• United States



Google, Facebook ID codes found in Android malware stash

Sep 04, 20143 mins
AndroidCybercrimeData and Information Security

Text messages containing VPN passwords and authentication codes for Google and Facebook are found on a command-and-control server for Android malware

Research on Android malware called KorBanker has uncovered a treasure trove of text messages that include authentication codes for Google and Facebook and VPN passwords.

How the thieves made use of the data is not known. However, FireEye researcher Hitesh Dharmdasani assumes cybercriminals have figured out a way to exploit it for financial gain.

[Android now ‘mobile world’s equivalent’ of Windows for hackers]

“It is potentially bad that someone else apart from the intended recipient would have it,” Dharmdasani said Thursday of the stolen data.

Dharmdasani knew Android malware was used to intercept message communications on smartphones. However, he did not know the kind of data collected until he found the MySQL database in a command-and-control server for KorBanker.

FireEye has known about the malware, found mostly in South Korea, for about a year. KorBanker’s original purpose was to steal online banking credentials.

The malware is hidden in another app, such as a fake Google Play app, and offered for free on an online store. While most Android smartphone owners in the U.S. download apps from the official Google Play store, people in Asia regularly use less safe third-party stores, which often contain malware.

When the smartphone user installs the fake app, KorBanker overrides the online banking app. Clicking on the hijacked banking app launches a screen asking users if they want to install an update. Answering yes gets another screen asking for the username and password.

Over the last two months, the creators of KorBanker have expanded its thievery to text messages. The data collected by the app included VPN passwords and temporary authentication codes for Google, Korea Mobile, Facebook, Seoul Credit Rating & Information Co. and SK Telecom.

Authentication codes include temporary identification numbers used in two-factor authentication and password resets.

The research proves that valuable information can be collected from text messages, which should act as a warning to businesses, Dharmdasani said.

“There is sensitive information, it is being stolen and it can be used,” he said.

[F-Secure says 99 percent of mobile malware targets Android, but don’t worry too much]

In other Android news, a researcher has compiled a list of more than 350 apps that fail to perform SSL certification validation over HTTPS, making them vulnerable to man-in-the-middle attacks.

While this security flaw is known, Will Dorman with the CERT Coordination Center at Carnegie Mellon University is searching for vulnerable apps on Google Play and CERT is notifying the vendors.