Slashdot Mirror
Android Malware "Obad" Called Most Sophisticated Yet
chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."
This one should be pretty easy, no? Which premium numbers benefited from the text messages?
Obad is Bosnian (also Croatian and Serbian) for horse-fly.
Mit der Dummheit kämpfen Götter selbst vergebens
Nonono. Google is god (no spelling mistake), Apple is evil and always wrong, Microsoft irrelevant. That's the official policy. Haven't you got the memo?
Having a different opinion to that is forbidden - as per protocol.
"A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device"
Yes, the vulnerability requires prompting the user to explicidly install the app and explicidly raise permissions.
"Do you want to install this application?"
"Activate device administrator?"
AccountKiller
As if that would be of any defense against the malware.
NO normal user hesitates to click OK. Most won't even understand what the messages mean. Remember : most people are not geeks.
The fault is solely on Android for not properly sandboxing apps. It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example : Yes install, but no, you may NOT access the adressbook or the SMS API.
Most sophisticated? Take that iOS!
Didn't they tell us that Android, being Linux based is very very safe compared to anything we'd ever seen?
You may have been modded down but I do see a point with your post, everybody (but not the sort of people that frequent sites like this) has been told how secure Linux systems are and since Android is a Linux system I doubt you'd find many non-techs would understand why Android being a Linux system doesn't necessarily make it secure. Any application on any system (not just Android) that can access system resources - like SMS functionality - is going to have the capacity to act maliciously so it really is up to the user to decide whether to allow that sort of access to the application, this is even more difficult if the application has a legitimate purpose in accessing such functionality.
For at least some tech enthusiasts it's fine to say 'just make it open source' and the individual can vet it - but of course the vast majority will not do that - so trusting a generally (yes none is absolutely guaranteed and some are better than others) well-vetted marketplace (Google Play, iOS App Store, Windows Store, Amazon Store?) seems to be the best bet for most people.
It's not about sandboxing, the malware uses a previously undiscovered privilege escalation exploit. It doesn't matter how good the design of your sandbox is, once that kind of exploit is found, the sandboxing is pointless.
I don't think this is going to change because Android programmers are sloppy. To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output. Google programmers have been known to publicly say bugs are no big deal. If that attitude has really spread around the company, how capable do you think they will be of writing secure sandbox code?
"First they came for the slanderers and i said nothing."
Bingo!
The Australian Communications and Media Authority's statistics breakdown shows of about 16,500 infected devices online at any one time, 20 Windows viruses make up more than 16,400 of the active IPs. Rarer Windows viruses, and Mac, iOS, Linux and Android infections all total less than 100 infections.
http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_600121
Kasperky says:
Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.
http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan
So to put this all in perspective, this new super-virus made up less than 0.15% of the attempts to join the 0.1% of infections that aren't Windows viruses.
If you read the Kaspersky analysis of the "super-malware", you'll see why. It ASKS for permission to install and to elevate privileges. If the user says "No", it doesn't happen.
So, so much this.
Relying on the end user to magically be aware that stuff they are signing is not trojaned, reputable, etc. is not going to work. As demonstrated by Microsoft for the last 30 years, and as demonstrated in the unix world since the 70s.
I've been saying for some time that Android is the Windows of the mobile world. Not because of the code-base or even quality of the code-base, but due to the design decision to push security back on the end user. 99.999% of us are not security experts.
Virus scanners are a waste of resources (cpu/storage and thus, battery).
Vet executables at the source. If the user wants to run their own code, provide a code signing mechanism (this can be done on iOS with a dev account, sure there is a cost argument but the technical benefit is huge. if it was free and there was sufficient verification of an individual's identity to prevent issuing multiple certs to the same person, the money issue could go away. at the moment the cost is there to make obtaining thousands (say) of code-signing certs impractical for a malware author). If apple included a code-signing cert for the end user to "bless" their own (or downloaded) code with for use on their own devices, would people's bitching about not "owning" their iOS device change?
This is the single biggest reason I am an iOS user. I've been around long enough to know not to trust myself or any of my users to vet apps themselves (no one has the time or skillset or tools to do it anyway). I have no faith in the security of a device which can run any code from anywhere being in the hands of an end user (including myself) who is not capable of verifying whether or not code is malicious.
No it is not a 100% solution and there is every chance that malware slips through, however once it has been reported to the distribution point, its cert can be revoked to stop it spreading any further.
Yes, exploits can be created if the signing mechanism is secure, but that is an implementation issue, not a core design issue, and can be fixed.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable. Okay, it can spread through BlueTooth but that requires you have already paired your device with an infected one manually. Most people pair their devices with things like their car and headset, not other random phones.
Then when you do install the app the warning message that appears is very different to the one you see on Google Play and explains that you should not trust unknown sources. It's not like "oh another UAC prompt, click yes to continue", it is a different and more scary warning that most users will never have seen before.
It's basically like Mac or Linux malware. It exists but you have to be incredibly dumb to fall victim to it. There isn't really much more anyone can do to help people who are that stupid.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC