Published on May 15th, 2017 | by admin
Nick FitzGerald Interview (Senior Research Fellow at ESET)
Tell us how became involved with ESET Nick and your background with online security?
As a web threats researcher, I have worked in the industry from the early days of malware’s move to the web and its associated shift from ‘electronic graffiti’ to its primarily criminal activity today.
As the previous editor and head product tester for Virus Bulletin, I have extensive experience in computer malware, technical and editorial writing in the malware and e-crime field, and an in-depth knowledge of anti-malware product testing.
While at Virus Bulletin, I persuaded one of the founders of ESET to contribute its virus scanner to our comparative tests, and that started a very long run of impressively consistent test results. Watching that streak continue long after I left the journal, it became clear to me that ESET’s approach and attitude were well aligned with my own views, so when an opportunity arose to work with ESET, it was an easy decision to make.
How did the Flashlight Trojan app get through the Google Play process?
Google has prioritized ease-of-use for app developers and speed in the app publication process, even if that does not result in the highest level of user protection.
Since mid-2011, apps submitted for publication in the Google Play store pass through a security screening feature known as Bouncer. This system is proprietary to Google, so precisely what it does is unknown outside the company, but we know a little of its workings based on external testing and some high-level descriptions from Google staff. Submitted apps are run in an emulated Android environment for a short period of time and if various prohibited behaviours are observed, the app is blocked from publication. More recently, Google has added additional levels of human review, although it seems highly unlikely that all apps receive such checks. Various flaws in the system allow a malicious app to detect that it is running under Bouncer and thus don’t exhibit any prohibited or malicious activity. Bouncer would thus give the app a “pass”, allowing the malicious app to go undetected.
If someone does get infected, what advice would you give them?
Users are aware that apps can carry harmful malware and ransomware code, however they don’t always realise that sometimes installing a paid app that does not deliver the intended service can also be a scam.
There is no current, officially-sanctioned Adobe Flash Player for Android, so if you have installed one and been alerted that your version requires a paid update, you should install a security product and scan the whole device, especially if you have paid for the update, which indicates you have been duped and most likely have something undesirable running on your device.
Further, as Google has removed this particular app from the Play Store, Android users who had installed it have most likely had it removed from their devices by now via the “Verify apps” feature. This is enabled by default in all recent Android releases, but users should check that it is enabled on their devices.
Can these criminals be traced if users pay?
In this case it may be possible to trace the people behind this scam because of their use of PayPal as their payment processor. A suitable, official law enforcement request to PayPal for the account ownership details associated with the PayPal account used by these scammers should result in PayPal cooperating. Whether anyone is following this line of investigation is unclear.”
What advice would you give Android users to protect themselves from app scams?
The best advice for Android users is to only download apps from the official Google Play Store. However, as we know, some malicious apps still do get through.
It is always wise to read the reviews of an app before downloading it, along with taking a detailed look at what permissions and rights you are granting to the app.
In case these measures fail, it is best to use a reputable mobile security solution which will provide better protection against malware.”
In your role as Senior Research Fellow, what are some of the themes in cyber-crime that you have noticed?
Between 2015 and 2016, Australia saw an almost 20 per cent increase in the total number of cybercrimes reported to ACORN. More generally, the last three years have seen a major growth in the efforts of cybercriminals running ransomware campaigns, and since about October 2016 there has been a massive uptake in the abuse of IoT devices for cybercriminal activities such as DDoS botnets.
Besides computers and smartphones, how long will it be until other devices like smart TV’s, gaming consoles and cars will be affected?
This is already happening. Aside from the attention-grabbing headlines about recent hacking tool ‘leaks’ from US intelligence agencies, featuring tools that could make certain smart TVs appear to be powered off, whilst their cameras and microphones are recording, and so on, we have seen the Mirai botnet and its offspring perpetrating the largest DDoS attacks on record. Mirai is often described as an ‘IoT botnet’ because most of the devices it recruits are classic IoT gadgets such as IP-connected security cameras and their associated DVRs, and home routers.
As more IoT, or ‘smart’, devices connect to the internet, we expect to see the IoT botnet problem get worse. Sadly, this is because of the generally very poor state of security implemented on so many of these devices. This is exacerbated by so few of these devices having the kinds of automatic update mechanisms we depend on to keep the security of our PCs, laptops and smartphones up to scratch.”
Do you think electronic devices will ever be safe from cybercriminals?
Back in 1989, one of the first academics to specialise in computer security, Eugene (‘Gene’) Spafford said, ‘the only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts’. I agreed with him then, and I still don’t think there’s much hope for change.
How do you think the cybercrime landscape will change in the next 10 years?
Given the above, ‘not much’ might be the expected answer. Realistically though, since the mid-to-late 1990s, no ‘successful’ form of malware and its associated cybercrime platforms have remained dominant for more than a few years. This mostly reflects the dynamic of any truly successful or dominant malware tactic drawing sufficient attention to itself, in that ‘something’s gotta give’.
For example, in the mid-1990s, as macro viruses emerged as an obvious threat, Microsoft did not take malicious macros in Office, particularly Word, document files at all seriously, but as the damage wrought by macro viruses increased, perhaps culminating in the Melissa mass-mailer worm incident, Microsoft made several changes to the macro functionality in Office’s components. While those changes made life a little more difficult for a tiny proportion of Office users, the vast majority noticed little, if any, change in their use of Office, but macro viruses rapidly became a thing of the past because Microsoft finally chose to annoy a few power users in return for vastly improved security for the overall ecosystem.
Likewise, while spam is unlikely to ever be a fully solved problem, specific spammers or spamming operations are often shuttered through the cooperative efforts of several security vendors, network service providers and major players such as Google or Microsoft, combined with appropriate law enforcement.