Slashdot Mirror


Symantec Identifies Android Trojans That Mutate With Every Download

angry tapir writes "Symantec researchers have identified a new premium-rate SMS Android Trojan that modifies its code every time it gets downloaded in order to bypass antivirus detection. This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it."

22 of 97 comments

  1. New movie by X.25 · · Score: 3, Funny

    X-Men: Androids

    1. Re:New movie by SJHillman · · Score: 3, Funny

      Teenage Mutant Ninja Androids

  2. Avast runs fine thanks... by ewanm89 · · Score: 4, Funny

    I do not need Norton Mobile, Avast is cheaper and just as good, so Symantec, stop using your fear tactics for advertising.

    1. Re:Avast runs fine thanks... by Anonymous Coward · · Score: 2, Insightful

      If you're running anti-virus on your phone, you've already lost the game...

    2. Re:Avast runs fine thanks... by ewanm89 · · Score: 3, Informative

      Considering I don't get popups to start with. And let's look at every study done on desktop antivirus solutions: you'll find Avast and AVG tend to come pretty high up the list in hit rate and lack of false positives (I also think at last check Avast had the fastest on-access scanning).

    3. Re:Avast runs fine thanks... by L4t3r4lu5 · · Score: 4, Insightful

      And independent testing proves they're mostly pretty useless.

      As with all things, only install apps from trusted sources, don't click accept on every pop-up box, and check the permissions requested are consistent with the functionality of the app. The same as with any other application on any other OS.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:Avast runs fine thanks... by Canazza · · Score: 2

      I prefer "If you don't want to catch AIDS why are you sticking your hands in that bag of used syringes?"

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    5. Re:Avast runs fine thanks... by BasilBrush · · Score: 3, Informative

      http://techfragments.com/news/982/Software/Apple_iPhone_Virus_Spreads_By_SMS_Messages.html
      http://www.tomshardware.com/news/iphone-virus-botnet-bank-details,9136.html
      http://www.mactrast.com/2010/07/iphone-virus-discovered-be-vigilant-and-seek-advice/
      https://discussions.apple.com/thread/3573755?start=0&tstart=0

      1) A vulnerability with a demo. There was never any malware written to exploit it, and as it was long since fixed, there never will be.

      2) Only affects jailbroken iPhones.

      3) You're the victim of an APRIL FOOL! From 2 years ago!
      http://vimeo.com/10587301

      4) Is nothing more than a user with a problem and no tech knowledge blaming his problem on a virus. There is no virus.

      While reasonably rare, iPhone viruses and malware do exist in the wild.

      No they don't. At least not on non-jailbroken iPhones.

    6. Re:Avast runs fine thanks... by hairyfeet · · Score: 2

      Most likely he doesn't want to play hardware roulette or keep a second machine with a different OS for Googling why the first machine crapped itself when some DE dev decided he didn't like the way things were and caused his video to take a crap, or the PukeAudio guys gave him a Goatse. There was a time, around 06-07, when I would have supported you on that, McGrew, but Canonical has done infected the ecosystem with "Let's throw everything out and add more bling! Blingapaloza baby yeah!" and now if anything Linux is more unstable than a bog standard Windows. Oh and before anybody says Debian, that's a workstation OS and about as designed for home users as an HPC server makes a good phone OS. Its support for the stuff you buy in Walmart is non-existent and its plug and play sucks. You had better REALLY know what you are doing before you make Debian stable your main OS or be ready for pain.

      Now as for AV I agree completely; in fact with a few simple tools I am able to make a modern Windows machine pretty much dumbass proof. How? Simple: replace IE with Comodo Dragon with ABP, which gives them a low-rights-mode browser that blocks the nastier ads, the biggest source of drive-bys; add Avast Free or Comodo CIS, both free, which have default sandboxing and scan before load for all webpages and new code. I've been using Avast for home users and Comodo for businesses, but I'm starting to use Comodo for home again because they have made it less "chatty" on initial setup, which used to scare new users. And finally, if I want it so nothing other than hardware failure is gonna break that sucker, Comodo Time Machine set to do a daily snapshot. With CTM, if their kid gets on and manages to pwn a machine so bad it can't even boot, all they do is click the home key on start and voila! Takes less than 15 minutes to get them back before the trouble. You can even tell it to pay extra attention to certain folders like My Pics so they don't have to worry about losing that pic of grandma if they go back.

      Now how much time does that take me to set up, McGrew? Thanks to Almeza Multiset, which I got free from Giveawayoftheday.com, it takes less than 20 minutes and a grand total of 2 clicks: one to launch the automated installer, the other to click the "yes you can reboot now" button. Compared to the 4 and a half hours I spend on the forums trying to figure out why the last upgrade took a giant dump on my sound and left me nothing but static, there really is NO comparison. Quick, where is the list that will tell me EXACTLY which devices sold in Walmart are supported under distro X? Most of the lists are badly out of date IF you can find them, and if you DO find a device all you get is a cryptic "Distro S, version number, kernel foo" which might as well be in Chinese for home users. With Windows all they do is look for the Winflag, as every device comes with support for XP/Vista/7 by default, and frankly most don't even need a disc now; Windows Update will install the drivers when you plug it in.

      So while it is pointless to pay for AV, it is NOT pointless to pay for Windows. Linux is ONLY for those with the skills to do a systematic step-by-step troubleshooting diagnosis on error; thanks to Torvalds thinking his shit don't stink and that he is smarter than every other OS developer on the planet, the driver situation has gotten so bad users will honestly tell you "Just do a clean wipe and reinstall", which is something they made fun of Windows for back in 05. Which wouldn't be bad if we were talking once a decade, but the max support is five years IF you plan your installs and sales around LTS, but who the fuck can do that other than enterprise buyers? I have machines in the field going on 9 years with ZERO need for reinstall or even tweaking; that's two service packs, countless updates and ZERO broken drivers. Linux is still too unstable and everything from DE to sound to kernel has been going through rapid and major changes the past 5 years. And in Linux you have the choice: bleeding edge or no support for modern hardware unless you can c

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Avast runs fine thanks... by madmark1 · · Score: 2

      Why, I believe you are right, Ubuntu IS the only Linux distro available now. I thought there were more, that didn't involve Canonical at all, but after absorbing your wisdom, I went and looked, and sure enough, all gone! Red Hat, Mint, Fedora, Arch... Gone!

  3. Turn it off! by ArcherB · · Score: 5, Informative

    I had my carrier, Sprint, turn "premium rate" text messaging off completely. My phone is clean, but I don't have to worry about it anyway.

    Also, it's worth noting that these guys don't need a virus to charge you for this stuff. About 2-3 times a year, I would get some charge on my bill from a joke line, horoscope line or whatever that I never signed up for through text messaging or any other way. The last time it happened, I explained to the customer service rep that I would never use this type of service and she suggested that I block it. I have not had another charge since.

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    1. Re:Turn it off! by Aladrin · · Score: 4, Interesting

      This is my only complaint about T-Mobile's customer service. The only way to block this is to pay $5/month and then micromanage your lines. -sigh-

      I had this problem with my father's line. He somehow got signed up for all kinds of garbage, and we didn't figure it out until later. (Really gotta watch that bill better.) They reversed a few months' charges, but they're only willing to go back so far. (I don't blame them, there.)

      But I did expect them to help me prevent the charges in the future, without me paying for the service.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Turn it off! by Anonymous Coward · · Score: 2, Funny

      You can call and ask for it and they will do it.

      Have you ever tried actually *calling* T-Mobile, dumbass?

      I'm sure he called them a lot of things, but it didn't help. :-)

  4. notnews by Cyberax · · Score: 4, Informative

    So they've discovered polymorphic viruses? You know, like in the good old days of DOS, where viruses were real viruses and not simple worms.

    http://en.wikipedia.org/wiki/Polymorphic_code

    1. Re:notnews by gl4ss · · Score: 4, Interesting

      It's not as elegant as a virus that is polymorphic on its own. It's server-side generated: the server adds some randomization to the code, changes class names, adds/removes unneeded code and then builds a new package, meaning the signature changes. Now, it's perfectly possible to build a binary and a new package _on_ device too, it just doesn't seem that any malware does it. Polymorphic on device _and_ spread through Bluetooth would be newsworthy, I'd think (it needs the victim to press yes about 3 times and to open the file though, and the user to keep BT on too.. as it happens, you can't on Android keep just the handsfree parts of Bluetooth on; if you've got BT on then OBEX is on, but you'll still need to accept the incoming files as said).

      --
      world was created 5 seconds before this post as it is.
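To show why the per-download rewrite described in the comment above defeats hash-matching scanners while leaving behaviour-based checks intact, here is an added toy model (not code from Symantec, Slashdot, or any poster): a package is a constructed dict of permissions, framework API calls and class names, the mutation step randomizes class names and junk classes, and the `PREMIUM_SMS_RULE` heuristic is an assumed, illustrative detection rule.

```python
import hashlib
import json
import random
import string

# Constructed toy model of an Android app package (not a real APK parser):
# declared permissions, framework APIs the code calls, and its class names.
BASE_PACKAGE = {
    "permissions": ["android.permission.SEND_SMS", "android.permission.INTERNET"],
    "api_calls": ["SmsManager.sendTextMessage"],
    "classes": ["MainActivity", "SmsSender", "BillingHelper"],
}

def mutate_server_side(package, rng):
    """Model the per-download rewrite: class names are randomized and unused
    junk classes are added, so the bytes differ on every download while the
    permissions and API use (what the app can actually do) stay the same."""
    def rand_name():
        return "".join(rng.choice(string.ascii_letters) for _ in range(8))
    variant = {
        "permissions": list(package["permissions"]),
        "api_calls": list(package["api_calls"]),
        "classes": [rand_name() for _ in package["classes"]],
    }
    variant["classes"] += [rand_name() for _ in range(rng.randint(0, 5))]
    return variant

def exact_hash(package):
    """Byte-level signature, the kind a hash-matching scanner relies on."""
    blob = json.dumps(package, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def behaviour_fingerprint(package):
    """Signature over capabilities, ignoring how the code is named."""
    features = sorted(set(package["permissions"]) | set(package["api_calls"]))
    return hashlib.sha256("|".join(features).encode()).hexdigest()

# Assumed heuristic: holds SEND_SMS *and* actually calls the SMS API.
PREMIUM_SMS_RULE = {"android.permission.SEND_SMS", "SmsManager.sendTextMessage"}

def flags_premium_sms(package):
    return PREMIUM_SMS_RULE <= (set(package["permissions"]) | set(package["api_calls"]))

def simulate(n_downloads, seed=1):
    """Return (distinct exact hashes, distinct behaviour fingerprints, rule hits)."""
    rng = random.Random(seed)
    variants = [mutate_server_side(BASE_PACKAGE, rng) for _ in range(n_downloads)]
    exact = {exact_hash(v) for v in variants}
    behav = {behaviour_fingerprint(v) for v in variants}
    return len(exact), len(behav), sum(flags_premium_sms(v) for v in variants)

if __name__ == "__main__":
    print(simulate(10))  # → (10, 1, 10)
```

Ten downloads yield ten different hashes, so a per-file signature written after the first sample never matches again, but every variant still shares one capability fingerprint and trips the same rule.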
    2. Re:notnews by Anonymous Coward · · Score: 2, Funny

      it needs the victim to press yes about 3 times and to open the file though - and the user to keep bt on too..

      No problem; to see cute bunny, press yes 3 times.

    3. Re:notnews by martin-boundary · · Score: 2

      Sounds complicated and fairly limited. They'd be better off encrypting the package, and using a salt that changes with each download. That'd work really well for dumb filters that match binary signatures.

      polymorphic on device _and_ spread through bluetooth would be newsworthy

      Does bluetooth transmit processes for running remotely? The way viruses worked in the ol' DOS days is that the front section of an executable file was overwritten and the virus code was appended at the end of the file. Then instead of the OS loading the program straightaway, the virus code was loaded, which then loaded the program seamlessly.

      That kind of thing wouldn't really be possible with data sent over the network, unless it was directly executable code on the target machine. With current client/server specializations (consumer device == always client, company hardware == always server), a virus couldn't spread far unless it could inject executable code both ways, from client to server and from server to client.

      I guess server to client is the easiest, it could be injected javascript in an infected web page. But client to server would require an exploit, and then figuring out where to put the malicious code so that it shows up on the next client's web browser.

  5. WOLF! by Anonymous Coward · · Score: 2, Funny

    cried Symantec...

  6. Nothing to see here by Anonymous Coward · · Score: 3, Informative

    "According to Armstrong, server-side polymorphism is not very widespread on the Android platform at the moment because most users get their apps through official channels and the current structure of the Android Market does not allow for a malware distribution scheme like this one."

  7. Server-Side Grammar Polymorphism? by ScentCone · · Score: 4, Funny

    You get what you pay for so think about why your still getting those pop-up porn ad's.

    Never mind pop-ups. I want to know which virus it was that yanked out the comma from your first clause, changed "you're" to "your" and turned "ads" into "ad's." These make-me-type-like-a-12-year-old malware infestations have really taken over. Because there's certainly no other explanation.

    --
    Don't disappoint your bird dog. Go to the range.
  8. Why don't we address the source of the problem by Rix · · Score: 4, Insightful

    Has anyone, anywhere ever intentionally used a "premium" SMS service?

    Telecoms obviously need a regulatory smackdown requiring them not to act as payment processors.

    1. Re:Why don't we address the source of the problem by KhabaLox · · Score: 3, Informative
      --
      Ceci n'est pas un sig.