II – Mobile Viruses: Truths, Fiction and Primers for Cops

Posted on 23 May 2011 by


We’ve recently seen some extraordinary activity in the mobile device virus world, as heaps of hype and piles of blogposts were shoveled on the world. We were left with the impression that iPhones, iPads and Macs had finally succumbed to the wrath of the malicious code writers; that Google’s android phones were completely insecure; and that BlackBerries are the world’s most boring platform.

The truth is less exciting, but the truth, and it’s probably good to know it, especially in these days when agencies are contemplating standardizing on device platforms.

Last Friday, our Metric of the Week: Cops, Video, Smartphone Penetration & Dropped Complaints was talking about how everyone that the police come in contact with is likely to be carrying a smartphone (with a personal recording device), and in that piece we printed a chart from Gartner Group on mobile device manufacturer market share. It’s worth printing that once again as a reference before we move on:

The Smartphone World According To Gartner

Company             1Q11 Units (thousands)   1Q11 Market Share (%)   1Q10 Units (thousands)   1Q10 Market Share (%)
Android                           36,267.8                    36.0                  5,226.6                     9.6
Symbian                           27,598.5                    27.4                 24,067.7                    44.2
iOS                               16,883.2                    16.8                  8,359.7                    15.3
Research In Motion                13,004.0                    12.9                 10,752.5                    19.7
Microsoft                          3,658.7                     3.6                  3,696.2                     6.8
Other OS                           3,357.2                     3.3                  2,402.9                     4.4
Total                            100,769.3                   100.0                 54,505.5                   100.0

Source: Gartner (May 2011)

As we can see, in the first quarter, Google’s Android devices had more than twice the market share of Apple’s iPhone (iOS), with 36% and 16.8% of the market respectively. Manufacturers interested in law enforcement should note that, when Dave and I talk about law enforcement technologies playing nicely with others, we are talking about not creating products which exclude hardware and software made by other vendors, in the manner that Apple does. We’ve said that,

…this means, on a practical level, creating walled gardens as opposed to open frameworks. Dave and I believe that, to become irreplaceable to a customer, one must throw open the doors, not build higher fences. When an agency uses something and comes to rely upon it, that product becomes more integrated into the department’s workflow — what vendor doesn’t want to become more richly integrated in his customer’s environment?

It’s gratifying to note that, while the iPhone is a truly wondrous piece of equipment, and its users love it (and, to take it one step further, I personally own one), Apple’s model of total control of the ecosystem pales competitively with that of Google – which has made a Linux-derived operating system and allowed as many vendors as possible to jump in and develop for it – in fact, working with the Open Handset Alliance encouraged development in a range of fronts.

We’ll see that this model leads to greater market-share but also to more problems with attacks and malcode.

First, let’s go over to the Mac world, where last week doomsayers started claiming that everything was going to be just as sucky as it is in Windows World, where malicious code infects every memo. The kerfuffle started earlier in the month when Ed Bott proclaimed that serious malware was coming soon to a Mac near you. He followed up a few days later with reasons why he claims malware is coming for the Mac. Other stories are on What a mac malware attack looks like, how even AppleCare reps are noticing this alarming new trend in Mac Malware, and how Mac support forums are losing their lunch over how awful everything is.

To review,

Ed Bott is … the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

And that is what my dad would refer to as a, “Conflict of Interest.” That’s a tip, kids, you might want to write that down. This is like Dave writing How-To Guides for criminals – they might (rightly) suspect that the tips Dave gives are designed, you know, to get you caught. It’s a conflict because Dave, as a veteran police sergeant and investigator, has a vested interest in the criminals getting caught. Bott makes money when people buy Windows products; for him to review the security of Mac products is a little rich.

Last week, my wicked-smart friend Andy Jaquith wrote an astonishingly good piece on this, Don’t Panic Over the Latest Mac Malware Story, in which he highlighted some of the issues with Ed’s claims.

It is true that Macs aren’t dusted with some sort of magic unicorn Unix-y pixie powder that makes them less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By “fewer” I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By “less evolved” I mean “nonexistent,” this one example notwithstanding.

The business of malware, in the Windows world, is a lot like the fast food industry, with results almost as toxic. Crime syndicates sell dozens of exploit kits, readily available from purchase or rental on underground forums. It’s a super-sized supply chain operation with raw materials manufacturers (who turn exploits into weapons), assemblers (who make the exploit kits), distributors (forums), franchisees (who run botnets) and customers (victims).

However Andy raises an additional specter: that publicity about the malware on the Mac will result in Apple becoming even more Draconian, less open, with its platform. He writes,

I predict that the increase in perceived risks to Mac customers will give Apple the excuse it needs to increase its control over the Mac software ecosystem, by moving [Independent software vendors] to the Mac App Store. It is no accident that the theme of the upcoming Lion desktop operating system is “Back to the Mac”: taking concepts that Apple employed successfully with the mobile version of OS X (iOS) and back-porting them to the desktop OS

And we’ll let Andy have the last word on that.

Meanwhile over in what we have been saying is the “better” world of Android, different problems emerge. Turns out that there are some security issues with flinging open the doors as Dave and I keep espousing.

Last November, penetration tester and researcher Thomas Cannon discovered a vulnerability in Android phones in which “a malicious website [may be able] to get the contents of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.” Cannon notified the Android security team on 19 November and it responded that it would fix the issue with the rollout of version 2.3.

In January, Metasploit released an exploit for this bug, reminding you all of the fact that it’s not just about the vulnerabilities, it’s about the ease of access to code that exploits the vulnerabilities. Anyone counting on the difficulty-level of exploits should contact me, as I have a really nice, and only slightly-used, bridge to sell you (as we mentioned recently in our post on Some New Cyber Tools for Law Enforcement, Metasploit is available in the BackTrack distribution, but we should also mention that BackTrack does not always contain the latest version of Metasploit).

It is now important to note two things.

First, as I say, the free availability of an exploit for this bug should answer the question of how difficult or trivial exploitation of Cannon’s vulnerability is, but, also:

Second, in the words of Metasploit’s developer of the exploit (who, by the way, created it using nothing but HTML and JavaScript), “Now, take a deep breath and give some thanks to the fact that, under Android, most every process runs under a separate, confined, unix-style user account. This design feature partially mitigates this issue, lowering confidentiality impact to “Partial” and bringing the CVSS score from 5 to 3.5. That said, an attacker can still gain access to some pretty interesting stuff.”

In February, Dan Wallach, associate professor in Rice University’s Department of Computer Science, wrote on the Freedom to Tinker blog that he and his undergraduate security class set up sniffers to listen in on their Android phones. Among their findings:

  • Google properly encrypts traffic to Gmail and Google Voice, but they don’t encrypt traffic to Google Calendar. An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar.
  • The free version of Angry Birds, which uses AdMob, appears to preserve your privacy.
  • SoundHound and ShopSavvy transmit your fine GPS coordinates whenever you make a request to them. One of the students typed the coordinates into Google Maps and they nailed me to the proper side of the building I was teaching in.
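The class’s findings boil down to two checks a defender can run on any phone’s traffic capture: which services are contacted over plain HTTP (so an eavesdropper on the same Wi-Fi reads everything), and which of those cleartext requests carry location parameters. The script below is an added example, not from the original post or from Wallach’s class; the capture lines, the app names paired with them and the `.example` hostnames are constructed for illustration, and the set of query-parameter names treated as “location” is an assumption you would extend for your own apps.

```python
"""
Classify captured mobile HTTP/HTTPS requests by whether they travel in
cleartext, and flag cleartext requests that carry location parameters.

Added example, not from the original post or the Rice class. The capture
lines below are constructed (hosts use .example), not real sniffer output.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sniffer summary: one "<app> <url>" pair per line.
SAMPLE_CAPTURE = """\
mail        https://mail.google.com/mail/feed/atom
calendar    http://www.google.com/calendar/feeds/default/private/full
angrybirds  https://r.admob.com/ad_source.php?s=abc123
soundhound  http://api.soundhound.example/search?q=song&lat=29.7174&lon=-95.4018
shopsavvy   http://api.shopsavvy.example/lookup?upc=012345678905&latitude=29.7174&longitude=-95.4018
voice       https://www.google.com/voice/inbox
"""

# Assumed set of query keys that denote a device location; extend as needed.
LOCATION_KEYS = {"lat", "lon", "latitude", "longitude", "loc"}


def parse_capture(text):
    """Turn '<app> <url>' lines into dicts with app, scheme, host and query params."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, url = line.split(None, 1)
        parts = urlsplit(url)
        requests.append({
            "app": app,
            "scheme": parts.scheme.lower(),
            "host": parts.hostname or "",
            "params": parse_qs(parts.query),
        })
    return requests


def cleartext_hosts(requests):
    """Hosts contacted over plain HTTP: everything sent to them is readable on the wire."""
    return sorted({r["host"] for r in requests if r["scheme"] == "http"})


def cleartext_location_leaks(requests):
    """Apps that put location parameters into a request an eavesdropper can read."""
    leaks = []
    for r in requests:
        if r["scheme"] != "http":
            continue
        leaked = sorted(k for k in r["params"] if k.lower() in LOCATION_KEYS)
        if leaked:
            leaks.append((r["app"], leaked))
    return leaks


def report(text):
    """Run both checks over a capture summary and return the findings."""
    reqs = parse_capture(text)
    return {
        "cleartext_hosts": cleartext_hosts(reqs),
        "location_leaks": cleartext_location_leaks(reqs),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

On the constructed sample, the calendar endpoint shows up as cleartext (but leaks no location), Gmail, Google Voice and the AdMob request are HTTPS and drop out, and the two apps sending coordinates over HTTP are the ones flagged; a real capture would feed the same functions from a proxy or sniffer export instead of the inline string.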

In March, the DroidDream malware, along with 50 or so other apps, was removed from the Android environment, with pundits claiming the end of malware-free phones as we know them (but with instructions on removing the “Android Nightmare”).

Then this month, mounds of defecation hit the ventilation on Android authentication, after the publication by Bastian Könings, Jens Nickels, and Florian Schaub at the Institute of Media Informatics at Ulm University (Germany), Catching AuthTokens in the Wild: The Insecurity of Google’s ClientLogin Protocol. Security blogs are claiming that 99.7% of Android users are potentially open to compromise.

I urge you to listen to our podcast with Aaron Turner and Mike Vallez on some dangers and some wonderful qualities of mobile devices.

And, finally, to make it clear that we’re not trashing either phone platform, we’ll give the last word of this Intel Intelligencer to Lifehacker, which recently published Top Ten Awesome Android Features The iPhone Doesn’t Have and Ten ways iOS outdoes Android phones.