
Mobile Malware


Epidemic on the way. A mobile malware epidemic could render phone networks useless within two to three years unless public awareness of the issue grows and network security experts take control out of the hands of hackers. If you're intelligent enough to be reading the Sciencetext blog, then it's unlikely that you're going to be taken in by an email phishing scam or be running a security-compromised web browser. You're never going to follow a suggestion in a Twitter direct message or run an unknown Facebook app, are you?

But what about your mobile devices? Malware on these is still relatively rare, but the novelty of the smart generation of devices also means that even the most clued-up user may be unaware of the perils and pitfalls. The first cellphone virus in the US was Cabir, way back in 2004. Martin's team has investigated how fast mobile malware can spread in a typical commercial/urban environment, such as Washington, DC. They have data from 2004 to the present and have extrapolated this to 2012. Juil C.

Taxonomies of Mobile Malware

Viruslist.com/en/images/vlpub. Mobile Malware Evolution: An Overview, Part 3. Introduction: The evolution of mobile malware all but stopped after the publication of our first two articles on the subject, which is why there has been an interval of nearly three years between articles. Mobile malware evolved rapidly during the first two years (2004 – 2006) of its existence. During this period, a wide range of malicious programs targeting mobile phones appeared, and these programs were very similar to malware which targeted computers: viruses, worms, and Trojans, the latter including spyware, backdoors, and adware. This threat landscape created conditions which could have been used for an all-out attack on smartphone users. However, no such attack occurred. Microsoft was the first to strike a competitive blow with its Windows Mobile platform. RIM has also strengthened its market position considerably as its Blackberry device (which runs a proprietary operating system) has become very popular in the USA.

This article discusses the results of this approach. What's new? Payload. SpyPhone app harvests personal data from stock iPhones | Zero Da. Over on Threatpost.com, Dennis Fisher has the skinny on a new iPhone app that is capable of harvesting huge amounts of personal data from stock iPhones, including geolocation data, passwords, address book entries and email account information, all using only the public API. The app, called SpyPhone, is the handiwork of Nicolas Seriot, a Swiss iPhone app developer who found a way to abuse the public iPhone API that Apple makes available to application developers.

Fisher reports that SpyPhone does not need any exploits or hardware attacks in order to access the iPhone's data. Instead, SpyPhone relies on using the iPhone's usability and depth of features to its advantage: once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone's developer, Nicolas Seriot, exploited. The developer has posted the source code for SpyPhone online and gave a talk about SpyPhone's capabilities at a security conference this week. Zeus crimeware using Amazon's EC2 as command and control server.

UPDATED: ScanSafe posted an update stating that "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws, 45 of which were in 2009, 13 in 2008, and 22 in 2007." Security researchers have intercepted a new variant of the Zeus crimeware, which is using Amazon's EC2 services for command and control of the botnet. The cybercriminals appear to be using Amazon's RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would otherwise result in the complete loss of access to the compromised financial data obtained from the infected hosts. Will 2010 be the year when crimeware dives deep into the cloud, in an attempt to undermine the security industry's takedown operations?

With the clear migration towards the abuse of legitimate infrastructure we observed throughout 2009, this may well be the case. Trojan.Whitewell: What's your (bot) Facebook Status Today? | Sym. Sure, we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word "coordinator" because the Trojan only receives some configuration data from its Facebook account; the actual command execution and data reporting is done through a third-party Web server. The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab.

The distribution technique is pretty simple: they send documents (PDF or MS Office formats) containing exploits for known vulnerabilities.

Image 1: This is the only note present in the Facebook account contacted by the Trojan.

Image 2: The email account used to create the Facebook account.

Fortinet Investigates a New SMS Mobile Worm: Yxes.A.

The FortiGuard Global Security Research Team has investigated the case of a new mobile worm with a novel propagation strategy that leverages SMS messages and Internet access. This new worm, named SymbOS/Yxes.A!Worm (also known as "Sexy View"), targets mobile devices running SymbianOS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices, as it has been reported to function on phones running SymbianOS S60 3rd Edition FP1 (e.g. Nokia N73). It bears a valid certificate signed by Symbian, and installs as a valid application on factory mobile devices running S60 3rd Edition. It gathers phone numbers from the infected device's file system and repeatedly attempts to send SMS messages to those numbers.

The messages carry a malicious Web address (URL); upon "clicking" the address in the received message, the recipient downloads a copy of the worm (provided their phone and subscription allow Internet browsing).