Android Trojan Capable of Launching DDOS Attacks from your Smartphone

Security researchers from Russian firm Doctor Web have come across a new Android Trojan they call Android.DDoS.1.origin. The piece of malware can be used for various malicious tasks, including to launch distributed denial-of-service (DDOS) attacks and to send SMS messages.

For the time being, it’s uncertain how the Trojan is distributed, but experts believe the cybercriminals might be disguising it as a legitimate Android application.

Once it’s installed on a smartphone, the malware creates a fake Google Play icon on the desktop. When executed, this shortcut opens the real Google Play in order to avoid raising any suspicion.

After being executed, the Trojan connects to a remote server, sends it the victim’s phone number, and waits for further SMS commands.

The masterminds of Android.DDoS.1.origin can send various SMS commands. One of them orders the infected device to start sending out packets to a certain server, basically launching a DDOS attack against it.

While this only affects the phone’s performance, there are other activities that can be done by this threat. For instance, the cybercriminals can order the device to start sending out SMS messages to certain numbers.

These SMSs can be used to sign up the victim for premium mobile services or they can be utilized to send out spam.

Messages can also be sent to premium rate numbers, inflating the victim’s phone bill and implicitly filling the fraudsters’ pockets.

“Activities of the Trojan can lower performance of the infected handset and affect the well-being of its owner, as access to the Internet and SMS are chargeable services. Should the device send messages to premium numbers, malicious activities will cost the user even more,” experts noted.

Doctor Web has updated its products to ensure that its customers are protected against this threat.

Android Malware Now Exploits Steganography

Summary: Malware makers are turning to quite sophisticated tricks to disguise the true purpose of rogue applications.

Security firm F-Secure have released details on how Android malware makes use of steganography to hide the control parameters for rogue code.

First, what is steganography? It’s the technique of hiding messages within something else, in this case, an icon file.

F-Secure first suspected that Android malware was making use of steganography when researchers came across this line of code:

Further digging revealed more code, and it soon became clear that the image file being referenced here was the icon file bundled with the rogue application:

So what’s this hidden information used for? It’s used to control how and when premium rate SMS messages are sent from the victim’s handset, which, as far as the bad guys are concerned, is the primary purpose of the rogue application.

You’ve got to admit, that’s a pretty clever use of steganography.

Android Bug Allows Hackers to Install Malicious Code Without Warning

It's been more than a month since researchers reported two serious security vulnerabilities in Android, but so far there's no indication when they will be purged from the Google-spawned operating system that's the world's most popular smartphone platform.

The first flaw allows apps to be installed without prompting users for permission. The permission-escalation vulnerability permits attackers to surreptitiously install malware in much the way a proof-of-concept exploit researcher Jon Oberheide published last year did. In that case, an app he planted in the Android Market and disguised as an expansion pack for the Angry Birds game secretly installed three additional apps that without warning monitored a phone's contacts, location information and text messages so data could transmitted to a remote server.

“The Android Market ecosystem continues to be a ripe area for bugs,” Oberheide wrote in an email. “There are some complex interactions between the device and Google's Market servers which has only been made more complex and dangerous by the Android Web Market.”

The second bug resides in the Linux kernel where Android originates and makes it possible for installed apps with limited privileges to gain full control over the device. The vulnerability is contained in code device manufacturer have put into some of Android's most popular handsets, including the Nexus S. The bug undermines the security model Google developers created to contain the damage any one application can do to the overall phone.

Oberheide and fellow researcher Zach Lanier plan to speak more about the vulnerabilities at a two-day training course at the SOURCE conference in Barcelona in November. In the meantime, they put together a brief video showing their exploits in action.



One of the hopes for Android a few years back was that it would be a viable alternative to Apple's iOS, both in terms of features and security. With the passage of time, the error of that view is becoming harder to ignore. And if i'm not wrong, Google developers have updated Android just 16 times since the OS debuted in September 2008. The number of iOS updates over the same period is 29.

It's a far cry from the approach Google takes with its Chrome browser, which is updated frequently, and has been known to release fixes for the Flash Player before they're even released by Adobe.

Even more telling, when a new version of iOS is released, it's available almost immediately to any iPhone user with the hardware to support the upgrade. Android users, by contrast, often wait years for their phone carriers to supply updates that fix code execution vulnerabilities and other serious flaws.

Owners of the Motorola Droid, for instance, are stuck running Android 2.2.2 even though that version was released in May 2010 and contains a variety of known bugs that allow attackers to steal confidential data and remotely execute code on handsets the run the outdated version.

Oberheide has more here.

Android Malware Posing as Google+ app

A new flavor of Android malware is disguising itself as a Google+ app in an attempt to capture instant messages, GPS, location, call logs, and other sensitive data.

