Android drive-by download attack via phishing SMS


Summary: A new security start-up focused on helping businesses deal with targeted attacks plans to showcase a drive-by download that plants malware silently on Android smart phones.

A new security start-up focused on helping high-profile businesses deal with targeted attacks and advanced persistent threats (APTs) plans to showcase a drive-by download that plants malware silently on Android smart phones.

CrowdStrike, which emerged from stealth mode last week with $26 million in funding, says the attack is delivered via spear-phishing SMS messages that lure users to a link that exploits a WebKit zero-day vulnerability.

CrowdStrike's Dmitri Alperovitch told the LA Times that this attack scenario has already been spotted in the wild:

Alperovitch said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool emanating from China that was identified last year by virus firms as a so-called Trojan Horse. The malware was disguised as a Google+ app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users were hit.

Alperovitch and his team reverse engineered the malware, he said, and took control of it. He then conducted an experiment in which malware was delivered through a classic "spear phishing" attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies.

"The minute you go the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."

The malware also intercepts texts and emails and tracks the phone's location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects.

CrowdStrike, which is headed by former McAfee executives, plans to present technical details of this issue at the RSA Conference, which takes place this week in San Francisco.


Topics: Security, Malware, Mobility


Talkback

22 comments
  • Software doesn't install itself on Android, unlike Windows drive-bys can do

    nt
    Dietrich T. Schmitz *Your
    • Wait a minute with every OEM trying to make more than

      the Android Price War allows per unit sale (i.e., razor-thin margins per device), they are each messing with Android as they are allowed to do by Google. So even "IF" Android, unadjusted or altered by Google, won't allow said attack, can any consumer be certain that the altered Android they get from any given OEM and/or carrier is safe from this kind of thing?

      Pagan jim
      James Quinn
      • Jim, regardless of which OEM, from the Market, side-load, it works the same

        The end-user receives several prompts before any software installation occurs with Android.
        On the other hand, one can get infected visiting a legitimate website 'silently' with no prompts by Windows (dll injection). I know. I support it. Drive-by attacks are a chronic Windows problem.

        'Drive-by' term shouldn't be used with Android because of the above.
        Dietrich T. Schmitz *Your
      • LOL

        Dietrich T. Schmitz wrote:
        [i]one can get infected visiting a legitimate website 'silently' with no prompts by Windows (dll injection). I know. I support it. Drive-by attacks are a chronic Windows problem.[/i]

        Sounds like your support isn't quite up to the task. Create limited or standard user accounts for your users and don't give them local admin credentials. Set up application and DLL whitelisting for your users with either Software Restriction Policy (via gpedit.msc) or AppLocker. Finally, keep your users' OS and application software up-to-date. If you need more, use Group Policy to tighten things even further.

        Perhaps if you spent less time trolling at ZDNet, you might have more time to learn the basics of Windows system administration and adequately protect your users.
        Rabid Howler Monkey
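The controls the comment above lists (no local admin for daily use, SRP or AppLocker whitelisting, patching kept current) can be audited read-only from PowerShell. This is an added example, not code from the article or any commenter; it assumes Windows 7/Server 2008 R2 or later with the AppLocker module present, and the SRP registry key and DefaultLevel values are the standard ones under HKLM\SOFTWARE\Policies.

```powershell
# Added example: read-only posture check for the three hardening points above.
# Assumes the AppLocker PowerShell module is available (Windows 7+ / 2008 R2+).

function Test-IsLocalAdmin {
    # First point: the interactive token should NOT carry the Administrators SID.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpDefaultLevel {
    # Software Restriction Policy stores its default rule here.
    # DefaultLevel: 262144 = Unrestricted, 131072 = Basic User, 0 = Disallowed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return 'not configured' }
    $level = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    switch ($level) {
        262144  { 'Unrestricted (allow-by-default; whitelisting not in effect)' }
        131072  { 'Basic User' }
        0       { 'Disallowed (deny-by-default whitelist mode)' }
        default { 'not configured' }
    }
}

function Get-AppLockerSummary {
    # Effective policy = local policy merged with domain GPO. EnforcementMode
    # distinguishes real enforcement from AuditOnly (logs but still runs).
    Import-Module AppLocker -ErrorAction SilentlyContinue
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return @() }
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection  = $rc.RuleCollectionType   # Exe, Dll, Msi, Script, ...
            Enforcement = $rc.EnforcementMode
            RuleCount   = @($rc).Count
        }
    }
}

function Get-UpdateServiceState {
    # Third point: the Windows Update service must not be disabled.
    Get-WmiObject Win32_Service -Filter "Name='wuauserv'" |
        Select-Object Name, State, StartMode
}

"Running as local admin : $(Test-IsLocalAdmin)"   # expect False for a standard user
"SRP default level      : $(Get-SrpDefaultLevel)"
Get-AppLockerSummary | Format-Table -AutoSize       # empty table = no AppLocker rules at all
Get-UpdateServiceState | Format-Table -AutoSize
```

Note that an empty AppLocker table together with an Unrestricted SRP level means neither whitelisting mechanism is active, which is the "allow anything" state the comment argues against.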
        • You think that is going to stop privilege escalation?

          Now that is funny.
          The only thing that stops privilege escalation certifiably is Linux with LSM sandboxing.
          With Windows, there is no fool-proof way to stop a DLL injection from making a system kernel call, because Windows kernel does not police 'itself'.

          The key differentiator with Linux is that LSM does police the actions of the kernel.

          A mind is a terrible thing to waste. :/
          Dietrich T. Schmitz *Your
      • Privilege escalation isn't limited to Windows

        Dietrich T. Schmitz wrote:
        [i]The only thing that stops privilege escalation certifiably is Linux with LSM sandboxing.[/i]

        Is SELinux a Linux security module? See The Invisible Things Lab's blog for the August, 2010, article entitled, "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit". Hmmm, a user to root escalation. :/

        Linux security modules provide good defense-in-depth. However, your statement is hilarious.

        Also, with regard to Windows and dll injection, search for this article, "Integrity Levels and DLL Injection", and read it. It's done by a well-known security researcher. Internet Explorer, by default, runs as a low integrity level process on Vista and 7 (it's called protected mode). As does Microsoft Office 2010 (it's called protected view). While integrity levels provide good defense-in-depth on Windows, like LSM does on Linux, they are not invincible.
        Rabid Howler Monkey
        • You can't argue the facts?

          LSM doesn't solve privilege escalation. It just stops it when used to profile any app.
          So, system kernel calls get blocked also.
          Windows kernel doesn't have a mechanism to police itself. You won't address that.
          Which is why Zero Day Blog exists and thrives on Groundhog Day stories.
          Same situation, different day.
          You simply don't know what you are talking about.
          Put up a citation if you do.

          This story is pure unadulterated fiction unless supported by proof. None exists, so Ryan should qualify with 'alleged' to play fair.
          Dietrich T. Schmitz *Your
      • You won't face the facts

        Dietrich T. Schmitz wrote:
        [i]LSM doesn't solve privilege escalation. It just stops it when used to profile any app.[/i]

        The Linux kernel vulnerability in the ITL blog article I referenced allows privilege escalation through a vulnerable app (e.g., a PDF Reader opening a malformed PDF file) that is "protected" by SELinux. Newsflash!! SELinux is an LSM (AppArmor isn't the only one).

        [i]Windows kernel doesn't have a mechanism to police itself. You won't address that.[/i]

        I'm not the one saying that operating system x (Windows in my case) is bulletproof. One only needs to reflect on Pwn2Own, Stuxnet and Duqu to know that. You're overrating the policing in Linux. Running an app protected by LSM in Linux isn't bulletproof either. Read the ITL blog article and look up the enlightenment framework.
        Rabid Howler Monkey
        • You have made an 'empty' assertion that LSM can be compromised.

          Where is your citation [b]link[/b]?
          Curious that you didn't supply one.

          P.S.
          Pwn2Own, intentionally, leaves Linux out of their competition. Why do you suppose that is? Hmmmmm (wink)
          Dietrich T. Schmitz *Your
      • Nope

        ZDNet's security blog is notorious for not allowing links to be posted in comments (I've given up). Here are the relevant details (again): The Invisible Things Lab's blog for the August, 2010, article entitled, "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit". Use your favorite search engine. Or not. Ditto for the enlightenment framework (it's an exploit for Linux) created by the grsecurity developer.

        As for Pwn2Own, desktop Linux, specifically Ubuntu, was represented for 1 or 2 years. However, the contestants showed very little interest in the platform. Charlie Miller, in an interview, made the trollish comment that (I'm paraphrasing) 'my grandmother doesn't use it'. It certainly wasn't related to LSM as the AppArmor profile for Firefox is disabled by default in Ubuntu. That said, I really wish that they would bring it back.
        Rabid Howler Monkey
        • Liar Liar

          Pants on fire.

          Here is a link:
          h-t-t-p://google.com

          You've got nothing unless you can put up a link to a citation on your claim.
          Dietrich T. Schmitz *Your
      • Agreed.

        @Rabid Howler Monkey

        > Sounds like your support isn't quite up to the task.

        I very much agree with this. We're a Windows shop -- 5 businesses including 2 Internet based. Ever since the first month after taking over 2 years ago (when I had to do a lot of cleanup because the previous self-proclaimed expert was clueless), not one infection. My routine maintenance is only approving updates, reviewing logs, and replacements, installations, or upgrades where needed -- usually 1 to 16 hours/month. The rest of my time is spent developing software.
        I like coffee.
      • I'm impressed that you can find Google

        @Dietrich T. Schmitz * Your Linux Advocate Perhaps there's hope for you after all. Here are the search queries that you can copy and paste into Google search (don't forget to hit the 'Enter' key):

        o "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit"
        o "Integrity Levels and DLL Injection"
        o "enlightenment framework" grsecurity

        Happy reading. :)
        Rabid Howler Monkey
    • According to the article, it does

      Perhaps you missed these important lines in the article:
      [i]Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware.[/i]

      or

      [i]"The minute you go the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."[/i]

      But you keep fooling yourself into thinking you are safe and live with that false sense of security.
      Loverock Davidson-
      • The story is 'sketchy' at best and there is no documentation for an exploit

        furnished. It's someone saying they exploited Android's browser with a 'Drive-by' method of attack.

        The assumption is that the story is true, but there is zero substantiation.
        No links, other than to a 'Blogger' CrowdStrike web site where there's nothing but a twitter reference that the purported exploit will be demoed on February 29.

        This is a former CTO of McAfee trying to 'vault' his own career with 'fluff'.

        This is a non-story.
        Dietrich T. Schmitz *Your
  • Android drive-by download attack via phishing SMS

    Another day, another Android malware story shows up. It's almost predictable now. I was told this simply could not happen on Linux based devices but we have proof that it does. Let's see how long it takes Google to fix these issues, assuming they do at all.
    Loverock Davidson-
    • Have more DayQuil.

      nt
      Dietrich T. Schmitz *Your
  • Ryan. Since there is NO substantiation for the drive-by claim

    Might it be advised for you to prefix the title with: 'Alleged'?

    Yes Ryan?
    Dietrich T. Schmitz *Your
  • ANY operating system can be hijacked

    Okay boys and girls... stop fighting. I will say this once! ANY operating system can and will be hijacked if the need arises. They are all written by and maintained by humans, and humans make mistakes. The only reason Windows gets hacked so often is it is on 90 percent of computers. It is profitable to write exploit code for that platform. As more and more turn to Android it too becomes a target. Why then is it that Mac and iPhone are less targeted? They are in lesser number worldwide so why write code to exploit 10%?? They do not want to waste their time. I know, you say iPhone is safer, and it is part true, but its defenses for malware are less than that of Android. Again, worldwide, Android has more appeal to a hacker as there are more using it (easy money). So, the moral of the story is... if you have something or some information someone wants, they WILL get it. Stop saying this one is safer. If you do you are seriously missing the point here. ANYTHING is hackable, and easily I might add! I started out in the Internet's early days as an Internet Service Provider, and today I still learn from it. Remember... you are never too old to learn :-) Keep the faith and keep learning the right things, not how to destroy your neighbor! -Al
    athiel1
    • ANY operating system can be hijacked...?

      Once again, we see the same tired deceptions being spewed...

      "ANY operating system can be..." hacked. So... ALL operating systems are equal.

      NON-SENSE. anyone that expounds this tripe is either wholly ignorant of this subject, or they are intentionally spreading, seriously debunked, deceptions and propaganda (as is, anyone that parrots the perennial deception that "Windows" is only compromised so often because it's more "popular").

      Well... first, the absolute non-sequitur, fallacy, that -any-, alleged, security-issue in -any- operating system (other than "Windows") somehow demonstrates that -all- other OSes are just as insecure as "MS-Windows"... That is a complete logical fallacy. You might just as well claim that, since, "any" automobile can be in a crash... "ALL" cars are as equally "unsafe" ...as the most bug-ridden, cheap, death-trap, ever sold. Clearly such a claim is nothing more than desperate SPIN. Overall quality, demonstrated-security, and testable-experience, are -not- a true/false (yes/no) proposition. And trying to portray them [relative security], as such, indicates either pedantic-ignorance, or outright-deception.

      And, then there is the even more ridiculous and well-proven, out-and-out, lie that "Windows" has more security-issues, simply because it is more "popular". Sorry, sweeties, but "popularity" does -not- cause the spontaneous-generation of overwhelming numbers of, well-documented, security-flaws and holes. Here are some axiomatic facts that everyone needs to understand... wishful-thinking, and engineering, are -not- the same thing. And, security and quality, are not -magic-. They are measurable, and objective.

      Finally, there is also the real issue that... once again... this "security" warning about "Android" seems full of the usual alarmist-hyperbole, and seriously short on the basic understanding... that the "user" -must-, once again, apparently, actively act to install "malware" on their own device... BEFORE... the device's security is actually breached ...unlike ...sadly -every- version of "Windows", since Windows-95.
      Gayle Edwards