But now it appears that apps with no permissions pose a new threat, gaining access to sensitive personal information without authorization. Leviathan Security Group researcher Paul Brodeur explained in a blog post earlier this week that he created a proof-of-concept to demonstrate that “no permissions” apps still have access to the device’s SD card, handset identification data, and files stored by other apps.

On the SD card, Brodeur’s app yielded a list of all non-hidden files, including photos, backups, and external configuration files. Brodeur said he found that OpenVPN certificates were stored on his own device’s SD card.

“While it’s possible to fetch the contents of all those files, I’ll leave it to someone else to decide what files should be grabbed and which are going to be boring,” he said.

He then fetched the /data/system/packages.list file to which apps were installed on the device and scanned the directories to determine whether sensitive information could be read from those directories. He said during testing that he was able to read some files belonging to other apps. “This feature could be used to find apps with weak-permission vulnerabilities, such as those that were reported in Skype last year,” he said.

Lastly, Brodeur’s app was able to gather the handset’s identification information. Without the “PHONE_STATE” permission, applications can’t read the device’s International Mobile Equipment Identity or International Mobile Subscriber Identity. However, the Global System for Mobile Communications information and SIM vendor IDs could still be read.

“Though this app uses buttons to activate the three different actions detailed above, it’s trivial for any installed app to execute these actions without any user interaction,” he wrote.

Brodeur said he tested the app on Android 4.0.3 Ice Cream Sandwich and Android 2.3.5 Gingerbread.

Source: Steve Musil/CNET

A security researcher Trevor Eckhart  has posted a video detailing hidden software installed on smart phones that logs numerous details about users’ activities.

In a 17-minute video posted Monday on YouTube, Trevor Eckhart shows how the software – known as Carrier IQ – logs every text message, Google search and phone number typed on a wide variety of smart phones – including HTC, Blackberry, Nokia and others – and reports them to the mobile phone carrier.

 Eckhart showed his findings off first in the XDA Developer Forums. Once his first findings were found by Carrier IQ (again, an app that runs in the background that you may never have known is on your device right this second), they threatened legal action against him. As it turns out thanks to the support from the EFF (Electronic Frontier Foundation), Carrier IQ has decided not pursue a lawsuit against TrevE, issuing a statement apologizing for their actions.

“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”

 
When they found that legal threats weren’t going to do them any good, they sent out word to the public that their software does not record keystrokes or other personal information. What we’re to understand today if Eckhard’s findings are true is that this claim was quite simply incorrect.

 On its website, Carrier IQ, founded in 2005, describes itself as “the world’s leading provider of Mobile Service Intelligence solutions.” Carrie IQ has since issued the following press release: [showhide type=”pressrelease” more_text=”Show Press Release” less_text=”Hide Press Release ” hidden=”yes”]MEDIA ALERT
Measuring Mobile User Experience Does Matter!
Mountain View, CA – November 16, 2011 – Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices.
Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices – feature phones, smartphones and tablets. This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.
While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.
Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements. Carrier IQ enables a measurable impact on improving the quality and experience of our customers’ mobile networks and devices. Our business model and technology aligns exclusively with this goal.
For media Commentary, contact:
Mira Woods
Phone: 617-513-7020
Email: mwoods@carrieriq.com
www.carrieriq.com[/showhide]

As an IT Security Professional and a Certified Ethical Hacker (C|EH) one thing I have noticed is malware is on the rise. The complexity and the growth of malware have more than just tripled in the last six months. What we have witnessed and will be witnessing is a change in the threat landscape. Clever new ways have cropped up to compromise new devices of which, fake antivirus are on the rise and password stealing malware are showing a sudden surge in the level of activity. Their ability to adapt to avoid detection is one aspect that needs to be taken into consideration.

Smartphone malware is hardly a new concept, but the tools being used by hackers to crack smartphones are new and more clever than ever. As apps developed for phones become more platform neutral (able to operate on android, windows 7 etc and able to run HTML, XML, Flash etc), there is increased likelihood that web-based worms will rise up and start to be more of an issue as the hosts which they can spread to become more numerous.

