Android Malware "Obad" Called Most Sophisticated Yet
chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."
Didn't they tell us that Android, being Linux based is very very safe compared to anything we'd ever seen?
Question is: Were we lied to, or did those who were talking about this subject just not know what they were talking about?
This one should be pretty easy, no? Which premium numbers benefited from the text messages?
Obad is Bosnian (also Croatian and Serbian) for horse-fly.
Against stupidity the gods themselves contend in vain
"A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device"
Yes, the vulnerability requires prompting the user to explicitly install the app and explicitly raise permissions.
"Do you want to install this application?"
"Activate device administrator?"
AccountKiller
Glad I still use my Crackberry! No worries here.
As if that would be of any defense against the malware.
NO normal user hesitates to click OK. Most won't even understand what the messages mean. Remember : most people are not geeks.
The fault is solely on Android for not properly sandboxing apps. It would also help to be able to selectively set permissions instead of the current all-or-nothing approach. For example: Yes install, but no, you may NOT access the address book or the SMS API.
Not so smart, are they? And out of our control. I can safely say, we made Android what it is today, another bloated mess, so we can play Angry Birds during our daily death march, I mean, commute..
“He’s not deformed, he’s just drunk!”
or a better Android phone.
Most sophisticated? Take that iOS!
Yeah, basically this. When a user installs an app, they are told what permissions the app is asking for. You agree to it upon clicking OK. When creating these apps, it is as simple as putting a few lines of XML in the manifest for Resource to access here
it is as simple as putting a few lines of XML in the manifest for user-permissions to Resources
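As an added example (not code from any commenter), here is a small manifest triage script that reads the `<uses-permission>` lines the post refers to and flags the combination the summary describes: SMS permissions plus a device-administrator receiver plus Bluetooth. The two manifests are constructed for illustration; the permission names and the `android:` XML namespace are the real Android identifiers.

```python
"""Added example (not from any commenter): triage an AndroidManifest.xml for the
permission pattern the summary describes: SMS sending, a device-administrator
receiver (what lets an app resist removal) and Bluetooth. Manifests below are
constructed; permission names and the android: namespace are real."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
BT_PERMS = {"android.permission.BLUETOOTH", "android.permission.BLUETOOTH_ADMIN"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}

def has_device_admin_receiver(manifest_xml):
    """True if a <receiver> is guarded by BIND_DEVICE_ADMIN (app can ask to become admin)."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(PERM_ATTR) == DEVICE_ADMIN_PERM for r in root.iter("receiver"))

def triage(manifest_xml):
    """Return the declared behaviours of interest, in a fixed order."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if perms & SMS_PERMS:
        findings.append("sms")
    if perms & BT_PERMS:
        findings.append("bluetooth")
    if has_device_admin_receiver(manifest_xml):
        findings.append("device-admin")
    return findings

def needs_review(manifest_xml):
    """SMS access together with a device-admin receiver is the combination worth a
    manual look; either on its own has plenty of legitimate uses."""
    f = triage(manifest_xml)
    return "sms" in f and "device-admin" in f

# Constructed sample: a "game" declaring the full combination.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <application android:label="Constructed Game">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a messaging app that legitimately needs SMS, no admin rights.
MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Constructed Messenger"/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("game", GAME_MANIFEST), ("messenger", MESSENGER_MANIFEST)):
        print(label, triage(m), "review" if needs_review(m) else "ok")
```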
It's not about sandboxing, the malware uses a previously undiscovered privilege escalation exploit. It doesn't matter how good the design of your sandbox is, once that kind of exploit is found, the sandboxing is pointless.
I don't think this is going to change because Android programmers are sloppy. To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output. Google programmers have been known to publicly say bugs are no big deal. If that attitude has really spread around the company, how capable do you think they will be of writing secure sandbox code?
"First they came for the slanderers and i said nothing."
Really, is it that complex?
The method of obtaining install permissions and privilege escalation don't look particularly "unknown".
It seems as though the app just asks for it and waits for the user to say yes.
Did I miss something or does this look like every other non-event Android malware except with a new crypto scheme?
http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan
When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
One of the reasons why I despise Google and avoid their stuff at all costs. Except web search as there is no viable alternative.
...nothing!
What Happened?
Was it the fact that Android was built on Linux so they became complacent with the OS’s security policies?
Was it that they were so focused on taking the opposite approach to Apple’s curated store and seeming over-arching control that they went too far the other way?
Where did Google go so wrong? Have they gone wrong?
What will it take for them to finally do something about it because, up until now, they've barely paid lip service to the problem with their platform.
No one can say that iOS doesn’t have this problem because of a "security through obscurity" excuse as used for Mac OS when compared to Windows. iOS as a platform is just as large as Android when you count iPads and iPod touches along with iPhones.
Will Google finally break down and lock down their OS so that only curated apps can be installed? Can they after all this time?
Will they correct their broken permissions system that puts application permissions in the hands of the app developer rather than in the hands of the user, where it belongs?
However, it is capable of downloading additional modules and of spreading via Bluetooth connections.
If that's what it looks like, it's the first I've heard of that doesn't need user interference to spread. That's a Big Deal, unlike anything in most of these stories.
To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output.
Can you give evidence of this? Not doubting you, just wondering what they were.
I have no doubt they are all over the place; every time I look into Android I see sad things like that. If you tell me that you've been looking and can't find anything, I'll give you some hints, but if you're not even willing to download Android and open it in Eclipse, then what's the point?
"First they came for the slanderers and i said nothing."
I have no doubt they are all over the place; every time I look into Android I see sad things like that. If you tell me that you've been looking and can't find anything, I'll give you some hints, but if you're not even willing to download Android and open it in Eclipse, then what's the point?
Oh, OK then. Well, I don't have the Android packages or Eclipse on this system; I was just wondering what sort of bugs they were, and given that you said it happened to you today, I figured you would just be able to rattle off at least one.
What will it take for them to finally do something about it because, up until now, they've barely paid lip service to the problem with their platform.
It will take them being held financially responsible for the damage caused by their lackadaisical attitude toward the issue.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
I was just wondering what sort of bugs they were, and given that you said it happened to you today, I figured you would just be able to rattle off at least one.
NPE, unclosed resources
"First they came for the slanderers and i said nothing."
Where?
Find your own! If you are having trouble, I can help you out, give you hints.
"First they came for the slanderers and i said nothing."
Phone companies that withhold updates are to blame!
Often the holes have been patched but since they want to sell you a new phone and/or get you under a new contract, they refuse to update the software on older phones.
This is exactly like them pretending they can't track stolen phones and disable them. It's already done in other countries.
... where's the iOS version? Oh wait...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
So, so much this.
Relying on the end user to magically be aware that stuff they are signing is not trojaned, reputable, etc. is not going to work. As demonstrated by Microsoft for the last 30 years, and as demonstrated in the unix world since the 70s.
I've been saying for some time that Android is the Windows of the mobile world. Not because of the code-base or even quality of the code-base, but due to the design decision to push security back on the end user. 99.999% of us are not security experts.
Virus scanners are a waste of resources (cpu/storage and thus, battery).
Vet executables at the source. If the user wants to run their own code, provide a code signing mechanism (this can be done on iOS with a dev account; sure there is a cost argument, but the technical benefit is huge. If it was free and there was sufficient verification of an individual's identity to prevent issuing multiple certs to the same person, the money issue could go away. At the moment the cost is there to make obtaining thousands (say) of code-signing certs impractical for a malware author). If Apple included a code-signing cert for the end user to "bless" their own (or downloaded) code with for use on their own devices, would people's bitching about not "owning" their iOS device change?
This is the single biggest reason I am an iOS user. I've been around long enough to know not to trust myself or any of my users to vet apps themselves (no one has the time or skillset or tools to do it anyway). I have no faith in the security of a device which can run any code from anywhere being in the hands of an end user (including myself) who is not capable of verifying whether or not code is malicious.
No it is not a 100% solution and there is every chance that malware slips through, however once it has been reported to the distribution point, its cert can be revoked to stop it spreading any further.
Yes, exploits can be created if the signing mechanism is secure, but that is an implementation issue, not a core design issue, and can be fixed.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
If you're willing to give hints, you might as well be willing to give a few file/line pointers - even without downloading the source and Eclipse, people could look at the claimed Google's incompetence here, for example. You could also submit bug reports/patches.
As it is now it sounds like karma-whoring without anything to back your words up.
They're MY bugs! MINE! MY OWN!
I see why these bugs aren't getting fixed when Google has to deal with fucktards like you.
hehe because Google can't afford their own QA? AOSP has caused me so much pain I owe them nothing, especially if they are too lazy to check compiler warnings. Let them rot in their own stew of incompetence.
"First they came for the slanderers and i said nothing."
I know, but I feel confident enough in my own knowledge that I don't have to prove it to every AC who comes along.
People who care will find them, people who only care enough to read the comment will get only that.
"First they came for the slanderers and i said nothing."
It seems as though the app just asks for it and waits for the user to say yes.
Did I miss something or does this look like every other non-event Android malware
The frightening thing is that you actually believe this to be a non-event.
You sit in your high tower built atop the bones of those unfortunate enough not to understand if they should say yes or not. But hey, the system lets you change wallpaper really easily, so fuck the 100 million people or whatever that must perish so you can have full flexibility.
This kind of attitude is what will really kill Android, the thought that people who are too "stupid" to know when to say yes deserve what they get. Why will people stick around on a platform that continuously punishes them - by design?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Okay, firstly, side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable. Okay, it can spread through Bluetooth, but that requires you to have already paired your device with an infected one manually. Most people pair their devices with things like their car and headset, not other random phones.
Then when you do install the app the warning message that appears is very different to the one you see on Google Play and explains that you should not trust unknown sources. It's not like "oh another UAC prompt, click yes to continue", it is a different and more scary warning that most users will never have seen before.
It's basically like Mac or Linux malware. It exists but you have to be incredibly dumb to fall victim to it. There isn't really much more anyone can do to help people who are that stupid.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
When showing colleagues how to use their new Android phones I always explain the permissions to them, especially the Contacts, SMS and Calling permissions. The wording I use is "If it's something like Skype, it needs to read your contacts. If it's a football game, it doesn't - don't install it"
On more than one occasion I've been told "how am I supposed to remember that?", to which I reply (I work in a motor-trade related business, so I use an obligatory car analogy) "When you drive into a petrol station, do you just blindly pick the nearest pump and start filling up?"
Most of the people who say "I'm not a geek, I can't do that" aren't stupid, they're lazy, ignorant and simply don't want to learn. I tend to try helping them, but if they show no willingness to take in what I say, I tell them that if they're not going to listen, I see no point in wasting my time.
NO normal user hesitates to click OK. Most won't even understand what the messages mean. ...
It would also help to be able to selectively set permissions instead of the current all-or-nothing approach. For example: Yes install, but no, you may NOT access the address book or the SMS API.
I'm sorry but the solution to a user clicking OK to an indecipherable message is to provide an indecipherable message to the user?
If Microsoft's UAC has taught us anything it is to NOT bombard the user with "Click here to make your system work" messages which only desensitize them to actual warnings.
Where does Google sit in the Android heap? They don't sell the phones, they don't take responsibility for the impact of the Malware? Oh yeah! That's right, they just develop the software then 'give it away' to the world .. warts and all.
.. they can write the software which mines whatever information is useful to their behaviour analysis software without taking any responsibility for the damage they do.
.. corporations need to understand that there is no competition, just compromise.
It sickens me a great deal to see the Googles, Facebooks & Microsofts of the world just sit back in their soft leather-sided armchairs watching other people discover the security flaws in their software. Microsoft has done it for years with the third-party 'Virus Scanner' software providers. Now Google has picked up on the trend.
This is what I call an unsustainable business practice. People have to wake up to the understanding that they're being abused. But far, far more importantly
Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable.
Uhh, excuse me, Mr. Ignorant, but Google Play isn't available in some markets, such as China. So, you might want to go back and check your 99.9% figure again.
So based on this rationale, do you only talk to people on the street who are "pre-screened"?
Life involves risk.
I don't get it, if the malware has the ability to "exploit vulnerabilities in Google’s mobile operating system to extend the application’s permissions on the infected device" then why does it need to ask for a bunch of obviously suspicious permissions?
Seems like whatever vulnerability they've discovered must be relatively minor, or they wouldn't need to ask for any additional permissions.
It would also help to be able to selectively set permissions instead of the current all-or-nothing approach. For example: Yes install, but no, you may NOT access the address book or the SMS API.
http://forum.xda-developers.com/showthread.php?t=1719408
Read about OpenPDroid and PDroid. Too bad it doesn't come installed by default; you have to patch your firmware. But it works all right.
If anyone was still in the dark, he's lying out of his ass atm.
NFC usually does a quick Bluetooth pair when transmitting small bits of data like contacts, some text, or even an image. For larger files, NFC will create a simple ad-hoc Wi-Fi network. Someone correct me if I'm wrong.
That's your best rebuttal? ...that.
he made an informed and honest post
and your response is
It's obvious which people don't try for themselves.
"First they came for the slanderers and i said nothing."
This is the single biggest reason I am an iOS user.
Oh, good for you. And many of the rest of us have either weighed the benefits/potential drawbacks and seen that there is effectively no difference between the two approaches, except that Android's approach gives the user far more control; OR, in the case of the vast majority of people, have given it no thought, and went with whatever device they thought looked prettiest and ended up with an iPhone or an Android phone.
If you enjoy your walled garden -- fine. Hang out in there and talk about how beautiful it is. There might be a few more weeds out here in the rest of the world, but they aren't common and aren't particularly dangerous. I'm sorry that you've convinced yourself that they are and that it has made you too fearful to try something different, instead rationalizing your restrictive choices.
--Jeremy
Jesus was a liberal
Yeah, it's almost like this is a discussion forum or something.
Or, you can continue being anti-social...
What Google should do is set up an online store for their apps like Apple has done with the iPhone. Then Android users could finally have a safe, trusted source of vetted apps so they won't have to risk infection~
Or, you can continue being anti-social...
Thanks for giving me permission.
"First they came for the slanderers and i said nothing."
Say someone plans to compile AOSP with warnings treated as errors. Can you give hints on how to get out from under the single digit GB/mo cap of certain satellite and microwave ISPs so that downloading Eclipse and AOSP doesn't cause someone to lose Internet access for the rest of the month?
If you want Apple-style vetting on Android, install Amazon Appstore. It requires "Unknown sources" unless you're on a Kindle Fire tablet, but if you accept installation only if you just bought the app from Amazon, you should be fine.
Even if Apple were to include a 3-year developer certificate with the purchase of an iDevice, someone would still have to wait until his computer is old enough to be worth replacing with a Mac. Google has made the business decision to make Android developer tools available for both major proprietary personal computing platforms and one Free platform; Apple has chosen to make the signing tool for iOS available only for computers that it manufactures.
lol go to Starbucks
"First they came for the slanderers and i said nothing."
If you go to Play Store settings, you can uncheck the box you inadvertently checked at some point; automatically update apps over wifi. It is NOT checked by default, unless you have a very strange ROM indeed, but it is very easy to fix.
Yes, and so do you. If you were to see a guy in a hood brandishing a pistol and running away from the police, would you talk to him? You pre-screen people you deal with whether you will admit it or not.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
And that's fine. Good for you. It doesn't change the fact that allowing end users to install unsigned code from anywhere has been demonstrated to NOT WORK for the past 30 years. As I said, the certificate issue / xcode issue is not a technical problem, and iOS is merely an example of where I think we need to go with security.
We already rely on SSL certs to decide whether or not to trust a website with our password, yet most people will freely download and install (and grant privileges - whatever they have to do to make the shiny work) unverified code from untrusted sources that can then do anything it likes with their system.
It's insane.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
True. Let's assume for the sake of argument that we are talking about Google adopting the code-signing policy, and giving out free code-signing certs with the device with a 10-year expiry date. Is this acceptable?
It is my firm belief that we need some sort of third party verification because end users are simply easily fooled, and even if the app store is fooled, at least if code is signed they can turn the cert off after the software is in the wild.
The issues people have with Apple's code signing requirement are not insurmountable, if Apple or another company was to attempt it. I just don't think the current Google approach of allowing any unsigned code to be verified by the end user is a solution. This is what we've had with Windows for the past 2-3 decades...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Let's assume for the sake of argument that we are talking about Google adopting the code-signing policy, and giving out free code-signing certs with the device with a 10-year expiry date. Is this acceptable?
For the most part, yes. And that's similar to what users had under AT&T-customized versions of Android prior to Amazon Appstore: "Unknown sources" is hidden, but adb install still works. But I'm also assuming that unlike Apple, Google will continue to refrain from using a monopoly on SDKs targeting its mobile platform to push sales of its own branded personal computer hardware. And there's still a problem with the "non-compete" provision of the Google Play distribution agreement. If someone were to make an Android application for developing simple video games and sharing them with friends, similar to The Games Factory or Game Maker or Nintendo's WarioWare DIY for Nintendo DS, I'm afraid Google might see that as an attempt "to facilitate the distribution of software applications and games for use on Android devices outside of the Market".