Although he 1st asked how I was, he quickly said he needed help to post an ad on a popular french classifieds website, leboncoin.fr. Although suspicion rose immediately, as a security researcher, I was very curious to see where this was going to lead.

The ad is for a car, and although he tells me to list the required fields so that he can give me all the requested information, my friend seems to have his text all prepared. He seems to be rather pasting chunks of text, with fields I haven’t even mentionned.

Giving me fields I haven't mentionned.

When I ask why the car is being sold in a totally different area from ours (800km away), he says it is for his aunt. I don’t want to question him too much, so I just keep on copying the information he is giving me. He gives me an email address, a phone number, links to pictures of the car, and a password for the ad. At this point, I’m not sure what his motives are. It is probably a false ad with hopes of getting the money for this non-existent car, but why would he need me to post it for him? Is his IP address blocked from the website? Or is this a way of trying to hide his traces? As he’s given me a password, it is certainly not a way to try to get any of the passwords I might commonly use on the Internet.

The classified's vendor details.

When I validate the ad, an email with a confirmation link is sent to the address I have provided. My friend copy/pastes the url into Facebook chat so that I can confirm. He asks me to copy/paste the message from the website to ensure I have really validated.

Asking me to prove I have validated the ad.

This guy seems to not want to waste much time. He is giving short and clear directions on what to input, how to download the pictures. Not once does he say “please” or “thanks”, or tries to make a bit of conversation. When I ask why he needs me to post the ad for him, he first eludes the question, but when I insist he eventually says it’s because the website won’t show on his computer. Then out of nowhere he asks whether I’ve seen the “new Facebook”. It’s pretty obvious I have as I have the new Timeline on my profile, and oh, so does he!

Link to the "new Facebook".

Of course, it is a phishing site to steal user credentials so that he can later hijack more Facebook profiles. This site does not even try to look like the real Facebook. It is called “Facebook L0ve”, and yes, with a ’0′ instead of a capital ‘O’.

The new Facebook L0ve.

Now at the lab we’re curious to find out where this guy is. So we lure him into a “hot” MSN chat while we quickly set-up a webserver with photos for him to visit so that we can get his IP address and geolocalize it. Needless to say the MSN ID he gives me is another different email address, one he most probably uses to pass as a pretty girl to lure men into a fake romance!

As it turns out, our foe is in Benin, and it is not the 1st recorded scam of this type coming from there. So if a “friend” hits you up to post an ad for him/her, or asks you to click on a link:

• Make sure it is really your friend, by asking for example if it is sunny in Alaska (and they normally live in Florida)
• Tell your real friend their profile has been hijacked and they need to inform Facebook about it
• Report the scam to your local Internet Complaint Center (USA: http://www.ic3.gov, France: https://www.internet-signalement.gouv.fr)
• Report the fake ad to the website (leboncoin.fr)

The video includes explanations of the features of FortiClient Lite and how set the software up on both the Android and FortiGate devices. FortiClient Lite Android was released from beta in December 2011 and features SSL VPN connectivity.

A question and answer forum can be found at:

http://support.fortinet.com/forum/tt.asp?appid=6

Alternatively, users may ask questions directly from their Android device using the “Report a Problem” feature located in FortiClient Lite’s menu.

Stay tuned for more updates on our mobile products!

Carrier IQ on Android – FAQ
Android Malware Surges in 2011
Fortinet Security Minute for September 2011
Threat Landscape Midyear in Review
Apple Plays Cat-and-Mouse Game with Mac Malware Makers
World IPv6 Day
Phishing 101
Stop Your Computer From Becoming a Zombie!
40th Anniversary of the Computer Virus
What’s Not Going to Happen in 2011: Anti-Predictions

Have you subscribed to the FortiGuard blog’s RSS feed?
Subscribe Now.

