Silently Spreading Mobile Malware Takes to Ad Networks, Bilking Users Along the Way

Palo Alto Networks has discovered a bug that can send text messages from a mobile device and intercept any that come in, without the user knowing

Palo Alto Networks has discovered a bug that can send text messages from a mobile device and intercept any that come in, without the user knowing. That of course opens the door for all kinds of nefarious things, including signing the user up for premium mobile services. In many cases, it sets up a backdoor for future malware delivery.

“[Mobile] devices are a potential bonanza to sophisticated attackers because, first there are a lot of them (analysts predict mobile device shipments to outpace PCs this year), they are increasingly powerful with the ability to do most things a PC can, and typically they are very poorly secured compared to a corporate laptop”, said Wade Williamson, a security researcher at Palo Alto, in a blog. “This trifecta of large opportunity, high target value and poor defenses stands to make mobility one of the most active fronts in cybersecurity in the coming months and years.”

While the tactic of spreading malware via online ad networks is hardly a new phenomenon, moving the concept into a mobile environment presents a new set of concerns because no social engineering is involved. As Palo Alto pointed out to Infosecurity in an email, mobile ad networks are far more insidious than normal ad networks. That’s because mobile applications have hooks built into them to reach out to the appropriate ad network to fetch ads and update them so that the app developer gets paid. To do this, the app developer typically needs to embed software from the ad network into the mobile application itself, so the ad network has its own application code running inside the app, with the same permissions the app has. This is not just HTML rendering; this is code built into the app itself.
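The risk described above is structural: whatever permissions the app declares, the embedded ad-network code gets too. One defensive check an app-vetting pipeline can make is to look at an app's manifest for components whose package prefix differs from the app's own (embedded SDK code) and see whether the app also holds SMS permissions, which is exactly the combination that lets such code send or intercept text messages. The script below is an added example, not code from Palo Alto Networks or from the article; the manifest it parses is constructed for illustration, and the package names `com.example.flashlight` and `com.adnetwork.sdk` are hypothetical.

```python
"""Flag Android manifests where third-party (embedded SDK) components run in an
app that holds SMS permissions. Constructed example; not Palo Alto Networks code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree key for the android:name attribute

# Permissions that let any code in the process, app or embedded SDK alike,
# send or read text messages.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest: a flashlight app that embeds a hypothetical ad SDK
# and requests SMS permissions it has no legitimate need for.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name="com.example.flashlight.MainActivity"/>
    <service android:name="com.adnetwork.sdk.SyncService"/>
    <receiver android:name="com.adnetwork.sdk.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def analyze_manifest(xml_text):
    """Return a dict with the app package, its SMS permissions, components
    from packages other than the app's own, and a list of finding strings."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    app = root.find("application")
    components = [] if app is None else list(app)

    # Anything declared outside the app's own package prefix is third-party
    # code (ad SDK, analytics, ...) running with the app's full permission set.
    def is_foreign(comp):
        name = comp.get(NAME) or ""
        return bool(name) and not name.startswith(pkg + ".")

    foreign = sorted(c.get(NAME) for c in components if is_foreign(c))

    # Foreign receivers registered for incoming SMS can read texts before
    # the user sees them, which is the interception the article describes.
    sms_listeners = sorted(
        c.get(NAME) for c in components
        if c.tag == "receiver" and is_foreign(c)
        and any(a.get(NAME) == SMS_RECEIVED_ACTION for a in c.iter("action"))
    )

    findings = []
    if sms_perms and foreign:
        findings.append(
            "third-party components %s inherit SMS permissions %s"
            % (foreign, sms_perms))
    for name in sms_listeners:
        findings.append("third-party receiver %s listens for incoming SMS" % name)
    return {
        "package": pkg,
        "sms_permissions": sms_perms,
        "foreign_components": foreign,
        "sms_listeners": sms_listeners,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    for line in report["findings"]:
        print("FINDING:", line)
```

The package-prefix heuristic is deliberately coarse: it will also flag legitimate SDKs, which is the point, since the article's argument is that the legitimacy of the app and its developer says nothing about what the embedded network code will fetch later. A reviewer uses the report to ask why a flashlight app needs `SEND_SMS` at all.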

“This is a normal part of the application and it isn't inherently malicious,” a Palo Alto spokesperson explained. “This is why many applications with hooks to BadNews were in the Google Play Store and no one noticed. The application and their developers were legit.”

And so, the culpability of the user shifts – and the threat becomes much more alarming. “If I click on a link and install software from some random tweet that is one thing, and shame on me,” the spokesperson continued. “[Now], we are talking about completely valid application reaching out to an ad network and pulling down malware unbeknownst to the victim…That victim could have gone to the proper place, gotten the real and valid application, and still gotten malware because the ad network that the application uses is malicious.”

And that malware is clearly out to sign up a few million mobile devices to a premium SMS scam that does nothing but charge users a fee per month.

“These innovations in mobile attacks are likely just the beginning of a long cat-and-mouse game between the good guys and bad guys, but it should serve as a reminder that new technologies often result in new threat vectors,” Williamson said.
