In-brief: organizations need to better understand mobile risks if they want to protect critical data, writes Aaron Cockerill of the firm Lookout.
In-brief: Lookout said it identified an active threat that was using three critical iOS zero-day (that is: previously unknown) vulnerabilities. When exploited, the three vulnerabilities “form an attack chain that subverts even Apple’s strong security environment.”
The folks over at Lookout Security have an interesting blog piece on “DeathRing,” a Chinese Trojan that comes pre-installed on a number of smartphones most popular in Asian and African countries. According to the bulletin, the Trojan masquerades as a ringtone app, but downloads an SMS and WAP (or “wireless access protocol” ) content from a command and control server to the victim’s phone once it is installed. That downloaded content can be used for various malicious, money-making schemes, according to Lookout. For example, DeathRing can use the SMS content to send phishing text messages to the phone to elicit sensitive information from the user. The WAP content to manipulate a mobile user’s web browsing session. For example: the attackers might prompt victims to download additional mobile applications or add-ons, potentially extending their reach over the victim’s device and data. [Read more Security Ledger coverage of supply chain risks.] Lookout […]
A security researcher claims to have uncovered a flaw in the Android security model that leaves almost all devices running the mobile operating system vulnerable to attacks and malicious software. Jeff Forristal, the Chief Technology Officer at Bluebox Security posted a description of the flaw on Wednesday. It affects Android devices running any version of the OS released in the past four years, starting with Version 1.6 (codename: “Donut” ) – a population of nearly 900 million devices. Discrepancies in how Android applications are cryptographically signed and then verified by Android allow a malicious attacker to modify the application package file (or APK) code without breaking the cryptographic signature. The implications of the flaw are huge. A malicious application installed on a vulnerable Android device could access any data stored on the device. For applications, such as mobile virtual private network (VPN), an attacker who could alter the application’s code or […]
Editor’s Note: Updated to add comments from Lookout Mobile Security. – PFR 6/10/2013 When reports surfaced about “BadNews,” a new family of mobile malware that affected Google Android devices the news sounded…well…bad. BadNews was described as a new kind of mobile malware for the Android platform-one that harness mobile ad networks to push out malicious links, harvest information on compromised devices and more. Now, six weeks later, a senior member of Google’s Android security team claims that BadNews wasn’t really all that bad, after all. Speaking at an event in Washington D.C. sponsored by the Federal Trade Commission, Google employee and Android team member Adrian Ludwig threw cold water on reports linking BadNews to sites that installed malicious programs. The search giant, he said, had not found any evidence linking BadNews to so-called SMS “toll fraud” malware. “We’ve observed the app(lication) and we’ve reviewed all the logs we have access […]