Forgot your password?
typodupeerror
Android Botnet Security

Massive Android Mobile Botnet Hijacking SMS Data 117

Posted by Soulskill
from the all-your-texts-are-belong-to-us dept.
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
This discussion has been archived. No new comments can be posted.

Massive Android Mobile Botnet Hijacking SMS Data

Comments Filter:
  • Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?
    • Re:LOL WTF LMFAO (Score:4, Interesting)

      by icebike (68054) on Wednesday December 18, 2013 @03:36AM (#45723545)

      Put it on some dodgy mobile cracked app site and have it perform some trivial functionsfunctions, post about it in a conspiratorial tone in some forums and watch the cheap bastards come rolling in. There are a million cheapskates for every real customer of android apps.

    • I guess those Koreans or Chinese who are running those C&C must be having the time of their life fapping over who is cheating with whom via reading the world's sms :p,

      who knows, new category of porn soon:

      "Click here to see sexy conversations between %person you want% and %other person you fantasize% online, for only $5/monthly and receive a free android device on booking for 5 years!"
    • Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application

      Flashlight App.

    • Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?

      The fact that almost nobody in China can get to Google Play without trickery?

      • by robmv (855035)

        There is a reason Mozilla is hard with the requirements to name a build for Firefox codebase "Firefox", it is their trademark, if you build Firefox and replace Mozilla addons "store" with one that doesn't do reviews (manual or automated) and is filled with malware, I am pretty sure Mozilla will make you use another name. Android is trademarked by Google, Amazon don't call their tablets Android, because they can't. Google is to light allowing forkers to call it Android, tainting their brand

        • Google is to light allowing forkers to call it Android, tainting their brand

          Well, if they didn't half the marketshare of "Android" would be going to "others".

      • Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?

        The fact that almost nobody in China can get to Google Play without trickery?

        Don't get me wrong. I love android, but even Google Play has crappy asian malware. I wish they would clean that shat up.

        Search for a game or something and you get...

        LOVE BLOND KITCHEN See girl beautiful aprons...

        And 12 other similar apps from the same creepy ass developer...No way would someone with half a brain download that. Even worse, it wastes space in the search results, the results aren't relevant to what was searched, and it also wastes the end user's bandwidth in having do download the

        • by mlts (1038732)

          Google needs to start tiering their store. One tier is stuff actively moderated with strict, Draconian guidelines and perhaps additional fees to support this degree of moderation. This tier would be similar to Amazon's, Microsoft's, or Amazon's store and if an app doesn't toe the line perfectly, it gets pulled without mercy (since it can easily be offered on the "free for all" tier.) The second tier would be what their store is now -- pay a fee for an account, upload, and go from there.

          The next step is b

          • by Dishevel (1105119)

            This way, the average Joe who doesn't know or doesn't care about permissions is kept safe from potentially malicious software by only being in the actively moderated tier, but someone who has some sort of a clue can turn that protection off and go for whatever utility they want.

            Fuck the Average Joe.

            He is getting stupider and less capable of caring for himself every year. I for one am tired of this pathetic leech screwing shit up for the rest of us.

            Fuck Average Joe and all those that support his continued existence.

            • by mlts (1038732)

              I think we all feel that way. However, the average Joe is the one with the money, and keeping him relatively safe is a boon for everyone in the Android ecosystem.

              The other answer is to have a locked down platform like iOS where nobody can see a true "#" prompt or know what is going on in the device. Given a choice between a walled garden with no way out, versus one that has walls with a switch to flip to drop the walls as one's will, I'll take the latter.

              • by Dishevel (1105119)
                If we allow the stupid to die off in massive amounts by removing warning labels from hair dryers, airbags and cleaning supplies before they breed we could have a very positive effect on the average IQ of future Average Joe s.
          • by jeffmeden (135043)

            Google needs to start tiering their store. One tier is stuff actively moderated with strict, Draconian guidelines and perhaps additional fees to support this degree of moderation. This tier would be similar to Amazon's, Microsoft's, or Amazon's store and if an app doesn't toe the line perfectly, it gets pulled without mercy (since it can easily be offered on the "free for all" tier.) The second tier would be what their store is now -- pay a fee for an account, upload, and go from there.

