This episode of Android Invasion is brought to you by Mt. Gox and BitPay, Bit-Pay and Mezzy Grill and Carpe Veeam.

Red Magic Cupertino, we have a problem. It's spreading. We're losing control over the entire system. We're being invaded. Invaded by air. There's nothing we can do, it's too late.

And welcome to another episode of Android Invasion, post-hurricane Irene. But luckily nothing too bad happened here. Our condolences and thoughts go out to anybody who was affected by it. I know we didn't get hit that hard, but a little more south like Virginia, North Carolina did get hit a lot harder than us. So condolences go out there. Today we're going to be talking about a little quick Android news update and then we're going to get into some, a couple of Wi-Fi applications. Mostly they're concerned with Wi-Fi security or security auditing or, as it's also called, penetration testing, which is mostly for network security folks. But let's get to it with the Android news update.

First we have that Android is now the most targeted mobile platform for malware, which actually makes sense compared to Apple's platform, the iOS. Apple is very restrictive and very controlling about what could be released on their market. They do a code review process and if they don't like one thing about it, they're going to reject it from the market. Android is completely different in that it's a completely open market. So with an open market, there are going to be some inherent risks. People are going to try to take advantage of that. And basically what's going on is they're using social engineering techniques to get you to download these malicious applications. A lot of times they'll copy another developer's work, release it as their own and it has this hidden code in there. And a lot of times people don't know this, but you could download one of these malicious applications and you didn't have to run the thing for it to actually do bad things.
It could use what's called a state in the phone, something like receiving a phone call, sending an email out, screen turning on, you name it. Any one of those things could trigger that malicious application. So just because you downloaded it and did not run it does not mean that you're safe.

There's some bad developers out there that they're pretty well known for releasing applications like this. I'll just go over the list very quickly. It's Magic Photo Studio, Mango Studio, which saddens me because mangoes are my favorite, so they're tarnishing that name. We have ET Teen, which I don't know what that means, BeGoo, Droid Plus, and Gloomobi. These are developers that are known to release applications under the guise of somebody else's legitimate work. They just keep the same name. Obviously, you'll see that the developer is different, so do your homework, do your fact-checking. You could use services like AppBrain from the Android Market. They have reviews on top of the regular reviews from the Android Market, which would be safe.

And then another way is that they send out unsafe web links. You might get that in some of your SMSs or text messages. You'll see it's a random weird number that you've never seen before with a weird URL in there. You'll be surprised. People actually do click it. So if you get one of those, don't click it. It could be some sort of exploit or something to get a malicious program installed and we don't want that. And then I just wanted to give you a, they also have, if we could pull that up, there's a new mobile malware for this quarter. It's a pie chart. And just to give you an idea to the breadth and just how, what kind of dominance Android has for these malware guys, it's over 60% of that market.

So only download apps from trusted sources such as reputable app markets. Remember to look at the developer names, the reviews, and the star ratings. Always check the permission that an app requests.
If you're downloading a GPS program and it's accessing your phone book, that's a red flag right there. There's no reason for it to access your phone book unless it has a sharing function where you could text somebody or something like that. Another thing is be alert for any unusual behavior on your phone. A sign that your phone could be infected might be something like unusual text messages that you're seeing that you didn't send out. That's usually a good indicator. And then download a mobile security app. There's a bunch of them that they'll scan the phone and they'll look for malicious things. And anything that's known out there, what they do is they create a signature. This way, if that tries to propagate or spread throughout the Android market, it'll let you know immediately upon downloading it or intending to download it.

There's actually a couple. Just to give you an idea of some of the stuff that's out there, Shaki has a spacebar. And then the Skype machine shot. But if you do, there's a couple of apps out there. One is a calendar app. It's called Android JMSonus.A. That's what it's classified as in all those mobile security apps. And it's a calendar app that basically sends a text message to a premium number, like those premium 900 numbers. So basically you'd be charged an exorbitant amount from some random Cayman Island or something like that, which is not cool. There's one called SMSMeCAP, which is a fake comedy app, and basically it sends malicious text messages to everybody in your address book. And there's also Droid Kung Fu, which is a malware that's capable of installing its own software and updates, obviously not good because then it could just run any code that it wants to. And then there's also a DRD Dreamlight. It's capable of sending data back to the attacker, so it could collect some information and then it could literally send out your phone number, your contacts, all that bad stuff that nobody wants.
And then also in the news is that BlackBerry is said to get some Android apps. They're planning to release the first quarter, I believe it is, of the U.S., something called QNX Phones. What's special about these is that it's going to run both BlackBerry and Android apps. So that's going to be pretty cool. Android has hundreds of thousands of apps in the market. BlackBerry, just my personal opinion, has always been lacking in that department. They have one or two good things in there. And there's also talks about a possible update to the BlackBerry Playbook so it could indeed run Android apps. I think they're doing this because of the declining sales in the U.S., although internationally it is picking up a bit.

