
UNCLASSIFIED

FBI EMERGING CYBER TECHNOLOGY INTELLIGENCE UNIT

Emerging Threats & Technologies


VOLUME 2, ISSUE 10    SEPTEMBER/OCTOBER 2012

Proof-of-Concept Android Malware Allows Researchers to Create 3D Maps of a Home


INSIDE THIS ISSUE:
Proof-of-Concept Android Malware Allows Researchers to Create 3D Maps of a Home .......... 1
Android Vulnerability Could Lead to Malicious Remote Wipe of User Data .......... 1
Zero-Day Attacks are More Common and Last Longer, Say Security Researchers .......... 2
Malware Authors Using Image Search Engine Poisoning to Infect Computers .......... 2

Researchers have recently demonstrated the capability for smartphone malware to use the various sensors in devices to steal information from a physical environment, such as malware that can listen for spoken credit card numbers or feel for patterns in keystroke recognition. Researchers at Indiana University and the US Naval Surface Warfare Center have developed a proof-of-concept malware that is able to see the space around the phone and re-create a three-dimensional map of a room through use of the camera. Called PlaceRaider by the researchers, this malware is able to hijack the camera on Android smartphones and take pictures of the space around the phone. The researchers only introduced this to the Android phone, but expected that the results would be similar on other mobile operating systems. As pictures are taken, the malware sends the images to a command and control server, where the cyber actor would be able to model a map of the area as well as view and manipulate the various images. The images they captured were high definition, and allowed the researchers to focus and zoom in on areas they needed, but they were able to demonstrate that lower resolution photographs could give enough detail to successfully steal information.

Using a detailed attack scenario, the researchers were able to use the malware to find several pieces of personally identifiable information in a constructed test area, such as a calendar describing plans and events, a bank account number on a personal check, and other such information. Taking control of certain permissions on the phone, they could silence the shutter sound of the camera and obtain accelerometer data that could detect the phone's orientation and location within an environment. Though merely a proof-of-concept, the researchers demonstrated the possibility that a camera-equipped smartphone could be exploited to obtain personally identifiable information, bank account information, or corporate secrets. The researchers suggested defenses that Android or smartphone developers could implement to protect against this kind of malware, but noted that any corporation could prevent unwarranted data theft by maintaining policies against possession of camera-containing devices, and that personal discipline by smartphone owners could keep their devices free of malware.

Android Vulnerability Could Lead to Malicious Remote Wipe of User Data


Security researchers recently highlighted a new vulnerability in some Android operating systems that could lead to users unintentionally wiping their mobile device of all data by simply clicking on a malicious link or scanning a bar code or quick response (QR) code. The specific flaw affects mainly Samsung devices and involves the malicious use of special codes that a user can type into the phone dialer on their device for troubleshooting with the carrier. (For example, the code *#06# can be typed into some phones to display the phone's unique identifier for troubleshooting purposes.) In a typical scenario, the user could visit any web site with the reset/wipe code embedded on the page, and that code could execute without any interaction with the victim and begin wiping the device. Once the wiping process has begun, there is no way for the user to halt the process. The specific vulnerability was patched in Android's core code earlier in 2012, but the patch was not rolled out to every handset in use. The most recent version of the Android operating system (4.1, named Jelly Bean) is the only version that is not vulnerable, according to open source researchers. The delay between the initial patch of the vulnerability and its deployment to all handsets illustrates the larger issue that while developers are routinely finding these flaws, it is unknown if and how the end devices are being patched of these known vulnerabilities.
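Added example, not from the newsletter or the researchers it cites: a small Python scanner that a web proxy or page-inspection tool could run to flag pages that embed dialer (tel:) URIs whose target is an MMI/USSD-style service code rather than a phone number, which is the kind of page the article describes. It assumes the embedding happens through tel: links, frames, or meta refreshes (the article does not name the mechanism); the sample page is constructed and uses only the *#06# identifier code quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# MMI/USSD-style dialer strings begin with * or #, contain only digits, * and #,
# and end with #. A real phone number never matches this shape.
MMI_RE = re.compile(r"^[*#][0-9*#]*#$")


def is_mmi_code(uri: str) -> bool:
    """True if a tel: URI's (percent-decoded) target is a service code, not a number."""
    if not uri.lower().startswith("tel:"):
        return False
    target = unquote(uri[4:]).strip()
    return bool(MMI_RE.match(target))


class DialerLinkScanner(HTMLParser):
    """Collects tel: URIs from attributes a browser may follow or load automatically."""
    URI_ATTRS = {"href", "src", "content", "data"}  # anchor, frame, meta refresh, object

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, decoded URI)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in self.URI_ATTRS:
                continue
            uri = value
            if name == "content":  # <meta http-equiv="refresh" content="0;url=...">
                m = re.search(r"url\s*=\s*(.+)$", value, re.I)
                uri = m.group(1).strip().strip("'\"") if m else ""
            if is_mmi_code(uri):
                self.findings.append((tag, name, unquote(uri)))


def scan_html(html: str):
    parser = DialerLinkScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample: one benign phone link, then the same service code embedded
# three ways, twice with percent-encoding that hides the * and # characters.
SAMPLE = """<html><body>
<a href="tel:+12025551234">Call support</a>
<a href="tel:*%2306%23">Check your phone</a>
<iframe src="tel:*#06#" style="display:none"></iframe>
<meta http-equiv="refresh" content="0;url=tel:%2A%2306%23">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, uri in scan_html(SAMPLE):
        print(f"flagged <{tag} {attr}> -> {uri}")
```

The benign tel: link is not reported; the three service-code embeddings are, regardless of encoding.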


Zero-Day Attacks are More Common and Last Longer, Say Security Researchers
According to security researchers from antivirus and computer security company Symantec, computer attacks targeting undisclosed vulnerabilities (called zero-days) are more common and last longer than originally thought. This comes from a study tracking the number and duration of zero-day attacks over a three-year period from 2008 to 2011. These attacks typically exploit software flaws prior to their official public disclosure. According to the study, the average attack lasts 312 days, and some have lasted over two and a half years. Eleven of the 18 attacks they studied went undetected by antivirus software. The study also showed that over 60% of the zero-day vulnerabilities identified were not known before, suggesting that many more zero-day attacks (perhaps more than twice as many) exist in the wild. The research found that most zero-day attacks were reserved for high-value targets. Stuxnet, the malware that sabotaged Iranian nuclear centrifuges, and Conficker, a virulent worm that infected multiple computers (and still does) in order to drop hosted malware, both exploited previously unknown software vulnerabilities. The research was, however, incomplete, as certain kinds of attacks (cross-site scripting, polymorphic malware, and attacks embedded in non-executable files) could not be tracked. This suggests that the number of zero-day attacks researched is only a small fraction of those that were actually detected.

One surprising note was that upon the exploits becoming public knowledge, the number of attacks grew by margins of two-fold to 100,000-fold, and the number of attack variants also increased, from 185 to 85,000 more variants. A possible cause of the surge is that the exploits may have been repackaged in other attacks, or that the malware authors tried to infect as many computers as possible before the malware was added to antivirus detection. Although zero-day attacks are difficult to detect, and are usually performed when antivirus updates and software patches are not scheduled for release, it is important that as soon as a patch or update is released to block the malware, it be rolled out to all computers on the network.

Symantec studied 18 zero-day attacks between 2008 and 2011 and discovered: the average attack lasted 312 days, 60% of attacks were previously unknown, and the number of attacks and attack variants increased dramatically once the exploit became public knowledge.

Malware Authors Using Image Search Engine Poisoning to Infect Computers


Researchers for antivirus and computer security company Sophos discovered a method of black hat search engine poisoning that is more difficult to detect, and can result in more successful compromise of users' computers. The research determined that Microsoft's Bing search engine was the most affected by this poisoning, and the majority of these malicious redirects come from the results of image searches, rather than text searches. Sophos looked through the data for blocked search engine redirects that they received from their Web protection application and discovered that 65% of the malicious redirects were from Bing, and 92% of redirects came from the image search results. When a user searches for an image, Bing and Google both return a list of the different images, with file size and Web site information hidden until a user hovers over the image with their mouse. Clicking on an image will bring the user to a results Web page with a small version of the image either in a bar on top (Bing) or a splash screen in front (Google) of the Web page on which the image is located. By compromising Web sites and uploading images related to common image search terms, malicious actors are capable of poisoning image search results and infecting users' computers with malware or exploit kits. Although search engines consistently filter text search results for black hat poisoning, they are not as consistent when it comes to image searches. Furthermore, since image search results are often provided without context, a user will be more likely to click on a malicious link without knowing the Web site is compromised, according to researchers. When performing an image search, users should be careful to only click links from trusted Web sites, and maintain an updated antivirus protection service to detect malicious redirection scripts.

Black hat search engine poisoning through image searches is more difficult to detect and results in more successful compromise of users' computers.

Address Comments to: Unit Chief Emerging Technology Cyber Intelligence Unit (ETCIU) Federal Bureau of Investigation 935 Pennsylvania Ave, NW, PAT-4 Washington, DC 20535 Tel: 202-651-3139

ETCIU Mission

ETCIU identifies innovations in information technology and assesses emerging cyber threats to US interests through the malicious use of those innovations.
