Up to 5 million Android handsets infected with information-stealing bot

Symantec has released a report detailing a new variant of a trojan which may have infected up to 5 million Android handsets.
Android.Counterclank is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.
The combined download figures of all the malicious apps indicate that Android.Counterclank has the highest distribution of any malware identified so far this year. With 250 million Android handsets activated, it appears a significant percentage of Android users are suffering the effects of malware downloaded directly from the Android Marketplace, a problem which has only continued to escalate: Juniper Networks says Android malware is increasing at a rate of 1,320% per year.
While Windows Phone has not been free of its own issues, it is by design much, much less of a wild west than the Android ecosystem. Feeling secure when you download apps is definitely a clear reason to choose Windows Phone over Android.
Did the 8107 update also fix the Windows Phone SMS vulnerability?

When the news of the 8107 update for Windows Phone 7 appeared I was pretty excited about a solution for the disappearing keyboard problem.
Now, however, Chris Walshie has found that there may be a much more significant fix included with the update: the package also contains patches for the SMS module and contacts in the Windows Phone 7 OS. Windows Phone 7 was recently revealed to be vulnerable to a messaging bug in which a specially crafted message, sent via SMS or via Windows Live Messenger/Facebook, could reboot the phone and then deny further access to the Messaging hub. The only fix was a hard reset, which loses SMS messages and other app data that could not be backed up.
While this is no proof (I guess we will have to wait for either Microsoft or the developer of the DoS hack to verify this) I can't imagine Microsoft releasing an OS update without fixing this serious issue first.
Update: Tom Warren has directly confirmed that it does not fix the issue. I guess we are due another one soon then?
Microsoft Found Cause For Messaging Bug, Testing Fix

Microsoft apparently found the root cause of the messaging bug and is currently testing a fix.
Two weeks ago, WinRumors revealed the bug, which would crash the device and kill the messaging app upon receiving a special text message, and contacted Microsoft with the details, including the specific text, which otherwise has not been published.
Now Microsoft apparently contacted Khaled Salameh, who originally found the bug. He tweeted that Microsoft’s security team “confirmed the WP7 SMS Bug and found the root cause, a fix is currently under testing”.
However, it should be noted that this bug seems to be common across a wide range of Microsoft products using its Silverlight/WPF framework, which includes Windows Phone but also desktop applications such as Windows Live Messenger, Visual Studio and Blend, according to Salameh. He says Microsoft is still investigating this issue.
Microsoft confirms Windows Phone Messaging killing bug
Tom Warren from Winrumors revealed (pretty irresponsibly, we feel) that Windows Phone 7 has an SMS bug that would allow specially formatted messages (be they from Facebook, SMS or Windows Live) to reboot devices and then cause the Messaging system to lock up permanently, requiring a hard reset to fix.
This would of course be a pretty good denial of service attack on a user, and given that it can come from an SMS message, it could originate from people completely unknown to you.
Microsoft has now confirmed the bug and promised to work to fix it, with Greg Sullivan, Senior product manager for the Windows Phone division telling the Verge:
“We are aware of the issue and our engineering teams are examining it now. Once we have more details, we will take appropriate action to help ensure customers are protected.”
The last time Microsoft had to send out a security update it was for the browser certificate security vulnerability, which was pushed out several months after the vulnerability was patched on the desktop. Let's hope Microsoft proves more nimble on this occasion.
Source: theVerge.com
Joe Belfiore confirms no CarrierIQ on Windows Phone

When we posted about CarrierIQ this morning we were a bit guarded about crowing that the spyware is not present on Windows Phone 7 (unlike iPhone, Android and BlackBerry), but Joe Belfiore has now confirmed that Windows Phone 7 handsets are completely unencumbered by the keylogging software, meaning that if you want a secure phone, there is one more reason to jump to Windows Phone.
CarrierIQ spyware now found on iOS, Android, Blackberry and Symbian – only Windows Phone not implicated so far
We don’t know if it’s simply due to not having been investigated yet, but so far only Windows Phone 7 appears not to be infected with the Carrier IQ software, which is installed not just on millions of Android and BlackBerry devices but also on iOS, so far thought to be immune due to Apple’s supervision.
It is interesting however that, once Apple became involved, the tone of the conversation suddenly changed, with chpwn, who found the software on iOS noting:
It appears that if you really care about this, Windows Phone 7 is the only mobile operating system without this installed. ;P However, I think the blame here really belongs with the US carriers who obviously demanded this: personally, I am completely fine with this data being sent off (especially if it helps AT&T’s network improve), but I would definitely prefer if it was more transparent — even if you can disable it with that toggle, Apple only explains that it “might contain location data”.
CarrierIQ is likely a carrier requirement, but no-one likes being spied on, and so far, as far as we know, the only platform free of this scourge, which is installed on 142 million devices, is Windows Phone 7.
Users on other platforms are free to switch – I hear AT&T have some pretty good deals these days.
Windows Phone 7 browser exploit demoed
Alex Plaskett from MWR Labs has demoed a browser exploit in the pre-Mango Internet Explorer which, in combination with vulnerable code in HTC’s drivers, can result in full kernel-mode access. That access could be used to install rootkits, eavesdrop on a user or, of course, jailbreak the device.
Interestingly, the browser vulnerability on its own still does not allow full access to the OS, as the browser runs with least privilege, hence the requirement for the second vulnerability.
The hack also had to defeat Address Space Layout Randomization and eXecute Never protections.
The Mango update fixes the vulnerability and makes it more difficult to find new ones, but of course no platform is ever 100% secure. However, MWR Labs lay a lot of the blame on OEM code, which they note has many more exploits than Microsoft’s native code. This problem did not go away with Mango.
Alex recently presented the hack at Microsoft’s BlueHat Redmond Security Brief and I am sure Microsoft is already hard at work making the OS more secure, as their recent job postings suggest.
Microsoft wants Windows Phone to be “the most secure phone the market has ever seen.”
In a recent job posting Microsoft has made its intention to secure Windows Phone very clear.
The company is looking for a software Development Engineer in Test to engage in “cutting edge fuzzing technology, pentesting, and other security tools to help us ship the most secure phone the market has ever seen.”
Windows Phone 7 has so far not really had any significant testing of its sandbox, and truth be told hackers have managed to work around most of the lockdown features Microsoft has implemented so far (e.g. the ability to jailbreak and sideload apps). The platform likely benefits largely from receiving less attention, so this move is certainly welcome.
We however hope it also includes a focus on enterprise security and features like full device encryption, which are there more to reassure corporations than keep hackers out, but which are essential for enterprise adoption of Windows Phone 7.
Is Microsoft failing to police Marketplace?

A rash of NES Emulator games recently managed to make it into Marketplace, with the games, which remain subject to copyright, being sold for considerable amounts of money, even when they did not have proper controls or even working sound.
Emulators have of course always been banned in Marketplace, but of course the “developer” Jesse Dudley never advertised it as such.
Microsoft is currently in the process of removing these apps from Marketplace, but it does raise questions regarding the scrutiny apps receive before going live in Marketplace. While, due to sandboxing, the damage rogue apps can do is limited on Windows Phone 7, apps could still very easily steal private information from users, including their address book, location and user ID.
The security of users remains crucially dependent on how much effort Microsoft puts into policing Marketplace, and the rash of spam apps seen recently suggests Microsoft could do a lot better.
Windows Phone 7 security attacks to be discussed at Deepsec
While we know Android is riddled like Swiss cheese with security exploits, Windows Phone 7, except for the jailbreaking scene, has been left more or less alone.
At Deepsec in Vienna security researchers will be discussing methods to attack OS security in Windows Phone 7 by exploiting the special privileges OEM applications have.
They write:
The talk will aim to provide an introduction into the Windows Phone 7 (WP7) security model to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices.
The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.
A number of OEM manufacturer weaknesses, “features?” will be discussed and a demonstration of how these “features” can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model and also demonstrate how targeted attacks can be made which leverage this OEM “functionality” to compromise sensitive information.
We already know the jailbreaking community is using the same route via Microsoft.Phone.InteropServices, a hole which Microsoft is already trying to close. However, while Microsoft gives OEMs special privileges, the platform’s security will only be as good as those OEMs’ implementation.
Read more about Deepsec here.
Via TamsPPC
Windows Phone does transmit location data without authorization
Microsoft is currently being sued for tracking users using Windows Phone 7 handsets without authorization. The claim was supported using packet traces by an independent security researcher.
Microsoft denied the allegations, but now Rafael Rivera from Within Windows has been able to replicate the findings, showing that Windows Phone 7 does ping Microsoft’s servers to establish the location of a handset using surrounding Wi-Fi access points before the user has granted permission.
While this is of course pretty convenient, it is against Microsoft’s own guidelines to developers, which say “Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information.”
The case, being brought in U.S. District Court, Western District of Washington by Rebecca Cousineau, is of course seeking class action status, but I wonder if enough Windows Phone 7 users would be perturbed enough to join her in the suit.
In the meantime I suspect Microsoft already has an emergency patch in the works to fix the breach.
Read more at Within Windows here.
Via Winrumors.com
Chrome to WP7 has less than ideal security
Chrome to WP7 is a handy app which lets one send links from the desktop to one’s Windows Phone 7 handset using an intermediate server.
The app is by Dave Amenta and the service is provided free of charge.
Martani Fakhrou however has a complaint about the security model of the app, which relies on an obfuscated device ID.
He writes:
While Google Chrome to Phone uses OAuth to authenticate users along with their Google accounts, Send to WP7 generates a 6-character hex number which is calculated from a random GUID generated when the app is started for the first time. This code is then used by the extension to send data back to the daveamenta.com server, waiting to be served when the WP7 client fetches the updates.
Since there is absolutely no validation process on the server, and the design of the app makes it impossible to verify who is sending to whom, depending only on the randomly generated code, abusing this app is just like taking a walk on the shore.
In short an attacker would just send messages to random IDs on Dave’s server, record the ones that belong to real people and could then spam them all day long.
Of course in reality no real attacker would waste their time searching the over 16777216 different available codes to spam a small subset of the already small Windows Phone 7 population that has the app installed, but Martani notes that Google’s Chrome to Phone uses OAuth to authenticate users along with their Google accounts, and suggests Dave might want to tighten up his security.
Read more at Martani.net here.
Update: Dave Amenta, the developer of Send to WP7 (previously Chrome to WP7), has given us a statement denying that there is any real security issue. He notes:
The attack posed here would not have been successful after scanning approximately 250 pair codes, which wouldn’t have exposed a single user. Furthermore, upon finding out about the suggested attack, I tightened security further to ensure that there is absolutely no information leak, even if someone were to distribute this attack across many computers. Using pair codes is a feature, to avoid harvesting “account information” like so many apps prefer to do. I’m confident that this security model is sufficient for this class of application today.
If you are reassured, as we are, Send to WP7 is a great utility which can be found at Dave’s site here.
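As an added illustration (not code from the post, from Martani or from Send to WP7), the weak relay design Martani describes beside a hardened variant modelled on the lockout in Dave's statement. The relay classes, the per-caller identifier and treating the roughly 250-code figure as a per-caller miss limit are all assumptions.

```python
from collections import defaultdict

# Constructed model of the pairing-code relay described above: the phone
# derives a 6-hex-char code from a random GUID, the browser extension posts
# links to that code, and the phone fetches them later. Hypothetical
# simplification for illustration, not Dave Amenta's actual server code.
PAIR_CODE_HEX_CHARS = 6
KEYSPACE = 16 ** PAIR_CODE_HEX_CHARS  # 16,777,216 possible codes

def expected_probes_to_first_hit(registered_devices):
    # Random guesses expected before one lands on a registered code:
    # about keyspace / registered devices (sampling with replacement).
    return KEYSPACE / registered_devices

class NaiveRelay:
    """Weak design: anyone may post to any code, and the reply reveals
    whether that code belongs to a registered phone (a validity oracle)."""
    def __init__(self):
        self.queues = defaultdict(list)
        self.registered = set()

    def register(self, code):
        self.registered.add(code)

    def push(self, caller, code, url):
        if code in self.registered:
            self.queues[code].append(url)
            return True  # distinguishable reply: leaks which codes are real
        return False

class HardenedRelay(NaiveRelay):
    """Mitigation in the spirit of the developer's statement: a caller that
    posts to too many unregistered codes is cut off, and every push gets
    the same reply, so a real code cannot be told apart from an unused one."""
    def __init__(self, max_misses=250):
        super().__init__()
        self.max_misses = max_misses
        self.misses = defaultdict(int)
        self.blocked = set()

    def push(self, caller, code, url):
        if caller not in self.blocked:
            if code in self.registered:
                self.queues[code].append(url)
            else:
                self.misses[caller] += 1
                if self.misses[caller] >= self.max_misses:
                    self.blocked.add(caller)
        return None  # uniform reply: no oracle
```

A per-caller limit alone does not stop a probe spread across many callers, which is why Dave's statement mentions tightening further; binding the relay to an authenticated account, as Chrome to Phone does with OAuth, removes the guessable code as the sole secret.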
Android root exploit remains unpatched for months
The Register reports that two serious security vulnerabilities in Android have remained unpatched for more than a month; they allow apps to be installed without permission and also let apps escape from the Android sandbox and do pretty much whatever they want.
“The Android Market ecosystem continues to be a ripe area for bugs,” said security researcher Jon Oberheide in an email. “There are some complex interactions between the device and Google’s Market servers which has only been made more complex and dangerous by the Android Web Market.”
The Register notes that Google has been slow in updating Android, and also that even when Google does release updates, handsets are slow to receive them, leaving many users vulnerable to old exploits.
On Android, exploits are more than theoretical; they are in fact found in the wild often, stealing not just private data but also costing users large amounts of money in premium phone calls.
The Windows Phone 7 Marketplace aims to provide better security and a more coherent update story, keeping Windows Phone 7 users safer than on Android.
Read more at The Register here.