            The next step is by default, have Android devices download only from the restricted tier of the Google Play Store, and a checkbox, similar to the one that allows sideloading, for using the open tier of their market. This way, the average Joe who doesn't know or doesn't care about permissions is kept safe from potentially malicious software by only being in the actively moderated tier, but someone who has some sort of a clue can turn that protection off and go for whatever utility they want.

            Of course, there is worse in the way of markets. AFIAK, China has no access to the Google Play store, and Chinese app stores may have absolutely zero curation or moderation in place whatsoever, so there may be numerous copies of a perfectly legit app, except only one doesn't bring with it an added payload. To boot, number of downloads isn't a good statistic if bogus store accounts are easily created.

            The Play store is wiped of malware on a pretty regular basis, but there are still a lot of pointless/crappy apps in there. Any true malware capable apps are swiftly removed from the store and from users devices. Your second point is exactly right though; China and other non-western areas don't get the Play store like NA/EUR does. Specifically Google cant collect/disseminate charges from the Play store there, so no developers are interested in making anything but free crApps for it. This means that even

    • SMSes seem to be fairly commonly abused as the cheapskate's "Two-factor authentication" (a convenient excuse to rake in customer phone numbers, and a device that probably isn't infected with the same malware as the users' PCs, plus it's cheaper than dedicate hardware security tokens!)
    • Google, i dare you, i really dare you, make android by default, whitelist countries IP addresses.

      So that I can choose, EU only, or Asia only, except china/korea. Or USA only ip addresses.

      Yeah its drastic, but 99% of users wont access websites outside usa, or their home country or two.

      But france is as bad, I know no one there or use their websites, so should block the whole country on my linux server...

      Is there any easy to use firewall configs to block/allow by country?

      • > Is there any easy to use firewall configs to block/allow by country?

        That very much depends on your definition of easy.
        Netfilter is there. Some phones have iptables pre-installed, so on those phones you'd blacklist or whitelist list exactly the same as any other Linux distribution. That's easy for me, it would be hard for a lot of people.

        Other phones don't have iptables installed so you'd need to copy the binary over to the phone.

        At minimum, you'll need root access on the device.

      • by mcgrew (92797) *

        Google, i dare you, i really dare you, make android by default, whitelist countries IP addresses. So that I can choose, EU only, or Asia only, except china/korea. Or USA only ip addresses. Yeah its drastic, but 99% of users wont access websites outside usa, or their home country or two.

        Do you have citations or experience to back that claim up? I live in Illinois, my web site is in Canada. I had a pretty popular Quake site from 1998 to 2003 that used the same host as I'm using now. My traffic came from all o

    • This was my exact question. What is the infection vector? I don't care what software is installed, but how it gets there in the first place. If it's not exploiting a flaw in the OS itself, then it's just user stupidity.

    • by wolja (449971)

      Seriously, what is the "trickery" that gets one to download and install this "Google Vx" application, and how many Chinese people does it take to read our LOLs? Is someone out there texting their social security number or bank PIN?

      Yep they are. Peeps do most everything including texting things to themselves to remember stuff. Creating draft SMS to remember, not sure if that is sent to the server but probably. /guilty - Not of sending bank data but sensitive url's /shamed

  • "The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China,” the researchers reported."

    The problem is with dumb users out there who just do not read the type of permissions required by apps they download versus the functionalities that it is supposed to give, that also without reading reviews and comments about it, su
    • Re:MisoSMS (Score:5, Insightful)

      by Eskarel (565631) on Wednesday December 18, 2013 @03:55AM (#45723617)

      The bigger problem is the really poor security options available on Android apps with somewhat ridiculously broad security rights. Most apps will ask to read phone identity simply because the need to be able to identify the device on which the app is installed, but the security grant for phone identity gives a whole crapload more than that. Manage accounts is another good one where in order for an app to actually store its own accounts it needs access to all the accounts.

      Add to that the fact that Google themselves have been constantly trying to take over your SMS with bloody Hangouts and it's not really that surprising that folks don't really understand the permissions they are granting.

      • by Anonymous Coward

        The problem is that there is really no shame in exploiting the user anymore. This has led to the situation where users routinely have to give permissions that are not related to the primary function of an app, simply to enable the app monetization. The difference between a truly hostile app and ad-supported apps is only a nuance.

