Wednesday, October 29, 2014

Mobile Malware Takes Victims by Surprise

Malware writers behind Koler, a bad app that attacks Android devices, have upped their game with a new variant of the pernicious program.
In its original version, Koler hijacked phones it landed on and wouldn't set them free until a ransom was paid. This latest strain of the malapp also does the ransomware thing, but it takes its malignancy a step further.
"This version self-replicates," Denis Maslennikov, a security analyst withAdaptiveMobile, told TechNewsWorld. "This is the first time we've seen self-replicating ransomware on Android."
After a user downloads the new Koler to a phone, the software commandeers the mobile's address book and spams everyone in it -- only it doesn't look like spam to the contacts because the SMS message is coming from a trusted source.
The message tells targets that a photo page has been created about them on the Web and includes a link to the page. After landing on the page, a target is directed to download and install a photo viewer to see the images. Following those instructions will infect the target's phone with Koler.

Toothless Threats

"This is big jump in Koler's propagation mechanism," Maslennikov said. "Before it was just hiding on websites. Now it's actively spreading to all your friends."
Although mobile ransomware can be frightening to someone unfamiliar to its workings, the malware is tame compared to its computer counterpart.
For example, Koler claims to encrypt all the data on a phone. However, it doesn't do that, so the data is always recoverable from the phone without any dependence on Web predators.
Moreover, removing the malware is relatively easy. You can reboot Android in safe mode and kill the malignant program using standard application-removal tools.
"If you reboot the phone normally, it's always going to come back into the ransomware," said Cathal McDaid, AdaptiveMobile's head of data intelligence and analytics.
"The typical user isn't going to know that, so they may go to extremes and do a factory reset, which will work as well -- but they will lose all their data," he told TechNewsWorld.

Bell Tolling for Passwords

While complaints about passwords as a way to authenticate users abound, progress on finding a substitute for them has been glacial. Last week, though, there were signs that was changing.
Microsoft plans to build two-factor authentication into the next version of its desktop operating system, Windows 10, ZDNet reported. It will be based on standards developed by the FIDO Alliance.
Owners of any device running it will be able to enroll the device as "trusted" for the purpose of authentication, according to the report.
In addition, the owner creates a PIN for the device. The PIN can be any combination of letters and numbers.
If PINs are compromised in a data breach, it won't do the thieves much good. When they try to use them to obtain online services, they won't have the associated devices to authenticate their identity. Conversely, if devices are stolen, the thieves won't have the PINs for authentication.

Google Dongle

Meanwhile, Google also floated a two-factor authentication scheme using a USB security key.
Google already has two-factor authentication via SMS messaging, but the USB approach will give its users another option.
Initially, the key will work only with Google's Chrome browser. With the key, you don't have to fuss with any codes. You plug the key into a USB port, wait for a prompt, and tap the key to access your Google accounts.
The key also incorporates authentication technology from the FIDO Alliance.
"The idea here is to move away from just using a password to log into your email, your system, your network," Aryeh Goretsy, a researcher with Eset, told TechNewsWorld.
"What we've seen in the past is a bunch of attacks where people's accounts have been compromised," he said. "So the goal here is to remove the weakest link, which is the password."

Making NFC Respectable

Near-field communication has been around for some time, but it has failed to capture a lot of consumer interest or confidence in its ability to secure mobile transactions.
For example, by a two-to-one margin, consumers give lower security ratings to NFC transactions than those performed with magnetic strip cards, suggests a survey released last week by Phoenix Marketing International.
Apple might be able to change that perception with its Apple Pay system, however. That's because the scheme depends on more than NFC alone for security.
"Apple delayed committing to NFC for a long time so when it entered the market, it could do so with a whole security platform," said Greg Weed, PMI's director of card research. That platform included a secure element chip inside the phone and a fingerprint scanner outside it.
Before Apple Pay, merchants, vendors and card issuers debated what kinds of rewards and enticements were needed to get consumers to use NFC devices. Apple Pay has changed that.
"What it did is take the idea of security and make it the benefit of the platform," Weed told TechNewsWorld. "That's changed the conversation."