Suspicious Apps on Google Play Leak Google Account IDs

The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of Android device users. McAfee has confirmed that a substantial number of suspicious apps on Google Play secretly collect Google account IDs. In these cases the corresponding Google account password is not collected, but leaking only the IDs still poses a certain level of security and privacy risk.

Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch, without prior notice to users. The total number of downloads of each app is between 10,000 and 50,000. McAfee Mobile Security detects these apps as Android/ChatLeaker.D.

Figure: These two suspicious apps leak Google account IDs.

Another set of suspicious apps, from various categories, shown in the figure below secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users. We detect these apps as Android/GaLeaker.A and its variants.

Figure: More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI.

We have not confirmed why the app developers secretly collect Google account IDs, how they use them, or whether they manage the data securely. Nor have we so far observed any malicious activity based on the stolen data. But at the very least these apps should notify users of the collection and of the intended use of their data, and give them the opportunity to decline the data transfer.

Android apps can retrieve Google account IDs when the GET_ACCOUNTS permission is granted at installation, by calling one of the methods of the AccountManager class. This permission is often requested when an app uses the Google Cloud Messaging (GCM) feature, a standard mechanism provided by Google for server-to-device push notifications. As a result, users cannot judge whether granting this permission is really safe: some apps request it for GCM, but others request it to collect account information for potentially malicious purposes.
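A manifest triage check that applies the reasoning above, added here as an example and not McAfee's tooling: it flags a GET_ACCOUNTS request that has no GCM permission or GCM receiver to justify it, or that sits beside READ_PHONE_STATE (IMEI/IMSI) and INTERNET. The two manifests are constructed for the example; the permission and intent names are the real Android/GCM identifiers, and note that GCM's own documentation required GET_ACCOUNTS only for devices below Android 4.0.4, so its presence alone is not proof of abuse.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android / GCM identifiers (not invented for this example).
GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"  # IMEI / IMSI access
INTERNET = "android.permission.INTERNET"
GCM_RECEIVE_PERM = "com.google.android.c2dm.permission.RECEIVE"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"

# Constructed manifest modelled on the GaLeaker pattern: account ID plus
# IMEI/IMSI access plus network access, and no GCM receiver at all.
LEAKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fortune">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed manifest of an app that requests GET_ACCOUNTS for GCM push only.
GCM_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".GcmReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return (verdict, findings) for one AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    has_gcm_receiver = any(
        a.get(ANDROID_NS + "name") == GCM_RECEIVE_ACTION for a in root.iter("action"))
    findings = []
    if GET_ACCOUNTS not in perms:
        return "no-account-access", findings
    # GET_ACCOUNTS is expected next to GCM; without a GCM permission or
    # receiver there is no push-notification rationale for reading accounts.
    if GCM_RECEIVE_PERM not in perms and not has_gcm_receiver:
        findings.append("GET_ACCOUNTS without any GCM permission or receiver")
    if READ_PHONE_STATE in perms:
        findings.append("GET_ACCOUNTS together with READ_PHONE_STATE (IMEI/IMSI)")
    if findings and INTERNET in perms:
        findings.append("INTERNET present: collected identifiers can leave the device")
    return ("review" if findings else "plausible-gcm-use"), findings
```

A "review" verdict is a triage cue for a human analyst (check where the app sends data right after launch), not a malware verdict on its own.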

Figure: A GET_ACCOUNTS permission request.

Although the account passwords cannot be retrieved in this case, leaking only account IDs still creates several types of risks.

  • Attackers can share account IDs with other malicious parties including email address collectors.
  • Attackers can directly send spam/scam emails to the address.
  • Attackers can break passwords and illegally access accounts if users employ easy-to-guess passwords.
  • Attackers can identify a user’s personal information on social networking services related to Google account IDs, for example, Google+.

Users should be especially careful about registering SNS/communication services using a Gmail address with services that encourage users to be searchable by their email addresses. If users have enabled the feature and make their profiles public, which is the default on many services, an attacker can easily identify personal information using the email address as a search key.

Figure: A user's real name is suggested when the Gmail address is used as a search key.

With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen.

Figure: Account names for various services can be easily retrieved.

We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also not expose their account names in public unless it is necessary.

The post Suspicious Apps on Google Play Leak Google Account IDs appeared first on McAfee Blogs.

What’s on Your Phone?

Today, most of us depend on our mobile phones and see them as a necessity in our everyday lives. Smartphones (and tablets) have provided us with a convenient way to communicate, socialize, work, take pictures, keep our address book on hand, shop and even bank online. But we often forget that our smartphones are more akin to a mini handheld computer than to a phone. Yes, a phone can make and receive calls, but with a web browser and apps, it can do so much more!

Our reliance on our mobile phones has driven an explosion in the growth of smartphones (a mobile phone that is able to perform many of the functions of a computer, typically having a relatively large screen and an operating system capable of running general-purpose applications). According to ABI Research, there will be over 1.4 billion smartphones in use by the end of this year, which is a 44% increase from last year. And we’re also spending money to make the most of our mini computers. IHS reports that consumers will spend $15.5 billion on apps by the end of this year, which is more than the combined total for 2010, 2011 and 2012.

So what’s on your phone? Definitely a lot more than you think.

With the advent of apps, your smartphone now contains much more of your personal data than you probably realize. Yes, it has your contacts with their phone numbers and emails, but depending on what you store on your mobile device, it probably also has your user names and passwords, access to your credit cards and bank accounts, and possibly access to your work email and files.

Yet despite all this personal information and data (that is valuable to hackers), most of us don’t take the proper steps to protect our information. 36% of us don’t lock our smartphones or tablets with a PIN or passcode and 30% of us have password information “hidden” in our notes app. And almost 40% of us don’t have the data on our smartphone or tablet backed up in the event of loss or theft.*

It’s time we all realize that our smartphones are more than just phones. And yes, if our phone were lost or stolen, it would stink to have to pay to replace it. But it would be a lot worse to lose the valuable data on that smartphone than the phone itself. So do yourself a favor and make sure you protect your mobile devices, just like you protect your computer, and remember that your mobile device is your phonebook, email account, family photo album, social media connection and even your wallet, all rolled into one.

Protect all your devices with McAfee LiveSafe™ service or if you just need to protect your mobile device, from now until Dec 13, you can get 80% off McAfee® Mobile Security.

* McAfee and One Poll, January 2013

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

The post What’s on Your Phone? appeared first on McAfee Blogs.

Don’t Get Your PIN Skimmed by Your Own Mobile Camera

Photo and video editing apps are on the rise with mobile device owners. In fact, according to a poll by Flickr, 43% of people use their mobile phones as their primary camera. And with so many photo editing and voice recording apps out there, it can be difficult to keep track of who and what has access to the sensitive data that you store on your mobile device. Allowing apps to access photos or even the microphone on your smartphone or tablet may seem fairly innocuous, but throw a malicious app into the mix and you may be unwittingly opening yourself up to a number of security vulnerabilities.

For instance, with the right software a hacker can gain access to your photos, share your photos, as well as use the microphone and camera to steal your personal identification number (PIN) code. A team of researchers at the University of Cambridge created a software package for Android to test out this very theory. Their results might have you thinking twice before allowing a new app of any kind access to the hardware in your device.

The app, called PIN Skimmer, used a mobile phone’s camera and microphone to figure out and unlock a user’s PIN code. While not 100% accurate, the method did glean the correct 4-digit PIN by recording movement and sound more than half of the time, with an 8-digit PIN proving even easier to crack after several attempts. Surprisingly, longer PINs actually gave the program more information initially, which made them easier to predict versus shorter codes. Just like a typical piece of malware, this attack used stealth to go undetected by both the user and the device itself. The app ran remotely in order to minimize battery drain, and disabled the LED light that switches on in some handsets when the camera is in use to avoid suspicion.

Luckily, PIN Skimmer is not an app on the market, but rather was created with the intent to spread awareness, not actually steal personal information. However, it does help shed light on what malware can already do—most likely even better when created by skilled hackers. If researchers can create software to steal PINs using a smartphone’s camera and microphone, it’s almost guaranteed that cybercriminals can too.

Security threats like PIN Skimmer are an issue for both users and phone manufacturers, and the latter should explore solutions like restricting phone resources during PIN entry or even using biometrics as an extra layer of security. Incorporating fingerprint scanning or other biometrics steps could thwart malicious apps like PIN Skimmer since in such cases the PIN is only half of the information needed to unlock a device. While biometrics have their own security risks, staying one step ahead of hackers starts with the latest tools.

In the meantime, Android users should be extra vigilant when it comes to mobile security in order to avoid being taken advantage of by similar schemes. The name of the game for these kinds of malicious apps is “stealth,” so superficial safety checks won’t be enough to detect anything potentially harmful. However, there are steps you can take to prevent bad apps from getting in. To begin with, always know what each app can access, including the camera and other key functions, as well as why. Just like with your laptop or home computer, any strange behavior like battery drainage or a sudden onslaught of spam messages should be checked out right away. Additionally, use security software with the capability to detect hidden apps like the notorious Obad.a Trojan and others like it.

Also, consider these additional tips to help keep your device and information safe from current as well as potential threats:

  • Secure your device with a strong passcode. While PIN Skimmer cracked passcodes more than 50% of the time, some security is still better than none at all. Make sure to steer clear of easy options such as 1234 or your birth year.
  • Review app permissions before you download. Third-party apps, especially games or entertainment apps, should have limited access to personal data such as location or social networking sites. Requesting too many permissions is a definite red flag that this could be an app up to no good.
  • Only download apps from official sources. Third-party app stores and websites are known for fostering risky apps and malware. Stick to downloading from trusted online sources, such as the Apple App Store and Google Play.
  • Update your mobile software. If your mobile carrier allows it, updating your OS can immediately improve the security of your device.
  • Never use public Wi-Fi networks to access sensitive information. Avoid checking your bank account or downloading content on unsecured networks. Cybercriminals often use public Wi-Fi in places like coffee shops and airports as a hunting ground for victims.
  • Go the extra mile when it comes to mobile security. Sometimes taking all the precautions you can is just not enough. McAfee® Mobile Security comes with many features to help protect your smartphone and tablet from a variety of threats, including a hidden device admin detector, remote lock and wipe functions should your device become lost or stolen, and virus protection with continuous scanning and monitoring of your mobile activity.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.

The post Don’t Get Your PIN Skimmed by Your Own Mobile Camera appeared first on McAfee Blogs.

Five predictions for information security and cybercrime in 2014

Eugene Kaspersky, chairman and CEO, Kaspersky Lab

Fragmentation of the internet: 2014 is likely to become the year when fragmentation of the internet will become fully visible. The loss of international trust in the field of global communications that has followed Edward Snowden’s disclosures will result in the emergence of more cyber-borders and new parallel secure networks.

The new networks will be run by governments to protect their communications and national infrastructure from any sort of foreign intrusion. This will increase the security and reliability of cyber-infrastructure, but also siphon resources away from public initiatives and global internet projects and businesses, and ultimately possibly pose a threat to the very existence of the borderless internet as we know it today.

Marcin Kleczynski, CEO, Malwarebytes

Smarter and more evolved malware: As technology gets even more portable and powerful, the continued evolution of mobile malware will be a big trend next year. This takes advantage of the fact that people have an increasing reliance on their phones and tablets as a place to store sensitive information, such as bank details. As the malware market continues to polarise, ransomware will also continue to increase, using the most graphic scare tactics to convince people to part with money.

Mac operating systems will also continue to be targeted more next year with ransomware, malicious browser plugins, rogue antivirus software and a slew of other malware attacking the increasingly popular OS. Security software will have to stop being so passive in 2014. Proactive layers of security software are the only way to stop the latest criminal malware.

Marc Rogers, principal security researcher, Lookout

The impact of the internet of things: The ongoing development of the internet of things will continue to impact cyber security in 2014, as attackers now have more potential entry routes to sensitive governmental, corporate and personal data than ever. Mundane objects – such as thermostats and fridges – which were once completely unremarkable from a security perspective, have suddenly become the guardians of sensitive data, ranging from sensitive financial information to detailed telemetry about personal aspects of our lives.

In the post-PC era, we need to be looking at new approaches to security that use connected devices to form a network immune system. Through this, we have a chance to turn the asymmetry of digital war against attackers, and give the defenders an advantage instead.

Rob Stavrou, director of IT consultancy, Northdoor

Major organisational changes: In 2014, IT security breaches will continue to rise and organisations will consistently face growing numbers of sophisticated, persistent threats to their corporate data. Data is becoming more and more crucial to organisations and threats to that data will not be taken lightly.

Organisations will adopt cyber security insurance to help mitigate the risk of loss of data and brand – this will create an enormous challenge for insurers as it is very hard to predict the probable maximum loss. As a result, 2014 will see a significant rise in organisations undertaking assessments, audits and post-breach protection to ensure they keep on top of the threat landscape and potential weaknesses in their IT security defences.

Ken Parnham, managing director EMEA, TRUSTe

Trust: Trust will be increasingly important next year if businesses are to take advantage of new opportunities to collect and use data to create more targeted, personalised, cross-device experiences for customers. The rise of dual-screening, wearable tech and smart devices is likely to give rise to new privacy challenges for consumers, businesses and regulators.

The winners in 2014 will be those that find ways to use new technology in a privacy-centric manner and are transparent about the data they collect, what they do with it and provide people with a way to opt out if they wish. Addressing potential privacy concerns from the start will not just increase trust with customers but will also be one of the best ways to ensure your business is well-prepared for any potential regulatory changes that may be introduced in 2014 and beyond.

More to follow

Get more articles like this sent direct to your inbox by signing up for free membership to the Guardian Media Network – this content is brought to you by Guardian Professional.

Android/Balloonpopper Sums Up Mobile Threat Landscape in 2013

WhatsApp has received more than its fair share of hits from Trojans attempting to target its large user base and worldwide popularity, but only a handful of those possess the threat level of this new discovery, which appears to be aimed primarily at Latin America.

Recently removed from Google Play, Android/Balloonpopper is a game that carries a Trojan that secretly uploads WhatsApp conversations and pictures. The Trojan takes advantage of the fact that the encryption WhatsApp used for its stored data is easy to break. Its (recent) presence on Google Play also helped to lower the guard of its victims.

The stolen conversation and pictures are stored by the app developer and can be retrieved by anyone who knows the phone number of the victim. For complete information, a buyer must pay the developer an unspecified amount.

The game itself is both simple and real. It distracts the victim while the Trojan steals the data. Other apps, from this developer or others, could easily copy this technique. As long as the developer remains in business, there is no telling what tactic or app might appear next on Google Play.

Android/Balloonpopper is a perfect example of the threats we see affecting the mobile landscape in 2013. Protecting privacy is at the forefront of mobile security, but an effective attack can turn personal information into a commodity for cybercriminals.

The post Android/Balloonpopper Sums Up Mobile Threat Landscape in 2013 appeared first on McAfee Blogs.