Also Android is now the leader in ad impressions, which is pretty awesome. We also have a pie chart on that, which is pretty awesome. Android has surpassed a total number of mobile devices in the actual market segment for selling their phones, which is good. But what's also good is to see that it's profitable for anybody who's writing applications and usually they're free applications and they're supported with ads. This way we don't have to shell out a couple of dollars every time we want to try an app. What a lot of developers are doing is they're combining the ad sales and then they have a donation or premium version that you pay a couple of dollars for, which was interesting as well. A popular game like Angry Birds, they generated over a million dollars a month just from ad impressions. That should motivate a lot of developers and a lot of people to use the Android platform versus the Apple iOS platform.

Then I'm sure you heard of it already, Google buys out Motorola Mobile Division for 12.5 billion dollars, which is interesting as well. Some of the shareholders sued Motorola because they thought that wasn't enough. I think 12.5 billion dollars is more than enough. It should be interesting to see how this plays out.
What kind of consequences or what's going to transpire for Android in the future from this, because Google has in the past done exclusive phone contracts with different manufacturers, most notably HTC and Samsung, so we'll see how that plays out in the future.

Then also, there is a gentleman that has recorded nearly 20 hours of Android developer tutorials, videos on how to program for Android, how to make apps. He has over 200 videos. They're all shot in high quality HD. If you go to tinyurl forward slash Android Dev Tuts, it's on the lower third there, so you could copy it down. It's going to link you to the Droid project and there it's going to have all the information on those videos. Very big thank you to Bucky, aka thenewboston, and MyBringBack. If it weren't for them, we wouldn't have this. I'm definitely going to be checking them out. If you're interested at all in developing for Android, definitely check it out. It should make it way easy for you.

Now, let's give a quick thanks to our sponsors. First up, we have Mt. Gox, the largest exchange for bitcoins. If you don't know what bitcoins are, Google that right now. Bitcoins are the new thing. They also have the Mt. Gox mobile app on the Android market. They're supporting 16 currencies now, something crazy like that. And they have the YubiKey, which provides two-factor authentication for your password. This way, it's nice and protected. And it's also provided by BitPay. That's bit-pay. They are the merchant processor for bitcoin. They were the official processor for the bitcoin conference that just passed two weeks ago. It's super easy to integrate into your website. You could actually accept payment in bitcoins and not know anything about bitcoins because you could cash out immediately in dollars, which is pretty awesome. Then it's also provided by MezzyGrill.com. It's where authentic Mediterranean food meets modern flavor. I finally had the pleasure to eat over there. Amazing food. Really good.
It's a couple blocks south of Columbus Circle at 8th Ave and 55th Street right here in New York City. And there are worldwide franchising opportunities available. And Carpe Viem sees your market, say it with video. Charlie works closely with you, beginning to end to ensure that your video makes an impact. Anything that has to do with your image and who you are and what you represent as yourself or a company. Everybody is going to work with you. They do amazing work. And it's video on the web that's ideal to engage your viewers. So very big thank you to all of our sponsors. If it weren't for them, we would not be here.

