The old saying goes that “you can’t teach an old dog new tricks.” But, nothing says “you can’t teach a new dog old tricks.” Which is what cybercriminals are doing by borrowing a trick or two from desktop days and applying them to smartphones. At least that’s the import of an article by Michael Lee’s on ZDNet.com.
Now, in previous blogs, we’ve talked about how cybercriminals use Twitter to steer smart phone users to places online where cybercrooks have malware stashed. Though it can be used for other nasty things, this malware is often used to force a phone to send SMS texts to premium-rate numbers with the cybercriminal getting a chunk of the action for the higher fees.
“During a single eight-hour operation, [security expert Joji Hamada] witnessed over 130,000 malicious tweets from about 100 Twitter accounts. Another operation saw over 1500 tweets from over 50 accounts in one hour. He said that this could just be the tip of the iceberg as several operations are typically conducted at the same time.”
Here’s an interesting sidelight. Cybercriminals use malware against smartphones the same way they used to use it against desktops. In the days of the desktop (apologies to everybody still using desktops), whenever the user’s antivirus found a cure for a particular strain of malware, the cybercriminal would develop a new strain or new virus. This one-upmanship arms race is now taking place on smartphones with cybercriminals getting an added advantage by trading on one of the smartphone’s major attractions. And, that is the ability to have access to the Internet anytime, anywhere 24/7/365. This offers cybercriminals, as Hamada puts it, to “mix their game around, thereby making it difficult to recognize all bad tweets.”
Research and security professional, Dinesh Venkatesan, found another anti-detection technique that cybercriminals use that’s borrowed from desktop days. It’s called reflection and allows the executing program to examine classes and, among other abilities, find particular functions to execute at runtime without necessarily knowing what the code is at compile time.
As a matter of course, when malware calls a sendTextMessage() function in Android for example, anti-malware applications are warned there’s a suspicious activity going on.
Based on reflection Venkatesan said, “Instead of directly calling the sendTextMessage() function, the malware stores the name of the function as a presumably harmless string and, after searching the API[*] for the function by this name, stores its location as a reference. When the malware then wants to execute the sendTextMessage() function, it will call on this reference rather than its direct name. For static code analysis tools, this is typically enough for the malware to escape detection.”
* If you’re not into programming, an API or application programming interface is used as an interface by software components to communicate with each other.
Additionally, Venkatesan “found that these particular samples were taking steps to encrypt the data they used. In particular, criminals had taken steps to ensure that the data was only decrypted at runtime. From here, the data was stored in memory as an XML file and used to determine which number to send SMS messages to and their content.” So it seems new dogs not only learn old tricks, they can also come up with new ones.