Friday, September 25, 2015

iPhones & Android at risk as smartphone malware increases

These past few months have raised concerns for mobile phone manufacturers and users alike. Indeed it does not seem to matter which platform one is using as hardly a week goes by when another exploit or vulnerability is publicised.

iPhone users this week found that Apple's so-called walled garden, where every app is vetted before being made publicly available on iTunes, was not enough to prevent infected apps being posted to the site.

Apple makes and distributes a suite of software development tools design to make apps for iOS and OSX. However, app developers in some countries had used fake software infected with malware. This in turn led to the distribution of malware infected apps which could pass on user data to undisclosed servers somewhere in the world.

The malware in the apps was so carefully hidden that Apple's own vetting system failed to spot it and the company only became aware after the issue was brought to their attention by Palo Alto Networks, an American network security company based in Santa Clara, California.

Rotten Apples hit by worms

Most of the apps identified in a list made available by Palo Alto Networks were Chinese apps and included the popular WeChat app which is used by millions of people in China and around the world.

What appears to have happened is that app developers in China downloaded the fake software from servers in China not related to Apple.

"In China - and in other places around the world - sometimes network speeds are very slow when downloading large files from Apple's servers," explained Palo Alto Networks in a blog post. "As the standard Xcode installer is nearly three gigabytes, some Chinese developers choose to download the package from other sources."

Indeed a simple search for 'Xcode 下载 ' on Google, and more importantly China's main search engine Baidu, offers up dozens of pages hosting the compromised version of the software.

Effects of Internet censorship

There was some indication that China's Internet restrictions may be partly to blame. The so-called Great Firewall of China which is employed to censor offensive and illegal material has another undesired effect of slowing down the Internet when it comes to opening pages beyond China's borders.

Even if a website is not blocked it must still pass through the Great Firewall's filtering system which may strip out certain web content. For example some pages may have embedded comment boards which use a Facebook log-in. Since Facebook is blocked in China these webpage elements will be stripped out before it arrives in a person's browser.

The firewall also looks for a series of banned words and terms. So even if a news website is otherwise available in China, should a page have a reference to the Dalai Lama, the Tiananmen Square Massacre or other contentious subjects, that page may be blocked. 

In fact even Chinese based websites, unless on a 'white list', may pass through filtering systems in order that the page be checked for 'illegal' content. The result is that even 'legitimate' and otherwise 'safe' websites may be extremely slow to load.

Putting customers at risk

Given downloading issues in China, app developers there sought quicker, but unsafe, alternatives. The average connection speed in cities like Beijing and Shanghai is only around 5 mbps [Source: SCMP] and so for small independent developers, with even slower connections, choosing a local source to download Xcode seemed to be a no-brainer.

But it wasn't just the small independent developers that downloaded and developed apps with the dodgy software. Even Internet giants such Tencent, which make the popular WeChat, were caught out and developed apps with the fake XcodeGhost software.

Damage control

Apple have responded by removing any infected apps from its walled garden. But much of the damage has already been done.

Many iPhone users, in China and around the world, may already have had their data compromised. Some may still be unaware of the bugs and even if they are, they may not know which apps to delete and replace with legitimate ones.

China is a place where rumours are abound on the Internet, and given the severity of the bug, even official Chinese media stepped in to alert people in China that the 'rumour' was in fact true and that users should delete or update the relevant apps.

For Apple this is a PR nightmare. Despite a proactive response, there may be some users who will lose their trust with the company. And in a country like China where mobile phone use is on the rise, this could be devastating for Apple.

China is a lucrative market for Apple, although iPhone use is still way below that of cheaper Android devices. Thus the firm will be pulling out all the stops in damage control, identifying and pulling apps from its online store [PC World / ArsTechnica].

App developers too were seeking to reassure their users. WeChat, known as Weixin in China, posted a statement on its blog saying that the latest version was risk free, but did not say how long users had been using a compromised version of the app.

"This flaw has been repaired and will not affect users who install or upgrade WeChat version 6.2.6 or greater," the statement said. The statement also claimed that there had been "no theft and leakage of users' information or money, but the WeChat team will continue to closely monitor the situation." [Bloomberg]

Anger & trust

This may be little solace for those who have used the app and had their data compromised. And there is an issue of trust since WeChat and others did not apply common sense or stringent security protocols when developing their app by using the official bonafide Apple software.

Indeed there seemed to be an angry response from Apple which said that developers "put customers at risk by downloading counterfeit software." Meanwhile Apple said they were now implementing more stringent vetting and verification systems. In a further criticism of the app developers concerned, the company said "Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install." [Apple]

There seemed also to be anger coming from some users too. "Nice app but presently it's a security risk," one person stated in a review on the iTunes download page for WeChat, whilst also criticising "Tencent's poor management."

[BBC / Sky / Telegraph / Guardian / Techcrunch / The Australian / Reuters

Android bugs

Apple's iPhone is not the only smartphone confronted by security risks. The vulnerability of Android devices has been highlighted several times this year.

