Rob Rachwald



Top Stories by Rob Rachwald

In the past, we've discussed the rise of mobile malware. More recently, Imperva's ADC has analyzed mobile malware, and our findings support the observation that we'll see more Android malware than malware targeting Apple, for two reasons: technically, it is easier to write malware for Android, and currently, better channels exist to distribute Android malware. Google has bought Motorola (for the best market perspective on the acquisition, read Fabrizio's take). Consolidation aside, mobile malware is on the rise. For instance, Juniper's Malicious Mobile Threats Report found a 400% increase in Android malware since the summer of 2010. According to Paolo Passeri, the amount of malware is growing exponentially and reached a huge peak in July. This trend is very important for the security industry. A recent Wall Street Journal headline captures the shifting la... (more)

Mobile Malware: Emulating a Dynamic Infection

Check out Part 1 and Part 2. In Part 3, we showed the code that intercepts the SMS messages and sends them to the drop point. As we have previously mentioned, the malware is distributed through Android's application market. It remains to address the following question: what does an infection look like from the point of view of the victim? Dynamic Infection: rather than installing the Trojan on an Android handset, we decided to install it on the Android SDK on an Ubuntu machine. Following are some screenshots that emulate what the victim sees on their handset. 1: An Android virtual ... (more)

Mobile Malware: Decompiling the Application

This four-part series presents an under-the-hood analysis of Android malware. This malicious mobile application is distributed via Android's application market. What does it do? The application captures incoming SMS messages before any other system application does. It then posts their contents to a drop server. Because of this interception behavior, security researchers have been calling it ZitMo - Zeus in the Mobile. But is this in fact the mobile equivalent of the notorious banking Trojan, ZeuS? As the analysis will show, we cannot guarantee the validity of the ZitMo claim du... (more)

Mobile Malware: A Deep Dive into Decompiled Classes

In Part 2 we demonstrated how to decompile the Trojan's .dex file - the compiled Android application code file. In Part 3, we show how the Trojan intercepts the messages and sends them to the drop point. In particular, we take a deep dive into these three decompiled classes: the Activation class, responsible for the UI window; the ServerSession class, responsible for sending the intercepted text messages to the drop box; and the Main class, which runs the application where the Trojan intercepts the incoming text messages. Classes Overview: Activation Class. The Activity class takes care of... (more)