What Is a Trojan Horse?

One of history’s great literary classics is Homer’s Iliad, which tells the story of the Trojan horse—the wooden horse that the Greeks hid in to enter the city of Troy and take it over. Two thousand and some odd years later, hackers use a digital Trojan horse to hide malicious files in seemingly harmless files with the intent to attack or take over your device. A Trojan horse (or Trojan) is one of the most common and dangerous types of threats that can infect your computer or mobile device. Trojans are usually disguised as benign or useful software that you download from the Internet, but they actually carry malicious code designed to do harm—thus their name.

There are a variety of types of Trojans, many of which can launch sophisticated and clever attacks. Here are some types to be aware of:

  • Password-stealing Trojans—These look for saved passwords on your computer and email them to the hackers. Some can even steal passwords cached in your browser history.
  • Remote access Trojans—These are quite common, allowing the attacker to take control of your computer and access all of your files. The hacker could potentially even access your online banking and credit card sites if you have your password stored in your browser memory or on your computer.
  • Destructive Trojans—These Trojans destroy and delete files from your computer
  • Antivirus killers—These Trojans detect and kill your antivirus and firewall programs to give the attacker easier access to your computer

A Trojan can have one or multiple destructive uses—that is what makes them so dangerous. It’s also important to realize that unlike viruses, Trojans are not self-replicating and are only spread by users who mistakenly download them, usually from an email attachment or by visiting an infected site.

Here are some steps you can take to avoid downloading a Trojan horse:

  • Beware of suspicious emails. Don’t open an email attachment if you don’t recognize the sender of the email
  • Use comprehensive security software. Protect all your devices with McAfee LiveSafe™ service as well as stay protected from spam, sketchy files, and viruses
  • Separate the good from the bad. Use an email program with a built-in spam filter to decrease the chance of a malicious email getting into your inbox
  • Know the threats. Keep current on the latest threats so you know what to look for when you receive suspicious emails

Remember that Trojans are common because they are so successful. Hackers use social engineering techniques, such as mentioning a current news topic or popular celebrity, to get you to click on their email. Just being aware of what they are and how they work can prevent you from having to deal with financial loss, identity theft, damage to your computer, and significant downtime.


RobertSicilianoRobert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

The post What Is a Trojan Horse? appeared first on McAfee Blogs.

Android Security Internals is out

Some six months after the first early access chapters were announced, my book has now officially been released. While the final ebook PDF has been available for a few weeks, you can now get all ebook formats (PDF, Mobi and ePub) directly from the publisher, No Starch Press. Print books are also ready and should start shipping tomorrow (Oct 24th). You can use the code UNDERTHEHOOD when checking out for a 30% discount in the next few days. The book will also be available from O’ReillyAmazon and other retailers in the coming weeks.

This book would not have been possible without the efforts of Bill Pollock and Alison Law from No Starch, who edited, refined and produced my raw writings. +Kenny Root  reviewed all chapters and caught some embarrassing mistakes, all that are left are mine alone. Jorrit “Chainfire” Jongma reviewed my coverage of SuperSU and Jon “jcase” Sawyer contributed the foreword. Once again, a big thanks to everyone involved!

About the book

The book’s purpose and structure have not changed considerably since it was first announced. It walks you through Android’s security architecture, starting from the bottom up. It starts with fundamental concepts such as Binder, permissions and code signing, and goes on to describe more specific topics such as cryptographic providers, account management and device administration. The book includes excerpts from core native daemons and platform services, as well as some application-level code samples, so some familiarity with Linux and Android programming is assumed (but not absolutely required). 

Android versions covered

The book covers Android 4.4, based on the source code publicly released through AOSP. Android’s master branch is also referenced a few times, because master changes are usually a good indicator of the direction future releases will take. Vendor modifications or extensions to Android, as well as  device-specific features are not discussed.
The first developer preview of Android 5.0 (Lollipop, then known only as ‘Android L’) was announced shortly after the first draft of this book was finished. This first preview L release included some new security features, such as improvements to full-disk encryption and device administration, but not all planned features were available (for example, Smart Lock was missing). The final Lollipop developer preview (released last week) added those missing features and finalized the public API. The source code for Lollipop is however not yet available, and trying to write an ‘internals’ book without it would either result in incomplete or speculative coverage, or would turn into an (rather though) exercise in reverse engineering. That is why I’ve chosen not to cover Android 5.0 in the book at all and it is exclusively focused on Android 4.4 (KitKat).

Lollipop is a major release, and as such would require reworking most of the chapters and, of course, adding a lot of new content. This could happen in an updated version of the book at some point. Not to worry though, some of the more interesting new security features will probably get covered right here, on the blog,  first.

With that out of the way, here is the extended table of contents. You can find the full table of contents on the book’s official page.

Update: Chapter 1 is now also freely available on No Starch’s site.

