Slashdot Mirror
Massive Android Mobile Botnet Hijacking SMS Data
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
Put it on some dodgy mobile cracked app site and have it perform some trivial functionsfunctions, post about it in a conspiratorial tone in some forums and watch the cheap bastards come rolling in. There are a million cheapskates for every real customer of android apps.
Sig Battery depleted. Reverting to safe mode.
Well, First there's Linux. Which is fine, except it's out of date, and thus can be compromised trivially. Then there's the device drivers which frequently have exploits due to the rapid progression of mobile platforms, being built by the lowest bidder, and the lack of consumer desire to pay a premium for security.
At this point we interact with the other small separate OS for the cellular radio -- It doesn't really validate inputs well and can be compromised trivially.
Moving on, we have an excellent application of user / group privileges which constrict application. Really would love actually a bit more than the level of control this has on desktops; Eg: Firefox runs as its own user on my desktop system and the Firefox user has access to its settings folder and is in the "Internet" group, so it can access the web. "sudo" is nice, but we need such a thing for granting user-level access to user-agents such as Firefox; It's one reason I'm developing an Agent Oriented OS and programming language... Anyhow, since the granularity is utterly shite it's basically pointless on mobile systems.
Then we have the Application. Note, this is not plural. We have the Davlik VM aka Java, but register based (faster, more memory use) instead of stack based (slower, less RAM use). There's some great stuff in the install process here whereby linkage occurs and the byte orders of values in the images are translated to machine order. Prior to running on Android the complied Java bytecode is translated into Davlik bytecode -- Unfortunately, there is no copy of this bytecode kept around in case you want to copy it to another device. I'm a firm believer of link on install, but they've done it horribly wrong: My OS links programs on install into MACHINE CODE... ugh. This is mobile so, yeah, let's use what little CPU we got to run a VM -- er, a just in time compiler for a VM.
Now, on desktop systems such as 80486, you'll have up to 4 different execution permission rings to leverage, but on the ARM and other systems you get 2: Kernel or Not. This really messes up the fact that you are running a VM atop a kernel. Well, Linux moronically doesn't reserve a ring level for applications to use against their plugins the same way the kernel isolates itself from user-land applications, so the hardware makers have adopted the monolithic kernel approach. Hey, guess what? We're running a monolithic VM atop a monolithic kernel! Yay! It's like Exploit HEAVEN! Remember how in 16 bit DOSs your program could access any other "TSR" program's memory, or even the OS / BIOS itself and wreak havok? Oh, man. It was great! Mobile has brought this back!
Then we have the app ecosystem, which is actually the strong point IMO. It at least gives you a chance to let other suckers become victims of an exploit and hope it gets pulled / blacklisted from the markets before you try it out. Also, 64GB micro SD's exist now... but a lot of new devices don't have SD card slots, so fuck 'em.
Finally we have the Carriers. They dig down deep into the nether regions of shit that shain't be shat around with, and do just that to create the UI's and app launchers high atop the software stack. Noticeably, desktop OSs have less overhead for doing things than the mobile methodology, but that's the sacrifice you make to have idiots develop you tech on the cheap.
I think you are missing the more important information here, malware like this and Linux servers being targeted for attack finally drive a stake through the lie that just because you have source that magically makes it more secure. As we see its just as many of us have been saying for years that once Linux reached a level of popularity it too would fall, no different than windows and OSX.
All having the source does is make it so that 1.- if you have the money, or 2.- if you have the coding talent, that you can continue to have that older piece of hardware or software supported...that's it, that's all it does, it keeps you from ending up with software or hardware being unsupported because everybody moved on because you can pay to keep it going or fix it yourself. I mean if anybody even thought about it for more than 30 seconds it would be plain as the nose on your face why "many eyes" is a myth, how many tens of millions of loc is in your average distro? How many programs and/or components are updated/upgraded on that distro per quarter? This is why every bug tracker has bugs going back several years, for the vast majority of any distro I seriously doubt anybody other than the guys that actually work on the project look at it with any regularity and you can be damned sure the majority of it isn't getting a security audit, it simply changes too fast.
But of course I'll be modded off the page for daring to point out what TFA clearly shows, but IRL Linux is just as complex as any other modern OS and where there is complexity there is flaws, simple as that.
Linux vulnerabilities have nothing to do with this, since users are willingly installing the apps and granting them permission to do these things (whether there is a better way of doing the aforementioned things in Android is moot since you decided to attack Linux). The one thing you missed is that when the source is open, the discovery of a vulnerability doesn't have to wait for the corporate "is it worth it to fix it" cycle. Anyone with a smidgen of coding talent can dig in and take a swing at it, which doesnt decrease 0-days but does decrease 180-days or 360-days that we have seen in many closed platforms. You might also want to investigate the fact that it's not a "distro" that needs to be secure at all, it's the individual, visible things (network stack, plus firewalling applications and finally the internet-facing applications) that consist of a much smaller and better reviewed set of code. But have fun getting modded.