged Ars Veteran Jun 25, 2014 9:39 AM
Ostracus wrote:
MatthewSleeman wrote:
aleph_nought wrote: [...]
Better question: How is this lawful to begin with? Unless they set things up so that, in theory, only terrorists and other *valid* targets of surveillance download the app, I don't see how it could be given the uproar over the stuff Snowden released

Consider the likely target of the malware. It is someone using a news app focusing on a Saudi Arabian province. It assumes that the target will be connected in social media (Facebook and Whatsapp) and making international calls (Skype, QQ, and Viber). It was spread through twitter. This app is not targeting terrorists, it is targeting journalists and activists. Most likely it was produced for the security services of Saudi Arabia. If it's "lawful" for Saudi Arabia to jail and torture human rights activists I have no doubt they consider it "lawful" to spy on them as well. I doubt the monarchy is concerned with adding spying to its long list of human rights violations.

True, although I doubt they're the only country that would benefit from such a tool.

BTW when is the iOS version coming out? I can't imagine just running a different brand would provide the needed security?

There have been several stories about iOS malware used by government agencies.

some are using public jailbreak exploits to install:
http://blog.kaspersky.com/iphone-spyware/

others, aimed at high value targets, would use 0day flaws (browser exploits, PDF exploits,...).

so far, haven't heard of any such malware targeting WP7/8, but that's probably due to market share. Interestingly, such spying toolkits still have modules for Windows Mobile 6 (that might be explained by the fact it was much easier to develop malware on that old platform without sandboxing or modern memory protection features)

nonars , Smack-Fu Master, in training Jun 25, 2014 10:16 AM New Poster
All of these app permissions are shared by an Android app named "MobileTracker 1.0", which comes with many of the cell phones straight from the manufacturers. The full permission list of MobileTracker 1.0 is scary and this app cannot be disabled. It smells a lot like another CarrierIQ to me. Be aware of this app.

[Jan 26, 2017] That Old Phone Trump Uses for Twitter Could Be an Opening to Security Threats by Cecilia Kang

And what about regular users' Android insecurity? Isn't this a huge problem, with Google serving as a channel for spying on us?
Notable quotes:
"... "The absolutely minimum Trump could do to protect our nation is to use a secure device to protect him from foreign spies and other threats," said Senator Ron Wyden, a Democrat from Oregon on the Intelligence Committee. "It would be irresponsible in the extreme for the commander in chief to use an unsecure device that could be easily hacked or intercepted." ..."
"... "There are a lot of questions, but it is clear there are often vulnerabilities in our phones and internet systems - and it is critical that people take precautions to ensure their sensitive information is protected from hackers and other malicious actors," said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union. ..."
"... In 2009, President Barack Obama fought to become the first president with a smartphone; though he won, the use of a White House-issued secure device came with many rules. ..."
Jan 25, 2017 | www.nytimes.com

President Trump has carried his Twitter habit into his presidency. He has also brought with him another tech habit that is causing concern.

Mr. Trump has been using his old, unsecured Android phone to post on Twitter since moving to Washington late last week.

The president's desire to use his old, personal smartphone raises concerns that its use could be exposing him and the nation to security threats.

He is using the Android smartphone mainly to post on Twitter, not to make calls. But it's unclear what security measures have been put in place on the device and how vulnerable he could be to someone stealing data or breaking into his Twitter account.

The White House did not respond to a request for comment.

Twitter requires a connection to the internet, which exposes the device to security vulnerabilities if proper measures like two-factor authentication - a password and a code texted to a phone, for example - are not in place. If he uses the smartphone on an unsecure Wi-Fi network, he could be exposing his location and other personal information on the device.

"The absolutely minimum Trump could do to protect our nation is to use a secure device to protect him from foreign spies and other threats," said Senator Ron Wyden, a Democrat from Oregon on the Intelligence Committee. "It would be irresponsible in the extreme for the commander in chief to use an unsecure device that could be easily hacked or intercepted."

Among the concerns by security experts:

"There are a lot of questions, but it is clear there are often vulnerabilities in our phones and internet systems - and it is critical that people take precautions to ensure their sensitive information is protected from hackers and other malicious actors," said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union.

The president's use of the personal device is particularly notable given his criticism of Hillary Clinton for using a personal email address and server when she was secretary of state.

In 2009, President Barack Obama fought to become the first president with a smartphone; though he won, the use of a White House-issued secure device came with many rules.

"As president, he is the biggest sitting target in the world," said Kevin Bankston, the director of New America's Open Technology Institute.

[Dec 26, 2016] Malware Found In the Firmware of 26 Low-Cost Android Models

Dec 26, 2016 | it.slashdot.org
(bleepingcomputer.com) Posted by msmash on Tuesday December 13, 2016 @11:12AM from the security-woes dept.

An anonymous reader writes:

Security researchers have found malware hidden in the firmware of several low-end Android smartphones and tablets , malware which is used to show ads and install unwanted apps on the devices of unsuspecting users. 26 Android device models have been found to be vulnerable. The common link between all these devices is that all are low-cost devices, mostly marketed in Russia, and which run on MediaTek chipsets.

According to security researchers from Dr.Web , a Russian antivirus vendor, the malware appears to have been added to the firmware by "dishonest outsourcers who took part in [the] creation of Android system images decided to make money on users." The security firm has informed MediaTek and the device vendors about this issue so the affected companies can inspect their distribution chain and find the possible culprits.

[Dec 26, 2016] Barnes Noble's Latest Tablet Is Running Spyware From Shanghai

Dec 26, 2016 | news.slashdot.org
(linuxjournal.com) Posted by BeauHD on Tuesday December 20, 2016 @07:45PM from the buyer-beware dept.

Long-time Slashdot reader emil writes about how ADUPS, an Android "firmware provisioning" company specializing in both big data collection of Android usage and hostile app installation and/or firmware control, has been found pre-loaded on Barnes and Noble's new $50 tablet:

ADUPS was recently responsible for data theft on BLU phones and an unsafe version of the ADUPS agent is pre-loaded on the Barnes and Noble BNTV450 . ADUPS' press releases claim that Version 5.5 of their agent is safe, but the BNTV450 is running 5.2. The agent is capable of extracting contacts, listing installed apps, and installing new apps with elevated privilege. Azzedine Benameur, director of research at Kryptowire, claims that " owners can expect zero privacy or control while using it ."

[Dec 26, 2016] More Than 1 Million Android Devices Rooted By Gooligan Malware

Dec 26, 2016 | tech.slashdot.org
(onthewire.io) Posted by msmash on Wednesday November 30, 2016 @12:25PM from the security-woes dept.

Reader Trailrunner7 writes: A new version of an existing piece of malware has emerged in some third-party Android app stores, and researchers say it has infected more than a million devices around the world, giving the attackers full access to victims' Google accounts in the process. The malware campaign, known as Gooligan, is a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud.

The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that's not the main concern for victims. The Gooligan malware also employs exploits that take advantage of several known vulnerabilities in older versions of Android, including KitKat and Lollipop, to install a rootkit that is capable of stealing users' Google credentials. Although the malware has full remote access to infected devices, it doesn't appear to be stealing user data, but rather is content to go the click-fraud route. Most users are being infected through the installation of apps that appear to be legitimate but contain the Gooligan code, a familiar infection routine for mobile devices.

[Dec 12, 2015] Top Tips For Android Security By Matt Hartley

Sep 21, 2015 | Datamation

My recommendation is doing this with the apps that will never need to connect to the Internet when not at home. This includes file managers and apps that you would never think to connect to the Internet in the first place. While it doesn't prevent malware or data leaks specifically, this practice can help you to troubleshoot potentially bad apps.

As a general rule, I recommend always restricting apps from using mobile data unless it's necessary. Others might point you to using software firewalls. Instead I prefer using a carefully thought-out hardware firewall on my LAN with logging. If something besides the allowed ports is being used for that device, the ports will be blocked. This practice might not stop crazy ads and other ad-related weirdness, but it could prevent other more dangerous surprises by restricting port access at the network level.

The problem I have with Android firewalls is that many of them are by no-name companies which I've never heard of. They ask for heavy permissions and their support email is an @gmail.com address. Personally, I don't find that all that secure. I'd much rather have some control over which apps are connecting to the Internet. I may grant some exceptions (SMS apps, etc.), but I keep a tight leash otherwise.
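The LAN-side practice described above (log everything the phone sends out at the router, compare it against the short list of ports that device is expected to use, and look at the rest) can be automated. The following is an added example, not code from the Datamation article: it parses constructed iptables-style LOG lines, applies a per-device allowlist of (protocol, destination port) pairs, and reports the flows that fall outside it, so that a phone suddenly talking to an unexpected port stands out.

```python
import re
from collections import defaultdict

# Constructed sample of router LOG output (iptables/nftables "LOG" target
# style). Addresses and ports are made up for this example; 192.168.1.42
# plays the role of the Android phone being watched.
SAMPLE_LOG = """\
Oct 21 20:01:02 gw kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443
Oct 21 20:01:05 gw kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.11 PROTO=UDP SPT=51001 DPT=53
Oct 21 20:01:09 gw kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=8080
Oct 21 20:01:10 gw kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.7 PROTO=TCP SPT=51003 DPT=8080
Oct 21 20:02:30 gw kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.42 DST=192.0.2.99 PROTO=TCP SPT=51004 DPT=6667
Oct 21 20:03:00 gw kernel: LAN-OUT IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=443
"""

# Per-device policy (assumed values): the (protocol, destination port)
# pairs this phone is expected to use. HTTPS, DNS and NTP only; anything
# else is worth investigating and, per the article's practice, blocking.
ALLOWED = {
    "192.168.1.42": {("TCP", 443), ("UDP", 53), ("UDP", 123)},
}

# Fields we need from a LOG line. SPT is optional so the same pattern also
# copes with lines that omit it; ICMP lines without DPT simply do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with ts/src/dst/proto/dpt, or None for lines we ignore."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].upper(),
        "dpt": int(m["dpt"]),
    }


def unexpected_flows(log_text, policy):
    """Map each watched device to {(proto, dst, dpt): hit_count} for flows
    that are not covered by that device's allowlist."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in policy:
            continue  # unparsable line, or a device we are not watching
        if (rec["proto"], rec["dpt"]) in policy[rec["src"]]:
            continue  # expected traffic for this device
        findings[rec["src"]][(rec["proto"], rec["dst"], rec["dpt"])] += 1
    return {src: dict(flows) for src, flows in findings.items()}


def report(findings):
    """Render findings as plain text lines, most frequent flow first."""
    lines = []
    for src, flows in sorted(findings.items()):
        lines.append(f"{src}: {len(flows)} unexpected destination(s)")
        for (proto, dst, dpt), n in sorted(flows.items(), key=lambda kv: -kv[1]):
            lines.append(f"  {proto} -> {dst}:{dpt}  ({n} packet(s) logged)")
    return lines


if __name__ == "__main__":
    for line in report(unexpected_flows(SAMPLE_LOG, ALLOWED)):
        print(line)
```

Correlating the timestamps of the reported flows with what you were doing on the phone at the time is how this narrows the suspect list down to a particular app.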

Restricting application installation

I'd love to tell you that every single application on the Google Play Store is well vetted. The truth is that isn't true – period. This means it's easier to get applications with more features than you might find on other platforms, but it also means you need to be careful about what you're installing.

The first rule of installing Android applications is to only do so from trusted sources. I'm not talking about installing apk packages vs Google Play. You need to know the source and company behind the application before trusting it completely. Like many of you, I've been known to make exceptions...but even then I'm careful about the permissions I grant the software.

To be clear, I would trust an apk package from a vendor's website I trust more than I would some random Google Play app that I know nothing about. Why? Because Google Play on its own merit doesn't promise security. There is still some user responsibility for maintaining a secure Android experience. That said, I would suggest you're safer downloading random apps on Google Play than some mysterious forum page's listed apk packages.

Public wifi and VPN

No matter what software you choose to install, more often than not the biggest security threat comes from your browser. When you're using a public wifi access point, you're taking a significant risk each time you login to anything important. Much of this is mitigated thanks to SSL and https secured websites, such as banking and some email websites. But there are still countless other sites out there where you could be sending your login credentials to anyone around you monitoring your connection.

I suggest looking into a reliable VPN service. There are some good ones, but I suggest doing your own research. Some might question how a VPN tunnel secures your Android device. I would submit that it provides an added layer of encryption to your online web browsing activities. And while the encryption ends on the other end of the tunnel, at least your activity isn't broadcasted to other users sharing the same public wifi access point.

... ... ...

Cassie October 26 2015 07:37 PDT

I am glad you mentioned that nothing is 100% secure as well. I think so many people expect to make their device completely hack-proof and that just cannot happen. As you mentioned, anything connected to the internet can be hacked, but you can do many things to make them harder to hack.

SecureThoughtsC October 05 2015 02:03 PDT

Great point about using a VPN, a lot of people don't know how vulnerable they are doing their banking at the local coffee shop. I do think security software is worth it, I am in the same camp as you there. It might not be bulletproof but I do believe something is better than nothing.

[Dec 06, 2015] Smartphone Secrets [Must Watch] - YouTube

The dangers of selling your old phone. The advice of experts is to never sell your old smartphone.

[Dec 06, 2015] Detecting And Removing Cell Phone Spyware

Old school phones are much safer bet...

[Dec 06, 2015] How to tell if your cell phone has spyware on it

A factory reset might help if you find something suspicious. Checking your bills carefully is also very important.
YouTube

Karen Handy 1 year ago

Mine is constantly turning on by itself, even had apps turn on, my data has been used up since the 1st and it takes me 3 wks to do that, it calls people on its own, I have 2 security apps and sometimes its icon disappears from the top of screen, my browser constantly fails, I can't access my employee email from my cell anymore, when I'm on FB I often have to "like" a post several times for it to take, same with sharing??

I've changed my SIM card and battery and am still having problems??

And it goes completely bonkers around my place of employment to the point that I either can't make or receive calls?? I just bought this phone in Feb/14 and it's the exact same one I had before that lasted a year!

I even got a call a month later telling me that my email had been hacked and got disconnected, when I called back it was one of those numbers that doesn't allow you to call back.....

Kasandra 4 months ago

+Karen Handy Hi Karen,

Did the issue get solved? What and who was it? If you don't mind my asking? Do you have any recommendations? Such as things to avoid? Some apps are pretty dodgy and also I accidentally click on ads that pop up often, especially from links on Facebook. Also I'm sure there are more people who can hack than we think, I think if you have your Bluetooth on it makes it easier?? Obviously they're not going to let on because then what would be the point in hacking. Are there any sure signs? Yours seem pretty legit.

Eddie Leal 1 year ago

Please forgive my ignorance folks but I am not up to speed with all the latest apps/gadgets and widgets for cell phones, but don't some cell phones come with the capability of re-formatting to factory default status? I always thought this meant that any/all programs that were not part of the original package with the phone would be wiped out from the phone's memory. I guess if you feel nervous about doing this yourself you could take it to a service center and pay through the nose to have this done. Heck! YouTube and Google are full of instructional videos/pdf files on how to accomplish this on your particular model phone. As far as what the gentleman in the video stated, I am not quite sure it is accurate to say that the carrier will do this for you. They typically sell you the phone but if you need technical support you have to go elsewhere...right?? Any ideas from the tech savvy folks out there? Please advise.

LTraveler83 3 years ago in reply to Виктор Марков

Check your phone bill when it comes in for any weird messages or downloads or even phone calls during that time. Treat electronic devices like the ears and eyes of your grandmother. This means if you wouldn't say it to her, you probably should type it or say it too close to anything that could be spied upon.

[Dec 06, 2015] Richard Stallman Freedom In your computer and in the net - YouTube

Some thoughts from RMS on the modern situation with software spying on users.

Farzin F 5 months ago

To the uploader: Regarding CC BY-ND: the MIT OpenCourseWare videos on YouTube use CC BY-NC. Yet, since there is no option for this, MIT chooses the standard YouTube license. That's probably the best choice. Not CC BY.

New Android Trojan Fakes Device Shut Down, Spies On Users

February 19, 2015

An anonymous reader writes A new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks, has been discovered and analyzed by AVG researchers. They dubbed it, and AVG's security solutions detect it as PowerOffHijack.

[Jul 18, 2014] Psst! Your phone is snooping on you. What you need to know and how to stop it – video

The Guardian

Revelations about the detailed location records stored on smartphones indicate just how much information companies including Apple and Google are able to gather.

But it's not just the phone-makers – apps on your phone are hungry for your personal info too. So is your phone snooping on you?

Here, we reveal what you need to know – and whether you can do anything about it.

Dogoodnow, 16 July 2014 12:04pm

Another problem with Android (as far as I can see, as implemented on an early Samsung Note) is that it keeps turning on apps that you have or think you have turned off or force closed.

Especially true of all the Google related material?

StockBet -> Dogoodnow, 16 July 2014 1:16pm

Watch the PBS documentary called "United States of Secrets" and what they said about Google.

fragilegorilla -> StockBet, 16 July 2014 1:23pm

There's also a very good documentary available on Netflix right now called "terms and conditions may apply".

It covers this constant snooping and what we actually sign away when we tick those little 'I accept' boxes.

http://www.imdb.com/title/tt2084953/

dourscot -> Dogoodnow, 16 July 2014 1:36pm

You can't stop or de-install Google's core apps on any mainstream Android device.

The only way around this is to use an open install like CyanogenMod.

tr1ck5t3r -> dourscot, 16 July 2014 2:04pm

CyanogenMod has had its own bugs that will facilitate snooping though. However, as the Play Store app is not installed by default, it's worth checking the terms and conditions when a CyanogenMod user installs it.

supermarine -> fragilegorilla, 16 July 2014 7:37pm

I've watched it…I was tickled by the revelation that a number of people had signed their souls to the devil.

Fred1, 16 July 2014 12:09pm

I really can't see the point of most Apps.

Sure WhatsApp and Viber are useful but the vast majority are just websites made for phones. And they're free so there's a catch.

I hate using WhatsApp and Viber because I know they're about as secure as using a microphone on a busy high street and the people behind them are mining the shit out of my data. However I use them because they're useful.

I just wish you could choose. Whore your data or pay for the service. The internet should be about getting £1 from billions of people but instead nowadays it's just about whoring data. It's most likely all bullshit like investing in sub-prime mortgages but hey, let's pretend this data has any value.

My approach is to download very few apps, never give my location, never use social media (because I don't understand why it exists) and never say anything vaguely interesting on WhatsApp, Viber or indeed CIF. If you don't believe me read this comment.

Westmorlandia -> KatyEB, 16 July 2014 12:12pm

Yes, and so many pre-installed, that you can't delete. Still I prefer it to my old iPhone.

This is easily the worst thing about Android - endless unwanted apps that take up storage space, use memory, and can't be removed. It's incredibly annoying - it's like they're stealing part of the phone I paid for.

Westmorlandia, 16 July 2014 12:11pm

Because of the opacity of the system, it's crying out for consumer protection regulation.

Unfortunately governments like collecting our data too, so are actually quite keen for this sort of data collection to go on.

pretendname -> Westmorlandia, 16 July 2014 12:24pm

Any reasonable left or right centre government would move to ban Google Glass immediately. But our government has tipped into fascism.

There is a reasonable argument that banning these devices would not be 'progressive'. By which they mean, you can't put a genie back in the bottle. But this is simply rationalising away fascism.

We ban or blacklist new technologies all the time, it's just that we've chosen not to deal with this one because it helps our government suppress anything they might see as seditious.

This wholesale surveillance of citizens is simply wrong. Just like secret trials and detention without charge.. is simply wrong.

afinch -> pretendname, 16 July 2014 1:23pm

Any reasonable left or right centre government would move to ban Google Glass immediately.

Eh? Do you think concealed cameras should be illegal? Telephoto lenses? Small microphones? Spy equipment far more covert, and far cheaper, than Google Glass has been available for decades.

What's liberal about banning an underpowered wearable camera that costs too much?

pretendname -> afinch, 16 July 2014 1:29pm

It's not the camera that's the problem with Google Glass.. It's that it's a network-enabled camera which is permanently switched on and recording, and is reporting your location and everything you see and hear to the government, and worse, a company.

Now if you restricted yourself to looking at members of your own family that's ok.. but if you're going to wear it on a bus, it's going to record not just your movements, but through facial recognition, the movements of everyone you see.

Can't you see any danger in that?

fallenrider -> pretendname , 16 July 2014 3:09pm

But it doesn't actually do that though does it?!

It records when you tell it to record, not constantly. But don't let facts get in the way of your paranoia, hey.

pretendname -> fallenrider, 16 July 2014 3:35pm

Have you been asleep for the last 2 years? Google has been actively working with the NSA to provide every single piece of information about you that they can.

But of course... I'll have to take your word for it because you are clearly a Google Employee on the Glass project.

Otherwise.. how would you know what it does or doesn't do?

LegoRemix -> pretendname, 16 July 2014 4:21pm

As has been repeated over, and over again. No tech company is actively working with the NSA. What happened is they got served National Security Letters that *force* their cooperation with government demands. If they don't comply, their business is shut down.

You can moan about a lot of other things tech companies do, but this is literally a 'gun to the back of the head' scenario for them

pretendname -> LegoRemix , 16 July 2014 4:26pm

I'm not sure...
Eric Schmidt has been attending Bilderberg for the last few years.
From that I surmise that he is fully on board.

But.. even if tech companies are forced into this, the result is the same. It is a bizarre situation in which, given full details and facts, people still deny reality.. even while it's happening.
You couldn't make it up.

Google Glass has a camera which is potentially permanently switched on.
That camera can be picking out faces, mapping those faces to some sort of engram, and HTTP-posting them off to Google with a location and date stamp, or storing that list of information locally for later upload.

If it can do it... Recent revelations seem to suggest it is doing it.

MtnClimber -> afinch, 16 July 2014 5:47pm

It's far worse now than before "smart phones". Before, spying was done on an individual basis. One person wanted to spy on another.

Now, with smartphones, everyone is under surveillance. Google Glass is an extension of the spy phones that we all carry. It is getting worse by the day.

robinaldlowrise -> LegoRemix, 16 July 2014 10:18pm

No tech company is actively working with the NSA.

Of course they aren't (cough). Nobody is working with the NSA. The NSA is an evil unto itself alone (cough).

Bluecloud, 16 July 2014 12:14pm

My Android tablet came with Google Maps, which requires permission to access all my contacts, all my WLAN info as well as my location (of course, it's a satnav device) and lots of other personal info. Their demand for ever greater intrusion into my life increases with every update.

This is a high price to pay for such apps. Beware!

swishy -> Bluecloud , 16 July 2014 12:25pm

I can see a future not too far ahead where these phones will be the only available option which will basically trap people in the system. Permission to access personal info may not necessarily be requested and ability to turn off GPS might not be possible. There's a gloomy picture to be going on with.

beedoubleyou -> Bluecloud , 16 July 2014 12:29pm

I don't understand the price. Nobody has anything to gain by knowing any of my contacts, especially me.

Nialler, 16 July 2014 12:14pm

My experience with the Galaxy was that in order to use a lot of the functionality I had to register with Google. This gives them my e-mail, my network, my location (if using the GPS) my buying preferences etc.

Sod that.

My wife used the GPS to find an address and when we arrived a photo of the house popped up on the screen. I find all this terribly intrusive.

If someone stopped you on the street and asked you those questions you'd tell them to fling their hook.

tilw -> Nialler, 16 July 2014 12:44pm

My way of handling Google and similar accounts is to give Google my email address at another on-line "everything including the kitchen sink" service and vice versa.

Both the email addresses are eminently disposable and neither of them point to any of my actual "real" email addresses. It can be a bit of a pain keeping track of which service has which disposable address, but it's worth it.

This technique also pretty quickly reveals which "services" have passed email addresses on to spammers either knowingly or otherwise.

blipvert -> tilw, 16 July 2014 12:55pm

Google started to get a bit sniffy about this kind of thing a while ago, and Boss Man Schmidt declared Google+ to be an identity service, and only real names would do.

Fortunately, they have recently abandoned this Big Brother approach in a desperate attempt to actually get customers to use Google+.

MasterPale -> Nialler, 16 July 2014 1:35pm

Registering with Google is only necessary in order to buy apps from Google's app market.

There are other sources of apps such as Samsung, Amazon, app developers websites, app review websites. Of course you have to register with these sources too but the process is generally less intrusive.

You can disable and uninstall Google apps such as Gmail, Google search, Maps etc.

And install alternatives which do not gather your data such as Hotmail, Hushmail, Firefox browser with ad-blockers and anti-trackers, DuckDuckGo or StartPage search engines, and Bing maps or TomTom (if there is no app use your phone browser to access the websites - create a bookmark and you have instant map service).

People are often afraid to edit their phone/tablet, a fear promoted by the dire pop-up warnings that if you turn off x it will melt your phone. No it won't!

Do not install junk apps. You can expect them to be infested with spyware and to involve 'in-app purchases'. Choose quality apps, recommended by reliable reviews. When installing an app, buy the paid version and save money on data long-term.

'Free' apps invade your privacy, keep data turned on to feed you a stream of adverts. You pay in lots of ways. It costs 69p for an app or maybe £2.99 for the expensive apps? And how much is privacy worth to you? How much do you pay for data?

If you have not seen an Adam Curtis documentary nor watched the BBC's current documentary series 'Meet the Men Who Made Us Spend' (on iPlayer) then I recommend them. They are light and fluffy, not overly intellectual, but they review the history of the last fifty years and the growth of consumption and offer an explanation of why so many people are obese, we spend too much time and money on pointless consumption, and are politically oppressed. It might make you decide you don't need so many gadgets or that you don't need so many apps on your gadgets. It will certainly make you reject 'smart things' and the continuing infantilisation and pacification of the population.

dourscot -> Nialler, 16 July 2014 1:41pm

But you can log out of Google. This doesn't solve your problem with other apps but it's not as bad as you suggest.

ConanOB -> Nialler , 16 July 2014 4:48pm

You buy an iPhone, Apple asks for your credit card number and expiration date, and you need to create an email account and use a backup email account if you are imperfect and might someday forget your password.

Everything comes at a price, the more secured and locked down you want your smartphone to be, expect to pay a premium price for it.

It is not difficult for phone companies to retrieve text messages etc and time, date and duration of calls you made every day.

Just stay away from apps like the flashlight app that needs access to your microphone or any app that request access to your contacts.

NotANumbers -> MasterPale, 18 July 2014 1:05am

I use F-Droid. It is a repository of free and open source applications. If you don't trust one, you can just have a look at the source code, providing you can understand it, and heck, even if you can't, you could still download, safe in the knowledge that there will inevitably be more eyes viewing the code and therefore less chance you'll have a malicious or snooping application.

swishy, 16 July 2014 12:18pm

I have one of those Samsung Galaxy Note phones. It's a work phone so doesn't actually belong to me. I just switch off the WIFI and GPS which is hopefully enough to stop my location being tracked.

ThisFieldIsBlank -> swishy , 16 July 2014 12:26pm

No it isn't! You will still be tracked as the phone continuously sends signals to the network to check for signals. Even brick phones do it, it is an inherent feature of mobile or cellular phones.

bargepoled2, 16 July 2014 12:19pm

With Android KitKat 4.4 you can activate or deactivate each app's location settings.

Don't want an app to use your location or know it?

Turn off its ability to do that in app settings.

[Jul 12, 2014] Whistleblower: NSA stores 80% of all phone calls, not just metadata - full audio by Pawel Kopczynski

July 12, 2014 | RT / Reuters

At least 80 percent of all audio calls are gathered and stored by the NSA, whistleblower William Binney has revealed. The former code-breaker says the spy agency's ultimate aim is no less than total population control.

The National Security Agency lies about what it stores, said William Binney, one of the highest profile whistleblowers to ever emerge from the NSA, at a conference in London organized by the Center for Investigative Journalism on July 5. Binney left the agency shortly after the 9/11 attacks on the World Trade Center because he was disgusted at the organization's move towards public surveillance.

"At least 80 percent of fiber-optic cables globally go via the US," Binney said. "This is no accident and allows the US to view all communication coming in. At least 80 percent of all audio calls, not just metadata, are recorded and stored in the US. The NSA lies about what it stores."

Binney has no evidence to substantiate his claims as he did not take any documents with him when he left the NSA. However, he insists the organization is untruthful about its intelligence gathering practices and their ultimate aim. He says that recent Supreme Court decisions have led him to believe the NSA won't stop until it has complete control over the population.

"The ultimate goal of the NSA is total population control," Binney said, "but I'm a little optimistic with some recent Supreme Court decisions, such as law enforcement mostly now needing a warrant before searching a smartphone."

During his speech at the conference, Binney praised spy-turned-whistleblower Edward Snowden for disseminating the classified documents that revealed the NSA's global spy programs. The latest revelations showed that contrary to the NSA's claims, the majority of information the agency gathers is from ordinary citizens with no connection to terrorism.

Washington has defended its spy programs, claiming that the NSA targets individuals with connections to known terrorist groups to thwart attacks. Binney said this was a lie and the NSA had stopped "zero attacks" with its intelligence gathering programs.

One of the main factors that has allowed the NSA to increase its spy programs is the lack of oversight in the US, argues Binney. In particular, he took issue with the Foreign Surveillance Court (FISA), which oversees the issue of search warrants against people suspected of terrorism. Binney believes the court is meaningless and always sides with the US government.

"The Fisa court has only the government's point of view," he said. "There are no other views for the judges to consider. There have been at least 15-20 trillion constitutional violations for US domestic audiences and you can double that globally."

Revelations about US global spy programs have sparked mass indignation, with one American judge saying the surveillance was almost Orwellian in nature. German Chancellor Angela Merkel also compared US intelligence policy to the antics of the Stasi secret police in the former East Germany.

See also: Federal judge says NSA's phone surveillance program is likely unconstitutional


Selected Comments

jeff strehlow 13.07.2014 00:48

Toni Lehto 12.07.2014 17:02

I'm as against NSA surveillance as the next guy, but I say BS.
Why? Consider a 1 minute phone call at 50 kbps would require storage of 3MB. Further assume an "average" phone call is 3 mins and there are 12.4 BILLION phone calls per day worldwide, capturing 80% of that traffic for 365 would require 33 MILLION terabytes of storage PER YEAR.

Your calculation is much higher than the actual requirements for 2 reasons:

1. 50 kbps isn't needed for voice communications. 5-6 kbps is enough.

2. You didn't take data compression into account.

Sunshine 12.07.2014 20:31

The current security/intelligence services are a vile stain on the memories and sacrifices of those who fought and died in the hope of preserving the freedoms that this country was founded upon and we cherish(ed) in our hearts.

It's the height of irony....you want to pull out all the stops to defend our country and way of life by destroying it....

Remember, the greatest trick the devil ever pulled was convincing the world he did not exist.....we did not know (for sure) the devil was walking amongst, and destroying our way of life, until Snowden, Drake and Binney opened our eyes and minds.....

Otto Moser 12.07.2014 19:31

SUPER !

So that Austrian radio comedian, who phoned the US Embassy, asking for a back-up of his daughter's birthday party video, because he claimed to have inadvertently deleted it, was absolutely within reality !

Naturally, the Embassy was not amused !

Fábio O. Ribeiro 12.07.2014 14:47

iPhone deserves a new name: iNSAmike. Ha, ha, ha... I will not have one.

Emmett 12.07.2014 14:23

NSA is doing what Hoover did as the long-time US FBI director. He spied on and blackmailed US presidents and other politicians so they could never oust him, and with all the dirt he had on those politicians masquerading as pillars of the community he forced them to do what he wanted them to do.
We see proof on a massive scale that the NSA uses the Hoover blueprint to blackmail politicians but has taken it a step further with technology to gather information on even more people.

Kenneth T. Tellis 12.07.2014 12:35

What the NSA is now doing, was what the U.S. government accused the Soviets of doing. If that be the case how is it legal? Which means that Obama Regime is in violation of both the U.S. Constitution and Civil Rights. No nation can ever trust the good intentions of the present U.S. government. So much for Democracy in America, an absolute FARCE!

[Dec 30, 2013] Glenn Greenwald The NSA Can Literally Watch Every Keystroke You Make By Diane Sweet

December 30, 2013 | Crooks and Liars

The German publication Der Spiegel has revealed new details about a secretive hacking unit inside the National Security Agency called the Office of Tailored Access Operations, or TAO. The unit was created in 1997 to hack into global communications traffic. Hackers inside the TAO have developed a way to break into computers running Microsoft Windows by gaining passive access to machines when users report program crashes to Microsoft. In addition, with help from the CIA and FBI, the NSA has the ability to intercept computers and other electronic accessories purchased online in order to secretly insert spyware and components that can provide backdoor access for the intelligence agencies. American Civil Liberties Union Deputy Legal Director Jameel Jaffer and journalist Glenn Greenwald join Democracy Now! to discuss the latest revelations, along with the future of Edward Snowden.

Glenn Greenwald:

"I think everybody knows by now, or at least I hope they do after the last seven months reporting, that the goal of the NSA really is the elimination of privacy worldwide-not hyperbole, not metaphor, that's literally their goal, is to make sure that all human communications that take place electronically are collected and then stored by the NSA and susceptible to being monitored and analyzed. But the specifics are still really important to illustrate just the scope and invasiveness and the dangers presented by this secret surveillance system.

And what the Der Spiegel article details is that one of the things that the NSA is really adept at doing is implanting in various machines-computers, laptops, even cellphones and the like-malware. And malware is essentially a program that allows the NSA, in the terminology that hackers use, to own the machine. So, no matter how much encryption you use, no matter how much you safeguard your communication with passwords and other things, this malware allows the NSA to literally watch every keystroke that you make, to get screen captures of what it is that you're doing, to circumvent all forms of encryption and other barriers to your communications."

[Dec 30, 2013] Glenn Greenwald The NSA Can Literally Watch Every Keystroke You Make

Democracy Now!

AMY GOODMAN: So, I mean, just to be really specific, you order a computer, and it's coming UPS, or it's coming FedEx, and they have it redirected to their own-you know, to the NSA, and they put in the malware, the spyware, and then send it on to you?

GLENN GREENWALD: Correct. That's what the Der Spiegel report indicates, based on the documents that they've published. But we've actually been working, ourselves, on certain stories that should be published soon regarding similar interdiction efforts.

And one of the things that I think is so amazing about this, Amy, is that the U.S. government has spent the last three or four years shrilly, vehemently warning the world that Chinese technology companies are unsafe to purchase products from, because they claim the Chinese government interdicts these products and installs surveillance, backdoors and other forms of malware onto the machinery so that when you get them, immediately your privacy is compromised. And they've actually driven Chinese firms out of the U.S. market and elsewhere with these kinds of accusations. Congress has convened committees to issue reports making these kind of accusations about Chinese companies.

And yet, at the same time, the NSA is doing exactly that which they accuse these Chinese companies of doing. And there's a real question, which is: Are these warnings designed to steer people away from purchasing Chinese products into the arms of the American industry so that the NSA's ability to implant these devices becomes even greater, since now everybody is buying American products out of fear that they can no longer buy Chinese products because this will happen to them?

... ... ...

AMY GOODMAN: Let's get back to Glenn Greenwald. Glenn, I just read the first couple of paragraphs of the piece in Der Spiegel about the garage doors that wouldn't open because the garage door openers were actually operating on the same frequency of the NSA, which was really vastly expanding in San Antonio at the time. But could you take it from there? The significance of this and this Tailored Access Operations, this particular unit, and how significant it is?

GLENN GREENWALD: Yeah, one thing I think that it underscores, this was in a community that had no idea that there was this gargantuan NSA hacking unit that had sprawled up in its community, and it shows just the power of how much they're doing, that they just simply shut down the electric devices of an entire community that didn't know that they were even there.

But the TAO, the Tailored Access Operations unit, is really remarkable because the government, the U.S. government, has been warning for many years now about the dangers of hackers, both stateless hackers as well as state-sponsored hackers from China and from Iran and from elsewhere. And the reality is that nobody is as advanced or as prolific when it comes to hacking into computer networks, into computer systems, as the NSA. And TAO is basically a unit that is designed to cultivate the most advanced hacking operations and skills of any unit, any entity on the Earth. And so, yet again, what we find is that exactly the dangers about which the U.S. government is shrilly warning when it comes to other people, they're actually doing themselves to a much greater and more menacing degree than anybody else is. And that's the significance of this particular unit inside of the NSA, is they do all of the most malicious hacking techniques that hackers who have been prosecuted by this very same government do and much, much more.

[Dec 30, 2013] How The NSA Hacks Your iPhone (Presenting DROPOUT JEEP)

It's logical to assume that similar capabilities exist for Android, possibly co-developed with Google... In other words, a smartphone is nothing but a gateway for perusing everyone's "private" data at will.
12/30/2013 | Zero Hedge

Following up on the stunning revelations released yesterday by Germany's Der Spiegel, which exposed the spy agency's 50-page catalog of "backdoor penetration techniques", a new bombshell emerged today during a speech given by Jacob Applebaum (@ioerror) at the 30th Chaos Communication Congress: the complete and detailed description of how the NSA remotely bugs your iPhone. The NSA accomplishes this using software known as DROPOUT JEEP, which it describes as follows: "DROPOUT JEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted."

The flowchart of how the NSA makes your iPhone its iPhone, and the slide that accompanies it, are shown as images in the original article (not reproduced here).

What is perhaps just as disturbing is the following rhetorical sequence from Applebaum:

"Do you think Apple helped them build that? I don't know. I hope Apple will clarify that. Here's the problem: I don't really believe that Apple didn't help them, I can't really prove it but [the NSA] literally claim that anytime they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. Not sure which one it is. I'd like to believe that since Apple didn't join the PRISM program until after Steve Jobs died, that maybe it's just that they write shitty software. We know that's true."

Or, Apple's software is hardly "shitty" even if it seems like that to the vast majority of experts (kinda like the Fed's various programs), and in fact it achieves precisely what it is meant to achieve.

Either way, now everyone knows that their iPhone is nothing but a gateway for the NSA to peruse everyone's "private" data at will. Which, incidentally, is not news: it was revealed when we showed how the "NSA Mocks Apple's 'Zombie' Customers; Asks 'Your Target Is Using A BlackBerry? Now What?'"

How ironic would it be if Blackberry, left for dead by virtually everyone, began marketing its products as the only smartphone that does not allow the NSA access to one's data (and did so accordingly). Since pretty much everything else it has tried has failed, we don't see the downside to this Hail Mary attempt to strike back at Big Brother and maybe make some money, by doing the right thing for once.

We urge readers to watch the full one hour speech by Jacob Applebaum to realize just how massive Big Brother truly is, but those who want to just listen to the section on Apple can do so beginning 44 minutes 30 seconds in the presentation below.

fuu:

"This functionality includes the ability to remotely push/pull files from the device."

Bad Attitude

Very good points. I hope criminal defense attorneys are paying attention. Evidence collected from phones or computers cannot be trusted.

Forward (over the cliff).

DaveyJones

Great comment. And the best example of how "modern technology" is a blessing and a curse. A despot's wet dream to track everywhere you go, everything you say, and when you say something wrong, to correct your "criminal record"

It's a nightmare

Dave Thomas

Remember that pesky national ID card they kept talking about 2005~2008? Guess we don't need one now lol.

sleigher

It is just complete and total own! That is all... They have to survive across reboots/rebuilds and access "new" deployments. Can't do that with just the software.

I just like the sound of the thousands of voices screaming out from the conspiratard websites across the planet for total vindication. I have read about hacks like these for years and seen many shoot them down about tin foil hats and all that nonsense.

Just wait til we hear about the built in radios in all modern CPUs that can be activated by satellite. Then will people get mad? no...

tip e. canoe

BUT BUT BUT, if BB is compromised, that would mean that all the Truly Useful Idiots that have been using BB phones thinking they were secure are compromised too!!! that would mean the entire System could be manipulated by anyone who has access to that closet full of dirty secrets!!!

Holy Spitzer, Batman!!!

NoDebt

I've always assumed my cell phone was an open book to government agencies just like I've always assumed that Social Security won't be there for me when I retire.

The only thing left in both cases is the proof.

In the cell phone/computer tracking stuff... we'll know soon enough. It's heading to the Supreme Court where Roberts will likely be the deciding vote, as he was on Obamacare. Then we won't have to argue whether it's Constitutional or not. It will be deemed Constitutional, with few if any limits, and that will be the end of the discussion.

[Dec 06, 2013] FTC Drops the Hammer On Maker of Location-Sharing Flashlight App

A top download from Google Play, the main Android marketplace, is spyware...
December 06, 2013

Soulskill

chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners.

The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace.

Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars.

The application, which is available for free, displays mobile advertisements on the devices it is installed on.

However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.'

As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."

http://www.independent.co.uk/life-style/gadgets-and-tech/malicious-software-hijacks-your-phones-microphone-and-camera-to-record-your-pin-8936619.html

A research paper from the University of Cambridge has outlined how PIN numbers used on smartphones can be recorded by hijacking the device's camera and microphones.

The news is especially worrying as the rise of mobile banking means that PIN numbers entered into smartphones are often used to secure more than just the phone's basic functionality.

The researchers, Laurent Simon and Ross Anderson, used a custom piece of software called PIN Skimmer to grab the PIN numbers. This program hijacks phones' microphones to detect when you tap the touchscreen and then syncs this with data from the camera to work out where on the screen you pressed.

For example, when right-handed individuals press a button in the top left hand corner of their phone's screen they often tilt the phone towards their thumb with their supporting fingers. This changes the position of the user's face as recorded by the front-facing camera, giving the program a unique marker that corresponds with a number on screen.

The research was carried out on a pair of Android-powered smartphones, a Nexus S and Galaxy S3, and under test conditions PIN Skimmer was able to work out more than 50 per cent of four digit PIN numbers after five attempts and 60 per cent of eight digit numbers after ten attempts.

One step in the malware's process even presents users with a game where they have to match pairs of icons that appear onscreen. The program can record data from the camera during the game and then use this as a reference guide, matching how the user appears in the camera to where they've touched the screen.

The researchers suggested methods of obstructing the malware, but noted that randomising the order in which numbers appear on an onscreen keypad would "cripple usability" whilst employing longer PIN numbers would affect "memorability and usability".

More "drastic" solutions included getting rid of passwords altogether in favour of face recognition or fingerprint scanners, although neither of these methods are yet common.

"If you're developing payment apps [for mobiles], you'd better be aware that these risks exist," Professor Anderson told the BBC.

[Oct 22, 2013] Google-backed BitTorrent client spread malware to Windows PCs and Android devices by Samuel Gibbs

The Guardian

Xunlei - a BitTorrent service primarily used in China and backed by Google - was caught spreading malware to both Windows PCs and Android devices

A Google-backed file sharing service has been discovered spreading malware to thousands of Windows and Android users.

An investigation by security company Eset has revealed that Xunlei has been spreading malware named "Win32/Kankan" to Windows and Android users, signed with the company's security certificate.

The malware is classed as a Trojan, and only affected Chinese users, according to Eset.

"The company officially admitted during a press conference that some of its employees have used company resources to create and distribute this program. The degree to which Xunlei Networking Technologies is implicated is hard to tell from the outside," said Joan Calvet from Eset in a blog post.

The Xunlei software is very popular in China and has about 30% of world BitTorrent users, making it the most used BitTorrent client for the service, which allows peer-to-peer file sharing. The BitTorrent protocol breaks each file to be shared into small chunks and sends them across the internet between computers. Parts of the complete file can be hosted on many different computers, and the whole reconstructed by pulling the parts from different machines.

Effectively evading detection

It is unclear how the malware, which was specifically programmed to avoid detection by security software and analysts, was initially spread.

A "dropper" program named "INPEnhSetup.exe" posed as a Windows installer, which once activated contacted a server across the internet, a domain owned and operated by Xunlei, and "dropped" or installed three further malicious programs onto the system.

One of the programs, a plugin for the Microsoft Office applications Word, Excel and PowerPoint, then registered itself in the Windows Registry, ensuring that it was loaded every time an Office application was run.

When run, the Office plugin scanned the computer for analysis tools such as the Windows task manager, and quickly shut down if one was found running on the system, effectively evading detection by the computer user or a security analyst.

If the program failed to detect any running computer analysis tools, it began sending user information such as the version of Windows being used to a remote server.

Silently installing applications onto Android phones

The malware also included an updater that automatically checked a server for new versions of the programs, installing updates when they became available.

Another application installed alongside the Office plugin silently installed applications onto Android phones that were connected to the infected computer.

Using the USB connection, the "installphoneapp" installed applications, including three separate Chinese app stores, and a phone call app that claimed to offer cheap phone calls.

Chinese Android programs installed by the malicious applications. Photograph: Eset

"Overall, the motivation behind the installation of these particular mobile applications remains unknown," said Calvet.

The applications were only installed if the connected Android phone had the security setting disabled that otherwise prevents developer actions over USB (ADB debugging); disabling it is often required for Android software modifications and operating system customisation, as well as by certain Android backup programs.

"We've seen desktop malware attempt to install Android malware before, but not through the application of Android's ADB. Pushing it to Android phones like that is novel," said Rik Ferguson vice president of security research at Trend Micro.
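An added example, not from the Guardian article or from Eset: a triage script for the output of `adb shell pm list packages -3 -i` that flags third-party packages pushed over ADB (as Kankan's "installphoneapp" did) and packages installed by an app that itself arrived over ADB. It assumes pm prints `package:<name>  installer=<installer|null>` per package; the sample output is constructed and the trusted-installer set is a placeholder for your own fleet.

```python
"""Triage ``adb shell pm list packages -3 -i`` output: which third-party
packages were pushed over ADB, and which were installed by an app that
itself arrived over ADB (an ADB-pushed app store, then apps from it)?

Added example, not from the Guardian article or Eset.  Assumptions: pm prints
``package:<name>  installer=<installer|null>`` per package, the sample output
below is constructed, and TRUSTED_INSTALLERS is a placeholder for your fleet.
The -3 switch excludes preinstalled packages, which also show installer=null.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

TRUSTED_INSTALLERS = {"com.android.vending"}   # Google Play; extend as needed

# No recorded installer, or the shell user: the package came in through
# pm install / ADB rather than through a store (assumption: older releases
# record null, newer ones record com.android.shell for ADB installs).
ADB_INSTALLERS = {"null", "com.android.shell"}

LINE_RE = re.compile(r"^package:(?P<pkg>[\w.]+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Origin:
    package: str
    installer: str
    verdict: str  # "store" | "adb" | "via-adb-app" | "unknown-installer"


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package -> installer; lines that are not pm output are ignored."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("inst")
    return packages


def classify(packages: Dict[str, str]) -> List[Origin]:
    """One verdict per package, sorted by name.  Anything installed by a
    package that itself came over ADB is flagged too: that is the chain the
    article describes (ADB-pushed app store, then apps installed from it)."""
    adb_installed = {p for p, inst in packages.items() if inst in ADB_INSTALLERS}
    origins: List[Origin] = []
    for pkg, inst in sorted(packages.items()):
        if inst in TRUSTED_INSTALLERS:
            verdict = "store"
        elif inst in ADB_INSTALLERS:
            verdict = "adb"
        elif inst in adb_installed:
            verdict = "via-adb-app"
        else:
            verdict = "unknown-installer"
        origins.append(Origin(pkg, inst, verdict))
    return origins


def suspicious(text: str) -> List[Origin]:
    """Everything that did not come straight from a trusted store."""
    return [o for o in classify(parse_pm_output(text)) if o.verdict != "store"]


# Constructed sample: a Play-installed browser, a store pushed over ADB, an app
# installed by that store, a tool pushed by a newer ADB, and a stray line.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:cn.example.appstore  installer=null
package:cn.example.cheapcalls  installer=cn.example.appstore
package:com.example.tool  installer=com.android.shell
Warning: unrelated output
"""

if __name__ == "__main__":
    for o in suspicious(SAMPLE):
        print(f"{o.package:26} installer={o.installer:22} {o.verdict}")
```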

A lot of mobile malware is specific to China

The focus on China meant that the risk of the Trojan spreading was low, according to Ferguson.

"Of course, the risk of Android malware infection is massively increased by rooting, which this malware example partly targeted, because you are specifically disabling crucial built-in security services," he said.

More rooted phones exist in China, mainly due to the restrictions on apps and services, which require users to circumvent blocks to get access to many of the applications freely available in the UK and the US.

"We see a lot of mobile malware that is specific to China, like a lot of other malware," explained Ferguson. "For example, we see malware targeted at stealing virtual goods in gaming environments only in China."

According to data collected by Trend Micro, there are 1.15m malicious or high-risk Android apps currently circulating as of 12 October, which is significantly higher than estimates based on malware growth seen in 2012, showing that the problem is increasing dramatically.

Pushing the installer out to infected machines

It remains unclear whether Xunlei's BitTorrent client was used to spread the malware. Since August, Xunlei has made available an uninstaller application, which users can download to remove the malware manually.

Using the company owned and operated servers, which the malware automatically contacted, Xunlei also pushed out the installer to infected machines.

The daily number of infections has dropped dramatically, according to data from Eset.

According to Eset's data, the daily number of infections has dropped significantly since Xunlei's remedial actions.

• In August, Windows malware was found lurking within the KFC app for Android.

• Malware named "Zeus" was discovered in 2011 to infect both Windows and Android devices, stealing banking details.


[Oct 22, 2013] Dr.Web - innovation anti-virus security technologies. Comprehensive protection from Internet threats.

October 16, 2013

Russian anti-virus company Doctor Web is warning users about a new Trojan for Android that is stealing confidential information from South Korean users. It is similar to other Trojans for Android, but unlike other malignant programs with a comparable payload, it exploits an Android vulnerability to bypass anti-virus scanning, which significantly increases the potential risk for Android device owners. Currently, the program's main home turf is South Korea; however, its future modifications will likely spread to other countries.

The new Trojan, dubbed by Dr.Web as Android.Spy.40.origin, is spread by means of unwanted SMS messages containing a link to an apk file. Among cybercriminals in Southeast Asia (mainly South Korea and Japan), it is currently one of the most popular techniques for spreading Android malware. Once Android.Spy.40.origin is installed and launched, it requests access to OS administrative features, removes its icon from the main screen, and covertly maintains its operation in the system.

Then the Trojan connects to a remote server from which it receives further instructions. In particular, Android.Spy.40.origin can perform the following tasks:

This malicious program can pose a severe threat because it intercepts messages that may contain confidential information, personal and business correspondence, bank account information and mTAN codes used to verify transactions. In addition, the contacts list acquired by cybercriminals can then be used to send bulk SMS spam and mount phishing attacks.

However, Android.Spy.40.origin's principal distinguishing feature is its ability to exploit an Android vulnerability to avoid detection by anti-viruses. To conceal the malware, attackers modified the Trojan's apk file (an apk file is a standard zip archive with a different extension).

According to the zip file format specification, the header of each compressed file within the archive includes a 'General purpose bit flag' field. Bit 0 of this field indicates whether the file is encrypted (password protected). In other words, when that bit is set to 1, the file must be treated as encrypted, even if no password was ever applied to it.

Under normal circumstances (as the screenshot in the original article shows), a password prompt is displayed when one tries to unpack such a zip file, but due to a flaw in Android, bit 0 is ignored, which allows the program to be installed. Unlike the operating system that has this vulnerability, anti-virus programs handle the 'General purpose bit flag' field correctly: they assume that the file is password protected and therefore not in need of scanning, even if the definition for the malicious file contained in the apk package is in the virus database.

Doctor Web's engineers promptly made adjustments to its Dr.Web for Android anti-virus so that it successfully detects malware that makes use of the exploit described above. However, Android users are strongly recommended to exercise caution and refrain from installing suspicious applications and clicking on links in unwanted SMS messages.
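An added example, not Doctor Web's code: a small Python script that builds a constructed zip standing in for an APK, sets bit 0 of the general purpose bit flag on one entry without encrypting its data (the trick described above), and shows the two behaviours a scanner must not confuse, the standard library refusing the entry as password protected while inflating the raw bytes and checking the CRC-32 recovers the plaintext. The entry names and payload are sample values only.

```python
"""Does the 'encrypted' bit in an APK's zip headers tell the truth?

Added example; not Doctor Web's code.  A constructed two-entry zip is built
in memory, bit 0 of the general purpose bit flag is set on one entry without
encrypting anything, and then: zipfile refuses the entry as password
protected, while inflating the raw bytes straight from the local header and
checking the CRC-32 recovers the plaintext, proving the flag was bogus.
"""
import io
import struct
import zipfile
import zlib
from typing import List, Optional, Tuple

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry signature
ENCRYPTED_BIT = 0x0001       # bit 0 of the general purpose bit flag

SAMPLE_DEX = b"dex\n035\x00 constructed sample payload"  # sample value only


def build_sample_apk() -> bytes:
    """Constructed zip standing in for an APK (no real Android code inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", SAMPLE_DEX)
    return buf.getvalue()


def set_encrypted_flag(data: bytes, name: str) -> bytes:
    """Set bit 0 in the local header and the central directory entry of
    `name`; the compressed data is left exactly as it was (not encrypted)."""
    out = bytearray(data)
    target = name.encode()
    # (signature, flag offset, name-length offset, name offset) per header type
    for sig, flag_off, nlen_off, name_off in ((LOCAL_SIG, 6, 26, 30),
                                              (CENTRAL_SIG, 8, 28, 46)):
        pos = out.find(sig)
        while pos >= 0:
            (nlen,) = struct.unpack_from("<H", out, pos + nlen_off)
            if out[pos + name_off:pos + name_off + nlen] == target:
                (flags,) = struct.unpack_from("<H", out, pos + flag_off)
                struct.pack_into("<H", out, pos + flag_off, flags | ENCRYPTED_BIT)
            pos = out.find(sig, pos + 4)
    return bytes(out)


def stdlib_refuses(data: bytes, name: str) -> bool:
    """True when zipfile treats the entry as encrypted and will not read it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
        except RuntimeError:  # "File ... is encrypted, password required"
            return True
    return False


def recover_plaintext(data: bytes, name: str) -> Optional[bytes]:
    """Inflate the entry's raw bytes from its local header, ignoring the
    encryption bit.  Returns the content only if its CRC-32 matches the
    header (the bytes were never encrypted); None otherwise."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.getinfo(name)
    off = info.header_offset
    if data[off:off + 4] != LOCAL_SIG:
        return None
    nlen, elen = struct.unpack_from("<HH", data, off + 26)
    start = off + 30 + nlen + elen
    raw = data[start:start + info.compress_size]
    try:
        if info.compress_type == zipfile.ZIP_DEFLATED:
            plain = zlib.decompress(raw, -15)   # raw deflate stream
        elif info.compress_type == zipfile.ZIP_STORED:
            plain = raw
        else:
            return None
    except zlib.error:
        return None
    return plain if zlib.crc32(plain) == info.CRC else None


def inspect(data: bytes) -> List[Tuple[str, bool, bool]]:
    """(entry name, encryption bit set, plaintext recoverable without a
    password).  (True, True) is the signature of a bogus encryption flag."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [(i.filename, bool(i.flag_bits & ENCRYPTED_BIT)) for i in zf.infolist()]
    return [(n, flagged, recover_plaintext(data, n) is not None) for n, flagged in names]


if __name__ == "__main__":
    doctored = set_encrypted_flag(build_sample_apk(), "classes.dex")
    for name, flagged, recoverable in inspect(doctored):
        print(f"{name:22} encrypted-bit={flagged!s:5} plaintext-recoverable={recoverable}")
    print("zipfile refuses classes.dex:", stdlib_refuses(doctored, "classes.dex"))
```

A scanner that stops at the first check (the flag) skips the entry; one that carries on to the second (inflate and verify the CRC) sees exactly what the vulnerable installer sees.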

[Oct 14, 2013] Exclusive Inside Android 4.2's powerful new security system by JR Raphael

November 01, 2012 | Computerworld Blogs

Android 4.2 marks the launch of a powerful new security system built right into the platform. The key component is a real-time app scanning service that instantly checks apps put on your device for any malicious or potentially harmful code.

The feature is an extension of the security technology Google introduced for the Play Store this past February. While that technology worked exclusively on the server side, analyzing apps that were uploaded to the Play Store, the new system works with your device and scans any apps you install from third-party sources (a process known as "sideloading").

"We view security as a universal thing," Android VP of Engineering Hiroshi Lockheimer tells me. "Assuming the user wants this additional insurance policy, we felt like we shouldn't exclude one source over another."

Android 4.2 Security: Verify Apps

Following typical Google fashion, the new scanning service is completely opt-in: The first time you install an app from a source other than the Play Store -- including a third-party app market like Amazon's app store -- Android pops up a box asking if you want such applications to be checked for "harmful behavior." (There's also a checkbox in the "Security" section of the 4.2 system settings that lets you turn the service on or off at any point.)

Initial confirmation aside, everything with the new security system happens seamlessly and almost instantaneously behind the scenes. Whenever you sideload an app, your phone sends identifying information about the program to Google's servers. Google's servers then analyze the info and compare it with the company's database of known applications.

"We have a catalog of 700,000 applications in the Play Store, and beyond that, we're always scanning stuff on the Web in terms of APKs that are appearing," Lockheimer says. "We have a pretty good understanding of the app ecosystem now, whether something's in the Play Store or not."

If Google's servers recognize the app as a known safe program, your installation will continue uninterrupted. If it matches it to an app that's known to be dangerous, meanwhile -- a designation Lockheimer says is extremely rare for the platform -- the system will prevent you from installing it. And if the app raises some red flags but no definite evidence of harm, the system will alert you of the situation and let you decide whether you want to proceed.

All of that happens in a split second. I tried sideloading some apps onto my Nexus 4 review unit, and following the initial opt-in confirmation, I couldn't detect any noticeable delay in the process compared to what happens on pre-4.2 devices.

"The server does all the hard work," Lockheimer explains. "The device sends only a signature of the APK so that the server can identify it rapidly."

(Incidentally, Lockheimer tells me the new functionality is not related to Google's recent acquisition of VirusTotal, a startup focused on online malware scanning; rather, it's based completely on the app-scanning technology announced for the Play Store back in February.)

Accompanying the system is a new and improved app permissions screen -- the screen that shows up anytime you install an app from outside of the Play Store. The new Android 4.2-level screen is cleaned up and far easier to read than what we've seen in the past.

Android 4.2 App Permissions

And last but not least, Android 4.2 has an added behind-the-scenes feature that alerts you anytime an app attempts to send a text message that could cost you money. If an app tries to send an SMS to a known fee-collecting short code -- a number that'd automatically bill your carrier when it receives a message -- the system jumps in and alerts you to the action. You can then opt to allow or deny the process.

[Sep 26, 2013] Android 4.2 introduced SELinux enabled by default on kernel

Apr 5. 2013 | stackoverflow.com

Q:

If I have understood correctly, Android 4.2 introduced SELinux enabled by default in the kernel. Am I right? Is there any way to disable it?

Some apps might not work correctly.

Ex. Using the mount command system-wide stopped working.

Is there any way to disable it? I checked on a VZW Galaxy Nexus, build JDQ39. I am not sure which Linux version it is, either SELinux or Linux.

What is the benefit of using SELinux vs. Linux on an Android device?

A:

No, it isn't enabled by default. There really isn't such a thing as enabled by default on Android, each handset manufacturer sets the configuration and makes modifications when they make a new device. Even if AOSP had it enabled by default in their kernels (which it doesn't) manufacturers would have to enable it in their kernels.

SELinux is Linux, with mandatory access controls. Please read up on SELinux.

Even devices that will soon ship with SE Android (SELinux + Android middleware MAC), e.g. the Galaxy S IV, have it in permissive mode by default. You'd need an MDM client to set it to enforcing.

It is possible to bypass the mount issue.

The trick is to use adb on the device itself to connect locally to the device and issue the mount command through that. When running in adb you seem to get out of whatever jail prevents mount from working in apps. I don't think it's SELinux related, it seems to have something to do with multiuser security and apparently lives mostly in the Android APIs rather than at the kernel level (console apps should access the mounts fine).

With 4.2.2 it's a bit harder as you now need a key setup for adb.

Have a look here, it's for the Nexus 10 but the basic principles should work on anything.

[Sep 26, 2013] Android botnets on the rise - case study

July 1, 2013

Cybercriminals have adopted a commercially available DIY Android application decompiler/injector developed to work exclusively with a publicly obtainable Android-based trojan horse. Security expert Dancho Danchev explains in a recent post how Android botnets can be managed: using commercially available tools it is possible to inject a pre-configured Android trojan client into any application.

The malicious agents can be spread in various ways depending on the attackers: the botmaster could distribute the malware using compromised Web servers or DIY Google Dorks based hacking tools, "and instead of monetizing the traffic by serving client-side exploits, they can filter and redirect all the mobile device traffic to a fraudulent/malicious Android application."

The offer is very attractive also because of the cheap price, only $37 for the injector tool; the following images show a few screenshots of the application in action.

[Screenshots 1-3: Android botnets malware injector, not reproduced here]

Apparently the Android trojan was designed by a group of four students for a university project and has all the features typical of this category of malware. Fortunately the malware has a hardcoded reference to a centralized C&C infrastructure, which makes it easy to trace and bring down. The malware uses no-ip.org as a Dynamic DNS service to reach its control infrastructure.

It can be activated either via phone call or via SMS and, according to the post, has the following features:

An interesting phenomenon observed by security researchers in the cybercriminal ecosystem is that criminals are also showing an increasing interest in buying verified Google Play accounts; by exploiting their reputation they can distribute Android bots to users who trust or recommend a particular developer.

The mobile malware black market is still not well developed, because cybercriminals mostly attack mobile platforms directly instead of selling exploit toolkits and mobile malware. Andrey Komarov from security firm Group-IB told me in a previous interview that the key properties of mobile malware for cybercrime are:

Security experts are sure that we will witness an explosion in the diffusion of mobile malicious infrastructures, and in particular of Android botnets; we must be prepared.

Android Trojans gain botnet distribution, new code by John P. Mello Jr

September 06, 2013 | CSO

A dangerous Trojan that targets Google's Android mobile operating system has gained new nefarious capabilities even as a new banking malware takes aim at the OS, according to security researchers.

Kaspersky Lab reported that mobile botnets are being used to distribute the Obad.a Trojan, which can gain administrative rights on an Android device -- allowing its masters to do pretty much anything they want with a handset.

Meanwhile, Eset revealed that a bad app it discovered earlier this month -- Hesperbot -- is actually a mobile banking Trojan along the lines of Zeus and SpyEye, but with significant implementation differences that make it a new malware family.

The Obad.a Trojan has been closely watched by Kaspersky since the beginning of the summer, but it wasn't until recently that researchers uncovered the unusual distribution method its handlers have been deploying.

"For the first time, malware is being distributed using botnets that were created using completely different mobile malware," Kaspersky researcher Roman Unuchek wrote in a blog.

Such distribution techniques are common in the desktop world, but their arrival in the mobile space is another indicator that Android is becoming the mobile equivalent of Windows for hackers.

"This approach, like other aspects of the Obad operation, mimics what we've been seeing in the desktop ecosystem," Roel Schouwenberg, a senior researcher at Kaspersky, said in an email.

"In the Windows and Linux world, it's very common for malware and botnets to install other types of malware for pay," he added. "So it's likely that we'll see further adoption of this strategy in the mobile space as well."

Handsets are initially infected with the botnet software SMS.AndroidOS.Opfake.a through a poisoned link in an SMS message.

The link promises to deliver a new MMS message to the target. If clicked, the botware will be downloaded and the target asked to run it. If the target complies, SMS messages with the same MMS pitch will be sent to everyone on the target's contact list. In addition, the botware will download Obad.a, which sets up a backdoor on the handset that allows a botmaster to remotely control the device.

Other more conventional means are also used to distribute Obad.a, including SMS spam, links to fake Google Play stores and redirection from poisoned websites.

That kind of multi-vector infection strategy isn't common yet in the mobile world. "Right now, Obad is setting a new standard," Schouwenberg said. "We're still quite a bit away from multiple infection vectors being the norm rather than the exception."

Up to now, Obad.a activity has been directed at populations in the states of the old Soviet Union, although there has been some spillover into other countries. "For now, other countries are not where the attackers' focus seems to be," Schouwenberg said.

Hesperbot also appears to have a limited geographic distribution -- primarily Turkey and the Czech Republic. However, the campaign, may expand. "It's quite likely we'll see more instances of this as time goes by," Eset Security Evangelist Stephen Cobb said in an interview. "I would expect we'll see more attacks in more countries."

Hesperbot is spread by luring targets to an infected website with a poisoned link embedded in an email or SMS message. The Czech scam sent targets to a website closely modeled on the landing page of the country's postal service.

"The aim of the attackers is to obtain login credentials giving access to the victim's bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone," Eset researcher Robert Lipovsky wrote in a blog.

He described Hesperbot as a very potent banking Trojan with features such as keystroke logging, creation of screenshots and video capture, setting up a remote proxy, creating a hidden VNC server on an infected system, intercepting network traffic and HTML injection.

Other banking Trojans, like Zeus and SpyEye, perform those functions, too; what sets Hesperbot apart is its use of new code to do those tasks. "It's not made with SpyEye or Zeus code," Evangelist Cobb said. "That might sound like a technical distinction, but the fact that someone went to the trouble to write a brand-new banking Trojan is indicative of the appeal that remains for the software."

That appeal will likely grow. "As more mobile capabilities are rolled out and mobile payments become more widespread and ubiquitous, malware is going to follow," said George Tubin, senior security strategist at Trusteer, an IBM company. "We're right at the beginning of it now."

He explained that improved security measures at larger banks have been driving cyber robbers downstream to mid- and small-sized banks. "Now, they'll also be moving into the mobile channel, because banks haven't deployed very sophisticated fraud detection technologies there yet," Tubin said.

Nevertheless, mobile infections can be avoided if a user is willing to avoid high-risk behavior. "They're not going to get infected if they stick to downloading apps from Google Play or their employer's app store," Randy Abrams, a research director at NSS Labs, said in an interview.

"There have been exceptions, and Google has allowed infected apps into their store," he continued, "but the majority of apps on Google Play are going to be very safe -- as long as you don't consider compromising your privacy a safety issue."

[Aug 13, 2013] Malware taps mobile ad network to siphon money By Antone Gonsalves

Congratulations: on top of all our other troubles, advertising networks can now serve as a hidden channel for installing spyware. In other words, adware doubles as a delivery channel for malware.
August 13, 2013 | Network World
Asian cybercriminals have figured out an unusual way to use the architecture of a mobile ad network to siphon money from their victims.

The new method represents another step in the evolution of mobile malware, which is booming with more smartphones shipping than PCs. Mobile ad networks open up the perfect backdoor for downloading code.

"It's a very, very clean infection vector," said Wade Williamson, a senior security analyst at Palo Alto Networks who discovered the new trickery.

In legitimate partnerships between ad distributors and developers, the latter embeds the former's software development kit (SDK) into the app, so it can download and track ads in order to split revenue.

Unfortunately, how well developers vet the ad networks they side with varies from one app maker to another. If the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network are high.

Williamson found one such network's SDK embedded in legitimate apps provided through online Android stores across Asian countries, such as Malaysia, Taiwan and China. Once installed, the SDK pulls down an Android application package file (APK) and runs it in memory where the user cannot easily discover it.

The APK typically waits until another app is being installed before triggering a popup window that seeks permission to access Android's SMS service.

"It doesn't have to go through the whole process of doing a full install," Williamson said. "It just sits there and waits on the smartphone to install something else and then piggybacks in."

Once installed, the APK takes control of the phone's messaging service to send text to premium rate numbers and to download instructions from a command and control server. The majority of Android malware today, 77 percent, wring money from victims through paid messaging services, said Juniper Networks' latest mobile threat report.

Williamson has seen more than a half dozen samples of the latest malware, which he believes is coming from one criminal group, while acknowledging multiple groups is possible.

Android users in Asia and Russia are more susceptible to Android malware, because many apps are downloaded from independent online stores. In the U.S., most Android users take apps from the Google Play store, which scans for malware and malicious ad networks.

Because of the effectiveness of the latest malware, Williamson expects criminals in the future to use the same scheme to download more insidious malware capable of stealing credentials to online banking and retail sites where credit card numbers are stored.

The same pathway could also be used to steal credentials for entering corporate networks.

"As soon as you have a vector like this, the difference between creating malware that sends spoof SMS messages versus looks for the network and tries to break in is just malware functionality," Williamson said.

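
The ad-SDK scheme in the article comes down to a bundle of capabilities that is easy to recognise before the app ever runs: permission to send SMS, a network path to the command-and-control server from which it "downloads instructions", and, in most SMS-billing malware, a receiver that sees incoming texts ahead of the user so that carrier confirmations can be swallowed. The static triage script below is an added example, not code from the Network World article, Palo Alto Networks or Juniper. It parses a decoded AndroidManifest.xml (the binary manifest inside an APK has to be decoded first, for instance with apktool) and reports that bundle. Both manifests, the package name com.example.freegame and the priority threshold of 1000 are constructed assumptions for the example.

```python
"""Static triage of an Android manifest for premium-SMS abuse indicators.

Added example, not code from the article. Feed it the decoded
AndroidManifest.xml that apktool produces. The two manifests below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS            # prefix ElementTree uses for android:* attributes

SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
INTERNET = "android.permission.INTERNET"
BOOT_COMPLETED = "android.permission.RECEIVE_BOOT_COMPLETED"
PHONE_STATE = "android.permission.READ_PHONE_STATE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Assumed threshold: ordinary apps rarely need a priority this high on an SMS
# receiver; SMS trojans use it to see (and abort) carrier replies first.
HIGH_PRIORITY = 1000

# Constructed manifest: a "free game" with the capability bundle the article
# describes (text premium numbers, fetch orders from a C2, survive reboot).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest: the same game, ad-supported but without SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def permissions(manifest_xml):
    """Set of permission names requested by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(A + "name") for e in root.iter("uses-permission") if e.get(A + "name")}


def sms_receiver_priorities(manifest_xml):
    """Priorities of every intent filter that listens for incoming SMS."""
    root = ET.fromstring(manifest_xml)
    priorities = []
    for flt in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in flt.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            priorities.append(int(flt.get(A + "priority", "0")))
    return priorities


def triage(manifest_xml):
    """Return {'verdict': 'suspicious' | 'low', 'findings': [...]}."""
    perms = permissions(manifest_xml)
    high = [p for p in sms_receiver_priorities(manifest_xml) if p >= HIGH_PRIORITY]
    findings = []
    if SEND_SMS in perms:
        findings.append("SEND_SMS: can text premium-rate numbers")
    if SEND_SMS in perms and INTERNET in perms:
        findings.append("SEND_SMS+INTERNET: can fetch numbers and orders from a C2")
    if RECEIVE_SMS in perms and high:
        findings.append("high-priority SMS_RECEIVED receiver (%d): can intercept "
                        "and suppress carrier billing confirmations" % max(high))
    if BOOT_COMPLETED in perms:
        findings.append("RECEIVE_BOOT_COMPLETED: restarts itself after reboot")
    if PHONE_STATE in perms:
        findings.append("READ_PHONE_STATE: can read IMEI/IMSI to fingerprint the victim")
    verdict = "suspicious" if SEND_SMS in perms and (INTERNET in perms or high) else "low"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("free game (trojanised)", SUSPICIOUS_MANIFEST),
                            ("free game (clean)", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

Run it on the manifest of every APK an ad-network SDK pulls down. The verdict is a triage signal, not proof: legitimate messaging apps also request SEND_SMS, but a "free game" that needs it together with a top-priority SMS receiver deserves a second look.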

[Jun 14, 2013] U.S. Agencies Said to Swap Data With Thousands of Firms

Corporatism is on the march...
Bloomberg

Microsoft Bugs

Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.

In an e-mailed statement, Shaw said there are "several programs" through which such information is passed to the government, and named two which are public, run by Microsoft and for defensive purposes.

Willing Cooperation

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge's order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. Company executives are motivated by a desire to help the national defense as well as to help their own companies, said the people, who are familiar with the agreements.

Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said.

... ... ...

Committing Officer

If necessary, a company executive, known as a "committing officer," is given documents that guarantee immunity from civil actions resulting from the transfer of data. The companies are provided with regular updates, which may include the broad parameters of how that information is used.

Intel Corp. (INTC)'s McAfee unit, which makes Internet security software, regularly cooperates with the NSA, FBI and the CIA, for example, and is a valuable partner because of its broad view of malicious Internet traffic, including espionage operations by foreign powers, according to one of the four people, who is familiar with the arrangement.

Such a relationship would start with an approach to McAfee's chief executive, who would then clear specific individuals to work with investigators or provide the requested data, the person said. The public would be surprised at how much help the government seeks, the person said.

McAfee firewalls collect information on hackers who use legitimate servers to do their work, and the company data can be used to pinpoint where attacks begin. The company also has knowledge of the architecture of information networks worldwide, which may be useful to spy agencies who tap into them, the person said.

McAfee's Data

McAfee (MFE)'s data and analysis doesn't include information on individuals, said Michael Fey, the company's worldwide chief technology officer.

"We do not share any type of personal information with our government agency partners," Fey said in an e-mailed statement. "McAfee's function is to provide security technology, education, and threat intelligence to governments. This threat intelligence includes trending data on emerging new threats, cyber-attack patterns and vector activity, as well as analysis on the integrity of software, system vulnerabilities, and hacker group activity."

In exchange, leaders of companies are showered with attention and information by the agencies to help maintain the relationship, the person said.

In other cases, companies are given quick warnings about threats that could affect their bottom line, including serious Internet attacks and who is behind them.

... ... ...

The information provided by Snowden also exposed a secret NSA program known as Blarney. As the program was described in the Washington Post (WPO), the agency gathers metadata on computers and devices that are used to send e-mails or browse the Internet through principal data routes, known as a backbone.

... ... ...

Metadata

That metadata includes which version of the operating system, browser and Java software are being used on millions of devices around the world, information that U.S. spy agencies could use to infiltrate those computers or phones and spy on their users.

"It's highly offensive information," said Glenn Chisholm, the former chief information officer for Telstra Corp. (TLS), one of Australia's largest telecommunications companies, contrasting it to defensive information used to protect computers rather than infiltrate them.

According to Snowden's information, Blarney's purpose is "to gain access and exploit foreign intelligence," the Post said.

It's unclear whether U.S. Internet service providers gave information to the NSA as part of Blarney, and if so, whether the transfer of that data required a judge's order.

... ... ...

Einstein 3

U.S telecommunications, Internet, power companies and others provide U.S. intelligence agencies with details of their systems' architecture or equipment schematics so the agencies can analyze potential vulnerabilities.

"It's natural behavior for governments to want to know about the country's critical infrastructure," said Chisholm, chief security officer at Irvine, California-based Cylance Inc.

Even strictly defensive systems can have unintended consequences for privacy. Einstein 3, a costly program originally developed by the NSA, is meant to protect government systems from hackers. The program, which has been made public and is being installed, will closely analyze the billions of e-mails sent to government computers every year to see if they contain spy tools or malicious software.

Einstein 3 could also expose the private content of the e-mails under certain circumstances, according to a person familiar with the system, who asked not to be named because he wasn't authorized to discuss the matter.

AT&T, Verizon

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn't be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn't meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

[Jun 06, 2013] Banking Malware, Under the Hood

Slashdot

"What is your computer actually DOING when you click on a link in a phishing email? Sherri Davidoff of LMG Security released these charts of an infected computer's behavior after clicking on a link in a Blackhole Exploit Kit phishing email. You can see the malware 'phone home' to the attacker every 20 minutes on the dot, and download updates to evade antivirus. She then went on to capture screenshots and videos of the hacker executing a man-in-the-browser attack against Bank of America's web site. Quoting: 'My favorite part is when the attacker tried to steal my debit card number, expiration date, security code, Social Security Number, date of birth, driver's license number, and mother's maiden name– all at the same time. Nice try, dude!!'"

3.5 stripes

Well, you were dumb enough (Score:1, Insightful)

to click on the attachment in the first place, you've already set the bar for your intelligence

minstrelmike

Re:Well, you were dumb enough (Score:5, Insightful)

Actually, there are two different populations of phish messages going around now. One of them surprisingly enough is full of misspellings and odd grammar in a tale about a Nigerian prince. If folks click on that, the senders know they have a live one.

But the other phishing schemes are subtle. I think reasonably intelligent folks who skim emails (instead of read them), especially on a tiny smart-phone/blackberry screen, are just liable to click to someplace nasty. After all, ain't no one 100% right 100% of the time.

Synerg1y

Re: Well, you were dumb enough (Score:4, Insightful)

There's a very basic question that needs to be asked by people: why am I getting this email? If you can't figure it out, a siren should go off in your mind as to what this could be.

I do feel bad for anybody that's been caught by this, technical ineptitude is not a valid reason to get your money stolen, especially considering the average age of the victims (it's up there).

Kenja

Re:Nice try? (Score:4, Informative)

BofA actually has VERY good online security.

If setup right, you should be shown a picture you choose to confirm that you are on the legit site. Then in addition to your password, you can setup a system where a six digit numeric token is sent to your cell phone which is also needed to authenticate.


Anonymous Coward

It's Quite A Bit More Than That (Score:1)


So a link in a malicious email can compromise my Windows box and cause my web browser to navigate to addresses in a local hosts file. Welcome back to 1997.

It's quite a bit more than that. Perhaps you should RTFA.
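
The quoted complaint above, that a malicious link can point a Windows box at addresses planted in its local hosts file, describes one of the oldest banking-trojan tricks: redirect the bank's hostname so the victim lands on the attacker's proxy while the address bar still looks right. (A later comment in this thread uses the same file defensively, pointing the malware's domains at a dead-end loopback address.) Both moves leave a record in the file, so the check is worth scripting. The following is an added example, not code posted by any commenter here; the sample hosts file, the examplebank.com and example-av.com names and the 198.51.100.23 address are constructed.

```python
"""Audit a hosts file for redirection and blocking of watch-listed names.

Added example, not code posted by any commenter. Works on the text of a
Windows hosts file (System32\\drivers\\etc\\hosts) or a Unix /etc/hosts alike.
"""
import ipaddress

# Constructed hosts file. The bank and AV update names and 198.51.100.23 are
# placeholders, not real domains or a real attacker address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.examplebank.com
198.51.100.23   onlinebanking.examplebank.com
127.7.7.7       update.example-av.com
0.0.0.0         ads.example.net     # ad blocking
"""

# Names whose resolution a bank customer or a security product must be able to trust.
WATCHLIST = {
    "www.examplebank.com",
    "onlinebanking.examplebank.com",
    "update.example-av.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]        # one address may carry several names
        for name in names:
            yield ip, name.lower()


def classify(ip_text):
    """'loopback' (127/8, ::1), 'sinkhole' (0.0.0.0, ::), 'remote', or 'invalid'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "sinkhole"
    return "remote"


def audit_hosts(text, watchlist):
    """Return [(hostname, ip, kind)] for watch-listed names found in the file.

    kind is 'hijack' when the name is pinned to a remote address (the victim
    is being sent somewhere else) and 'blocked' when it goes to loopback or
    0.0.0.0. A blocked entry is benign if the defender put it there (sinkholing
    a C2 name) and hostile if malware did (cutting off AV updates); the file
    cannot tell you which, so review each one.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watchlist:
            continue
        kind = classify(ip)
        if kind == "remote":
            findings.append((name, ip, "hijack"))
        elif kind in ("loopback", "sinkhole"):
            findings.append((name, ip, "blocked"))
    return findings


if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print("%-8s %-32s -> %s" % (kind.upper(), name, ip))
```

On a live machine, read the file from disk and pass its contents in; any "hijack" line for a financial or update hostname is a compromise indicator on its own, because nothing legitimate pins such names in a hosts file.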

stewsters

Re:Most of the exploits.. (Score:5, Informative)

Don't use IE6. Don't use IE7. Don't Use IE8. Its 2013. Use Chrome, Firefox, or IE 10+

Install chrome, chrome://plugins/ , block automatic execution of java and flash. Make it so you need to click. Install an adblocker to reduce driveby downloads. Install noscript + ghostery if you are wearing aluminum foil on your head.

Auto install security updates. If something disables it most likely you have a virus. Keep everything up to date. Don't install toolbars or weather apps from unknown sources.

CAOgdin

I Fixed One Of These Recently (Score:5, Interesting)

This malware (which puts up the appearance of a credit/debit card and asks for all your information) calls a server in the Ukraine. It was delivered by eMail (to a naive user) and intercepts attempts to reach your financial institution via their website. It presents, after login (did they capture the login info?), a panel looking like the credit/debit card, asking for the user to fill in all information, including account number, CVC, address, and other personal information (why anyone would fill in that data is beyond me!)

After much gnashing of teeth, I discovered it was undetectable by any known virus checker I use (AVG, Malwarebytes, Spybot), so I had to dig deeper. It turned out that the malware was using any references to 127.0.0.1 (local machine) for its hook. All I had to do was edit the HOSTS file and add the domain names of the miscreant with a reference to a different IP address that is known to be a deadend (you could, for example, use 127.7.7.7).

When the malware couldn't execute, it couldn't disable the various malware detectors, and several files were then identified and removed.
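
Both the summary's malware that phones home "every 20 minutes on the dot" and the sample in the last comment that "calls a server in the Ukraine" show the behaviour network defenders lean on: a compromised host contacting one destination on a timer, with far less variation in spacing than a person browsing. The script below is an added example, not code from LMG Security or any poster in this thread. The proxy log format (ISO timestamp, client, server:port, bytes) is an assumption to adapt to your own logs, the lines are constructed, and the 10.0.0.x, 198.51.100.7 and 203.0.113.10 addresses come from documentation ranges, not real infrastructure.

```python
"""Beacon detection over proxy log lines.

Added example, not code from LMG Security or the Slashdot discussion.
Flags (client, server) pairs whose connections are spaced almost
identically, the signature of malware phoning home on a timer.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log; the format "ISO-timestamp client server:port bytes" is assumed.
# 10.0.0.5 talks to 198.51.100.7 every 20 minutes on the dot (the C2) and to
# 203.0.113.10 at human, irregular intervals (ordinary browsing).
SAMPLE_LOG = """\
2013-05-30T10:00:00 10.0.0.5 198.51.100.7:443 812
2013-05-30T10:03:17 10.0.0.5 203.0.113.10:80 15044
2013-05-30T10:20:00 10.0.0.5 198.51.100.7:443 812
2013-05-30T10:21:42 10.0.0.5 203.0.113.10:80 7301
2013-05-30T10:40:00 10.0.0.5 198.51.100.7:443 815
2013-05-30T10:58:09 10.0.0.5 203.0.113.10:80 22010
2013-05-30T11:00:00 10.0.0.5 198.51.100.7:443 812
2013-05-30T11:20:00 10.0.0.5 198.51.100.7:443 812
2013-05-30T11:31:55 10.0.0.5 203.0.113.10:80 4420
2013-05-30T11:40:00 10.0.0.5 198.51.100.7:443 812
2013-05-30T11:40:30 10.0.0.9 198.51.100.7:443 812
2013-05-30T11:52:03 10.0.0.5 203.0.113.10:80 9912
2013-05-30T12:00:00 10.0.0.5 198.51.100.7:443 812
"""


def parse_flows(log_text):
    """Group connection timestamps by (client, server) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, server, _size = line.split()
        host = server.rsplit(":", 1)[0]          # strip the port
        flows[(client, host)].append(datetime.fromisoformat(stamp))
    return flows


def beacon_score(timestamps):
    """Return (median gap in seconds, jitter) for a list of timestamps.

    Jitter is the largest relative deviation of any gap from the median:
    0.0 means perfectly regular, 1.0 means some gap is twice (or zero times)
    the typical one. Needs at least two timestamps.
    """
    stamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    period = median(gaps)
    if period == 0:                               # simultaneous hits, not a timer
        return period, float("inf")
    jitter = max(abs(g - period) / period for g in gaps)
    return period, jitter


def find_beacons(log_text, min_hits=5, max_jitter=0.1):
    """Flag pairs with at least min_hits connections whose spacing stays
    within max_jitter (10% by default) of the median gap."""
    hits = []
    for (client, server), stamps in parse_flows(log_text).items():
        if len(stamps) < min_hits:
            continue
        period, jitter = beacon_score(stamps)
        if jitter <= max_jitter:
            hits.append({"client": client, "server": server, "hits": len(stamps),
                         "period_s": period, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_LOG):
        print("%(client)s -> %(server)s: %(hits)d hits every %(period_s).0f s "
              "(jitter %(jitter).2f)" % beacon)
```

Real implants add random sleep to blur the pattern, so in practice the jitter threshold is tuned per environment and the score is combined with other signals (destination reputation, constant request size like the 812-byte hits above, traffic outside working hours) rather than used alone.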

Google under fire for sending users' information to developers by Thom Holwerda

02/15/13
"Sebastian Holst makes yoga mobile apps with his wife, a yoga instructor. The Mobile Yogi is sold in all the major mobile app stores. But when someone buys his app in the Google Play store, Holst automatically gets something he says he didn't ask for: the buyer's full name, location and email address.

He says consumers are not aware that Google Inc. is sharing their personal information with third parties. No other app store transmits users' personal information to third-party developers when they buy apps, he said." Oh Google.

UltraZelda64

Hopefully this applies only when "buying" an app.

If so, then I should be safe. This kind of privacy violation is just... wrong. Google seems to think that their customers automatically trust third parties or something... if anything, this demonstrates that Google themselves should not be trusted.

darknexus

RE[2]: Obviously a bug by darknexus

"If it had been a certain fruit company everyone would be rioting.

Man, it's so hard to be persecuted, eh?"

Much as I hate to be defending Apple this time, the OP is absolutely correct. There's definitely a double standard in place for Apple in the tech media, particularly though not exclusively when compared to Google.

If Apple had been the one doing this, everyone would have been up in arms, torches lit, ready to burn down Apple HQ and any other buildings around them just to make sure the deed was done.

When Google does it, not only do we get some people giving them the benefit of the doubt but we even have some that claim Google are in the right to do this. If that's not a double standard, I don't know what is. For myself, I say no app store should give

[Feb 16, 2013] The Antivirus Industry's Dirty Little Secret

Video, you need Adobe Flash to view it...
Feb. 14, 2013 | Businessweek

-- Bloomberg Businessweek's Jordan Robertson discusses why the antivirus industry has so many customers in the face of its ineffectiveness. He speaks on Bloomberg Television's "Market Makers." (Source: Bloomberg)

[Feb 13, 2013] Welcome to the Malware-Industrial Complex By Tom Simonite

February 13, 2013 | MIT Technology Review

The U.S. government is developing new computer weapons and driving a black market in "zero-day" bugs. The result could be a more dangerous Web for everyone.

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven't been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a "zero-day" vulnerability, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran's nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet's many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it's involved even more complex techniques (see "The Antivirus Era Is Over"). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects' computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero day vulnerability receives a monthly payment as long as a flaw remains undiscovered. "As long as Apple or Microsoft has not fixed it you get paid," says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok-based security researcher who goes by the name The Grugq tweets about acting as a middleman and has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In an argument on Twitter last month, he denied that his business is equivalent to arms dealing, as critics within and outside the computer security community have charged. "An exploit is a component of a toolchain," he tweeted. "The team that produces & maintains the toolchain is the weapon."

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it

"provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions."

Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google's Chrome browser, but they turned down Google's offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.

General Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, told a symposium in Washington last October that the United States is prepared to do more than just block computer attacks. "Part of our defense has to consider offensive measures," he said, making him one of the most senior officials to admit that the government will make use of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing "Cyberspace Warfare Attack capabilities" that could "destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage." And in November, Regina Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal about the direction U.S. defense technology is heading. "In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs," she said, announcing that the agency expected to expand cyber-security research from 8 percent of its budget to 12 percent.

Defense analysts say one reason for the shift is that talking about offense introduces an element of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S. politicians and defense chiefs have talked mostly about the country's vulnerability to digital attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure was being targeted by overseas attackers and that a "digital Pearl Harbor" could result (see "U.S. Power Grids, Water Plants a Hacking Target").

Major defense contractors are less forthcoming about their role in making software to attack enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. "It's a growing area of the defense business at the same time that the rest of the defense business is shrinking," says Peter Singer, director of the 21st Century Defense Initiative at the Brookings Institution, a Washington think tank. "They've identified two growth areas: drones and cyber."

Large contractors are hiring many people with computer security skills, and some job openings make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman posted ads seeking people to "plan, execute and assess an Offensive Cyberspace Operation (OCO) mission," and many current positions at Northrop ask for "hands-on experience of offensive cyber operations." Raytheon prefaces its ads for security-related jobs with language designed to appeal to stereotypical computer hackers: "Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies."

The new focus of America's military and defense contractors may concern some taxpayers. As more public dollars are spent researching new ways to attack computer systems, some of that money will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.

"Every country makes weapons: unfortunately, cyberspace is like that too," says Sujeet Shenoi, who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program trains students for government jobs defending against attacks, but he fears that defense contractors, also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences of active strikes against infrastructure. "I think maybe the civilian courts ought to get together and bar these kinds of attacks," he says.

The ease with which perpetrators of a computer attack can hide their tracks also raises the risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware is unsuccessful, there's a strong chance that a copy will remain somewhere on the victim's system, by accident or design, or accidentally find its way onto computer systems not targeted at all, as Stuxnet did. Some security firms have already identified criminal malware that uses methods first seen in Stuxnet (see "Stuxnet Tricks Copied by Criminals").

"The parallel is dropping the atomic bomb but also leaflets with the design of it," says Singer. He estimates that around 100 countries already have cyber-war units of some kind, and around 20 have formidable capabilities: "There's a lot of people playing this game."

A new Android spam botnet has been discovered across all major networks that sends thousands of text messages without a user's permission, TheNextWeb reported. The threat, which is known as SpamSoldier, was detected on December 3rd by Lookout Security in cooperation with an unnamed carrier partner. The malware is said to spread through a collection of infected phones that send text messages, which usually advertise free versions of popular paid games like Grand Theft Auto and Angry Birds Space, to hundreds of users each day.

Once a user clicks on the link to download the game, his or her phone instead downloads the malicious app. When the app is downloaded, SpamSoldier removes its icon from the app drawer, installs a free version of the game in question and immediately starts sending spam messages.

The security firm notes that the threat isn't widespread; however, it has been spotted on all major carriers in the U.S. and has the potential to do serious damage if something isn't done soon to stop it.

Android Malware Botnet Claims Doubted as Researchers Review Evidence - Security - News & Reviews - eWeek.com

Initial reports earlier this week of a new Android malware botnet could now be erroneous, according to follow-up interviews with the security researchers who made the original claims.

Two Internet security researchers who recently reported their findings of an Android botnet that pushes spam to users' Yahoo email accounts now say they might have jumped the gun.

In an update from The Wall Street Journal, the two researchers aren't as sure that their original claims about the alleged Android malware and botnet are correct.

"Chester Wisniewski, senior security adviser at Sophos, said he is rechecking his findings after Google and some other security researchers disputed findings of an Android 'botnet,' or a cluster of computers hijacked by hackers," The Journal reported in its Digits blog. "In an interview Thursday, Mr. Wisniewski said that the spam he identified generated by Yahoo??s free Web-based email service was different than normal patterns of email spam but 'we don??t know for sure that it??s coming from Android devices.'"

The other security researcher, Microsoft engineer Terry Zink, also backtracked on his original report about the alleged Android malware, stating in a follow-up post "that he also didn??t know for sure that Android devices had been compromised," according to The Journal. ??Yes, it??s entirely possible that bot on a compromised PC connected to Yahoo Mail' and inserted the 'Yahoo Mail for Android' tagline at the bottom of the spam messages 'to make it look like the spam was coming from Android devices,' he wrote."

Google, which owns and develops the Android mobile operating system, continues to deny the researchers' claims since the first reports were released. ??The evidence we??ve examined does not support the Android botnet claim," the company said in a statement through a spokesman. "Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they??re using. We??re continuing to investigate the details.?¯

The original reports from the two security researchers stated that the alleged malware would get into a user's smartphone through a rogue app, which then used users?? Yahoo free email accounts to send out spam, according to an earlier story on eWEEK.com. "Microsoft engineer Terry Zink said he found spam samples coming from compromised Yahoo email accounts, but then noted that they were being sent from Android mobile devices."

"We've all heard the rumors, but this is the first time I have seen it: a spammer has control of a botnet that lives on Android devices," Zink originally wrote in a blog post July 3. "These devices log in to the user's Yahoo Mail account and send spam. ... The messages all come from Yahoo Mail servers. They are all from compromised Yahoo accounts. They are sending all stock spam, the typical pump and dump variety that we've seen for years."

Huge Android Botnet Threatens the Security of Chinese Smartphone Users

15 Jan 2013

Chinese security researchers have issued a public warning about a botnet comprised of a hazardous 1 million smartphones running Android, writes the local Xinhua News Agency.

With over 150 million Android users out of a total of 420 million mobile users, China has serious reason to fear they are in great danger of getting mass-infected with the Android.Troj.mdk backdoor.

The Trojan that apparently has already compromised some 7,000 popular software pieces gives the attacker remote control over the victim's handset, collects contact lists, phone numbers, message details, geo-location data, photos or videos and pretty much whatever is stored on the compromised device. Plus, without the user's consent, it downloads useless applications that slow down the smartphone, drain the battery or generate aggressive adware.

The fact that this botnet already includes some 1 million devices means that people are not fully aware or concerned about the dangers of purchasing or downloading apps from unlicensed third-party app stores. China went so far as to ask operators to check their stores for vulnerability to protect their clients.

To protect themselves from this menace, Chinese Android users are urged to install a mobile security solution, regularly check the data traffic and call history and make sure they know and approve the permissions required by some apps they acquire from non-authorized sources.

Rise Of Android Botnets - Security - Mobile Security - Informationweek

Damballa found that in the first half of this year, the number of compromised Android devices communicating with known criminal command and control (C&C) networks grew significantly, topping out at 20,000 devices on two particularly nasty weeks. This marks a disturbing milestone in the evolution of mobile malware, since until recently, mobile exploits typically didn't involve a persistent takeover of the device and active communication with a C&C botnet. As the report concludes, "two-way Internet communication now makes the mobile market as susceptible to criminal breach activity as desktop devices."

Magnifying the risk is the fact that, as Damballa points out, many of these devices also join corporate Wi-Fi networks, where they are largely flying under the radar of existing security protocols and thus are ready agents for spreading malware to other internal systems, even PCs.

Just how easy is it to create and control an Android botnet? This was demonstrated last winter at ShmooCon by Georgia Weidman.

Weidman's code inserts itself into the phone's modem driver and the rest of the telephony stack, ingeniously using the SMS messaging protocol to control the underlying malware. SMS makes a great C&C channel, according to Weidman, since it's fault-tolerant (SMS queues messages for later delivery if the network is unavailable), hard for security teams to monitor (since it's operated by the telecom carrier), and, perhaps most importantly, power-efficient. That's critical because IP traffic, over Wi-Fi or 3G, is one of the biggest smartphone battery drains. By using a lightweight protocol like SMS, botnet operators can have a relatively chatty dialog with their slave devices without tipping the owners off that something might be amiss on their phones. The downsides are that SMS instructions are limited to 160 characters, and users may eventually notice messaging charges on their phone bills.

Installation follows the typical path of getting someone to install a Trojan app. Weidman sums up the significance of this attack vector: "If attackers can get the bot installed, they can remotely control a user's phone without giving any sign of compromise to the user." The malicious beauty of a smartphone or tablet bot is the very mobility of the host; its nomadic network transience exposes the malware to more victims ... sort of like a traveling salesman with tuberculosis.

With mobile devices the new frontier for cybercrime, some basic security advice bears repeating. Mobile malware is primarily spread through native apps, which largely explains why iPhone and iPad users are less vulnerable, shielded by Apple's curated App Store. In contrast, IT should educate Android aficionados to curb urges toward download promiscuity, since the Android Marketplace is open to anyone and doesn't perform any security checks before publishing an app. Sure, Android forces apps to inform users of the phone features they need, but there is nothing to prevent them from abusing the privilege. Even seemingly benign capabilities, like being able to send SMS text messages, can be deviously employed, as Weidman's botnet software makes abundantly clear.

But iPhone users shouldn't get complacent. Apple's curated App Store provides a useful shield to native malware apps, but as the drive-by JailBreakMe exploit exposed, even iOS can be compromised.

Aside from being wary of new apps from unknown sources, it's also important to maintain good mobile device security hygiene:

-- Store as little data as possible locally -- it's impossible not to have your contact list and cached email and browser sessions on a smartphone, but avoid storing copies of sensitive business documents.

-- Encrypt data in storage and transit; use file encryption (or an encrypted file system as in iOS) for local storage and VPNs for network connections on unsecured links, namely public Wi-Fi hotspots.

-- Finally, use a mobile device management service, either an enterprise product such as AirWatch, MobileIron, or Zenprise, or a consumer-oriented service like Apple's Find My iPhone or Lookout for Android, that can track and remotely wipe a lost or stolen device.
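The two points made in the Informationweek excerpt above, that SMS is a workable command channel for a bot and that a permission the user accepted can be abused at will, are both visible statically in an app's manifest. The script below is an added example (not code from Informationweek, from Georgia Weidman, or from the Android project): it parses an AndroidManifest.xml, flags permission combinations that together enable the behaviours described, and lists receivers registered for the SMS_RECEIVED broadcast. The RISK_RULES table and the "flashlight" sample manifest are constructed for this example; the permission and action names are the real Android ones.

```python
"""Static audit of an AndroidManifest.xml for abusable permission combinations.

Added example, not code from the article above, from Georgia Weidman, or from
the Android project. RISK_RULES is an illustrative heuristic of this example;
the permission and action names are the real Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Each rule names a set of permissions that together enable one of the
# behaviours the article describes. Assumption of this example, not a policy.
RISK_RULES = {
    "sms_command_channel": {      # receive orders and report back over SMS
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "contact_exfiltration": {     # read the address book and ship it out
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
    "boot_persistence": {         # come back after every reboot
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.INTERNET",
    },
    "location_tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.INTERNET",
    },
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=.../> values."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def audit(manifest_xml):
    """Map each triggered rule name to the sorted permissions that triggered it."""
    perms = requested_permissions(manifest_xml)
    return {rule: sorted(need) for rule, need in RISK_RULES.items() if need <= perms}


def sms_receivers(manifest_xml):
    """Return (receiver name, intent-filter priority) for every receiver that
    listens for SMS_RECEIVED. On Android releases before 4.4 a high-priority
    receiver saw the message first and could abort the ordered broadcast, so
    the stock messaging app never showed it."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(filt.get(ANDROID_NS + "priority", "0"))
                found.append((recv.get(ANDROID_NS + "name"), prio))
    return found


# Constructed sample: a "flashlight" app that asks for far more than it needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for rule, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{rule}: {', '.join(perms)}")
    for name, prio in sms_receivers(SAMPLE_MANIFEST):
        print(f"SMS_RECEIVED receiver {name} registered with priority {prio}")
```

For a real APK, pull the manifest out with apktool (or list the permissions directly with `aapt dump permissions app.apk`) and feed the XML to `audit()`. A match is a reason to look closer, not proof of malice: a messaging app legitimately needs both SMS permissions, which is exactly why the permission prompt alone cannot tell a user which "flashlight" is a bot.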


[Dec 16, 2012] Sophisticated botnet steals more than $47M by infecting PCs and phones

Dec 5 2012 | ArsTechnica
A new version of the Zeus trojan, a longtime favorite of criminals conducting online financial fraud, has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks' use of two-factor authentication for transactions by intercepting messages sent by the bank to victims' mobile phones.

The malware and botnet system, dubbed "Eurograbber" by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims' bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday (PDF).

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack.

Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim's browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a "security upgrade" from the site, offering to protect their mobile device from attack.

The JavaScript captures their phone number and their mobile operating system information -- which are used in the second level of Eurograbber's attack.

With the phone number and platform information, the attacker sends a text message to the victim's phone with a link to a site that downloads what it says is "encryption software" for the device. But it is, in fact, "Zeus in the mobile" (ZITMO) malware -- a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software.

With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim's balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan's command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.
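To make the mTAN interception concrete, here is an added example (not code from Check Point, Versafe or Ars Technica) that models the exchange above: a constructed bank issues a TAN bound to the transfer it confirms, the phone delivers SMS through an ordered receiver chain, and a stand-in for the ZITMO receiver forwards bank messages to a relay number and hides them from the user, which is what a high-priority receiver that aborted the SMS_RECEIVED broadcast could do on Android releases before 4.4. The bank, the relay number, the account names and the TAN scheme are all constructed for this example.

```python
"""Model of the Eurograbber / ZITMO mTAN interception described above.

Added example, not code from Check Point, Versafe or Ars Technica. The bank,
the receiver chain, the relay number and the TAN scheme are constructed
stand-ins so the flow can be run offline; no real bank or app is modelled.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass
class Sms:
    sender: str
    body: str


class Bank:
    """Constructed bank. The TAN is bound to the transfer it confirms, and the
    SMS spells out amount and destination so a human can spot a swapped payee."""
    SENDER = "BANK"                      # constructed sender ID

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}                # TAN -> (account, amount, dest)
        self.ledger = []                 # executed transfers

    def request_transfer(self, account, amount, dest):
        msg = f"{account}|{amount}|{dest}".encode()
        tan = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:6].upper()
        self.pending[tan] = (account, amount, dest)
        return Sms(self.SENDER, f"Transfer {amount} EUR to {dest}. TAN: {tan}")

    def confirm(self, tan):
        tx = self.pending.pop(tan, None)
        if tx is None:
            return False
        self.ledger.append(tx)
        return True


class Phone:
    """Ordered delivery: receivers run from highest priority down; one that
    returns True consumes the message, as abortBroadcast() on SMS_RECEIVED did
    on Android releases before 4.4. Anything not consumed lands in the inbox."""

    def __init__(self):
        self.receivers = []              # (priority, handler)
        self.inbox = []

    def register(self, priority, handler):
        self.receivers.append((priority, handler))
        self.receivers.sort(key=lambda r: r[0], reverse=True)

    def deliver(self, sms):
        for _, handler in self.receivers:
            if handler(sms):
                return
        self.inbox.append(sms)


class ZitmoReceiver:
    """Stand-in for the trojan's SMS hook: forward every message from the bank
    to the relay number and swallow it so the victim never sees it."""

    def __init__(self, relay_number, bank_sender):
        self.relay_number = relay_number
        self.bank_sender = bank_sender
        self.forwarded = []              # what the C&C side ends up holding

    def __call__(self, sms):
        if sms.sender != self.bank_sender:
            return False
        self.forwarded.append((self.relay_number, sms.body))
        return True


TAN_RE = re.compile(r"TAN: ([0-9A-F]{6})")


def run_fraud(phone_infected):
    """Play the three steps of the attack once and report what each side saw."""
    bank = Bank(b"constructed-bank-secret")
    phone = Phone()
    zitmo = ZitmoReceiver("+000000000000", Bank.SENDER)   # constructed relay
    if phone_infected:
        phone.register(999, zitmo)       # outranks the messaging app
    # 1. PC side: the injected JavaScript submits the attacker's transfer.
    sms = bank.request_transfer("victim-iban", 2500, "mule-iban")
    # 2. Phone side: the bank's confirmation SMS arrives on the handset.
    phone.deliver(sms)
    # 3. C&C side: replay any relayed TAN back to the bank.
    confirmed = False
    for _, body in zitmo.forwarded:
        confirmed = bank.confirm(TAN_RE.search(body).group(1))
    return {
        "user_saw": [s.body for s in phone.inbox],
        "relayed": len(zitmo.forwarded),
        "transfer_confirmed": confirmed,
        "ledger": bank.ledger,
    }


if __name__ == "__main__":
    for infected in (False, True):
        print("phone infected:", infected, run_fraud(infected))
```

With only the PC compromised, the confirmation SMS still reaches the inbox and names "mule-iban" as the payee, so an attentive victim can refuse to type the TAN. Once the phone runs the attacker's receiver, the same SMS is relayed and suppressed, the transfer executes, and the "second factor" has collapsed into the first: a TAN bound to the transaction only helps while the channel that displays it is independent of the attacker.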


Recommended Links




Attacking android insecurity

Amphion Forum Understanding Android Security

http://selinuxproject.org/page/SEAndroid

Security Enhancements for Android™ (SE for Android) is a project to identify and address critical gaps in the security of Android. Initially, the project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the project is not limited to SELinux.

... ... ...

Android 4.3 is the first Android release version to fully include and enable the SELinux support contributed by the SE for Android project. The Android 4.3 SELinux support is discussed in https://source.android.com/devices/tech/security/se-linux.html. Prior versions such as Android 4.2 included a subset of the SELinux support but not a complete, functional set, and the code was disabled by default in the build (wrapped with HAVE_SELINUX conditionals).

You can build Android 4.3 and drop in a SELinux-enabled kernel without requiring further changes if you only want the core SELinux functionality. You will still need to put the device into enforcing mode, which under Android 4.3 you can do temporarily via an adb shell su 0 setenforce 1 or permanently by putting setenforce 1 into the init.rc file (make sure the device boots and operates without denials first, as per Getting Started).
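The step above, confirming that the device boots and operates without denials before running setenforce 1, needs a way to read and triage the denials. The following is an added example, not part of the SE for Android project or of AOSP: it parses AVC denial lines as they appear in the output of `adb shell dmesg`, collapses repeats, prints each as the allow rule audit2allow would generate for it, and reports whether anything is left. The dmesg excerpt is constructed for the example; the message format is the standard kernel AVC one.

```python
"""Summarize SELinux AVC denials from Android kernel logs before switching
the device to enforcing mode.

Added example, not part of the SE for Android project or AOSP. Feed it the
output of `adb shell dmesg`; the log lines below are constructed for the demo.
"""
import re
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed dmesg excerpt from a permissive-mode boot (permissive=1 is only
# printed by newer kernels; the parser does not depend on it).
SAMPLE_DMESG = """\
[   12.345678] type=1400 audit(1380000000.123:4): avc: denied { read } for pid=312 comm="vold" name="fstab" dev="rootfs" ino=42 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[   12.345901] type=1400 audit(1380000000.123:5): avc: denied { read } for pid=312 comm="vold" name="fstab" dev="rootfs" ino=42 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
[   15.000001] type=1400 audit(1380000003.000:6): avc: denied { read write } for pid=1401 comm="com.example.app" path="/dev/block/mmcblk0" dev="tmpfs" ino=9 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
[   15.100000] init: starting 'zygote'
[   16.200000] type=1400 audit(1380000004.200:7): avc: denied { connectto } for pid=1401 comm="com.example.app" path="/dev/socket/property_service" scontext=u:r:untrusted_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1
"""


def parse_denials(log_text):
    """Yield one dict per AVC denial: perms (set) plus every key=value field."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {"perms": set(m.group("perms").split())}
        for key, value in FIELD_RE.findall(m.group("fields")):
            rec[key] = value.strip('"')
        yield rec


def summarize(log_text):
    """Collapse repeats into Counter[(scontext, tcontext, tclass, perms)]."""
    counts = Counter()
    for rec in parse_denials(log_text):
        key = (rec.get("scontext", "?"), rec.get("tcontext", "?"),
               rec.get("tclass", "?"), " ".join(sorted(rec["perms"])))
        counts[key] += 1
    return counts


def domain(context):
    """'u:r:vold:s0' -> 'vold'; 'u:object_r:rootfs:s0' -> 'rootfs'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def suggest_allow(scontext, tcontext, tclass, perms):
    """Render the denial as the rule audit2allow would print for it."""
    perm_str = perms if " " not in perms else "{ " + perms + " }"
    return f"allow {domain(scontext)} {domain(tcontext)}:{tclass} {perm_str};"


def safe_to_enforce(log_text, ignore_domains=()):
    """True when no denials remain except from source domains you chose to ignore."""
    return all(domain(s) in ignore_domains for (s, _, _, _) in summarize(log_text))


if __name__ == "__main__":
    for (s, t, c, p), n in summarize(SAMPLE_DMESG).most_common():
        print(f"{n:4d}x  {suggest_allow(s, t, c, p)}")
    print("safe to run setenforce 1:", safe_to_enforce(SAMPLE_DMESG))
```

Do not turn every line into an allow rule. The vold denial on fstab looks like a genuine gap in the vold domain's policy; the untrusted_app denials on a raw block device and on init's property socket are the policy doing its job and point at that app, which is precisely the damage limitation the project description above is about. Only once the remaining denials are all understood, and the ones that matter are fixed in policy rather than allowed away, is it time for setenforce 1.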

Botnet - Wikipedia, the free encyclopedia

[PDF] Android Botnets on the Rise: Trends and Characteristics

Android Botnets on the Rise: Trends and Characteristics, Heloise Pieterse, Defence, Peace, Safety and Security, Council for Scientific and Industrial Research
[PDF] A study of mobile botnets: analysis of attack strategies

Android botnets on the rise - case study, Arie's World, July 1st, 2013




The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author's free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speeding up access. In case softpanorama.org is down you can use softpanorama.info.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

The site uses AdSense so you need to be aware of Google privacy policy. If you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: September 23, 2018