::Trend Micro Threat Resource Center::

Showing posts with label mobilephone.

19 March 2015

Yahoo! Releases On-Demand Passwords

Yahoo! is taking a new tack in authentication with the implementation of on-demand passwords, which are texted to a mobile phone when a user needs them.


Yahoo! subscribers in the US can opt into the scheme via their security settings page in the account information section.  Once a mobile phone is added to the account, a one-time password will be sent every time a login is required.

It’s sort of like two-factor authentication—without the first factor involved.

“We’ve all been there…you’re logging into your email and you panic because you’ve forgotten your password,” said Chris Stoner, Yahoo! director of product management, in a blog. “After racking your brain for what feels like hours, it finally comes to you. Phew! Today, we’re hoping to make that process less anxiety-inducing…You no longer have to memorize a difficult password to sign in to your account—what a relief!”

But not everyone agrees that the method boosts safety. Tim Erlin, director of product management and a security and IT risk strategist for Tripwire, pointed out that the method simply directs hackers’ efforts to intercepting text messages.

“While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages,” he noted in an email. “Malware on your phone could be used to grab those SMS messages, and then have full access to your account. On-demand passwords are also mutually exclusive with Yahoo’s two-step verification, so enabling them forces users to effectively downgrade security on their account.”

TK Keanini, CTO of Lancope, told Infosecurity that he agreed that users will need to pay more attention to mobile security.

“While only leveraging a single factor (something you have—your phone), the security of the system will depend on how secure that device remains over time,” he said. “We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual. It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream.”

Nonetheless, he applauded Yahoo! for thinking creatively.

“We need more innovation like this with authentication,” he said. “Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo! knows that the most personal device on a person these days is their mobile phone. And let’s not stop here, let’s keep innovating even more techniques to raise the cost to our attackers.”

20 January 2015

Your computer and smartphone, held hostage

Cybercriminals are making their attacks personal, remotely locking your computers and smartphones until you pay a hefty ransom.

Tapping a link on your smartphone to watch a new music video might sound harmless, but it got one 12-year-old girl from Tennessee into trouble last year.


Instead of a video, the preteen -- whose name has not been disclosed because of her age -- had unwittingly installed malicious software that downloaded child pornography, locked her Android phone, and threatened to report the pornography to the FBI if she didn't fork over $500 in ransom. She reported the hacker's extortion demands to Frank Watkins, an investigator with the Coffee County Sheriff's Department.

It's called ransomware, a type of malicious code that leaves its victims feeling personally violated. Some versions destroy your data if you don't pay, while others merely threaten. Some will encrypt your device, scrambling everything it contains until you pay a ransom.

Ransomware can be big business. CryptoLocker, which uses email attachments to infect and encrypt computers, harvested nearly $30 million in about 100 days, according to estimates from Keith Jarvis of Dell's SecureWorks counter-threat division. CryptoLocker's descendant CryptoWall, which has infected more than 1 million computers, continues to mutate and adopt new techniques that make it harder to remove.

While ransomware has been around since 1989, it's gotten worse as criminals target billions of smartphones and tablets used around the world, demanding $100 to $600 (often in bitcoins) to release them.

A mobile threat report from Mobile Lookout Security, which makes security software for smartphones, found 4 million of Lookout's 60 million users were held hostage last year, said Jeremy Linden, senior security product manager for the San Francisco company.

Avast, which says 55 million people use its free mobile security software, reports similar numbers. Last month alone, the company blocked 5,000 ransomware attacks a day -- up from nearly zero only seven months earlier -- according to Jiri Sejtko, director of Avast's virus detection lab.

Having your computer locked out can be traumatic in its own right. Losing access to your smartphone can trigger "abject panic," said Larry Rosen, a psychologist and researcher at California State University, Dominguez Hills, who studies people's reactions to modern technology. "That little box contains everything you ever need on a daily basis. You're carrying around a phone, computer, friends -- your everything in one box," he said.

Small wonder, then, that hackers have trained their attention on mobile extortion. But payer beware. "You could pay a ransom and the malware would still not unlock your phone," said Mobile Lookout's Linden.

So far, mobile ransomware is considered to be easier to avoid than its desktop cousin. Experts have two tips for smartphone owners.

First, install an application that will block ransomware. And second, never download applications from outside the official Google Play store or Apple App Store.

And finally, report the crime to the police.

"Don't hesitate about calling," even if the attack installed child pornography on your phone, said Watkins, of the Coffee County Sheriff's Department. "Contact your local authorities. They'll be able to tell that it's ransomware."

24 November 2014

Android ransomware 'Koler' turns into a worm, spreads via SMS


A malicious Android app that takes over the screen of devices and extorts money from users with fake notifications from law enforcement agencies was recently updated with a component that allows it to spread via text message spam.

Known as Koler, the ransomware Trojan has been on malware researchers' radar since May when it started being distributed through porn websites under the guise of legitimate apps. A new variant of the threat found recently by researchers from security firm AdaptiveMobile spreads through SMS messages that attempt to trick users into opening a shortened bit.ly URL.

Once installed on a device, Koler opens a persistent window that covers the entire screen and displays a fake message from local law enforcement agencies accusing users of viewing and storing child pornography. Victims are asked to pay a "fine" using MoneyPak prepaid cards in order to regain control of their phones.

The Koler ransomware is capable of displaying localized ransomware messages to users from at least 30 countries, including the U.S., where the impersonated law enforcement agency is the FBI.

The new version found by AdaptiveMobile sends a text message to all contacts in the victim's address book. The message reads: "someone made a profile named -[the contact's name]- and he uploaded some of your photos! is that you?" followed by a bit.ly URL or a similar shortened URL.


The URL points to an Android application package file called IMG_7821.apk that's hosted on a Dropbox account. When installed, this application uses the name PhotoViewer, but is actually the ransomware program.

Because of Worm.Koler's SMS distribution mechanism, infected devices have spread rapidly since the 19th of October, which is believed to be the original outbreak date.

During this short period, several hundred phones that exhibit signs of infection have been detected across multiple US carriers. In addition, other mobile operators worldwide, predominantly in the Middle East, have been affected by this malware.

The best protection against ransomware threats like Koler is to have the "unknown sources" option turned off in the Android security settings menu. When this setting is disabled -- and it typically is by default -- users won't be able to install applications that are not obtained from the official Google Play store. Some users do turn this option on though, because there are legitimate applications that are not hosted on Google Play for various reasons.

Koler does not encrypt users' files, so it is easy for users to remove it from infected devices. The removal steps are:
  • Reboot the mobile device in “Safe Mode”
  • Remove the malicious ‘PhotoViewer’ app using the standard Android app uninstallation tool
Instructions on how to reboot the device in safe mode should be available in the phone's manual, but it generally involves pressing and holding the power button until the power menu appears, then tapping and holding Power Off until the option to reboot in safe mode appears.

As of 24 Nov, this worm has reached the shores of Singapore, as reported in a popular local forum.


27 August 2014

Life was good without technology.

1983 vs 2013 Life was good without technology.


Do you agree?

24 March 2013

Ten simple things you should do this Data Privacy Day



When was the last time you ran a search on your own name – do you know if someone has been pretending to be you, or if unwanted eyes have easy access to your personal details?

Don’t stand idly by as the trail you leave online gets larger – be vigilant and take steps to protect your own information. In line with Data Privacy Day on January 28, here are ten simple things you can do to better protect the information you share online.

1. Password protect your mobile devices – only 6 in 10 Singaporeans use passwords on their mobile device. Leaving your devices unprotected is equivalent to leaving your home or car unlocked. If you’re lucky, no one will take advantage of the access. If not, you might find yourself at the mercy of cyber risks and fraud.

2. Run a search on yourself – it’s not narcissistic, and is an easy way to stay on top of what’s available about you online. You never know who might be assuming your identity or sharing your private information.

3. Be stingy with your personal details – some websites will prompt you for information such as your email, address or phone number. Be cautious as this information might end up being used in unexpected ways.

4. Mobile security software can add another layer of protection – yes it exists, and yes it works.

5. Unknown sources are usually bad news – emails and text messages that contain links or ask for information might do you more harm than good. Make sure you know who the sender is before opening these messages.

6. Be in charge of your privacy settings – some social networks and applications can share your personal information and location with strangers. You should only share personal details with those you trust.

7. Download apps from reliable sources – mobile malware is spreading via fake app markets. Be mindful of what apps you’re downloading and where you’re downloading them from.

8. Keep your apps updated – security patches exist for a reason, use them when available.

9. Log off and log out – unless you want others to have easy access to your accounts, you should always log out after use.

10. Stay informed – keep up to date with the latest mobile threats and dangers by visiting websites such as MobileSecurity.com, which has the latest news on all things related to protecting yourself and your mobile devices.

22 March 2013

Researcher points out critical Samsung Android phone vulnerabilities

Tired of waiting for Samsung to fix a string of critical flaws in their smartphones running Android, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace.



Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow:

  • a silent installation of highly-privileged applications with no user interaction
  • SMS sending and changing of various phone settings without the app requiring the permission to do so
  • an app performing almost any action on the victim's phone.

"All these issues were caused by Samsung-specific software or customizations," he noted. "All the vulnerabilities I reported can be exploited from an unprivileged local application. In other words, no specific Android privileges are required for the attacks to succeed. This allows attackers to conceal the exploit code inside a low-privileged (and apparently benign) application, distributed through Google Play or the Samsung Apps market."

He admits to being surprised at the length of time it takes for Samsung to patch the vulnerabilities, especially because he believes they are easily fixed. The company replied to him that "any patches [Samsung] develops must first be approved by the network carriers."

In the meantime, UK blogger Terence Eden has demonstrated another lock screen bypass flaw he found on Samsung Android phones, which allows anyone to completely disable the lock screen and get access to any app.

The lock screen bypass flaw he discovered earlier this month has still not been patched by Samsung, but Bkav has released a patch that not only fixes the flaw, but also takes a photo of anyone trying to misuse the flaw and emails it to the phone's owner.

UPDATE (March 22): Bkav has developed a patch for the Samsung lock screen flaw disclosed by Eden.

21 March 2013

Android, iOS bugs expose phones to voyeurs, data thieves

The first line of defense against smartphone snoops is a handset's lock screen, but the two largest smartphone makers are having trouble keeping them secure.

Bugs were discovered Wednesday in both Android and Apple smartphones.

A bug discovered by Android researcher Terence Eden allows anyone to bypass the security measures in place at a phone's lock screen and gain total access to the contents of a handset.

Eden outlined the method for bypassing the lock screen in his personal blog. The technique exploits the 911 feature of a phone, which allows emergency calls to be made whether a phone is locked or not.

The researcher noted that he found his attack to work only on a Samsung version of Android. It does not work on phones running a stock version of Android from Google.

He tested the attack on a Galaxy Note II from Samsung, but he predicted it would also work on a Samsung Galaxy III, as well as other Samsung devices.

Samsung did not respond to a request for comment for this story.

Eden explained that he reported the bug to the company in February, and that he expected a bug fix to be issued shortly.

Meanwhile, another lock screen bug was discovered in Apple's iPhone. The bug was discovered less than a day after Apple began pushing a version of its iOS operating system, version 6.1.3, to address a lock screen flaw discovered several weeks ago.

The bug was revealed by a reader of the Cult of the Mac website. It uses an iPhone's control feature to bypass the lock screen. However, the exploit appears to only work on iPhone 4's.

When a call is voice dialed, the publication explained, if the phone's SIM card is ejected during the dial-up, the phone will display its recent call log. From that screen, a peeper can browse and edit contacts and add pictures to the phone.

Both the Android and Apple bugs are similar, according to Diogo Monica, a security engineer with Square, a mobile payments company in San Francisco.

"They both exploit the emergency call system," he said in an interview. "When an emergency call is made, it allows a logic bug to be exploited and let you access the screen without authentication."

Once the lock screen is bypassed, not only can the information in it be eyeballed, but it can be copied, too. If your phone is unlocked, it can be connected to a computer and its contents dumped to the device, Monica explained.

He estimated that all the important data in a phone can be siphoned into a computer in a couple of minutes. A complete data dump of everything in a phone would take a maximum of 15 minutes.

Faulty lock screens would create serious concerns for corporations, maintained Glenn Chisholm, CSO and vice president of Cylance, a cyber security firm in Reston, Va.

"When you try to access your corporate mail, it usually forces you to enable your lock screen," he explained in an interview. "If the corporation can't trust a lock screen to protect their corporate information ... that's a big problem."

Another big problem for corporations is lost or stolen smartphones, added Giri Sreenivas, vice president and general manager of mobile for Rapid7.

To mitigate those risks, companies require their employees to secure their phones with a PIN. "These vulnerabilities allow those controls to be bypassed," he said in an interview.



13 March 2013

Tips for removing data from mobile devices

AVG released tips on how consumers can remove their personal data before they recycle or throw away their old smartphones.



In an era of frequent and seamless device upgrades, it’s easy to ditch an old handset and move on to the next. However, chances are the old device has personal information lingering on it, putting consumers at a greater risk of identity theft.

“Think about all the personal data stored on your phone: text messages, emails, even intimate photos of you or your significant other,” said Tony Anscombe, senior security evangelist at AVG. “Consumers are now carrying more and more personal information on their devices, and AVG wants to ensure everyone is well equipped to wipe out that data when the time comes. Your identity is essentially yours to lose, so take every precaution possible to stay safe.”

While the factory reset button seems like the logical place to start, numerous industry and security experts report that even after consumers carry out this exercise, personal information often remains.

The following tips will help ensure private information is erased:
  • Remove the memory and SIM cards. Both store personal data and are best kept safe in your possession or destroyed.
  • Use a data removal application to ensure data really is deleted.
  • Once the data is deleted, then run a factory reset. Instructions can be found on manufacturers’ or carriers’ websites.
  • If you are going to simply throw away your mobile phone, older handsets can contain toxic materials. Consult your local authority or drop it off at a mobile phone retailer, where they will be able to dispose of it correctly. Additionally, there are specialist companies that will take it apart and recycle each component.
  • Of course, recycling or handing it on for use is a good option; there are many charities and organizations that redistribute old phones and will even send you a pre-paid postage box to send it in. Just search on the Internet for the many options!

18 September 2012

HOWTO Brute Force Android Encryption on Santoku Linux

This HOWTO will guide you through the process of cracking the PIN used to encrypt an Android device (Ice Cream Sandwich and Jelly Bean) using brute force on Santoku Linux Community edition.



14 September 2012

iPhone 5 release brings out email scammers

Apple's long awaited release of iPhone 5 has provided cyber crooks with a perfect opportunity to scam users.

Even before yesterday's official presentation of the new device, a mass mailing campaign offering a protective case for it has been spotted by Kaspersky Lab researchers.



Now - even if this offer was legitimate, it is highly unlikely that the case would fit, as the iPhone 5 is thinner and longer than its predecessor. The fact that the senders sent out the email before the release of the device indicates that this is likely a scam.

It's hard to tell just what type of scam it is, but at best you can get saddled with a case that doesn't fit, and at worst your credit card information can be stolen and used by the scammers.

In any case, beware of offers like these and restrict your online shopping to legitimate e-commerce sites.

12 May 2012

Trojan posing as Flash Player for Android

Russian Android users are constantly targeted with Trojans posing as legitimate apps. Last month it was fake Instagram and Angry Birds Space apps, this time the lure is a bogus Flash Player for Android.



"When users opt to download and install the said fake app, the site connects to another URL to download a malicious .APK file," Trend Micro researchers warn.

The file in question is a premium service Trojan that saddles users with unwanted charges.

Both the website offering the fake app and the one from which the Trojan is downloaded are hosted on the same IP address - a Russian domain.

"Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme," conclude the researchers.

09 April 2012

SMS-controlled Android malware records calls

Researchers at NQ Mobile Security have discovered a new piece of Android malware that receives instructions, i.e. is controlled, via SMS.

Dubbed TigerBot, the Trojan hides by not showing any icon on the home screen and takes the names and icons of popular and common Google and Adobe apps like "Flash" or "System" in order to blend in with the legitimate apps installed on the phone.

"In order to receive remote commands, it registers a receiver with a high priority to listen to the intent with action 'android.provider.Telephony.SMS_RECEIVED'," point out the researchers. "As a result, it can receive and intercept incoming SMS messages before others with lower priorities."

The capabilities of the malware include: recording phone calls, changing network settings, uploading the current GPS location, capturing and uploading images, sending text messages to a particular number (but, it seems, not a premium service one), rebooting the phone and killing other running processes. Still, not all the actions are always effective.

So far, the Trojan hasn't been detected being offered on Google Play (formerly Google’s Android Market), but only on third-party online marketplaces.

The researchers urge users to always be careful when downloading new apps.

"Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading," they say.
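The two TigerBot traits described above (an SMS_RECEIVED receiver registered with a raised priority, and no icon on the home screen) can be checked statically in an app's decoded manifest. The following is an added example, not code from the original post or from NQ Mobile; the sample manifests, package names and the priority threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _names(parent, tag):
    """Collect android:name values of the direct children with this tag."""
    return {_attr(child, "name") for child in parent.findall(tag)}


def audit_manifest(manifest_xml, priority_threshold=0):
    """Inspect a decoded (text) AndroidManifest.xml for SMS-interception traits.

    priority_threshold is an assumed heuristic: 0 is the platform default,
    so anything above it means the app asked to see SMS before other apps.
    """
    # xml.etree is not hardened against hostile XML (entity expansion);
    # parse manifests from untrusted APKs in a sandbox or a hardened parser.
    root = ET.fromstring(manifest_xml.strip())
    findings = {
        "package": root.get("package"),
        "requests_receive_sms": RECEIVE_SMS in _names(root, "uses-permission"),
        "sms_receivers": [],
        "has_launcher_icon": False,
    }
    app = root.find("application")
    if app is None:
        return findings

    for receiver in app.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            if SMS_RECEIVED not in _names(flt, "action"):
                continue
            raw = _attr(flt, "priority")
            try:
                priority = int(raw, 0) if raw is not None else 0
            except ValueError:
                priority = None  # resource reference: cannot rule out a raise
            if priority is None or priority > priority_threshold:
                findings["sms_receivers"].append((_attr(receiver, "name"), priority))

    # A home-screen icon needs an enabled activity with MAIN + LAUNCHER.
    for tag in ("activity", "activity-alias"):
        for act in app.iter(tag):
            if _attr(act, "enabled") == "false":
                continue
            for flt in act.findall("intent-filter"):
                if ("android.intent.action.MAIN" in _names(flt, "action")
                        and "android.intent.category.LAUNCHER" in _names(flt, "category")):
                    findings["has_launcher_icon"] = True
    return findings


def is_suspicious(findings):
    """Flag apps that intercept SMS at raised priority and hide their icon."""
    return bool(findings["sms_receivers"]) and not findings["has_launcher_icon"]


# Constructed sample: icon-less app with a maximum-priority SMS receiver.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.system">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="System">
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".Worker"/>
  </application>
</manifest>
"""

# Constructed sample: ordinary messaging app, default priority, visible icon.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger">
    <activity android:name=".Inbox">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".IncomingSms">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(sample)
        print(result["package"], result["sms_receivers"], is_suspicious(result))
```

A hit is a triage signal rather than a verdict: legitimate apps occasionally raise receiver priority, so review flagged packages alongside their source and requested permissions.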

05 November 2011

Siri - Can She Spill Your Secrets?

By Default, Yes.
As IT/infosec expert Ben Schorr points out in an article, the feature of the iPhone 4S that everyone is excited about is Siri, the voice-enabled personal assistant. Siri can do some cool things - she can direct you to the nearest gas station, read you your e-mails and help you remember the coffee shop you liked in Seattle the last time you visited - ah, the wonders of GPS.

Unfortunately, Siri has no loyalty - if someone else gets possession of your phone, Siri will obligingly read them your texts or e-mails - or send text and e-mails that appear to come from you. This is true EVEN if you have your phone locked with a PIN.

This recently discovered security flaw can be corrected, but you must take the affirmative step of disabling Siri when the phone is locked - and how many users are going to do that? Unless you take that step, be wary of what you share with the faithless Siri!

14 July 2011

Analyzing and dissecting Android applications for security defects and vulnerabilities

In March 2011, 58 malicious applications were found in the Android Market. Before Google could remove the applications from the Android Market they were downloaded to around 260,000 devices. These applications contained Trojans hidden in pirated versions of legitimate applications. The malware DroidDream exploited a bug which was present in Android versions older than 2.2.2.

Android device manufacturers and carriers work in tandem to distribute Android-based updates and didn't issue patches for the DroidDream exploit, leaving users vulnerable. Google said the exploit allowed the applications to gather device specific information, as well as personal information.

The exploit also allowed the applications to download additional code that could be run on the device which allowed attackers to potentially gain access to sensitive information.

This article introduces ScanDroid for Android applications, using Ruby code to show how it works and demonstrate how to implement it. This code is a prototype to highlight the capabilities of using ScanDroid.

For simplicity, we will consider three vulnerabilities for an Android application:
1. Read/Write to local storage
2. Access external URL
3. Make socket connection

This document explains the following aspects:
  • ScanDroid Overview
  • Using ScanDroid
  • Using ScanDroid library with interactive Ruby (irb).
Download the complete paper here.

22 June 2011

Android URL Filtering SDK: Secure Web browsing and compliance

Commtouch announced GlobalView URL Filtering for Mobile, which enables real-time protection for mobile device users browsing the Web.


GlobalView URL Filtering is comprised of a Software Development Kit that connects to the cloud-based GlobalView Network. Access to the resources available in the cloud enables the solution to index the sites mobile users actually visit, including dynamic Web 2.0 sites and hundreds of millions of others.

Mobile users benefit from the protection offered by GlobalView URL Filtering without compromising their browsing experience. The Commtouch SDK requires minimal resources, and an adjustable local cache categorizes the vast majority of visited URLs on the device, preventing annoying browser lag.

GlobalView URL Filtering is currently available for operating systems and environments that run a Java Virtual Machine such as Android. Commtouch anticipates adding support for other mobile operating systems such as iOS, QNX and other BlackBerry operating systems, and Windows Phone 7.

Vendors and carriers can leverage GlobalView URL Filtering for Mobile to offer:

Secure web browsing: Mobile users can be protected from phishing sites or sites that download viruses and malicious content.

Regulatory compliance: Organizations can limit their liability, improve productivity and comply with required standards by enforcing Web access policies.

Parental control: Young surfers can be protected from inappropriate Web content such as pornography, gambling, violence and hate sites.

These solutions can be deployed by smartphone, tablet and eBook manufacturers, mobile service providers, as well as Internet security and mobile application developers.

15 June 2011

Encrypted voice calling for Android

Cellcrypt launched Mobile for Android, a version of its encrypted voice calling application that runs on Android devices operating over Wi-Fi, GSM and CDMA wireless networks.


Cellcrypt Mobile provides encrypted voice calling for off-the-shelf cell phones using government-certified security in an easy-to-use downloadable application that makes highly secure calling as easy as making or placing a normal phone call.

It is a software-only solution that uses the IP data channel of cellular (2G, 3G, 4G), Wi-Fi and satellite networks and can be deployed to personnel anywhere in the world in as little as 10 minutes.

Cellcrypt Mobile for Android is available immediately on devices supporting Android 2.3 and is interoperable with Cellcrypt running on other devices such as Nokia and BlackBerry smartphones.

"Cellular voice interception is different from other types of data breach,” said Nigel Stanley, Practice Leader, Security at Bloor Research, “if you lose a laptop, USB stick or disk drive it can be fairly obvious that the data has gone missing. But with voice, a successful interception can leave no physical trace so there is little chance of realizing your data has actually been intercepted resulting in disastrous consequences. If you can compromise a cell phone then you are more or less assured that you can collect the most relevant, current and damaging data possible about a user, their business or their private life. By supporting Android devices, Cellcrypt is providing enhanced security for one of the world’s most popular mobile platforms.”

14 June 2011

Latest Android Malware Takes Flight With Angry Birds

Malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game.

Xuxian Jiang, an assistant professor in computer science at North Carolina State University, last week found 10 applications infected with malware in the Android Market. On June 5, he reported it to Google, which suspended the applications on the same day. Jiang also contacted mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, CA, SmrtGuard, Juniper, Kinetoo, Fortinet, and others.

What is this latest threat?

In a blog post published last week, Jiang explained that this new malware, which his team named "Plankton" (after the pesky Spongebob character?) doesn't attempt to root Android phones. Rather, it was designed to run in the background secretly.

This particular piece of malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game (Angry Birds itself was not infected).

What does it do? Once the malware is fired up by the users, it loads a background service. That background service application scours the device for user data, including the device ID code, and reports it back to a remote server. The server parses the data and then sends a link back to the malware, which downloads an executable and then runs nearly invisible in the background.

The application then starts collecting more data, such as browser bookmarks, browser history, home page shortcuts, and runtime log information.

Full article here.

12 May 2011

400% increase in Android malware

Enterprise and consumer mobile devices are exposed to a record number of security threats, including a 400 percent increase in Android malware, as well as highly targeted Wi-Fi attacks, according to a report by Juniper Networks.

With smartphones set to eclipse PCs as the preferred method of both personal and professional computing, cyber criminals have turned their attention to mobile devices.

At the same time, the gap between attacker capabilities and an organization's defenses is widening. These trends underscore the need for further mobile security awareness, as well as more stringent, better integrated mobile security policies and solutions.


"The last 18 months have produced a non-stop barrage of newsworthy threat events, and while most had been aimed at traditional desktop computers, hackers are now setting their sights on mobile devices. Operating system consolidation and the massive and growing installed base of powerful mobile devices is tempting profit-motivated hackers to target these devices," said Jeff Wilson, principal analyst, Security at Infonetics Research. "In a recent survey of large businesses, we found that nearly 40 percent considered smartphones the device type posing the largest security threat now. Businesses need security tools that provide comprehensive protection: from the core of the network to the diverse range of endpoints that all IT shops are now forced to manage and secure."

Key report findings include:

App store anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an antivirus solution on their mobile device to scan for malware.

Wi-Fi worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications.

The text threat: 17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise.

Device loss and theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued.

Risky teen behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device.

"Droid Distress": The number of Android malware attacks increased 400 percent since Summer 2010.

"These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions," said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

"App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users are insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand," he added.

The complete report is available here (registration required).

29 April 2011

Mobile Security: Camelot And The Wild West

The only secure device is one that is not connected to a network. However, this more or less defeats the purpose of mobile devices. Especially with the onset of social media and cloud computing, users are no longer just browsing the internet. As mobile devices become the primary platform for users, they will also become the primary focus of hackers' attention.

Just last month Google pushed the "Android Market Security Tool" onto at least 256,000 infected devices to remove apps with DroidDream malware, first reported by the Android Police. DroidDream was published within seemingly legitimate apps on the Android Marketplace which, once installed on Androids prior to 2.2.2, could obtain personal information as well as download additional code to run. The 58 apps infected with the malware were removed from the marketplace within minutes.

As with desktops, mobile malware can come in the form of anything from fake antivirus to "phishing" apps (apps posing as trusted banks or businesses), and they can be contracted through messages, app marketplaces, third-party marketplaces, and yes, even through the web browser. And this isn't just the case for Android. Even the iPhone has its own bout of security issues. Then, why is there so much hype regarding Android security?

The iPhone and Android exist in different worlds. The first is like Camelot, the second like the Wild West. On the iPhone platform, the operating system itself is tightly controlled and the App Store has strict regulations and screening. iOS users are looked after and protected by the "castle guards" at Apple. Exploits for the iPhone reach only very careless users and those who install third-party applications. The OS offers various encryption features, and fixes for any known security holes in the OS are made available for users to install easily when syncing with their computer.

The Android platform is open source and there is little marketplace oversight. Users must look out for themselves, and the unguarded are vulnerable to exploitation. There remains no built-in encryption available to apps, hence Skype's recent upgrade. That said, the lack of cooperation between carriers and Google to provide updates for the OS only compounds the issue, as this article discusses. Google has made security patches to its OS, but carriers have been unwilling to push the upgrades to their phones.

Both users and enterprises alike should realize the vast differences in the Android and iPhone environments. Be sure to confirm the authenticity of an app before installing, browse only trustworthy sites, and, as much as possible, keep devices upgraded.

13 March 2011

Google Android security tool found repackaged with malware

In what should actually not be a wholly unexpected turn of events, the Android Market security update - pushed to Android users whose devices were affected by one or more "trojanized" applications found on the official Android marketplace - has itself been repackaged with a Trojan and is being offered on some third-party Chinese marketplaces.

The application, called “Android Market Security Tool”, has been repackaged with suspicious code, and according to the analysis by Trend Micro's researchers, this malicious version opens a backdoor through which device information such as IMEI, its phone number and routine logs is uploaded to a remote URL.
But it doesn't stop there. It can also modify call logs, intercept or monitor messages, download videos, and more, which could also lead to a very high phone bill for the user. One must only take a look at the permissions the application asks for to see that they can be misused in a myriad of ways:

Permissions requested by the legitimate application do not include receiving and sending text messages, pinpointing the location of the device and preventing the phone from sleeping.

Also, the legitimate Android Market Security Tool shows its version to be 2.5, while the malicious application says its version is 1.5. So far, this trojanized tool seems to be aimed exclusively at Chinese Android users.

It bears repeating that checking out any application's permissions before installing it is a good idea, and if you spot something that strikes you as odd or that has great potential for misuse, consider not installing it.

I would say that keeping to the official Android Marketplace is also a smart move - despite what happened last week. The odds of avoiding malicious applications are better, at least.
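The permission and version comparison described in this post can be automated for an app whose legitimate build is known. The sketch below is an added example, not part of the original post or Trend Micro's analysis: it parses `aapt dump badging` output and diffs it against a baseline. The package name is a placeholder and the baseline permission set and sample output are constructed; only the version numbers 2.5 and 1.5 come from the post.

```python
import re

# Constructed sample of `aapt dump badging` output for a repackaged copy.
# Package name is a placeholder; both aapt permission spellings are shown.
SAMPLE_BADGING = """\
package: name='com.example.securitytool' versionCode='15' versionName='1.5'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WAKE_LOCK'
"""

# Assumed baseline for the legitimate build: version 2.5 is from the post,
# the permission set is constructed for illustration.
BASELINE = {
    "version": "2.5",
    "permissions": {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"},
}

# Capabilities the post says the legitimate tool does not request.
HIGH_RISK = {
    "android.permission.RECEIVE_SMS": "receive text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.ACCESS_FINE_LOCATION": "pinpoint device location",
    "android.permission.WAKE_LOCK": "prevent the phone from sleeping",
}

PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'", re.M)
VER_RE = re.compile(r"^package:.*\bversionName='([^']*)'", re.M)

def parse_badging(text):
    """Extract versionName and the requested permission set."""
    m = VER_RE.search(text)
    return {"version": m.group(1) if m else None, "permissions": set(PERM_RE.findall(text))}

def compare_to_baseline(candidate, baseline=BASELINE):
    """Return (kind, detail) findings where the candidate departs from the baseline."""
    findings = []
    if candidate["version"] != baseline["version"]:
        findings.append(("version-mismatch", f"{candidate['version']} != {baseline['version']}"))
    for perm in sorted(candidate["permissions"] - baseline["permissions"]):
        kind = "high-risk-permission" if perm in HIGH_RISK else "extra-permission"
        findings.append((kind, perm))
    return findings

if __name__ == "__main__":
    for kind, detail in compare_to_baseline(parse_badging(SAMPLE_BADGING)):
        print(f"{kind}: {detail}")
```

Any finding against a known-good baseline is a reason to check the package's signing certificate and source before installing it.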