SAN FRANCISCO -- A pair of malware experts offered a glimpse into the complicated, duplicitous underworld of Android malware development and deployment, and encouraged information security pros to help shine a light on the problem by conducting their own Android malware research.
During a presentation Thursday at RSA Conference 2012, Grayson Milbourne, manager of threat research for Broomfield, Colo.-based security vendor Webroot Inc., and Webroot senior threat research analyst Armando Orozco described the many options available to attackers exploiting Android-based devices and applications.
The attackers' method of choice, Milbourne said, is malicious apps spread via the Android Market or third-party app stores. In one example, he showed two identical-looking versions of a popular app called Jungle Shooter: one was a straightforward game, and the other was an altered version that silently steals users' online banking credentials.
Yet sometimes users don't even have to click "download" to expose themselves to dangerous apps. Milbourne said that, because pre-installed Android apps often carry unrestricted permissions, attackers have successfully exploited those apps to gain broader permissions and install malware.
Many of these and similar Android app security issues result from what Milbourne called operating system diversity. Google's latest Android OS series, 4.x, also known by its codename Ice Cream Sandwich, was released in October and provides a number of security improvements. However, most Android devices in use today still run a 2.x operating system, Milbourne said, which is susceptible to numerous exploits.
"Google does a fine job patching these exploits; however, the users of the devices do not have the newest upgrade path," Milbourne said. "That could be a disservice to the shoppers, and the blame falls on the carriers and the device manufacturers. They do not want you to update; they need you to purchase a better device with the recent OS stock-installed."
However, Orozco said there are many solid Android malware defense tools and strategies available that can help practitioners identify attack techniques and threatening applications. For starters, he suggested testing some of the apps available in the official Android Market, as well as on forums, torrents and third-party markets, especially Russian markets.
Using free tools, it's possible to set up a system as an Android device emulator and then scrape various locations on the web to download and install apps and evaluate their behavior. From there, Orozco said, it's simply a matter of gathering data on the methods, classes and services the apps use, since malware authors reuse common ones repeatedly.
"A variety of this [malware] is truly lazy, and the malware authors just like to get stuff out," Orozco said.
For those interested in more in-depth, manual analysis of Android malware, Orozco said there are many free tools for that, too. Dexdump, which comes with the Android SDK, dumps dex code and produces an output file that lists all of the program's functions and strings. Related tools called Dedexer and Baksmali convert dex-format files into bytecode or readable text.
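As an added illustration of the static step Orozco describes (dumping a dex file's strings, then looking for the methods and classes that malware authors reuse), the Python below is an example written for this page, not code from the article, from Webroot or from the Android SDK. It parses the string table of a `classes.dex` image directly, the same table a dexdump string listing comes from, and checks the result against a small watch list. The sample dex image, the watch list and the `c2.example.invalid` endpoint are constructed for the example; the dex header layout it relies on is the documented dex 035 format.

```python
"""Static triage of an Android classes.dex string table (added example)."""
import struct

DEX_MAGIC = b"dex\n035\0"   # magic for dex format version 035
HEADER_SIZE = 0x70          # fixed size of the dex header

# Watch list (an assumption for this example, not a list from the talk):
# API names and paths that deserve a closer look when they turn up in
# the string table of a supposed game.
WATCHLIST = {
    "Landroid/telephony/SmsManager;": "SMS API referenced (premium-SMS abuse is common)",
    "sendTextMessage": "sends SMS without a user-visible composer",
    "getDeviceId": "reads IMEI (device fingerprinting)",
    "getSubscriberId": "reads IMSI (subscriber fingerprinting)",
    "/system/bin/su": "hard-coded path to a root binary",
}


def _uleb128_encode(value):
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _uleb128_decode(data, off):
    result, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7


def build_minimal_dex(strings):
    """Construct a dex image holding only a header and a string table.

    Constructed sample input: enough of the format for extract_strings
    below, not a loadable dex (no types, methods or classes).
    """
    n = len(strings)
    ids_off = HEADER_SIZE            # string_ids start right after the header
    data_off = ids_off + 4 * n       # string_data_items follow the id table
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        utf16_units = len(s.encode("utf-16-le")) // 2   # dex stores UTF-16 length
        data += _uleb128_encode(utf16_units) + s.encode("utf-8") + b"\0"
    header = bytearray(HEADER_SIZE)
    header[0:8] = DEX_MAGIC
    struct.pack_into("<II", header, 0x20, data_off + len(data), HEADER_SIZE)
    struct.pack_into("<I", header, 0x28, 0x12345678)    # endian tag
    struct.pack_into("<II", header, 0x38, n, ids_off)   # string_ids_size/off
    struct.pack_into("<II", header, 0x68, len(data), data_off)
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)


def extract_strings(dex):
    """Return every entry of the dex string table, in id order."""
    if dex[:4] != b"dex\n" or len(dex) < HEADER_SIZE:
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    result = []
    for i in range(count):
        (item_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, off = _uleb128_decode(dex, item_off)
        end = dex.index(b"\0", off)
        # Dex uses MUTF-8; for the ASCII/BMP strings seen in practice plain
        # UTF-8 decoding is adequate, and 'replace' keeps odd bytes from crashing triage.
        result.append(dex[off:end].decode("utf-8", errors="replace"))
    return result


def triage(strings):
    """Map each suspicious string to the reason it was flagged."""
    hits = {}
    for s in strings:
        if s in WATCHLIST:
            hits[s] = WATCHLIST[s]
        elif s.startswith(("http://", "https://")):
            hits[s] = "hard-coded network endpoint"
    return hits


# Constructed sample: a 'game' whose string table also references the SMS API.
SAMPLE_STRINGS = [
    "Lcom/example/game/MainActivity;",
    "onCreate",
    "score",
    "Landroid/telephony/SmsManager;",
    "sendTextMessage",
    "http://c2.example.invalid/gate",
]

if __name__ == "__main__":
    for s, why in triage(extract_strings(build_minimal_dex(SAMPLE_STRINGS))).items():
        print(f"{s:40s} {why}")
```

On a real sample the same `extract_strings` call works on the `classes.dex` pulled out of the APK zip; the watch list is the part an analyst grows over time as the same API names recur across families, which is exactly the data-gathering Orozco describes.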
He also noted a number of helpful dynamic analysis tools, including DroidBox, TaintDroid and ARE Virtual Machine. Network traffic analyzers are useful as well, Orozco said, recommending Wireshark, Tcpdump and Shark for Root. Amateur researchers have one advantage, Milbourne said, in that malware authors rarely use packers or obfuscators, often relying on plain, easily decompiled Java.
For all organizations that use or allow Android-based devices, Orozco said that every device should be protected with a PIN or password, have personal or confidential data encrypted and backed up, and have a means to remotely disable or erase it if lost or stolen. When vetting Android apps, he said apps should only be downloaded from trusted sources, and users should be encouraged to take the time to read reviews of the apps and research the ratings of app developers.
Milbourne said mobile device management products can help defend Android devices by enabling security teams to create group-based policies that prevent or restrict apps or features from running.
"The suitable thing to do is have an education plan and a smartphone policy," Milbourne said. "You may avoid simple mistakes like not having adequate device locks. Even have employees sign a document saying they understand the dangers related to smartphones."