In this edition of Security Minute, Derek Manky, Fortinet’s senior security strategist, wraps up 2011 with his predictions of the type of network security threats we might see in 2012. Here’s a link to the full report for more detailed info: http://blog.fortinet.com/2012-threat-predictions/

“The IQ Agent uploads diagnostic data once per day, at a time when the device is not being used” (page 4)

This is hardly a defense to me. People do not like that their phone is being used without their consent, even if it is for good reasons.
When I buy a car, I pay for it, and I don’t expect anybody to drive it without asking my permission. This is still the case if that person is kind enough to use the car while I don’t need it. It is even still the case if that person pays for the fuel.
It’s my car, you ask if you want to borrow it. Right?
It’s the same for my phone. I bought a phone, I paid for it, it’s my phone. I don’t expect anybody to use it (call, SMS, Internet whatever) without asking my permission. And this is still the case even if my phone is used when I don’t need it. And even if I don’t pay for the communication.

“Carrier IQ’s software has access to no more data than any other application on a device” (page 5)

On Android devices, access to data is regulated by asking for specific permissions.
True, CarrierIQ has to request those permissions like any other application, but the difference is that CarrierIQ gets those permissions without asking for end-user’s consent, whereas other applications do.
Indeed, CarrierIQ is already installed on the device when the end-user gets it. He/she is never prompted with any screen asking whether he/she agrees to such permissions. Probably even worse, the end-user is not even aware of the presence of CIQ.

“… [in bold] what is actually gathered by a Network Operator is based on their business requirements and the agreements they form with their consumers on data collection.“ (page 7)

Besides I wonder how operators react to this line of defense “it’s not my fault, it’s theirs”, I believe end-users do not really care who is to blame – CarrierIQ, manufacturers and network operators – as long as the situation never happens again.
At a second thought, actually, Carrier IQ’s sentence acknowledges someone should have asked for end-users agreement.

“The IQ Agent does not use the Android log files to acquire or output metrics” (page 8)

I don’t think anybody ever suggested they were using log files to acquire data.
As to using them to output data, I disagree. CarrierIQ actually acknowledges on the next page using a “secure temporary location on the device” (page 9). It should be noted than on Android, which is a Unix-based system, everything is, by design, a file. So, this “secure temporary location” is a file (if ever this is important). And it contains metrics gathers by the IQ agent. This is logging. The fact the log is not directly human readable is irrelevant to the definition of logging.
Anyway, the debate is not over “using human-readable files or not” but over “is somebody reading and eventually storing data”.
As I already said, CarrierIQ does not provide any detail on how this temporary location is secured. Let’s hope it’s good.

“The embedded version of IQ Agent metrics allows for the collection of URLs [..] the IQ Agent cannot read or copy the content of a website” (page 9)

Ok. How would you react to this claim: “I did not spy on your readings, I only got the titles and reference of the books
you read, not their content!”?
It’s exactly the same here. CarrierIQ does not get the content of the pages I visited, but the URLs. The problem is that leaking a URL is already significant. It will say which pages we are visiting. In several cases, the URL also contains additional arguments which will for instance state our login name, session id etc.

– the Crypto Girl

Many of these events the team predicted in their “Top 5 Security Predictions for 2011,” while others, such as legislation to potentially jail and fine individuals who had malicious code stored on computer systems were more surprising.

2012 promises to be even more worrisome. After gazing into FortiCrystalball this month, FortiGuard Labs saw eight network security trends that could happen in the coming year. In short, the Labs are predicting a rise of mobile malware (with new worms and polymorphism) , increased crackdowns on network run money laundering operations, renewed and successful collaboration between government and the private sectors, discoveries of exploitable SCADA vulnerabilities, an increase in sponsored attacks, and Anonymous hacktivists using their powers for good over evil. The full report is outlined below.

1. Ransomware to Take Mobile Devices Hostage
Over the past few years, FortiGuard Labs has witnessed the evolution and success of “ransomware” (an infection that holds a device “hostage” until a “ransom” payment is delivered) on the PC. Mobile malware that utilize exploits have also been observed, along with social engineering tricks that lead to root access on the infected device. With root access comes more control and elevated privileges, suitable for the likes of ransomware. FortiGuard predicts the team will see the first instances of ransomware on a mobile device in the coming year.

