The U of Manitoba is distributing Kaspersky AntiVirus software for university owned machines (both Windows and OS X: more info at: http://umanitoba.ca/computing/ist/security/kaspersky-antivirus.html)

Kaspersky Lab is a privately held, world-wide (North and South America; Western Europe; Eastern Europe, the Middle East and Africa; the Asia-Pacific region; and Japan) anti-malware company with headquarters in Moscow, Russia. Founded in 1997, Kaspersky Lab claims over 2,000 employees working on software protecting over 300 million users around the globe.

Kaspersky Lab's in-house magazine - entitled Secureview - is written by Kaspersky Lab's analysts, journalists, and industry specialists from many different companies. The magazine is designed to appeal to IT and security specialists, technical managers and anyone with an interest in computer security. (Subscriptions at: http://www.secureviewmag.com/subscriptions)

This month's issue of Secureview contains an article entitled "IT Threat Evolution for Q1-2011". That article - at the end of this message - contains an overview of the exploits that were released with the opening of one online application store for mobile devices.

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - 

(NOTE: ...from: http://developer.apple.com/appstore/guidelines.html

Apple's App Store Review Guidelines
The app approval process [in Apple's App Stores] is in place to ensure that applications are reliable, perform as expected, and are free of explicit and offensive material. We review every app on the App Store based on a set of technical, content, and design criteria. These review criteria are now available to you in the App Store Review Guidelines. These guidelines are designed to help [developers] prepare iOS and Mac OS X apps for the approval process.)

= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - 


...from:
http://www.securelist.com/en/analysis/204792176/IT_Threat_Evolution_for_Q1_2011#17

Now in a store near you – mobile Trojans!

We start with malware for the Android OS uploaded to the Android Market by cybercriminals. The malicious applications, over fifty of which have been detected, were infected with Trojans and repacked as legitimate programs. The attackers were after mobile phone data, including IMEI and IMSI numbers. The Trojans also included a module that could install additional malicious components on devices without users being aware. This involved gaining full control of the phone by ‘jailbreaking’ it, a process that circumvents protection to provide full access to the file system. In order to gain root privileges, which provide virtually limitless possibilities for manipulating the system, the malware leveraged Android OS vulnerabilities using popular ‘rage against the cage’ exploits, which were distributed in the same package as the Trojans.

It was lucky for users who had Kaspersky Mobile Security 9 installed on their devices that these exploits were used. The Trojans were new and had not been included in antivirus databases, while the exploits bundled with them were successfully detected. Until signatures were created for the Trojans, KMS 9 proactively detected the whole bundle as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j. Since adding the Trojans to our antivirus databases, we have detected them as Backdoor.AndroidOS.Rooter. It should be noted that they are also called DroidDream in other antivirus vendors’ classifications.
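The proactive detection described above worked because the rooting exploit shipped as a native binary inside the repackaged application, and that binary was already known even though the Trojan wrapper was not. The following is an added example (not Kaspersky's code, and not from the Securelist article) of the kind of static heuristic a defender can run over an APK before it is installed: since an APK is a zip archive, it scans every entry outside the normal `lib/` directory for the ELF magic bytes, which is where a legitimate Android app would not normally carry a native executable. The two sample APKs are constructed in memory so the example runs offline; the entry names, including `assets/native_payload`, are invented for the example and are not the names used by the real malware.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable or shared object


def find_native_executables(apk_bytes, allowed_prefixes=("lib/",)):
    """Return the names of zip entries that start with the ELF magic and do not
    live under an allowed prefix.  JNI libraries legitimately sit under lib/,
    so a native binary anywhere else (assets/, res/raw/, the archive root) is
    the kind of bundled payload an AV engine would want to look at first.
    The heuristic is content-based, so renaming the file does not hide it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith(allowed_prefixes):
                continue
            with zf.open(info) as entry:
                head = entry.read(len(ELF_MAGIC))
            if head == ELF_MAGIC:
                findings.append(info.filename)
    return findings


def classify_apk(apk_bytes):
    """Return a short verdict string for the package (example policy, not a
    vendor's detection name): 'suspicious: bundled native binary' when an ELF
    file is found outside lib/, otherwise 'no bundled native binary found'."""
    hits = find_native_executables(apk_bytes)
    if hits:
        return "suspicious: bundled native binary (" + ", ".join(hits) + ")"
    return "no bundled native binary found"


def _build_apk(entries):
    """Constructed helper: build an APK-shaped zip archive in memory from a
    mapping of entry name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_clean_apk():
    """Constructed sample: an ordinary app with a JNI library under lib/."""
    return _build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
        "lib/armeabi/libhelper.so": ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16,
        "assets/strings.txt": b"hello",
    })


def build_repacked_apk():
    """Constructed sample: the same app repackaged with a native executable
    dropped into assets/, the pattern the article describes."""
    return _build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
        "lib/armeabi/libhelper.so": ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16,
        "assets/strings.txt": b"hello",
        "assets/native_payload": ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16,
    })


if __name__ == "__main__":
    print("clean:    ", classify_apk(build_clean_apk()))
    print("repacked: ", classify_apk(build_repacked_apk()))
```

The check deliberately ignores the file name and extension and looks only at content, so it still fires when a payload is renamed to look like a text or image asset. It does not attempt to identify which exploit the binary is; it only surfaces that a package carries a native executable where one does not belong, which is the trigger for deeper analysis or for blocking the install.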

This situation gives rise to two questions:

  1. Is it difficult for cybercriminals to get an Android Market Developer account? Sadly, it is very easy. All a user has to do to get an account is pay US $25. Clearly, Google wants to attract as many developers to its operating system as possible. However, $25 is not nearly enough of a barrier to entry and cybercriminals can afford to create dozens of such accounts. This could result in an endless loop, with Google shutting down accounts used to distribute malware and cybercriminals creating new ones without any problems.
  2. Can more stringent controls be enforced over applications offered on the Android Market? The primary problem is the resources available for this task. Checking all the code in apps available via Android Market, App Store, Samsung Market, plus others, is a difficult task because it is almost impossible to automate. This means that in future we will inevitably face an increase in the amount of malware-infected software in the various app stores.

As mentioned above, the malware detected on Android Market exploited vulnerabilities. Note that vulnerabilities affected devices with Android versions earlier than 2.3 ‘Gingerbread’, which was released on 6 December, 2010. According to Google, three months after its release the number of systems running the new version of the OS was only 2%. It is obvious that users are not in any hurry to upgrade their systems. The main reason for this lack of inertia is that device manufacturers make significant modifications to their operating systems before installing them on mobile devices. After this, upgrading the OS may become impossible or wholly dependent upon the manufacturer’s involvement.

This means that installing patches then becomes manufacturer-dependent and so they share the responsibility for the security of mobile devices. However, they often have no interest in supporting and updating software on existing devices. Since smartphone models become outdated very quickly, updating software on devices that are in effect obsolete results in additional costs with no obvious way to recoup them. All users can hope for is that device manufacturers will take appropriate measures and make it possible to install updates on their devices. Is it possible to seriously discuss security in circumstances such as these?

Importantly, Google can remotely install / remove applications on / from any Android device. This ought to be very helpful when it comes to neutralizing malware on phones which are already infected. However, the incident with Trojans on Android Market has demonstrated several weaknesses in the system.

Firstly, once they got administrator privileges, Trojans made themselves at home on the smartphones and could only be removed by an application that had the same administrator privileges. Google had to release a dedicated program that had such privileges in order to remove these Trojans from infected devices.

Secondly, as cybercriminals further develop mobile malware, they may implement technologies that allow Trojans to disable this remote administration mechanism, a process similar to disabling the Windows Update functionality on PCs.

Thirdly, the current system involves removing Trojans from infected phones, but not the prevention of infections. However, if a Trojan is used by attackers to steal money or important data, its removal will not undo the damage.

Overall, the situation with the Android OS is becoming similar to the current situation with Windows:

Since 2007, the number of new antivirus database records for mobile malware has virtually doubled every year.

[Figure: The number of new mobile malware signatures added to antivirus databases]

Based on our statistics for the first quarter of this year, it can be safely predicted that the number of malicious programs for mobile devices detected in 2011 will be more than double that of 2010.

The situation with mobile malware is particularly disturbing because large amounts of important data are already stored on mobile devices and smartphones are likely to be widely adopted as mobile wallets in the near future. In addition, since employees are increasingly using their personal mobile devices for work-related purposes, so-called consumerization, data leaks from individual smartphones are turning into a real headache for their employers.