        • Re:MisoSMS (Score:5, Informative)

          by Rob Simpson (533360) * on Wednesday December 18, 2013 @05:20AM (#45723929)
          No kidding. I had to look through dozens of "flashlight" apps to find one that didn't want my calendar, SMS, internet access, and GPS.
          • Re:Mf-droidisoSMS (Score:5, Informative)

            by nadaou (535365) on Wednesday December 18, 2013 @07:01AM (#45724309) Homepage

            > No kidding. I had to look through dozens of "flashlight" apps
            > to find one that didn't want my calendar, SMS, internet access,
            > and GPS.

            F-Droid [f-droid.org] is your friend.

            As always, FOSS means you don't have to put up with the bullshit.

            F-Droid build all apps they ship from source, including some sort
            of grep filter on permissions to catch (and then remove) any code
            which is not in the user's best interest, or at minimum flag and
            explain the issue in detail to let you decide for yourself.
            Otherwise-good apps with flagrant ad-ware or cripple-ware in it
            simply gets patched.

          • by epine (68316) on Wednesday December 18, 2013 @07:09AM (#45724347)

            No kidding. I had to look through dozens of "flashlight" apps to find one that didn't want my calendar, SMS, internet access, and GPS.

            The Android permission system blows goats. It's not just the "all or nothing" approach to app acceptance. It runs deeper. It's also the app store itself, where I can't restrict (or prioritize) search results based on permissions demanded.

            Using aSpotCat, under android.permission-group.PERSONAL_INFO I've got AdService, Chrome, Firefox, Gmail, Google Play, Pebble, and RunKeeper. I've had to bail on the installation of close to fifty apps to keep this list this short.

            Basically the Android security model deters me from actually installing software, to the point where I no longer regard it as a platform.

            This xmas between an Android tablet and an eReader, I'm likely to get an eReader (Kobo here in Canada), which is not a platform either, and doesn't play one on TV.

            I was reading reviews that commented that a Kobo Aura is about the price of a servicable, entry level tablet from Walmart. Several of the reviewers commented "you might as well get the full Android platform for the price". What platform? Android is mainly a platform for sharing far more about myself than I wish to divulge with strangers I don't even know. Whatever information is gleaned will never be under my control ever again: it will almost certainly be amalgamated from one low-life to another ad nausium.

            I'd be quite happy if not a single vendor knew my location ever, who wasn't providing me with a map for my own purposes (such as RunKeeper). If they need to know, I'll tell them. Yet 90% of Android applications demand to hoover this up and the Google play store provides no mechanism to put these applications on a personal shit list, so that better-behaved applications float to the top of the candidate list.

            Android: Death by a thousand peeping toms. Where's well-behaved Waldo? Crushed by the throng. Eventually Diogenes tires of visiting the Turkish baazar and begins to subsist on juniper berries.

      • Re:MisoSMS (Score:4, Informative)

        by erikkemperman (252014) on Wednesday December 18, 2013 @04:47AM (#45723799)

        A million times this. Android's permission model is deeply flawed. You have to either accept or deny *all* that an app requests in its manifest, or you can't install.

        So as a developer, sure you could add a setting to your app's config pages to, say, turn of location services -- but the app still has that privilege. nothing for it but uninstalling.

        • No. Not a million times this. To get this stupid app on your device you have to deliberately go out of your way to enable sideloading, download the app when promted from some dodgy website, install it, grant it admin.

          This has nothing to do with the Android permissions system and everything to do with dumb people. Actually REALLY dumb becaus they chose to enable sideloading, they are going out of their way to be hacked... the "Google Vx" settings app isn't pinging up in the Top 10's in the app store, it's si

          • Sorry, but the post I replied to was about Android's poor permission model. You're right that this particular nasty would still bite a lot of people in the ass -- due to their own carelessness -- even with a less crappy permission system. That much is not disputed, there is no easy fix for stupid.

            The argument of GGP, as I read it at least, is basically saying that even bona fide devs and clever users are stuck with this all-or-nothing approach to granting privileges.

          • by Anonymous Coward

            In China, phones do not have Google Play installed. You can't use it. Period. How many times do you have to be told before that fact sinks in?