2. Worming into Android
Worms, i.e., malware that is able to quickly propagate from one device to another, have by and large remained absent from the Android operating system, but FortiGuard Labs believes that will change in 2012. Unlike Cabir, the first Symbian worm discovered in 2004, Android malware developers most likely won’t be using Bluetooth or computer sync to spread out because of their limited ranges. Instead, the team believes the threat will come from either poisoned SMS messages that include a link that contains the worm or through infected links on social networks, such as Facebook and Twitter.

3. Polymorphism Want a Cracker?
There’s no denying that Android-based malware has gotten more diverse and complex. In the last year: FortiGuard Labs has seen Android malware use encryption, embed exploits, detect emulators and implement botnets. But what they haven’t seen yet is an example of polymorphism in action. Polymorphism is malware that is capable of automatically mutating, making it extremely difficult to identify and thus destroy. The team has previously encountered polymorphism on Windows Mobile phones and believes it’s only a matter of time before the malware appears on Android devices.

4. Clampdown on Network-Based Money Laundering
Money mules, which typically consist of third party individuals electronically transferring money from one person or service to another and illegitimate payment processors, are critical components to a successful money laundering and fraud operation. Using anonymous fund transferring services, human networks and payment processor safe havens, cybercriminal syndicates have pretty much operated with impunity for years. How do you catch someone when you don’t even know where they’re located? FortiGuard believes that will change in 2012 [By this, are you saying in 2012 we expect to be able to catch these people?]. The recent arrest of ChronoPay CEO Pavel Vrublevsky’s on the grounds of hacking Aerfolot’s Website and preventing visitors from buying tickets, is a good example of the type of takedowns the team expects to see in the coming year.

5. Public-Private Relationships in Security
Last year FortiGuard Labs predicted they’d see an increase in global collaborative botnet takedowns. And they were right not only with botnet takedowns, but global collaboration period. Among globally-supported botnet takedowns were Rustock and DNS Changer while other international efforts helped take a massive scareware operation offline that siphoned $72 million in bank funds. Meanwhile, arrests were made against international members of Anonymous and LulzSec hacktivist groups. This crackdown will continue in 2012, and the team believes that much of it will be aided by Defense Advanced Research Projects Agency’s (DARPA’s) public defense initiative. DARPA was recently granted $188 million budget and plans to use part of the money on initiatives to build a cyber defense team in the private sector. With recent movement, it seems likely that in 2012 we will start to see similar relationships formed worldwide.

6. SCADA Under the Scope
For over a decade, Supervisory Control and Data Acquisition- (SCADA) based threats have been a concern, because they are often connected to critical infrastructure such as power and water grids that would have serious consequences if they were ever breached. This last year FortiGuard saw two examples of this in the form of Stuxnet, which compromised Iran’s nuclear program and Duqu, a Stuxnet-like virus that used similar attack methods and stolen certificates. While Iranian officials confirmed the latter had infected systems in the region, no hostile industrial code has been found to date. However, it’s clear the building blocks are now in place. The reality today is that critical infrastructure systems are not always operating on a closed circuit. New human machine interface (HMI) devices that interact with these systems are being developed by a number of different software and hardware manufacturers, and many have Web interfaces for logging in. And the FortiGuard team has seen historically that Web-based interfaces that interact with back end systems can many times be circumvented. Even more concerning is the migration to cloud-based SCADA services. This allows data storage and potential control of critical systems on a public cloud server – hence the security concern. Groups like Anonymous have already found an assortment of Web-based vulnerabilities simply by picking targets and scouring code. In 2012, FortiGuard predicts a number of SCADA vulnerabilities will be discovered and exploited with potentially devastating consequences.

7. Sponsored Attacks
The FortiGuard team often talks about Crime as a Service (CaaS), which is just like Software as a Service (SaaS), but instead of offering legal and helpful services though the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks. If you’ve got the money, there’s a good chance you can find a CaaS provider to help you out. What FortiGuard sees evolving in 2012, is that instead of hiring a CaaS outfit for blanket attacks, they’re going to see more strategic and targeted attacks on companies and individuals. This scope would include state or corporate sponsorship. Admittedly, this prediction will be tough to monitor because without “freedom of information” legislation in place, many of these discovered cases will be settled out of court with verdicts not being released publicly. For example, Russian payment processor ChronoPay allegedly hired a hacker to attack a direct competitor (Assist) in 2011.

