McAfee finds code-validation dodging Android malware

Cyber attackers are using malware to circumvent digital signature app validation on Android and PCs, says McAfee

Cyber attackers are using new methods to circumvent digital signature app validation on PCs and Android-based devices, according to the latest threat report from security firm McAfee.

The firm’s researchers have identified a new family of mobile malware that allows attackers to bypass the digital signature validation of apps on Android devices.

The researchers said this new security control evasion technique has contributed to a 30% increase in Android-based malware.

At the same time, traditional malware signed with digital signatures grew by 50% to more than 1.5 million samples.

At McAfee Focus 2013 in October, researchers said digitally signed malware was a fast-growing threat aimed at bypassing whitelisting and sandboxing security controls.

“We found 1.2 million pieces of new signed malware in the last quarter alone,” said David Marcus, director of advanced research and threat intelligence at McAfee.

This is malware that is signed using legitimate digital certificates that have not been stolen or forged, but acquired from certificate authorities (CAs) or their sub-contractors, he told Computer Weekly.

The latest report reveals the top 50 certificates used to sign malicious payloads, noting that this growing threat calls into question the validity of digital certificates as a trust mechanism.

Researchers said efforts to bypass code validation on mobile devices and commandeer it altogether on PCs represent attempts to circumvent trust mechanisms upon which digital ecosystems rely.


McAfee Labs researchers identified one new family of Android malware, Exploit/MasterKey.A, which allows an attacker to bypass the digital signature validation of apps, a key component of the Android security process.

McAfee Labs researchers also found a new class of Android malware that downloads a second-stage payload without the user’s knowledge.

“The industry must work harder to ensure the integrity of these technologies as they become more pervasive in every aspect of our daily lives,” said Vincent Weafer, senior vice president, McAfee Labs.

The third quarter also saw notable events in the use of Bitcoin for illicit activities such as contract killings, drugs, weapons, and other illegal goods on websites such as Silk Road.

The growing presence of Bitcoin-mining malware highlights the increasing popularity of the currency.

Researchers found malware designed to infect systems, mine their processing power, and produce Bitcoins for commercial transactions.

“As these currencies become further integrated into our global financial system, their stability and safety will require both financial monetary controls and oversight, and the security measures our industry provides,” said Weafer.

The International Cyber Security Protection Alliance (ICSPA) has called for international collaboration in outlawing currencies such as Bitcoin because they are enabling a large proportion of cyber crime.

John Lyons, ICSPA chief executive, told the ISSE 2013 security conference in Brussels that if US and European financial institutions collaborated, they could shut down virtual currencies overnight by requiring all financial transactions to go through auditable channels only.

“This is the safest and most secure way of shutting down funding to criminal groups,” he said.
