Google’s Android mobile operating system continues to attract a growing number of malware threats as creators discover the ease of working with an open software environment. The result, as eWEEK noted, is a huge jump in malware over the last year. Some of these threats can be innovative in their efforts to extract financial data from unsuspecting users.
One such threat, discovered by malware researchers at McAfee, found a new remotely controlled man-in-the-middle attack that can steal the initial password from a mobile device without actually infecting the user’s device.
The malware uses its man-in-the-middle activity to pose as a token generator for a bank, using the bank’s logo, according to McAfee researcher Carlos Castillo. The fake token-generator is really intended to look like the user’s bank log-in screen, and it asks for the initial password. When it receives this, it runs XML code that captures additional access information, as well as the user’s contact list. The initial contact that leads to a man-in-the-middle attack is usually a Short Messaging Service (SMS) text sent to the user’s phone that appears to be from the bank.
Once the XML commands are run, the malware creates a system event that executes at a future time and then listens for commands from control servers that cause the device to send the required information, and to add updates that allow the malware to update itself and to initiate spyware. This, in turn, allows the control server to gather additional credentials that will allow the server operator to gain access to the user’s bank accounts.
This threat is basically a phishing attack so the user can be tricked into believing that it is a legitimate application from a real bank, Castillo wrote in an email interview.
However, Castillo notes that only Android users who have enabled the Android setting that allows installing apps from unknown sources are vulnerable to this attack. He said that legitimate banking applications would be available from the Android Market, now renamed Google Play. He said that Google checks the apps there for malware and removes malicious ones using Google Bouncer.
The user should avoid the installation of applications from non-trusted sources/markets, said Castillo. He also recommended installing an anti-malware package on any Android device.
Currently, McAfee lists the new Android malware, now known as Android/FakeToken.A, as a low-risk threat, primarily because it requires user intervention in Android’s existing security settings in order to work. In addition, this malware puts an icon on the menu page of an Android device and requires that the user invoke the app. However, the fact that this sort of remote-control malware is able to gather information from an Android device is in itself significant. While most enterprises aren’t doing their banking on an Android phone, the fact is that the same approach could very easily be used to a different end, such as corporate espionage or to facilitate an attack on a corporate partner.
This Sort of Attack Can Take Place on Nearly Any Device
While it’s easy to blame Android’s ability to load apps from anywhere, the fact is that this sort of attack could take place on nearly any device through a link delivered by a text message or through an infected Web page. Getting the app installed on an Apple iOS device or a Research in Motion BlackBerry might be a little more difficult, but with appropriate social engineering, it’s certainly possible.
And, of course, this is the difficulty in defending Android devices against malware. The fact is that these are by design open devices. Android-based smartphones and tablets are intentionally designed to be able to use software from anywhere. The information anyone needs to develop apps, including malicious apps, is readily available and the development process is relatively straightforward. More important, you don’t have to deal with Big Brother looking over your shoulder while you develop something truly cool. Or truly evil.
Google does offer a protected area where you can find apps that have been checked and sanitized. That’s the safe approach. But Android users have another option, which is to be educated about the device OS, and then to pay attention to what’s happening when they install a new app. For the new app to work properly, you have to give it permission to access a variety of services on the device. Instead of simply answering yes to everything, perhaps it would make more sense to check the app out as much as possible before downloading, and then see if it asks for permission it shouldn’t need. You can always say no.
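The advice above, to look at what an app asks for before trusting it, can be done methodically on the app's manifest. The following Python script is an added example, not code from the article or from McAfee's analysis: it parses the `uses-permission` entries of an Android manifest and compares them with the short list a stand-alone token generator plausibly needs. The manifest, the package name and the expected-permission set are constructed for this example; the permission names themselves are real Android permissions, and the "high concern" mapping reflects the behaviour the article describes (reading the contact list, handling SMS, talking to control servers), not anything recovered from the actual sample.

```python
import xml.etree.ElementTree as ET

# Namespace used by android:name attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical "Bank Token" app.
# This is NOT the manifest of Android/FakeToken.A; it only illustrates the pattern.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.tokengen">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Bank Token"/>
</manifest>
"""

# Constructed manifest for a benign offline token generator, used as a contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.offlinetoken">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Offline Token"/>
</manifest>
"""

# Reviewer's assumption for this example: a one-time-password generator computes
# codes locally, so it needs no network, SMS or contacts access. Adjust per app.
EXPECTED_FOR_OFFLINE_TOKEN_APP = {"android.permission.VIBRATE"}

# Permissions that match the behaviour described in the article when they show up
# in an app that claims to be only a token generator.
HIGH_CONCERN = {
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.RECEIVE_SMS": "can read incoming SMS, including bank codes",
    "android.permission.SEND_SMS": "can send SMS (cost, and a channel to leak data)",
    "android.permission.INTERNET": "can talk to a remote control server",
}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml, expected):
    """Compare declared permissions with the set the app's stated purpose justifies."""
    declared = declared_permissions(manifest_xml)
    unexpected = [p for p in declared if p not in expected]
    findings = [
        (p, HIGH_CONCERN.get(p, "not needed for the app's stated purpose"))
        for p in unexpected
    ]
    return {"declared": declared, "unexpected": unexpected, "findings": findings}


def verdict(report):
    """'refuse' if any high-concern permission is unexplained, 'review' if anything
    else is unexplained, 'ok' if the app asks only for what its purpose justifies."""
    if any(p in HIGH_CONCERN for p in report["unexpected"]):
        return "refuse"
    if report["unexpected"]:
        return "review"
    return "ok"


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = review_permissions(manifest, EXPECTED_FOR_OFFLINE_TOKEN_APP)
        print("%s: verdict=%s" % (label, verdict(report)))
        for perm, reason in report["findings"]:
            print("  %s: %s" % (perm, reason))
```

The allowlist is the part that carries the reviewer's judgement: the script only makes the question "does this app ask for something its job does not explain?" explicit and repeatable, which is the same question the paragraph asks the user to consider at install time. On a real device the declared list can be pulled from the installed package rather than typed in, but the comparison is the same.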
Of course, the same thing is true for most of the malware that runs on iOS or BlackBerry OS. Regardless of how the rogue app arrived on your device, you still have to allow it to function the first time. Think about all of the times when you’ve casually granted trusted application status to some new app without thinking about why it needed that. While paying attention to what you’re running and where it comes from won’t solve the malware problem, it will certainly help control it.