Android.Bmaster Exploits root access to connect to Botnet | The Hacker News (THN)

This malware is estimated to affect between 10,000 and 30,000 phones on any given day. The malware, mostly found on Chinese phones, works by using GingerBreak, a tool that gives users root access to Android 2.3 Gingerbread. RootSmart is designed to escape detection by being named "com.google.android.smart," which has the same name as a settings app included by default with Android operating systems.

Mullaney explained that once the malware is installed on the Android phone, an outbound connection from the infected phone to a remote server is generated. “The malware posts some user and phone-specific data to the remote address and attempts to download and run an APK file from the server. The downloaded file is the second stage in the malware and is a Remote Administration Tool (RAT) for Android, detected as Android.Bmaster. This type of malware is used to remotely control a device by issuing commands from a remote server”.

Not good.
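The two-stage behaviour Mullaney describes (post device data to a server, fetch an APK from that same server, run it) is a sequence you can hunt for in proxy logs. As an added example that is not part of the THN piece or Symantec's analysis, here is a Python script that correlates a POST to a host with a subsequent APK download from the same host by the same client inside a time window. The log layout, host names, client ids and the ten-minute window are assumptions made for the example; the log lines are constructed, not captured traffic, and because a proxy log does not carry the POST body, the "phone-specific data" part of the pattern cannot be confirmed from them, only the sequence.

```python
"""Correlate the stage-1 POST / stage-2 APK-download pattern over proxy logs.

Added example, not code from the article or from Symantec. The log format
(ISO timestamp, client id, method, URL, response content-type) is an
assumption; the hosts under .invalid are placeholders.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Registered MIME type for Android package archives.
APK_MIME = "application/vnd.android.package-archive"

# Constructed sample log (not real traffic). Five space-separated fields.
SAMPLE_LOG = """\
2012-02-09T10:00:01 dev-A POST http://c2.example.invalid/report.php application/octet-stream
2012-02-09T10:00:04 dev-A GET http://c2.example.invalid/update.apk application/vnd.android.package-archive
2012-02-09T10:05:00 dev-B POST http://api.example.invalid/score application/json
2012-02-09T10:05:02 dev-B GET http://cdn.example.invalid/banner.png image/png
2012-02-09T10:20:00 dev-C POST http://c2.example.invalid/report.php application/octet-stream
2012-02-09T11:40:00 dev-C GET http://c2.example.invalid/update.apk application/vnd.android.package-archive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["host"] = urlsplit(event["url"]).hostname
    return event


def is_apk_download(event):
    """Stage 2 indicator: a GET that returns an APK by MIME type or by extension."""
    return event["method"] == "GET" and (
        event["ctype"] == APK_MIME or event["url"].lower().endswith(".apk")
    )


def find_two_stage_droppers(log_text, window_seconds=600):
    """Return (client, host, post_ts, apk_ts) for each POST followed by an
    APK download from the same host by the same client within the window.

    Stateful correlation: remember the latest POST per (client, host), then
    match it against a later APK fetch. A match is a triage lead, not a
    conviction; a legitimate updater that phones home before downloading
    an update from the same server will look the same.
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    last_post = {}  # (client, host) -> timestamp of most recent POST
    hits = []
    for e in events:
        key = (e["client"], e["host"])
        if e["method"] == "POST":
            last_post[key] = e["ts"]
        elif is_apk_download(e) and key in last_post:
            if e["ts"] - last_post[key] <= window:
                hits.append((e["client"], e["host"], last_post[key], e["ts"]))
                del last_post[key]  # pair consumed; avoid double counting
    return hits


if __name__ == "__main__":
    for client, host, post_ts, apk_ts in find_two_stage_droppers(SAMPLE_LOG):
        print(f"{client}: POST to {host} at {post_ts}, APK fetched at {apk_ts}")
```

On the constructed log only dev-A trips the rule: dev-B never fetches an APK, and dev-C's download comes 80 minutes after its POST, outside the default window (widening the window to two hours flags dev-C as well). Tune the window to the dropper's observed cadence rather than treating the default as meaningful.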

McAfee: Nearly All New Mobile Malware In Q3 Targeted At Android Phones | TechCrunch

Nearly all new mobile malware in Q3 was targeted at Android. This follows a 76 percent rise in Android malware in Q2 of 2011.

At the end of 2010, McAfee predicted that malware would reach 70 million unique samples by the end of 2011, but has since raised that prediction to 75 million unique malware samples by year's end, which would make 2011 the busiest year in malware history, says McAfee.

As mentioned above, McAfee says that malware authors are capitalizing on the popularity of Android devices (and perhaps the security flaws as well) this quarter. The Android platform was the only mobile operating system for all new mobile malware in Q3. One of the most popular forms of trickery in Q3 was SMS-sending Trojans that collect personal information and steal money. Another new method of stealing user information is malware that records phone conversations and forwards them to the attacker.

The Android Malware M.O.

In another recent finding, security researchers at Trend Micro discovered malware on Android devices that disguised itself as a Google+ app. The app was capable of performing malicious activities like recording phone calls, gathering GPS location, and more. This user data was then uploaded to a remote server. The application called itself Google++, which apparently was overlooked by several customers. It's worth mentioning here that a big factor in the success of malware is the casual behavior of users, who fail to pay enough attention when installing a program on their device.

Use a Smartphone to Capture Password Entry via Audio | The Hacker News

At a conference in Chicago on Thursday, a group of computer researchers from Georgia Tech will report on another potential threat. The researchers have shown that the accelerometer and orientation sensor of a phone resting on a surface can be used to eavesdrop as a password is entered using a keyboard on the same surface. They were able to capture the words typed on the keyboard with as much as 80 percent accuracy.

Spooky.

More Android Vulns | Androidpolice

In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.

But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed:

  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more

Russian Group Claims it's Cracked the iPhone 4's Encryption | Geek.com

Russian company ElcomSoft is claiming to have cracked the 256-bit hardware encryption Apple uses to protect the data on iOS 4 devices, and is offering software that allows anyone to do it.

ElcomSoft is well-known as a corporate security and IT audit company, working with law enforcement agencies, the military, and intelligence agencies to recover data and perform forensics on devices. Its latest work has managed to open up the data stored on any device running iOS 4 by circumventing the hardware encryption chip Apple uses.

Rather than relying on a hardware dump from such a device, which will be encrypted and may be missing some of the important data a forensic investigation needs, ElcomSoft can now gain full access to what is stored on a gadget such as the iPhone 4. This includes historical information such as geolocation data, browsing history, call history, text messages and emails, usernames, and passwords. They can even recover data deleted by the user from the device.

Um, ouch?

The (In)security of Mobile Devices: Anatomy of a New Type of Risk

It wasn't long ago that being on the cutting edge of business equated to having a website. Soon after, it wasn't enough to simply have an Internet presence; you had to be interactive and engaging (see Web 2.0). But now there's a new standard. In order to truly compete in the second decade of the 21st century, you need to be in the mobile space.

That means you either have an iPhone and/or Android application or you're likely losing business to competitors who do.

An article I just did for the Fortify newsletter.