One of the most serious vulnerabilities was something dubbed Stagefright which could potentially allow a third party to gain control of a device and steal data [Android Central].

The bug allowed hackers to send a specially crafted MMS [Multimedia Messaging Service] message to the victim device and in most cases required no end-user actions upon message reception to succeed.

By default many text messaging apps, including Google's Hangouts app, automatically process video in a received MMS message so it is ready for viewing as soon as the user opens the message. Thus the attack could theoretically occur without a user being aware it had become a victim.

Whilst Google worked on a fix users were advised to turn off "Auto-retrieve MMS messages" in settings [Android Central].

The news of the exploit was concerning on a number of levels. Firstly the bug was found to exist in nearly every Android device on the planet, specifically every device above Android 2.2 Froyo. Around 0.2% of all Android devices still use Android 2.2 and the numbers using anything earlier are so negligible that there is little if any data showing the number of devices using earlier operating systems. In fact most devices will be running on Android 4.1 and above encompassing Jelly Bean, KitKat and Lollipop. In all the number of devices could exceed 1 billion [android developer dashboard].

Security updates

Google said it would update its Hangouts and Messenger apps so that they don't automatically process video messages in the background.

The bad news was that users would have to wait on the manufacturers and carriers to push out system updates.

And for older devices, updates - even related to security - may never arrive.

Google swiftly rolled out security updates for its flagship Nexus phones and tablets and announced they would release monthly security patches for devices in its Nexus range [Android Police / Android Central / Google Official Blog]. But that only covered recent models dating back to the Nexus 4 which was released in November 2012.

Those with older Nexus devices - the Nexus One, Nexus S and Galaxy Nexus - were essentially out in the cold.

The good news, however, appeared to be that despite some 900 million vulnerable phones in existence there were no reported cases of exploitation.

Fragmentation & security

There are few who doubt the advantages of the Android platform particularly concerning customisation. However, fragmentation and security is becoming a headache for Google and third party manufacturers as well as the millions of Android users around the globe.

Google Play has been criticised for its lack of security since apps were not, until relatively recently, vetted prior to being made available on the Android market place. Though, as we have seen even Apple's walled garden has not kept out all the weeds. Nonetheless, whilst Apple is often criticised for its walled garden which has delayed or even blocked the release of popular apps, the vetting that Apple applies to its iTunes store has significantly reduced iPhone users' exposure to malware.

While careful Android users might well have avoided installing malware via the Google Play store, all Android phone users appear to be vulnerable to a bug in the software known as Stagefright.

Google were of course made aware of the issue. But releasing a patch is not as simple as it sounds.

Because Android is open source, different manufacturers build upon the basic operating system, adding features some refer to as bloatware. Thus a patch designed for any of Google's Nexus flagship phones running stock Android may well conflict with the additional software running on other devices.

Even if there were no conflicts, the patch might not work and still leave security holes since Google might not be able to take into account the millions of pieces of different code running on other manufacturers' devices.

It is an issue which has highlighted the huge problems of so-called fragmentation [The Next Web].

Fragmentation and the fact that Android is open-source has created particular problems for users, app designers and of course the rolling out of security and other updates.

The issue of fragmentation used to be more an irritation to app developers and users. Apps designed for one version of Android might not work on another, and users of earlier versions of the OS were often left out in the cold. Meanwhile app developers struggled to keep up with Google's constant upgrades to the Android operating system. For example an app that once worked with KitKat might fail to work properly with Lollipop!

The issue of fragmentation as well as the fact that older devices are left without security support, has further compounded the problems surrounding the release of patches. Google might send them out to most of its Nexus devices, but the same patch may take weeks or months to arrive on other handsets via different carriers and mobile phone networks, if it ever arrives at all [Android Central].

Checkpoint

Only days after Apple's iPhone issues came to light yet another issue surfaced that might affect a significant number of Android users.

According to reports millions of Android phones could be easily hijacked using software that was installed on them.

The malware was found packaged within an Android game called Brain Test which reports say was developed in China before being uploaded to Google Play, Google's Android app market.

Check Point researchers detected the malicious application and found it had been published twice in the Google Play Store. The research team found that it was removed from the store on August 24th after the company reached out to Google, but the app was reposted and was taken down again on September 15th. According to Google Play statistics the game was downloaded by up to 1 million users.

The security firm, Check Point, said the malware was capable of facilitating various cyber criminal goals, including installation of additional apps on the infected devices, download and run any code an attacker may want to, and possibly deploy a payload to steal user credentials [Daily Mail / IBT / V3 / VCCFTech / Register].

Increased vetting

Google claimed earlier this year that the number of malicious applications available in the Google Play Store halved this year. Adrian Ludwig, Lead Engineer for Android Security, had shared back in April that "the overall worldwide rate of Potentially Harmful Application [PHA] installs decreased by nearly 50% between Q1 and Q4 2014."