Table of contents

 Chapter 1: Android’s Security Model
  • Android’s Architecture
  • Android’s Security Model
Chapter 2: Permissions
  • The Nature of Permissions
  • Requesting Permissions
  • Permission Management
  • Permission Protection Levels
  • Permission Assignment
  • Permission Enforcement
  • System Permissions
  • Shared User ID
  • Custom Permissions
  • Public and Private Components
  • Activity and Service Permissions
  • Broadcast Permissions
  • Content Provider Permissions
  • Pending Intents
Chapter 3: Package Management
  • Android Application Package Format
  • Code signing
  • APK Install Process
  • Package Verification
Chapter 4: User Management
  • Multi-User Support Overview
  • Types of Users
  • User Management
  • User Metadata
  • Per-User Application Management
  • External Storage
  • Other Multi-User Features
Chapter 5: Cryptographic Providers
  • JCA Provider Architecture
  • JCA Engine Classes
  • Android JCA Providers
  • Using a Custom Provider
Chapter 6: Network Security and PKI
  • PKI and SSL Overview
  • JSSE Introduction
  • Android JSSE Implementation
Chapter 7: Credential Storage
  • VPN and Wi-Fi EAP Credentials
  • Credential Storage Implementation
  • Public APIs
Chapter 8: Online Account Management
  • Android Account Management Overview
  • Account Management Implementation
  • Google Accounts Support
Chapter 9: Enterprise Security
  • Device Administration
  • VPN Support
  • Wi-Fi EAP
Chapter 10: Device Security
  • Controlling OS Boot-Up and Installation
  • Verified Boot
  • Disk Encryption
  • Screen Security
  • Secure USB Debugging
  • Android Backup
Chapter 11: NFC and Secure Elements
  • NFC Overview
  • Android NFC Support
  • Secure Elements
  • Software Card Emulation
Chapter 12: SElinux
  • SELinux Introduction
  • Android Implementation
  • Android 4.4 SELinux Policy
Chapter 13: System Updates and Root Access
  • Bootloader
  • Recovery
  • Root Access
  • Root Access on Production Builds

The Shame Game: Mobile App Security Under Fire

Shame on you!

We’ve all seen a good public shaming in the form of celeb gossip or a scorned ex online, but shaming apps with lax security? That’s something new….

Software engineer, Tony Webster, got fed up with a number of mobile app developers not taking security seriously enough—just look at Snapchat being under fire for being compromised several times in one year — so he decided to take matters into his own hands. Webster created a website, HTTP Shaming, in which he publicly calls out mobile apps and businesses that send user’s personal information to the Internet without encrypting it first. He posts each of these cases in hopes of convincing companies to provide better security measures for handling customer data.

The problem with these mobile apps is that they use unencrypted data and links or companies are simply not using HTTPS, the secure version of the Web protocol. In both of these instances, a user’s data is at risk, whether an attacker is tracking a user’s location, harboring their personal information, or using said information to commit various forms of fraud.

In one particular case highlighting travel-information company, TripIt, it was found that hackers could change or cancel a victim’s flight This app had a built-in calendar sync feature and would automatically send unencrypted details about a user’s past and upcoming trips on the calendar app on that user’s phone. Meaning, if the user joined an unsecured Wi-Fi network, eavesdroppers on that same network could pluck information such as the user’s name, phone number, email address, and last four digits of their credit card straight from the air.

HTTP Shaming had some success with this case, as the company in question has converted its calendar feeds to HTTPS since being publicly shamed. However, that is just one success story in the long list of mobile apps that have security flaws placing user’s privacy at risk.

With the above in mind, it’s important to follow these tips to protect yourself and your personal information when using a mobile app:

  • Avoid using public Wi-Fi to send private information. Public Wi-Fi can be both a blessing and a curse. Since these networks are used by a large number of people, they can often be a prime target for hackers. Try to limit the amount of personal information you send over any website, especially when you are using a public network.
  • Install comprehensive security software on your phone. Having security software installed on your device is an essential part of protecting your privacy. McAfee® Mobile Security is free for both Android and iOS, and will alert you if you are about to connect to an unsecured Wi-Fi network from your Android device.
  • Stay current on the updates for your mobile apps. App updates usually come when companies either want to add new features, or fix critical security issues. A good rule of thumb here is if you stay on top of your app updates, you’re likely to stay ahead of most security flaws.
  • Only download apps from official app stores. Third party app stores are often the cardinal destination for malicious apps. By avoiding these unapproved app stores, you are helping to ensure you stay one step ahead of hackers.  

And as always, to keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.


The post The Shame Game: Mobile App Security Under Fire appeared first on McAfee Blogs.

Is Your Teen Using Mobile Banking Facility

Mobile banking is the new age smartphone revolution. While the computer and laptop brought the bank to our homes, the smartphone made it possible for us to take our bank along, wherever we go. So convenient it is that the global populace is rapidly opting for this method of banking.

