FBI: Android Owners Beware!

Jaan is a member of The Motley Fool Blog Network -- entries represent the personal opinion of the blogger and are not formally edited.

On October 12, the FBI's Internet Crime Complaint Center (IC3) issued an "Intelligence Note" titled Smartphone Users Should Be Aware Of Malware Targeting Mobile Devices And Safety Measures To Help Avoid Compromise. It begins:

The IC3 has been made aware of various malware attacking Android operating systems for mobile devices… The malicious application steals contact details from the user's address book and the infected device's phone number.

Android is the popular mobile device operating system controlled by Google (NASDAQ: GOOG). The note makes no reference at all to iOS - the operating system of Apple's (NASDAQ: AAPL) iPhone.

According to the IC3 website:

The IC3 was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C)…

The IC3's mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations.

The current note goes on to briefly feature two specific malware systems: Loozfon and FinFisher. It should be noted from the start that these or similar systems can be embedded in a variety of apps, so there are not just one or two Android apps that can be singled out and eliminated. Malware can even be embedded into phony updates for legitimate apps.

Loozfon

Security firm Symantec (NASDAQ: SYMC) gives details regarding this Trojan Horse:

  • Updated: August 20, 2012 7:17:06 AM
  • Type: Trojan
  • Systems Affected: Android
  • Permissions
    When the Trojan is being installed, it requests permissions to perform the following actions:
      • Initiate a phone call without using the Phone UI or requiring confirmation from the user.
      • Open network connections.
      • Check the phone's current state.
      • Read user's contacts data.
      • Access information about networks.

[abbreviated]

When executed, the app displays a message, collects some of your personal data, and sends this to a server.

Interestingly, Symantec on another page notes that Loozfon Malware Targets Female Android Users. (In this case, specifically Japanese women.)

 

When it comes to targeting the sexes, generally malware has targeted men by enticing them to view videos or pictures of sexual content - Android malware is no different. For instance, Android.Oneclickfraud attempts to coerce a user into paying for a pornographic service and certain Android.Opfake variants are designed to allow users to view adult videos, but secretly send SMS texts to premium-rate numbers in the background. Recently, however, Symantec discovered Android.Loozfon, a rare example of malware that targets female Android users.

Its appeal is to those wanting to make money by working from home. When the victim views a website on this subject and clicks a particular link, the malware is downloaded. The attackers also send spam offering to introduce women to wealthy men.

FinFisher

FinSpy is a field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries.

That is according to a brochure exposed by the controversial group WikiLeaks. While this software package is designed to be used by law enforcement or government spy agencies (it has been used by oppressive regimes to spy on dissidents), it can also be used by cyber-criminals to infect phones, and it can gather a frightening amount of data, including by turning on the microphone. Again, the method of injection is most likely to be malicious web links, downloadable software or phony operating system updates.

According to the IC3 report:

FinFisher is a spyware capable of taking over the components of a mobile device. When installed the mobile device can be remotely controlled and monitored no matter where the Target is located. FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.

And finally:

Loozfon and FinFisher are just two examples of malware used by criminals to lure users into compromising their devices.

What about iPhone?

Many iPhone detractors decry Apple's "walled garden" app store model, where all apps must be approved by Apple. "I don't want someone telling me what apps I can put on my cell phone" is a frequent comment on blogs. This ignores the fact that the overwhelming majority of apps are approved without problem. More importantly, it ignores the fact that one of the most important purposes of this approach (which it seems has also been adopted by Microsoft (NASDAQ: MSFT) for their Windows Mobile OS) is precisely the protection from malware.

While it is true that no system is completely safe and that there are other avenues of attack, the fact remains that on an iPhone or iPad you simply cannot download a program from a website at all, and you cannot be hoodwinked into installing a bogus iOS update, because these operations MUST be done - can only be done - via the iTunes App Store.

Android's "Open" approach allows you to download and install software from any source. There have been cases in which normally benign apps have been hacked and offered on secondary sites. One thing you can do is to get all your apps from trusted markets such as Google's official App Market or Amazon's, where they do more serious vetting of the apps, although this is not necessarily foolproof either. (See this article for example.)

Recommendations

The IC3 note provides some recommendations for smartphone users (see full note at this link). I have selected the ones I find most important. Many apply to the iPhone as well as Android and Windows phone. [note: all bold below is added by the author]

  • When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
  • With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
  • Review and understand the permissions you are giving when you download applications.
  • Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware. [Author note: Especially for Android]
  • Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
  • Avoid clicking on or otherwise downloading software or links from unknown sources.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.

To me the third item is the most important, and is applicable to iPhones as much as the rest. Even "legitimate" apps may be asking for permissions that you do not want to give. If the app has nothing to do with location, then why does it ask your permission to access your location? What about access to your address book? Just because an app is not doing anything malicious does not mean it is not overly intrusive! Remember:

  • These permissions were developed to help protect your privacy as well as your security. It is YOUR responsibility to use them wisely.

Most likely you spent a fair amount of time finding and downloading your app. Take just a single minute (or less) and pay attention when you first run it and think about the permissions it requests.

(BTW - this is precisely why I almost never approve Facebook apps. They always seem to be asking for more privileges than I think necessary!)
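The permission review recommended above can also be done mechanically on an app's manifest once it has been decoded to plain XML. This is an added example, not code from the IC3 note or from Symantec; the mapping of the Symantec descriptions to Android permission names, the package name and the `needed` set are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that read personal data (short illustrative list, not exhaustive).
READS_DATA = {
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_PHONE_STATE": "read phone number and call state",
    "android.permission.ACCESS_FINE_LOCATION": "read precise location",
    "android.permission.RECORD_AUDIO": "use the microphone",
}
# Permissions that can move data off the device or run up charges.
SENDS_OUT = {
    "android.permission.INTERNET": "open network connections",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "place calls without confirmation",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml, needed=()):
    """Flag sensitive permissions that the app's stated purpose does not explain."""
    perms = requested_permissions(manifest_xml)
    known = {**READS_DATA, **SENDS_OUT}
    extra = perms - set(needed)
    return {
        "unexplained": {p: known[p] for p in sorted(extra) if p in known},
        # Reading personal data AND having a way to send it is the risky pairing.
        "can_leak": bool(perms & set(READS_DATA)) and bool(perms & set(SENDS_OUT)),
    }

# Constructed sample: the five permissions in the Symantec list (assumed name mapping).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(review(SAMPLE, needed={"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}))
```

For an app that only needs to show web content, the sample leaves the call, contacts and phone-state permissions unexplained, which is the question the permission prompt is asking you to answer before you tap "accept".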

Implications for Google

It remains to be seen whether or not this will have any serious impact on Google, but there are potentially long-term ramifications.

Google gets its revenue (almost all of its $43 billion (ttm)) from advertising. The whole point of the Android Operating System is to drive advertising their way. The whole ecosystem of the OS is geared towards doing this. If Android develops a reputation for being less secure than its competitors, then this could adversely affect sales and the revenue driven to Google. This is even more true now due to two factors:

  1. Apple is developing alternatives to Google supplied technology with both Siri and Maps taking a lot of search traffic away.
  2. Windows Phone 8 is expected to provide the first serious contender for an alternative mobile OS to iOS and Android.

It should be noted that Microsoft has its own search engine, Bing, that will be standard on the Win8 platforms, further cutting Google’s exposure.

It is, of course, the enterprise where security is the highest issue. Here, Android smartphones have grown to about 35% share, but for tablets they have a mere 6% (tabtimes). If security is seen as a real issue, and with Win8 coming as an alternative to iOS, there could be a very serious reduction of the market share for Android.

Remember, we are not talking simply of just two specific apps. If there ever comes a program that both spreads widely and seriously takes advantage of users, then Android could be seriously damaged in both the enterprise and the consumer realms.

Conclusion

You would not walk in a bad part of town at midnight with $100 bills hanging out of your pockets. You should not do the same with your smartphone. It is important to take precautions when buying apps and approving services for those apps no matter what mobile device you own. That said, there definitely is a higher level of security in iOS than in Android.

Google is at the top of mobile ad revenue list with a projected gross revenue of over $3.5 billion in 2014 according to eMarketer. This news leaves us with an important question to think about. Will a shift in the landscape be sufficient to put a serious dent in this?

=====

Malcolm Manness has a Masters degree in Computer Science, and worked for 14 years in development, technical publications and software quality assurance. He has been investing for 20 years. Currently, he does writing, and FileMaker Pro programming on contract.

His short fiction can be found (under pseudonym J. Seunnasepp) at http://50centflash.com/.

 


 

JaanS owns shares of Apple. The Motley Fool owns shares of Apple, Google, and Microsoft. Motley Fool newsletter services recommend Apple and Google. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors.