        • by gl4ss (559668)

          it could ask every fucking time it does something too, like j2me security model as implemented on phones did. want to write a file, a single file with filesystem api? that's 3-4 security questions each with two button presses.

          too bad they didn't think of the middle ground option. you know, too many screens to designs and committees to attend if doing that(also this is why the official mobile java failed and android emerged as the victor)...

        • by Richy_T (111409)

          I've actually considered releasing two versions of my app to allow people this fine grained control. There's some really neat features I could add by adding location services but I am conscious that there are some people who would balk at that. If it was an "optional" setting, it would be a no-brainer.

          • I don't know why Android Security Model doesn't include the option for apps to request trading features for permissions. If you want to use cool feature X it needs location services. Or Feature Y needs access to your SMS/Contacts. If you don't enable X or Y, those features are not available.

            • by jafac (1449)

              Ha ha. Yeah, I don't want to use the "advertising features" of my free app, so let's chop-off all the spyware permissions.

      • by Anonymous Coward

        And to add on top of that the user is presented with two choices: Either install the app and grant all the requested permissions, or don't install the app.

        Not even an obviously malicious permission request will stop most users from installing (cf: flashlight app [bbc.co.uk], Why does this need data? I don't care. *click*). My guess is that this happens because at this point the user has already made the decision (I've just clicked on 'Install'!).

        Google treats this as works as intended/wontfix [eff.org], so don't expect any chang

      • by DrXym (126579)
        Android certainly has poor security options once an app installs, but I would say in this case that if someone is stupid enough to download an app from an untrusted source, click through when it asks for suspiciously broad permissions, that more fine grained controls is not going to help these people. They are idiots.

        That said, Android has some shocking poor security behaviour that Google should fix. It should be possible to turn off certain permissions an app says it wants regardless of what the manifest

      • I understand what you're saying. However, compare this "ridiculously broad" system to almost anything else, such as your Windows desktop. On Windows, applications have 100% permissions to do whatever they want on your computer. The user is either admin or not admin, two choices only.

        It seems to me Android's system is a giant leap forward, although it's imperfect. You have very fine grained control in Linux through SELinux. Some people might prefer that level of control, but that level of detailed control

      • by riis138 (3020505)
        Not to mention they have severely hampered the ability to limit permissions on a per app basis, and you have a recipe for disaster.
      • by Russ1642 (1087959)

        The permission system itself is flawed. There's no reason for an all-or-nothing approach. Let me install an app and deny it internet access. Please. If the app doesn't like it it can just not run. That way we can put the control in the hands of users while not having any worse security than we have now.

    • The problem is with dumb users out there who just do not read the type of permissions required by apps they download versus the functionalities that it is supposed to give, that also without reading reviews and comments about it, such problems are bound to happen.

      No, the problem is commercial "appstores" that try to mimick the original open source model for application repositories, also known as package management systems, badly.

      The reason software packages on Free OSes work well is because the

  • Point of view (Score:1, Insightful)

    by Anonymous Coward

    Heh you Android guys are funny. If that was an article about Microsoft Windows, you'd be all over the place spewing end of days stuff :))))))

  • What will it look like if I ever go into one of those mobile OSes from the security standpoint compared to less mobille OSes? I haven't touched mobile OSes even remotely yet. I understand the apps ecosystem might cause problems not directly linked to the OS but still, overall?

    • by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Wednesday December 18, 2013 @04:47AM (#45723801) Homepage

      Well, First there's Linux. Which is fine, except it's out of date, and thus can be compromised trivially. Then there's the device drivers which frequently have exploits due to the rapid progression of mobile platforms, being built by the lowest bidder, and the lack of consumer desire to pay a premium for security.

      At this point we interact with the other small separate OS for the cellular radio -- It doesn't really validate inputs well and can be compromised trivially.

      Moving on, we have an excellent application of user / group privileges which constrict application. Really would love actually a bit more than the level of control this has on desktops; Eg: Firefox runs as its own user on my desktop system and the Firefox user has access to its settings folder and is in the "Internet" group, so it can access the web. "sudo" is nice, but we need such a thing for granting user-level access to user-agents such as Firefox; It's one reason I'm developing an Agent Oriented OS and programming language... Anyhow, since the granularity is utterly shite it's basically pointless on mobile systems.

