Oracle Blog
You know that smartphone in your back pocket? If it happens to run Android (and there’s a 38.8% chance it does, according to IDC’s latest Aussie statistics), then cyber criminals have you firmly in their crosshairs.

IDC’s latest Worldwide Quarterly Mobile Phone Tracker puts Android as commanding 59% of the smartphone market share, with a little under 90 million devices shipped globally in the first quarter of 2012 alone.
This, among other things, makes Android a lucrative target for cyber criminals. Other factors include the platform’s open-source nature, which makes it easier to find and exploit vulnerabilities; loose security policies for apps, enabling hackers to distribute malware through both the official app store and external sources; and a low awareness of smartphone security threats, giving criminals ample opportunity to make a lot of money in a short amount of time.
Thomas Parsons, security response manager at Symantec, says the malware situation is ramping up rapidly. “Up until the end of May, we’d seen about 16,000 unique samples of Android malware. And the number we’ve seen in the last four weeks is almost the equivalent of everything we’ve seen in volume for the Android space to date.”
In its Quarterly Threats Report for Q1 2012, McAfee saw a steep 1,200% increase in Android malware in the first three months of this year. Michael Sentonas, chief technology officer at McAfee Asia Pacific, says many of the unofficial Android app stores are teeming with malware. “I’ve seen interesting statistics where in some countries, there are app stores where over 60-70% of the applications are fake or malicious in nature,” he said. “In China in particular, there are a number of app stores where a significant amount of the apps are fake.”
The many heads of mobile malware
Mobile malware can come in a variety of forms, including Trojans, viruses, adware, scareware and spyware. F-Secure’s Mobile Threat Report Q1 2012 lists Trojans as the most popular threat by far, making up 84% of the threats detected in that time period.
The effects of malware can be just as varied and usually manifest unknown to the user. “Now that smartphones are so powerful, we’re seeing incidents of rootkits for smartphones that have similar functionality to the rootkits we’ve been seeing on PCs for years,” says Michael McKinnon, security advisor at AVG.
“We’re talking about malicious applications that can be hidden from plain view, which can do things like send premium SMS messages without you being aware, read your SMS messages and transfer them on the internet, have full data communication, and report on your GPS location.”
Rogue Android apps have also been reported to do things like record phone calls, forward incoming mail, download and install further malicious software, load pages with fake banking web sites, and even turn your phone into a botnet to do things like perform denial of service attacks.
And it’s not just the apps that you download from dodgy places, either. Many of these apps are finding a home for themselves in the official Google Play Store, often masquerading as free versions of popular apps and games like Angry Birds and Netflix.
Advertisements in free apps and games are also being used by cyber criminals to peddle malware. “In the last month, we’ve noticed an increase in the amount of apps with adware,” says Liviu Arsene, malware researcher at BitDefender. “In our top 10 mobile malware stats, adware is in first place.” Last year, the legitimate ad-sponsored versions of Scrabble and Angry Birds were found to be displaying ads for a fake ‘Battery Doctor’ utility that harvested the user’s phone number, email address, handset IMEI number and contacts.
Some of the latest incarnations of Android malware include the following:
- Android Security Suite Premium, a fake security app that forwarded incoming text messages to remote servers.
- A fake Gmail app that silently sent the user’s SMS records, call log and email to an email address, with further capabilities that could be activated from command and control servers operated by the scammer.
- A fake Instagram app that sent messages to premium numbers without the user’s knowledge.
Google’s response
In February, Google announced a new layer of security in the Play Store codenamed Google Bouncer. According to Google Mobile’s blog post, this technology automatically scans every new Android application uploaded to the store and analyses it for known malware, spyware and Trojans. It also simulates how the app will run on an Android device to look for any hidden malicious behaviour. Between the first and second half of 2011, Google claims that Bouncer reduced the number of malicious applications in the Play Store by 40%.
However, it didn’t take long for workarounds to be discovered. In June, two security researchers from Duo Security found multiple ways for malware authors to beat the system, including getting the app to check whether it was running in the Bouncer virtualisation software, checking the account used to register the virtual phone and getting the app to suspend any malicious behaviour for the first five minutes that Bouncer scans the app.
The local situation
Most of the Android malware reported so far has originated in non-English-speaking countries — Russia and China in particular appear to be the two main nesting grounds — and this language barrier has served to reduce the number of potential victims.
But that doesn’t mean Aussies and other English-speaking Android users are safe. McKinnon says AVG has come into contact with Australian customers that have been affected by smartphone malware, but that most of them were keeping quiet about it. “One of the issues we see in Australia is that a lot of this is not reported,” he said.
In some situations, it’s a case of not even realising that your phone has been infected. As noted by Sean Sullivan, security advisor at F-Secure Labs, one of the more alarming trends in recent months is malware apps that ‘deliver on their promise’. “Today what we’re seeing are malicious Android apps that have bundled legitimate apps, such as Rovio’s Angry Birds Space,” he said in F-Secure’s Mobile Threat Report Q1 2012.
“First the malicious ‘wrapper’ tricks and manipulates the user into granting permissions that allow the malware to subscribe to premium-rate services, but then the malware actually does install a working copy of that game. At this point, there is little to be suspicious of and nothing to troubleshoot. The user gets the game that he was promised. With this new paradigm, it remains to be seen just how long it takes victims to realise they’ve been victimised.”
Checking your phone bill is one way to check whether you’ve been the victim of a premium SMS scam, but even this has its drawbacks. “For a lot of us, it’s just annoying,” says McKinnon. “If you check your bill at the end of the month, and you see that there are a couple of SMSs that you can’t identify, you might not immediately equate that with a rogue app on your phone.”
Premium SMS scams are proving to be an attractive monetisation technique for cyber criminals, as they can get mobile carriers to do all the money laundering for them. They set up the premium rate numbers, distribute the malware, rake in the charges and disappear long before victims receive their phone bills.
“It’s a hit-and-run situation,” says McKinnon. “The goal of a scammer who is producing this malicious software is skimming a small amount of money from as many people as they can. They’re taking advantage of the immense leverage of the network and the app stores. If they can skim 30c or $1 off everyone they infect, they might make $10,000 in that one crime.”
The other guys
OK, we get it, Android smartphones are ticking time bombs. Does this mean you’re in the clear if your smartphone runs a different operating system? Not necessarily. You’re probably safer, in the same way that Mac is safer than Windows, but that’s purely because hackers tend to target the low-hanging fruit, which in this case is Android.
“We don’t hear much about iPhone malware because in terms of the ease of infecting someone, cyber criminals always go for the path of least resistance,” said McKinnon. “At the moment, this path is getting a hold of Android apps and modifying them into rogue apps, or creating them from scratch.”
But iOS is no stranger to malware. Last year, iOS security researcher Charlie Miller was able to sneak a proof-of-concept app onto the App Store that purported to track stocks. In the background, however, it downloaded third-party malware onto the victim’s iPhone that accessed and edited sensitive data, as well as triggering random push notifications. Apple subsequently issued a software update that patched the security vulnerability.
More recently, certain iOS apps, including the popular Path image sharing app, were discovered to be uploading entire contact lists to remote servers. This wasn’t necessarily malicious, as the apps were doing this to enable certain features in the app, but it was done without users’ consent. Apple promised to update iOS to require user approval before apps can access contact information, similar to the dialogue box that exists now for apps that require access to your location.
In May, the chief technology officer for Kaspersky Lab, Nikolay Grebennikov, told Computing.co.uk that the company expected iPhones and iPads to be infected by malware within the next year. “Our experience tells us that in the near future, perhaps in a year or so, we will see the first malware targeting iOS,” he said.
Even users with ‘dumb phones’ aren’t immune and can be scammed using a combination of SMS and social engineering. SCAMwatch, a web site run by the Australian Competition & Consumer Commission, warns of a ‘voucher prize’ scam text message currently making the rounds that signs you up to a mobile premium service when you enter your number into a web site to claim your prize.
Turning the tide
It’s not all gloom and doom. Authorities around the world are catching on quickly and punishing the perpetrators of malware with hefty fines and jail sentences.
In May, fake apps masquerading as popular games like Angry Birds and Cut the Rope were discovered in the official Google Play Store. When users opened one of the games, it would send three text messages, costing £5 each, to a premium service based in the UK, with no evidence of the outgoing or incoming messages appearing in the user’s messaging app.
This scam was identified in 18 countries, downloaded an estimated 14,000 times and made £28,000 from its victims in the UK alone. PhonepayPlus, the premium rate phone services regulator in the UK, fined the premium service provider A1 Agregator £50,000 and ordered it to repay all victims within three months.
In June, six men were arrested in Japan in connection with an Android malware scam. The app was distributed on a porn web site that purported to be a raunchy video player. When the users opened it, the app would display a message demanding payment of ¥99,800 every five minutes — even when the phone was turned off. It also sent the user’s personal information to a remote server. Out of the 9,252 people that installed the app, 211 fell for the con, making the scammers ¥20 million ($265,000).
How to keep yourself safe
Short of switching your smartphone off permanently, there’s no one single step that will keep you safe from mobile malware and scams. But there are a range of best practice techniques you can employ that will minimise the chances of infection.
- Download apps from the Play Store only. This lets you take advantage of Google’s Bouncer security technology, which scans apps for known threats before they’re published. Failing that, only download apps from the web sites of developers that you’ve heard of and trust.
- Check the app’s ratings and reviews. Just because it’s in the Play Store, doesn’t mean it’s not malware. If there’s more than one version of the same app or game listed in the search results, go for the one with the most downloads. Apps that have an ‘Editor’s Choice’ award or are in the ‘Staff Picks’ section are the safest bets, as these have been independently verified and recommended by a human.
- Be especially careful about apps that you download from external sources, as this is where most of the Android malware is found. If it’s available for free when it’s usually a paid app, then there’s a good chance it’s malware.
- Don’t click on links sent to you from unknown sources via SMS or email. This may take you to a fake landing page designed to look like a bank, or to a page that falsely says you’ve won a prize. In both cases, the site is trying to harvest personal details like your phone number and banking details.
- Turn off the setting that lets you install apps from unknown sources. This won’t prevent drive-by downloads that occur when you visit a particular web page, but it will prevent you from installing the app accidentally. If you ever need to install an app outside of the Play Store — an avenue that many legitimate developers use to distribute beta software — you can simply turn this setting back on temporarily.
- Check the permissions that apps are requesting before you download them. The permissions to keep an eye on in particular are services that cost you money, your personal information, phone calls, your location, your messages and your accounts. It’s a matter of common sense — does a photo editor really need access to your phone calls?
- Install a third-party security solution. All of the major security software vendors now offer mobile security suites for Android that scan apps and app updates for known threats before you install them. Extra antimalware features vary between vendors. Norton Mobile Security includes web protection that blocks fraudulent and phishing web sites, while AVG Antivirus for Android offers SMS scanning for suspicious messages.
- Check your phone bill on a regular basis. If there are mobile premium services listed there that you don’t remember subscribing to, contact your carrier straight away. If you don’t use premium SMS or MMS at all, you can also ask your carrier to block them from your service as an extra safeguard.
- Treat any text that says you’ve won a prize or the lotto with a healthy dose of scepticism. Web sites like SCAMwatch are a good resource for finding out about the latest SMS scams.
- Don’t trust ads just because they appear inside legitimate apps — many cyber criminals are now using affiliate ad networks as a vehicle for distributing malware.
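The permissions tip above is easier to apply consistently with a small tool than by eye. The following is an added example, not code from the original post or from any vendor named in it: it parses a constructed AndroidManifest.xml (the `com.example.photoeditor` package name and the permission set are made up for the demonstration) and reports every requested permission that falls into one of the risk categories the article lists, plus the send-plus-intercept SMS combination that the premium-SMS scams described earlier rely on. The permission identifiers are real Android permission names; the category grouping is this example's own.

```python
"""Flag risky permissions in an Android manifest (added example, not from the blog)."""
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace; ElementTree exposes them as {ns}name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Real Android permission identifiers, grouped under the categories the article
# tells users to watch for. The grouping itself is an assumption of this example.
RISK_CATEGORIES = {
    "services that cost you money": {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
    },
    "your messages": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.RECEIVE_MMS",
    },
    "phone calls": {
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_PHONE_STATE",
        "android.permission.PROCESS_OUTGOING_CALLS",
    },
    "your location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "your personal information": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALENDAR",
    },
    "your accounts": {
        "android.permission.GET_ACCOUNTS",
    },
}


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def flag_permissions(manifest_xml: str) -> dict[str, list[str]]:
    """Map each risk category to the requested permissions that fall into it.

    Categories with no matching permission are omitted from the result.
    """
    flagged: dict[str, list[str]] = {}
    for perm in extract_permissions(manifest_xml):
        for category, members in RISK_CATEGORIES.items():
            if perm in members:
                flagged.setdefault(category, []).append(perm)
    return flagged


def premium_sms_combo(manifest_xml: str) -> bool:
    """True when the app can both send SMS and read or intercept incoming SMS.

    That pairing is what lets a rogue app subscribe to a premium service and
    hide the confirmation replies from the user's messaging app.
    """
    perms = set(extract_permissions(manifest_xml))
    can_send = "android.permission.SEND_SMS" in perms
    can_see_replies = perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    return can_send and bool(can_see_replies)


# Constructed sample manifest: a supposed photo editor asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoeditor">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

if __name__ == "__main__":
    for category, perms in flag_permissions(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
    if premium_sms_combo(SAMPLE_MANIFEST):
        print("warning: app can send SMS and read the replies (premium-SMS pattern)")
```

Run against a real APK's manifest (after extracting it with a tool such as `aapt` or `apktool`), the same functions give the "does a photo editor really need this?" list without relying on the store's permission screen. INTERNET and CAMERA are deliberately not flagged: the point is the mismatch between an app's stated purpose and the sensitive permissions it requests, not the presence of any permission at all.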
Technical support is a joint effort between the customer and the staff member to diagnose and fix a problem. It can't be adversarial. Both parties want the same outcome – to fix the issue, so the blame game is pointless. The problem is that the fix is rarely obvious. When a customer calls up and says "my Internet is not working" there is no button we can push to fix it instantly. We have to diagnose it step by step and try to work out where it's broken. Just to give a few examples, the issue could be:
- A problem with the application that you are using (e.g. the web browser)
- A virus or other problem on your computer
- A fault with the computer itself
- The cables connecting to the modem or the wireless device used to tune into the wireless network
- The actual WiFi network (which can be affected by interference from other devices)
- Other devices connected to telephone sockets in another room (security alarm, Foxtel, unfiltered phones)
- A configuration problem on the modem/router
- A hardware fault with the modem/router
- The cables from the modem/router to the phone connection
- The internal wiring in the house
- Any part of the copper line from the house to the exchange (which can be affected by weather or many other things)
- Simply trying to push the link beyond its capabilities (which can change over time)
- Our equipment at the exchange
- Configuration issues with authentication or similar
- The links from the exchange back to the city
- Lots of potential issues inside the network
- The links to the rest of the world
- A problem with the site that the customer is trying to connect to
That's not even a complete list! So you and the CSR (customer service representative) need to go through and try to rule out each issue. It can be particularly hard when the issue might be intermittent, caused by two or more issues coinciding, or caused by an external factor like weather or interference.
If your Internet has stopped working it's often easy to start by thinking "but I haven't changed anything", so the steps you're being asked to go through may seem pointless. But the CSR really does need to go through and test as many pieces of the puzzle as possible to try and build a picture of what might be causing the problem. For instance, our staff members might ask you to move your computer next to the modem and connect with an Ethernet cable. Now you're thinking "that's a waste of time" because you don't want the computer there at all! But doing this can allow us to rule out any issues with your wireless network or WiFi configuration.
If there is a particularly niggling issue it can mean many hours of work by both the customer and our CSR to find the answer. It can also mean going back and trying earlier tests again as later issues are ruled out or corrected. For example, if other issues have been ruled out staff may conclude the modem is faulty and suggest a replacement.
On rare occasions the issue won't be found and the connection will continue to be dodgy due to factors that may evade diagnosis no matter how much time and stress is invested by you and our staff. There may need to be a point where both parties say "you know what, I reckon we've done all we can here". At that point, we need to be mature enough to accept that the connection is not perfect but it's usable. Or even just shake hands and go our separate ways. If we have tried all the usual tests, sent out line technicians, replaced equipment and still been unable to get a reliable connection, then a penalty-free separation should be offered.
ACCC and ACMA advise Australians to "hang up" on scammers. Fraudsters posing as Microsoft technicians are among the five most concerning telephone scams listed by competition and telecommunications regulators.
The ACCC (Australian Competition and Consumer Commission) and ACMA (Australian Communications and Media Authority) released a joint statement urging Australians to "immediately hang up the phone" on telephone scams. Reports of scam telephone calls to both regulators have skyrocketed from 200 per month to around 2000 in recent months.
The regulators were particularly concerned about scams that involved:
1.) Callers advising that the person's computer is infected with a virus and requesting credit card details to fix the problem. The Western Australian Department of Commerce warned that over 150 people in the state had been duped into paying between $125 and $220 by fake Microsoft technicians.
2.) Callers offering products, services or cash under fake government grants. Legitimate information is available on government web sites and rarely administered through outbound call centres.
3.) Callers seeking bank details in order to process a bank fee refund or tax refund - a classic phishing technique also used by fraudsters via email.
4.) Callers offering to place the person's number on the Do Not Call Register for a fee. The register is free.
5.) Recorded messages asking consumers to 'dial 9' for a 'free' holiday.
The regulators advised those receiving "a cold call from someone claiming you are entitled to a refund, have won a holiday or have a virus on your computer" to "hang up immediately." Those that feel they may have been duped are urged to contact legitimate sources of information (such as their bank) immediately. "Consumers can stop themselves being scammed by never disclosing any personal or financial details to these callers," said ACCC Chairman, Graeme Samuel.
Before smartphones, travellers spent their time with their noses in translation books, frantically searching for an Internet café to check their flight details or writing about their experiences in a steadily disintegrating journal. As with most other aspects of life, smartphones have stepped in to make our lives just that little bit easier. When you’re already lugging around a heavy backpack, it helps to have all the answers in one little device. Here are some of the best smartphone apps to take with you on your travels.
Flight Track
If you’re one of those people who likes to watch the minutes tick by as you get closer to your destination, get your hands on Flight Track. It’ll show you live and zoomable maps of your flight in progress, how the weather is going and what your baggage is up to. You’ll be the first to know when your flight is delayed or cancelled, and the app will even go one step further and help you book an alternative flight. If paperwork is not your friend, save your itinerary into Flight Track and use it to send your travel details to friends and family.
XE Currency
Simple and effective, XE Currency can convert every world currency while on the go. You’ll use it mostly to calculate your dollars to pounds, yen or any other currency you might need. It also keeps a history of currency charts.
Translator
Those travelling through countries where English isn’t the dominant language will find Translator very helpful. How many times have you had to thumb through your translation book to find the right sentence? All this app requires you to do is pick which language you’re translating to and type in what you’d like to say. It’s also pretty entertaining when you’re whiling away the hours on a long flight.
Urban Spoon
Just like its online counterpart, Urban Spoon gives you the lowdown on restaurants from around the world. You can locate fine dining according to suburb, types of food served, how pricey the restaurant is and whether it does anything special like happy hour or live music. To make sure you’re well informed, Urban Spoon also delivers all the necessary details, including opening hours, menus, photos of the interior and customer reviews.
Off Exploring
This website is a travel blogger’s dream and now it is available on your iPhone. The free online blogging app allows you to log your experiences as they’re happening – even if you don’t have an Internet connection. Take your friends and family on your trip with you by sharing what you’re up to and photos you’ve taken. You can also map out your travels by geo-tagging your location as you complete your blog for the day.
Off Maps 2
Navigating a foreign country can be tricky at the best of times. It’s even harder when you can’t rely on an Internet connection. This is where Off Maps 2 shines. So long as you download all the maps you might need on your travels while you’ve still got an Internet connection, you’ll stay well informed. As you travel, the map will locate points of interest and give you detailed information. Better yet, you’ll get all of this important information without the data roaming charges.
The TIO is receiving up to 20 complaints a week from small businesses who say they were misled about, or did not fully understand, the nature and operation of equipment leases bundled with telecommunication deals when they signed up to them. “Small businesses are telling us they are being approached by a sales person who offers a contract for call costs at the same price or less than what they are currently paying. They also say they were offered a handset, plasma TV, laptop or even an overseas holiday at ‘no extra cost’,”
Deputy Ombudsman Simon Cleary said. “What small businesses sometimes don’t fully appreciate is that they are signing two separate contracts: one for the phone calls with a telecommunications service provider and the second being a lease of the equipment from a finance company." “The two contracts are inter-related, with monthly lease payments often being offset by ‘credits’ on the phone bill from the telecommunications service provider. The size of these credits is similar to the monthly lease payments for the finance contract and the sales person will often ask to see a past telephone account for the purpose of calculating the credits. “However, small businesses say that their call rates subsequently increase and the package proves to be more expensive than their previous arrangement. Importantly, if the business then transfers to another phone company, the small business will still be bound by the finance company lease but without receiving the credits. “And far from being free, the equipment can prove to be quite expensive if the business ends up paying just the finance lease. We have received complaints of standard model laptops leased over a five-year period costing up to $20,000 in lease payments.”
Mr Cleary said that while the dual contract arrangement might meet the needs of many businesses the TIO was concerned by the number of complaints from small businesses who said they had been misled and then found themselves locked into expensive equipment leases. The TIO can make binding rulings to direct service providers to release a small business or consumer from a telecommunications contract, but has no similar power over a finance company and their leases. Given the number of similar complaints received by the TIO, the TIO warns small businesses who might be offered equipment leases bundled with telecommunication deals to take extreme care before signing contracts. In particular, small businesses should ask:
- Who are the parties involved in the deal? Are commissions paid as part of the deal, and to whom?
- How many contracts does the deal involve? Is it just one contract with one company or are they separate contracts?
- Exactly what services are being offered by the phone company?
- If “credits” are being offered to offset the lease payments, how much are the credits and are there any limitations on when they are paid?
- Is there a lease? If so, what are the monthly lease payments, and how long is the lease for?
- What happens if the telecommunications contract ends? Is the business still bound by the lease?
- What is the total cost of the deal over the term of the contracts? Does it actually work out to be cheaper than the small business’s existing telecommunications arrangements?
Oracle Telecom does not engage in phone plan or equipment contracts like those mentioned above. Oracle Telecom has a strict policy not to interact with service providers who conduct misleading plans.
Disgruntled customers often make at least five attempts to have complaints resolved by their phone companies, and most spend hours trying to sort out problems before giving up, a report has revealed. The Telecommunications Industry Ombudsman surveyed more than 500 consumers who lodged complaints with his office and discovered customers are increasingly making repeated and time-consuming contacts with the companies. Most customers surveyed said they spent at least three hours unsuccessfully trying to resolve their complaint before going to the ombudsman. Twenty per cent said they spent more than nine hours trying to sort out a complaint. The most common reasons for complaining to the ombudsman were that no solution was offered by the service provider (39 per cent) or a promise to resolve the complaint was not kept (39 per cent). Half of those surveyed reported being directed to three different departments within their phone company. The report shows there has been a small decrease in the number of complaints lodged with the ombudsman’s office. The ombudsman, Simon Cohen, said customers appeared to be extremely resilient given what they had to deal with. “Consumers seemed to get the run around when they try and make a complaint,” Mr Cohen said.
Alexandra Smith - Consumer Affairs