justice4all writes “Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. ‘While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,’ Cannon wrote. ‘It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.’” Sophos’s Chester Wisniewski adds commentary on how this situation is one of the downsides to Android’s increasing fragmentation in the mobile marketplace.

Read more of this story at Slashdot.

Link to the original site

CWmike writes “A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google’s Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith’s attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. ‘We’re aware of an issue in WebKit that could potentially impact only old versions of the Android browser,’ Google spokesman Jay Nancarrow confirmed in an e-mail. ‘The issue does not affect Android 2.2 or later versions.’ Version 2.2 runs on 36.2 percent of Android phones, Google says”

Read more of this story at Slashdot.

Link to the original site

wisebabo writes “A wallpaper utility (that presents purloined copyrighted material) ‘quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.’”

Read more of this story at Slashdot.

Link to the original site

alphadogg writes “Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious ‘rootkit’ program they’ve written for Google’s Android phone next month at the Defcon hacking conference in Las Vegas. Once it’s installed on the Android phone, the rootkit can be activated via a phone call or SMS message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. ‘You call the phone, the phone doesn’t ring, and when the phone realizes that it’s being called by an attacker’s phone number, it sends him back a shell [program],’ said Christian Papathanasiou, a security consultant with Chicago’s Trustwave, the company that did the research.”

Read more of this story at Slashdot.

Link to the original site

By Tim Conneally, Betanews

Security researchers at Kaspersky Lab announced the first malware for the Android operating system to be classified as a Trojan-SMS, the most widespread type of malware on mobile phones.

The malware is disguised as a media player application with the standard Android .APK file extension. When the 13KB file is installed, the mobile device will start to send SMS messages to premium numbers which incur charges on the user’s account.

Because Android is growing at such an explosive rate, and users are storing an increasing amount of important data on their mobile phones, the platform is an attractive one for renegade application makers.

“We can expect to see a corresponding rise in the amount of malware targeting [Android],” Denis Maslennikov, Mobile Research Group Manager at Kaspersky Lab said in a blog posting Monday. “Kaspersky Lab is actively developing technologies and solutions to protect this operating system and plans to release Kaspersky Mobile Security for Android in early 2011.”

The company has profiled the malware as “Trojan-SMS.AndroidOS.FakePlayer.a”

Copyright Betanews, Inc. 2010

Link to the original site