      Then we have the Application. Note, this is not plural. We have the Davlik VM aka Java, but register based (faster, more memory use) instead of stack based (slower, less RAM use). There's some great stuff in the install process here whereby linkage occurs and the byte orders of values in the images are translated to machine order. Prior to running on Android the complied Java bytecode is translated into Davlik bytecode -- Unfortunately, there is no copy of this bytecode kept around in case you want to copy it to another device. I'm a firm believer of link on install, but they've done it horribly wrong: My OS links programs on install into MACHINE CODE... ugh. This is mobile so, yeah, let's use what little CPU we got to run a VM -- er, a just in time compiler for a VM.

      Now, on desktop systems such as 80486, you'll have up to 4 different execution permission rings to leverage, but on the ARM and other systems you get 2: Kernel or Not. This really messes up the fact that you are running a VM atop a kernel. Well, Linux moronically doesn't reserve a ring level for applications to use against their plugins the same way the kernel isolates itself from user-land applications, so the hardware makers have adopted the monolithic kernel approach. Hey, guess what? We're running a monolithic VM atop a monolithic kernel! Yay! It's like Exploit HEAVEN! Remember how in 16 bit DOSs your program could access any other "TSR" program's memory, or even the OS / BIOS itself and wreak havok? Oh, man. It was great! Mobile has brought this back!

      Then we have the app ecosystem, which is actually the strong point IMO. It at least gives you a chance to let other suckers become victims of an exploit and hope it gets pulled / blacklisted from the markets before you try it out. Also, 64GB micro SD's exist now... but a lot of new devices don't have SD card slots, so fuck 'em.

      Finally we have the Carriers. They dig down deep into the nether regions of shit that shain't be shat around with, and do just that to create the UI's and app launchers high atop the software stack. Noticeably, desktop OSs have less overhead for doing things than the mobile methodology, but that's the sacrifice you make to have idiots develop you tech on the cheap.

  • FUD? (Score:3, Insightful)

    by wannabgeek (323414) on Wednesday December 18, 2013 @05:09AM (#45723895) Journal

    For all the exaggerated scary words used like "one of the largest", "more than 60 campaigns" etc, there was not a single solid data point about the actual devices infected. Not even a ball park number - like whether it is tens, thousands or millions of devices.
    Makes me suspect the claims.

  • I can't find any information about where this was downloaded from. It's not on the Play Store (or at least, not anymore), so where were people downloading it from?

  • by DrXym (126579) on Wednesday December 18, 2013 @05:32AM (#45724001)
    Download your apps from a reputable store and exercise some common sense. I wouldn't be surprised if this infection was because idiots were downloading warez from some dubious app store.
    • by zoffdino (848658)
      It's the biggest challenge in software design. There are lots of dumb or technically-inept people. 20% of the cars are stolen each year when the drivers left their vehicles ' engines on, with keys still in ignition. If people don't have common sense like that, how do you expect them know that a flash light app doesn't need access to SMS, photos, emails and contacts?
    • What "reputable store" happens to be available to people who live in the People's Republic of China, which doesn't appear to have Google Play or Amazon?
    • Advertisers and junk apps on legitimate sites are now common vectors for these trojan horses.

      I can't go to Download.com anymore because there's no real way to tell the difference between; "click here to download your file" and "click here to download your file" from an ad unless you closely examine the link -- though the only difference is usually a hashed code from the same download location. They look exactly the same, but the other will download an installer to put spam on your machine and it turn it int

  • Why go through all the trouble just to know my wife asked me to pick up milk?
    • Increasingly, major webmail and social networking providers have been using access to a particular mobile phone number's SMS inbox as a second factor in 2-factor authentication.
  • I assume that's a strange way of spelling 'sending'
  • "MisoSMS is wreaking havoc on the Android platform"

    This is BS, how does this malware get on to the device in the first place, does it require user action or can it install silently and root the device.
  • the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.

    Rumor has it that they are paying James Earl Jones and Malcom McDowell to read those stolen SMS messages out loud.

  • Why not use app ops? remove all permissions you do not want an app to have. We should be telling apps what they are allowed to do not the other way around!

Memory fault -- brain fried

Working...