
Symantec Identifies Android Trojans That Mutate With Every Download

Posted by samzenpus
from the learning-at-a-geometric-rate dept.
angry tapir writes "Symantec researchers have identified a new premium-rate SMS Android Trojan that modifies its code every time it gets downloaded in order to bypass antivirus detection. This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it."
  • New movie (Score:3, Funny)

    by X.25 (255792) on Monday February 06, 2012 @08:05AM (#38940763)

    X-Men: Androids

  • by ewanm89 (1052822) on Monday February 06, 2012 @08:11AM (#38940795) Homepage
    I do not need Norton Mobile, Avast is cheaper and just as good, so Symantec, stop using your fear tactics for advertising.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If you're running anti-virus on your phone, you've already lost the game...

      • by ewanm89 (1052822)
        Avast and Norton Mobile aren't just antivirus, but firewall and anti-theft (if simcard changed it sends off GPS coordinates and stuff, doesn't protect if someone knows how to factory flash, but how many people who nick phones understand how to use fastboot or odin).
      • by pclminion (145572)

        you've already lost the game...

        I see what you did there... AC bastard!

    • Norton Mobile, slow your phone down and annoy you, for a cost, to protect yourself against stupidity...

      How many viruses can infect my phone if I never download the crapware that they need to do this ...Dancing Bunnies do not interest me

    • by JamesP (688957)

      I really wonder what's all the crap people download for mobile phones that's infected

      People don't need an Anti-Virus they need a Brain (and a secure OS)

  • Turn it off! (Score:5, Informative)

    by ArcherB (796902) on Monday February 06, 2012 @08:12AM (#38940799) Journal

    I had my carrier, Sprint, turn "premium rate" text messaging off completely. My phone is clean, but I don't have to worry about it anyway.

    Also, it's worth noting that these guys don't need a virus to charge you for this stuff. About 2-3 times a year, I would get some charge on my bill from a joke line, horoscope line or whatever that I never signed up for through text messaging or any other way. The last time it happened, I explained to the customer service rep that I would never use this type of service and she suggested that I block it. I have not had another charge since.

    • Re:Turn it off! (Score:5, Interesting)

      by Aladrin (926209) on Monday February 06, 2012 @08:31AM (#38940889)

      This is my only complaint about T-Mobile's customer service. The only way to block this is to pay $5/month and then micromanage your lines. -sigh-

      I had this problem with my father's line. He somehow got signed up for all kinds of garbage, and we didn't figure it out until later. (Really gotta watch that bill better.) They reversed a few months' charges, but they're only willing to go back so far. (I don't blame them, there.)

      But I did expect them to help me prevent the charges in the future, without me paying for the service.

      • by Amouth (879122)

        they shouldn't be able to charge you to block that "feature" from use.. i'd call them out on that..

        • by Skapare (16644)

          It should just be a flag on the account "this account is not eligible for outside service billing". All outside billing would be rejected to those doing the billing (and then it's up to them to not provide those services for the legitimate services). Whether on or off, it only takes 1 bit.

      • The only way to block this is to pay $5/month and then micromanage your lines.

        Wrong. You also have the option of leaving T-Mobile.

    • by azalin (67640)
      Simple solution? Go for the money and this will disappear.
      Any company setting up a premium number must sign a lot of liability clauses in their contract. No money is transferred to the company right away for any premium number. They get a "payment received" message, but the money itself is frozen for at least 2 months, either with the carrier or an accredited payment service provider. If reports of abuse come in, this period is extended. If too many complaints come in, all transfers to this company are fro
  • notnews (Score:4, Informative)

    by Cyberax (705495) on Monday February 06, 2012 @08:12AM (#38940803)

    So they've discovered polymorphic viruses? You know, like in good old days of DOS where viruses were real viruses and not simple worms.

    http://en.wikipedia.org/wiki/Polymorphic_code [wikipedia.org]

    • Re:notnews (Score:5, Interesting)

      by gl4ss (559668) on Monday February 06, 2012 @08:28AM (#38940875) Homepage Journal

      it's not as elegant as polymorphic on its own virus. it's server side generated, the server adds some randomization to the code, changes classnames, adds/removes unneeded code and then builds a new package. meaning the signature changes. Now, it's perfectly possible to build a binary and a new package _on_ device too, it just doesn't seem that any malware does it, polymorphic on device _and_ spread through bluetooth would be newsworthy I'd think (it needs the victim to press yes about 3 times and to open the file though - and the user to keep bt on too.. as it happens, you can't on android keep just the handsfree parts of bluetooth on, if you got bt on then obex is on, but you'll still need to accept the incoming files as said).

      • Re: (Score:2, Funny)

        by Anonymous Coward

        it needs the victim to press yes about 3 times and to open the file though - and the user to keep bt on too..

        No problem; to see cute bunny, press yes 3 times.

        • by gl4ss (559668)

          it needs the victim to press yes about 3 times and to open the file though - and the user to keep bt on too..

          No problem; to see cute bunny, press yes 3 times.

          I was thinking more along the lines of "psst. are you available??? ;)". would work wonders.

          • by azalin (67640)

            it needs the victim to press yes about 3 times and to open the file though - and the user to keep bt on too..

            No problem; to see cute bunny, press yes 3 times.

            I was thinking more along the lines of "psst. are you available??? ;)". would work wonders.

            The proud people of slashdot would never fall for that. Even if a few might actually think that it would be genuine, those would probably faint from hormonal overload on the spot.

      • Sounds complicated and fairly limited. They'd be better off encrypting the package, and using a salt that changes with each download. That'd work really well for dumb filters that match binary signatures.

        polymorphic on device _and_ spread through bluetooth would be newsworthy

        Does bluetooth transmit processes for running remotely? The way viruses worked in the ol' DOS days is that the front section of an executable file was overwritten and the virus code was appended at the end of the file. Then instead o

        • by gl4ss (559668)

          * bluetooth transmit processes for running remotely? * ..not when the bluetooth server is done properly, user interaction is always needed to run things originating from bluetooth.

    • Viruses were never worms, and neither are trojans, which is what these are properly called.
  • WOLF! (Score:2, Funny)

    by Anonymous Coward

    cried Symantec...

    • They didn't cry wolf, they just recorded every time norton mobile was downloaded since it is more of a virus than a protector.
  • Nothing to see here (Score:3, Informative)

    by Anonymous Coward on Monday February 06, 2012 @08:58AM (#38941107)

    "According to Armstrong, server-side polymorphism is not very widespread on the Android platform at the moment because most users get their apps through official channels and the current structure of the Android Market does not allow for a malware distribution scheme like this one."

    • by MrDoh! (71235)

      Yeah, that's how I see it. If you're downloading from dodgy websites/torrents, well... you're kinda asking for virus/trojans/who knows what.

      Funny how they've announced this as Google announces 'Bouncer' to check market apps.

  • Brings back memories of when I was in high school... I bought Mark Ludwig's book, 'The big black book of computer viruses'.



    I didn't actually write any viruses from reading the book, just a fun boot sector program that displayed subliminal messages. It also happened to get installed on a few choice computers.

    Here's his 'little black book' book: http://vxheavens.com/lib/vml00.html [vxheavens.com]. Of course his work talked about polymorphism over a decade ago.
  • Sounds like Symantec's usual tactics of - create a terrible virus, tell everyone how bad it is, and only their products can protect you. This has been done before to try and sell AV. With Microsoft now having its free Security Essentials, AV companies are getting desperate!
    • by tokul (682258)

      With Microsoft now having its free Security Essentials

      MSE is not free for anything bigger than SOHO. Check licensing terms again.

  • Symantec Identifies Android Trojans That Mutate With Every Download

    Symantec DEVELOPS Android Trojans That Mutate With Every Download

    There - fixed that for ya'!

    • You know, every time an AV story comes up, so does this stupid canard. AV companies have no real need to develop viruses and other malware - there are enough people doing that external to their companies to keep them quite busy enough all of their working hours and to allow them to continue making sales. And do you think these companies would risk the millions of dollars they make each year doing something as idiotic as this?

      You may not like their products, but please... Your post (like the others of the sa

  • by Rix (54095) on Monday February 06, 2012 @12:20PM (#38943515)

    Has anyone, anywhere ever intentionally used a "premium" SMS service?

    Telecoms obviously need a regulatory smackdown requiring them not to act as payment processors.

  • Got to have our dose of fear mongering from Symantec. I hate those vultures and I distrust everything they say.

  • How does 'server-side polymorphism' apply to a read-only bootable Ubuntu USB distro, which is the one I use here?
  • FTFA "A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. "

    So basically we're talking about "some guys website" hosting malware. This is not about Android Market.
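
An added example, not part of any comment above and not Symantec's detection logic: it shows why a whole-file signature misses a package that is rebuilt for every download (class names renamed, unneeded bytes added, as the thread describes) while a fingerprint over features the rebuild leaves alone still matches. The zip layout, the plain-text `manifest.txt`, and all function and sample names are assumptions made for the illustration; the samples are constructed.

```python
import hashlib
import io
import zipfile

def build_package(class_name, junk, perms):
    """Constructed sample: a zip with a plain-text manifest and one 'class' file.
    Real APKs use a binary AndroidManifest.xml; this layout is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.txt", "\n".join("uses-permission " + p for p in perms))
        z.writestr("classes/" + class_name + ".bin", b"same-logic" + junk)
    return buf.getvalue()

def file_signature(pkg):
    """Whole-file hash, the kind of signature a per-download rebuild defeats."""
    return hashlib.sha256(pkg).hexdigest()

def permission_fingerprint(pkg):
    """Hash of the sorted permission set, which renaming and padding leave alone."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as z:
        lines = z.read("manifest.txt").decode().splitlines()
    perms = sorted(l.split()[1] for l in lines if l.startswith("uses-permission "))
    return hashlib.sha256("\n".join(perms).encode()).hexdigest()

def compare(a, b):
    """Report whether two packages match by file hash and by permission fingerprint."""
    return {
        "file_match": file_signature(a) == file_signature(b),
        "fingerprint_match": permission_fingerprint(a) == permission_fingerprint(b),
    }

SMS_PERMS = ["android.permission.SEND_SMS", "android.permission.INTERNET"]
# Two constructed "downloads" of one sample: renamed class, different padding.
download_1 = build_package("a1x", b"\x00" * 7, SMS_PERMS)
download_2 = build_package("q9z", b"\x01" * 31, list(reversed(SMS_PERMS)))
# Constructed unrelated app that requests no SMS permission.
other_app = build_package("Main", b"", ["android.permission.INTERNET"])

if __name__ == "__main__":
    print(compare(download_1, download_2))
    print(compare(download_1, other_app))
```

A permission-set match is a triage signal rather than a verdict, since legitimate messaging apps request the same permissions.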
