Sophos downplays Android malware threat
Doesn't blend. Won't spread
Updated Android users have little reason to fear an immediate onslaught of malware despite the demonstration of a rootkit-based attack at last week's Defcon conference, according to a leading anti-virus supplier.
Researchers at Spider Labs demonstrated proof-of-concept malware that could access messages and emails on an Android smartphone.
Chester Wisniewski, a senior security advisor at Sophos who attended the presentation, was underwhelmed.
He pointed out that the demo was carried out on an already jailbroken HTC Legend. And, crucially, the researchers at Spider Labs failed to explain how end users might be at risk from malware along the lines of the proof-of-concept tool developed by the Spider Labs team. "They developed a rootkit but there's no way to install it," Wisniewski told The Reg. "No method of propagation was demonstrated."
A spokeswoman for Trustwave, parent firm of Spider Labs, explained that it was never the intention to develop a remote hack for the purposes of the demo. Even with a local hack plenty might be achieved, as evidenced by the latest iPhone jailbreak exploit.
"The focus of the talk was the implications of a kernel level rootkit on a smart phone," she explained. "They chose Android in their research because it was Open Source and they could get access to much of the phone's kernel source code off the Internet. They did NOT develop a remote exploit for propagation because that was not the focus of the research."
"Exploits that would allow malware or a rootkit to be installed are discovered all the time. Just last week, someone discovered a flaw in the iPhone PDF reader that allows a simple 'jailbreak'. With an exploit, all it would take is a rogue app armed with an exploit and a payload."
Sophos has yet to see any examples of Android malware in the wild. Two or three worms targeting jailbroken iPhone devices appeared last year but the attacks have not reappeared as carriers have learned lessons from the outbreak and applied improved security controls, such as filtering SSH connections.
The likelihood of malware migrating onto new platforms is one of the key themes of a review of the security landscape by Sophos, published on Tuesday.
Microsoft is likely to respond to the success of the iPad with the launch of its own tablet-style device. A tablet-ready version of Windows 7 is already well advanced but the technology is likely to inherit the security problems of its desktop cousins, even if Microsoft takes a "walled garden" approach to application delivery, according to Sophos.
Whether the security problems of full-blown Windows platforms will be sufficiently addressed on the new platform remains to be seen; but with the browser being based on Internet Explorer and Adobe apparently working hard on Flash integration for the new platform, malware problems seem inevitable.
The Sophos report (pdf) goes on to suggest that Linux-targeting mobile attacks are likely to increase as devices running webOS and MeeGo (Nokia’s plan for a new mobile platform) become more commonplace in the market. The point is made in passing, without any substantiation, and sits oddly with the attempts by Sophos to downplay the threat of Android-based malware.
The study also charts general trends in the mainstream (desktop) malware landscape. Sophos's global network of labs received around 60,000 new malware samples every day in the first half of 2010, an average rate of one new sample every 1.4 seconds, around the clock. In the same period last year the rate was 40,000 samples per day. By that reckoning VXers have increased production by 50 per cent. Adobe came out a close second to Microsoft as a hacker target during the first six months of 2010, according to Sophos.
Booby-trapped websites and email-borne malware, which has returned as a hacker favourite over recent months, remain security menaces to businesses. Hackers often exploit vulnerabilities in legitimate websites to plant malware on them or to redirect visitors to hacking portals. These tactics - along with the prevalence of free hosting providers in Europe that offer minimum setup times to businesses and hackers alike - resulted in France, Italy and the Netherlands all joining the top ten malware-hosting countries since the start of the year. The United States (42.29 per cent) and China (10.75 per cent) remain the top two malware-hosting menaces. ®
This story was updated to add comments from Trustwave.