Android malware steals info from one million phone owners

August 1, 2010 by admin  
Filed under Security News

Updated: A developer of Android apps has been accused of using one of its apps to steal information from more than one million smartphone users.

 

John Hering and Kevin Mahaffey, of mobile security firm Lookout, told the Black Hat security conference in Las Vegas that a wallpaper app developed by Jackeey Wallpaper (which has published over 70 different applications for Google’s Android mobile operating system) secretly transmitted affected phones’ numbers, subscriber identifiers and voicemail numbers to a server in Shenzhen, China.

 

Over a million people are believed to have downloaded the app – which Sophos has not yet seen – from the Android Market (Google’s equivalent to Apple’s iPhone App Store).

 

This isn’t the first time that the Android smartphone operating system has apparently been targeted by malware, of course.

 

One of the challenges facing owners of Android smartphones is that the Android Market is not as closely policed as Apple’s App Store, and takes a more relaxed approach to which apps can be published.

 

Although Apple has received much criticism for the way it controls the iPhone environment, it’s clear that the only malware attacks we’ve seen to date on that platform (such as Duh and the infamous rickrolling Ikee worms) have affected users who chose to jailbreak their iPhones and escape the relative safety of the App Store.

 

Yes, malware has previously emerged for jailbroken iPhones, but those malicious applications did not reach users’ devices via Apple’s tightly guarded App Store.

 

It remains to be seen how many users will treat security as a factor when choosing between the rival mobile operating systems.

 

Update: Some media reports suggested incorrectly that voicemail passwords were accessed by the wallpaper app. It’s important to make clear that this is not true.

 

 


 

Details of 100 million Facebook users were *already* exposed on the net

August 1, 2010 by admin  
Filed under Security News

Have you seen the headlines? They’re pretty scary-looking.

 

Here’s just a handful – although there were hundreds more to choose from:

“A fifth of Facebook users names ‘leaked’ to file-sharers”, Techwatch

“Details from 100 million Facebook profiles posted online”, Network World

“Details of 100m Facebook users collected and published”, BBC News Online

“100 million Facebook accounts exposed”, V3

 

At first glance these headlines might appear frightening. But there’s one thing you need to know. All of this information was already available to anyone on the internet.

 

What’s happened is that a security consultant called Ron Bowes wrote some scripts to harvest publicly-available information from the profiles of Facebook users who had left their profiles open for anyone to view.

 

In total he managed to scrape the names and profile URLs of some 100 million Facebook users (about 20% of its user base), and posted the database of harvested information on a peer-to-peer file-sharing network for anyone to download.

 

The Facebook user data can be downloaded from a peer-to-peer file-sharing network

 

This wasn’t really a “hack” as such, as the guy who collected this information didn’t have to break into accounts to access the information. The personal information from users’ Facebook profiles was already available to anyone because individuals’ privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see.

 

The real problem here is that users haven’t secured their profiles well enough – but I don’t think they’re the only ones at fault. Facebook has gradually eroded its users’ privacy over the years in an attempt to share more information with the rest of the internet. In fact, Facebook itself recommends settings that share more information – and some users may not have been aware that going with Facebook’s recommendations would leave them open to being snooped on in this fashion.

 

The problem is that once you’ve shared your information with “everyone” on the net in this fashion, there’s no going back. You can’t withdraw your data – and now the user details have been harvested they will forever be available for anyone to access.

 

Facebook privacy setting

 

Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook privacy settings closely to ensure that they are not divulging too much to people they don’t know, and are comfortable with their choices. Today the news story is about names and URLs being scooped up – tomorrow it could be more personal information gathered from poorly secured Facebook profiles.

 

 


 

Citi iPhone banking app contains security flaw

August 1, 2010 by admin  
Filed under Security News

iPhone-owning customers of Citigroup have been urged to update their mobile banking app immediately because of a security flaw that secretly stored account numbers, bill payments and security access codes in a hidden file.

 

The Citi Mobile app allows customers to check their account balances, transfer funds and pay bills from their iPhone, and is one of the most popular finance applications in the Apple App Store with approximately 120,000 users since it was launched in March 2009.

 

Citigroup told the Wall Street Journal that it had “no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone.”

 

Citi Mobile app

 

However, there will undoubtedly be concerns that if a user lost their iPhone, the information could be accessed by an identity thief. Furthermore, it is believed that the sensitive data could also have been backed up to customers’ Windows and Mac computers when they synchronised their iPhone. Certainly, a typical malicious hacker has far more opportunities to access information stored on a PC than on the controlled environment of an Apple iPhone.

 

 


 

SophosLabs – What is Fake Anti-Virus?

August 1, 2010 by admin  
Filed under Security Channel

Free Windows Shortcut Exploit Protection Tool From SOPHOS

July 27, 2010 by admin  
Filed under Protection Tools

 

What is the Windows Shortcut Exploit?

The Windows Shortcut Exploit, also known as CPLINK, targets a zero-day vulnerability in all versions of Windows that allows a Windows shortcut (an .lnk file) to load and run a malicious DLL. The dangerous shortcuts can also be embedded on a website or hidden within documents.

 

The exploit fires as soon as you open a device, network share or WebDAV share carrying an infected shortcut – you don’t need to click on anything, and it works even if you have AutoPlay and AutoRun disabled.

 

SophosLabs first saw this exploit at work in the rootkit W32/Stuxnet-B, which targets Siemens SCADA systems and logs into them using the system’s default password.

 

While Stuxnet has only been seen affecting Windows machines into which infected USB drives were plugged, the Windows Shortcut Exploit in general can also work through file shares and WebDAV.

 

 

Am I at risk?

At the moment there is no patch from Microsoft for this vulnerability; however, our free Windows Shortcut Exploit Protection Tool will block the exploit from running on your computer. Sophos customers are already protected.

 

The Windows Shortcut Exploit affects every Microsoft-supported version of Windows (Windows XP SP3 and newer), as well as older, unsupported versions.

 

Sophos Security Chet-Chat Episode 19:

The Windows Shortcut Exploit/CPLINK – What is it, what are the risks?

13:21 minutes – Download (12.2 MB)

 

How do I protect against this?

Download our free Windows Shortcut Exploit Protection Tool to block the exploit from running on your computer. If you’re an existing Sophos Endpoint customer, you are already safe from this exploit.

 

Microsoft officially recommends disabling icon rendering for shortcuts; however, this workaround makes Windows significantly harder to use.

 

 

Want to see who has viewed your Facebook profile? Take care..

July 26, 2010 by admin  
Filed under Security News

I’m increasingly being asked by folks on Facebook if it’s possible to tell who has been viewing their Facebook profile. A number have been attracted to webpages and Facebook applications that claim to be able to give you a secret insight into who is spying on your profile.

 

Well, if you’re one of those people who are curious about who might be watching you online, take care.

 

Right now we’re seeing a significant number of Facebook users posting messages such as:

OMG OMG OMG... I can't believe this actually works! Now you really can see who views your profile!!! WOAH

and

See who views your Facebook profile in real-time!!!

See who views your profile

 

However, like the “Justin Bieber cell phone number” scam and the “This mother went to jail for taking this pic of her son!” scam, the links pointed to in your friends’ status updates are not to be trusted.

 

If you make the mistake of clicking on the link to one of these pages offering to tell you who is viewing your Facebook profile, you will find that the people behind the “services” want you to do a few things first.

 

See who has viewed your profile scam page

For instance, they’ll ask you to “Like” their pages (which means you are spreading the link to friends in your social network), and they will ask you to advertise their site by posting an “OMG” message (with a link) to at least five different places on Facebook.

 

After all that hard work you would hope that they would give you access to the powerful Profile Spy app wouldn’t you? But I’m afraid your luck is out.

 

They’ll next ask you to hand over your personal information by taking numerous surveys – before ultimately trying to trick you into handing over your cellphone number which they’ll sign up to an expensive premium rate service.

 

See who has viewed your profile scam page

 

Remember, this scam doesn’t work as the result of clickjacking or a vulnerability in Facebook. The scammers are achieving their ends through human gullibility – pure and simple. If people considered what they were doing and thought twice about the possible consequences, we would see far fewer of these attacks, and our Facebook news feeds would carry less spam.

 

 


 

More malware exploiting Windows shortcut vulnerability

July 26, 2010 by admin  
Filed under Security News

It probably won’t come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (tracked as CVE-2010-2568).

 

Like the earlier Stuxnet attack, more examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction have been analysed in our labs.

 

Overnight Sophos saw two malware samples being spread via the .LNK vulnerability. Customers of Sophos products were already protected, as we detect the malicious .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink – however, here is more information on the specific malware:

 

Troj/Chymin-A:
Also known as Chymine, this keylogging Trojan horse is designed to steal information from infected computers.

 

Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.

 

W32/Dulkis-A:
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability to removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.

 

W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).

 

 


 

Shortcut zero-day attack code goes public

July 20, 2010 by admin  
Filed under Security News

If you’ve been following Chet Wisniewski’s blog over the last few days you will already know about the serious zero-day vulnerability that has been found in versions of Windows.

 

Since confirmed by Microsoft, the vulnerability exists in versions of Windows and allows a maliciously crafted Windows shortcut file (.lnk) to run a malicious DLL simply by being viewed on a USB stick.

 

Furthermore, the attack is triggered automatically by viewing an affected USB storage device in Windows Explorer, even when AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be exploited remotely via WebDAV and network shares.
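The two paragraphs above (and the Protection Tool post earlier on this page) describe what the exploit relies on: a shortcut whose target is a library that Explorer loads while rendering the icon, so no click is needed. The following is an added example written for this page, not Sophos code and not a copy of the Stuxnet or Cplink shortcut. It parses .lnk files by the public MS-SHLLINK layout and flags any shortcut whose LinkTargetIDList points into the Control Panel namespace or names a .dll/.cpl path. The Control Panel folder CLSID is assumed from Microsoft’s published shell CLSIDs; the two sample shortcuts are constructed test data that approximate the indicator and are not a working exploit.

```python
"""Heuristic scanner for Windows shortcut (.lnk) files whose LinkTargetIDList
references a DLL or Control Panel applet: the structure the CPLINK exploit
(CVE-2010-2568) relies on to make Explorer load attacker code while it is
merely rendering the shortcut's icon.

Layout follows the public MS-SHLLINK specification. The two sample shortcuts
at the bottom are constructed test data for exercising the parser, not a
working exploit.
"""
import struct

# ShellLinkHeader constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001

# Shell namespace GUID of the Control Panel folder, {21EC2020-3AEA-1069-A2DD-08002B30309D},
# in on-disk little-endian byte order (assumed from Microsoft's published CLSID list).
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")

# A shortcut target that is a loadable library rather than a file or folder is the indicator.
SUSPICIOUS_EXTENSIONS = (".dll", ".cpl")


def parse_header(data):
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link file")
    return flags


def parse_id_list(data, offset):
    """Parse the LinkTargetIDList at offset; return ItemID payloads with the size field stripped."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos = offset + 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:          # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob, min_len=4):
    """Yield printable-ASCII runs stored as UTF-16LE, trying both byte alignments."""
    for start in (0, 1):
        chunk = blob[start:]
        chunk = chunk[:len(chunk) - len(chunk) % 2]
        run = ""
        for ch in chunk.decode("utf-16-le", errors="replace") + "\x00":
            if 0x20 <= ord(ch) < 0x7F:
                run += ch
                continue
            if len(run) >= min_len:
                yield run
            run = ""


def scan_lnk(data):
    """Return a list of findings; an empty list means no CPLINK-style indicator was seen."""
    findings = []
    flags = parse_header(data)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return findings
    for index, item in enumerate(parse_id_list(data, LNK_HEADER_SIZE)):
        if CONTROL_PANEL_CLSID in item:
            findings.append("item %d: Control Panel folder CLSID" % index)
        for text in utf16_strings(item):
            if text.lower().endswith(SUSPICIOUS_EXTENSIONS):
                findings.append("item %d: library path %r" % (index, text))
    return findings


def scan_file(path):
    """Scan one .lnk file on disk (raises ValueError if it is not a shell link)."""
    with open(path, "rb") as handle:
        return scan_lnk(handle.read())


def build_lnk(items):
    """Assemble a minimal shortcut: header plus LinkTargetIDList only (constructed test data)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += bytes(LNK_HEADER_SIZE - len(header))          # remaining header fields zeroed
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: an ordinary file shortcut, and one that points into the Control Panel
# namespace at a DLL path (an approximation of the indicator, not the real exploit's layout).
BENIGN_LNK = build_lnk([b"\x32\x00" + "C:\\Tools\\readme.txt".encode("utf-16-le")])
SUSPICIOUS_LNK = build_lnk([
    b"\x1f\x80" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "\\\\?\\C:\\Evil\\payload.dll".encode("utf-16-le"),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, "->", scan_lnk(sample) or "clean")
```

Run it over a mounted USB stick or share with `scan_file` on each `*.lnk` before opening the folder in Explorer (from a machine with icon rendering disabled, or from a non-Windows host, since Explorer would otherwise parse the shortcuts itself). It is a triage heuristic: a legitimate Control Panel shortcut will also trip the CLSID check, so treat a hit as something to look at, not as proof of infection.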

 

You can watch the following YouTube video where Chet shows the attack in action:



In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.

 

What is of particular concern, of course, is that other malicious hackers will try to exploit the vulnerability – it would certainly be a useful tool in any malware’s arsenal. The chances of that have increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code on the internet.

 

In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.

 

There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.

 

So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.

 

Sophos detects the malware we’ve seen so far using the exploit as W32/Stuxnet-B and Troj/Cplink-A.

 

 


 

Google ‘malware’ sponsored advert delivers fake anti-virus

July 15, 2010 by admin  
Filed under Security News

“Be careful what you ask for – you might get it.”

 

That’s the thought running through my head today after I searched for the word “malware” on Google.

 

As you’ll see in the following short YouTube video I made, a sponsored link right at the top of the Google search results points to a fake anti-virus website posing as a legitimate security company:


 

If you download the fake anti-virus program promoted on the website you risk infection by malware identified by Sophos as Troj/FakeAV-AOV.

 

 


 

Mozilla pulls password-sniffing Firefox add-on

July 15, 2010 by admin  
Filed under Security News

Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.

 

“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but it was only at the start of this week that it was found to contain code which sent the contents of website login forms to a remote location.

 

In other words, if you installed this add-on (and according to Mozilla about 1,800 people did), then every time you entered your password on a website you were potentially handing your confidential login details to an unknown party.

 

And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.

 

Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest incident, and there is now a proposal to require that all add-ons be code-reviewed before they are published on the site. More details are available in Mozilla’s document about the new review model.

 

Mozilla has now block-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.

 

If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.

 

 


 