Uncovered by the team at Trend Micro, the new malware known as ANDROIDOS_NICKISPY.C can also automatically answer and record phone calls. To capture data, the app loads at boot-up and runs certain services that can monitor messages, phone calls, and the user's location, thereby stealing e-mail and other content.

Detailing its findings in a blog Friday, Trend Micro said it discovered that the malicious app tries to trick people by installing itself under the name Google++.

But instead of providing access to Google's new social network, the app sends its stolen user data to a remote site where presumably cybercriminals can grab it. Unlike some malware in the past that masqueraded as legitimate apps through Google's Android Market, this particular one must be downloaded by an unsuspecting user from a malicious Web site and then manually installed.

And even if installed, the app can be uninstalled from an Android device by selecting Settings > Application > Manage applications, choosing Google++ and then clicking Uninstall, according to Trend Micro.

Trend Micro gives the app a low-risk rating, but it's still something that Android owners should be sure to avoid.

Android users concerned about security can learn how to better protect themselves through Trend Micro's online guide "5 Simple Steps to Secure Your Android-Based Smartphones."

How to Keep Malware Off Your Android Phone

Although some of these apps might look suspicious, others bearing names such as "Quick Notes" or "Chess" seem innocent enough, and you might not think twice about downloading them.

Tips for a Malware-Free Smartphone

Following are five quick tips to help you keep your Android handset free of malware.

1. Always research the publisher of the app. What other apps does it offer? Do any of them look a bit shady? If so, you should probably stay away.
2. Read online reviews. Android Market reviews may not always be truthful. Check around to see what reputable Websites are saying about the app before you hit the download button.
3. Always check app permissions. Whenever you download or update an app, you get a list of permissions for it. An alarm clock app, for instance, probably shouldn't need to look through your contacts. The general rule of thumb: If an app is asking for more than what it needs to do its job, you should skip it. 
4. Avoid directly installing Android Package files (APKs). When Angry Birds first came to Android, you could get it only through a third party. This is called "sideloading," or installing apps using an .APK file. Although Angry Birds wasn't malware, in general it is highly advisable not to download and install .APK files that you randomly come across. Most of the time you won't know what the file contains until you install it--and by then it's too late.
5. Put a malware and antivirus scanner on your phone. Although many people still think that antivirus scanners on phones are useless, maybe outbreaks such as this one will change minds. Several different big-name security companies already offer mobile-security options, many of them free. I myself had downloaded "Spider Man," which is on a bad-apps list. My Lookout software identified it as a Trojan horse.

Infected-Apps List Published by Android User 'Myournet'

• Advanced Currency Converter
• App Uninstaller
• Chess
• Dice Roller
• Falling Ball Dodge
• Falling Down
• Funny Paint
• Hilton Sex Sound
• Hot Sexy Videos
• Photo Editor
• Scientific Calculator
• Screaming Sexy Japanese Girls
• Spider Man
• Super Guitar Solo
• Super History Eraser
• Super Ringtone Maker
• Super Sex Positions

Infected-Apps List Published by Android User 'Kingmall2010'

Advanced App to SD
Advanced Barcode Scanner
Advanced Compass Leveler
Advanced File Manager
Best password safe
Bowling Time
Magic Strobe Light
Music Box
Sexy Girls: Japanese
Sexy Legs
Super Stopwatch & Timer
Supre Bluetooth Transfer
Task Killer Pro

Infected-Apps List Compiled Under the Developer Name 'we20090202'

• Advanced Sound Manager
• Basketball Shot Now
• Bubble Shoot
• Color Blindness Test
• Finger Race
• Funny Face
• Magic Hypnotic Spiral
• Omok Five in a Row
• Piano
• Quick Delete Contacts
• Quick Notes
• Super Sexy Ringtones
• Tie a Tie

Also on the lists are the foreign-language apps shown at left.

Lookout Mobile Security, which provides security software for mobile phones, posted on its blog a list of 56 Android applications that have been infected with DroidDream, a new type of Android malware that roots your phone and gains access to as much personal information as it can. The apps also can open a backdoor, allowing more executable code to download to your phone without your being aware of it.

A few of these apps have already been downloaded by at least 50,000 users, making this one of the most widespread cases of Android malware to date. Although the apps in question have been pulled from the Android Market, Google is investigating them and has not yet moved to wipe them remotely from users' phones.

Lookout has issued an update to its mobile security software. If you have downloaded any of these apps, the company advises that you run its malware scanner and e-mail the Lookout support center. Mashable (also posted a list of infected apps complied by Myournet) suggests returning your phone to your carrier, as your data and security may be compromised.

With more and more malware emerging for the Android platform every day, users would do well to be careful and pay strict attention to what happens on their phones. You have to remember that smartphones are essentially computers--and all computers are vulnerable to attack by malicious software.

Credit: PC World