Simply Security - News, Views, and Opinions from Trend Micro

Trojanized Apps Root Android Devices

Posted on March 7th, 2011 in Current News, Cybercrime by TrendLabs

Mobile threats are reaching new heights today, and the Android platform is becoming a favorite of attackers. Google made the Android platform as “open” as possible and released application development documentation, source code, and SDKs for anyone to use. Becoming an Android developer is quite easy: a person just needs to pay a $25 registration fee and is then able to upload applications to the Android Market.

Google put its trust in the community of developers and users to rate an application or flag it as malicious. This was supposed to encourage programmers to develop applications, which in turn would attract people to buy Android smartphones because so many applications would be available.

However, this openness also attracted cybercriminals, for whom Android’s popularity is a perfect opportunity to profit. As we saw with the first Android malware, criminals Trojanized legitimate applications and uploaded the repackaged versions to third-party markets in the hope that users would download them. Trojanizing legitimate apps has become the norm on the Android platform, and the best advice (seemingly) has been to download only from trusted sites — and of course from the Android Market.

Yet the criminals seem to have gotten away with uploading a number of Trojanized applications, which Trend Micro detects as AndroidOS_LOTOOR.A.

I was able to analyze a sample of these Trojanized applications, specifically the game Falling Down (my colleague Rik Ferguson posted a complete list of the names of the Trojanized applications in his blog entry here). The Trojanized version of the game is very similar to the clean version, and is even playable.


The only noticeable difference between the Trojanized and the clean version of the game is the number of device resources to which the application requests access.


It is possible that the cybercriminal(s) behind this attack hoped users would mindlessly skim through the permission prompt and not realize that the application was asking for access to resources that have nothing to do with the game.

Like most of its predecessors, this malware gathers device information such as the IMEI and IMSI. What is new and significant about this threat is that it roots affected devices. Rooting grants root privileges on the device, comparable to jailbreaking on iOS devices. AndroidOS_LOTOOR.A uses two well-known exploit binaries, rageagainstthecage and exploid, to root infected devices. It also has the capability to download and install other applications without the user’s knowledge, which gives remote attackers limitless control over infected devices.
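The two observations above (the only visible difference is the permission list, and the malware reads the IMEI and IMSI) translate into a simple triage check that a defender can script: diff the permissions of a known-clean APK against a suspect repackaged one and flag the additions a game has no reason to request. This is an added example, not Trend Micro’s code or anything taken from the LOTOOR analysis; the two manifests are constructed samples standing in for a decoded clean and Trojanized AndroidManifest.xml, and the “suspicious for a game” list is the example’s own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions an offline game has no business requesting (example's own list).
# READ_PHONE_STATE is what an app needs to read the IMEI/IMSI the post mentions;
# INSTALL_PACKAGES is only granted to system-signed apps, so a game declaring it is a red flag in itself.
SUSPICIOUS_FOR_A_GAME = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def permission_delta(clean_xml, suspect_xml):
    """Diff a known-clean manifest against a suspect repackaged one."""
    clean, suspect = permissions(clean_xml), permissions(suspect_xml)
    added = suspect - clean
    return {
        "added": sorted(added),
        "removed": sorted(clean - suspect),
        "flagged": sorted(added & SUSPICIOUS_FOR_A_GAME),
    }

# Constructed sample manifests (as decoded by apktool); not the real Falling Down APKs.
CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fallingdown">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fallingdown">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    delta = permission_delta(CLEAN, SUSPECT)
    print("added:  ", delta["added"])
    print("flagged:", delta["flagged"])
```

Point it at manifests decoded with apktool to compare an app against the version you trust; an "added" list that is empty but a "flagged" list that is not means the original already requested more than it should.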

Threats to mobile devices are expected to keep rising, so users should stay vigilant. Download only from trusted sources and developers. ‘Application Permissions’ are listed when installing an application, so please do read them and report the application if you suspect it is requesting a permission it does not need.

Trend Micro offers security for Android mobile devices through Mobile Security for Android™.

Update as of March 7, 2011, 9:40 AM Pacific Time

The Trojanized applications have since been removed from the Android Market, according to Google. Moreover, the Android team is remotely removing the malicious applications from infected devices and installing the Android Market Security Tool 2011.

Post from: TrendLabs | Malware Blog – by Trend Micro
