Welcome and thank you for posting here in the community!
I understand that you have an inquiry regarding the Trend Micro Mobile Security app for Android. May I ask how you were able to come up with the idea that Jcraft is being used?
You may provide screenshots or any documents necessary.
Thanks for your time and have a lovely day!
TrendMicro Home Users Community
The most recent one I read was this one: http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor...
A Better Version of DressCode?
To use its port forwarding feature, MilkyDoor smuggles various types of Internet traffic into or out of a network. This can be employed to avoid network monitoring or sniffers, or even bypass firewalls on the Internet. In this case, the attacker’s server, as an SSH server, lets the infected apps connect while the server also listens on local ports. Through this tunnel, all traffic traversing this port will then be forwarded to the client host’s internal network.

DressCode was noted for building a proxy using the Socket Secure (SOCKS) protocol on Android devices in order to access internal networks. MilkyDoor leverages the SOCKS protocol and remote port forwarding via SSH to achieve dynamic port forwarding, which in turn allows data to traverse to all remote destinations and ports. Because the SSH tunnel uses Port 22, firewalls usually do not block traffic that goes through this port; this enables data encryption of payloads transmitted over a network connection. In a nutshell, MilkyDoor’s routines resemble anonymizing and Internet censorship-bypassing services.
Thank you for the information and apologies for the late reply.
Upon checking the blog that you posted in your reply, the SSH or Secure Shell tunnel uses port 22, which is commonly found on computers, since computers use ports for transmitting and receiving data. Now, since Java is found in more or less 3 billion devices worldwide, it also uses an SSH or Secure Shell tunnel similar to a computer; the SSH on Android devices is pure Java, which attackers can use to attack the infected device. Now, to prevent this kind of infection, Trend Micro Mobile Security for Android checks the Java-based SSH to block MilkyDoor, since it uses normal network traffic and masquerades itself as a normal application. Trend Micro has been working with Google to check and block applications that pose any threats to users.
I hope this answers your question, please feel free to comment or post in this community.
Trend Micro Home Users Community
I'm having a little difficulty wrapping my head around this.
If I wanted to have my Android to be able to tunnel data out to my laptop through a SOCKS proxy over SSH I would have to install an app that includes the Java based SSH client.
Or if I had installed a "malicious" app (such as the one mentioned in the blog) it too would need the Jcraft/JSch included inside the application.
Android OS does not have JSch "built in" it must be added.
As per your explanation:
Trend Micro Mobile Security for Android checks the Java-based SSH to block MilkyDoor, since it uses normal network traffic and masquerades itself as a normal application.
Tell me if I'm understanding this correctly...The Trendmicro mobile security app has ADDED the Jcraft/JSch SSH package to see if a "malicious" app has ALSO added the same package?
Or is all the "normal network traffic" being tunneled over SSH through Trendmicro's Jcraft/JSch package to a Trendmicro and/or Google server to be "examined" for "malicious" traffic?
Trend Micro has been working with Google to check and block applications that pose any threats to users.
It just seems to me that by ADDING an SSH package where there wasn't one before just broadens "attack" vectors.
Why not just create a rule in the IPtables firewall to block port 22?
IPtables is native to the Android OS and doesn't need to be exported in.
Or just include detection "signatures" in the Trendmicro app that look for instances of the Jcraft/Jsch package and send an alert notification to the user that an app that has been installed has the Jcraft/Jsch package in it, to warn users?
I'm more confused than ever!
A simple answer was all I asked for, not a "story" about checking for instances of "Milkydoor".
Unless of course you have NO IDEA about how your product actually works?
"Have a lovely day"
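The "signature" approach proposed in the post above (flag an installed app that bundles the Jcraft/JSch package) can be prototyped without any vendor tooling. The following is an added example, not Trend Micro's code and not part of the original thread: it treats an APK as the zip file it is, pulls out every `classes*.dex` (multidex-aware), and looks for the JSch class-descriptor prefix `Lcom/jcraft/jsch/` in the DEX string data. The APK bytes are constructed inline so it runs offline; the marker strings are the assumption that the library's package name survives in the build, which fails if the app was run through a class-renaming obfuscator such as ProGuard, and, as the post itself notes, a hit only proves the library is present, not that the app is malicious.

```python
import io
import re
import zipfile

# Byte patterns that JSch leaves in classes.dex: the JVM-style descriptor prefix
# used by DEX type tables, plus the dotted form that shows up in string
# constants (e.g. logging or reflection).  Assumption: the app did not rename
# the library's package with an obfuscator.
JSCH_MARKERS = [b"Lcom/jcraft/jsch/", b"com.jcraft.jsch"]

# DEX files start with "dex\n" followed by a 3-digit version and NUL.
DEX_MAGIC_RE = re.compile(rb"dex\n\d{3}\x00")
DEX_NAME_RE = re.compile(r"classes\d*\.dex")


def scan_apk_bytes(apk_bytes):
    """Return a list of (dex_name, marker) pairs for every JSch marker found.

    The APK is read from memory as a zip archive; only top-level
    classes.dex / classesN.dex entries with a valid DEX magic are inspected.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not DEX_NAME_RE.fullmatch(name):
                continue
            data = zf.read(name)
            if not DEX_MAGIC_RE.match(data):
                # Not a real DEX file; skip rather than raise a false alarm.
                continue
            for marker in JSCH_MARKERS:
                if marker in data:
                    hits.append((name, marker.decode("ascii")))
    return hits


def has_jsch(apk_bytes):
    """Boolean verdict: does this APK bundle the JSch SSH library?"""
    return len(scan_apk_bytes(apk_bytes)) > 0


def build_fake_apk(include_jsch, multidex=False):
    """Construct a minimal zip shaped like an APK (constructed test data, not a
    real app).  The 'DEX' payload is just a valid header plus descriptor
    strings, which is all the scanner above looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        main_dex = b"dex\n035\x00" + b"Lcom/example/app/MainActivity;"
        jsch_dex = b"Lcom/jcraft/jsch/JSch;Lcom/jcraft/jsch/Session;"
        if include_jsch and not multidex:
            main_dex += jsch_dex
        zf.writestr("classes.dex", main_dex)
        if multidex:
            second = b"dex\n035\x00" + b"Lcom/example/lib/Util;"
            if include_jsch:
                second += jsch_dex
            zf.writestr("classes2.dex", second)
        # A stray file whose name mimics a DEX but lacks the magic must be ignored.
        zf.writestr("classes9.dex", b"not a dex: Lcom/jcraft/jsch/decoy;")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in [
        ("clean app", build_fake_apk(False)),
        ("bundles JSch", build_fake_apk(True)),
        ("JSch in classes2.dex", build_fake_apk(True, multidex=True)),
    ]:
        print(f"{label:22s} -> {scan_apk_bytes(apk)}")
```

Scanning a real APK is `scan_apk_bytes(open("app.apk", "rb").read())`. On a device you would apply the same check to each package's base APK, and pair a hit with a user prompt rather than an automatic block, since a legitimate SSH client app carries exactly the same library.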
We sincerely apologize for not being able to get back to you immediately, as we have consulted our Technical Team on this case. Thank you so much for your patience.
You need not worry about your protection, as Trend Micro Mobile Security detects applications installed on the mobile device based on the app's behavior. This detection feature runs on a real-time basis and will delete the file as soon as it gets detected.
It also has a feature which could allow you to prevent installing malicious applications on your device, which is the Pre-Installation Scan, an extra layer of protection from Trend Micro on the Google Play Store. This engine runs before you install an application from the Google Play Store.
Safe Install can also help prevent the installation of applications from outside the Google Play Store. If the application does get installed on your device, as soon as Mobile Security detects that it is performing malicious activities on your device, regardless of whether you have allowed all the permissions for that specific app on the device, Mobile Security will prompt you to delete this app and you will be informed about the malicious activities it performs on your mobile device.
We also have the Mobile Application Reputation Service or MARS which is a cloud-based service that automatically identifies mobile threats based on app behaviors. If you wish to check a specific app installation file, you may visit our MARS website at https://mars.trendmicro.com.
(Note: Please do not click the link, but copy the entire link and paste it into the address bar of your Internet browser, then press Enter on your keyboard.)
Lastly, though Trend Micro does not have a JSch to filter out SSH yet, we assure you that all the protection you need for your device is available from our Trend Micro Mobile Security app.
We hope this helps you with your concern. Should you have further inquiries, please do not hesitate to post here.
Again, thank you for your patience and you have a lovely day!
Trend Micro Home Users Community