Android Malware "Obad" Called Most Sophisticated Yet 117
chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."
Re: (Score:2)
...or perhaps "anything we'd ever seen" was a low bar?
Re:So who lied? (Score:4, Informative)
Bingo!
The Australian Communications and Media Authority's statistics breakdown shows of about 16,500 infected devices online at any one time, 20 Windows viruses make up more than 16,400 of the active IPs. Rarer Windows viruses, and Mac, iOS, Linux and Android infections all total less than 100 infections.
http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_600121 [acma.gov.au]
Kasperky says:
Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.
http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan [securelist.com]
So to put this all in perspective, this new super-virus made up less than 0.15% of the attempts to join the 0.1% of infections that aren't Windows viruses.
If you read the Kaspersky analysis of the "super-malware", you'll see why. It ASKS for permission to install and to elevate privileges. If the user says "No", it doesn't happen.
Re: (Score:2, Insightful)
What percentage of ACs are Google employees making excuses?
Re: (Score:2)
I reserve discussion for people who have the decency to stand by their words, and not hide behind AC posting.
Re: (Score:2)
I'm not sure that is any more noble. My user ID definitely does not connect to anything in the real world (except when it comes to women, I tend to be a real dumb-ass on a consistent basis).
If I can translate your comment, it might be something along the lines of, I don't have anything but I'll act as if I do in order to avoid being called into question. the emperor really has no cloths on- But perhaps that is because he is taking a shower at the moment.
Re: (Score:2)
No it doesn't connect you to the real world. But it connects you to what you've said before.
More importantly it means a discussion can take place because I can know that the series of replies in the same thread labeled "sumdumass" comes from the same person. Discussion is quite literally impossible with an AC, because you never know when a series of messages in a thread is the same person.
Re: (Score:2)
No problems here, no crazy SMS bills, etc.
Re: (Score:2)
It is. More secure != unbreakable.
Re: (Score:3)
And yet the malware numbers clearly show that Android is less secure than iOS.
Re: (Score:2)
And use the right language, it should be "less insecure". Anything else promotes the fallacy you fell in to.
Re: (Score:2)
You might find that software to be open source as well. What was all that bluster about OSS being "inherently more secure"?
The major security flaw that has yet to be patched on any system is the user. When security experts talk about secure systems they are talking about gaining access without the user doing something stupid, like downloading and installing a trojan then giving it elevated permissions.
Re: (Score:3)
The major security flaw that has yet to be patched on any system is the user. When security experts talk about secure systems they are talking about gaining access without the user doing something stupid, like downloading and installing a trojan then giving it elevated permissions.
Only ones that are making excuses for ill-thought out security. If the security relies on users to be informed enough to answer questions they won't understand then that's a security design fault.
The iOS system of having a single point for download of apps, and having them vetted in advance is a far better security design.
Re: (Score:2)
Android has the same fucking thing. Except that the user can make the choice to disable that restriction and install from any source if they'd prefer.
Then it's not the same thing. It's not protecting the system from the security vulnerability the GP mentioned: "the user doing something stupid, like downloading and installing a trojan then giving it elevated permissions."
And iOS apps aren't vetted for shit.
Sure they are. That's why iOS has a tiny fraction of the malware that Android does. But more significantly is that a single point of download means that as soon as any malware is identified, Apple can stop anyone else downloading it. Android has no such safeguard.
I can see the fact that i
Re: So who lied? (Score:2)
Re:So who lied? (Score:4, Funny)
Nonono. Google is god (no spelling mistake), Apple is evil and always wrong, Microsoft irrelevant. That's the official policy. Haven't you got the memo?
Having a different opinion to that is forbidden - as per protocol.
Re: (Score:2)
Re: (Score:3)
Re:So who lied? (Score:4, Insightful)
Didn't they tell us that Android, being Linux based is very very safe compared to anything we'd ever seen?
You may have been modded down but I do see a point with your post, everybody (but not the sort of people that frequent sites like this) has been told how secure Linux systems are and since Android is a Linux system I doubt you'd find many non-techs would understand why Android being a Linux system doesn't necessarily make it secure. Any application on any system (not just Android) that can access system resources - like SMS functionality - is going to have the capacity to act maliciously so it really is up to the user to decide whether to allow that sort of access to the application, this is even more difficult if the application has a legitimate purpose in accessing such functionality.
