This Android malware has infected 85 million devices

Discussion in 'malware problems & news' started by JRViejo, Jul 5, 2016.

  1. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,905
    Location:
    U.S.A.
     
  2. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    525
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    It is, but the reports are pretty vague on the actual mechanism of infection. "Drive by download" is an ambiguous term. What is the vulnerability?
     
  4. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    525
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    That's unhelpful. I'm already aware of the multiple definitions of "drive-by downloads."

    The definition of "drive-by download" in your 2012 link would easily be defeated by not manually installing randomly downloaded .APKs, and keeping "Unknown sources" disabled as per the defaults. That's not a problem necessitating a real-time security solution.

    When it instead means malware installing without any user intervention (i.e. through exploitation of vulnerabilities) then I want to know the specifics in order to patch or mitigate.
     
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    Looking at the Check Point descriptions from April and July:
    http://blog.checkpoint.com/2016/02/04/hummingbad-a-persistent-mobile-chain-attack/
    http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

    They gloss over the initial infection in both reports:
    After whatever causes the initial breach, the malware decrypts Right_Core.apk in order to gain root access, and if that fails then activates qs.apk to serve a fake system update notification message and to attempt additional privilege escalations. Still no clear indication how the malware (com.android.sensjm) is present and running on the system in the first place. If they don't mention it, then it's probably just a manual installation with "unknown sources" enabled.

    Alternatively, if it's anything like the Xinyinhe malware, then another option could be that it's bundled in apps (including those from Google Play): https://forums.malwarebytes.org/topic/181128-androidpupadwarexinyinhe/
     
    Last edited: Jul 6, 2016
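    An added example, not code from this thread or from Check Point: a defender-side triage script covering the two points raised above. It parses a constructed `adb shell pm list packages -f` style inventory for the com.android.sensjm package name and for the Right_Core.apk / qs.apk payload names from post 6, and it flags the pre-Oreo "Unknown sources" secure setting (`install_non_market_apps`) that post 5 says should stay disabled. The sample inventory, the "system namespace under /data/app" heuristic and the function names are my own assumptions, not something the reports describe.

```python
"""Offline triage of an Android package inventory for HummingBad-style indicators.

Inputs are constructed samples of what two adb commands would return on a
pre-Oreo device:
    adb shell pm list packages -f
    adb shell settings get secure install_non_market_apps
"""
import re

# Constructed sample of `pm list packages -f` output (path=package_name per line).
SAMPLE_PACKAGE_LIST = """\
package:/system/framework/framework-res.apk=android
package:/data/app/com.example.bank-1/base.apk=com.example.bank
package:/data/app/com.android.sensjm-1/base.apk=com.android.sensjm
package:/data/app/com.example.game-2/base.apk=com.example.game
"""

# Constructed: the secure setting returned "1", i.e. sideloading ("Unknown
# sources") is enabled. Assumption: pre-Oreo Android, where this setting exists.
SAMPLE_UNKNOWN_SOURCES = "1"

# Indicator names taken from the Check Point write-up linked in this thread.
KNOWN_PACKAGES = {"com.android.sensjm"}
KNOWN_PAYLOAD_FILES = {"right_core.apk", "qs.apk"}

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>\S+)$")


def parse_package_list(text):
    """Return a list of (apk_path, package_name) tuples from `pm list packages -f` output.

    Lines that do not match the expected shape are skipped rather than raising,
    because real dumps often contain warnings or blank lines.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("name")))
    return entries


def system_namespace_in_user_space(path, name):
    """Heuristic (assumption, not from the reports): a package claiming the
    com.android.* namespace but installed under /data/app was sideloaded or
    store-installed, not shipped with the firmware, which genuine framework
    packages under /system are."""
    return name.startswith("com.android.") and not path.startswith("/system/")


def flag_payload_files(filenames):
    """Return the names from a directory listing that match the dropped payload
    APK names described in the thread (case-insensitive)."""
    return [f for f in filenames if f.lower() in KNOWN_PAYLOAD_FILES]


def triage(package_text, unknown_sources_value):
    """Combine the checks; each finding is (category, subject, detail)."""
    findings = []
    for path, name in parse_package_list(package_text):
        if name in KNOWN_PACKAGES:
            findings.append(("known-indicator", name, path))
        elif system_namespace_in_user_space(path, name):
            findings.append(("namespace-spoof", name, path))
    if unknown_sources_value.strip() == "1":
        # The manual-install path post 5 describes only works with this enabled.
        findings.append(("unknown-sources-enabled", "install_non_market_apps", "1"))
    return findings


if __name__ == "__main__":
    for category, subject, detail in triage(SAMPLE_PACKAGE_LIST, SAMPLE_UNKNOWN_SOURCES):
        print(f"{category:24} {subject:28} {detail}")
    print("payload names:", flag_payload_files(["Right_Core.apk", "readme.txt", "QS.APK"]))
```

    On a real device the two inputs come from the adb commands named in the docstring; the script stays offline so it can be run against saved dumps. A package that trips the namespace heuristic is only a lead to investigate (some OEM additions live outside /system), whereas a hit on the known package name or payload file names is a direct match against the indicators in the report.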
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,087