8. Hacking a Good Cause
While Anonymous has been alive and kicking in one capacity or another since its formation on 4Chan.org in 2003, only in the last year have the loosely organized anarchists started using their power to attack large, high profile targets such as Sony. More hacktivist groups were formed in 2011 (most notably LulzSec), and more will likely rise in 2012. What FortiGuard found interesting about Anonymous towards the end of the year, was how the group started to use their power for “good.” Case in point, they’ve recently threatened to unmask Mexican drug cartel members and they recently helped authorities break up a child porn ring. FortiGuard expects to see more examples of “hacktivist” justice meted out throughout 2012 along with a mix of attacks that border or cross the line of justice.

Foncy has first been spotted by Denis Maslennikov. It is a dialer, i.e it sends SMS messages to premium numbers, without user’s consent. It does not spread by itself: victims are infected when they download and install the malware, likely from an alternate marketplace. They probably just wanted to try out an application, which happened to be the malware.

The application’s name (SuiConFo) – which is a French abbreviation for tracking mobile plans – immediately rang a bell in our French anti-virus labs. Since then, Karine de Ponteves and I, have been able to track information on this malware.

The malware looks like former versions of a legitimate application named Track Your Plan. The code and signing certificate bear however absolutely no similarity.

Contents of the legitimate plan tracking application

Contents of the malicious plan tracking application

In France, the malware sends 4 SMS to short number 81001, with body “STAR”. Each SMS costs 4.50 euros. The short number is a SMS+ number, rented to a French company, who in turn rents it to its customers and other intermediaries. Searching the web, we found several French users complaining about their bill and obviously infected by the malware.

Actually, the French short number 81001 seems to be involved in several scams. For example, an end-user below reports he received an e-mail telling him he had won an iPhone 4 and was being asked to send an SMS to 81001 with body “STAR”. The e-mail looks like it comes from a Fabrice Andre from Orange. Actually, a Fabrice Andre of Orange does exist, but certainly hasn’t sent this e-mail. The operator Orange is aware of this scam.

We also acknowledged a discussion on a French forum where a member was boasting about a new method to make easy money using 81001. He explained he opened a StarPass account (StarPass is a micro-payment system – via SMS), and then would ask his Facebook contacts to send a SMS to 81001.

WeeyWayne explains how he makes money out of 81001

For each 4.50 euro SMS received, StarPass pays back the author 2 euros.

For each SMS "A" (client cost 4.5 euros), you receive 2.00 euros (in French)

Additionally, Android/Foncy listens to incoming responses from 81001 and forwards the answers by SMS to a French mobile number 06xxxxxxxx. This mobile number belongs to SFR, who has been notified.

French mobile phone subscribers should be particulary wary of abnormal SMS bills, as the short number 81001 and the mobile line 06xxxxxxxx are still active at the time of writing this blog, and Android/Foncy is still in the wild. End-users should complain to their operator and/or report any unsollicited spam to the French service 33700.

To this date, we do not know the amount of French victims, and will keep you informed.

– the Crypto Girl

CarrierIQ is a controversial piece of code which was intentionally placed on several mobile phones by their vendors or carriers.
It has the capability of monitoring and/or collecting various information – without user’s consent.

Q2- What is Carrier IQ exactly doing?

Precisely, CarrierIQ (CIQ) has developed a series of hooks to monitor plenty of metrics such as:

• HT01: HTTP request URI
• AL15: browser’s URL
• MG01: SMS recipient and SMS center
• MG03: SMS originator
• MG11: MMS version, sender, recipient and relay URL
• HW10: min and maximum battery voltage, capacity, model
• HW11: battery’s voltage and temperature
• LC18: altitude, latitude, longitude, uncertainty, velocity…

See for instance the MG11 metric below:

MG11 metric used by CarrierIQ

A broader view of available metrics is available here and here.