For at least some tech enthusiasts it's fine to say 'just make it open source' and the individual can vet it - but of course the vast majority will not do that - so trusting a generally (yes none is absolutely guaranteed and some are better than others) well-vetted marketplace (Google Play, iOS App Store, Windows Store, Amazon Store?) seems to be the best bet for most people.
Re: (Score:2)
Re: (Score:2)
Yeah, but thta's because there'll be practically no Android apps at all. Sure you'll get ports of common GNU/Linux apps and utilities, but that's about it.
And nevermind the fact that GPLv2 and GPLv3 are completely incompatible. GPLv2+ and GPLv3 are fine for obvious reasons, though some of
Re: (Score:2)
What they neglected to say was, because phones are very tightly tied to a paid service, criminals would focus on it as soon as they realised it was worth their time to do so. Few systems have stood up to financially motivated professional crackers for very long. I would go as far as to say that promoting Android on it's Linux security aspects has probably been counter-productive with users assuming it's safe to take fewer precautions, if any at all (although I would qualify that by saying anti-virus on smar
Follow the Money? (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
by adding a few unrelated accounts alongside the malware author's accounts, he now has plausable deniability to say he was also just a random person targeted.
Re: (Score:2)
Plausible deniability.
Re: (Score:2)
Re: Follow the Money? (Score:2, Informative)
The latest version of cyanogen actually has this feature. Anytime a text is attempted to be sent to a premium number or service the OS itself blocks it then prompts the user and asks if they wish to allow it to be sent. It also gives the option to always allow or just allow once and no matter which you choose it will prompt any time a new number is used in the recipients field. Google should merge that code into aosp
Re: Follow the Money? (Score:4, Insightful)
The latest version of cyanogen actually has this feature. Anytime a text is attempted to be sent to a premium number or service the OS itself blocks
Until the malware removes the block of course... If it can escalate permissions it can probably also take out a lot of system safeguards.
Re: (Score:1)
Until the malware removes the block of course... If it can escalate permissions it can probably also take out a lot of system safeguards.
And can the malware do this, or is this just uninformed conjecture masquerading as "insight" coming from an Apple troll?
--Jeremy
Re: (Score:2)
A fitting name... (Score:4, Informative)
Obad is Bosnian (also Croatian and Serbian) for horse-fly. [wikipedia.org]
Re: (Score:2)
stupid birther, Obad was born in Hawaii.
Vulnerability extends application's permissions? (Score:5, Informative)
Yes, the vulnerability requires prompting the user to explicidly install the app and explicidly raise permissions.
"Do you want to install this application?"
"Activate device administrator?"
Re: (Score:3, Insightful)
As if that would be of any defense against the malware.
NO normal user hesitates to click OK. Most won't even understand what the messages mean. Remember : most people are not geeks.
The fault is solely on Android for not properly sandboxing apps. It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example : Yes install, but no, you may NOT access the adressbook or the SMS API.
Re:Vulnerability extends application's permissions (Score:5, Interesting)
I don't think this is going to change because Android programmers are sloppy. To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output. Google programmers have been known to publicly say bugs are no big deal [google.com]. If that attitude has really spread around the company, how capable do you think they will be of writing secure sandbox code?
Re: (Score:1)
Can you give evidence of this? Not doubting you, just wondering what they were.
I have no doubt they are all over the place; every time I look into Android I see sad things like that. If you tell me that you've been looking and can't find anything, I'll give you some hints, but if you're not even willing to download Android and open it in Eclipse, then what's the point?
Re: (Score:1)
I have no doubt they are all over the place; every time I look into Android I see sad things like that. If you tell me that you've been looking and can't find anything, I'll give you some hints, but if you're not even willing to download Android and open it in Eclipse, then what's the point?
oh ok then, well i don't have the android packages or eclipse on this system, i was just wondering what sort of bugs they were and given that you said it happened to you today i figured you would just be able to rattle off at least one.
Re: (Score:2)
i was just wondering what sort of bugs they were and given that you said it happened to you today i figured you would just be able to rattle off at least one.
NPE, unclosed resources
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
People who care will find them, people who only care enough to read the comment will get only that.
Re: (Score:2)
Re: (Score:1)
Yeah, it's almost like this is a discussion forum or something.
Or, you can continue being anti-social...
Re: (Score:2)
Or, you can continue being anti-social...
Thanks for giving me permission.
Re: Vulnerability extends application's permission (Score:2)
Re: (Score:2)
Re:Vulnerability extends application's permissions (Score:5, Informative)
Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable. Okay, it can spread through BlueTooth but that requires you have already paired your device with an infected one manually. Most people pair their devices with things like their car and headset, not other random phones.
