New Android malware should be wake-up call for security admins

Takeaway: Security firm Kaspersky reported on a new malware threat that it calls the most sophisticated it has seen in targeting Android phones

IT pros in the enterprise rely on a wide array of tools needed to keep users secure: firewalls, intrusion detection systems, centralized software updates, anti-malware definition updates, policy statements, and so on. But when it comes to mobile security, quite often many businesses do not hold the same strict policies as they do for desktops, despite the clear evidences that smartphones are now just as powerful as a full computer, and bad guys are out there targeting them.
 
Just last week, security firm Kaspersky published a report about the most complex Android malware they have found so far. In many ways, it mimics what a modern desktop worm would have to do to infect computers. The first surprising finding is how many unknown vulnerabilities that this single malware was exploiting. Typically, most worms and viruses are created to exploit a single security
hole. As soon as a Java or Flash exploit is found, for example, hackers go out and create code that can take advantage of it, and then try to get as many people as possible before a fix happens. But the serious desktop threats are those pieces of malware which are sophisticated enough to use many paths of entry, and complex enough to remain undetected via multiple means of stealth. This is what this particular malware is doing.

Backdoor intruder

Nicknamed Backdoor.AndroidOS.Obad.a, this malware used a hole in the code packing system to create an executable that should be found invalid, but still gets processed on an Android smartphone, by planting deliberate errors in the AndroidManifest file. Once there, it can get elevated to the Device Administrator status, but using a security hole in Android, it will not get listed in the apps listing, making it impossible to remove. And the complexity doesn’t stop there. The malware uses a lot of encryption to keep all of its variable names secret, and it will go out through a network connection, downloading a part of the Facebook home page, and use that as its encryption key, to ensure it is truly online and able to connect to its control servers.
 
Once it has set itself deep in your phone, it starts receiving commands from the command and control system to update itself, download more malware, and start sending expensive SMS messages to foreign numbers. All of this means that it was hard to find, hard to analyze, and could be modified on the fly to thwart attempts to remove it. In this particular case, right now the infection rate is still very low, with most victims being in Russia. Mobile antivirus software are also being modified to detect it. But the fact remains that this sort of complex malware was not seen before on mobile phones, only on desktops. It proves that smartphones have become a big enough target for even the most sophisticated criminals to go after them.

Be more aggressive on the mobile front

The problem with all of this is that according to a recent report, 63% of businesses do not manage corporate information on devices. With the latest BYOD trend, people are being allowed to bring their own devices, which may be compromised, into the office without any check or balance. 67% of respondents say that employees have personal devices at work that connect to their corporate networks, and 79% said they have had some type of mobile security incident in the past.
 
Fortunately, the lessons of the desktop have been learned by modern mobile platforms. All of the popular devices including iOS, Windows Phone, BlackBerry, and Android have a much higher security threshold from the get go. Apps are sandboxed against each other, the user does not run with administrator privilege by default, and a centralized store system means that apps can be killed remotely, and devices wiped. Still, what else can you do as an IT pro to make sure your employees’ devices are safe? First, make sure you have some kind of centralized management. You can use Microsoft ActiveSync to control what goes on these devices, and there are many popular third party tools like Citix’s XenMobile.
 
Using these tools, you can ensure encryption is used, you can control which apps your employees can download and use, and you can block rooted or jailbroken devices from infecting your network. You can also use one of the many anti-malware solutions available on the various app stores, and just recently Malwarebytes said they would be releasing an Android version of their popular software
by the end of the year. Overall, the security situation for mobile devices is much better than it is on the desktop, but that doesn’t mean you should leave yourself completely open to problems, and just as desktop malware evolved into more and more sophisticated threats, mobile malware is sure to go the same way.
 
~ Patrick Lambert 

Related Posts