Mobile malware

It’s been a busy few weeks in the security world; here we bring you a brief round-up of the most important stories that will help keep your data and devices safe.

Happy birthday mobile malware!

2014 is the 10th anniversary of viruses and the like appearing on mobile devices. While early efforts were crude, their complex descendants mean we all need to remain vigilant when we’re out and about.

"It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers," explains Joe Ferrar, mobile security expert at Symantec. "Back then, the user had to manually accept the file transfer and agree to the worm’s installation before the malware could infect the device. Over the past decade, the creators of mobile malware have become more sophisticated and prolific; between 2012 and 2013 alone, Symantec recorded a 69 percent growth in malware designed for mobile devices, mainly affecting Android phones." A separate report increased this number to eye-watering levels, with Android accounting for 97 percent of all global mobile malware. The most damning statistic, though, was that the other 3 percent wasn’t made up of iOS, BlackBerry, or even Windows Phone - all of which had a remarkable 0 percent of new threats - but rather the now defunct Symbian platform that once graced Nokia phones.

But before you set fire to your Android device and jump ship to an iPhone, there is a very important statistic that the report pointed out: only 0.1 percent of apps on the Google Play store were found to contain malware, and those that did were usually dealt with quickly.

It seems that the vast majority of infected apps reside in third-party app stores, predominantly in emerging nations. So the advice is to stick to the official channels and you should remain safe from any nasty, data-stealing versions of Flappy Bird. Of course that doesn’t mean you’re completely immune from attacks, with other vectors remaining open due to your mobile device being connected to the internet.

‘Mobile threats will continue to evolve, particularly as mobile phones are used more widely as identification tokens and payment solutions in the future,’ Joe Ferrar asserts. ‘We anticipate that scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure they may seem. As consumers are increasingly accessing their social media profiles on the go, the risks of app-based malware look set to soar. We trust our mobile devices and the apps that run on them to make our lives better, and suspend disbelief for that device that sits in our pocket. Cybercriminals will take advantage of this trust in 2014. We’re not just talking about malware – mobile apps are going to be behind hoaxes, cons and scams over the next few years.’

Apple security vulnerabilities exposed

The California giant has long boasted that its iOS and OS X operating systems are the safest around. In many ways this is correct, as Macs account for a small percentage of the computers used in the world, making them a low-yield target for hackers, and iOS is a heavily locked down environment.

It came as quite a surprise, then, when it was revealed that both systems were seriously compromised, not due to a virus or malware attack, but because of an erroneous line of code inserted by an Apple programmer.

When you navigate to a secure website, the site presents a certificate that your browser verifies to prove the site’s authenticity. This is an important safety procedure to ensure that you don’t become the victim of a spoof site seeking to hijack your data. The SSL/TLS bug in the Apple code meant that this vital verification step was never completed, making Mac and iDevice users extremely vulnerable to ‘Man in the Middle’ attacks. The reason for the failed validation was a simple case of a repeated line of code: the statement ‘goto fail;’ appeared twice in a row, so the second copy always jumped past the signature check regardless of whether the preceding test had failed, resulting in the shocking security breach.

The fault was introduced in iOS 6 and OS X 10.9 Mavericks, meaning that it has been in the wild for some time. Applications using Apple’s SecureTransport API are the ones affected, which includes the Safari browser, Apple Mail, iMessage, and FaceTime, among others. Apple has since released patches for both platforms which eradicate the fault, so if you have an Apple device running iOS 6/7 or OS X Mavericks be sure to install the update as soon as possible.
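To show why one stray line was enough, here is an added example (constructed for this article, not Apple’s SecureTransport code) that models the shape of the affected signature check: each step returns 0 on success, and the buggy version’s duplicated ‘goto fail;’ jumps to the exit while err is still 0, so a forged signature is accepted. The handshake_t fields and the verify functions are assumptions for illustration.

```c
#include <stdbool.h>

/* Constructed model of the handshake verification (added example).
   Each hash step returns 0 on success; raw_verify models the real
   signature check: 0 = signature valid, non-zero = signature bad. */
typedef struct {
    int hash_server_random;   /* result of hashing serverRandom */
    int hash_signed_params;   /* result of hashing signedParams */
    int raw_verify;           /* result of the signature verification */
} handshake_t;

/* Buggy shape: the second "goto fail;" is not guarded by the if, so it
   always runs with err == 0 and the signature check is never reached. */
int verify_buggy(const handshake_t *h)
{
    int err;
    if ((err = h->hash_server_random) != 0)
        goto fail;
    if ((err = h->hash_signed_params) != 0)
        goto fail;
        goto fail;                      /* duplicated line: unconditional */
    if ((err = h->raw_verify) != 0)     /* dead code in the buggy build */
        goto fail;
fail:
    return err;                         /* 0 means "handshake OK" */
}

/* Fixed shape: one goto per check, so a bad signature makes err != 0. */
int verify_fixed(const handshake_t *h)
{
    int err;
    if ((err = h->hash_server_random) != 0)
        goto fail;
    if ((err = h->hash_signed_params) != 0)
        goto fail;
    if ((err = h->raw_verify) != 0)
        goto fail;
fail:
    return err;
}

/* Returns true when a handshake with a forged signature is accepted. */
bool accepts_forged_signature(int (*verify)(const handshake_t *))
{
    handshake_t forged = { 0, 0, 1 };   /* constructed: hashes fine, signature bad */
    return verify(&forged) == 0;
}
```

Compiling with unreachable-code warnings enabled (or simply reading the diff) is what catches this class of defect; the fixed version only differs by the removed line.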

Linksys owners not over The Moon

Reports have emerged from the SANS Institute’s Internet Storm Centre (ISC) detailing a strange malware that is seemingly widespread among Linksys E-series routers and some Belkin Wireless-N models. Dubbed TheMoon, due to images contained in the malware which originate from the 2009 film Moon starring Sam Rockwell, this self-replicating program exploits a vulnerability in the Remote Management Access feature to gain control of the devices. These in turn then look for other routers to infect.

The malware sends a request to the Home Network Administration Protocol (HNAP) to determine the model and firmware version of a router. If the response matches a known vulnerable device, TheMoon sends a script which is executed locally, giving the malware access. So far it’s not entirely clear what the program is for, as its primary function seems to be to look for more routers, but there are suggestions that it could be used as part of a botnet that attackers could control remotely.

An official statement from the manufacturer was released after news about the exploit began to circulate.

‘Linksys is aware of the malware called The Moon that has affected select older Linksys E-series Routers and select older Wireless-N access points and routers. We will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.’

The company also added that the ‘exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default.

Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware.’

A guide for removing the threat is now available on Linksys' site.