Blog archives

Your own personal cell tower

Filed Under: Tech
Monday, April 12th, 2010

Maybe I’m just lucky, but somehow I’ve always managed to have decent cell phone coverage at home.  Wireless carriers work hard to provide good coverage, but the nature of wireless communications makes that a very difficult task.  Over the years, I’ve had many conversations with people who complain that their cell phone works great when they’re out and about, but when they return home, they’re greeted with poor coverage.

For years now, the carriers have been installing equipment that I’ve always called “micro cells” into large commercial buildings, due to the fact that the frequencies used for mobile phones aren’t great at penetrating building materials like steel and concrete.  These micro cells are essentially small indoor cell towers, and help to improve signal strength inside of the building.

Fairly recently, carriers have been offering a device called a “Femtocell” that their customers can install in their homes.  The devices are about the same size as a cable modem or router, and act as a personal cell tower.  Calls are routed back to the wireless carrier over the user’s home broadband connection.

Unfortunately, these femtocell devices have been aimed at improving voice coverage and not data coverage.  Luckily, that may be changing!  I came across an article on Wired today that speculates (based upon documents filed with the FCC) that Sprint is readying a femtocell that will provide 3G data service in addition to voice coverage to users on their network.  If it’s true, this could be great for smartphone users who live in poor coverage areas.



MMS Bomber Attacks China

Filed Under: Blog, Mobile Threats
Monday, April 5th, 2010

Over the Easter weekend, there were stories coming out of China about a ‘virus’ called ‘MMS Bomber’ that was running rampant through Chinese smartphones.  Conservative estimates put the number of infected devices at hundreds of thousands, possibly more than a million, all affected by a virus that appeared to be spreading over MMS.

Proper analysis of the malware in question revealed that a multitude of Chinese users had been affected by a new variant, Yxe.e, of the Worm.SymbOS.Yxe family of worms.  The Yxe worm is widely known to be the very first malicious program that was able to infect Symbian S60 3rd Edition devices that also had a valid digital signature.  Yxe.e’s predecessors (Yxe.a – Yxe.d) had the following functionality:

  • Spread via SMS messages which contained a link to the worm
  • Used social engineering in order to trick victims
  • Harvested data about the smartphone from the device
  • Sent the harvested data to a cybercriminal server
  • Attempted to terminate third party applications designed for working with the smartphone’s file system or with active applications

Yxe.e adds in the following additional capabilities:

  • Sends MMS messages containing a link to itself, and, attached, a black and white skull and crossbones image (Skuller, a Trojan which first appeared in 2004, also used a skull and crossbones)
  • Connects to a Chinese social networking site
  • Downloads files
  • Blocks the smartphone’s Software Manager, making it more difficult to delete the malware

The Yxe.e worm currently spreads via MMS, using social engineering to trick the user into following a link to a website that lets them download and install the malicious program. Once the malicious application is installed on the victim’s device, Yxe.e automatically begins harvesting information about the device and sends it, via SMS, to a server controlled by criminals. Yxe.e will then attempt to stop several processes on the Symbian device that could help the victim identify its malicious nature or uninstall the malicious application. In an attempt to propagate itself, Yxe.e will then begin crafting and sending MMS messages, containing the URL to download the malicious application, to phone numbers in the device address book, all at a cost to the user of the infected device. Yxe.e is also known to attempt to connect to, and spread itself via, a Chinese social networking site.

It is believed that infections of the Yxe.e worm have been limited to devices operating within China. Symbian devices make up the largest percentage of smartphone devices in use outside of the U.S. However, Symbian devices make up merely a fraction of the market share of smartphones in the U.S. and North America.

As is the case with every malware threat that affects BlackBerry, iPhone and Android devices, the Yxe.e worm requires that the user manually install the malicious program, albeit under false pretenses. SMobile Security Shield currently provides detection and removal of this Symbian threat.



What’s with the G’s?

Filed Under: Tech
Monday, March 29th, 2010

For a few years now, you’ve heard the term “3G” used to describe data services on cellular networks. Now, all of a sudden, there is a new term showing up. Ads on TV, in magazines and newspapers, web sites, billboards, and anywhere else you can imagine are starting to feature new “4G” service from Sprint.

You may find yourself wondering “Do we really need an additional G? What is ‘G’ and why do I need four of them? Are the other carriers going to roll out an extra G for their customers too?”

First and foremost, “G” stands for “Generation”. The first generation cellular technology was the original analog cell phone system that became popular in the 80’s and early 90’s. The second generation transitioned us from analog to digital cell phone service in the late 90’s. The third generation, or “3G” technology added support for higher data speeds that have enabled the rich mobile experience we have grown accustomed to on our smart phones.

Quite simply, “4G” refers to the fourth generation cellular network technology that is optimized for high speed internet traffic. I know, this is an extreme simplification, but I don’t want to get hung up on the formal technical definition of 4G as set forth by the ITU. For the overwhelming majority of cell phone users, this is a good enough working definition to understand what the carriers are talking about.

Sprint is rolling out a 4G technology called WiMax on their network. This network upgrade will allow new devices to connect to the internet at speeds up to 20 Mbps. What this really means is that WiMax will allow mobile connections at speeds comparable to, or faster than many people’s home internet connections.

Sprint won’t be the only wireless carrier in the US to offer 4G service. AT&T, Verizon Wireless, and Tmobile are also planning to roll their own 4G network upgrades. The catch though, is that AT&T, Verizon, and Tmobile are planning to roll out a different 4G technology called LTE. LTE offers theoretical speeds of 56 Mbps, but real world connections will probably not reach this limit.

At this time, Sprint has a head start. They have already rolled out WiMax in a handful of markets around the US, and will expand their service throughout 2010. Verizon Wireless will be rolling out LTE starting this year, and plans to finish upgrading their network by 2013. AT&T plans to start rolling out LTE on their network in 2011. T-Mobile plans to launch their LTE network in 2011.



Study of Android Malware in the Market

Filed Under: Mobile Threats, Security
Monday, March 29th, 2010

The SMobile Global Threat Center (GTC) has released a study of malicious applications that currently exist in the Android Market. This study attempts to identify applications that are available for download that either market themselves as spyware, or have the ability to be used as a spying application against an unaware user. SMobile identifies and categorizes malicious applications that could enable illegal spying based upon the fact that the application lends the ability to hide itself from detection from a user. According to information security managers around the world, spyware represents the greatest threat to intellectual property or proprietary information manipulated on mobile devices. Law enforcement officials have stated that spyware could lead to identity theft, loss of sensitive, personal or financial information, and is often used to illegally track the movements and communications of consumers.

To continue reading, download the full report:

Android Malware in the Market



iPhone Compromised, I Mean “Hacked”

Filed Under: Mobile Security, Security
Friday, March 26th, 2010

The world awoke this morning to the news that the iPhone had been hacked.  Besides the fact that I hate the term “hacked”…it is used, incorrectly, ad nauseam.  But, I digress.  The annual Pwn2Own contest is one of the central focuses of the CanSecWest conference that is currently underway.  Up for grabs is a prize purse of $100,000, tempting hackers to pull out their tools and tricks to come up with the latest and greatest attacks against the world’s most popular electronic devices.

This conference is just one of a few places during the year where you’ll find some of the best and brightest minds, where it pertains to technology, all in the same room.  Many of these individuals should be considered reputable security researchers that, while working tirelessly to undermine security mechanisms, do so in responsible ways that disclose their findings to the vendors before releasing them to the public.  Some of the participants are not quite as responsible.  Nevertheless, each and every participant of the Pwn2Own competition has likely worked months and months to uncover tiny little vulnerabilities that they may be able to leverage in front of the CanSecWest crowds in their bids to win the cash and notoriety.

The same story holds true for these two young fellows that “hacked” the iPhone in under 20 seconds.  What I would assume to be months and months of fuzzing, testing, sniffing, scripting, exploiting, then likely scrapping it all and starting over, led to the finding of a browser vulnerability in the iPhone that allowed them to jump outside of the browser’s application “sandbox” and access data that they shouldn’t otherwise be able to access.

I can already hear the moaning and sniffling from my iPhone-using friends.  I’ve also already heard too many say that this attack is more theoretical than practical, because it still requires user intervention to be successful (check out some of the comments from the first link I provided).   That’s fine.  I understand where it comes from.  However, if someone were to ask me if I was surprised by this finding, I would say, definitively; “NO!”

Of course I’m not surprised that a browser exploit was successful and that it allowed the attacker to gain access to sensitive information.  This happens each and every single day in the PC world.  It has also already happened to BlackBerry, Android, Symbian and every other browser that has ever been used to access the Internet.  Browser exploits will always be a viable attack vector, as long as users continue to accept and follow unsolicited links.

In my opinion, the real problem for Apple and the iPhone is the fact that this particular browser exploit allowed the attackers to break out of the “application sandbox”, where they were able to then access and upload data from other areas of the device.  In this particular instance, once the attackers pointed the iPhone browser to their specially crafted web site, the attack forwards the contents of “the local SMS database of the phone to the server we control”.  The purpose of the “application sandbox” is to explicitly restrict one application from accessing data and resources that belong to another application without first requesting permission to do so, in the form of an API (application programming interface).

The other interesting piece of information that came out of this finding was that when the local SMS database had been obtained, SMS messages that a user would assume to have been deleted were still present in the database file.  If you’ll think back to last summer, the SMobile Global Threat Center published a lengthy whitepaper discussing the possibility of bypassing the backup encryption functionality built-in to iTunes.  One interesting piece of information that we found, through a series of tests to document and illustrate our process, was that deleted contacts still existed in raw format in the SQLite database file that functioned as the device’s address book.

What we were able to determine is that for some reason, the SQLite database that the iPhone uses has the ability to track changes to the database file.  In tracking those changes, the raw file “remembers” the data that was deleted.  Even though the deleted data is no longer visible in the database tables, as they are viewed with a SQLite database viewer, the data is still visible when viewing the raw file with a ‘cat’ or ‘grep’ command.   Check out the whitepaper for more information about this.
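To see the behaviour described above in a form you can run yourself, here is an added example (not from the whitepaper or this post’s author) that builds a small SQLite address book, deletes one contact, and then compares what a SELECT returns with what a raw byte scan of the file finds, the same check as running grep on the file. The second run shows the mitigation a developer can apply: SQLite’s secure_delete pragma followed by VACUUM. The file name and contact names are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Constructed sample address book; the names are made up for this example.
CONTACTS = [("Alice Example", "555-0100"),
            ("Bob Example", "555-0101"),
            ("Carol Remnant", "555-0102")]
DELETED_NAME = "Carol Remnant"


def build_and_delete(db_path, secure_delete):
    """Create a contacts table, delete one row, commit, and return the
    names a normal SQL query still sees.

    secure_delete=False mirrors SQLite's default: the bytes of a deleted
    cell stay inside the page's free space until something overwrites them.
    secure_delete=True turns on PRAGMA secure_delete, which zeroes freed
    content at delete time, and then VACUUMs the file to rebuild it.
    """
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts (name, phone) VALUES (?, ?)", CONTACTS)
    conn.commit()
    conn.execute("DELETE FROM contacts WHERE name = ?", (DELETED_NAME,))
    conn.commit()
    if secure_delete:
        conn.execute("VACUUM")  # must run outside a transaction
    remaining = [row[0] for row in conn.execute("SELECT name FROM contacts ORDER BY id")]
    conn.close()
    return remaining


def raw_file_contains(db_path, needle):
    """The equivalent of grepping the raw file: scan bytes, not table rows."""
    with open(db_path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def deleted_row_recoverable(secure_delete):
    """Return (visible_to_sql, present_in_raw_bytes) for the deleted contact."""
    tmpdir = tempfile.mkdtemp()
    db_path = os.path.join(tmpdir, "AddressBook.sqlitedb")  # hypothetical name
    try:
        remaining = build_and_delete(db_path, secure_delete)
        visible = DELETED_NAME in remaining
        in_raw = raw_file_contains(db_path, DELETED_NAME)
        return visible, in_raw
    finally:
        for name in os.listdir(tmpdir):  # also removes any leftover journal
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for flag in (False, True):
        visible, in_raw = deleted_row_recoverable(flag)
        print("secure_delete=%s: visible via SQL=%s, present in raw file=%s"
              % (flag, visible, in_raw))
```

With secure_delete off the SELECT no longer lists the contact but the raw scan still finds the name; with secure_delete on and a VACUUM, the raw scan comes up empty as well.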

The two gentlemen that developed this attack went on to state that if the exploit were written to do so, it could also capture the full address book, any photos that exist on the device, music, and email.  Since I have not tested this functionality, I would venture a guess to say that since we know deleted SMS and deleted contacts could be obtained, that deleted emails can be obtained as well.   At least, I would think your deleted sexting pics and Rick Astley songs are safe for now.



Mariposa Botnet Hits Android via HTC Magic and Vodafone…or Does It?

Filed Under: Mobile Security, Security
Tuesday, March 23rd, 2010

About two weeks ago, I was sitting in our new Threat Center and we were tinkering around with a website that is part of our tool set to identify indications of malware or infections affecting smartphones across the world.  The website that we were looking at is called Twitterfall.com and it allows a user to perform keyword searches to match against tweets that are being published.  It’s amazing how quickly information hits Twitter and even more amazing how quickly that information is re-tweeted, copied and pasted, and parroted as the truth.

Among others, one of the keywords I chose was “android malware”.  I was immediately presented with dozens upon dozens of nearly identical tweets parroting the sentiment that Vodafone had sold at least one Android handset to a Panda Security employee that was infected with malware.  Obviously, this immediately sparked raging discussions in Android and Apple forums declaring Android a failed iPhone killer.  iPhone fans were ready to begin singing “another one bites the dust” as they saw Android’s attacks being repelled.

But, what was lost in the immediate attempts to castigate Android as an inherent security flaw because of its open source philosophy, was the fact that the Android device in question was not infected with malware.  What’s that you say?  Not infected?  That’s right…not infected.  What actually happened was that a Panda Security employee received an HTC Magic device running the Android operating system, from the carrier Vodafone, that had three instances of malware pre-loaded onto the device’s SD card.  The device SD card is wholly separate from the Android operating system.

When the Panda employee connected the device to her PC via the USB cable, she was automatically alerted to the fact that her anti-virus software on the PC had detected the existence of an autorun.inf and autorun.exe that were both being flagged as malicious.  Further analysis indicated that the device was infected with the Mariposa botnet, the Conficker worm and a Lineage (the game) password stealing tool.  This is terrible news, right?  Of course it is…for Vodafone and for HTC.  But is it necessarily bad news for Android?  Not really.

Let’s take a closer look at what actually happened.  HTC manufactures the Magic device and chose Android to drive the proverbial bus.  HTC likely purchases SD cards from some other manufacturer and may do some level of formatting or configuring of the SD card before or after it has been installed in the Magic device.  HTC then ships the handsets, with some Vodafone specific ROM installed on the device and the pre-installed SD card, to Vodafone.  Vodafone then sells the device to a customer.  As an interested observer, I don’t really see where Android plays any factor in this equation at all.

This is certainly not the first time we have seen malware being distributed directly from some vendor or retail center.  Just to level the playing field, let’s focus on the case of iPods being distributed with a free SIWEOL.A worm that affected Windows PCs.  Ok, that was a cheap shot.  But the point is that we have seen plenty of cases that indicate that attackers are doing whatever they have to do in order to get their malware into your lives.  We know that USB media drives come from retail stores with malware. Digital picture frames have served as the attacker’s carrier, and McDonald’s in Japan had to recall 10,000 MP3 players back in 2006.  There are still more examples of these types of successful attacks that I’ll continue to ignore.

With the exception of a very few security centric blogs or analysis pieces that responsibly laid the blame for this attack on a faulty QA process between HTC and Vodafone, too many outlets were ready to call Android the problem.  But, what was lost in the finger pointing was the fact that a proven defense-in-depth strategy is what identified the problem and protected this user (and many others) from becoming a victim of, and possibly propagating, the effects of the attack.  It also didn’t hurt that the victim of the attack was a security-minded employee of a reputable PC security company.  This particular user was employing best practices and relied upon an anti-virus solution to assist in identifying malicious content.  Bravo!

The only part that Android could have played in this whole story would have been if Vodafone had bundled an anti-virus application with the device’s ROM that was configured to detect Windows-based malware that resided on the device’s SD card.  At the point that this story broke, there would have been exactly zero smartphone AV applications in the world that were capable of detecting this threat.  But, proven PC security mechanisms worked…as they should have.

What should be taken away from this whole debacle (since it wasn’t learned from the previous ones) is that when using technology, whether in conjunction with other tools or on its own, there are limitations to what can be done to protect yourself.  As a user that may be interested in protecting your personal information or financial assets, it is increasingly important to properly leverage technology to provide coverage where it applies.  In this scenario, the malware that existed did not affect the Android device, so there was no capability to detect it on the SD card.  But, when it did become an issue and could affect the Windows system, there was a capability to detect and defend.

Some might expect an Android anti-virus application to be able to detect this type of malware if it resides on the device.  This is where those limitations I spoke of come into question.  At this point in the game, it’s simply not possible for a Smartphone to effectively handle detection of every PC malware that we know about.  There simply are not enough resources available on the device.  But, the PC can handle it…and in this case, it did.



FlexiSpy Dives into Android

Filed Under: Mobile Threats
Tuesday, March 23rd, 2010

Over the last month, I’ve written two lengthy whitepapers discussing malware affecting Android devices.  The first whitepaper looks at some spyware applications that are available for Android that have not yet been published to the Android Market.  In that paper we discussed Mobile Spy and MobiStealth, as well as the bank phishing app from Droid09 that actually made its way into the Market for a short period of time before the community reacted and had it taken down.

The second whitepaper has yet to be published, but as a sneak peek, we take an in depth look at Android spyware that is currently in the Android Market and being marketed as tools to facilitate “legal” spying, as well as “illegal” spying.  The handful of applications from various developers that we found used different methods to hide themselves from detection, which is the determining factor when SMobile categorizes an application with monitoring capabilities as spyware.

Call it job security or bad luck, but almost as soon as I was done with these papers we found that FlexiSpy published their first version of spyware for Android.  As you may or may not remember, FlexiSpy is widely considered to be the leader in spyware for smartphones.  To date, they offer versions of their software for Symbian, Windows Mobile, BlackBerry, iPhone and now Android.  Various versions of FlexiSpy offer different levels of spying capabilities at different cost to the consumer.

Though there are now a multitude of imitators attempting to compete with FlexiSpy’s capabilities, it is undeniable that FlexiSpy did the lion’s share of the initial work in developing the capabilities necessary to make these types of applications a reality.  Traditionally, FlexiSpy offers the ability for an attacker to:

  • Read the victim’s call records
  • Determine device’s GPS location
  • Read SMS and Email messages
  • Listen in on actual phone calls as they are in progress
  • Notify the attacker when the SIM has been changed
  • Activate the device’s microphone (spy call) in order to listen to ambient room conversation
  • Remote configuration of the spyware via undetectable SMS messages
  • Central management of acquired logs via web portal

Fortunately for unsuspecting victims, the version of FlexiSpy that was just released for Android devices only allows an attacker to read the victim’s call records, read SMS messages, and determine GPS location.  Well, I guess that’s still enough to be considered spying.  However, as a means to further ingratiate themselves with those that would want to illegally spy on someone’s activities, FlexiSpy is being generous enough to offer the Android version of their app for free for personal use.  If you would like to use FlexiSpy for “professional use”, you’ll have to check back later to see if they have published their professional version.

As we’ve already seen FlexiSpy do, they’ll likely begin asking their customers to consider SMobile’s anti-virus/anti-spyware software to be malware.  According to FlexiSpy, who are we to “interfere with legitimate, legal and accountable software”? I mean, who appointed us judge, jury and executioner anyway?

As long as service providers, enterprises, and consumers turn to SMobile to protect the privacy of their personal information and communications, we’ll continue to identify, categorize and “interfere” with applications that attempt to illegally monitor the activities of unsuspecting users.  Besides, if you have our software and it tells you that FlexiSpy is installed and asks you if you would like to remove it, if you already know it’s on there…what’s the problem? Right?



SMobile Systems Inc Receives 2009 Best of Business Award

Filed Under: Security
Monday, March 22nd, 2010

Small Business Commerce Association’s Award Honors the Achievement

SAN FRANCISCO, March 13, 2010, SMobile Systems Inc has been selected for the 2009 Best of Business Award in the Computer software category by the Small Business Commerce Association (SBCA)

The Small Business Commerce Association (SBCA) is pleased to announce that SMobile Systems Inc has been selected for the 2009 Best of Business Award in the Computer software category.

The SBCA 2009 Award Program recognizes the top 5% of small businesses throughout the country. Using statistical research and consumer feedback, the SBCA identifies companies that we believe have demonstrated what makes small businesses a vital part of the American economy. The selection committee chooses the award winners from nominees based off statistical research and also information taken from monthly surveys administered by the SBCA, a review of consumer rankings, and other consumer reports. Award winners are a valuable asset to their community and exemplify what makes small businesses great.

About Small Business Commerce Association (SBCA)

Small Business Commerce Association (SBCA) is a San Francisco based organization. The SBCA is a private sector entity that aims to provide tactical guidance with many day to day issues that small business owners face. In addition to our main goal of providing a central repository of small business operational advice; we use consumer feedback to identify companies that exemplify what makes small business a vital part of the American economy.

SOURCE: Small Business Commerce Association

CONTACT:
Small Business Commerce Association
Email: Press@SBCAAwards.org
URL: http://www.SBCAAwards.org

###



Cybercrime Complaints, Reported Losses Increase

Filed Under: Mobile Security
Monday, March 15th, 2010

By M.P. MCQUEEN
Complaints about Internet crime in the U.S. soared last year in a phenomenon tied to the poor economy, law-enforcement officials say.

The number of reports increased 22.3% in 2009 over 2008, and reported losses soared to $559.7 million, up from $265 million a year earlier.

Losses per incident also rose in transactions in which a loss occurred, to a median of $575, according to information provided Friday by the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, a nonprofit federally funded group that aids local law enforcement. The center develops information and refers complaints involving cybercrimes to appropriate investigative agencies, including international police. Losses were $17.8 million in 2000, the center’s first year of operation.



SMobile GTC Sees Android Malware Coming

Filed Under: Blog, Mobile Security, Mobile Threats
Friday, March 12th, 2010

Open source versus closed source.  It’s a discussion that often leads to heated arguments and one that will likely continue well beyond its usefulness.  The discussion began before many of us realized there would need to be terms such as “malware” and the often incorrectly used “hacker”.  Regardless of what side of the discussion you come down on, the term Android has not helped to lessen the ferocity of the debate.  Since Google released the first Smartphone operating system that was supposed to be completely open source, the debate between BlackBerry, Windows Mobile, iPhone and Symbian users continues to get louder.

Whether you’re new to the Smartphone revolution or are an Android convert from some other platform, there is a reason that you chose Android.  Some wanted to break the stuffy business-like feel of the BlackBerry.  Others were excited about the possibilities that an operating system built on a Linux kernel with incredible customization capabilities brings.  Some wanted something that was friendlier or easier to use than Windows Mobile or their Symbian device.  Then there are the ones that just want to be anti-Apple.  There are just as many anti-everything-Apple as there are Apple “fanboys” in the world.  There are also those that just got a deal from their provider that they couldn’t refuse.  Regardless of the reason, Android’s market share is growing…

To continue reading, download the full Android Malware Whitepaper