Then, OEMs and carriers pick up which metrics they are interested in, and integrate it to the phone. The data goes to remote portals which are controlled by the OEMs or carriers.

Interesting to read: Dan Rosenberg, “Carrier IQ: the Real Story”

Q3- So in spite of what their executives are claiming, CarrierIQ “logs” my personal data?

The short answer is yes, it does: Some of your actions on your phone are being silently reported to a third-party without your knowledge, and this is what we call logging.

Now indeed, it is true that CIQ may not log all our actions, and that it does not do so for itself: indeed,  although it constantly monitors everything, some actions may not be reported (and thus, simply dropped) to the carrier and/or vendor, depending on which metrics (see Q2 above) the latter cared to enable. As of this writing, we do not know which vendors/carriers enable which metrics.

Q4- Does it hamper my phone’s security?

In short: yes. But if you have time for more details, read the reasons below.

1. CIQ is no more no less than a rootkit – even if it was (perhaps) designed for benign usage. Like rootkits, CIQ’s service runs as root on the phone. Like rootkits, CIQ hooks basic functionalities on the phone (keys pressed, opened applications, SMS received etc). Finally, like rootkits, CIQ tries to hide itself, and as a matter of fact, end-users weren’t aware of its existence. CIQ does not display any application icon, it is not listed in installed application, and does not come with any policy.
2. As Trevor Eckart’s video shows, each time we press a key, this is shown as a new line of Android’s logcat. Logcat is a system feature – it does not belong to CIQ – which is the first reason CIQ argues it does not log anything. True. But if someone has access to logcat, he/she can still monitor all our actions – which is a threat to your privacy and confidentiality.
3. Moreover, actually, there is a log file: Carrier IQ has still admitted keeping a temporary log, and there are no details of how that temporary file is secure. The answer “it’s not readable if you don’t have our tools” does not sound good to me. It sounds like some hand-made obfuscation or crypto, and over years, this has never proven to be secure.

Interesting to read: Trevor Eckart, What is Carrier IQ?.

Q5- Do I have CIQ on my phone?

Carrier IQ has been found on several Android phones, but it actually also exists on other platforms, such as iPhone.

Fortinet detects it as Riskware/CarrierIQ!Android.

Alternatively, you may install an application to check if your phone has CIQ or not. There are Android apps for that, such as Lookout’s Carrier IQ Detector or Project Voodo (not tried).

If you are a phone geek, you can do this manually by searching for one of the following files:

/system/app/com.htc.android.iqagent.apk
/system/app/com.carrieriq.tmobile.apk
/system/app/com.carrieriq.iqagent.apk
/system/app/com.carrieriq.attrom.apk
/system/app/HtcLoggers.apk
/system/app/HTCIQAgent.apk
/system/bin/iqfd
/system/bin/iqd
/system/lib/libciq_client.so
/system/lib/libciq_htc.so
/system/lib/libhtciqagent.so
/system/etc/iqprofile.pro

Interesting to read: Trevor Eckart, [DEV|APPv7] CIQ / HTC & Google Checkin / HTC loggers / Tell HTC Info & Removal

Q6- How to get rid of Carrier IQ?

Unfortunately, it is difficult to get rid of CIQ because it has been built directly into the OS of the device, or packaged in the OEM’s/carrier’s ROM.

Consequently, you need to first root the phone and then

1. either you flash the ROM with a custom ROM that does not contain Carrier IQ.
2. or you use Trevor Eckart’s tool (1 USD)
3. or you try the Remove CIQ script, that removes CIQ files on the phone.

We haven’t tried any of these, so beware.

UPDATE Dec 16, 2001:

CarrierIQ does not leak SMS bodies in the general case. Actually, CIQ leaks the SMS in some cases only because of a design level bug: if CIQ is capturing GSM network traffic, at at the same time the phone receives a SMS, of course, the contents of the SMS will be included in the network capture…

– the Crypto Girl