Android Malware Hides Behind SSL

According to a blog post by the security company Trend Micro, Android users face a new set of problems as malware starts sending its traffic over SSL, the same encrypted channel that legitimate apps use to talk to the servers behind popular services. There is no flaw in SSL itself here; the malware simply borrows the encryption to hide what it sends and where.

Because its connections look like ordinary encrypted sessions to a legitimate hosting provider or social network, the malware evades detection tools that rely on inspecting plaintext network traffic, and it can keep exchanging stolen data with its operators for far longer than criminals are usually able to before being spotted.

Most Android attacks in recent years have targeted the phones themselves, helped along by the sheer number of devices and by an app model that makes installing untrusted code easy. What sets this family apart is how it moves the financial details and personal data it lifts from each transaction off the device without being noticed.

Rather than breaking SSL, the attackers use accounts and hosting obtained through normal channels, on web hosts and on services such as Gmail, Twitter and even Facebook, as the far end of the encrypted connection. Data captured from a victim's banking session, or from any other service, then travels over a channel that looks like any other visit to those sites.

Each campaign ships its own purpose-built app to pull data off an Android phone or tablet. One example is ANDROIDOS_GMUS.HNT, which poses as a file manager and, after the device restarts, sends the IMEI, phone number and images stored on the SD card straight out over the network.
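The combination the article describes for the file-manager lookalike (phone identity, SD-card contents, network access, and code that runs again after a restart) is visible before the app ever executes, in its manifest. The following is an added example, not Trend Micro's code and not the real sample's manifest: a static triage script that reads a decoded AndroidManifest.xml (assumed to have been converted from binary XML already, for instance with apktool) and reports that pattern. Both manifests in it are constructed, and the package and component names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed manifest modelled on the behaviour the article attributes to the
# file-manager lookalike. It is NOT the real ANDROIDOS_GMUS.HNT manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="File Manager">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: reads storage, nothing else.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Permission -> capability, phrased in terms of what the article says was stolen.
CAPABILITIES = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI, phone number)",
    "android.permission.READ_EXTERNAL_STORAGE": "SD-card contents (images)",
    "android.permission.INTERNET": "network exfiltration",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart on boot",
}


def boot_receivers(root):
    """Names of <receiver> components whose intent-filter listens for BOOT_COMPLETED."""
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED":
                found.append(receiver.get(NAME_ATTR))
                break
    return found


def triage(manifest_xml):
    """Score a decoded AndroidManifest.xml for the pattern the article describes:
    identity + storage + network access, plus a boot receiver so the payload
    runs again after the device restarts. For manifests from untrusted APKs,
    parse with defusedxml instead of xml.etree to avoid entity-expansion tricks."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    caps = sorted(CAPABILITIES[p] for p in perms if p in CAPABILITIES)
    receivers = boot_receivers(root)
    # A real file manager legitimately reads storage. What should raise an eyebrow
    # is storage + identity + network together, persisted across reboots.
    suspicious = (
        "device identity (IMEI, phone number)" in caps
        and "SD-card contents (images)" in caps
        and "network exfiltration" in caps
        and bool(receivers)
    )
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "boot_receivers": receivers,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Run it as-is to see both verdicts. The score is deliberately a conjunction rather than a count: READ_EXTERNAL_STORAGE alone is what every real file manager asks for, and flagging on it would bury the analyst in noise.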

Mobile Threat Analyst Seven Shen offered several reasons why criminals have glommed onto SSL in recent months in favor of more commonly abused malware distribution tactics:

“There are several possible reasons why cybercriminals are using SSL. Compared to plaintext transmission, data sent through SSL cannot be easily uncovered. Some dynamic analysis methods based on TCP traffic monitoring may not work well.

Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like.”
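Shen's point that TCP payload monitoring stops working once the malware speaks SSL does not mean nothing is left to look at. The handshake still carries the destination hostname in cleartext (the Server Name Indication extension, which stays unencrypted through TLS 1.2 and in TLS 1.3 unless Encrypted Client Hello is in use), and on the device it is known which app opened the socket. The following is an added example, not code from Trend Micro or from the article: it builds a constructed ClientHello, parses the SNI back out of it, and flags connections whose destination falls outside a per-app baseline or on a watchlist. The app identifiers, hostnames and watchlist entries are all hypothetical.

```python
import struct


def build_client_hello(hostname, cipher_suites=(0x1301, 0xC02F, 0xC030)):
    """Construct a minimal ClientHello record carrying an SNI extension.
    Used here only to produce sample data; real clients send much more."""
    name = hostname.encode("idna")                                   # A-labels, ASCII
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                      # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # null compression only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed.
    Every length is bounds-checked because this runs on attacker-controlled bytes."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                     # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                             # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]             # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                             # compression_methods
    if pos + 2 > len(body):
        return None                                                  # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(data) < 2:
            continue
        p = 2                                                        # skip server_name_list length
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + nlen]
            if ntype == 0 and len(name) == nlen:
                return name.decode("ascii", "replace")               # SNI is ASCII per RFC 6066
            p += 3 + nlen
    return None


# Constructed per-app baseline of expected TLS destinations; in practice derived from a
# period of known-good observation. App ids and hosts are hypothetical.
EXPECTED_SNI = {
    "com.example.filemanager": set(),             # a local file manager needs no server at all
    "com.example.bank": {"online.bank.example"},
}
# Hypothetical watchlist of hosts reported as malware infrastructure.
REPORTED_HOSTS = {"cnc.vhost-provider.example"}


def flag_connections(connections, expected=EXPECTED_SNI, reported=REPORTED_HOSTS):
    """connections: iterable of (app_id, first_tls_record_bytes).
    The encrypted payload is opaque, so only handshake metadata and the
    app-to-destination relationship are used."""
    findings = []
    for app, record in connections:
        sni = extract_sni(record)
        if sni is None:
            findings.append((app, None, "no SNI or unparsable ClientHello"))
        elif sni in reported:
            findings.append((app, sni, "destination on reported-C&C watchlist"))
        elif app in expected and sni not in expected[app]:
            findings.append((app, sni, "destination outside app baseline"))
    return findings


# Constructed sample: the bank app talks to its backend; the "file manager" talks to a
# social-network API and to a rented virtual host, the two cases Shen describes.
SAMPLE_CONNECTIONS = [
    ("com.example.bank", build_client_hello("online.bank.example")),
    ("com.example.filemanager", build_client_hello("api.twitter.com")),
    ("com.example.filemanager", build_client_hello("cnc.vhost-provider.example")),
]

if __name__ == "__main__":
    for finding in flag_connections(SAMPLE_CONNECTIONS):
        print(finding)
```

The baseline rule is the one that catches the Twitter case: api.twitter.com is not a bad host, so no watchlist will ever list it, but a file manager has no business talking to it. Shen's closing point still stands, though: once a connection is flagged, taking the abused account or virtual host down needs the provider's cooperation, because nothing on the wire is left to block.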

Trend Micro's post includes screenshots of each of these techniques, showing the path the malware takes to collect as much user data as possible in the short window each attack has.

[Figure: Gmail crack through SSL]

[Figure: Twitter exploit]

Trend Micro says it has informed Google about the problem but has yet to receive an official response from the search giant. Since the malware abuses SSL rather than exploiting a flaw in it, there is no single fix to patch and push out to every device; as the analysts themselves conclude, detection will have to extend to the hosting providers and services whose accounts are being abused.