August 4, 2011
Dasient Research Discovers Major Privacy and Security Threats in Mobile Applications
LAS VEGAS, Aug. 4, 2011 /PRNewswire/ -- Black Hat USA 2011 Conference -- At the Black Hat conference today, Dasient Inc., the leading provider of anti-malware solutions for websites and ad networks, will deliver the full results of an in-depth study that reveals new concerns about the security of mobile applications and devices, as well as the personal information of the people who use them.
The report, "Mobile Malware Madness, and How to Cap the Mad Hatters: A Preliminary Look at Mitigating Mobile Malware," was authored by Dasient's research team, including Neil Daswani, Gerry Eisenhaur, Michael N. Gagnon and Tufan Demir. In a Black Hat presentation scheduled at 4:45pm PT on Thursday, August 4, Dasient's co-founder and Chief Technology Officer (CTO) Neil Daswani will reveal details on this behavioral analysis study of 10,000 applications downloaded from the Android Market, which found that 842 of those applications are leaking personal information. He will also discuss Dasient's findings on mobile drive-bys - a method by which malware is delivered to users via legitimate markets or applications.
"Our research indicates that mobile devices and applications are subject to a number of security considerations that may cause them to leak personal data, or expose users to infection via malicious drive-bys," said Daswani. "These issues need to be recognized immediately, both by those who write mobile applications and by the people who use them."
Some of the key findings of Dasient's research include:
- 842 of the 10,000 apps analyzed from Google's Android marketplace were leaking private information. The apps transmitted International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers to remote servers, potentially exposing this personally identifying information to compromise. The leaks occurred most frequently when application developers used IMEIs as user IDs, enabling unrelated applications to compare notes on user behavior, and clone users' phones.
- Hashing IMEI numbers does not protect user privacy. While some mobile application developers seek to protect the personal IMEI data via cryptographic "hashing," the Dasient security team found that the hashing techniques used on IMEIs were relatively easy to circumvent.
- Mobile drive-by attacks can become a very real and new threat vector for malware distributors. Dasient's security team prototyped a mobile drive-by attack for Android. While drive-bys on desktop PCs on the Web are very common, the ability to conduct mobile drive-by attacks is a new, and potentially attractive, method of deployment for malware distributors.
"Mobile devices and applications are becoming a more popular platform for malware creation and distribution," Daswani concluded. "It's likely that we are on the threshold of another new wave of malicious attacks, and the time to start preparing is now."
The full Dasient report on mobile malware, including detailed results of the Android application study, can be found at: http://www.dasient.com/mobile-malware-madness/. More information can also be found on Dasient's blog: http://blog.dasient.com/
Dasient, the leader in Web anti-malware technology, envisions an Internet that is safe and malware-free for users and online businesses. Dasient protects the websites of leading financial services, e-commerce, media, web hosting and other global enterprises from losses of data, revenue and reputation caused by web-based malware attacks. Furthermore, Dasient's adaptive security intelligence redefines Internet security by scanning the expanses of the Web and harnessing the power of data to mount defenses against future malware attacks. For more information about the company and its services, visit www.dasient.com.