Wednesday, 7 August 2013

Mobile Threat Monday: Smurfs 2, Black Hat, and Beyond

Android malware SW2
Just because practically the entire infosec community decamped to Las Vegas for the annual Black Hat security conference and DEF CON hacker jamboree last week does not mean we can stop worrying about malicious mobile apps.
From Black Hat
In fact, Android security was front and center at the conference as BlueBox Security CTO Jeff Forristal disclosed details of not one, but  multiple "master key" flaws in the Android operating system. A key takeaway to his talk was the fact that just telling users to turn off the ability to install apps from third-party sources is not practical.
"As far as Google is concerned, the Amazon App Store is a third-party marketplace," Forristal said. If your organization has its own app store to provide IT-approved apps, that is also a different source. Third-party sites aren't necessarily always dodgy forums or sites with pirated apps. This makes staying safe a bit more challenging: do we go all-Google or do we take the risk that dangerous Android apps can get installed from unknown sources?
Black Hat also brought to light the dangers of plugging your iPhone into a public charger. We normally focus on Android threats, but hey; the bad guys don't discriminate and neither do we. With a custom-built micro-computer, Georgia Institute of Technology researcher Billy Lau demonstrated how he could gain unprecedented access to a connected iPhone—perhaps one plugged into a charging station by a weary traveler.
While we ponder the bigger security issues of the past week, here are the apps flagged by BitDefender for August 5.
Drift Mania Championship 2 LE
This highly rated free racing game for Android was flagged for tracking your location while it was running. Free apps, particularly games, sometimes send information to ad networks in order to earn money for their developers. On its own, this is not malicious, but users should decide whether a free app is worth exposing their information.
The Smurfs 2 3D Live Wallpaper and Amazing Spider-Man 3D Live Wallpaper
We've talked about the dangers of Live Wallpapers before: these free, innocuous-seeming apps will sometimes harvest information from your phone and send them off to ad networks. In the case of the Smurfs 2 app, the app can access your location while it's running.
The Amazing Spiderman wallpaper on the other hand goes after your device's unique device identifier, which advertisers can use to monitor your activity across different apps. Bitdefender reports that this app uploads your Android ID, Device ID, or IMEI to data.flurry.com.
Bitdefender notes that neither the harvesting of location or device ID is necessary for the app to function. The choice is yours whether to accept this and download the apps, or look elsewhere.

No comments:

Post a Comment