malware in your pocket

You're going to need a better pocket protector than this...

2011 is looking to be the year when mobile malware comes into its own.  Why?  First off, the devices we carry in our pockets are morphing from phones to true computers.  They can run sophisticated software, and multitask, allowing evil code to lurk in the background and do its dirty work.  Secondly, our phones are increasingly becoming repositories of interesting and valuable information.  Mobile payment applications such as Square and even Starbucks’ “pay for your coffee” app mean that there’s gold in them thar phones for attackers.

Researchers in Hong Kong and Indiana have provided us with a preview of things to come with their Soundminer proof of concept app for Android.  Soundminer and its companion app, Deliverer, listen for spoken or touch toned credit card numbers during phone calls.  The recordings are converted into typed numbers and then delivered (by Deliverer) to the central control server.  This is pretty sophisticated stuff.  Converting the recordings to text on the phone is a neat trick – and the authors found a really clever way to get around Android’s restrictions on sharing information between apps.  Both of the apps require fewer privileges than many legitimate Marketplace apps.  You can read more about this project and see a video demo here.

While Soundminer is a proof of concept, there have been some instances of mobile malware found in the wild.  Another Android trojan called Geinimi appeared on Chinese app stores in 2010.  Geinimi is meant to be packaged with legitimate applications.  Geinimi appears to be able to send information about SMS messages and contacts to a remote server, make phone calls and download files, according to an analysis conducted by Lookout, a purveyor of anti-malware software for Android phones.

I think that over the next year, having an antimalware program on your phone or tablet will be the status quo… Lookout seems to be the market leader in the Android world at the moment, but industry leaders Norton and McAfee have both released Android apps as well.  I have a feeling that this is going to be a profitable market segment – and the source of security woes for many smartphone users.


bus-ted

Back in May, I wrote about the Commonwealth of Massachusetts’ kick ass new data protection law, which looked like it could really encourage companies doing business in the state to pay more attention to the security of customer information.  Well, since the law’s passage, there has not been any enforcement action in connection with it, and the MA Attorney General has not issued any guidance for companies as to how to comply with the law’s provisions.  This may be about to change, however, thanks to a recently reported breach of the credit card numbers and personal information of 1800 MA residents (amongst a total of 110,000 records stolen) resulting from a hack of the web server of New York City based CitySights (a tour bus operator).  I really hope that MA throws the proverbial book at these guys.  For one thing, they violated both PCI standards and common sense by storing credit card CVV2 codes with the associated credit card numbers.  More importantly, they consistently mistake me for a tourist as I walk around midtown and try to sell me tour bus tickets.  Do I look like a freakin tourist???


score one for paranoia and just plain common sense

OK - who was our 7th grade teacher, punk?

Here is a story to warm the hearts of even the most cynical infosec professional… When Tracy got an unexpected Facebook chat from a classmate she had not spoken to in the last 30 years asking her to take a survey, she got suspicious and quizzed the “classmate” about some events in their common past.  When the “classmate” couldn’t answer and abruptly dropped the connection, Tracy knew that her intuition saved her from an attempted scam.  I wish all users were as on the ball as Tracy!  Read the story at Sophos’ (excellent) Naked Security blog.
