Old Android devices: risk of malware being downloaded and run automatically

While observing the activity of several cybercriminal groups, Kaspersky Lab researchers detected unusual activity in a malicious script, hosted on an "infected" website, which puts device users in danger.

The script usually activates Flash exploits to attack Windows device users. However, at some point the script was configured so that it could check the type of device its victims use, specifically looking for Android 4.0 and/or earlier versions. As soon as they identified the risk, Kaspersky Lab experts decided to investigate further.

"Infecting" an Android device is much more difficult for criminals than "infecting" a Windows PC. Windows, and many popular applications for this operating system, have vulnerabilities that allow malicious code to run without user interaction.

As a rule, this is not the case with the Android operating system, since each application installation on an Android device requires confirmation from its owner. However, vulnerabilities in the operating system could be exploited to circumvent this constraint and - as the company's researchers have found - this is indeed the case.

The script is a set of special instructions to be executed in the browser, embedded in the code of the "infected" website. The first script was discovered while it was looking for devices running old versions of the Android software. Two more suspicious scripts were identified afterwards. The first is able to send an SMS to any mobile phone number, while the other creates malicious files on the SD card of the device that has come under attack.

This malicious file is a Trojan and is able to intercept and send SMS messages. Both malicious scripts are able to perform actions independently of the Android user. All it takes for users to be exposed to risk is to occasionally visit an "infected" website.

This has been possible because digital criminals have used exploits for many vulnerabilities in Android versions 4.1.x and earlier. In particular, these vulnerabilities are identified as CVE-2012-6636, CVE-2013-4710 and CVE-2014-1939. All three vulnerabilities were patched by Google between 2012 and 2014, but the risk of exploitation continues to exist.

For example, because of the way the Android ecosystem works, many Android device vendors release the necessary security updates too late. Some devices, in fact, receive no updates at all, because certain models become technically obsolete over time.

"The exploitation techniques we detected during our research were not new. On the contrary, these are ideas that were 'upheld' by references, previously published by white hat researchers. This means that Android device providers should take into account the fact that the publication of PoCs will inevitably lead to the emergence of 'equipped' exploits. Users of these devices deserve to be protected with corresponding security updates, even if the devices are not for sale at the given time," said Victor Chebyshev, Kaspersky Lab security specialist.

To protect against drive-by attacks, Kaspersky Lab specialists recommend that users:

  • Keep their Android device up-to-date by allowing automatic updates
  • Restrict the installation of applications from alternative sources and rely mainly on Google Play, especially if they manage many devices used on corporate networks
  • Use a proven security solution. For example, Kaspersky Internet Security for Android and Kaspersky Security for Mobile with Mobile Device Management are able to detect changes to the device's SD card in real time, thus protecting users from the drive-by attacks described above.
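
For administrators who manage many devices, one way to find handsets still in the affected range (Android 4.1.x and earlier) is to look for their browser User-Agent strings in web proxy logs. The sketch below is an added example, not code from Kaspersky Lab or the original article; the log format (client IP followed by a quoted User-Agent) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Highest Android release the article names as affected (4.1.x and earlier).
AFFECTED_MAX = (4, 1)

# Android browsers report "Android <version>" in the User-Agent string.
UA_ANDROID = re.compile(r"Android (\d+)(?:\.(\d+))?")

# Constructed proxy log lines (assumed format: client_ip "user-agent").
SAMPLE_LOG = '''\
10.0.0.11 "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; GT-I9100 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
10.0.0.12 "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36"
10.0.0.13 "Mozilla/5.0 (Linux; U; Android 2.3.6; en-gb; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
10.0.0.14 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
10.0.0.15 "Mozilla/5.0 (Linux; U; Android 4.1.2; de-de; GT-I8190 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
10.0.0.16 "Mozilla/5.0 (Linux; Android 4.2.2; Nexus 7 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36"
10.0.0.11 "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; GT-I9100 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
'''

def android_version(user_agent):
    """Return (major, minor) for an Android User-Agent, or None otherwise."""
    m = UA_ANDROID.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def affected_clients(log_text):
    """Map client IP -> set of affected Android versions seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ip, _, rest = line.partition(" ")
        version = android_version(rest.strip('"'))
        # Tuple comparison: (4, 1) and anything lower is in the affected range.
        if version is not None and version <= AFFECTED_MAX:
            hits[ip].add(version)
    return dict(hits)

if __name__ == "__main__":
    for ip, versions in sorted(affected_clients(SAMPLE_LOG).items()):
        print(ip, ", ".join("%d.%d" % v for v in sorted(versions)))
```

User-Agent strings are self-reported, so the output is a starting list to confirm against the device inventory rather than a definitive count.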

More information about drive-by attacks on Android devices is available on the site Securelist.com.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