The SpyEye hacker application is but one example. SpyEye seeks to intercept bank issued SMS codes (for the purposes of online banking) and redirect them to the hacker without the knowledge of the phone’s owner. SpyEye which is often installed unknowingly by a user when they download other apps. Quite often it sits dormant, waiting for the right flags to be triggered before engaging. Infosecland.com recently reported that:

“SpyEye is known to be one of the more powerful data-sniffing Trojans ever developed, and the release of the source code means the likelihood that there will be a dramatic increase in its application is a very real scenario”

McAfee Q2 2011 Threats Report Shows Significant Growth for Malware on Mobile Platforms

Report Shows Record Growth for Malware and Rootkits; Major Hacktivist Activity

SANTA CLARA, Calif.–(BUSINESS WIRE)–McAfee today released the McAfee Threats Report: Second Quarter 2011, showing that the amount of malware targeted at Android devices jumped 76 percent since last quarter, to become the most attacked mobile operating system. 2011 has also resulted in the busiest ever first half-year in malware history, including a first-ever appearance of Mac fake AV and a significant uptick in rootkits, suggesting that McAfee’s comprehensive malware “zoo” collection will reach a record 75 million samples by the year’s end.

“This year we’ve seen record-breaking numbers of malware, especially on mobile devices, where the uptick is in direct correlation to popularity”

“This year we’ve seen record-breaking numbers of malware, especially on mobile devices, where the uptick is in direct correlation to popularity,” said Vincent Weafer, senior vice president of McAfee Labs. “Overall attacks are becoming more stealth and more sophisticated, suggesting that we could see attacks that remain unnoticed for longer periods of time. High-profile hacktivist groups have also changed the landscape by drawing a line between attacks for personal gain and attacks meant to send a message.”

The report also details specific activity shaping the way cybercriminals operate, such as cybercrime “pricebooks” that determine the going rate for large email address lists, and acts of hacktivism and cyberwar.

2011 On Track to Reach Record “Malware Zoo”

With an approximate 12 million unique samples for the first half of 2011, a 22 percent increase over 2010, this has been the busiest first half-year in malware history. With the addition of Q2’s numbers, the grand total of total malware samples in McAfee’s database has reached approximately 65 million, and McAfee researchers estimate that this “Malware Zoo” will reach at least 75 million samples by the year’s end.

Android Nabs Top Spot for Most Mobile Malware

With the vast amount of personal and business data now found on user’s mobile phones, mobile malware is steadily increasing, often mimicking the same code as PC-based threats. In the second quarter of 2011, Android OS-based malware surpassed Symbian OS for the most popular target for mobile malware developers. While Symbian OS and Java ME remain the most targeted to date, the rapid rise in Android malware in Q2 indicates that the platform could become an increasing target for cybercriminals – affecting everything from calendar apps, to comedy apps to SMS messages to a fake Angry Birds updates.

Fake Anti-Virus for Apple, Rootkits and Stealth Malware Reach New Terrain

There are more Mac users than ever before, and as organizations increasingly adopt Macs for business use, Apple now has become more a target for malware authors. Though historically the Apple platform has been unaffected by fake anti-virus (fake AV) software, activity in Q2 indicates that it is now being affected. Although this type of fake AV is the first of its kind, McAfee Labs does expect fake AV in general will drop off over time.

Another malware category that is demonstrating recent steady growth is stealth malware. The tactic of hiding malware in a rootkit is used by cybercriminals to make malware stealthier and more persistent, and has seen this type of attack gain in prominence over the past year, with high-profile attacks such as Stuxnet. Stealth malware has increased more rapidly in the last six months than in any previous period, up almost 38 percent over 2010.

Acts of Hacktivism and Cyberwar Make Their Mark

Acts of hacktivism, primarily from the groups Anonymous and LulzSec, were among some of the most prominent cyber news generators for Q2. The report details hacktivist activity from Q2, with at least 20 global attacks reported in Q2 alone, and with the majority allegedly at the hands of LulzSec. The report also outlines acts of cyberwar that occurred in Q2, including attacks on United States’ Oak Ridge National Laboratory, and an attack on South Korea’s National Agricultural Cooperative Federation.

Email “Black Market” for Spammers

Though spam is still at historic low levels, due in part to the Rustock takedown, McAfee Labs still expects to see a sharp rise in activity over the coming months. A common method for cybercriminals to increase their volume of spam activity is to purchase a bulk list of emails in order to flood as much spam as possible to a widespread group of people. Whether it’s a botnet or a rental service, prices vary for such enterprises, often by location. For instance, in the United States, the going rate for 1 million emails is $25, whereas in England 1.5 million emails are worth $100.

For more information on trends related to hacktivism, cyberwar, web threats and malware, please download a full copy of the McAfee Threats Report: Second Quarter 2011 at http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2011.pdf