Then when you do install the app the warning message that appears is very different to the one you see on Google Play and explains that you should not trust unknown sources. It's not like "oh another UAC prompt, click yes to continue", it is a different and more scary warning that most users will never have seen before.
It's basically like Mac or Linux malware. It exists but you have to be incredibly dumb to fall victim to it. There isn't really much more anyone can do to help people who are that stupid.
Re: (Score:1)
Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable.
Uhh, excuse me, Mr. Ignorant, but Google Play isn't available in some markets, such as China. So, you might want to go back and check your 99.9% figure again.
Re: (Score:2)
When showing colleagues how to use their new Android phones I always explain the permissions to them, especially the Contacts, SMS and Calling permissions. The wording I use is "If it's something like Skype, it needs to read your contacts. If it's a football game, it doesn't - don't install it"
On more than one occasion I've been told "how am I supposed to remember that?", to which reply (I work in a motor-trade related business, so I use an obligatory car analogy) "When you drive into a petrol station, do y
Re: (Score:2)
NO normal user hesitates to click OK. Most won't even understand what the messages mean. ...
It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example : Yes install, but no, you may NOT access the adressbook or the SMS API.
I'm sorry but the solution to a user clicking OK to an indecipherable message is to provide an indecipherable message to the user?
If Microsoft's UAC has taught us anything it is to NOT bombard the user with "Click here to make your system work" messages which only desensitize them to actual warnings.
Re: (Score:1)
Re: (Score:1)
Another Example of Apple's Crumbling Empire? (Score:5, Funny)
Most sophisticated? Take that iOS!
Just require authentication to install anything (Score:2)
Really, is it that complex?
Re: (Score:2)
Re: (Score:3)
As per my other post, an end user, prompted for authorisation to install something they downloaded (even if it is malicious) is going to click "yes" or enter their password. Without a development background, the source code, possibly a debugger and a few days up their sleeve, the choice to install or not is entirely uninformed.
It is blind luck as to whether or not the app they have downloaded is trojaned or not, unless it has been vetted upstream in some manner.
Re: (Score:2)
I was thinking more along of the lines of don't allow the installation of anything unless the user punches in some always varying pin code that's sent along a different channel. It's not a wonderful fix but the simple act of forcing someone to wait and then do a few manual things might address part of the issue. After all it's not precisely that people are blindly allowing things on their phones, it's the privileges on their account that allow them to do that. At work in the Linux world if your company is g
Re: (Score:2)
Most Sophisticated Yet? (Score:2)
It seems as though the app just asks for it and waits for the user to say yes.
Did I miss something or does this look like every other non-event Android malware except with a new crypto scheme?
http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan
The Doom Of Android (Score:1, Troll)
It seems as though the app just asks for it and waits for the user to say yes.
Did I miss something or does this look like every other non-event Android malware
The frightening thing is that you actually believe this to be a non-event.
You sit in your high tower built atop the bones of those unfortunate enough not to understand if they should say yes or not. But hey the system lets you change wall paper really easily, so fuck the 100 million people or whatever that must perish so you can have full flexibility
Re: (Score:2)
Maybe, at most 1000 people in china infect their device by manually enabling side-loading for pirated apps and the rest of the world gets on with life.
I'm suggesting its not sophisticated or unknown because it just asks for permission through the intended API, i.e Not A Bug. I didn't mention anything about how the user perceives the question, that comple
Re: (Score:2)
As I've said previously, most people who this will happen to are lazy, and for some inexplicable reason, proud that they don't know anything about "computers". I'm not defending the GP, it's a shit attitude for those people to have, and it's a shit attitude to say "they deserved it".
However, in my office I explain permissions (with examples) to people with new Android phones. Some make a show of saying they'll never remember that. I use a car analogy (which I've already posted [slashdot.org] - not a karma whore) which goe
Re: (Score:1)
What will it take for them to finally do something about it because, up until now, they've barely paid lip service to the problem with their platform.
It will take them being held financially responsible for the damage caused by their lackadaisical attitude toward the issue.
Re:2 decades of Windows being pwned and Google lea (Score:5, Insightful)
So, so much this.
Relying on the end user to magically be aware that stuff they are signing is not trojaned, reputable, etc. is not going to work. As demonstrated by Microsoft for the last 30 years, and as demonstrated in the unix world since the 70s.
