Google's Android mobile operating system continues to attract a growing number of malware threats as creators discover the ease of working with an open software environment. The result, as eWEEK noted, is a huge jump in malware over the last year. Some of these threats can be innovative in their efforts to extract financial data from unsuspecting users.
One such threat, discovered by malware researchers at McAfee, is a new remotely controlled man-in-the-middle attack that can steal the initial password from a mobile device without actually infecting the user's device.
The malware uses its man-in-the-middle activity to pose as a token generator for a bank, using the bank's logo, according to McAfee researcher Carlos Castillo. The fake token generator is really intended to look like the user's bank log-in screen, and it asks for the initial password. When it receives this, it runs XML code that captures additional access information, as well as the user's contact list. The initial contact that leads to the man-in-the-middle attack is usually a Short Message Service (SMS) text sent to the user's phone that appears to be from the bank.
Once the XML commands are run, the malware creates a system event that executes at a future time and then listens for commands from control servers. Those commands cause the device to send the required information and to fetch updates that allow the malware to update itself and to start spyware functions. This, in turn, allows the control server to gather additional credentials that let the server operator gain access to the user's bank accounts.
This threat is basically a phishing attack, so the user can be tricked into believing that it is a legitimate application from a real bank, Castillo wrote in an email interview.
However, Castillo notes that only Android users who have selected the option in the Android settings that allows installing apps from unknown sources are vulnerable to this attack. He said that legitimate banking applications would be available from the Android Market, now renamed Google Play. He said that Google checks the apps there for malware, and gets rid of them using Google Bouncer.
The user should avoid the installation of applications from non-trusted sources/markets, said Castillo. He also recommended installing an anti-malware package on any Android device.
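As an added example (not code from the article or from McAfee), the following POSIX shell audit checks the two conditions the article ties to this threat: the "unknown sources" setting being enabled, and user-installed apps that did not come from the Android Market / Google Play. It assumes adb with an authorized, debugging-enabled device, the `settings` and `pm list packages -3 -i` shell commands, and pm's `installer=` output format; the parsing functions also run offline on the constructed sample lines at the bottom.

```shell
#!/bin/sh
# Audit for FakeToken-style prerequisites: sideloading enabled, sideloaded apps.
# Assumptions: adb on PATH, one authorized device, Android 4.2+ `settings` command.

# "1" means installing apps from unknown sources is enabled.
unknown_sources_enabled() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Different Android releases stored the flag in the "secure" or "global"
# namespace, so query both. Output is the raw value ("0", "1" or "null").
read_unknown_sources_setting() {
    v=$(adb shell settings get secure install_non_market_apps 2>/dev/null | tr -d '\r')
    case "$v" in
        null|"") v=$(adb shell settings get global install_non_market_apps 2>/dev/null | tr -d '\r') ;;
    esac
    printf '%s\n' "$v"
}

# Reads `pm list packages -3 -i` lines from stdin, e.g.
#   package:com.example.app  installer=null
# and prints third-party packages whose installer is not Google Play
# (com.android.vending). "null" means the APK was sideloaded (adb or a file).
sideloaded_packages() {
    tr -d '\r' \
    | sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' \
    | awk '$2 != "com.android.vending" { print $1 }'
}

# Full device audit; only runs when adb is actually present.
audit_device() {
    setting=$(read_unknown_sources_setting)
    if unknown_sources_enabled "$setting"; then
        echo "WARNING: 'Unknown sources' is enabled (install_non_market_apps=$setting)"
    else
        echo "OK: 'Unknown sources' is disabled (install_non_market_apps=$setting)"
    fi
    echo "Third-party apps not installed from Google Play:"
    adb shell pm list packages -3 -i 2>/dev/null | sideloaded_packages
}

# Constructed sample of pm output, used for an offline self-check.
SAMPLE_PM_OUTPUT='package:com.bank.official  installer=com.android.vending
package:com.fake.token  installer=null
package:com.other.store  installer=com.amazon.venezia'

command -v adb >/dev/null 2>&1 && audit_device
```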
Currently, McAfee lists the new Android malware, now known as Android/FakeToken.A, as a low-risk threat, primarily because it requires user intervention in Android's existing security settings in order to work. In addition, this malware puts an icon on the menu page of an Android device and requires that the user invoke the app. However, the fact that this sort of remote-control malware is able to gather information from an Android device is in itself significant. While most enterprises aren't doing their banking on an Android phone, the fact is that the same approach could very easily be used to a different end, such as corporate espionage or to facilitate an attack on a corporate partner.