Archive for the ‘InfoSec’ Category

The number of Information Security related jobs is growing extensively, and there is a huge requirement for skilled InfoSec professionals across the globe. Positions are available for freshers, experienced people and top management (typically CISO etc.). This post is my attempt to collect typical InfoSec interview questions and answers to help those looking for opportunities in this field. I'll keep updating the questions regularly. You can also share/contribute any questions you might have faced during your InfoSec interviews.

Category I: General Security Concepts / Network Security / OS Security

1) Is there any difference between Information Security and IT Security? If yes, please explain the difference.

Ans– Yes. Information Security and IT Security are different terms that are often used interchangeably. IT Security focuses purely on technical controls (like implementing antivirus, firewalls, hardening systems etc.), while Information Security is a wider term which means securing “information” as an asset in whatever form it exists (e.g. shredding paper documents to prevent dumpster diving). So IT Security can be considered a subset of Information Security.

2) What is the difference between Encoding, Encryption and Hashing?

Ans– At a very high level, all three terms might appear to be similar and people often confuse them. But each technique is distinct and has a different use case. The purpose of encoding is to transform data so that it can be properly (and safely) consumed by a different type of system, e.g. binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it is able to be properly consumed. It does not require a key, as the only thing required to decode it is the algorithm that was used to encode it. Examples: ASCII, Unicode, URL Encoding, Base64. The purpose of encryption is to transform data in order to keep it secret from others. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. Examples: AES, Blowfish, RSA. The purpose of hashing is to take arbitrary input and produce a fixed-length string that has the following attributes:

  1. The same input will always produce the same output.
  2. Multiple disparate inputs should not produce the same output.
  3. It should not be possible to go from the output to the input.
  4. Any modification of a given input should result in drastic change to the hash.

Examples: MD5, SHA1, SHA2 etc. Hashing is often used in computer forensics to verify the integrity of digital evidence.
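As an added illustration (not part of the original post), the following Python uses only the standard library to show the distinction drawn above: Base64 encoding reverses with no key, a SHA-256 digest is fixed-length, deterministic and changes drastically on a one-byte edit, and re-hashing is exactly how evidence integrity is verified in forensics. Encryption is left out because the standard library ships no AES; the evidence bytes are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed sample "evidence" bytes standing in for an acquired file.
EVIDENCE = b"From: alice@example.test\nSubject: quarterly numbers\n"


def encode_decode(data: bytes) -> tuple[str, bytes]:
    """Encoding: reversible without any key; knowing the scheme (Base64) suffices."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded, base64.b64decode(encoded)


def digest(data: bytes) -> str:
    """Hashing: arbitrary-length input -> fixed-length (256-bit) hex digest, one-way."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two digests (measures the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_integrity(data: bytes, recorded_digest: str) -> bool:
    """Forensic check: re-hash the evidence and compare with the digest recorded
    at acquisition. compare_digest does not leak where the strings first differ."""
    return hmac.compare_digest(digest(data), recorded_digest)


def demo() -> dict:
    """Run the comparisons and return the observations for inspection."""
    encoded, decoded = encode_decode(EVIDENCE)
    original_digest = digest(EVIDENCE)
    tampered = EVIDENCE.replace(b"numbers", b"numbers!")  # one extra byte
    return {
        "encoding_round_trips": decoded == EVIDENCE,
        "encoded_form": encoded,
        "digest_is_fixed_length": len(original_digest) == len(digest(b"")) == 64,
        "digest_is_deterministic": original_digest == digest(EVIDENCE),
        "bits_changed_by_one_byte_edit": bit_difference(original_digest, digest(tampered)),
        "tampered_evidence_passes_check": verify_integrity(tampered, original_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Roughly half of the 256 digest bits flip on the one-byte edit, which is what attribute 4 above means in practice.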

3) What is the difference between proxy, firewall, IDS and IPS?

A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. A firewall is basically meant for network traffic control/filtering, mainly at layer 3. It allows/denies packets and connections based on certain pre-defined rules. IDS (Intrusion Detection System) is an application which tries to detect intrusion attempts based on the attack signature database it has. IPS (Intrusion Prevention System) detects the intrusion (like an IDS) and goes one step further to prevent it as well: it simply drops the packets it considers suspicious (based on rules).
Examples:

  1. Proxy – Squid
  2. Firewall – IPTables, Cisco PIX, ZoneAlarm
  3. IDS – Snort
  4. IPS – IBM Proventia

4) How does asymmetric encryption work?

5) How does SSL work? Are you aware about some of the latest vulnerabilities that were found in SSL implementation?

6) What is port scanning? What are the countermeasures to prevent it?

7) What is Man in Middle attack? Can it be prevented?

8) What is the difference between false positive and false negative?

9) Explain the term ‘Defense in depth’.

10) What do you mean by stateful inspection by a firewall?

11) What is DMZ? Which systems should be placed in DMZ? What are common security precautions for DMZ systems?

12) What is DLP? How does it work?

13) In what scenario should AD authentication be used?

14) Is SSH completely secured? If not, can it be hardened more?

15) What is Virtualization? What are the security risks in it?

16) What do you mean by ‘BYOD’? Explain the security concerns related to it.

17) What are the different layers of OSI model? Can you list 1 vulnerability corresponding to each of the OSI layer?

18) What are honeypots?

19) Tell us about any major security incident that happened recently.

20) How do you keep yourself updated with latest trends in Information Security?

Ans: I refer to various security news sites, blogs etc. (like thehackernews, Rapid7 blog etc.). Also I am subscribed to various online security magazines like Pentest magazine, HackInsight etc., and I surf through the archives of various security conferences held worldwide.

21) Which OS do you feel is more secure? Linux or Windows?

Ans: No OS is secure unless and until its administrator is smart enough to secure it. Though Windows has more publicly found security issues, it can still be hardened appropriately. It's all about perception and having the right sense of security. Linux definitely provides robust security; however, a mis-configured Linux box could really pose a big threat to security.

22) Explain in brief, Multi Factor authentication.

23) Explain in short how Kerberos works.

24) How to harden a Windows Machine?

25) How to harden a Linux Machine?

26) How can you prevent DOS/DDOS attack?

27) What is a 0-Day Vulnerability? Can it be prevented?

28) What is the biggest difference between Windows OS and Linux OS?

29) Can an IDS be used to prevent intrusions? (Ans is yes, e.g. SNORT, one of the open source IDSs, if configured in inline mode in conjunction with IPTables, can act as an IPS.)

30) Explain any type of Wi-Fi Attack and how to prevent it.

31) What is SIEM? Why is it useful?

32) What is rainbow attack? Is there a way to prevent it?

33) Explain the difference between hub, switch and router.

34) What do you mean by reverse shell in Linux?

35) Explain file ACL’s (permissions) in Linux. What is the use of sticky bit?

36) What is NAT and PAT? Explain the difference between them and how they work.

37) Comment on security concerns in Cloud Computing.

38) What is the use of ‘salt’ in reference to passwords? Are there any limitations of using it?

39) What is single sign-on? What are security risks with it?

Category II: VA/PT

1) What is the difference between Vulnerability Assessment and Penetration Testing? Which one needs to be performed first?

2) What are the steps to perform VA/PT?

3) What precautions are required to be taken while performing VA/PT?

4) With whom would you share the findings of VA/PT and how would you convey the risk of the findings effectively so that mitigation can be initiated immediately?

5) What tools do you normally use for VA and PT? Which tool do you find the best and why?

6) What should be included in the report of a VA/PT assessment?

7) Is it possible to hack into a system without using any tool? If yes, how would you do it? (Manually?)

8) How can you identify whether a remote machine is a Windows Machine or Linux Machine?

9) What is the difference between active and passive information gathering? (give 1 example of each)

10) How does sniffing work? Explain how you can sniff a network. Can a sniffing attack be prevented, and how?

11) What would you do if nmap port scans are blocked by network security administrator? How would you gather host information in such case?

12) What are the different components of metasploit? Explain client side exploits/attacks.

Category III: Web Application Security

1) Why is Web Application Security Important?

2) “Making the website HTTPS would make it secure” share your comments on this.

3) What are cookies? What security threat do they pose?

4) What is SQL Injection attack? What are its types?

5) What are the ways to prevent SQL Injection?

6) What is XSS attack? What are its types?

7) What are the ways to prevent XSS attacks?

8) What is CSRF? How to prevent it?

9) What are the top 5 Web Application Vulnerabilities you know?

10) Explain any case wherein you found some critical web application vulnerability and you also provided solution to fix the same.

11) How would you mitigate vulnerabilities in a legacy application where much of code change is not feasible?

12) What tools do you use for performing Web Application security testing?

13) What are common security threats in Web Services and how do you test them?

14) What is the difference between White Box Application Security testing and Blackbox Application Security testing?

15) Do you have hands on knowledge of source code review? Give any example of vulnerability/bug you found during source code review.

16) What standards do you refer for Web Application Security and related vulnerabilities?

17) What are the most important steps you would recommend to secure your new web server?

18) Will L-3 firewall be useful in protecting the web application against common attacks? If yes, then to what extent?

19) What is Directory Listing? What is its impact? How to prevent it?

20) Can you explain any 2 vulnerabilities occurring due to poor session management?

21) Where should the Web Server and Database server be placed in the network for optimal security?

21) Is there any risk when conducting Application Security testing on production instance?

Ans: Ideally, Application Security testing should never be performed on a production instance. Automated scanners can insert, modify or even delete data from the target application, which could be a big risk. So the testing should be carried out on a test instance which contains an exact replica of the application code running on the production instance. If at all you have to test on the production instance, its owner must take responsibility (in writing) for any data loss that may occur after testing.

22) How would you investigate or trace any security incident which occurred due to exploitation of some vulnerability in your web application?

23) Please explain how you would test a mobile application for security vulnerabilities.

24) Explain Database Security. What are common controls for securing databases?

25) How would you convince the developer to fix the vulnerabilities you found in the Web Application?

Ans: It is normal human mentality not to accept our mistakes, and the same applies in this case. No developer would easily accept that code written by him has serious security bugs. So you have to demonstrate the vulnerability you discovered to him with a proper PoC, and explain to him the severity and impact if the vulnerability gets exploited. You have to be polite while explaining and not get into arguments.

26) How does HTTP handle state?

Ans: HTTP is a stateless protocol.

27) How do you identify that an application is vulnerable to blind SQL Injection attack?

28) What is clickjacking and how do you prevent it?

29) What are the top 5 Mobile Application security threats?

30) At which stage of SDLC should the security controls be applied?

Category IV: Risk Management/ Compliance/ Security Frameworks

1) What is Risk Assessment and Risk Management? Are they same?

2) What are the standards available for Risk Management?

3) What are the types of Risks?

4) What are the possible ways to treat the risk?

5) What is the difference between threat, vulnerability , exploit and risk?

5) What is residual risk? Can it be eliminated?

6) What is ISO 27001? Why should an organization adopt it?

7) What is the difference between ISO 27001 and ISO 27002?

8) What is PCI-DSS? Is there any similarity between PCI-DSS and ISO27001?

9) What type of organizations are required to be compliant with PCI-DSS?

10) What is the difference between a standard, policy, procedure?

11) What would you do to make security program / initiative successful in the organization?

12) How would you convince the senior management to invest in certain security initiative?

13) How much would you ideally spend on securing a Windows Server? (This is a very generic question, but would really test whether the candidate is clear with the basics like asset value, impact analysis etc)

14) What is the difference between technical controls and procedural controls? (give 1 example of each)

15) Explain high level steps for initiating and implementing ISO27001.

Category V: Strategic / Scenario Based Questions

1) Please comment: Which one would be more securely built? Open Source software or Commercial/Proprietary software?

2) Whom do you get inspired from in the field of Information Security?

3) How many packets would travel from a laptop if a user initiates a traceroute to facebook.com?

4) Consider a scenario: the network has become extremely slow and many escalations are coming to the service desk. What would you do as a security professional? Do you see a possibility of any security threat in this? How would you face this situation?

5) Suppose the business team wants to launch an application on an urgent basis, but you know it's vulnerable to some critical attacks. What would you do in such a case? Should the business requirement be given priority, or should security be the priority?

6) What are the latest trends in Information Security?

7) Is Internet Banking really safe and secure? What are your views on this?

8) Where do you see yourself (in which role/position) after 3-4 years?

9) Should social networking websites (like facebook) be allowed or blocked? Justify with proper reason.

10) Anonymous hackers are hacking into some critical infrastructure around the world. Can you comment on how they would be doing this?

11) Have you heard about Stuxnet? Explain your views on it and how it could have been prevented.

Category VI: Computer Forensics/Laws

1) What do you mean by checksum? What are the popular algorithms for calculating checksums? What is its significance in computer forensics?

2) Describe steganography, its types and how to detect it?

3) What do you mean by file carving?

4) What is meant by a bit stream image? Why is it important in forensics?

5) What is swap space? What is its relevance in forensics? What is page file?

6) Explain high level steps for seizing a live computer system.

7) What are the main challenges in computer forensics?

8) What is file shredding?

Ans: File Shredding is a technique used to securely erase/wipe or destroy the file (logical or physical) in such a way that it cannot be re-constructed to derive its original meaning.

9) Can data be recovered after shredding is performed?

10) What are the famous tools used in computer forensics?

11) What hardware is necessary for performing computer forensics?

12) What care should be taken while packaging the seized evidence?

13) What is slack space?

14) List few situations wherein lost data cannot be recovered.

Ans: If the data is stored on magnetic media, and that media comes in contact with a very strong magnetic field, then it may result in permanent loss of data. If data on the disk is over-written more than 30 times, it may get into an unrecoverable state. If the media is physically destroyed, like completely burnt or turned into fine powder, then it won't be possible to recover the data.

15) How would you trace a spoofed email sent from a spoofed IP address?

Enough has already been said and written about security, but it really doesn't matter unless and until there is sufficient individual awareness. It's all about developing the thought process and aligning it with the security goals. Well, it's really not that complicated 🙂

I just thought I would share some of the misconceptions about security that I have observed at times.

1) I have a Firewall, my network is secured!

No firewall in the world can secure your network completely on its own. A firewall works mechanically as per its pre-defined rules, so if your network gets attacked in spite of using a firewall, don't blame the firewall; blame your firewall administrator! The firewall administrator must be smart enough to place the firewall in the right position and configure the rules correctly. Also, a typical firewall will just work at L3 and won't be able to prevent L7 (application) attacks.

2) I have Anti Virus, my PC is secured!

No way does this statement hold true. Just installing any antivirus for the sake of peace of mind is not going to save you against those nasty bugs. The choice of antivirus is of utmost importance; I have seen some enterprise-level AVs not detecting simple viruses (ridiculous!!!). So you need to do some research before you spend your bucks to fight against the e-bugs. And it's not all over here: you have to make sure that your AV gets updated frequently. An updated, good AV will certainly protect you against common viral infections, but no AV can guarantee 100% protection for sure.

3) I have a nice strong password, no one can steal and hack it!

Wrong again. It's not just about the password being complicated; there are a lot of other things which count in keeping your passwords safe. Your password may be long and complex alphanumeric, but just imagine you keyed in your password from a cyber cafe where some keylogger was installed: what's the use of the strong password then? All in vain!!! Or what if you got a phishing mail and submitted your long password to a fake website? So the point is that being alert from a security perspective all the time might help you keep your passwords and keys safe. It's all dependent on human behavior, on how humans react to different situations specially created by hackers and crackers all around. So beware while using your password, and yes, a simple technique of using an on-screen keyboard would certainly reduce the risk of passwords getting compromised by keyloggers!! Good Luck 🙂

4) I have a 1XXXXX $ budget for IT security, now my network and assets would be 100% safe!!

It's not about how much you spend on security; spending on the correct security controls is important. And “the human link is the weakest link in security”, so spending only on technical controls won't help unless the people using the technology are aware of the risks associated with it. Remember, technology will always behave and perform the way it has been configured, but the same cannot be assured about a person; people can always be manipulated. For eye-opening live case studies on how people can be manipulated to break security, please go through “The Art of Intrusion” by Kevin Mitnick. So if people are well aware of the technology, its risks and their mitigating controls, it would really be much easier to defend against many cyber attacks!!!

5) My Web Site is HTTPS enabled and my Server is in DMZ so no one can hack into my Web Site!!

This is a very common perception among many IT architects and application developers. Both of these things have very little to do with the actual core security of your website. Enabling HTTPS encrypts the data at the transport layer, but if someone sniffs the data at the application layer, HTTPS is of no use!!! And the DMZ is used so that the application can be accessed over the internet; for those who don't know, DMZ stands for de-militarized zone, which is a transitional area between the local intranet and the internet. It has nothing to do with application-level vulnerabilities. So there is no way you could prevent cross site scripting or SQL injection just by enabling HTTPS and placing the server in the DMZ. A security strategy designed for all layers would certainly help, but it's better to stay away from such misconceptions!!!
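As an added example (not from the original post), the following Python shows why transport encryption and network placement do not touch this class of bug: the application assembles the SQL itself, so the same crafted username reaches the database whether the request arrived over HTTP or HTTPS, and only a parameterized query at the application layer fixes it. The in-memory SQLite table and the test input are constructed for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable form: the request value is spliced into the SQL text, so the
    # database cannot tell data from query syntax. TLS on the wire changes
    # nothing here; the server decrypts the request and builds this string anyway.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: a bound placeholder keeps the value as data whatever it
    # contains. This is an application-layer control, not a network one.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(username: str) -> tuple[int, int]:
    """Return (rows from the vulnerable query, rows from the parameterized query)."""
    conn = build_db()
    try:
        return (
            len(lookup_vulnerable(conn, username)),
            len(lookup_parameterized(conn, username)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed test value: a quote closes the literal and a tautology follows,
    # so the vulnerable query matches every row while the parameterized one matches none.
    crafted = "nobody' OR '1'='1"
    print("legitimate user  :", row_counts("alice"))   # (1, 1)
    print("crafted username :", row_counts(crafted))   # (2, 0)
```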

Untitled

The software makes use of WebSockets to connect a server backend written in Python and a frontend written for modern browsers in JavaScript, HTML5 and CSS. The frontend doesn't require any browser plug-ins to be installed. Gate One also supports HTTP over SSL (https) secure connections from the browser to the server and authentication technologies such as Kerberos. It has its own internal plug-in system (plug-ins can be written in Python, JavaScript and CSS); currently available plug-ins for Gate One include SSH client connections, session recording and playback, and a bookmark manager for storing terminal sessions.
Top features:
* No browser plugins required!
* Supports multiple simultaneous terminal sessions. As many as your hardware can handle.
* Users can re-connect to their running terminals whenever they like from anywhere.
* Can be embedded into other applications. Add a terminal–running whatever application(s) you want–to your web app! Would be vastly superior to say, a Java-based serial console applet (hint hint).
* Includes powerful plugin system that supports plugins written in Python, JavaScript, and even CSS (yes, you can write a CSS-only plugin).
* The Gate One server can be stopped & started without users losing their running terminal applications (even SSH sessions stay connected!). In essence, worry-free upgrades!
* The SSH plugin allows users to duplicate sessions without having to re-enter their username and password (it re-uses the existing SSH tunnel).
* Provides users with the ability to play back and save/share their terminal sessions via a self-contained HTML playback file.
* Similarly, supports server-side logging, recording, and video-like playback of user sessions. It can even log to syslog to support whatever centralized logging system you want.
* Kerberos-based Single Sign-on support is included. It even works with Active Directory. Other authentication options are available as well.

Download GateOne Here

Application Security With Apache Shiro Java security framework

Are you frustrated when you try to secure your applications? Do you feel existing Java security solutions are difficult to use and only confuse you further? Les Hazlewood is the Apache Shiro PMC Chair and co-founder and CTO of Katasoft, a start-up focusing on application security products and Apache Shiro professional support. Apache Shiro is a Java security framework that provides a simple but powerful approach to application security.
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management and can be used to secure any application – from command line applications and mobile applications to the largest web and enterprise applications. Shiro provides the application security API to perform the following aspects:
  • Authentication – proving user identity, often called user ‘login’.
  • Authorization – access control
  • Cryptography – protecting or hiding data from prying eyes
  • Session Management – per-user time-sensitive state
Shiro also supports some auxiliary features, such as web application security, unit testing, and multithreading support, but these exist to reinforce the above four primary concerns.
The framework landscape has changed quite a bit since 2003, so is there still a compelling reason to use Shiro today? There are quite a few reasons, actually. Apache Shiro is:
  • Easy To Use – Ease of use is the project’s ultimate goal. Application security can be extremely confusing and frustrating and thought of as a ‘necessary evil’. If you make it so easy to use that novice programmers can start using it, it doesn’t have to be painful anymore.
  • Comprehensive – There is no other security framework with the breadth of scope that Apache Shiro claims, so it can likely be your ‘one stop shop’ for your security needs.
  • Flexible – Apache Shiro can work in any application environment. While it works in web, EJB, and IoC environments it does not require them. Nor does Shiro mandate any specification or even have many dependencies.
  • Web Capable – Apache Shiro has fantastic web application support, allowing you to create flexible security policies based on application URLs and web protocols (e.g. REST), while also providing a set of JSP libraries to control page output.
  • Pluggable – Shiro’s clean API and design patterns make it easy to integrate with many other frameworks and applications. You’ll see Shiro integrated seamlessly with frameworks like Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin, and many others.
  • Supported – Apache Shiro is part of the Apache Software Foundation, an organization proven to act in the best interest of its community. The project development and user groups have friendly citizens ready to help.

Code 2600: A Hacking Documentary

Posted: February 8, 2012 in InfoSec

Following the success of his debut documentary feature, Land of Confusion, award winning Pittsburgh filmmaker Jeremy Zerechak is already garnering early accolades for his newest project, CODE 2600. The film—a no-holds-barred look at the ramifications of the Information Technology era—has been selected to have its world premiere at the 2012 CINEQUEST FILM FESTIVAL (February 28th – March 11th) in San Jose, CA. Appropriately located in the heart of Silicon Valley, CINEQUEST is one of the country’s top film festivals—a 13-day event of 200 international films with over 600 film artists, technologists, and professionals from 44 countries in attendance.

CODE 2600 documents the rise of the Information Technology Age as told through the events and people who helped build and manipulate it. The film explores the impact this new connectivity has on our ability to remain human while maintaining our personal privacy and security. As we struggle to comprehend the wide-spanning socio-technical fallout caused by data collection and social networks, our modern culture is caught in an undercurrent of cyber-attacks, identity theft and privacy invasion. Both enlightening and disturbing, CODE 2600 is a provocative wake-up call for a society caught in the grips of a global IT takeover.
“Born out of curiosity and compulsion, CODE 2600 wasn’t about making a film that simply told the story of the computer revolution,” said Zerechak. “It is a journey that explores the eras and events that led up to modern society’s current love affair with technology and all the dangers that come with being wildly in love.
It seemed that although most of the modern world now rested on a digital platform, few people understood how it all worked or, more importantly, about the perils that lurked behind their addictive personal tech devices and the implications of their ignorance. Moreover, the history of hacking and the Internet was, by cinema standards, an untold epic tale full of great characters, events, and David-Goliath battles.”

Glances v1.3.7 released - System monitoring tool for Linux

Glances is a system monitoring tool for GNU/Linux distributions. It grabs information from your system and displays it in a CLI curses screen. Glances can monitor CPU, average load, memory, network interfaces, disk IO, file system space and processes. When an alert is detected, the stat is automatically colored and the process list is sorted by CPU or memory. The latest version (1.3.7) displays a log history at the bottom of the screen with the latest alerts.
Glances uses a standard GNU style installer:
$ tar zxvf glances-1.3.7.tar.gz
$ cd glances-1.3.7
$ ./configure
$ make
$ sudo make install

The National Security Agency (NSA) has released the first version of Security Enhanced (SE) Android. The system is designed to minimize the impact of security holes on Android. The SE Android project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the SE Android project is not limited to SELinux.
How can SELinux help Android?

  • Confine privileged daemons.
  • Protect them from misuse.
  • Limit the damage that can be done via them.
  • Sandbox and isolate apps.
  • Strongly separate apps from each other and from the system.
  • Prevent privilege escalation by apps.
  • Provide centralized, analyzable policy.

Distinctive features SE Android:

  • Per-file security labeling support for yaffs2,
  • Filesystem images (yaffs2 and ext4) labeled at build time,
  • Kernel permission checks controlling Binder IPC,
  • Labeling of service sockets and socket files created by init,
  • Labeling of device nodes created by ueventd,
  • Flexible, configurable labeling of apps and app data directories,
  • Userspace permission checks controlling use of the Zygote socket commands,
  • Minimal port of SELinux userspace,
  • SELinux support for the Android toolbox,
  • Small TE policy written from scratch for Android,
  • Confined domains for system services and apps,
  • Use of MLS categories to isolate apps.
The goal of Security Enhanced (SE) Android is to improve our understanding of Android security, integrate SELinux into Android in a comprehensive and coherent manner, demonstrate useful security functionality in Android using SELinux, improve the suitability of SELinux for Android and identify other security gaps in Android that need to be addressed.

This year at the Chaos Communication Congress (28C3), Ang Cui presented Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HP's hundreds of millions of printers, and in Andrei Costin’s presentation “Hacking MFPs” he covered the history of printer and copier hacks from the 1960s to today.
Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to a printer that contained a malicious version of the OS that caused it to copy the documents it printed and post them to an IP address on the Internet; in the second, he took over a remote printer with a malicious document, caused that printer to scan the LAN for vulnerable PCs, compromise a PC, and turn it into a proxy that gave him access through the firewall.
Costin found a method to exploit the firmware update capability of certain Xerox MFPs to upload his crafted PostScript code. He was able to run code to dump memory from the printer. This could allow an attacker to grab passwords for the administration interface or access or print PIN-protected documents.

MFPs are trusted devices connected to the office network, but sometimes they’re also accessible from the Internet. The number of publicly accessible office MFPs ranges in the tens of thousands. An attacker could craft PostScript code tied with exploits from the Metasploit framework and upload it to an MFP to attack a corporate network.
Cui’s technique for infecting printers involves the more limited Printer Job Language, rather than PostScript, and injects code into processes running on the printer; this was effectively a custom rootkit for the printer’s OS. Cui gave HP a month to issue patches for the vulnerabilities he discovered, and HP now has new firmware available that fixes this (his initial disclosure was misreported in the press as making printers vulnerable to being overheated and turning into “flaming death bombs”; he showed a lightly singed sheet of paper that represented the closest he could come to this claim). He urges anyone with an HP printer to apply the latest patch, because malware could be crafted to take over your printer and then falsely report that it has accepted the patch while discarding it.
Last week, premium rate SMS Trojans surfaced in the Android Market. Google has pulled 22 apps that were masquerading as legitimate versions of popular games like Angry Birds and Cut the Rope. Security researchers have discovered a way to bypass an Android smartphone owner’s permissions and access private data stored on their smartphone.
The Avast blog explains this as follows: “For example, if someone tried to look for ‘Cut the rope free’, this malicious application was in the fourth place in the search results. Apps published by the developer Miriada Production may look like well known Android games (Angry Birds, Need for Speed, World of Goo and others) and users could be easily confused.”
The fake apps include “Cut the Rope”, “Need for Speed”, “Assassins Creed”, “Where’s My Water? “,”Riptide GP”, “Great Little War Game”, “World of Goo”, “Angry Birds”, “Shoot The Birds”, “Talking Tom Cat 2”, “Bag It!” and “Talking Larry the Bird”. The apps have been pulled from the Android Market.
The fraudulent apps would install a premium rate SMS Trojan that would rack up hidden charges on the user’s phone bill. The apps would lure customers into clicking on options that would send text messages to premium line numbers leaving the user to foot the bill. According to Lookout Mobile Security, the new threat called RuFraud has been found in an initial batch of apps on the Android Market that include horoscope apps, wallpapers, and game apps that pretend to be legitimate games like Angry Birds.

What happens if these threats are installed on your mobile device? The Trojan:
  • Attempts to send text messages containing the string “798657” to premium-rate numbers using the infected device’s current default SMS Center (SMSC), by exploiting the android.permission.SEND_SMS permission.
  • Is capable of sending an affected user’s GPS location via HTTP POST.
  • Opens several ports and connects to specific URLs to receive and execute commands from a remote user.
  • Gathers information like International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers from infected devices, which is then sent to a specific site.
  • Secretly forwards all incoming text messages to a remote user.

How do users get these threats?
Trend Micro has reported several incidents wherein malware came disguised as Android apps. Samples of Android malware found in the wild include:
  • ANDROIDOS_DROIDSMS.A: Came disguised as Windows Media Player.
  • ANDROIDOS_DROISNAKE.A: Came in the form of a game known as Tap Snake.
  • ANDROIDOS_GEINIMI.A: Came in the form of Trojanized apps hosted in certain third-party app stores in China.
  • ANDROIDOS_ADRD.A: Comes in the form of a Trojanized wallpaper app.
  • ANDROIDOS_LOTOOR.A: Trend Micro’s detection for Trojanized versions of legitimate apps like “Falling Down”.
  • ANDROIDOS_BGSERV.A: Trojanized version of Android Market Security Tool, which was released to address the modifications done by AndroidOS_LOTOOR.A.
Trend Micro suggests: “Users can also check the developer’s profile for other apps. Google also offers developer ratings, as well as the status ‘Editor’s Choice’ that can further validate the developer’s legitimacy. It is also a good practice to check app ratings and user feedback for more verification. The user rating and feedback feature gives people a more accurate view of the experiences users have when using or installing the app. You can find it just below the app icon.”