Android drive-by download attack via phishing SMS
Summary: A new security start-up focused on helping businesses deal with targeted attacks plans to showcase a drive-by download that plants malware silently on Android smart phones.
A new security start-up focused on helping high-profile businesses deal with targeted attacks and advanced persistent threats (APTs) plans to showcase a drive-by download that plants malware silently on Android smart phones.
CrowdStrike, which emerged from stealth mode last week with $26 million in funding, says the attack is delivered via spear-phishing SMS messages that lure users to a link that exploits a WebKit zero-day vulnerability.
CrowdStrike's Dmitri Alperovitch told the LA Times that this attack scenario has already been spotted in the wild:
Alperovitch said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool emanating from China that was identified last year by virus firms as a so-called Trojan Horse. The malware was disguised as a Google+ app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users were hit.
Alperovitch and his team reverse engineered the malware, he said, and took control of it. He then conducted an experiment in which malware was delivered through a classic "spear phishing" attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies.
"The minute you go to the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."
The malware also intercepts texts and emails and tracks the phone's location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects.
CrowdStrike, which is headed by former McAfee executives, plans to present technical details of this issue at the RSA Conference which takes place this week in San Francisco.

Talkback
Software doesn't install itself on Android, unlike Windows drive-bys can do
Wait a minute with every OEM trying to make more than
Pagan jim
Jim, regardless of which OEM, from the Market, side-load, it works the same
On the other hand, one can get infected visiting a legitimate website 'silently' with no prompts by Windows (dll injection). I know. I support it. Drive-by attacks are a chronic Windows problem.
'Drive-by' term shouldn't be used with Android because of the above.
LOL
[i]one can get infected visiting a legitimate website 'silently' with no prompts by Windows (dll injection). I know. I support it. Drive-by attacks are a chronic Windows problem.[/i]
Sounds like your support isn't quite up to the task. Create limited or standard user accounts for your users and don't give them local admin credentials. Setup application and dll whitelisting for your users with either Software Restriction Policy (via gpedit.msc) or App Locker. Finally, keep your users OS and application software up-to-date. If you need more, use Group Policy to tighten things even further.
Perhaps if you spent less time trolling at ZDNet, you might have more time to learn the basics of Windows system administration and adequately protect your users.
You think that is going to stop privilege escalation?
The only thing that stops privilege escalation certifiably is Linux with LSM sandboxing.
With Windows, there is no fool-proof way to stop a DLL injection from making a system kernel call, because Windows kernel does not police 'itself'.
The key differentiator with Linux is that LSM does police the actions of the kernel.
A mind is a terrible thing to waste. :/
Privilege escalation isn't limited to Windows
[i]The only thing that stops privilege escalation certifiably is Linux with LSM sandboxing.[/i]
Is SELinux a Linux security module? See The Invisible Things Lab's blog for the August, 2010, article entitled, "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit". Hmmm, a user to root escalation. :/
Linux security modules provide good defense-in-depth. However, your statement is hilarious.
Also, with regard to Windows and dll injection, search for this article, "Integrity Levels and DLL Injection", and read it. It's done by a well-known security researcher. Internet Explorer, by default, runs as a low integrity level process on Vista and 7 (it's called protected mode). As does Microsoft Office 2010 (it's called protected view). While integrity levels provide good defense-in-depth on Windows, like LSM does on Linux, they are not invincible.
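The controls named in the two comments above (standard rather than admin accounts, application whitelisting via Software Restriction Policy or AppLocker, current patches, and the Windows integrity levels behind Internet Explorer's Protected Mode) can all be checked from an ordinary user session. The following PowerShell script is an added example, not code from the article or from any commenter in this thread. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (for Get-LocalGroupMember) with the built-in AppLocker module present, and it only reports; nothing in it changes configuration.

```powershell
# Added example: read-only audit of the hardening steps the thread describes.
# Assumes Windows PowerShell 5.1+, Windows 10 / Server 2016+ for Get-LocalGroupMember.

function Test-CurrentUserIsAdmin {
    # True when the current token carries the Administrators role. Under UAC an
    # admin-group member in a non-elevated shell gets a filtered token and reports
    # False here; the LocalAdministrators list below covers group membership itself.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CurrentIntegrityLevel {
    # Reads the "Mandatory Label" pseudo-group from whoami. A Protected Mode browser
    # process runs at "Low Mandatory Level", a normal user process at "Medium",
    # an elevated shell at "High".
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
           Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
    return ($row.'Group Name' -replace '^Mandatory Label\\', '')
}

function Get-ApplicationControlStatus {
    # AppLocker: the effective policy as XML has one <RuleCollection> per rule type
    # with an EnforcementMode attribute; the AppIDSvc service must be running for
    # the rules to be enforced at all.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $collections = @()
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
            $collections += [pscustomobject]@{
                Type            = $rc.Type
                EnforcementMode = $rc.EnforcementMode
                RuleCount       = $rc.ChildNodes.Count
            }
        }
    } catch { }  # module missing or no policy: report nothing for AppLocker

    # Software Restriction Policy (the gpedit.msc route): DefaultLevel under
    # Safer\CodeIdentifiers. 0 = Disallowed (whitelist), 0x20000 = Basic User,
    # 0x40000 = Unrestricted (blacklist only).
    $srpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srpLevel = (Get-ItemProperty -Path $srpKey -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $srpLevel) {
        $srpText = 'Not configured'
    } else {
        $srpText = switch ($srpLevel) {
            0       { 'Disallowed (whitelisting)' }
            131072  { 'Basic User' }
            262144  { 'Unrestricted (no whitelisting)' }
            default { "Unknown value $srpLevel" }
        }
    }

    [pscustomobject]@{
        AppLockerServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        AppLockerCollections    = $collections
        SrpDefaultLevel         = $srpText
    }
}

function Get-PatchRecencyDays {
    # Days since the newest hotfix Get-HotFix knows about; a large number means the
    # "keep the OS up to date" step is not happening on this machine.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    return [int]((Get-Date) - $latest.InstalledOn).TotalDays
}

# Report
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
$appControl  = Get-ApplicationControlStatus

[pscustomobject]@{
    CurrentUserIsAdmin      = Test-CurrentUserIsAdmin
    CurrentIntegrityLevel   = Get-CurrentIntegrityLevel
    LocalAdministrators     = ($localAdmins -join ', ')
    AppLockerServiceRunning = $appControl.AppLockerServiceRunning
    AppLockerEnforcement    = ($appControl.AppLockerCollections | ForEach-Object {
                                  "$($_.Type)=$($_.EnforcementMode) ($($_.RuleCount) rules)"
                              }) -join '; '
    SrpDefaultLevel         = $appControl.SrpDefaultLevel
    DaysSinceLastHotfix     = Get-PatchRecencyDays
} | Format-List
```

Run it as the standard user whose protections are in question, not from an elevated prompt: CurrentIntegrityLevel and CurrentUserIsAdmin describe the token the script runs under, so an elevated shell will always show "High Mandatory Level" and True. A result of "Unrestricted" for SRP together with an empty AppLocker enforcement string means no application whitelisting is in effect, which is the state the comment above is arguing against.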
You can't argue the facts?
So, system kernel calls get blocked also.
Windows kernel doesn't have a mechanism to police itself. You won't address that.
Which is why Zero Day Blog exists and thrives on Groundhog Day stories.
Same situation, different day.
You simply don't know what you are talking about.
Put up a citation if you do.
This story is pure unadulterated fiction unless supported by proof. None exists, so Ryan should qualify with 'alleged' to play fair.
You won't face the facts
[i]LSM doesn't solve privilege escalation. It just stops it when used to profile any app.[/i]
The Linux kernel vulnerability in the ITL blog article I referenced allows privilege escalation through a vulnerable app (e.g., a PDF Reader opening a malformed PDF file) that is "protected" by SELinux. Newsflash!! SELinux is a LSM (AppArmor isn't the only one).
[i]Windows kernel doesn't have a mechanism to police itself. You won't address that.[/i]
I'm not the one saying that operating system x (Windows in my case) is bulletproof. One only needs to reflect on Pwn2Own, Stuxnet and Duqu to know that. You're overrating the policing in Linux. Running an app protected by LSM in Linux isn't bulletproof either. Read the ITL blog article and look up the enlightenment framework.
You have made an 'empty' assertion that LSM can be compromised.
Curious that you didn't supply one.
P.S.
Pwn2Own, intentionally, leaves Linux out of their competition. Why do you suppose that is? Hmmmmm (wink)
Nope
As for Pwn2Own, desktop Linux, specifically Ubuntu, was represented for 1 or 2 years. However, the contestants showed very little interest in the platform. Charlie Miller, in an interview, made the trollish comment that (I'm paraphrasing) 'my grandmother doesn't use it'. It certainly wasn't related to LSM as the AppArmor profile for Firefox is disabled by default in Ubuntu. That said, I really wish that they would bring it back.
Liar Liar
Here is a link:
h-t-t-p://google.com
You've got nothing unless you can put up a link to a citation on your claim.
Agreed.
> Sounds like your support isn't quite up to the task.
I very much agree with this. We're a Windows shop -- 5 businesses including 2 Internet based. Ever since after the first month after taking over 2 years ago (when I had to do a lot of cleanup because the previous self-proclaimed expert was clueless), not one infection. My routine maintenance is only approving updates, reviewing logs, and replacements, installations, or upgrades where needed -- usually 1 to 16 hours/month. The rest of my time is spent developing software.
I'm impressed that you can find Google
o "Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit"
o "Integrity Levels and DLL Injection"
o "enlightenment framework" grsecurity
Happy reading. :)
According to the article, it does
[i]Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware.[/i]
or
[i]"The minute you go the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."[/i]
But you keep fooling yourself into thinking you are safe and live with that false sense of security.
The story is 'sketchy' at best and there is no documentation for an exploit
The assumption is that the story is true, but there is zero substantiation.
No links, other than to a 'Blogger' CrowdStrike web site where there's nothing but a twitter reference that the purported exploit will be demoed on February 29.
This is a former CTO of McAfee trying to 'vault' his own career with 'fluff'.
This is a non-story.
Android drive-by download attack via phishing SMS
Have more DayQuil.
Ryan. Since there is NO substantiation for the drive-by claim
Yes Ryan?
ANY operating system can be hijacked
ANY operating system can be hijacked...?
"ANY operating system can be..." hacked. So... ALL operating systems are equal.
NONSENSE. Anyone that expounds this tripe is either wholly ignorant of this subject, or they are intentionally spreading, seriously debunked, deceptions and propaganda (as is, anyone that parrots the perennial deception that "Windows" is only compromised so often because it's more "popular").
Well... first, the absolute non-sequitur, fallacy, that -any-, alleged, security-issue in -any- operating system (other than "Windows") somehow demonstrates that -all- other OSes are just as insecure as "MS-Windows"... That is a complete logical fallacy. You might just as well claim that, since, "any" automobile can be in a crash... "ALL" cars are as equally "unsafe" ...as the most bug-ridden, cheap, death-trap, ever sold. Clearly such a claim is nothing more than desperate SPIN. Overall quality, demonstrated-security, and testable-experience, are -not- a true/false (yes/no) proposition. And trying to portray them [relative security], as such, indicates either pedantic-ignorance, or outright-deception.
And, then there is the even more ridiculous and well-proven, out-and-out, lie that "Windows" has more security-issues, simply because it is more "popular". Sorry, sweeties, but "popularity" does -not- cause the spontaneous-generation of overwhelming numbers of, well-documented, security-flaws and holes. Here are some axiomatic facts that everyone needs to understand... wishful-thinking, and engineering, are -not- the same thing. And, security and quality, are not -magic-. They are measurable, and objective.
Finally, there is also the real issue that... once again... this "security" warning about "Android" seems full of the usual alarmist-hyperbole, and seriously short on the basic understanding... that the "user" -must-, once again, apparently, actively act to install "malware" on their own device... BEFORE... the device's security is actually breached ...unlike ...sadly -every- version of "Windows", since Windows-95.