hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015Top Android malware families in 2014As expected, the majority of Android malware discovered in 2014 was found outside of theGoogle Play market, although there are instances in which malware was placed on Google Playby maliciously created developer accounts. The biggest family, similar to the situation withWindows platform, is Agent, which is a standard name reserved by anti-malware companiesfor malware that cannot be classified with high certainty into any well-known family. Agent isfollowed by some of the usual suspects—for example, Opfake and Boxer, two related familiesoriginating and mostly targeting users in the Russian Federation and neighboring countries.However, it is the families that are not seen in most top 10 Android malware family lists thathave caught our attention, because they follow successful patterns previously seen andfrequently used in Windows malware.Figure 14. Top Android malware families in 2014, as detected by ReversingLabs64%10%6%5%5%2%2%2%2%1%1%AgentStealerFakeinstSmsagentMsegOpfakeSmsregBoxerSmssendGinmasterOtherNotable Android malware in 2014Although some of the methods featured here will not appear sophisticated compared to themethods used by Windows-based malware, most of them are new to Android, especiallyconsidering the fact that the first Android malware was only discovered a few years ago.RansomwareThis year we have seen our first purposefully made ransomware samples, with functionalitythat prevented the users of infected devices from working. This was usually achieved by acombination of social engineering techniques used to convince the user to allow a malicious appto obtain device admin privilege (which is different from the user privileges granted to apps bythe underlying Linux kernel) and interception of various system events that prevented the userfrom launching any other app or terminating the malware.The first ransomware, which belongs to the Android.Trojan.Tlock family, was discovered in Apriland contained basic functionality for locking the screen and preventing the user from navigatingaway from it. The app purported to be a free anti-malware app by Norton, but after presenting afake anti-malware user interface, it displayed a warning that appeared to come from the FBI.This technique is consistent with techniques used by some of the desktop-based malwarefamilies, such as Reveton or BrowserLock. The Tlock family evolved over time and reached fullransomware functionality that included allowing the user to unlock the device by entering avalid MoneyPak voucher number into the application UI.36
HP Security Research | Cyber Risk Report 2015Tlock was not the only Android ransomware family in 2014. New families also included Kolerand Simplelocker. Simplelocker was written for the Russian and Ukrainian markets andattempted to encrypt some file types on the external memory card using the AES encryptionalgorithm with a hard-coded phrase to initialize the algorithm, which allowed for easyrecovery of encrypted data. In addition to that, Simplelocker uses the TOR .onion domain forcommunications to its command-and-control (C&C) center, which makes it the first Androidmalware to actively use TOR.One of the mitigation factors for apps attempting to encrypt documents is Google’s introductionof constraints for accessing apps on the external memory card in Android 4.4 (KitKat). The newaccess permissions prevent third-party apps from writing outside their own directory, similarto how a sandbox prevents apps from accessing another application’s data on the main internalmemory card.However, even without the ability to encrypt documents, Android ransomware has the potentialto prevent users from accessing their devices, simply by employing screen-locking techniques.This chart shows an increase in the number of Android ransomware samples discoveredmonthly from the moment in April when the first Android ransomware was discovered.Figure 15. Number of Android ransomware samples discovered per month by ReversingLabs ; note January-March absence200150High183100500Low0Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov37
Page 1 and 2: BrochureHP SecurityResearchCyber Ri
Page 3 and 4: HP Security Research | Cyber Risk R
Page 35: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R

hp-security-research-cyber-risk-report-pdf-2-w-1408

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?