For some time now we have been predicting that the next evolution in smartphone malware will be for this type of malware to move closer to parity with traditional desktop malware. This has now been confirmed by Trend Micro who have found a varient of Malware – ANDROIDOS_ANDROIDSERVERBOT.A apparently originating from China that masquerades as an e-book reader app. Once on an infected device this malware uses an internet Blog site as its Command and Control server, joining infected devices into an army of zombie smartphones:

Permissions requested by ANDROIDOS_ANSERVERBOT.A

Permissions requested by ANDROIDOS_ANSERVERBOT.A

“From our analysis, we found that this malware has two hardcoded C&C servers to which it connects in order to receive commands and to deliver payloads. The first server is just like the usual remote site to which the malware posts information to and gets commands from. The second C&C server, however, caught our attention more. This is a blog site with encrypted content, which based on our research, is the first time Android malware implemented this kind of technique to communicate.”

Image showing how ANDROIDOS_ANDROIDSERVERBOT.A uses tts C&C

http://ping.fm/iO5kq

In an additional element of parity, this Malware also has the capability to disable on device security software, terminating the following chinese security apps:

com.qihoo360.mobilesafe
com.tencent.qqpimsecure
com.ijinshan.mguard
com.lbe.security

Smartphones are full computing platforms. This latest threat evolution was entirely predictable yet in my view very little is being done at the consumer end or even at the telco end to protect against the impact this sort of infection could represent.

Just imagine an army of millions of infected phones all calling premium rate numbers or sending out spam emails….

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About Marc Rogers

Marc has been a hacker since the 80's and has worked in the security industry for almost 20 years. Some of Marc's professional highlights include a decade managing security in the operator Vodafone plc, and 5 years as working as the CSO for a real estate and asset management conglomerate in South Korea. Known as "Cyberjunky", "Cjunky" or just "CJ" in the hacker community Marc is the Head of Security and part of the CFP review board for DEF CON, the worlds largest hacker conference. After spending more than 15 years wrangling hackers, criminals and spooks Marc has seen it all. Sometimes several times at once. Professionally Marc uses his skills as a whitehat hacker and security evangelist to bring a positive outlook on security to today's global organizations. It's this outlook that Marc used when he helped put together the award winning BBC series "The Real Hustle". Today Marc works as the Principal Security Researcher for Lookout Mobile Security.

Category

Uncategorized