Sunday, July 21, 2013

Parmy Olson, Forbes Staff
I cover agitators and innovators in mobile.
First Posted 3/21/13                 

 

Malicious software is nothing new to the cyber security world. So-called malware is what unscrupulous folk use to disrupt or gather sensitive data from our desktop computers. Targeted attacks with malware have been relatively unseen on smartphones, those other computers we carry around that are teeming with personal data.

Now, however, security researchers at Kaspersky Labs say they’ve uncovered the first-known targeted malware attack on Android phones. The victims were specifically Tibetan activists, but the disclosure underlines the broader possibilities for targeted cyber attacks on smartphones.

The attack relied heavily on social engineering, a kind of verbal manipulation, to hack into their targets’ devices. Kaspersky explains that on March 24, the attackers infiltrated the email account of a high-profile Tibetan activist, and used that account to send a spear-phishing email to their contacts list.

The email looked like this:

Image via Kaspersky Labs 

Notice that it included an attachment, called “WUC’s Conference.apk.” Several activist groups had recently organized a human rights conference in Switzerland. (Kaspersky say they’ve seen several attacks mentioning this event as a baiting tool.)

People who opened that e-mail on an Android smartphone, along with the attached Android Package (APK) file, would find that the file opened an Android application. Once installed, the app called “Conference” would appear on the desktop:


Image via Kaspersky Labs 

If a user went on to open the app, they’d see a window of text with information about the upcoming “conference.” (See below) At this point, some might have noticed the misspelling of “World” as “Word.”


Image via Kaspersky Labs

As the target is reading the message, malicious software they had inadvertently installed would report back to a command-and-control server, before collecting information from the phone. According to Kaspersky, that information would include:

- Contacts that are stored on both the phone and the SIM card
- Call logs
- SMS messages
- Geo-location
- Data about the phone, including the phone number, what version OS it uses and the phone model.
  Once the victim received a text message that included a certain protocol, the malware would send     
  the collected data back to the command-and-control server.

Who were the perpetrators? Kaspersky mentions that throughout the malware’s code, the attackers included various messages in Chinese. Since this was probably done for debugging purposes, the malware may be an early prototype. The IP address for the command and control server points to Los Angeles, California, but a domain which used to point there was registered on March 8, by one Shanghai Meicheng Technology Information Co., Ltd, with contact details for the registrar pointing to Beijing.

There are other strong indications that the attackers were Chinese speakers, Kaspersky notes, adding that this is also just one of thousands of targeted cyber attacks on Tibetan and Uyghur supporters. The vast majority of attacks like these have target Windows via exploits in Word.

“Until now, we haven’t seen targeted attacks against mobile phones in the wild, although we’ve seen indications that these were in development,” the researchers said. “It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”

No comments:

Post a Comment