ExpensiveWall Affects Millions

Google has been battling malicious apps throughout the year, most recently malware was packed in an app called “Lovely Wallpaper”. This new strain of malware was titled “ExpensiveWall”, and hid in the wallpaper application while stealthily racking up premium SMS fees. It further propagates by sending out text messages on your behalf, inviting others to download the same compromised app.

The malware was compressed and encrypted within an SDK used by roughly 50 different apps without being detected by Google. It is still undetermined how much money was actually generated from this SMS scam.

How it Works

ExpensiveWall uses JavaScript along with the enhanced permissions on the infected device to orchestrate the attack. It creates an interactive interface between the app downloaded and a web interface called WebView. This action allows the malware to run in-app controls through this WebView interface including but not limited to sending SMS messages and registering the user devices to premium paid services without notice. The only way for this malware to work is if the user allows full SMS control and communication to its command and control server. This communication will send data about the infected device including IP address, MAC address and Geolocation data.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe. This app is clear cut proof to that effect. Below are some things that should throw up red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Accessing GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.

How to stay off the list of Top Breaches 2013

An example of theft. Someone took everything e...
An example of theft. Someone took everything except for the front wheel. (Photo credit: Wikipedia)

As the saying goes there is always something to be learned from every success
and failure, what we can take away from the top breaches of 2012 is a
list of what to do to avoid similar breaches and ensure you’re not on the list
for 2013.
Below is a list of what we felt were the most significant:

  1. Segment and divide your networks. Don’t
    have the prisoners on the same network as the guards. Related breach: New
    Hampshire Department of Corrections prisoners accessed guard’s database.
  2. When you have a database make sure you watch who is accessing, what they
    are accessing and from where they are accessing. Related breach: New York State Electric & Gas
    Co. had 1.8 million files exposed due to unauthorized access by contractor.  
  3. Create alerts for large amounts of data being moved. Related breach:
    South Carolina Health and Human Services had employee steal the records of about
    228,000 people by emailing it to himself. 
  4. Use a trusted, private corporate courier for sensitive data. Related breach: California Department of Social Services microfiche damaged after sent
    through U.S. Postal Service. 
  5. Limit access to and storage/transfer of large amounts of data and only
    to non-mobile devices. Related breach: NASA laptop stolen with thousands of
    employee’s personally identifiable information. 
  6. All reports that are to be made public should be vetted by senior or
    security staff for sign off ensuring the report doesn’t contain any sensitive
    information. Related breach: Wisconsin Department of Revenue staff members
    posts report with sensitive material on website with public access. 
  7. When making major changes with data storage include a security
    assessment: Does your new set up meet the standards of the old system? It
    should exceed the old not be a step back. Apply same security if not more to
    backup information as for primary source. Related breach: California Department
    of Child Support Services lost more than 800,000 sensitive records on backup
    tape when shipped by FedEx and files fell off truck. 
  8. Update employee awareness and training. Related breach: University of
    North Carolina-Charlotte exposed 350,000 personal data files “accidentally made
    available for three months.”  
  9. Sensitive data should be encrypted in case it is hacked. Related breach:
    Zappos had their network hacked but hackers couldn’t use information because it
    was encrypted. 
  10. Protect
    your network against SQL injection attack by working with best practices. Related breach: United States Navy & DHS website was hacked by Blind SQL injection

eSecurityPlanet offers a comprehensive article that outlines four methods to prevent a SQL
injection attack.  

  • Filter user data for context, such as email addresses should be filtered
    to allow only the characters allowed in email address
  • Use a web application firewall
  • Limit database privileges by context by creating multiple database user
  • Use
    SQL variable binding with prepared statements or stored procedures

What are you adding to your check list?

Editorial comment: We’ve received feedback about point #10 not being relevant as it is a known fact and not a needed reminder. Excellent point, unfortunately that isn’t what we saw when we reviewed the lists of top breaches for 2012. On one list of top ten, two of the breaches were caused by SQL injection. 

Related articles

Enhanced by Zemanta