Though mobilebanking is not strictly an issue that is related to parenting tweens and teens, it is nevertheless important for both parents and children to know its pros and cons. I realized this first hand when my son joined college. He was instructed to install a mobilebanking app on his phone to enable him to pay fees, hostel bills etc. I had to give him a rapid course on mobile banking safety. This brought to my mind the large number of children leaving home at 16 to pursue higher studies. These kids will be on their own for perhaps the very first time in their lives, managing their finances along with their academics. They will be aware of mobile banking but may not be fully cognizant of all the precautions to take. And it will be the parents’ duty to teach them that.

So if you are a regular user of the app, well and good, you know the stakes. But it sure helps to have a clear idea of the merits and demerits just so you can clarify your child’s doubts and provide him the right tools to help him stay safe online.

As I keep saying, this is the internet age and everything will soon become internet-oriented. It’s best therefore to know than to repent. Agree?

Now here are some simple DOs related to mobile banking:

  • Mobile Security software: It goes without saying that having the latest security software running on your computer is a huge safety measure. It actually safeguards your phone, your data and warns you if it finds anything amiss. Try the highly recommended McAfee Mobile Security
  • Auto-lock on: Keep your phone locked, with Wi-Fi & Bluetooth turned off, when not in use
  • PIN-protect phone: The 4-digit PIN to unlock your phone should not be an easily guessable set of numbers. AND never the same sequence you use for your ATM transactions
  • Strong Password: Use strong passwords for account login. A passphrase is a better option. AND don’t store your passwords on your phone or draft e-mails. Anyone with access to your phone will be able to acquire it eventually
  • Official app: Always download the official mobilebanking app from your bank’s homepage and use it
  • Security checks: Before doing financial transactions, ALWAYS ensure that the web address starts with https//: and NOT http//:. In addition, the green padlock symbol should be visible
  • Beware of Phishing attacks: Do remember that banks will never send unsolicited emails or text messages asking for personal details like date of birth, address or mobile banking password. Report such mails as Phishing mails. Contact branch in case of doubt.

Things you should ask your teen to do:

1)     Use only the official apps provided by your bank

2)     Don’t use an unlocked phone for carrying out banking or any financial transactions, as it might be running an untrusted software

3)     Take printout of each transaction or save every message received.

4)     Request your bank to send you monthly account summary and review them thoroughly

5)     Give standing instruction to bank to send alerts on phone and email, everytime a transaction is carried out

6)     Use only trusted and verified websites to do online shopping

7)     Do not share mobile banking details with friends

8)     Regularly check all apps running on your phone and uninstall those you don’t use or those that want permission to access a lot of data on your phone


For more tips, click here

Stay safe, stay happy!!!

The post Is Your Teen Using Mobile Banking Facility appeared first on McAfee Blogs.

Don’t Judge An App By Its Cover

When it comes to the security of your mobile apps, things are not always how they appear on the surface. Stealthy malicious apps often seem benign at first glance but once installed, run quietly in the background harvesting your data and personal information. Thanks to these malicious apps created by hackers, the seemingly innocuous programs held in the palm of your hand can often end up providing you with much more than you’ve bargained for and potentially cost you just as much.

Unfortunately, handy uninstaller apps that claim to rid your mobile device of multiple unwanted apps in one fell swoop are no exception. One particularly stealthy app, Android/Trojan.Spy.Smsthief disguises itself as an uninstaller utility but rather than removing unwanted apps, this malware collects and relays your personal information back to the attacker who created it.

The app is designed to acquire device administrator privileges upon installation, providing it with deep access to your phone and causing it to be extremely tricky to remove. This level of permission is usually only granted to special Google and security apps and it is not yet known how this app is able to request such a high level of access.

Although the app appears to be lying dormant on a user’s phone after it has been installed, it is in fact doing just the opposite. Hiding its designating icon from the app launcher and running in the background, it quietly intercepts and copies your valuable information.

As the name suggests, this app specifically uses text messages for its nefarious means through the following methods:

  • Spam messaging: this causes the infected phone to send text messages containing malicious links to people in the infected device’s contact list. When the receiver of the messages clicks on said link, the attacker is paid either through call fraud or deals with (occasionally) innocent affiliates.
  • Premium SMS fraud: an attacker will secretly send text messages to premium numbers they have purchased through the infected mobile device, leaving the phone’s owner footing the bill. This trick can also be used by making calls to premium-rate phone numbers. Read more about it in this recent blog.

This Android/Trojan.Spy.Smsthief has been found on third-party app stores in China and file-sharing sites. However, whether this malicious app falls close to home for you or not, it is always best to continue to practice these key mobile security habits:

  • Avoid third-party app stores and only download mobile apps from trustworthy sites
  • Always check an app’s permission settings before installing it
  • Never click unfamiliar or unusual links within text messages

However, even with the most cautious approach to your mobile app download and usage, nasty things can get through the best defenses. Having security software installed on your mobile device is an essential part of protecting your privacy. McAfee® Mobile Security, free for Android and iOS, offers a variety of protections against malicious apps, including a text and call filter that weeds out unwanted numbers for Android users.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.


The post Don’t Judge An App By Its Cover appeared first on McAfee Blogs.