And now to talk about what we came here to talk about. I have some Android security apps that I want to go over. It's basically two, the two main ones that I want to go over. And it's pretty cool. It shows you a little bit about security and also gives you a wow factor. Because most people don't know that you can actually do this with Android. And what they are are penetration testing tools for Wi-Fi routers. And basically the way that they're able to work is there's some sort of flaw in the way that the default SSID, the SSID is when you're looking for a Wi-Fi network, that's a name that shows up. Basically it's something cryptic, if it's default one, or it might say, you know, like Linksys or Netgear, Router, something like that, of course, you know, you could change it. Now, the flaw comes when you just hook up a router and you use the default SSID, that display name, and you use a default generated what's called a WEP key. WEP stands for Web Equivalent Privacy. And it's actually very, I'm not going to say insecure, it's more secure than nothing, but it's pretty insecure that it's very easy to crack. And if you're using the default SSID and the default, you know, passphrase for that, which is, you know, just a bunch of ASCII characters, which are 0-9, A-F.
And if you have one of those, there are applications that can actually see what the default is. And if it's the default, sometimes it's able to calculate what the correct key is for that. So this is a great way to test your network security at home. Make sure that you're not using an insecure password or a flawed password that's easy to crack. And also just as a general tip, nothing to do with Android, if you're at home, use WPA versus, you know, WEP, WPA is more secure. It's a little tougher to crack, you know, depending on how simple the password is. It could still take a few minutes, but if you have a decent password in there, it should take considerably, considerably longer time for that.

So let's jump right into it. So we have Router Keygen and WPA Tester. Now I know they basically do the same function, but what I want to do is I want to go over first with WPA Tester, because I know that this didn't find anything, but Router Keygen did. So basically it has a disclaimer, you know, don't do this for any illegal purposes. You know, it's okay to test your home network, but, you know, don't go around, you know, your whole block trying to get free internet or something like that. It's not going to work from what I find. And just hit continue, and then it's going to allow us to scan. So what this is doing, it's scanning the different SSIDs that we have over here. So you'll see that most of these show up with the red lock on there. They're WPA. So this application is not capable of testing them over here. And if it weren't for that stupid ad, we could see over here, oh, let's scan this again. We have television over here. Oh, there we go. So let's hit scan again. It did find one. I found the Netgear. But why would you put the ads on there? You see, this is something that developers need to look out for, because that is not cool. All right. Yeah, so the ad is hiding. It's literally hiding the scan button. Like, how are you supposed to work with this?
That is just redonkulous. Okay. So here's the Netgear. I actually found two. So here's the Netgear. We have the green light that it's unlocked. That's because it has no password. So silly me. So yeah, so if it has no password, or if it's actually something that it could muster a connection to, it's going to show up in there. And so that shows up as a green. Now let's go to, so you could also do a manual mode where you're specifically targeting a specific brand of router, like D-Link and all that. Again, this works only with WEP keys that you're using the default SSID as well.

So now we have one called Router Keygen. Router Keygen works similarly. Sometimes it's able to pick up a couple of different ones that did not show up in WPA Tester, trying to pull up. We were able to pull one up earlier, but it's not showing up. Just wanted to show it to you because it was actually able to get the key for these people's Wi-Fi. It's not showing up. The magic of live television. Okay, here it is. So we found one. It's TNRA3. The signal is very low. We have a green bar over here indicating that it is good to go. So let me just put this over here so you guys can see that much more clear. And then if we actually click on it, it gives us the password right there. It's in ASCII of course, so that's 0 through 9 and A through F. And I could literally save it to my SD card so I could pull it up later. I could share this. I could send it to my neighbor and say, hey, look what I found, email it or what have you. And that's it.

That just shows you how easy it is to get somebody's Wi-Fi password. If you're in a densely populated city, just to give you an example, I saw this work in Jersey City. We're here in New York City, so it's densely populated as well. You'll get some luck in finding some unsecure ones, but just download them. It's Router Keygen and WPA Tester. Walk around your home and see what you can find.
If you do find one, it's definitely a wow factor that you can show your friends. Interesting what you can do with Android. There's also a review I'm going to do on another application that is supposed to be released from DEFCON, this past DEFCON. Somebody did a similar suite of penetration testing tools, much more advanced than this. Definitely be interesting to play with that. It's supposed to make it easier and accessible for anybody to be able to do it.

Of course, there's always White Hat, which is usually deemed anything good, positive, beneficial to others. There's Gray Hat, which is sort of in the middle of that. Then there's Black Hat, which is usually malicious intent. All of these are released under the guise of White Hat tools. Use them as such. If you try to do anything illegal, if you actually break that password and you get in there, there are going to be legal repercussions for that, so check your local state law for that.

That should do it for this episode of Android Invasion. Until next time, we're going to do some quick tips and tricks for the next episode, some stuff that most people don't know, or they're uncommon tips and tricks, so it should be a fun episode. We'll see you next time. Take care, guys, and bon voyage.