Well, it’s a new way to root Android phones running 2.3.4. We already had exploits for versions prior to 2.1 or 2.2 (the uDev and rageinthecage exploits) and for versions prior to 2.3.4 or 3.0 (gingerbreak/honeybomb), but nothing in between for 2.3.4/2.3.5.
And because rooting a phone is particularly valued by malware authors, it’s important to us. For example, malware likes to silently download and install other packages, but this requires root privileges. This is why trojans such as Android/DroidKungFu.A!tr initially try to root the phone with an exploit. We were used to looking for rageinthecage binaries; now we’ll have to keep an eye on levitator…
– the Crypto Girl
Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.
by Karine de Ponteves November 23, 2011 at 5:19 am
On 15 November 2011, Google’s mobile operating system Android reached 52.5% of the global smartphone market share, and with it came an almost sixfold increase in malware threats.
Gartner's share of worldwide 2011 Q2 smartphones sold to end-users by operating system.
Fortinet’s numbers show an 83% increase in malware creation in 2011 compared to 2010, even though the year is not yet over.
Number of distinct Android samples received by Fortinet in 2011
The top 5 malware families by number of variants, which together account for nearly half of the Android malware found in 2011, are:
Geinimi: Android’s first botnet.
Hongtoutou: A trojan wallpaper which steals IMEI and IMSI and includes an update feature.
DroidKungFu: Another botnet stealing private information.
JiFake: Fake Jimm (instant messenger) application which sends SMS messages to premium numbers.
BaseBridge: A trojan that sends SMS messages to premium numbers.
The main threats are information stealing and financial harm, as cyber-criminals try to make money out of this malware.
It should be noted that this malware is usually downloaded via the Android Market, either passing itself off as a legitimate application or hidden within a legitimate application it has infected. A good example is Geinimi, which could be found within the legitimate application “Sex Positions” and was downloaded more than 1 million times.
Author bio: Karine de Ponteves has always been into computer security and its many aspects. Her current responsibilities include analysis and research for Fortinet's FortiGuard Global Security Research Team.
In the AV industry, one of the golden rules is to make sure that, during analysis, we do not in any way help the malware authors and/or propagate their offspring.
This requires special care in the case of malware for mobile phones because, on the one hand, many of them won’t run if the phone is offline, but on the other hand, if the phone is online, the malware is free to place calls or send SMS messages in the wild without any way to block those actions. So, we thought of building our own local GSM operator, using a USRP coupled with a Linux box running OpenBTS and Asterisk.
USRP connected to OpenBTS in our lab
Actually, this is what I presented at the Virus Bulletin Conference [paper] [slides] in Barcelona a few weeks ago. If you missed it, I also showed a video comparing how much we see when analyzing a Symbian sample of Zitmo on an offline phone and the same sample when the phone is registered to our OpenBTS-based jail. Without OpenBTS, there are quite a few details we could have missed, such as the use of UCS2 encoding for SMS messages…
– the Crypto Girl
Thank you to everyone who tried to solve our FortiChallenge 2k11!
We’ve had way more participants than expected, and two winners:
Shirley Chen
Nagy Ferenc László
Shirley and Nagy found the secret sentence, without even using the hints.
A special mention for another participant (StalkR) who tried to solve it in the wake of Insomni’Hack 2011, and managed to reach the md5 collision step.
Stay tuned for the official solution!
– the Reverse naM
Author bio: Working as a malware analyst and researcher for Fortinet's FortiGuard Global Security Research Team, Alexandre likes topics related to security and reverse engineering. He has a background in network protocols (CCNA certified).
It’s high time the Crypto Girl talks about Crypto, isn’t it?
A few days ago, I analyzed a malicious Opera Updater, named SymbOS/OpFake.A!tr.dial, and was surprised to discover it uses a 91-byte XOR key to conceal one of its configuration files. 91 bytes?! Yes, bytes, so 728 bits. This is quite a lot: AES only uses keys up to 256 bits, though I do not mean that AES would be less secure than this XOR. But it is a first for mobile malware, where we had only seen XOR used with a single-byte key. Have a look at the disassembled decryption routine below.
Actually, this is another confirmation of my talk at RSA Conference Europe, where I explained that 1-byte key XOR encryption is still very popular among malware authors but that they are gradually shifting to more complicated algorithms. Actually, I had meant algorithms such as AES ;) but a 91-byte key for XOR is another way of complicating things… Feel free to check my slides or the demo video below.
Fortunately, for SymbOS/OpFake.A!tr.dial, the key is provided at the beginning of the encrypted file: first the key length (0x5b = 91), then the key, then the ciphertext.
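As an added example (not code from the original post or from the malware itself), here is a small decoder for the file layout just described. It assumes the length field is a single byte and that the key is applied as a plain repeating XOR; the key and configuration text are constructed sample values.

```python
# Added example: decode a blob laid out as <key length: 1 byte><key><ciphertext>,
# as described for the SymbOS/OpFake.A!tr.dial configuration file.
# Assumptions (not confirmed by the post): the length field is one byte and the
# key is applied as a plain repeating XOR over the ciphertext.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i of data is XORed with key[i % len(key)].
    With a 1-byte key this degenerates to the classic single-byte XOR."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_opfake_config(blob: bytes) -> tuple:
    """Split the blob into key and ciphertext, then decrypt.
    Returns (key, plaintext); raises ValueError on a malformed blob."""
    if not blob:
        raise ValueError("empty blob")
    key_len = blob[0]                      # 0x5b == 91 in the sample analysed
    if key_len == 0:
        raise ValueError("zero-length key")
    if len(blob) < 1 + key_len:
        raise ValueError("truncated: key length %d but only %d bytes follow"
                         % (key_len, len(blob) - 1))
    key = blob[1:1 + key_len]
    ciphertext = blob[1 + key_len:]
    return key, xor_with_key(ciphertext, key)

def build_opfake_config(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of parse_opfake_config, used here only to build sample data."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + xor_with_key(plaintext, key)

# Constructed sample values: a deterministic 91-byte key and a made-up config.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(91))
SAMPLE_CONFIG = b"server=example.invalid\ninterval=3600\n"
SAMPLE_BLOB = build_opfake_config(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    key, plain = parse_opfake_config(SAMPLE_BLOB)
    print("key length byte: 0x%02x (%d bytes)" % (SAMPLE_BLOB[0], len(key)))
    print(plain.decode())
```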