Introduction
I do not know about you, but I love malicious software. Writing viruses is, of course, a harmful and punishable activity. But malware itself, setting aside the results of its work, is most often interesting, conceptual software, and the virus-writing scene has enough talented developers who are able to realize original ideas and implement the complex technical part.
All the more interesting, then, to follow the evolution of such software...
Mobile Platform Security
... and the most accessible object for observation is the Android platform: the system is only three years old and is developing much faster than its defensive mechanisms. Its popularity explains the virus writers' interest in the product. In addition, malware built for mobile devices pays off handsomely. Granted, smartphones and tablets do not host hundreds of websites, but they store their user's personal information and offer mechanisms that desktops lack (SMS, GPS and others), most of which have yet to be fully exploited.
A year ago a friend and I created a website dedicated to Google's mobile system. I maintain a "Security" section there, making notes about emerging viruses and vulnerabilities. Over the past year a modest amount of material has accumulated, in which one can quite clearly trace the emergence of new attack vectors and concepts against the mobile platform. So I have compiled everything as a chronology. For each entry I give a comment and my subjective assessment, as well as a link to the article on my website where you can read more about the subject, since the details simply do not fit in this article and are not needed within its scope.
Comment
This material covers only the facts associated with the emergence of new software-based attack vectors against the platform: above all, the appearance of malware built on new principles, but also researchers' proof-of-concepts and discovered vulnerabilities that demonstrate new approaches which could be used to create malware.
In particular, viruses like Android.Spy did not make it in, since there is nothing interesting about them: the standard starter kit of a young Trojan and a few extra kilobytes in the antivirus signature database. So...
Chronology
November 23, 2010 - security researcher Thomas Cannon discovered a vulnerability in the built-in Android browser. It allowed a web page with specially crafted embedded JavaScript to read files on the device's SD card.
This is not to say the vulnerability was very serious in itself, but it was later put to use in Android Trojans.
The reaction of the Google Android Security Team, which the researcher promptly notified, was also telling: the vulnerability was not closed before the December release of the new Gingerbread, into which the hole successfully migrated!
Late December 2010 - Lookout Mobile Security discovered the Geinimi Trojan in Chinese application markets. The malicious code was embedded in legitimate programs and games. This is the first Android virus that can be called genuinely complete and technically mature. It collected personal user data and other information and sent it all to remote servers. The malware's architecture allowed a botnet to be deployed.
Late January 2011 - researchers from City University of Hong Kong and Indiana University Bloomington present two proof-of-concept Trojans that demonstrate two interesting ideas.
The program dubbed Soundminer uses the device's microphone to capture speech, and a special recognition algorithm extracts spoken credit card numbers from the resulting recording. It works in conjunction with another prototype, Deliverer. The two Trojans communicate with each other, bypassing the platform's security mechanisms designed to isolate applications from one another. Thanks to this trick, the malware can pass information to third-party servers through another application without itself needing Internet access.
Mid-February 2011 - the appearance of the Android.Adrd Trojan, the first Trojan that, in addition to the standard set of actions, began manipulating browser search results on the infected device. This was done to promote sites in the Baidu search engine (SEO). Thus another practical application of mobile viruses was put into practice.
Early March 2011 - perhaps the most high-profile event in the Android security world: the appearance of malware on the Android Market itself. Before this, infected applications had inhabited various warez portals, mainly Chinese, and now...
Within a few days reports appeared of 21 infected Android applications. The number then grew to 56. All the programs were uploaded from three accounts and were copies of legitimate applications with embedded malicious code: an ordinary Trojan named DroidDream.
Google's security team failed again by not reacting to the warning in time. In fact the Trojan was discovered very quickly, by the developers of the Guitar Solo Lite application, who were analyzing the strange bug reports of their infected brainchild. They notified Google, but Google missed the moment and began to act only after the information appeared on a major portal. By that time a large number of users had been infected; the total came to about 200,000 infected devices, the largest in the Android world.
The Android Market was cleaned up (employees of Symantec, Samsung and Lookout also took part), and Google's developers created a special utility, the Android Market Security Tool, which installs automatically and cleans the user's device. As if in mockery, it was immediately trojanized by unknown craftsmen and posted on alternative application markets, causing a new wave of infections.
Early April 2011 - an infected Walk and Text application spread through several file-hosting sites in Asia. The beast sent SMS from the infected device to numbers from the contact list (billed, of course, to the user). The messages contained the following text:
"Hi, I just downloaded the pirated Walk and Text application for Android from the Internet. I am stupid and poor, and in fact it costs only one dollar. Don't steal like me!" Such a truth-telling virus. It even offered the user a link to download the real, legitimate application. However, this "exemplary" behavior did not stop it from doing ordinary Trojan business like stealing personal information.
Early May 2011 - specialists from Doctor Web discovered the "first full-fledged backdoor for Android", Android.Crusewind. It is hard to say why this malware earned the title. If you take the feature typical of backdoors, providing access to the system's command interpreter, Crusewind had no such thing and contained no exploit for obtaining root access. And if you take the broader definition of a backdoor as a software mechanism for controlling a compromised device, then yes, Crusewind belongs to that class, but it was certainly not the first: Geinimi already had quite efficient command-driven mechanisms.
Crusewind is also interesting in that it was distributed via SMS. The mechanism is simple: the user receives a link to download the program; if he downloads it and infects his device, an SMS is sent to his contact list. Everything rests on social engineering. Up to this point no such propagation mechanism had been encountered. On the other hand, almost simultaneously with Crusewind, the Android.Evan family of viruses appeared in China, copies of which were also distributed via SMS and social engineering. It is hard to say which software implemented the idea first.
Late June 2011 - a TrendLabs specialist detects a sample that implements a covert SMS relay mechanism. That is, the infected device acts as a gateway: on the attackers' commands it sends messages to specified recipients and forwards incoming messages from those recipients to a remote server. Such a mechanism, which turned out to be very flexible, can be put to a multitude of uses: SMS billing fraud, simply sending and receiving messages, stealing the user's correspondence. However, the Trojan itself, which belongs to the same Crusewind family, still looked unfinished at the time: no propagation mechanism had been bolted on. Nor was any practical use of the new mechanism visible yet, but...
July 10, 2011 - the HippoSMS Trojan was detected, which uses a similar SMS handling mechanism to send messages from infected devices to premium-rate numbers. This is one of the first implementations (and not the last: towards the end of July the Android.Ggtrack family appeared, built on a similar principle) of this trend in the use of infected mobile devices.
Mid-July 2011 - Fortinet reports the detection of a Zeus modification for the Android operating system. This is an important event, one of the most significant: malware is migrating from "big" computers to the mobile platform, which is incredibly sophisticated and dangerous. The target is the user's financial data. And clearly the top-tier virus writers have now noticed Android.
However, this mobile Trojan turned out to be clumsy, with obvious architectural problems, unlike its "big brother".
Early August 2011 - a new vector appears. This time the target of the malware, or rather of its raw prototype, is the user's phone conversations: they are recorded and saved to a file, which is then transmitted to third-party servers. Call interception had not been seen on Android devices before.
Mid-August 2011 - ANDROIDOS_NICKISPY.A, a Trojan disguised as a Google+ client application, which uses the above mechanism for eavesdropping on conversations, came into view.
Late August 2011 - researchers from the University of California, Davis developed TouchLogger, a prototype keylogger for touchscreen devices. It implements an innovative idea based on the use of data from the device's motion sensors rather than on traditional interception mechanisms. It is genuinely delightful, so interesting and fresh is the concept.
Early September 2011 - after Zeus comes SpyEye for Android, another advanced Trojan from the world of "big" computers. It implements root access on the mobile device and the previously seen mechanism for receiving and sending SMS.
What is unique here is the hybrid use of the desktop and mobile versions of the malware: the device is infected precisely through its link with the already-infected computer. Let me remind you that SpyEye targets payment systems, most of which link the account to a phone number and require SMS confirmation of account operations.
Once SpyEye has infected a computer, it could steal money if it were not for the SMS confirmations. So it is logical to seize the mobile device as well, and with it the needed SMS operations. It was on this idea that the mobile version of the beast was built, and it really did become a good method of circumventing the payment systems' protections.
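Added example (mine, not code from this article or from any of the malware families it describes): a small static triage check, in Python, for the SMS-interception pattern that the Crusewind relay, HippoSMS, the Android Zeus and the mobile SpyEye entries have in common. An app that declares RECEIVE_SMS and INTERNET and registers a high-priority receiver for the SMS_RECEIVED broadcast can, on Android of that era (before 4.4), read an incoming message before the stock messaging app and forward it; adding SEND_SMS lets it reply or send to premium-rate numbers. The two manifests below are constructed for the demonstration, the package names are placeholders, and treating any priority above the default of 0 as suspicious is a threshold I chose, not a rule from the page.

```python
"""Static triage of an AndroidManifest.xml for the SMS-relay pattern.

Added example, not from the article or from any malware described in it.
The manifests below are constructed for the demo; package names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree's form of the android: prefix
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
PRIORITY_THRESHOLD = 0           # assumption: anything above the default is notable

# Constructed: asks for SMS permissions, grabs SMS_RECEIVED at maximum priority,
# and has network access to forward what it reads.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.update">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Security Update">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed: a messaging-style app that reads SMS at default priority and
# has no network permission, so it cannot relay anything off the device.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.messenger">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Messenger">
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a dict of findings about SMS permissions and receivers."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}

    # Highest priority among intent-filters that listen for SMS_RECEIVED.
    max_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            prio = int(flt.get(A + "priority", "0"))
            if max_priority is None or prio > max_priority:
                max_priority = prio

    findings = {
        "package": root.get("package"),
        "can_receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "can_send_sms": "android.permission.SEND_SMS" in perms,
        "has_network": "android.permission.INTERNET" in perms,
        "sms_receiver_priority": max_priority,
    }
    # Relay pattern: read incoming SMS ahead of other receivers and have a way
    # to ship them off the device. SEND_SMS on top enables premium-rate fraud.
    findings["sms_relay_pattern"] = bool(
        findings["can_receive_sms"] and findings["has_network"]
        and max_priority is not None and max_priority > PRIORITY_THRESHOLD
    )
    return findings


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

Permissions and receiver priority are only a first filter: a sample can hide behind a benign-looking manifest and request nothing unusual, and a legitimate messaging client can legitimately declare a raised priority, so the output is a reason to look at the code, not a verdict.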
Late September 2011 - everyone has heard about this Trojan recently. It might not have made the chronology had it not been notable for an interesting implementation of command delivery from C&C servers to infected devices: via ordinary public blog sites on the Internet containing encrypted entries with commands.
On the other hand, AnserverBot (as it is called) is a piece of malware that characterizes both modern architecture and the trend in virus construction in general. It is technically advanced and contains anti-reverse-engineering tooling, a two-tier C&C server system and a good payload. It certainly brought interesting ideas.
Findings
As the chronology shows, Android malware is constantly improving, and watching the process is surprisingly interesting and useful: here are the ideas, here the concepts, here the trend and the creativity. What the new Android viruses will look like is hard to say, but we will surely see in them everything that has appeared over the past year. In the meantime, the trend is towards mature, efficient mechanisms, towards quality. But that does not rule out that we will still see interesting ideas.
Instead of a conclusion
I just want to share my opinion: the most significant event is the appearance of Geinimi, one of the first and very high-tech viruses; the most notorious event is the infection of the Android Market; the most interesting concepts are TouchLogger from the California researchers and, definitely, mobile SpyEye.
Thank you for your attention, love elegant ideas, and I hope this topic seemed interesting to you.