I've been saying for some time that Android is the Windows of the mobile world. Not because of the code-base or even quality of the code-base, but due to the design decision to push security back on the end user. 99.999% of us are not security experts.
Virus scanners are a waste of resources (cpu/storage and thus, battery).
Vet executables at the source. If the user wants to run their own code, provide a code signing mechanism (this can be done on iOS with a dev account, sure there is a cost argument but the technical benefit is huge. if it was free and there was sufficient verification of an individual's identity to prevent issuing multiple certs to the same person, the money issue could go away. at the moment the cost is there to make obtaining thousands (say) of code-signing certs impractical for a malware author). If apple included a code-signing cert for the end user to "bless" their own (or downloaded) code with for use on their own devices, would people's bitching about not "owning" their iOS device change?
This is the single biggest reason I am an iOS user. I've been around long enough to know not to trust myself or any of my users to vet apps themselves (no one has the time or skillset or tools to do it anyway). I have no faith in the security of a device which can run any code from anywhere being in the hands of an end user (including myself) who is not capable of verifying whether or not code is malicious.
No it is not a 100% solution and there is every chance that malware slips through, however once it has been reported to the distribution point, its cert can be revoked to stop it spreading any further.
Yes, exploits can be created if the signing mechanism is secure, but that is an implementation issue, not a core design issue, and can be fixed.
Re: (Score:2)
Re: (Score:1)
This is the single biggest reason I am an iOS user.
Oh, good for you. And many of the rest of us have either weighed the benefits/potential drawbacks and seen that there is effectively no difference between the two approaches, except that Android's approach gives the user far more control; OR, the the case of the vast majority of people, have given it no thought, and went with whatever device they thought looked prettiest and ended up with an iPhone or an Android phone.
If you enjoy your walled garden -- fine. Hang out in there and talk about how beautiful
Re: (Score:2)
And that's fine. Good for you. It doesn't change the fact that allowing end users to install unsigned code from anywhere has been demonstrated to NOT WORK for the past 30 years. As I said, the certificate issue / xcode issue is not a technical problem, and iOS is merely an example of where I think we need to go with security.
We already rely on SSL certs to decide whether or not to trust a website with our password, yet most people will freely download and install (and grant privileges - whatever they
Re: (Score:2)
What Google should do is set up an online store for their apps like Apple has done with the iPhone. Then Android users could finally have a safe, trusted source of vetted apps so they won't have to risk infection~
Re: 2 decades of Windows being pwned and Google le (Score:2)
Re: 2 decades of Windows being pwned and Google le (Score:2)
Re: (Score:2)
True. Lets assume for the sake of argument that we are talking about Google adopting the code-signing policy, and giving out free code-signing certs with the device with a 10 year expiry date. Is this acceptable?
It is my firm belief that we need some sort of third party verification because end users are simply easily fooled, and even if the app store is fooled, at least if code is signed they can turn the cert off after the software is in the wild.
The issues people have with Apple's code signing re
Non-compete (Score:2)
Lets assume for the sake of argument that we are talking about Google adopting the code-signing policy, and giving out free code-signing certs with the device with a 10 year expiry date. Is this acceptable?
For the most part, yes. And that's similar to what users had under AT&T-customized versions of Android prior to Amazon Appstore: "Unknown sources" is hidden, but adb install still works. But I'm also assuming that unlike Apple, Google will continue to refrain from using a monopoly on SDKs targeting its mobile platform to push sales of its own branded personal computer hardware. And there's still a problem with the "non-compete" provision of the Google Play distribution agreement [google.com]. If someone were to make
Spread via bluetooth? (Score:1)
However, it is capable of downloading additional modules and of spreading via Bluetooth connections.
If that's what it looks like, it's the first I've heard of that doesn't need user interference to spread. That's a Big Deal, unlike anything in most of these stories.
so... (Score:1)
I was prompted .. so I came xD (Score:2, Interesting)
It sickens me a great deal to see the Google's, Facebooks & Microsoft's of the world just sit back in their soft leather sided armchairs watching other people to discover the security flaws in their software. Microsoft has done it for years with the third party 'Virus
Yet it still lists all the obvious permissions (Score:2)
I don't get it, if the malware has the ability to "exploit vulnerabilities in Google’s mobile operating system to extend the application’s permissions on the infected device" then why does it need to ask for a bunch of obviously suspicious permissions [wp.com]?
Seems like whatever vulnerability they're discovered must be relatively minor or they wouldn't need to ask for any additional permissions.
Re: (Score:3)
or a better Android phone.