News  Android
News  Android
SMS Worm


In a return to the old-school way of spreading smartphone viruses, the recently discovered Andr/SlfMite-A worm "merely" sends a link to a site via an SMS to the first 20 contacts on the handsets it infects. This has proven to be a tricky method to stamp out however, since a users contacts usually trust those in each others contacts lists and so tend to click the link instinctively. The target link then installs the same virus to the recipients handset, and so the whole process begins again.

It does more

The days when these kind of worms spread for fun and did nothing else are long gone. This one, once on an infected device, tries to install Mobogenie, which is an alternative to Google's Play Store. Whilst there may well be nothing wrong with Mobogenie, it is obviously a concern that a virus is attempting to get users to download apps from a non-Google trusted app store. This is how it appears when it arrives on a handset:


Full details...

News  Android
The Fake-id bug hits Android

Not fully checking security certificates

A long-standing defect in the Android certificate security system has been uncovered by BlueBox Labs. Google has confirmed a fix has already been applied, but concerns still exist over Android devices which live outside the Google mothership, and therefore won't be updated automatically. A Google spokesperson said "We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users."

Forgot to double-check

Present in Android versions 2.1 to 4.4, the origins of the bug actually begin with the Apache open source web communications code, which is used by Android for managing its security certificates. Put simply, what's been happening is that the system of "I trust who you trust" - i.e. the chain of trust relationships - has been failing to actually double-check those in the chain really are who they say they are. This is important because some apps are granted special privileges - for example, Adobe's flash player - which then gain access to areas not usually allowed even with the users permissions. These special apps just wouldn't work otherwise, such as in the Flash example which needs access to lower-level functions by its very nature. So, if an app could somehow switch the Adobe cert to a fake one but keep its id, Android wouldn't then "phone home" to check the cert is genuine and continue to grant it these elevated privileges. It's the "phone home" part which has now been fixed.

News  Android
New security system coming with Android L?

Hints from Google I/O at permission fixes

Along with the fanfare surrounding the UI makeover termed "material", this years Google I/O threw up some other interesting nuggets which needed the boffins over at XDA Developers to uncover properly. It seems there is code in the Android L preview which throws up a screen asking for "at-time-of-use" permissions, like iOS, as opposed to the "at -time-of-install" only ones we see today. The implementation is purely speculative - i.e. it could turn out to use both, for example - but the mere presence of such code is the smoking gun you'd see if such changes were coming.

Users benefit

The existing permission system Android uses hasn't changed much from the start. It asks the users what features of the handset they are willing to grant to the app at the point of install only. Granted, if a future upgrade changes the required permissions they are again prompted to provide them, but it's all seen as rather a kludge in that something the user agreed to some time ago now has "free reign" over their data without reminding them exactly what it's allowed to do.

News  Android
Android virus

Unofficial app stores are a hackers paradise

Kaspersky Labs are warning Android users that the growing threat from malware has reached upwards of 10 million apps. The danger this poses ranges from stealing passwords, sending spam, sending premium text messages charged to your account or even turning your handset into a zombie controller capable of launching attacks on other targets. They have also identified a new kind of target - the booming virtual currency systems appearing now such as BitCoin.

Going for the money

By far, however, the largest target was financial information. Banking apps are an obvious target, but increasingly a "pure" virus isn't the only method - social engineering malware also plays a part, for example taking over a Facebook or Twitter account. Multiple attack vectors also play a role - even basic attempts such as links sent via SMS, which then download malicious Apps when clicked. Kaspersky's report states Android is the target for 98.05% of known (mobile) malware.