For a long time Google had been criticised for not employing vetting, as Apple does, and merely allowed anyone to make apps available. However given the rise of apps containing malware Google eventually began to scan apps that were submitted to its app store. Codenamed Bouncer, the software was intended to provide automated scanning of the Android app store for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process [Google Mobile blog]. Later in 2014 Google also rolled out scanning of apps on mobile devices in order to check apps form third-party sources as well as those from the Play store [Mashable].

However, it appears that those responsible for uploading the Brain Test app used multiple methods to evade detection by Google, including bypassing Google's "Bouncer" Android defence tool.

Android Installer Hijacking

Earlier this year Palo Alto Networks discovered that a vulnerability existed in Android that could allow an attacker to replace a legitimate app with malicious software that can collect sensitive data from a phone.

According to Palo Alto Networks the situation could only occur should a user download from a third-party site, rather than Google Play, and uncheck the install from Unknown Sources tab in the security settings.

China syndrome

Much of the risk appears to emanating from China. Brain Test is said to have come from China. Meanwhile the dodgy Xcode Ghost software used to make the malware infected apps for iPhones was distributed in China via Chinese cloud storage systems.

Some attacks have created massive problems for users. One report recently highlighted an instance where a Chinese advertising company infected and 'completely' hijacked hundreds of thousands of Android handsets with an attack which exposes a global botnet to easy hijacking and opens handsets to total compromise by any malware [The Register / FireEye].

And according to John McAffee, the man behind the well known anti-virus software, four Chinese airlines are supposedly installing spyware on the Android smartphones of passengers travelling on international flights [Softpedia / IBT].

But why trick people to installing malware when you can sell them a device with pre-installed malware as has been seen recently in parts of China [The Register / Softpedia / HackerNews].

Malware risk growing

Smartphones as we know them today have been with us less than a decade, and yet their use is almost ubiquitous. But even some of the first smartphones running on the Symbian operating system as far back as 2004 were prone to malware risks.

2004 saw the distribution of Qdial disguised as a trojanised version of the game, "Mosquitos," which would send premium rate text messages from compromised Symbian s60 platform devices. In November of that year the destructive Skulls virus was distributed through file-sharing sites and over email, and was designed to overwrite key files [History of Mobile Malware: PDF].

Such malware gained little attention, and for the most part was more an irritation than a major problem.

However, a decade on, with nearly every mobile phone user holding a smartphone in their hand, the dangers and risks from malware are far more serious.

Many people now do online banking, online shopping and conduct business on their mobile devices. And it is clear that both the major platforms, Apple's iPhone and Android, are vulnerable.

Future risks

With the introduction of Apple Pay, Samsung Pay, Android Pay and other mobile tap-to-pay tie ins with certain banks, security is all the more important.

Apple Pay which has been available in the US since October last year, began rolling out in Britain in July this year. Google started rolling out its own tap-to-pay solution, dubbed Android Pay, across the United States on 11th September. However it is still unclear when the company will roll out the service to Britain or Europe. Meanwhile Barclaycard have already rolled out its own tap-to-pay solution within an updated app allowing users to spend up to £100 [Daily Express].

All the tap-to-pay apps require NFC, or Near Field Communication chips to be built into the device. However, while Android Pay is yet to appear outside the US, Google does have an advantage that more than 40% of Android devices have NFC built in due to the fact that it became almost standard when it was released in 2011. Apple will have to rely on its users upgrading to the iPhone 6 and 6 Plus which are the only Apple devices with NFC built in [List of NFC enabled mobile devices].

There have already been concerns raised over data leakage from contactless debit and credit cards [Daily Express / This is Money]. However both Google and Apple claim that card information is not directly shared when a transaction is made with their respective systems and as is much more secure.

But with the list of more and more serious data breaches and vulnerabilities occurring, there may well be some who fear the risks are becoming too great.

Will Android users get stagefright after Stagefright and move to the 'dark side'? Will Apple fanboys discard their iPhones which have been shown to be just as vulnerable. Will smartphone users migrate to Windows Phones, which are reportedly more secure, and so far have seen no instances of malware attacks.

Google and its Android arm have a lot of work to do to beef up security and regain trust. Apple also need to take stock and be less blasé when it comes to their security. Assuming app developers have used the correct software and not checking for anomalies is almost as bad as the developers use of the dodgy software. XCodeGhost may have been a one off for Apple, or it may be just a hint at the many ghosts in the machine we might see in the future...

Google, Apple, Microsoft, the app developers and device manufacturers have a duty not only to their customers, but also to themselves and their shareholders and employees. Any big fail in trust or a significant data breach in which mobile users are shown to lose money could see these companies experience dwindling sales, lost profits, and the shedding of jobs.

It's time to wake up and smell the coffee.

tvnewswatch, London, UK

No comments: