Mobile Malware Takes Victims by Surprise

October 29, 2014

Mobile malware creators prey on the fears of users who are unfamiliar with how it works. For example, Koler claims to encrypt all the data on a phone. It doesn’t, so the data can be recovered from the phone without paying the extortionists. Removing the malware is relatively easy, but “the typical user isn’t going to know that,” said AdaptiveMobile’s Cathal McDaid.

Malware writers behind Koler, a bad app that attacks Android devices, have upped their game with a new variant of the pernicious program.

In its original version, Koler hijacked phones it landed on and wouldn’t set them free until a ransom was paid. This latest strain of the malapp also does the ransomware thing, but it takes its malignancy a step further.

“This version self-replicates,” Denis Maslennikov, a security analyst with AdaptiveMobile, told TechNewsWorld. “This is the first time we’ve seen self-replicating ransomware on Android.”

After a user downloads the new Koler to a phone, the software commandeers the mobile’s address book and spams everyone in it — only it doesn’t look like spam to the contacts because the SMS message is coming from a trusted source.

The message tells targets that a photo page has been created about them on the Web and includes a link to the page. After landing on the page, a target is directed to download and install a photo viewer to see the images. Following those instructions will infect the target’s phone with Koler.
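The propagation pattern described above, one sender pushing the same link to many contacts within minutes, is easy to spot from the messaging side. The Go program below is an added example written for this page, not code from the article or from AdaptiveMobile. It runs a sliding-window check over constructed outgoing-SMS log lines (the numbers, timestamps and lure URL are placeholders, not indicators from the Koler campaign) and flags any sender whose identical link reaches at least five distinct numbers inside five minutes; the thresholds are assumptions an operator would tune to the baseline.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Alert describes one sender whose outgoing SMS traffic looks like a
// self-propagating worm: the same link pushed to many distinct numbers
// in a short window.
type Alert struct {
	Sender     string
	URL        string
	Recipients int
}

type sms struct {
	at   time.Time
	from string
	to   string
	url  string
}

var urlRe = regexp.MustCompile(`https?://\S+`)

// parseLog reads lines of the constructed form
// "<RFC3339 timestamp> <sender> <recipient> <body>" and keeps only messages
// that carry a URL, since the lure depends on one.
func parseLog(lines []string) []sms {
	var out []sms
	for _, ln := range lines {
		f := strings.SplitN(strings.TrimSpace(ln), " ", 4)
		if len(f) < 4 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		u := urlRe.FindString(f[3])
		if u == "" {
			continue
		}
		out = append(out, sms{at: t, from: f[1], to: f[2], url: strings.TrimRight(u, ".,)")})
	}
	return out
}

// DetectWormBursts flags every (sender, URL) pair that reaches at least
// minRecipients distinct numbers within any window of length win.
func DetectWormBursts(lines []string, minRecipients int, win time.Duration) []Alert {
	msgs := parseLog(lines)
	sort.Slice(msgs, func(i, j int) bool { return msgs[i].at.Before(msgs[j].at) })

	groups := map[[2]string][]sms{} // (sender, url) -> messages in time order
	for _, m := range msgs {
		k := [2]string{m.from, m.url}
		groups[k] = append(groups[k], m)
	}

	var alerts []Alert
	for k, g := range groups {
		best := 0
		for i := range g { // window starts at each message in turn
			seen := map[string]bool{}
			for j := i; j < len(g) && g[j].at.Sub(g[i].at) <= win; j++ {
				seen[g[j].to] = true
			}
			if len(seen) > best {
				best = len(seen)
			}
		}
		if best >= minRecipients {
			alerts = append(alerts, Alert{Sender: k[0], URL: k[1], Recipients: best})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Sender < alerts[j].Sender })
	return alerts
}

// SampleLog is constructed for this example: one infected sender blasts a
// lure to six contacts in three minutes, one normal user shares a link with
// two friends, one message carries no link at all.
var SampleLog = []string{
	"2014-10-27T09:14:02Z +15550000001 +15550000011 Someone made a photo page about you http://photos.example.invalid/p/0001",
	"2014-10-27T09:14:05Z +15550000001 +15550000012 Someone made a photo page about you http://photos.example.invalid/p/0001",
	"2014-10-27T09:14:09Z +15550000001 +15550000013 Someone made a photo page about you http://photos.example.invalid/p/0001",
	"2014-10-27T09:15:40Z +15550000001 +15550000014 Someone made a photo page about you http://photos.example.invalid/p/0001",
	"2014-10-27T09:16:12Z +15550000001 +15550000015 Someone made a photo page about you http://photos.example.invalid/p/0001",
	"2014-10-27T09:17:01Z +15550000001 +15550000016 Someone made a photo page about you http://photos.example.invalid/p/0001",
	"2014-10-27T10:02:30Z +15550000002 +15550000011 have a look http://news.example.invalid/story",
	"2014-10-27T10:03:10Z +15550000002 +15550000012 have a look http://news.example.invalid/story",
	"2014-10-27T11:00:00Z +15550000003 +15550000019 running late, see you at noon",
}

func main() {
	for _, a := range DetectWormBursts(SampleLog, 5, 5*time.Minute) {
		fmt.Printf("worm-like burst: %s sent %s to %d numbers\n", a.Sender, a.URL, a.Recipients)
	}
}
```

The same check maps onto a carrier's SMS gateway logs or an on-device messaging export; grouping by (sender, URL) rather than by sender alone keeps a chatty but legitimate user below the threshold while still catching a lure that is word-for-word identical across recipients.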

Toothless Threats

“This is a big jump in Koler’s propagation mechanism,” Maslennikov said. “Before it was just hiding on websites. Now it’s actively spreading to all your friends.”

Although mobile ransomware can be frightening to someone unfamiliar with its workings, the malware is tame compared to its computer counterpart.

For example, Koler claims to encrypt all the data on a phone. It doesn’t: it is a screen-locker that covers the display with an overlay the user cannot dismiss, while the files underneath are untouched, so the data can be recovered from the phone without paying the extortionists.

Moreover, removing the malware is relatively easy. Booting Android into safe mode starts the system without third-party apps, so the lock screen never loads, and the malicious app can then be uninstalled through the standard application settings.

“If you reboot the phone normally, it’s always going to come back into the ransomware,” said Cathal McDaid, AdaptiveMobile’s head of data intelligence and analytics.

“The typical user isn’t going to know that, so they may go to extremes and do a factory reset, which will work as well — but they will lose all their data,” he told TechNewsWorld.

Bell Tolling for Passwords

While complaints about passwords as a way to authenticate users abound, progress on finding a substitute for them has been glacial. Last week, though, there were signs that was changing.

Microsoft plans to build two-factor authentication into the next version of its desktop operating system, Windows 10, ZDNet reported. It will be based on standards developed by the FIDO Alliance.

Owners of any device running it will be able to enroll the device as “trusted” for the purpose of authentication, according to the report.

In addition, the owner creates a PIN for the device. The PIN can be any combination of letters and numbers.

If PINs are compromised in a data breach, it won’t do the thieves much good: under the FIDO model the PIN unlocks the credential held on the device rather than being sent to the service, so without the associated device a thief cannot complete the authentication. Conversely, if a device is stolen, the thief does not have the PIN needed to unlock it.

Google Dongle

Meanwhile, Google also floated a two-factor authentication scheme using a USB security key.

Google already has two-factor authentication via SMS messaging, but the USB approach will give its users another option.

Initially, the key will work only with Google’s Chrome browser. With the key, you don’t have to fuss with any codes. You plug the key into a USB port, wait for a prompt, and tap the key to access your Google accounts.

The key also incorporates authentication technology from the FIDO Alliance.

“The idea here is to move away from just using a password to log into your email, your system, your network,” Aryeh Goretsky, a researcher with ESET, told TechNewsWorld.

“What we’ve seen in the past is a bunch of attacks where people’s accounts have been compromised,” he said. “So the goal here is to remove the weakest link, which is the password.”
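Both the Windows 10 scheme described under “Bell Tolling for Passwords” and Google’s USB key rest on the same FIDO idea: a per-device key pair whose private half never leaves the device, unlocked locally by a PIN or a touch, with the service holding only the public key. The Go program below is an added example written for this page, not Microsoft’s, Google’s or the FIDO Alliance’s code, and it simplifies the real protocols (no attestation, no per-site key handles, no app-ID hashing; the origin string, the counter layout and the PIN gate are assumptions). It walks through enrollment, a challenge, the signed response and the server’s check, then shows why a leaked PIN without the device, or the device without its PIN, gets an attacker nowhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models an enrolled phone or USB key. Its private key is generated
// on the device and never leaves it; the PIN only gates its use locally.
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // checked on the device; the server never sees the PIN
	counter uint32   // simplified stand-in for the FIDO signature counter
}

// Server holds only the public key, its origin string and the last counter seen.
type Server struct {
	pub     *ecdsa.PublicKey
	origin  string
	counter uint32
}

// NewDevice creates a P-256 key pair on the device and sets its PIN.
func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Enroll is the "trusted device" registration: only the public key crosses
// the wire. The origin string is an assumption made for this example.
func Enroll(d *Device, origin string) *Server {
	return &Server{pub: &d.priv.PublicKey, origin: origin}
}

// signedData is what both sides hash: origin || counter || challenge, so a
// response cannot be replayed to another site or reused later.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(cnt[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge only after the right PIN is presented to the
// device, and returns the advanced counter with the signature.
func (d *Device) Sign(pin, origin string, challenge []byte) (uint32, []byte, error) {
	if sha256.Sum256([]byte(pin)) != d.pinHash {
		return 0, nil, errors.New("device: wrong PIN, refusing to sign")
	}
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, signedData(origin, d.counter, challenge))
	return d.counter, sig, err
}

// Verify accepts the assertion only if it checks out under the enrolled public
// key and the counter moved forward (a cloned key would eventually fall behind).
func (s *Server) Verify(counter uint32, challenge, sig []byte) bool {
	if counter <= s.counter || !ecdsa.VerifyASN1(s.pub, signedData(s.origin, counter, challenge), sig) {
		return false
	}
	s.counter = counter
	return true
}

// Login runs one complete exchange: the server issues a 32-byte nonce, the
// device signs it after the PIN check, the server verifies the signature.
func Login(d *Device, s *Server, pin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	cnt, sig, err := d.Sign(pin, s.origin, challenge)
	if err != nil {
		return false
	}
	return s.Verify(cnt, challenge, sig)
}

func main() {
	dev, _ := NewDevice("1234")
	srv := Enroll(dev, "https://accounts.example.invalid")
	thief, _ := NewDevice("1234") // knows the PIN, holds a different device
	fmt.Println("enrolled device, right PIN:", Login(dev, srv, "1234"))
	fmt.Println("enrolled device, wrong PIN:", Login(dev, srv, "0000"))
	fmt.Println("leaked PIN, other device:  ", Login(thief, srv, "1234"))
}
```

The two failure cases are the whole point of the article’s argument: the thief with the leaked PIN signs happily on their own device, but the service rejects the assertion because it was enrolled against a different public key; the thief with the stolen device never gets a signature out of it. For a touch-to-sign USB key the PIN check becomes a physical-presence check, and the rest of the exchange is the same.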

Making NFC Respectable

Near-field communication has been around for some time, but it has failed to capture a lot of consumer interest or confidence in its ability to secure mobile transactions.

For example, by a two-to-one margin, consumers give lower security ratings to NFC transactions than to those performed with magnetic stripe cards, suggests a survey released last week by Phoenix Marketing International.

Apple might be able to change that perception with its Apple Pay system, however. That’s because the scheme depends on more than NFC alone for security.

“Apple delayed committing to NFC for a long time so when it entered the market, it could do so with a whole security platform,” said Greg Weed, PMI’s director of card research. That platform included a secure element chip inside the phone and a fingerprint scanner outside it.

Before Apple Pay, merchants, vendors and card issuers debated what kinds of rewards and enticements were needed to get consumers to use NFC devices. Apple Pay has changed that.

“What it did is take the idea of security and make it the benefit of the platform,” Weed told TechNewsWorld. “That’s changed the conversation.”

Breach Diary


  • Oct. 20. Office supplies retailer Staples confirms it is investigating possible data breach affecting some of its outlets.
  • Oct. 20. releases survey finding 45 percent of consumers say they won’t shop at a store that’s suffered a data breach. Forty-eight percent of consumers who say they’ll still shop at the outlets say they’ll only use cash at them.
  • Oct. 21. Two weeks after it discovered data breach, Oregon Employment Department begins informing 851,322 clients of the agency that their personal information was stolen by hackers.
  • Oct. 21. Microsoft releases fix for zero-day vulnerability in all versions of Windows except Server 2003; attackers exploit it through malicious OLE objects embedded in PowerPoint files to gain unauthorized access to a system.
  • Oct. 22. Apple CEO Tim Cook meets with Chinese Vice Premier Ma Kai following report that Apple users in the People’s Republic were targets of a widespread attack by hackers attempting to obtain credentials that could be used to ransack iCloud accounts.
  • Oct. 22. Trend Micro releases report on Operation Pawn Storm, a cyberespionage campaign that has been ongoing since 2007. The campaign uses advanced spearphishing techniques to steal email credentials from employees of military agencies, embassies, defense contractors and international media outlets that use Microsoft Office 365’s Outlook Web App.
  • Oct. 23. Heartland Payment Systems files motion to dismiss lawsuit by banks and credit unions stemming from data breach in 2008. The breach, one of the largest in history, compromised some 100 million credit cards and 650 financial services companies.
  • Oct. 23. Facebook proposes new email standard, RRVS (Require Recipient Valid Since), to prevent recycled email accounts from being used to compromise the accounts of their prior owners.
  • Oct. 23. Electronic Frontier Foundation releases new edition of its guide for Web surfers to protect themselves online, “Surveillance Self-Defense.”
  • Oct. 24. Damballa, which makes computer network threat detection systems, reports 57 percent increase in August and September of devices infected with Backoff malware. Backoff has been used in a number of attacks on retail point-of-sale systems.


Upcoming Security Events


  • Oct. 29. One-Time Passwords Are Being Compromised! 1 p.m. ET. Webinar sponsored by Entersekt. Free with registration.
  • Oct. 29. How to Best Secure Your Mobile Enterprise. 3 p.m. ET. Webinar sponsored by Dell. Free with registration.
  • Oct. 29-30. Security Industry Association: Securing New Ground. Millennium Broadway Hotel, New York City. Registration: before Oct. 4, US$1,095-$1,395; after Oct. 3, $1,495-$1,895.
  • Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
  • Nov. 3-5. FS-ISAC EU Summit. 155 Bishopsgate, London, UK. Registration: free, members; non-member, $1,750; core member, $1,500; standard, $1,250; government, $750.
  • Nov. 5. Strategies for Third-Party Software Security that Actually Work. Noon ET. Webinar sponsored by Veracode. Free with registration.
  • Nov. 5. More Detection, Less Defense: How to be more agile. 1 p.m. ET. Webinar sponsored by BAE Systems. Free with registration.
  • Nov. 5. Bay Area Secureworld. Santa Clara Convention Center, Santa Clara, California. Registration: $695, two days; $545, one day.
  • Nov. 5. FedCyber 2014 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: free, government; $106.49, academics; $626.92, industry.
  • Nov. 6. B-Sides Iceland. Tjarnarbíó, Reykjavík, Iceland. Free.
  • Nov. 8. B-Sides Dallas-Fort Worth. University of Texas-Dallas (UTD), ECSS building, 800 West Campbell Rd, Richardson, Texas. Free.
  • Nov. 8. B-Sides Jackson. Southern Farm Bureau Casualty, 1800 E. County Rd. #400, Jackson, Mississippi. Free.
  • Nov. 12-13. Seattle Secureworld. Meydenbauer Center, Seattle. Registration: $695, two days; $545, one day.
  • Nov. 14-15. B-Sides Delaware. Wilmington University, 320 North Dupont Highway, New Castle, Delaware. Free.
  • Nov. 15. B-Sides Jacksonville. The Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Free.
  • Nov. 19. Stealing from Uncle Sam. 7:30 a.m.-1:30 p.m. ET. Newseum, Washington, D.C. Registration: government and press, free; before Nov. 19, $495; Nov. 19, $595.
  • Nov. 21-22. B-Sides Charleston. College of Charleston campus, Charleston, South Carolina. Free.
  • Nov. 22. B-Sides Vienna. Top Kino, Rahlgasse 1 (Ecke Theobaldgasse), 1060 Wien, Austria. Free.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
  • Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course Registration: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.
