Security Apps, Malware Race to Be First On Your Mobile
Posted by: Tim Tibbetts on 06/28/2013 01:40 PM
[
Comments
]
In China, there is a saying: “道高一尺,魔高一丈,” meaning “The law is strong, but the outlaws are sometimes stronger.”
It is interesting to note that although DeviceAdmin has been used by some security applications to avoid being accidentally or intentionally uninstalled, this is the first known instance of a sophisticated malware using DeviceAdmin.
In addition to those techniques, Android/Obad.A does the following:
Collects sensitive information: IMEI (International Mobile Equipment Identity, a phone serial number), operator name, phone number, and local time
Encrypts the information and sends it to the attacker
Executes commands from the control server, including:
sending SMS messages
downloading another package
installing a package
accessing a certain website
sending the contacts information to the attacker
sending itself to nearby devices through Bluetooth
more commands
These payloads have been seen in other mobile malware since the beginning of Android attacks. However, the malware author breaks new ground in antisecurity software techniques–by attacking antimalware software.
Previously, malware has used the basic technique of deleting or uninstalling antimalware programs. Some malware looked for specific versions or particular brands of antimalware; others targeted multiple brands. Antimalware programs now have real-time scanning to prevent malware from running and deactivating them. In contrast, sophisticated malware runs its own service to detect antimalware software being installed on the device and uninstalling it.
All this looks like a race between the security application and malware. Who runs faster, and who catches (detects) whom?
Unfortunately, some antimalware apps can’t remove Android/Obad.A even if they detect it–due to its DeviceAdmin privilege. An alternative way to combat Obad.A is to develop a special tool to reveal it, and then to disable its DeviceAdmin privilege and allow the antimalware product to remove it. We have recently updated our McAfee Mobile Innovations application, which has multiple features, with one to find hidden applications, including malware such as Android/Obad.A.
More information and screenshots at the McAfee blog: http://blogs.mcafee.com/mcafee-labs/security-apps-malware-race-to-be-first-on-your-mobile
It is interesting to note that although DeviceAdmin has been used by some security applications to avoid being accidentally or intentionally uninstalled, this is the first known instance of a sophisticated malware using DeviceAdmin.
In addition to those techniques, Android/Obad.A does the following:
Collects sensitive information: IMEI (International Mobile Equipment Identity, a phone serial number), operator name, phone number, and local time
Encrypts the information and sends it to the attacker
Executes commands from the control server, including:
sending SMS messages
downloading another package
installing a package
accessing a certain website
sending the contacts information to the attacker
sending itself to nearby devices through Bluetooth
more commands
These payloads have been seen in other mobile malware since the beginning of Android attacks. However, the malware author breaks new ground in antisecurity software techniques–by attacking antimalware software.
Previously, malware has used the basic technique of deleting or uninstalling antimalware programs. Some malware looked for specific versions or particular brands of antimalware; others targeted multiple brands. Antimalware programs now have real-time scanning to prevent malware from running and deactivating them. In contrast, sophisticated malware runs its own service to detect antimalware software being installed on the device and uninstalling it.
All this looks like a race between the security application and malware. Who runs faster, and who catches (detects) whom?
Unfortunately, some antimalware apps can’t remove Android/Obad.A even if they detect it–due to its DeviceAdmin privilege. An alternative way to combat Obad.A is to develop a special tool to reveal it, and then to disable its DeviceAdmin privilege and allow the antimalware product to remove it. We have recently updated our McAfee Mobile Innovations application, which has multiple features, with one to find hidden applications, including malware such as Android/Obad.A.
More information and screenshots at the McAfee blog: http://blogs.mcafee.com/mcafee-labs/security-apps-malware-race-to-be-first-on-your-mobile
Comments
