New Android Malware Threatens Users' Personal Data

By Wayne Rash | Posted 2012-03-22
NEWS ANALYSIS: Innovative new malware design makes it possible to take data from Android smartphones and tablets without actually infecting the device.

Google's Android mobile operating system continues to attract a growing number of malware threats as creators discover the ease of working with an open software environment. The result, as eWEEK noted, is a huge jump in malware over the last year. Some of these threats can be innovative in their efforts to extract financial data from unsuspecting users.

One such threat, discovered by malware researchers at McAfee, is a new remotely controlled man-in-the-middle attack that can steal a user's initial banking password from a mobile device without actually infecting the device.

The malware uses its man-in-the-middle activity to pose as a token generator for a bank, using the bank's logo, according to McAfee researcher Carlos Castillo. The fake token generator is really intended to look like the user's bank log-in screen, and it asks for the initial password. When it receives this, it runs XML code that captures additional access information, as well as the user's contact list. The initial contact that leads to the man-in-the-middle attack is usually a Short Message Service (SMS) text sent to the user's phone that appears to be from the bank.

Once the XML commands are run, the malware creates a system event that executes at a future time and then listens for commands from control servers. Those commands cause the device to send the required information and deliver updates that let the malware update itself and initiate spyware. This, in turn, allows the control server to gather additional credentials that will let the server operator gain access to the user's bank accounts.

"This threat is basically a phishing attack so the user can be tricked into believing that it is a legitimate application from a real bank," Castillo wrote in an email interview.

However, Castillo notes that only Android users who have selected the option in the Android settings that allows installing apps from unknown sources are vulnerable to this attack. He said that legitimate banking applications would be available from the Android Market, now renamed Google Play. He said that Google checks the apps there for malware, and gets rid of them using Google Bouncer.

"The user should avoid the installation of applications from non-trusted sources/markets," said Castillo. He also recommended installing an anti-malware package on any Android device.

Currently, McAfee lists the new Android malware, now known as Android/FakeToken.A, as a low-risk threat, primarily because it requires user intervention in Android's existing security settings in order to work. In addition, this malware puts an icon on the menu page of an Android device and requires that the user invoke the app. However, the fact that this sort of remote-control malware is able to gather information from an Android device is in itself significant. While most enterprises aren't doing their banking on an Android phone, the fact is that the same approach could very easily be used to a different end, such as corporate espionage or to facilitate an attack on a corporate partner.
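Because Castillo's precondition for this attack is that the device allows installs from unknown sources, a practical defensive check is to audit that setting on managed devices. The script below is an added example, not code from the eWEEK article or from McAfee. It assumes `adb` is installed, USB debugging is enabled on the attached device, and the device runs an Android release that exposes the global `Settings.Secure` key `install_non_market_apps` (the single "Unknown sources" toggle of the era the article describes; later Android releases replaced it with a per-app permission, on which this key reads back as unset).

```shell
# Added example (not from the article or McAfee): audit whether an Android device
# permits installs from unknown sources, the precondition named for this attack.
# Assumes adb is on PATH and the device exposes Settings.Secure "install_non_market_apps".

# Interpret the raw value returned by `settings get secure install_non_market_apps`.
# Prints "enabled", "disabled" or "unknown" and returns 0, 1 or 2 respectively.
classify_unknown_sources() {
    raw=$(printf '%s' "$1" | tr -d '[:space:]')   # strip the trailing newline adb adds
    case "$raw" in
        1)         echo "enabled";  return 0 ;;
        0|null|"") echo "disabled"; return 1 ;;   # an unset key reads back as "null"
        *)         echo "unknown";  return 2 ;;
    esac
}

# Query an attached device over adb and classify the answer.
audit_device() {
    value=$(adb shell settings get secure install_non_market_apps 2>/dev/null) || {
        echo "adb query failed (no device, or settings command unavailable)" >&2
        return 2
    }
    state=$(classify_unknown_sources "$value")
    echo "install_non_market_apps=$value -> unknown sources $state"
}

# Stand-alone demonstration on constructed sample values (no device required).
for sample in "1" "0" "null" "" "garbage"; do
    printf '%-9s => ' "\"$sample\""
    classify_unknown_sources "$sample" || true
done
```

Run `audit_device` against a connected phone to get a one-line verdict; a result of "enabled" means the device would accept a sideloaded fake token generator of the kind the article describes, and the control to restore is the Android setting itself rather than anything in the app.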

Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.