News  Android
SMS Worm


In a return to the old-school way of spreading smartphone viruses, the recently discovered Andr/SlfMite-A worm "merely" sends a link to a site via an SMS to the first 20 contacts on the handsets it infects. This has proven to be a tricky method to stamp out however, since a users contacts usually trust those in each others contacts lists and so tend to click the link instinctively. The target link then installs the same virus to the recipients handset, and so the whole process begins again.

It does more

The days when these kind of worms spread for fun and did nothing else are long gone. This one, once on an infected device, tries to install Mobogenie, which is an alternative to Google's Play Store. Whilst there may well be nothing wrong with Mobogenie, it is obviously a concern that a virus is attempting to get users to download apps from a non-Google trusted app store. This is how it appears when it arrives on a handset:


Full details...

News  Android
The Fake-id bug hits Android

Not fully checking security certificates

A long-standing defect in the Android certificate security system has been uncovered by BlueBox Labs. Google has confirmed a fix has already been applied, but concerns still exist over Android devices which live outside the Google mothership, and therefore won't be updated automatically. A Google spokesperson said "We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users."

Forgot to double-check

Present in Android versions 2.1 to 4.4, the origins of the bug actually begin with the Apache open source web communications code, which is used by Android for managing its security certificates. Put simply, what's been happening is that the system of "I trust who you trust" - i.e. the chain of trust relationships - has been failing to actually double-check those in the chain really are who they say they are. This is important because some apps are granted special privileges - for example, Adobe's flash player - which then gain access to areas not usually allowed even with the users permissions. These special apps just wouldn't work otherwise, such as in the Flash example which needs access to lower-level functions by its very nature. So, if an app could somehow switch the Adobe cert to a fake one but keep its id, Android wouldn't then "phone home" to check the cert is genuine and continue to grant it these elevated privileges. It's the "phone home" part which has now been fixed.

News  Android
New security system coming with Android L?

Hints from Google I/O at permission fixes

Along with the fanfare surrounding the UI makeover termed "material", this years Google I/O threw up some other interesting nuggets which needed the boffins over at XDA Developers to uncover properly. It seems there is code in the Android L preview which throws up a screen asking for "at-time-of-use" permissions, like iOS, as opposed to the "at -time-of-install" only ones we see today. The implementation is purely speculative - i.e. it could turn out to use both, for example - but the mere presence of such code is the smoking gun you'd see if such changes were coming.

Users benefit

The existing permission system Android uses hasn't changed much from the start. It asks the users what features of the handset they are willing to grant to the app at the point of install only. Granted, if a future upgrade changes the required permissions they are again prompted to provide them, but it's all seen as rather a kludge in that something the user agreed to some time ago now has "free reign" over their data without reminding them exactly what it's allowed to do.

News  General
Phone app password fraud hits financial institutions

Global financial targets

A report this week revealed over 30 financial institutions spread over 6 countries have been hit by sophisticated malware on their smartphones. The attack convinces its victims to reveal their account details and passwords to the bad guys, even though the institutions make use of 2-factor authentication mechanisms. This is achieved by the fall-back system the bank uses which involves an SMS being sent - and where SMS's are used, smartphones - and in particular smartphone virus apps working in conjunction with other attack vectors - can be too.


Trend Micro Inc.have dubbed the attack "emmental" with a wry nod to the famous swiss cheese. Suspected to originate in Romania, institutions in Austria, Sweden, Switzerland and Japan have all been attacked, with damages totalling several millions of dollars, said Trend Micro Chief Cybersecurity Officer Tom Kellermann. Suprisingly, there is a fairly low-tech aspect to part of the attack - an email is sent with an attachment which, when opened, secretly sets up the victims PC to visit fake versions of selected banks when they later use their browsers. Then, at this later point, they see what appears to be their real bank and supply their user credentials such as their account number and passwords. The bad guys then not only harvest these but also prompt them to download an app which is in fact a smartphone virus. Thinking it is legitimate since it seems to come from a trusted source, the users follow through with this and the perpetrators then have access to their smartphone details.

Full details...