Showing posts with label security. Show all posts

Wednesday, March 28, 2012

Trojan Android games send expensive SMSs




Roar of the Pharaoh Android game

Criminals continue to target the Android mobile platform churning out additional variants to line their pockets.
The latest sample pretends to be a legitimate Chinese game called "The Roar of the Pharaoh". The real game is not distributed on Google Play (the new name for the Android Market).
That makes things harder for anyone who wants the real game: the version we have in SophosLabs has a Trojan attached and is being distributed on unofficial download sites as well.
Sophos detects the malicious version as Andr/Stiniter-A. This Trojan is rather unusual in that it doesn't ask for any notable permissions during installation; a long list of requested permissions is often the first sign that an application is up to no good.
Once installed the malicious application gathers sensitive information (IMEI, IMSI, phone model, screen size, platform, phone number, and OS version) and sends it off to the malware's authors.
Like many other mobile Trojans, this one sends SMS messages to premium rate SMS numbers and is capable of reading your SMSs as well.
The malware masquerades as a service called "GameUpdateService", a very plausible name for a legitimate app if you went snooping around for what might be running on your device.
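The behaviour described above (harvesting IMEI/IMSI and the phone number, sending premium-rate SMS, reading incoming SMS, and hiding behind a component called "GameUpdateService") leaves traces in an APK's manifest, because on Android sending or receiving SMS and reading phone identity require declared permissions. The following static triage script is an added example, not code from Sophos or from the sample; the two manifests it checks are constructed for illustration (the package name, component names and permission set are assumptions, and whichever component of a real sample holds the SMS permissions, the game itself or a dropped payload, is not something this post tells us). It flags the permission combination that enables SMS billing plus device fingerprinting, a high-priority SMS receiver that can swallow carrier replies before the user's messaging app sees them, and generically named services.

```python
import xml.etree.ElementTree as ET

# ElementTree exposes android:name as "{namespace}name".
A = "{http://schemas.android.com/apk/res/android}"

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Component names that try to sound like system plumbing (assumed heuristic, not from the post).
GENERIC_WORDS = ("update", "service", "system", "google", "android")


def triage_manifest(manifest_xml: str) -> dict:
    """Static triage of a decoded AndroidManifest.xml: returns the declared
    permissions and a list of findings that together suggest SMS fraud."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []

    # SEND_SMS plus READ_PHONE_STATE is the minimum needed to bill the user
    # and to harvest IMEI/IMSI/phone number, the two things the post describes.
    if {"android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"} <= perms:
        findings.append("SEND_SMS + READ_PHONE_STATE: can send premium SMS and fingerprint the device")

    app = root.find("application")
    if app is not None:
        for receiver in app.findall("receiver"):
            name = receiver.get(A + "name") or ""
            for flt in receiver.findall("intent-filter"):
                actions = {a.get(A + "name") for a in flt.findall("action")}
                prio = int(flt.get(A + "priority", "0"))
                # A very high priority SMS_RECEIVED receiver sees incoming SMS before the
                # user's messaging app and can abort the broadcast, hiding carrier replies.
                if SMS_RECEIVED in actions and prio >= 1000:
                    findings.append(f"receiver {name}: intercepts incoming SMS at priority {prio}")
        for tag in ("service", "receiver"):
            for comp in app.findall(tag):
                name = comp.get(A + "name") or ""
                short = name.rsplit(".", 1)[-1].lower()
                if any(w in short for w in GENERIC_WORDS):
                    findings.append(f"{tag} {name}: generic system-sounding component name")

    return {"permissions": sorted(perms), "findings": findings, "score": len(findings)}


# Constructed manifests for illustration; package and component names are invented.
TROJANIZED_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pharaoh">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Roar of the Pharaoh">
    <activity android:name=".MainActivity"/>
    <service android:name=".GameUpdateService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

CLEAN_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pharaoh">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Roar of the Pharaoh">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("trojanized", TROJANIZED_GAME), ("clean", CLEAN_GAME)):
        result = triage_manifest(manifest)
        print(label, result["score"], result["findings"])
```

A game that declares INTERNET only scores zero; a game that also wants to send SMS, read phone identity and pre-empt incoming SMS scores three. The score is a triage hint for a human, not a verdict: legitimate messaging apps need the same permissions, which is why the receiver priority and the mismatch with the app's stated purpose matter more than any single permission.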
The malware also attempts to communicate with four .com domains with a path of "tgloader-android", leading some to refer to this Trojan as TGLoader.
Criminals love the free money laundering service provided by mobile phone providers. They can set up premium rate SMS numbers in Europe and Asia with little difficulty.
The mobile phone companies provide the payment processing and the bad guys have their money and are long gone before you ever receive the phone bill with the fraudulent charges.
As always, be sure to only install applications from official sources for the safest smartphone experience. While the sophistication of today's mobile malware is quite low, this won't remain true if there is a buck to be made.

Saturday, February 11, 2012

Orbot: Mobile Anonymity + Circumvention


What is Orbot?

Orbot is an application that allows mobile phone users to access the web, instant messaging and email without being monitored or blocked by their mobile internet service provider. Orbot brings the features and functionality of Tor (read more below) to the Android mobile operating system.
Orbot 1.0.5.2 (packaging Tor 0.2.2.25) is currently available in the Android Market and from the Tor Project website.

About the Tor Project

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Learn more at https://torproject.org

Usage Notes
Orbot may request different configuration depending on the Android operating system version it is used on.
BROWSING
  • You can use the Orweb Privacy Browser, which we offer and which only works via Orbot and Tor.
  • You can also try Firefox Mobile with our ProxyMob Add-On to browse via the Tor network.
INSTANT MESSAGING
  • For Instant Messaging, please try Gibberbot which provides integrated, optional support for Orbot and Tor.
OTHER APPS 
  • Transparent Proxying: You must root your device in order for Orbot to work transparently for all web and DNS traffic. If you root your device, whether it runs Android 1.x or 2.x, Orbot will automatically and transparently proxy all web traffic on ports 80 and 443 and all DNS requests. This includes the built-in Browser, Gmail, YouTube, Maps and any other application that uses standard web traffic.
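Transparent proxying on a rooted device works by pairing Tor's TransPort/DNSPort with iptables REDIRECT rules in the nat OUTPUT chain. The script below is an added illustration of that standard Tor pattern, not Orbot's own code or rule set; the port numbers (9040, 5400) and the UIDs are assumptions. It generates the two halves of the configuration and then walks the generated chain the way iptables would for a given outgoing packet, which makes two things concrete that the bullet above only implies: Tor's own UID must be exempted first or Tor's relay connections would be redirected back into Tor, and anything outside TCP 80/443 and UDP 53 (an XMPP client on 5222, DNS over TCP) is not proxied and leaves the device in the clear.

```python
import re

# Assumed values: Tor's TransPort/DNSPort as commonly configured, and the UID
# Android assigned to the Tor package on a particular device.
TRANS_PORT = 9040
DNS_PORT = 5400
TOR_UID = 10050


def torrc_lines(trans_port=TRANS_PORT, dns_port=DNS_PORT):
    """Tor-side half: accept transparently redirected TCP and answer DNS over Tor."""
    return [
        f"TransPort {trans_port}",
        f"DNSPort {dns_port}",
        "VirtualAddrNetwork 10.192.0.0/10",   # fake addresses handed out for .onion names
        "AutomapHostsOnResolve 1",
    ]


def iptables_rules(tor_uid=TOR_UID, trans_port=TRANS_PORT, dns_port=DNS_PORT, tcp_ports=(80, 443)):
    """Kernel-side half: nat OUTPUT rules in the order they must be applied."""
    return [
        # Tor's own sockets must be left alone, or its connections to relays
        # would be redirected back into itself.
        f"iptables -t nat -A OUTPUT -m owner --uid-owner {tor_uid} -j RETURN",
        f"iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports {dns_port}",
    ] + [
        f"iptables -t nat -A OUTPUT -p tcp --dport {p} -j REDIRECT --to-ports {trans_port}"
        for p in tcp_ports
    ]


def trace(rules, uid, proto, dport):
    """Walk the nat OUTPUT chain for one outgoing packet as iptables does:
    the first matching terminating target wins. Returns ("return", None),
    ("redirect", port), or ("leak", None) when no rule matches."""
    for rule in rules:
        owner = re.search(r"--uid-owner (\d+)", rule)
        if owner:
            if int(owner.group(1)) == uid:
                return ("return", None)
            continue
        m = re.search(r"-p (tcp|udp) --dport (\d+) -j REDIRECT --to-ports (\d+)", rule)
        if m and m.group(1) == proto and int(m.group(2)) == dport:
            return ("redirect", int(m.group(3)))
    return ("leak", None)


if __name__ == "__main__":
    rules = iptables_rules()
    print("\n".join(torrc_lines()))
    print("\n".join(rules))
    app_uid = 10061  # some other app's UID (assumed)
    for proto, port in (("tcp", 443), ("udp", 53), ("tcp", 5222), ("tcp", 53)):
        print(proto, port, trace(rules, app_uid, proto, port))
```

The trace of ("tcp", 5222) returning "leak" is the point: "transparent for all web and DNS traffic" is exactly that and no more, so an IM or mail client on another port is not covered by these rules unless that port is added to tcp_ports.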

Developers

  • Source code is available via Tor's GitWeb: git clone https://git.torproject.org/orbot.git
  • Orbot source code is available under the Tor License
  • Come discuss on #tor, #tor-dev and #guardianproject on irc.oftc.net or #guardianproject on freenode.

Friday, February 10, 2012

New Android malware affecting users, connects to botnet


A new piece of Android malware is afflicting thousands of users. North Carolina State University professor Xuxian Jiang, who documented the nature and behavior of RootSmart last week, believes that between 10,000 and 30,000 devices connect to a botnet without their owners' knowledge every day. Most of the affected users so far are located in China and run Android 2.3 (Gingerbread), the version the GingerBreak root exploit targets.
Affected users have typically visited an unofficial Android app store and downloaded what appears to be a legitimate app. Unbeknownst to the user, RootSmart is grafted into the app; it fetches the GingerBreak exploit to gain root and shows up as a second settings icon. The malware then functions as part of a wider botnet, forcing the user's phone to send premium-rate messages and use premium phone services, generating a healthy income stream for the scammer while emptying the pocket of the infected user.

As with most Android malware, the steps to avoid it include downloading apps only from known and trusted official Android markets (although these too have carried malicious apps at various times). Checking reviews and ratings is also advised, as is reviewing an app's permissions and watching for, and acting on, any unusual behavior from the phone. Prof. Jiang also recommends that users install antivirus software on their Android phones and keep it updated against the latest threats. [via The Verge]



Thursday, February 9, 2012

Android Botnet Exploits Gingerbread Root Access



Malware grabs root exploit code to obtain root privileges, poses a "serious threat," says researcher.
The mobile malware state of the art continues to improve, as demonstrated by the emergence of a new Android threat that's been dubbed RootSmart.
According to Symantec, the malware interfaces with a botnet that Symantec has dubbed "Android.Bmaster." That botnet appears to have active connections with about 11,000 Android devices, and is likely generating daily revenue between $1,600 and $9,000 for its controller, or botmaster.


RootSmart is designed to escape detection by using the package name "com.google.android.smart," chosen to pass for a settings app included by default with Android. The malware can gain root access on phones running versions of Android Gingerbread before 2.3.4, or Android 3.0, and can "phone home" to a command-and-control (C&C) server for instructions. More than half of all Android smartphones are now running some version of Gingerbread.
When first installed, RootSmart lies dormant, waiting for some type of trigger, such as an outgoing phone call. Once triggered, however, "RootSmart will connect to its C&C server with various information collected from the phone," said Xuxian Jiang, a computer science professor at North Carolina State University, in a blog post. "Our analysis shows that the collected information includes the Android OS version number, the device IMEI number, as well as the package name." To make it more difficult for security vendors to block the software, it also obfuscates the URL of the C&C server that it contacts.
After RootSmart phones home, it then downloads exploit code known as GingerBreak from the server, and uses it "to obtain root privilege on infected phones," said Jiang. Next, RootSmart attempts to download additional malicious applications--including malware known as DroidLive--which it installs in the device's system partition. "It's worth mentioning that if RootSmart fails to obtain the root privilege, it will still attempt to install the downloaded apps," said Jiang. "However in this case, it cannot install the apps silently. Instead, a pop-up window will be shown for [the] user's approval."
"Due to the fact that RootSmart utilizes the GingerBreak root exploit and can be remotely controlled, we believe it poses serious threats to mobile users," said Jiang.
What's RootSmart's purpose? Like so many types of malware, it's designed to earn money for its botmaster. According to Symantec, it pursues that goal by primarily targeting users of two Chinese mobile phone carriers. "For example, an infected device can be configured to send messages to a particular premium SMS number at a specific rate (three a day, for instance) for a certain number of days," said Cathal Mullaney, a security response engineer at Symantec, in a blog post. "Devices connecting to premium video or telephony services can also be configured for how long they should connect to a premium phone number or pay-per-view website." The malware can be set to block incoming emails containing specified keywords, which attackers could use to try and prevent mobile subscribers from receiving "unusual activity" alerts from their carrier.
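Both the Stiniter post above and Symantec's description here come down to the same billing pattern: a short code messaged on a schedule ("three a day, for instance") for a number of days, with the carrier's replies suppressed. That schedule is also what gives the fraud away in outbound SMS records. The detector below is an added example, not code from Symantec or from Jiang's analysis; the log lines it reads are constructed (the short codes, numbers and message bodies are invented), and a real feed would be the device's SMS content provider or carrier call-detail records. It flags short-code destinations that are messaged at a billing-like daily rate or at machine-regular intervals, and leaves a one-off balance query to a short code alone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed outbound-SMS log lines: timestamp, direction, destination, body.
SAMPLE_LOG = """\
2012-02-06 08:00:03 OUT +15551234567 "see you at 6"
2012-02-06 09:00:00 OUT 10626 "YD8"
2012-02-06 17:00:01 OUT 10626 "YD8"
2012-02-06 22:15:40 OUT +15559876543 "call me"
2012-02-07 01:00:02 OUT 10626 "YD8"
2012-02-07 09:00:00 OUT 10626 "YD8"
2012-02-07 12:30:10 OUT 5505 "BAL"
2012-02-07 17:00:00 OUT 10626 "YD8"
2012-02-08 01:00:01 OUT 10626 "YD8"
"""

LINE = re.compile(r'^(\S+ \S+) (OUT|IN) (\S+) "(.*)"$')
RATE_PER_DAY = 3       # the "three a day" schedule quoted from Symantec
MIN_FOR_CADENCE = 4    # need a few intervals before calling them regular
JITTER = 1.2           # max/min interval ratio still considered machine-regular


def is_short_code(number: str) -> bool:
    # Premium services are typically short codes, not full subscriber numbers.
    return re.fullmatch(r"\d{4,6}", number) is not None


def parse_log(text: str):
    """Return [(datetime, destination, body)] for outbound messages."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, direction, dest, body = m.groups()
        if direction == "OUT":
            out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dest, body))
    return out


def find_premium_abuse(messages):
    """Return {destination: [reasons]} for short-code destinations that are
    messaged at a billing-like rate or with machine-regular spacing."""
    by_dest = defaultdict(list)
    for ts, dest, _body in messages:
        if is_short_code(dest):
            by_dest[dest].append(ts)
    flagged = {}
    for dest, times in by_dest.items():
        times.sort()
        reasons = []
        per_day = defaultdict(int)
        for t in times:
            per_day[t.date()] += 1
        busiest = max(per_day.values())
        if busiest >= RATE_PER_DAY:
            reasons.append(f"rate: {busiest} messages in one day")
        if len(times) >= MIN_FOR_CADENCE:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            # People do not text a short code every N hours to the second; a bot does.
            if min(gaps) > 0 and max(gaps) / min(gaps) <= JITTER:
                reasons.append(f"cadence: {len(gaps)} intervals of ~{int(sum(gaps) / len(gaps))}s")
        if reasons:
            flagged[dest] = reasons
    return flagged


if __name__ == "__main__":
    for dest, why in find_premium_abuse(parse_log(SAMPLE_LOG)).items():
        print(dest, why)
```

On the sample, 10626 is flagged on both counts (three messages on 7 February, and six messages spaced eight hours apart to within a few seconds), while 5505 and the two subscriber numbers are not. The same cadence check applies unchanged to outbound call records for the premium telephony services Symantec mentions.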
How might RootSmart end up on an Android device? The software comes bundled "with a legitimate application for configuring phone settings," said Mullaney. "Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application."
Thankfully, however, the N.C. State researchers found the malware not in the official Android Market, but rather on third-party download sites. Accordingly, Jiang recommended avoiding such download sites whenever possible. But in some countries, including China, access to the official Google Android Market is blocked. Thus it's no surprise that, according to Symantec's study of RootSmart, "the vast majority of infected devices belonged to Chinese customers."
In terms of mitigation strategies, Jiang also recommended keeping a close eye on the permissions being requested by apps, as well as any unusual device behavior, and finally, running mobile security tools to keep devices safe. 

Wednesday, February 8, 2012

Symantec Releases Free Parental Monitoring App for Android



If you worry about your children’s Internet habits, you have to consider their mobile Internet habits as well.
Fortunately Symantec has just released a free mobile parental control app for Android called Norton Safety Minder, which you can download from the Android Market. It's free to use after you sign up for a Norton Online Family account, a free parental control suite for desktops.
Norton Safety Minder lets parents openly track and block websites their children access on an Android device, similar to McAfee Family Protection. It does so by attaching itself to the default browser in their child's mobile device and blocking sites based on an age category or customized list. Your child will not be able to use any other browser.
The app also lets parents see their child's entire search history and a list of attempted visits to websites, which McAfee Family Protection does not offer.
The app offers more features for Norton Online Family Premier holders ($49.99/year or $29.99/year for the first year, direct). Premier members can also see whom their children text or MMS, plus the contents of these conversations, which sit in Symantec's servers for up to 90 days. From the Web-based control panel parents can create a white-list of approved contacts and a black-list of people to block.
The Premier version also includes app monitoring so parents can see what apps their kids have installed and uninstalled. This report includes a time stamp and a description of each app.
Norton Safety Minder isn't a stealth monitoring app like SpectorSoft's eBlaster Mobile, which performs similar monitoring functions but is virtually undetectable on the child's device.
Norton Safety Minder only works on Android 2.2 and 2.3 devices for now. Symantec also offers Norton Online Family To Go, a similar mobile monitoring app for iOS users.

Tuesday, February 7, 2012

New Android malware downloads malicious code days after installed, could go undetected by Google’s Bouncer




A North Carolina State University professor has discovered a new type of malware that could evade Google's malware-detecting Bouncer service. The malware, called RootSmart, ships without its malicious payload and fetches it later, so a scanner that inspects the app at submission time sees nothing to flag; once on the device it uses a privilege escalation exploit to gain root.
When an app carrying RootSmart is first installed, it contains no exploit code, so it looks harmless and passes scans that would otherwise reveal its intent. Only after it has been installed for hours (or days) does it download new code from remote servers to carry out its malicious purpose.
The code it downloads is the well-known GingerBreak exploit, used to root many devices running Android 2.3 through 3.0. With root obtained through GingerBreak, the attacker can call paid numbers, read data, listen through the microphone, and silently install other apps on the device.
Although this new type of malware was found, it was not found on Google’s Android Market. Instead, it was found on a Chinese app download website. However, this method of delaying malicious code from appearing on an app could make it possible for malicious apps to make their way to the Android Market.
Last week, Google announced a service called Bouncer that scans all Android Market apps for malware, trojans, and viruses. Besides static scanning, Bouncer also runs apps in an emulator, so it can catch an app that misbehaves during that run; an app that stays dormant for hours or days before downloading its payload, as RootSmart does, shows nothing malicious in that window.

Monday, February 6, 2012

Symantec warns of Android Trojans that mutate with every download

A new Android Trojan employs server-side polymorphism to generate unique variants

Researchers from security vendor Symantec have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it gets downloaded in order to bypass antivirus detection.
This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it.
A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. This is different from local polymorphism where the malware modifies its own code every time it gets executed.
Symantec has identified multiple variants of this Trojan horse, which it detects as Android.Opfake, and all of them are distributed from Russian websites. However, the malware contains instructions to automatically send SMS messages to premium-rate numbers from a large number of European and former Soviet Union countries.
In some cases, especially when security products rely heavily on static signatures, detecting malware threats that make use of server-side polymorphism can be difficult.
"As with malware that affects traditional computing devices, the level of sophistication of the polymorphism used can affect how easy or difficult the threat is to detect," said Vikram Thakur, the principal security response manager at Symantec. "More complicated polymorphism requires more intelligent countermeasures."
In the case of Android.Opfake the level of polymorphism is not very high, as only some of the Trojan's data files are being modified by the distribution server.
"If antivirus vendors place their detection on the executable and non-changing sections, all files would be successfully detected," said Tim Armstrong, malware researcher at Kaspersky Lab. However, if the Trojan's executable code were also polymorphic, the challenge of detecting it would be more difficult, he said.
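Armstrong's point is easy to show with two downloads of the same Trojan: if the server only rewrites data files, the whole-file hash changes on every download but a hash of the unchanged classes.dex does not. The script below is an added illustration, not Symantec's or Kaspersky's tooling, and it works on constructed APK-shaped zips (the "classes.dex" bytes and the mutated data file are stand-ins, not real Opfake samples). It builds two downloads that differ only in a data member, shows that a signature placed on the executable section hits both, and then builds a third download with recompiled code to show where that signature stops working.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins: a fixed "classes.dex" for the Trojan's unchanging code and
# a data file the distribution server rewrites on every download.
DEX_A = b"dex\n035\x00" + b"premium-sms-trojan-code-v1"
DEX_B = b"dex\n035\x00" + b"premium-sms-trojan-code-v2"   # a genuinely recompiled variant


def build_apk(data_blob: bytes, dex: bytes = DEX_A) -> bytes:
    """Assemble an APK-shaped zip with fixed timestamps so that any difference in
    the whole-file hash comes from the members, not from zip metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in (("AndroidManifest.xml", b"<manifest/>"),
                              ("classes.dex", dex),
                              ("res/raw/config.dat", data_blob)):
            info = zipfile.ZipInfo(name, date_time=(2012, 2, 6, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, payload)
    return buf.getvalue()


def whole_file_hash(apk: bytes) -> str:
    """What a naive file-hash blocklist keys on."""
    return hashlib.sha256(apk).hexdigest()


def section_hash(apk: bytes, member: str = "classes.dex") -> str:
    """Hash of one member only; for classes.dex, this is the executable section."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha256(z.read(member)).hexdigest()


def matches(apk: bytes, known_dex_hash: str) -> bool:
    """Signature placed on the executable, non-changing section, as Armstrong suggests."""
    return section_hash(apk) == known_dex_hash


if __name__ == "__main__":
    download_1 = build_apk(b"serial=0001;mutated-strings-A")
    download_2 = build_apk(b"serial=0002;mutated-strings-B")
    sig = section_hash(download_1)
    print("whole-file hashes equal:", whole_file_hash(download_1) == whole_file_hash(download_2))
    print("classes.dex signature hits both:", matches(download_1, sig), matches(download_2, sig))
    recompiled = build_apk(b"serial=0003", dex=DEX_B)
    print("signature hits recompiled code:", matches(recompiled, sig))
```

A whole-file hash is defeated by a one-byte change to a resource; a signature on classes.dex survives that but not a rebuilt dex, which is the "more complicated polymorphism" that would force vendors toward structural or behavioural detection.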
According to Armstrong, server-side polymorphism is not very widespread on the Android platform at the moment because most users get their apps through official channels and the current structure of the Android Market does not allow for a malware distribution scheme like this one.
However, he agrees that polymorphic Android malware could force antivirus vendors to step up their game in the future. "I think many of the features that are currently available on traditional platforms will start to arrive on these mobile platforms out of necessity as the criminals change their attack methods," Armstrong said.
There have been many new developments on the mobile threat landscape recently and increasing their attention towards smartphones is a logical move for malware writers, because they usually go where the money is, said Jamz Yaneza, research manager at antivirus company Trend Micro.
Users should become more aware of this fact and the capabilities of their mobile devices, which are now similar to those of mobile PCs, Yaneza said. "They should treat app downloads with the same caution as they do on desktops," and install or make use of whatever security add-ons they can as this creates another protective layer. 

Powered by Blogger.