Tag Archives: apps

Four trends that will change mobile in 2015

In the US, mobile web traffic has exceeded desktop web traffic for the first time. Mobile is fast becoming the most convenient and cost-effective way to get online, but what does the future hold for our smartphones?

Here are my predictions on how our mobile worlds will continue to evolve in 2015.


Apps will become the primary target for hackers

While the first generation of mobile threats mostly reused vectors and methods seen in the PC world, we are beginning to see new threats designed specifically to exploit mobile devices. The threat is not just malicious apps, but also legitimate apps that are vulnerable to attack.

Until now, the centralized software distribution model of the App Store and Google Play has helped protect our devices from malware. This was a lesson learned from the PC, where software distribution is not controlled and so malware is common. Apps on official stores are less likely to be malicious, but that does not mean they are free of vulnerabilities.

Hackers love to find vulnerabilities. Almost every piece of software has vulnerabilities waiting to be discovered, and mobile apps are no exception. Because official app stores make it difficult to upload malicious apps directly, attackers have instead begun hunting for vulnerable apps to exploit.

Vulnerable apps are not always removed from the app stores, and many have been left unmaintained by their developers, creating an opportunity for attackers to exploit them.


New threats will emerge

As a result I expect to see a rise in the discovery of mobile app vulnerabilities during 2015. Here are a few examples:

  • Voice activation – Voice-activated software is a standard feature on smartphones and is also appearing in smart TVs and other Internet-connected devices. However, many implementations are vulnerable to voice activation attacks because they do not authenticate the source of the voice: it could be you speaking, or equally it could be a synthesized voice played by an app. Yes, even a game can play a sound and send an email to your contacts on your behalf.

[Video: How Apps Could Hijack Google Now]


  • Mobile browsers – For the average user, browsers on mobile are hard to operate safely. Small screens mean you see only a fraction of the URL, making it easy to disguise a malicious one. Drive-by infections, well known to PC users, will soon reach mobile users as well. Not surprisingly, mobile browsers are also vulnerable to JavaScript exploits that an attacker can trigger remotely, which could mean streaming video to or from a device even while it is locked.
  • Radio-based threats (Wi-Fi, Bluetooth, NFC) – mobile devices are constantly transmitting over radio in order to connect and transfer data. Rogue access points and over-the-air sniffers can capture transmitted data, reply with malicious content, or even modify values in the data in transit.
  • Masque attacks and malicious profiles – because mobile users have less visibility into the files being downloaded to the device, the running processes and the settings, hackers will continue to exploit these limitations to mislead users into downloading and installing malicious files from outside the App Store. Apps on the official stores are also vulnerable, however, and I predict that the number of malware detections from recognized app stores will increase in 2015.
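The small-screen URL problem described above, as an added example that is not part of the original post: a Python script that shows what a narrow address bar would display versus the host the browser actually connects to, and a check that flags URLs naming a trusted brand in a subdomain, in the user-info part before "@", or in the path while the real host belongs to someone else. The display width, the brand list and the sample URLs are constructed assumptions.

```python
"""How a narrow mobile address bar hides the real destination of a URL.

Added example for this article (not the author's code). The display width,
the brand list and the sample URLs are constructed assumptions.
"""
from urllib.parse import urlsplit

# Assumption: a narrow mobile address bar shows only this many characters.
DISPLAY_WIDTH = 30

# Brands whose names an attacker would want the user to see in the bar.
TRUSTED_BRANDS = ("paypal.com", "google.com", "apple.com")

# Constructed sample URLs: the first is legitimate; the others place the brand
# name in a subdomain, in the userinfo part, or in the path, so the visible
# text still reads "paypal.com" while the real host is somewhere else.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.account-verify.example/login",
    "https://www.paypal.com@evil.example/signin",
    "https://login.example/www.paypal.com/signin",
]


def visible_part(url, width=DISPLAY_WIDTH):
    """The prefix a narrow address bar shows; longer URLs are cut off."""
    return url if len(url) <= width else url[:width] + "..."


def real_host(url):
    """The host the browser actually connects to: userinfo before '@' is not
    part of it, and the path is irrelevant."""
    return (urlsplit(url).hostname or "").lower()


def is_brand_host(host, brand):
    """True only when host is the brand's domain or one of its subdomains."""
    return host == brand or host.endswith("." + brand)


def impersonated_brand(url, brands=TRUSTED_BRANDS):
    """Return the brand name that appears somewhere in the URL while the real
    host does not belong to that brand, or None if nothing looks off."""
    host = real_host(url)
    lowered = url.lower()
    for brand in brands:
        if brand in lowered and not is_brand_host(host, brand):
            return brand
    return None


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        flag = impersonated_brand(url)
        print(f"{visible_part(url):<34} host={real_host(url):<40} "
              f"{'impersonates ' + flag if flag else 'ok'}")
```

The check deliberately looks at the whole URL rather than only the visible prefix: what the bar shows depends on the device, but a trusted brand name appearing anywhere outside the real host is suspicious regardless of width.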


Data will become more valuable and more threatened

Mobile devices are much more personal than our PCs ever could be. The data on them is much more intimate and is a much more rewarding target for hackers. In 2015, I expect data, especially that held on our mobile devices, to come under much greater scrutiny.

In particular, I foresee three threats to our data in the coming year:

  • Physical tracking – criminals or law enforcement can use location data stored on your phone to identify important places (such as home or work) and analyze behavior such as a daily route or absence from home.
  • Data stealing – on mobile, everything is transmitted through the air, which means data is vulnerable to interception in transit. Credentials, financial details, transactions and payments can all be captured and recorded by 3rd
  • Commercial tracking – mainly done by retailers to better understand the behavior of their visitors. Think online analytics, but for the physical world.


Payments will also go mobile

The public’s positive reception of Apple Pay heralded a new phase in consumer payments. Although Apple was not the first to introduce mobile payment, its offering came at a good time and the implementation seems practical and secure.

Because mobile payments are a new experience for consumers, I expect to see social engineering attacks in which hackers try to confuse and mislead users in order to steal credentials and personal data. This is likely to be the first phase of attacks. Once consumers are more familiar with the technology, attacks on vulnerable apps and even on the payment services themselves are expected to soar.

Mobile advertising firms spread malware by posing as official Google Play apps

As a malware analyst, I find new pieces of malware day in and day out. In fact, I see so many new malware samples that it’s difficult for me to determine which pieces would be really interesting for the public. Today, however, I found something that immediately caught my attention and that I thought would be interesting to share.

[Image: Mobilelinks]

The three URLs listed above are websites offering mobile monetizing kits: advertising kits that developers can embed in their mobile apps to earn money from advertisements. If a user clicks on one of the ads delivered by one of these providers, they may be led to a malicious subdomain.

The most visited of the three is Espabit. According to our statistics, Espabit’s servers get around 150,000 views a day, nearly all of them from mobile devices. That may not seem like much compared to the number of Android users in the world, but it is still a considerable number. Espabit is trying to position itself as a world leader in advertising, and its website may appear innocent, but first impressions can be deceiving.


[Image: Espabit website]

The most visited Espabit subdomain, with more than 400,000 views during the last few months, leads app users to pornographic sites via the ads displayed in their apps. The site displays a download offer for nasty apps (no pun intended) with malicious behavior.


The above is just one example of the malicious links; there are many more hosted on the same server. Most of the links lead to pornography or fake apps that all have one thing in common: they steal money from unsuspecting users.

How do they convince people to download their apps? By posing as official Google Play apps. The apps are designed to look like they come from the official Google Play Store, tricking people into trusting the source. Since Android by default blocks installation of apps from unknown sources, the sites offer manuals in several languages, including English, Spanish, German and French, explaining how to change Android’s settings so that apps from unknown sources, such as these malicious ones, can be installed. How considerate of them.


Now let’s take a deeper look at what the apps are capable of doing:

All of the “different” apps offered by the three sites are essentially the same: they can steal personal information and send premium SMS. So far we know of more than 40 of them stored on the websites’ servers. Most are stored under different links and, again, offered in different languages (they want everyone to be able to “enjoy” their apps). The goal behind all of them is the same: steal money.

[Screenshot: app code]


Some of the permissions the apps request when installed:

[Screenshot: app permissions]
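The permission set described above (SEND_SMS next to INTERNET, with personal-data permissions alongside) is the signature of this family, and it can be triaged automatically before any dynamic analysis. The following is an added example, not code from the Avast write-up: a Python script that parses an AndroidManifest.xml, flags the premium-SMS permission combination, and matches a file hash against the two SHA256 indicators published below. The two manifests are constructed samples; the high-priority SMS_RECEIVED receiver check and its threshold are an assumed heuristic for a trick commonly paired with premium-SMS fraud (hiding carrier billing replies), not something the write-up itself reports.

```python
"""Triage an Android manifest for the permission pattern of premium-SMS fraud.

Added example, not code from the Avast write-up. Both manifests are
constructed samples, and the scoring rules are assumed heuristics.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERM = "android.permission."
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: an SMS receiver priority this high is meant to beat the stock
# messaging app so the victim never sees carrier billing replies.
SUSPICIOUS_PRIORITY = 500

# Constructed manifest in the style of the apps described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sexyface">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Sexy Face">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: a game that only shows ads.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Game"/>
</manifest>
"""

# The two SHA256 hashes published in the write-up, usable as IOCs.
KNOWN_BAD_SHA256 = {
    "dbea83d04b6151a634b93289150ca1611d11f142ea3c17451454b25086ee0aef",
    "87ac7645f41744b722cefc204a6473fd68756d8b2731a4bf82ebaed03bcf3c9b",
}


def attr(el, name):
    """Read an android:-namespaced attribute, or '' if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name), "")


def permissions(manifest_xml):
    """All permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {attr(el, "name") for el in root.iter("uses-permission")}


def high_priority_sms_receivers(manifest_xml):
    """Names of receivers that grab SMS_RECEIVED with a suspicious priority."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {attr(a, "name") for a in flt.iter("action")}
            try:
                priority = int(attr(flt, "priority") or 0)
            except ValueError:
                priority = 0
            if SMS_RECEIVED in actions and priority >= SUSPICIOUS_PRIORITY:
                hits.append(attr(receiver, "name"))
    return hits


def premium_sms_indicators(manifest_xml):
    """Human-readable findings; an empty list means nothing matched."""
    perms = permissions(manifest_xml)
    findings = []
    if PERM + "SEND_SMS" in perms:
        findings.append("SEND_SMS: app can send texts, including premium-rate ones")
    if {PERM + "SEND_SMS", PERM + "INTERNET"} <= perms:
        findings.append("SEND_SMS+INTERNET: premium numbers can be fetched from a server")
    if {PERM + "SEND_SMS", PERM + "RECEIVE_SMS"} <= perms:
        findings.append("SEND_SMS+RECEIVE_SMS: app can read carrier confirmation replies")
    for name in high_priority_sms_receivers(manifest_xml):
        findings.append("%s: high-priority SMS receiver can hide billing replies" % name)
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_known_bad(apk_bytes, iocs=KNOWN_BAD_SHA256):
    """Hash match against the published IOCs (case-insensitive)."""
    return sha256_hex(apk_bytes) in {h.lower() for h in iocs}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, sorted(permissions(manifest)))
        for finding in premium_sms_indicators(manifest) or ["no indicators"]:
            print("  -", finding)
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool or aapt), but the permission logic is the same; hash matching catches only the exact samples listed, which is why the permission heuristic is the more useful of the two.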


Once you open the app, you are asked whether you are 18 or older (they are not only considerate enough to offer their product in various languages, they also have morals!).

[Screenshot: age confirmation prompt (1)]

[Screenshot: age confirmation prompt (2)]


After you tap “YES” you are asked to connect your device to the Internet. Once connected, your device automatically starts sending premium SMS, each costing $0.25 and sent three times a week. That is all the app does. The amount stolen per week may not seem like much, but that is probably deliberate: people may not notice a phone bill $3.00 higher than the month before, and if they do not realize the app is stealing from them and delete it, it can cost them $36.00 a year.

This malware is not unique in terms of technique. However, collectively the three websites get around 185,000 views daily, which is a lot considering there is malware stored on their servers. Not everyone is redirected to malware, but those who are get scammed. Given that the most visited malicious subdomain had around 400,000 views in the last quarter, a large number of those visitors were infected. These ad providers are making a nice sum of money, and not all of it comes from ad clicks and views.

Although many mobile carriers around the world block premium SMS, including major carriers in the U.S., Brazil and the UK, this case should not be taken lightly. These malware authors use social engineering to circumvent Google’s protections and target app users via ads. Think of how many apps you use that display ads, then think of all the valuable information stored on your phone that could be abused.

All malicious apps we found and described here are detected by Avast as:

Android:Erop-AG [Trj]
Android:Erop-AJ [Trj]
Android:Erop-AS [Trj]

Some of the SHA256 hashes:
DBEA83D04B6151A634B93289150CA1611D11F142EA3C17451454B25086EE0AEF
87AC7645F41744B722CEFC204A6473FD68756D8B2731A4BF82EBAED03BCF3C9B

Android scam: Firms fined over $500,000 for malicious apps’ hidden subscriptions

Three UK firms have been fined over $500,000 for a scam that involved Android apps signing up to a subscription service, and suppressing notifications informing the victim they were being charged, according to The Guardian.

The post Android scam: Firms fined over $500,000 for malicious apps’ hidden subscriptions appeared first on We Live Security.

Apps For Our Veterans

As we celebrate Veterans Day in the U.S. this November 11th, I’d like to honor our uniformed men and women, both those who have served and those who continue to do so. I am very proud of my own military service, and most veterans will tell you the same. If you are like many of us and have friends or family members who have served, here are five great apps and services to check out.


For Re-entry into Civilian Life

The U.S. Chamber of Commerce Foundation Hiring Our Heroes app, in partnership with Verizon, is a mobile one-stop shop developed to help veterans, transitioning service members, and military spouses searching for employment. The app gathers all of the program’s resources in one tool – enabling military members and their families to search for jobs and access free employment resources on virtually all mobile devices.

Militarylounge.com has an app called College Guide that provides a comprehensive list of universities that accept the G.I. Bill, a calculator of benefits, as well as a handbook of benefits that are available to vets and soldiers.  A major benefit to the military is the G.I. Bill, which, in its post-9/11 form, provides full tuition and fees for public, in-state schools, plus a monthly allowance for housing and an annual stipend for textbooks. Over 6,000 institutions participate in the Post 9/11 GI Bill Yellow Ribbon Program.


For Health

Many veterans understandably have trouble navigating the complicated world of the Veterans Administration. Claims Coach, developed by The American Legion, is designed to help the process. It provides step-by-step guidance to help service officers through the process of filing for VA benefits. The free app features a nationwide directory of accredited American Legion service officers, a built-in organizer for appointments, documents and deadlines, and a wealth of other resources. Additionally, a personal secure file called “My Checklist” keeps everything in order, from the initial meeting with a service officer through VA’s decision and appeal, if necessary.

Unfortunately, but understandably, many of our troops come back from service traumatized by what they experienced. PTSD Coach was designed for veterans and military service members who have, or may have, post-traumatic stress disorder (PTSD). This app was created by the VA’s National Center for PTSD in partnership with the Department of Defense’s National Center for Telehealth and Technology. It provides users with education about PTSD, opportunities to find support, and tools to help manage the stresses of everyday life with PTSD. You can download it here. It has been downloaded more than 100,000 times in 74 countries. Features include:

  • Information on PTSD and treatments that work
  • Tools for screening and tracking symptoms
  • Direct links to support and help
  • And, as a mobile app, it’s always just a click or phone call away.

As the VA points out: Any data created by the user of this app are only as secure as the phone/device itself. Use the security features on your device if you are concerned about the privacy of your information.


For Families

Scout Military Discounts LLC has just launched SCOUT, a military savings mobile application for both iOS and Android devices. The new, free mobile app is designed to provide all U.S. veterans, military members and their families a way to easily access military discounts and freebies from anywhere, at any time from their mobile phone or other mobile devices.

The SCOUT app is available for download from the Apple App Store and Google Play; use the search term SCOUT Military to find it. If you want to volunteer or get involved, go to scoutmilitarydiscounts.com. This looks like a great app to use during the holiday season!


For Those Still Serving

So much support for our troops comes from veterans, friends and families. You can’t beat Skype for keeping in touch with troops at home or abroad. Rules and regulations differ depending on where a soldier is stationed, but veterans can talk face to face with their overseas colleagues for practically nothing and, perhaps more importantly, spouses can keep in touch with loved ones who may be far away.

This Veterans Day, I want to wish all those who have served, and those who still serve, the gifts of safety, health and happiness. Thank you for your service.