- Android -
Last update 04.10.2017 16:16:35
Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures
10.12.2017 thehackernews Android
Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with malicious versions.
Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without affecting their signature verification certificates, eventually allowing them to distribute malicious updates for legitimate apps that look and work the same as the originals.
The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen vulnerabilities, as part of its December Android Security Bulletin.
However, the worrisome part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates for them, apparently leaving a large number of smartphone users vulnerable to hackers.
The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).
Explained: How Android Janus Vulnerability Works?
The vulnerability resides in the way Android handles APK installation for some apps, leaving a possibility to add extra bytes of code to an APK file without affecting the application's signature.
Before proceeding further, you need to know some basics about an APK file.
A valid APK file is a ZIP archive that includes application code, resources, assets, signatures, certificates, and a manifest file.
Earlier versions of Android, 5.0 (Lollipop) and 6.0 (Marshmallow), also support a process virtual machine that executes APK archives containing a compiled version of the application code packaged in the DEX (Dalvik EXecutable) file format.
While installing an Android app or its update, your device checks the APK header information to determine whether the archive contains code in compressed DEX files.
If the header says the APK archive contains DEX files, the process virtual machine loads and executes that code accordingly; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.
Researchers found that this ability to add extra bytes of code, due to the lack of file integrity checking, could allow attackers to prepend malicious code compiled in DEX format to an APK archive containing legitimate code with valid signatures, eventually tricking the app installation process into executing both on the targeted device without being detected.
In other words, the hack doesn't require attackers to modify the code of legitimate applications (which would invalidate the signatures); instead, the vulnerability allows malware authors to merely add some extra malicious lines of code to the original app.
After creating malicious but valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.
According to the researchers, it may be "relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature."
I find the man-in-the-middle attack more interesting, as it could allow hackers to push a malicious installation to apps designed to receive their updates over an unencrypted HTTP connection.
"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," GuardSquare explains.
"The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get an unverified code with powerful permissions installed on the devices of unsuspecting users."
"For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates," the security firm added.
Since this vulnerability does not affect Android 7 (Nougat) and later, which support APK signature scheme version 2, users running older Android versions are strongly advised to upgrade their device OS (if available).
It's unfortunate, but if your device manufacturer offers neither security patches nor the latest Android version, then you should not install apps and updates from outside the Google Play Store, to minimise the risk of being hacked.
Researchers also advised Android developers to always apply signature scheme v2 in order to ensure their apps cannot be tampered with.
Android Janus vulnerability allows attackers to inject Malware into legitimate apps avoiding detection
9.12.2017 securityaffairs Android
Google fixed a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature.
Google fixed four dozen vulnerabilities this week, including a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature verification certificates.
Millions of Android devices are at risk of a cyber attack due to this flaw (CVE-2017-13156), which allows attackers to secretly overwrite legitimate applications installed on victims’ mobile devices with malware.
The vulnerability was reported to Google by security researchers from mobile security firm GuardSquare this summer and has been fixed now as part of the December Android Security Bulletin.
The attack technique discovered by Guardsquare allows attackers to bypass anti-malware protection mechanisms and escalate privileges on targeted devices using signed apps that appear to be from trusted publishers.
“A serious vulnerability (CVE-2017-13156) in Android allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman god of duality.” states the analysis published by Guardsquare.
The vulnerability lies in the way Android handles APK installation for some apps, allowing extra bytes of code to be added to an APK file without modifying the app’s signature.
An APK file is a ZIP archive that includes application code, resources, assets, signatures, certificates, and a manifest file.
Earlier versions of Android (5.0 Lollipop and 6.0 Marshmallow) also support a process virtual machine that executes APK archives containing a compiled version of the application code packaged in the DEX (Dalvik EXecutable) file format.
While installing an app, the OS checks the APK header information to determine whether the archive contains code in compressed DEX files. If the APK archive contains DEX files, the process virtual machine loads and executes the code accordingly; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures. Researchers discovered that it is possible to add extra bytes of code to the archive due to the lack of file integrity checking.
“The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application’s signature.” continues the analysis.
“On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time.”
Attackers can prepend malicious code compiled in DEX format to an APK archive containing legitimate code with valid signatures, tricking the app installation process into executing both on the device while avoiding detection.
The researchers developed a simple tool to create Janus applications as a proof of concept; the good news is that, according to the experts, at this time there are no similar applications in the wild.
The Janus tool allows an attacker to inject an APK file with a malicious DEX (Dalvik Executable) file. DEX files make up the code inside Android programs that are zipped into single APKs.
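Both articles above rest on the same two facts: the v1 (JAR) signature covers only the ZIP entries, so bytes placed in front of them are unsigned, and the runtime decides how to load a file from its first bytes. The following Python script is an added example, not code from either article or from GuardSquare, that checks a file for both shapes at once: a DEX magic at the start and a ZIP end-of-central-directory record at the end. The sample APK and the prepended 0x70-byte stand-in header are constructed inline (the stand-in is only a header, not a valid DEX file); the `zip_entries` helper shows that a ZIP reader still lists the signed entries after the prepend, which is why a signature check alone does not notice the extra bytes.

```python
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"                         # full magic is b"dex\n" + 3 digits + NUL
ZIP_EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)  # b"PK\x05\x06", end of central directory
ZIP_MAX_TAIL = 22 + 0xFFFF                          # EOCD record plus the longest archive comment


def looks_like_dex(data: bytes) -> bool:
    """True when the file starts with a DEX magic, which is what the runtime keys on."""
    return (len(data) >= 8
            and data[:4] == DEX_MAGIC_PREFIX
            and data[4:7].isdigit()
            and data[7:8] == b"\x00")


def looks_like_zip(data: bytes) -> bool:
    """True when an end-of-central-directory record sits in the file's tail.

    A JAR-style signature verifier walks the archive from this record, so it
    never sees bytes in front of the first entry. (A stray match inside a
    genuine DEX file only produces a false positive, which is the safe direction.)
    """
    return data[-ZIP_MAX_TAIL:].rfind(ZIP_EOCD_SIGNATURE) != -1


def classify(data: bytes) -> str:
    """Return 'apk', 'dex', 'janus-suspect' (both shapes at once) or 'unknown'."""
    is_dex, is_zip = looks_like_dex(data), looks_like_zip(data)
    if is_dex and is_zip:
        return "janus-suspect"
    if is_zip:
        return "apk"
    if is_dex:
        return "dex"
    return "unknown"


def zip_entries(data: bytes) -> list:
    """Entry names a ZIP reader sees; like the APK verifier it locates them
    from the EOCD record and tolerates leading bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# --- constructed sample input (not a real app) --------------------------------
def build_sample_apk() -> bytes:
    """A minimal APK-shaped ZIP: a manifest and a classes.dex that starts with a DEX magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 0x68)
    return buf.getvalue()


def build_janus_sample(apk: bytes) -> bytes:
    """Prepend a 0x70-byte stand-in DEX header (magic only, not a working DEX file)."""
    fake_dex_header = b"dex\n035\x00" + b"\x00" * 0x68
    return fake_dex_header + apk


if __name__ == "__main__":
    apk = build_sample_apk()
    janus = build_janus_sample(apk)
    print(classify(apk), zip_entries(apk))      # apk ['AndroidManifest.xml', 'classes.dex']
    print(classify(janus), zip_entries(janus))  # janus-suspect, same entry list
```

Run it against a directory of APKs by reading each file's bytes into `classify`; anything labelled `janus-suspect` deserves a look at what precedes its first ZIP entry, because a genuine v1-signed APK never starts with a DEX magic.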
The researchers also described possible attack scenarios: for example, an attacker can replace a trusted application with high privileges (i.e. a system app) with a modified update to abuse its permissions. Another attack scenario sees a hacker passing off a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications.
Android versions older than Nougat (7.0) and any Android devices that support the APK signature scheme v1 are affected by the Janus vulnerability.
The Android devices updated to support APK signature scheme v2, introduced in July 2016, are not impacted.
Unfortunately, most Android users will not receive these patches for the next month, until their device manufacturers (OEMs) release custom updates for them.
Android Development Tools Riddled with Nasty Vulnerabilities
6.12.2017 securityweek Android
Java/Android developers are exposed to vulnerabilities affecting the development tools, both downloadable and cloud-based, used in the Android application ecosystem, Check Point warns.
Check Point security researchers have discovered several vulnerabilities impacting the most common Android Integrated Development Environments (IDEs), namely Google’s Android Studio, JetBrains’ IntelliJ IDEA, and Eclipse, along with major reverse engineering tools for Android applications, including APKTool, the Cuckoo-Droid service, and more.
The bugs were reported to the affected IDE companies in May 2017 and have already been resolved in the Google and JetBrains tools.
According to Check Point, their research focused on APKTool (Android Application Package Tool), which emerges as the most popular tool for reverse engineering third party Android apps, and which allows developers to decompile and build APK files.
Both of the tool’s core functions, however, are plagued by vulnerabilities, the researchers argue. The program’s source code revealed an XML External Entity (XXE) vulnerability in a function called “loadDocument,” which is used in both core functionalities.
Because of this vulnerability, the entire OS file system of APKTool’s user is exposed, which allows an attacker exploiting the vulnerability to “potentially retrieve any file on the victim’s PC.” For that, a malicious “AndroidManifest.xml” file that exploits the issue is needed.
The researchers also analyzed the XML parser called “DocumentBuilderFactory” that is used in the APKTool project and discovered multiple vulnerable implementations of the XML parser within other projects. This also led to the discovery that IDEs such as IntelliJ, Eclipse, and Android Studio are affected as well.
“By simply loading the malicious ‘AndroidManifest.xml’ file as part of any Android project, the IDEs start spitting out any file configured by the attacker,” the security researchers explain.
The researchers uploaded a malicious project library to GitHub and cloned it to an Android Studio project, which demonstrated that an attack abusing this vulnerability is successful. Other attack vectors were discovered as well, such as injecting a malicious AAR (Android Archive Library) containing the XXE payload into repositories.
“It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository. Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system,” Check Point says.
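The fix for this class of bug is to configure the XML parser so that it never resolves external entities (for Java's DocumentBuilderFactory the usual setting is the `http://apache.org/xml/features/disallow-doctype-decl` feature, which refuses any DOCTYPE outright). The Python script below is an added example, not APKTool's or Check Point's code, that shows the two behaviours side by side on a constructed AndroidManifest.xml: `parse_manifest_unsafe` enables external general entity resolution, the setting that lets a manifest pull a local file into the parsed document, while `parse_manifest_hardened` refuses any DOCTYPE before parsing, since a manifest never legitimately carries one. The "secret" file, the manifest contents and the function names are all this example's own.

```python
import io
import re
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
from pathlib import Path
from typing import Optional
from xml.sax.handler import ContentHandler, feature_external_ges

ANDROID_NS = "http://schemas.android.com/apk/res/android"


class _TextCollector(ContentHandler):
    """Gathers all character data, including whatever an entity expands to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_manifest_unsafe(manifest: bytes) -> str:
    """Parser configured the way the vulnerable tools were: external general
    entities are resolved, so a SYSTEM entity pointing at a local file is read
    and inlined into the document. Returns the collected text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(manifest))
    return "".join(collector.chunks).strip()


_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_manifest_hardened(manifest: bytes) -> ET.Element:
    """Reject any DTD up front, then parse with ElementTree, which does not
    resolve external entities. A DOCTYPE inside a comment is rejected too;
    failing closed is the right direction for an untrusted manifest."""
    if _DOCTYPE.search(manifest):
        raise ValueError("refusing AndroidManifest.xml with a DOCTYPE declaration")
    return ET.fromstring(manifest)


def package_name(root: ET.Element) -> str:
    """The package attribute of a parsed <manifest> element."""
    return root.get("package", "")


# --- constructed sample input --------------------------------------------------
def write_secret_file() -> str:
    """A stand-in for a sensitive file on the developer's machine; returns its file:// URI."""
    path = Path(tempfile.mkdtemp()) / "secret.txt"
    path.write_text("constructed-secret: hunter2\n")
    return path.resolve().as_uri()


def build_manifest(entity_uri: Optional[str] = None) -> bytes:
    """A minimal manifest; with entity_uri set, it carries the XXE payload shape."""
    doctype = ""
    body = '<application android:label="app"/>'
    if entity_uri is not None:
        doctype = f'<!DOCTYPE manifest [<!ENTITY leak SYSTEM "{entity_uri}">]>'
        body = '<application android:label="app">&leak;</application>'
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f"{doctype}"
        f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">{body}</manifest>'
    ).encode("utf-8")


if __name__ == "__main__":
    hostile = build_manifest(write_secret_file())
    print("unsafe parser leaked:", parse_manifest_unsafe(hostile))
    try:
        parse_manifest_hardened(hostile)
    except ValueError as err:
        print("hardened parser:", err)
    print("clean manifest package:", package_name(parse_manifest_hardened(build_manifest())))
```

The hardened loader gates on the raw bytes rather than on parser options alone, so it keeps working even if a parser default changes underneath it; for a format such as AndroidManifest.xml that has no use for a DTD, rejecting the declaration costs nothing.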
Next, the researchers discovered a vulnerability in APKTool that could allow an attacker to execute commands on the victim’s PC.
The issue was discovered in the configuration file “APKTOOL.YML,” which is employed for the advanced use of the tool, and which contains a section called “unknownFiles” that “allows users to include a non-standard file location that will be placed correctly on the rebuild process of an APK.”
The selected files are saved in an ‘Unknown’ folder, and modifying the path in the “unknownFiles” section can result in injecting arbitrary files anywhere on the file system, because APKTool “does not validate the path of which the unknown files will be extracted from the packed APK.”
Injecting arbitrary files in the filesystem can lead to remote code execution, and any APKTool user/service is vulnerable when attempting to decode a crafted malicious APK.
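The defence for the unknownFiles problem is the same as for any archive-extraction path: resolve the destination of every entry and refuse anything that would land outside the output directory before a single byte is written. The Python below is an added example, not APKTool's code, that assumes an `unknownFiles` mapping shaped like the section in apktool.yml (entry path to compression method); the output directory and the entries, including the traversal ones, are constructed inline.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def resolved_base(output_dir: str) -> Path:
    """The output directory with symlinks and '..' resolved; all checks compare against this."""
    return Path(output_dir).resolve()


def safe_destination(output_dir: str, entry_name: str) -> Path:
    """Resolve where an archive entry may be written, or raise ValueError.

    Archive entry names use '/' separators; absolute names, backslashes (which
    Windows would treat as separators) and any '..' that climbs above the
    output directory are rejected. resolve() also follows symlinks, so a link
    planted inside the output directory cannot redirect the write elsewhere.
    """
    base = resolved_base(output_dir)
    if (not entry_name or "\\" in entry_name
            or entry_name.startswith("/") or os.path.isabs(entry_name)):
        raise ValueError(f"rejected entry name: {entry_name!r}")
    candidate = (base / entry_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"entry escapes the output directory: {entry_name!r}")
    return candidate


def is_safe_entry(output_dir: str, entry_name: str) -> bool:
    """Boolean form of safe_destination for reporting."""
    try:
        safe_destination(output_dir, entry_name)
        return True
    except ValueError:
        return False


def plan_unknown_files(output_dir: str, unknown_files: Dict[str, str]) -> Dict[str, Path]:
    """Validate every unknownFiles entry up front and return name -> destination.

    Checking all entries before writing any means a crafted apktool.yml cannot
    get its benign entries written and then fail half-way on the traversal one.
    """
    return {name: safe_destination(output_dir, name) for name in unknown_files}


def rejected_entries(output_dir: str, unknown_files: Dict[str, str]) -> List[str]:
    """Names of entries that would escape, for a report rather than an exception."""
    return [name for name in unknown_files if not is_safe_entry(output_dir, name)]


def make_demo_output_dir() -> str:
    """A throwaway directory standing in for the decoded-APK output folder."""
    return tempfile.mkdtemp()


# constructed samples: the shape of an unknownFiles section (path -> compression method)
CLEAN_UNKNOWN_FILES = {"res/raw/config.bin": "8", "assets/extra/data.json": "0"}
HOSTILE_UNKNOWN_FILES = {
    "res/raw/config.bin": "8",
    "../../outside.txt": "0",      # climbs above the output directory
    "/abs/path.txt": "0",          # absolute name
    "res\\..\\..\\win.txt": "0",   # backslash separators
}

if __name__ == "__main__":
    out = make_demo_output_dir()
    for name, dest in plan_unknown_files(out, CLEAN_UNKNOWN_FILES).items():
        print(name, "->", dest)
    print("rejected:", rejected_entries(out, HOSTILE_UNKNOWN_FILES))
```

Note that the check is done on the resolved path, not on the string: an entry such as `res/../res/raw/x.bin` is harmless and is accepted, while `unknown/../../x` is rejected even though it does not start with `..`.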
“It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies, we contacted APKTool developer and IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products,” Check Point concludes.
Android Security Bulletin—December 2017
5.12.2017 Google Android
2017-12-01 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-12-01 patch level. Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Framework
The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2017-0807 A-35056974 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0870 A-62134807 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0871 A-65281159 EoP High 8.0
Media framework
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2017-0872 A-65290323 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0876 A-64964675 RCE Critical 6.0
CVE-2017-0877 A-66372937 RCE Critical 6.0
CVE-2017-0878 A-65186291 RCE Critical 8.0
CVE-2017-13151 A-63874456 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13153 A-65280854 EoP High 8.0
CVE-2017-0837 A-64340921 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0873 A-63316255 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0874 A-63315932 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0880 A-65646012 DoS High 7.0, 7.1.1, 7.1.2
CVE-2017-13148 A-65717533 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
System
The most severe vulnerability in this section could enable a proximate attacker to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2017-13160 A-37160362 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13156 A-64211847 EoP High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13157 A-32990341 ID High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13158 A-32879915 ID High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13159 A-32879772 ID High 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
2017-12-05 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-12-05 patch level. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Kernel components
The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Component
CVE-2017-13162 A-64216036* EoP High Binder
CVE-2017-0564 A-34276203* EoP High ION
Upstream kernel EoP High File handling
CVE-2017-13174 A-63100473* EoP High EDL
MediaTek components
The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Component
M-ALPS03359280 EoP High Display driver
M-ALPS03479086 EoP High Performance service
M-ALPS02672361 EoP High System server
NVIDIA components
The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Component
N-CVE-2017-6262 EoP High NVIDIA driver
N-CVE-2017-6263 EoP High NVIDIA driver
N-CVE-2017-6276 EoP High Mediaserver
Qualcomm components
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
CVE References Type Severity Component
QC-CR#2067820 RCE Critical WLAN
QC-CR#1058691 RCE Critical UDP RPC
QC-CR#1058691 RCE Critical UDP RPC
QC-CR#2068824 EoP High Fastboot
QC-CR#2109325 EoP High Gralloc
QC-CR#2006695 EoP High Qbt1000 driver
QC-CR#2054091 EoP High RPMB driver
QC-CR#2061287 EoP High MProc
QC-CR#2009308 EoP High WLAN
Qualcomm closed-source components
These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm AMSS security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
CVE References Type Severity Component
CVE-2017-6211 A-36217326* N/A Critical Closed-source component
CVE-2017-14908 A-62212840* N/A High Closed-source component
CVE-2017-14909 A-62212839* N/A High Closed-source component
CVE-2017-14914 A-62212297* N/A High Closed-source component
CVE-2017-14916 A-62212841* N/A High Closed-source component
CVE-2017-14917 A-62212740* N/A High Closed-source component
CVE-2017-14918 A-65946406* N/A High Closed-source component
CVE-2017-11005 A-66913715* N/A High Closed-source component
CVE-2017-11006 A-66913717* N/A High Closed-source component
Android's December 2017 Patches Resolve Critical Flaws
5.12.2017 securityweek Android
The December 2017 Android security patches that Google released this week resolve 47 vulnerabilities, including 10 rated Critical severity.
The patches affect a variety of platform components and were split into two packages, or security patch levels, as Google calls them. The first addresses 19 vulnerabilities while the second resolves 28 issues.
The 2017-12-01 security patch level resolves 6 Critical severity vulnerabilities and 13 High risk flaws, Google notes in a security bulletin.
The issues affect the framework (3 High risk elevation of privilege bugs), Media framework (5 Critical remote code execution, 2 High elevation of privilege, and 4 High denial-of-service bugs), and System components (1 Critical remote code execution, 1 High elevation of privilege, and 3 High information disclosure issues).
The 2017-12-05 security patch level addresses 4 Critical risk vulnerabilities and 24 High severity issues.
The vulnerabilities were found in Kernel components (4 High elevation of privilege bugs), MediaTek components (3 High elevation of privilege flaws), NVIDIA components (3 High elevation of privilege issues), Qualcomm components (3 Critical remote code execution and 6 High elevation of privilege flaws), and Qualcomm closed-source components (1 Critical and 8 High flaws of undisclosed type).
Devices updated with the 2017-12-01 or later patch level are safe from all issues associated with the 2017-12-01 security patch level. The security patch levels of 2017-12-05 or later, on the other hand, resolve the issues associated with all previous patch levels as well.
Along with the Android security bulletin for December 2017, Google announced a separate set of security updates for Nexus and Pixels devices, meant to address vulnerabilities and bring functional improvements to supported Google devices.
As part of this month’s set of patches, Google resolved a total of 48 issues in Media framework, Broadcom, Kernel, MediaTek, NVIDIA, and Qualcomm components, as well as in Qualcomm closed-source components.
Most of the resolved vulnerabilities were elevation of privilege bugs, but Google also addressed DoS and information disclosure bugs. The vast majority of the issues were Moderate severity, except for a Critical bug in Qualcomm closed-source components and a High severity issue in Kernel components.
All supported Nexus and Pixel devices will receive these patches as part of the 2017-12-05 security patch level.
Google to Warn Android Users on Apps Collecting Data
4.12.2017 securityweek Android
Google is stepping up its fight against unwanted and harmful applications on Android and will soon alert users about apps, and websites leading to apps, that collect personal data without their consent.
Produced by Google Safe Browsing, the alerts will start popping up on Android devices in a couple of months, as part of expanded enforcement of Google’s Unwanted Software Policy, the Internet giant announced.
What’s more, Google is now requesting applications that collect and transmit personal data unrelated to the functionality of the app to “prominently highlight how the user data will be used and have the user provide affirmative consent for such use,” prior to performing the collection and transmission operations.
“These data collection requirements apply to all functions of the app. For example, during analytics and crash reporting, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent,” Paul Stanton, Safe Browsing Team, explains in a blog post.
The Internet search provider is enforcing the new requirements on applications in both Google Play and non-Google Play app markets. The company also published guidelines for how Google Play apps should handle user data and provide disclosure.
The warnings might start appearing in late January 2018 on user devices via Google Play Protect or on webpages that lead to these apps.
Webmasters should refer to the Search Console for guidance on remediation and resolution of the warnings, while developers should refer to guidance in the Unwanted Software Help Center. Also, application builders can request app reviews.
Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Italian Job – Android malware masqueraded as Fake Tre Updater
4.12.2017 securityaffairs Android
The CSE CybSec Z-Lab Malware Lab analyzed a new strain of malware apparently developed to target the customers of the Italian telco operator “Tre”.
The malware researchers from ZLab analyzed a new strain of Android malware that appears as a fake 3MobileUpdater. The malware looks like a legitimate app used to retrieve the mobile system update, but it hides a powerful spyware which gathers user info from the smartphone.
In order to trick users, the malicious app pretends to be software distributed by the Italian telco company Tre H3G (see the app logo) to check for and download smartphone updates.
Figure 1 – Fake Tre Updater – App logo and alert
When the user clicks on the “3 Mobile Updater”, the app shows the screen in the above picture, inviting the user to wait while the system configuration is updated.
In this way, the user will not remove the application while waiting for the installation of the legitimate update, but in the background the malware is able to launch a service which periodically sends information to, and retrieves commands from, a command and control server available at “url[.]plus”.
The capabilities of this malicious app are extensive and include gathering information from various sources, including the most popular social apps such as WhatsApp, Telegram, Skype, Instagram and Snapchat. It is able to steal pictures from the gallery, SMS messages and the call log. All this data is first stored in a local database created by the malicious app and later sent to the C2.
Despite its capabilities, the app doesn’t appear well written. The DEBUG flag of the application is enabled, so many activities are logged on the Android logcat and are visible in a simple way.
The presence of the string “TEST” in many strings and some evident coding errors, along with the absence of any obfuscation mechanism, suggest the malicious app was not written by skilled developers.
The fake Tre updater is probably a “beta” release or in a test phase, which means that the application is not yet widespread.
Finally, it is interesting to highlight the fact that the malware authors used the Italian language, both in the logcat messages and in the code. This circumstance, along with the fact that the attackers masqueraded the malware as a fake Tre updater, suggests the vxers are Italian.
According to our analysis the fake Tre updater was developed by an Italian firm; its targets and motivations are still not clear.
This report could be the starting point for an investigation by Italian law enforcement; it also includes Yara rules that could be used to detect the threat.
You can download the full ZLAB Malware Analysis Report at the following URL:
Malware Analysis Report: Fake 3MobileUpdater
Android Malware Steals Data from Social Media Apps
29.11.2017 securityweek Android
A newly discovered backdoor that has managed to infect over one thousand Android devices was designed to steal sensitive data from popular social media applications, Google reveals.
Dubbed Tizi, the malware comes with rooting capabilities and has been already used in a series of targeted attacks against victims in African countries such as Kenya, Nigeria, and Tanzania. Discovered by the Google Play Protect team in September 2017, the backdoor appears to have been in use since October 2015.
A fully featured backdoor, Tizi installs spyware that allows it to steal sensitive data from the targeted applications, Google says. The malware family attempts to exploit old vulnerabilities to gain root access on the infected Android devices, and its developer also uses a website and social media to lure users into installing more apps from Google Play and third-party websites.
To date, Google has identified over 1,300 devices affected by the malware. According to the company, newer Tizi variants include rooting capabilities that attempt to exploit a series of local vulnerabilities, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
Since most of these vulnerabilities target older chipsets, devices, and Android versions, users running a security patch level of April 2016 or later are far less exposed to Tizi's capabilities. If none of the exploits work, the Tizi apps attempting to gain root fall back to performing their actions through the high level of permissions they ask the user to grant.
Once it has gained root on the compromised device, the threat can proceed to stealing sensitive data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
After infection, the malware usually contacts its command and control (C&C) by sending an SMS with the device's GPS coordinates to a specific number. Subsequent communication with the C&C, however, is performed over HTTPS, but some versions of the malware also use the MQTT messaging protocol to connect to a custom server.
“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,” Google says.
On top of that, however, the malware can also record ambient audio and take pictures without displaying the image on the device's screen.
To stay safe, users are advised to pay close attention to the permissions they grant to newly installed applications; to enable a secure lock screen, such as a PIN, pattern, or password; to keep their devices up to date at all times, given that the threat exploits old, known vulnerabilities; and to ensure Google Play Protect is enabled.
Google Detects Android Spyware That Spies On WhatsApp, Skype Calls
29.11.2017 thehackernews Android
In an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from your devices using its newly launched Google Play Protect service.
Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users.
Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims' devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
"The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities," Google said in a blog post. "The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015."
Most Tizi-infected apps are advertised on social media websites and third-party app stores, tricking users into installing them.
Once installed, the innocent-looking app gains root access on the infected device to install spyware, which then first contacts its command-and-control servers by sending an SMS text message with the GPS coordinates of the infected device to a specific number.
Here's How Tizi Gains Root Access On Infected Devices
For gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
If the backdoor is unable to gain root access on the infected device because all the listed vulnerabilities have been patched, "it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls," Google said.
Tizi spyware has also been designed to communicate with its command-and-control servers over regular HTTPS or using the MQTT messaging protocol to receive commands from the attackers and upload stolen data.
The Tizi backdoor contains various capabilities common to commercial spyware, such as
Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
Recording calls from WhatsApp, Viber, and Skype.
Sending and receiving SMS messages.
Accessing calendar events, call log, contacts, photos, and the list of installed apps.
Stealing Wi-Fi encryption keys.
Recording ambient audio and taking pictures without displaying the image on the device's screen.
So far, Google has identified 1,300 Android devices infected by Tizi and removed the malware; the majority of these devices were located in African countries, specifically Kenya, Nigeria, and Tanzania.
How to Protect your Android device from Hackers?
Such Android spyware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps in order to protect yourself:
Ensure that you have already opted for Google Play Protect.
Download and install apps only from the official Play Store, and always check permissions for each app.
Enable 'verify apps' feature from settings.
Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
Keep "unknown sources" disabled when you are not using it.
Keep your device always up-to-date with the latest security patches.
Majority of Android Apps Contain Embedded User-Tracking: Report
28.11.2017 securityweek Android
Seventy-five percent of 300 Android apps tested by Exodus Privacy and analyzed by the Yale Privacy Lab contain embedded trackers, including Uber, Tinder, Skype, Twitter, Spotify and Snapchat. The trackers are primarily used for targeted advertising, behavioral analytics and location tracking. They come as part of the app, and their presence and operation is likely unknown to the user at the time of installation.
Details are published in an analysis by the Yale Privacy Lab. It looked at 25 of the 44 trackers known to the French non-profit Exodus Privacy. Exodus analyzed 300 apps using its app scanning platform. According to its own research, the five most common embedded trackers are CrashLytics, DoubleClick, Localytics, Flurry and HockeyApp.
Despite this high number of trackers located by the research, Privacy Lab fears the problem could be worse. "The Exodus platform identifies trackers via signatures, like an anti-virus or spyware scanner, and thus can only detect trackers previously identified by researchers at the time of the scan." It fears that trackers can be added to apps in software updates after installation, and that new trackers will simply not yet be identified by Exodus.
It also adds, "Tracker companies openly advertise Software Development Kits (SDKs) compatible with multiple platforms. Thus, advertising trackers may be concurrently packaged for Android and iOS, as well as more obscure mobile platforms."
The analysis from Privacy Lab provides two examples that demonstrate its concern. Fidzup claims it has developed communication between a sonic emitter and a mobile phone. By diffusing a tone, inaudible to the human ear, inside a building Fidzup can detect the presence of mobile phones and therefore their owners. "Users installing 'Bottin Gourmand', a guide to restaurants and hotels in France," warns Privacy Lab, "would thus have their physical location tracked via retail outlet speakers as they move around Paris. Their experience would be shared by readers of car magazine app 'Auto Journal' and TV guide app 'TeleStar'."
This type of technology has probably been superseded by simple WiFi tracking, but, the research warns, it closely resembles the practices of Teemo and SafeGraph. Teemo was embroiled in a scandal earlier this year for studying the geolocation of 10 million French citizens, and SafeGraph collected 17 trillion location markers for 10 million smartphones during [Thanksgiving] last year.
However, the organization is particularly concerned about the use of trackers on the finances and healthcare of users. It cites Mon AXA, developed by a multinational insurance and finance firm, and found by Exodus to contain six trackers. Privacy Lab does not know what information is shared by these trackers. Other AXA apps, including 'HealthLook', 'AXA Banque', and 'My Doctor' also contain trackers.
Other health and finance apps that contain trackers include those from Aetna, the American Red Cross, WebMD, American Express, Discover, HSBC, Wells Fargo, and PayPal.
Privacy Lab is calling for greater transparency from Google over privacy and security practices for trackers. "Android users, and users of all app stores, deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code."
Android commercial spyware
24.11.2017 Kaspersky Android
There’s certainly no shortage of commercial spying apps for Android, with most positioned as parental control tools. In reality, however, these apps barely differ from spyware, with the exception perhaps of the installation method. There’s no need to even resort to Tor Browser or other darknet activity either – all you need to do is type something like “android spy app” into Google.
They are called ‘commercial’ because anyone can buy an app like this for just a few dollars.
Kaspersky Lab mobile products detect this sort of commercial Android spyware as not-a-virus:Monitor.AndroidOS.*. According to our telemetry, the popularity of these apps has been growing in recent years:
Unique users attacked by not-a-virus:Monitor.AndroidOS.*, 2016-2017
That’s why we decided to take a closer look at this controversial type of mobile software.
Almost all commercial spyware apps are installed by manually accessing the target’s phone, and this is the only big difference between these apps and classic malicious spyware like DroidJack or Adwind. Customers have to download the app, install it and enter credentials that are received after purchasing. After that, the spying app becomes invisible on the phone. Installation usually only takes a couple of minutes.
Regular installation process (https://tispy.net/install-guide.html)
Some of these tools use device admin features to gain persistence and self-protection on the target’s phone.
So what does the customer get? Features may vary, but some of them are present in almost all these kinds of apps:
Stealing calls (logs/recordings)
Stealing browser data (history/bookmarks)
Stealing stored photos/videos
Stealing address books (with emails and even photos sometimes)
And if you’re still not impressed, then check out the actual feature lists (in addition to the above) of some popular commercial spyware for Android. We have added the infamous Pegasus APT and Droidjack spyware to our comparison table below to show the difference in features between them and monitoring apps. Pegasus is an advanced persistent threat, created by NSO Group. Droidjack is a RAT that was sold some time ago for a $210 lifetime license. This tool is more akin to TrojWare, because of features such as remote installation and customization of your own C&C server. However, even after several users in European countries were arrested, malware author Sanjeevi claimed that Droidjack is “very useful for users who use it legally”. He stated that “Droidjack is a parental tool for remote Android administration. It is strictly meant for that and no other reasons”. Anyone who breaks these rules, adds Sanjeevi, will have their license revoked.
| App | Stealing emails | Stealing surrounding voice | Stealing scheduled tasks/calendar/notes | Stealing social media/IM data | Backdoor behavior (e.g., remote control) | Photo/video/screenshot capture | Keylogging | Stealing clipboard |
|---|---|---|---|---|---|---|---|---|
| Pegasus | + | + | + | + | + | + | + | – |
| DroidJack | – | + | – | + | + | + | – | – |
| TiSpy | + | + | + | + | – | + | + | + |
| Exaspy | + | + | + | + | + | + | – | – |
| iKeyMonitor | + | + | – | + | – | + | + | + |
| Mobistealth | + | + | + | + | – | + | + | – |
| mSpy | + | – | + | + | + | – | + | – |
| iSpyoo | + | + | + | + | + | – | – | – |
| SpyHuman | – | + | – | + | + | + | – | – |
| TheftSpy | – | + | – | + | + | + | – | – |
| TheTruthSpy | – | + | – | + | + | – | + | – |
| OneSpy | + | + | – | + | – | + | – | – |
| Highster Mobile | + | – | – | + | – | – | – | – |
| Spymaster Pro | – | – | – | + | – | + | – | – |
| DroidWatcher | – | – | – | + | – | + | – | – |
This comparison table shows that the difference between known sophisticated spyware and some commercial monitor apps is not that great and, in some cases, monitor applications can even grab more private user information.
Exaspy is an especially interesting case. This is a classic monitor application with a regular manual-access installation method (you have to enter license credentials after installation to start spying):
However, after news about a high-profile victim – a senior executive at a company – this monitor app is considered illegal for now. Note that there are a lot of similar apps that can result in cases like this.
Some special features (spying on social media apps, for example) only work on a rooted device, but the list is still impressive. The ‘Stealing social media/IM data’ feature is particularly important. It means that the spyware is able to attack other social media or messenger apps (depending on the specific product), for example, Facebook, Viber, Skype, WhatsApp, etc. As a result, an attacker can observe messenger conversations, feeds and other personal data from the victim’s social media profile.
These products use the same techniques as standard malicious spyware to steal data, and sometimes on a bigger scale. For example, here is a fragment of code from a commercial application called OneSpy with a list of external attacked applications:
As you can see, the commercial app is interested in all popular social media apps and messengers.
Above we mentioned that some commercial Android spyware apps like Exaspy were recognized as illegal after investigations. But many commercial spyware applications are still considered legitimate because, according to their sites, they were created “for everyone who needs a helping hand in protection of their loved-ones, their children, family and employees”.
Some of them claim that their products are ‘100% undetectable’. This may be true for the naked eye, but definitely not for our products.
But why do we think commercial spyware poses a danger and why do we detect it? There are several reasons:
Almost all commercial spyware is distributed from its own site and landing pages. This results in vendors prompting users to enable the “Allow install of non-market applications” setting. This setting is very important for device safety because enabling it makes an Android device vulnerable to malware installation. For security reasons this method of distribution is contrary to Google policy.
Because some spying features only work on a rooted device, many vendors recommend rooting the targeted device. This opens the door for potential malware infection, and moreover, device rooting is contrary to Google policy.
Not every vendor can guarantee the safety of personal data, and that applies not only to hacker attacks but also to simple methods of product security.
The last point is very important and our concerns aren’t baseless. I analyzed one commercial spyware app, investigating the vendor’s main site and C&C server. I soon found lots of files that had been uploaded to the server and that turned out to be users’ personal data collected by the app. Private files were stored on the server without any protection and could be accessed by anyone.
Many users of spyware apps who want to monitor the private lives of their relatives simply don’t understand that they may not be the only ones who will have access to such information.
To sum up, installing such apps, even on your child’s device, is a risky step that could lead to malware infection, data leaks or other unpleasant consequences. In our products we use a special technology for Android OS that helps detect dangerous apps capable of violating a customer’s data privacy. There is one simple and very important tip for everyone – always protect your phone with a password, PIN or fingerprint, so an attacker won’t be able to manually access your device.
Google gathers Android users’ location data even when location services are disabled
23.11.2017 securityaffairs Android
Google is secretly gathering location data from billions of Android users; the news is disconcerting and once again raises the debate about users’ privacy.
The disconcerting discovery was made by researchers from Quartz.
Big G has been caught collecting location data on every Android device owner over the past 11 months. The worse news is that Google is gathering location data even when location services are completely disabled.
“Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.” states Quartz.
The experts discovered that Android smartphones have been collecting the addresses of nearby cellular towers, information that could be used to track the location of mobile devices with the “Cell Tower Triangulation” technique.
When an Android device is within the range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected via a WiFi network or cellular data network.
A source familiar with the matter told Quartz that the cell tower addresses were being sent to Google after a change in early 2017 to the Firebase Cloud Messaging service.
The component responsible for collecting the location data resides in the Firebase Cloud Messaging service, which manages push notifications and messages on the operating system; unfortunately, it cannot be disabled.
“Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google.” continues Quartz media.
“Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed.”
Quartz contacted Google for a comment and a spokesman for the company replied that the location-sharing practice was implemented to improve its service.
“We began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” said a Google spokesperson.
“It has pretty concerning implications,” explained Bill Budington, a software engineer at the Electronic Frontier Foundation. “You can kind of envision any number of circumstances where that could be extremely sensitive information that puts a person at risk.”
According to the experts, there is no doubt that the Android system collecting location data is a complete violation of users’ privacy.
Why does Google collect data from Android devices when all location services are disabled?
“We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points, and cell towers.”
Google declared that it never used or stored the location data it collected and that it is now taking steps to end this practice.
According to Google, Android phones will no longer collect location data by the end of this month.
Google Collects Android Location Data Even When Location Service Is Disabled
21.11.2017 thehackernews Android
Do you own an Android smartphone?
If yes, then you are one of those billions of users whose smartphone is secretly gathering location data and sending it back to Google.
Google has been caught collecting location data on every Android device owner since the beginning of this year (that's for the past 11 months)—even when location services are entirely disabled, according to an investigation conducted by Quartz.
This location-sharing practice doesn't require your Android smartphone to use any app, or to turn on location services, or even to have a SIM card inserted.
All it requires is that your Android device is connected to the Internet.
The investigation revealed that Android smartphones have been collecting the addresses of nearby cellular towers, and this data could be used for "Cell Tower Triangulation"—a technique widely used to identify the location of a phone/device using data from three or more nearby cell towers.
Each time your Android device comes within the range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected to a WiFi network or has cellular data enabled.
Since the component responsible for collecting location data resides in Android's core Firebase Cloud Messaging service that manages push notifications and messages on the operating system, it cannot be disabled and doesn't rely on what apps you have installed—even if you factory reset your smartphone or remove the SIM card.
When Quartz contacted the tech giant about this location-sharing practice, a Google spokesperson replied: "We began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery."
Although it is still unknown how cell-tower data that identifies a specific cell tower could have helped Google improve message delivery, the fact that the company's mobile operating system is collecting location data is a complete violation of users' privacy.
"We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points, and cell towers."
Moreover, this location-sharing practice is not limited to any particular Android phone model or manufacturer, as the tech giant was apparently collecting cell tower data from all modern Android devices before being contacted by Quartz.
Although the company said that it never used or stored this location data it collected on its users and that it is now taking steps to end this practice, this data could be used to target location-based advertisement when the user enters any store or restaurant.
According to Google, Android phones will no longer gather and send cell-tower location data back to Google by the end of this month.
BankBot Returns On Play Store – A Never Ending Android Malware Story
20.11.2017 thehackernews Android
Even after so many efforts by Google to keep its Play Store free of malware, shady apps somehow manage to fool its anti-malware protections and infect people with malicious software.
A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, one of which spreads a new version of BankBot, a persistent family of banking Trojans that imitates real banking applications in an effort to steal users' login details.
BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details.
With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts.
Google removed at least four previous versions of this banking trojan from its official Android app store earlier this year, but BankBot apps have always made their way back onto the Play Store, targeting customers of major banks around the world.
The second campaign spotted by researchers not only spreads the same BankBot trojan as the first campaign but also Mazar and Red Alert. This campaign has been described in detail on ESET blog.
According to an analysis performed by the mobile threat intelligence team at Avast in collaboration with ESET and SfyLabs, the latest variant of BankBot has been hiding in Android apps that pose as supposedly trustworthy, innocent-looking flashlight apps.
First spotted by the researchers on 13 October, the malicious BankBot apps use special techniques to circumvent Google's automated detection checks, such as starting malicious activities 2 hours after the user grants device admin rights to the app and publishing the apps under different developer names.
After tricking victims into downloading them, the malicious apps check the applications installed on the infected device against a hard-coded list of 160 mobile apps.
According to the researchers, this list includes apps from Wells Fargo and Chase in the U.S., Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many other financial institutions from around the world.
If it finds one or more apps on the infected smartphone, the malware downloads and installs the BankBot APK from its command-and-control server on the device, and tries to trick the victim into giving it administrator rights by pretending to be a Play Store or system update using a similar icon and package name.
Once it gets admin privileges, the BankBot app displays an overlay on top of legitimate apps whenever the victim launches one of the apps from the malware's list, and steals whatever banking information the victim types into it.
The Avast Threat Labs has also provided a video demonstration while testing this mechanism with the app of the local Czech Airbank. You can see how the app creates an overlay within milliseconds and tricks the user into giving out their bank details to criminals.
Since many banks use two-factor authentication for secure transactions, BankBot includes functionality that allows it to intercept text messages, so that the criminals behind BankBot can steal the mobile transaction number (mTAN) sent to the customer's phone and transfer money to their own accounts.
One important thing to note is that an Android mechanism blocks app installation from outside the Play Store. Even if you have already permitted installation from unknown sources, Google still requires you to press a button to continue such installations.
"Unlike this newer version of BankBot, droppers from previous campaigns were far more sophisticated," the researchers note. "They applied techniques such as performing clicks in the background via an Accessibility Service to enable the installation from unknown sources."
The latest BankBot version does not utilize this Accessibility Service feature due to Google's recent move of blocking this feature for all applications, except those designed to provide services for the blind.
Google has already removed all recently-discovered BankBot apps after being notified by the researchers.
Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps even from Google's official Play store. So, always verify app permissions and reviews before downloading an app from Google Play Store.
Even though the BankBot apps made their way into the Play Store, their payload was downloaded from an external source. So, don't allow any unknown third-party APK to be installed on your smartphone.
To do so, go to Settings → Security and then turn OFF "Allow installation of apps from sources other than the Play Store."
Most importantly, be careful which apps you give administrative rights to, as this privilege is powerful and can give an app full control of your device.
Screen/Audio Capture Vulnerability Impacts Lion's Share of Android Devices
20.11.2017 securityweek Android
A vulnerability that allows malicious applications to capture screen contents and record audio without a user’s knowledge impacts over 78% of Android devices, researchers claim.
The issue is caused by the MediaProjection service introduced by Google in the Android Framework on Android 5.0. This service allows applications to capture the screen or record audio without special permissions, by simply requesting access via an Intent.
Prior to Android 5.0, an application would either have to run with root privileges or be signed with the device’s release keys to use system protected permissions to capture screen contents, MWR Labs security researchers explain. With the introduction of MediaProjection, no permissions are required in the AndroidManifest.xml to use the service.
When an application requires access to this system Service, a SystemUI pop-up is displayed to warn the user that the program wants to capture the screen. According to MWR, however, an attacker could overlay the SystemUI pop-up with an arbitrary message meant to trick the user into granting the malicious app the ability to capture the screen.
“This vulnerability would allow an attacker to capture the user’s screen should the user tap of the SystemUI pop-up that has been overlayed by the attacker with an arbitrary message,” the security researchers explain in a security advisory (PDF).
MWR also explains that it is difficult to determine which applications use the MediaProjection service, given that there are no permission requirements. Furthermore, the researchers claim that the vulnerability is severe because the SystemUI pop-up is launched within the context of the attacker’s application, meaning that the app can detect it and draw the overlay without the user noticing.
“The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups. This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges,” the researchers argue.
Because the SystemUI pop-up is the only access control mechanism meant to prevent malicious applications from abusing the MediaProjection service, an attacker could also bypass the mechanism by tapjacking the pop-up using publicly available methods.
The vulnerability has been addressed in Android 8.0, but version fragmentation within the Android ecosystem means that a great many devices will never receive a patch, thus remaining vulnerable. It’s unclear whether patches will be released for older Android iterations as well, MWR says.
As of November 9, 2017, vulnerable platform releases (Android 5.0 to Android 7.1) are running on 78.7% of Android devices out there.
The good news is that the attack is not entirely undetectable: “when an application gains access to the MediaProjection service, it generates a Virtual Display which activates the screencast icon in the notification bar,” the researchers explain.
Application developers can defend against this attack by enabling the FLAG_SECURE layout parameter via the application's WindowManager. Thus, the contents of applications are treated as secure and won’t appear in screenshots.
MWR reported the issue to Google in January this year. The Internet giant assessed the vulnerability as High risk and released Android 8.0 with a patch for it, but hasn’t provided information on patches for Android 7.1.2 to 5.0 as of now, the researchers reveal.
A bug in the Android MediaProjection service lets hackers record audio and screen activity on 77% of all devices
20.11.2017 securityaffairs Android
A flaw in the Android MediaProjection service could be exploited by an attacker to record audio and screen activity on around 77.5% of all Android devices.
A vulnerability affecting Android smartphones running Lollipop, Marshmallow, and Nougat (around 77.5% of all Android devices) could be exploited by an attacker to record audio and screen activity.
The vulnerability resides in the Android MediaProjection service, which has access to both screen contents and system audio.
Starting with the release of Android Lollipop (5.0), the MediaProjection service is no longer restricted to users with root access.
“To use the MediaProjection service, an application would simply have to request access to this system Service via an Intent. Access to this system Service is granted by displaying a SystemUI pop-up that warns the user that the requesting application would like to capture the user’s screen.” the MWR team wrote in a report.
The researchers explained that an attacker could overlay this SystemUI pop-up which warns the user that the contents of the screen and system audio would be captured, with an arbitrary message to trick the user into granting a malicious application the ability to capture the user’s screen.
The lack of specific Android permissions for this API makes it difficult to check whether an application uses the MediaProjection service to record video and audio. The only access control mechanism available to prevent abuse of the MediaProjection service is the SystemUI pop-up, which can be easily bypassed.
The root cause of this vulnerability is due to the fact that vulnerable Android versions don’t implement mechanisms to detect partially obscured SystemUI pop-ups.
An attacker can craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges.
“Furthermore, the SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service. An attacker could trivially bypass this mechanism by tap-jacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen.” added MWR.
“This vulnerability would allow an attacker to capture the user’s screen should the user tap of the SystemUI popup that has been overlayed by the attacker with an arbitrary message.”
Google patched the vulnerability only in Android Oreo (8.0); older versions are still affected by the bug.
Researchers highlighted that the attack exploiting this flaw is not entirely undetectable. When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar as the following image shows:
It is unclear whether Google plans to fix the vulnerability for older affected versions of Android as well; for this reason, users should update their devices.
MWR also provided a workaround to Android application developers that can address the issue by enabling the FLAG_SECURE layout parameter via the application’s WindowManager. This would ensure that the content of the applications windows is treated as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays.
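The FLAG_SECURE workaround named in both the SecurityWeek and Security Affairs write-ups above, shown as an added example (not MWR's or Google's code): an Activity that marks its window as secure before inflating the layout, plus a helper for dialogs, which have their own Window and are otherwise left capturable. The layout resource name is hypothetical.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

// Added example: an activity handling sensitive content (e.g. a login form)
// that opts its window out of screen capture via FLAG_SECURE.
public class SecureLoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag BEFORE setContentView so no frame of the sensitive view is
        // ever composed into a non-secure surface. A MediaProjection-backed virtual
        // display (and the system screenshot path) then renders this window blank.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_secure_login); // hypothetical layout name
    }

    // FLAG_SECURE is per-window, not per-app. Dialog, DialogFragment and
    // PopupWindow instances each get their own Window, so every one that shows
    // sensitive data must set the flag too; call this before dialog.show().
    static void secureDialog(Dialog dialog) {
        Window w = dialog.getWindow();
        if (w != null) {
            w.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
    }

    // Review helper: true if the given window already carries FLAG_SECURE.
    // Useful in instrumentation tests that walk every screen showing secrets.
    static boolean isWindowSecure(Window w) {
        int flags = w.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

FLAG_SECURE only protects the pixels of the window it is set on; it does nothing against the audio-capture side of the MediaProjection issue, so the screencast icon in the notification bar remains the user's only signal for that.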
Multi-Stage Android Malware Evades Google Play Detection
16.11.2017 securityweek Android
A newly discovered multi-stage Android malware that managed to sneak into Google Play is using advanced anti-detection features, ESET security researchers reveal.
Eight malicious applications hiding the new threat were found in the official application store, all legitimate-looking but delaying the malicious activity to hide their true intent. Google has removed all eight programs after being alerted of the threat.
Detected as Android/TrojanDropper.Agent.BKY, the applications form a new family of multi-stage Android malware, ESET says. Although the most popular of these apps reached only several hundred downloads, the use of advanced anti-detection features makes this malware family interesting.
All samples of the mobile Trojan employ a multi-stage architecture and make use of encryption to stay under the radar, the security researchers say. The applications managed to keep their malicious intent hidden by not requesting suspicious permissions after installation and by mimicking the activity they were supposed to exhibit.
However, the apps also decrypt and execute a first-stage payload designed to decrypt and execute the second-stage payload from the assets of the app downloaded from Google Play. These steps, however, are not visible to the user but serve as obfuscatory measures, ESET says.
The second-stage payload downloads a malicious app from a hardcoded URL without the victim’s knowledge. After a delay of around 5 minutes, however, the victim is prompted to install this third-stage payload.
This application masquerades as Adobe Flash Player or another popular app. To appear legitimate to the user, the app uses a name such as Android Update or Adobe Update to trick the user into allowing it to execute and into granting the necessary permissions for the payload to perform nefarious actions.
Once installed and with the requested permissions granted, the app decrypts and executes a final, fourth-stage payload. According to ESET, this payload was a mobile banking Trojan in all analyzed cases.
The Trojan was designed to present the victim with fake login forms to steal their credentials or credit card details.
Because one of the malicious apps downloads the final payload using the bit.ly URL shortener, the security researchers discovered that the link had been used almost 3000 times as of November 14, and that most of the hits came from the Netherlands.
Two of the most recent samples of this malware downloader were observed dropping either the notorious MazarBot banking Trojan or spyware. According to ESET, the downloader’s nature allows its operators to deliver any payload through it, “as long as it doesn’t get flagged by the Google Protect mechanism.”
Impacted users are advised to first deactivate the admin rights for the installed payload, and then uninstall the surreptitiously-installed apps, along with the application initially downloaded from the Play Store.
Users should head to Settings > (General) > Security > Device administrators and deactivate the admin rights that Adobe Flash Player, Adobe Update, or Android Update might have. The installed payload can be removed from the Application manager.
The nefarious apps involved in this malicious campaign include MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн, and Слоты Онлайн Клуб Игровые Автоматы.
“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices,” ESET concludes.
Multi-Stage Android/TrojanDropper.Agent.BKY Malware bypasses Google Play detection once again
16.11.2017 securityaffairs Android
Researchers from security firm ESET discovered a multi-stage malware dubbed Android/TrojanDropper.Agent.BKY that evaded Google Play detection.
Security experts at ESET have discovered a multi-stage Android malware, tracked as Android/TrojanDropper.Agent.BKY, that was available for download in the official Google Play store.
The researchers found eight malicious applications in the official application store (MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн, and Слоты Онлайн Клуб Игровые Автоматы); they appear to be legitimate applications and use advanced anti-detection features.
“Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these apps form a new family of multi-stage Android malware, legitimate-looking and with delayed onset of malicious activity.” states the analysis published by ESET.
The experts highlighted the use of advanced anti-detection features implemented by these apps that were downloaded only by several hundred users.
The Android/TrojanDropper.Agent.BKY samples analyzed by ESET employ a multi-stage architecture along with encryption.
Once downloaded and installed, the malicious apps do not request any suspicious permissions and even mimic the activity they were supposed to perform.
In the background, the apps decrypt and execute a first-stage payload designed to decrypt and execute the second-stage payload from the assets of the app downloaded from Google Play.
The malware implements obfuscatory measures to remain under the radar.
The second-stage payload downloads a malicious application from a hardcoded URL, then waits around 5 minutes before asking the user to install the third-stage payload, which masquerades as Adobe Flash Player or another popular app.
“The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions.” continues the analysis.
Once the third-stage payload is installed it decrypts and executes the final fourth-stage payload that was a mobile banking Trojan.
The Trojan displays fake login forms to steal the victim's credentials or credit card details.
Experts noticed that one of the malicious apps downloads the Trojan using the bit.ly URL shortener, which allowed them to discover that the link had been used almost 3000 times as of November 14, and that most of the connections came from infected hosts in the Netherlands.
Two of the most recent samples of the TrojanDropper malware were observed dropping either the MazarBot banking Trojan or spyware.
ESET suggests that impacted users first deactivate the admin rights for the installed payload, and then uninstall both the installed payload and the app initially downloaded from the Play Store.
Further technical details, including the IoCs are included in the report published by ESET.
“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does.” concluded ESET. “Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.”
Google to Ban Android Apps Misusing Accessibility Service
13.11.2017 securityweek Android
Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.
Much of the adware and malware that makes it onto the Google Play store abuses the BIND_ACCESSIBILITY_SERVICE permission. The permission is designed to allow apps to assist users with disabilities, but malware developers have found ways to misuse it in order to obtain device administrator privileges and conduct other malicious activities without raising suspicion.
One example is TOASTAMIGO, a piece of malware that exploits a recently patched vulnerability affecting the Toast feature in Android.
In an effort to prevent abuse, Google has decided that accessibility services should only be used to help people with disabilities. The tech giant has started contacting developers whose applications use the BIND_ACCESSIBILITY_SERVICE permission and informed them of the steps they need to take.
Developers who use the aforementioned permission to help people with disabilities must clearly state this in the app’s description on Google Play, and they must describe the functionality provided by the Accessibility Service permission. All other developers will have to remove the permission from their products within 30 days or risk having it pulled from the official app store.
“Alternatively, you can choose to unpublish the app,” Google told developers. “All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.”
Many users and developers have raised concerns regarding Google’s decision, pointing out that legitimate apps often use the Accessibility Service as a workaround for features that otherwise might be difficult or impossible to implement.
Popular applications such as the LastPass password manager are set to lose important functionality if Google moves forward with its decision. There is also a lot of concern regarding the automation app Tasker, which is not specifically designed for individuals with disabilities, but which appears to be of great aid to some people with Parkinson's disease and Asperger syndrome.
Some have offered advice on how app developers may be able to bypass the new restrictions, and shared thoughts on what alternative routes Google could take to prevent abuse while allowing legitimate apps to continue using the service.
TOASTAMIGO – the first known strain of malware that uses the Toast Overlay exploit
10.11.2017 securityaffairs Android
Trend Micro spotted TOASTAMIGO, the first known malware that uses the recently patched vulnerability that ties with the Toast Overlay attacks.
Malware researchers at Trend Micro have spotted the first known strain of malware that triggers the recently patched vulnerability, tracked as CVE-2017-0752, that enables the Toast Overlay attacks.
The vulnerability was discovered in September by security researchers with Palo Alto Networks Unit 42.
The experts reported that it is possible to abuse Android’s toast notification, a feature that is used to provide feedback about an operation in a small short-lived pop up notification, to obtain admin rights on targeted phones and take over the device.
The vulnerability affects all versions of the Android operating system prior to the latest Android 8.0 (Oreo), that is, nearly all Android users.
“What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device.” reads the analysis published by Palo Alto Networks. “This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.”
The Toast flaw can be used for “overlay” attacks on Android phones: attackers use it to create a UI overlay displayed on top of legitimate Android applications and trick victims into providing sensitive information or clicking confirmation buttons.
Google fixed the flaw in its monthly Android security updates.
This week, Trend Micro experts reported seeing the first piece of malware exploiting the Toast overlay flaw, which is why it was dubbed TOASTAMIGO. The Android malware was disguised as apps named Smart AppLocker that had been available on Google Play and had been downloaded hundreds of thousands of times before Google removed them.
The TOASTAMIGO app claims to secure devices with a PIN code, but once the victim installs it, the app requests Accessibility permissions and informs the user that the phone needs to be scanned for unsecure apps. The malware uses the Toast exploit to display a progress screen for the “scan,” while in the background it executes commands from the attackers and installs a second-stage malware that Trend Micro named AMIGOCLICKER.
“The malware ironically pose as legitimate app lockers that supposedly secure the device’s applications with a PIN code. Upon installation, these apps will notify the user that they need to be granted Accessibility permissions for it to work. It’s all a ruse to sidestep Android’s countermeasure that requires apps to have explicit user permission.” states Trend Micro. “After granting permissions, the apps will launch a window to purportedly “analyze” the apps. Behind the scenes, however, the apps carry out actions or commands, including the installation of a second malware (since it already has the permissions).”
TOASTAMIGO also implements features to prevent its removal by security software. AMIGOCLICKER is able to collect Google accounts and perform other actions, including clicking buttons in system dialogs, clicking on Facebook ads, and giving itself a five-star rating on Google Play.
“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”
Android Malware Exploits Recently Patched 'Toast' Flaw
10.11.2017 securityweek Android
Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.
The flaw, reported to Google by researchers at Palo Alto Networks, enables malicious actors to launch overlay attacks by abusing Android’s Toast feature, which allows applications to display messages and notifications on top of other apps. The feature is named Toast because the notifications pop up on the screen just like toast.
Overlay attacks are commonly used by Android malware for phishing attacks, but using Toast provides some advantages, including the fact that it does not require the same types of permissions as other windows, and it allows an app to display a window that covers the device’s entire screen.
The vulnerability, tracked as CVE-2017-0752 and classified as high risk, was patched by Google in September with its monthly Android security updates. Toast overlay attacks don’t work against devices running Android 8.0 Oreo.
On Thursday, Trend Micro researchers reported seeing the first piece of malware leveraging the Toast overlay exploit. The threat, detected by the company as TOASTAMIGO, was disguised as apps named Smart AppLocker that had been available on Google Play, from where they were downloaded hundreds of thousands of times. The applications have since been removed from Google Play.
The malicious apps claim to secure devices with a PIN code. Once installed, they request Accessibility permissions and inform the user that they need to scan the phone for unprotected apps. The Toast exploit is used to display a progress screen for the “scan,” but in the background the malware executes commands from the attackers and installs a second piece of malware that Trend Micro named AMIGOCLICKER.
In addition to downloading other malware, TOASTAMIGO can terminate mobile security apps and perform other actions that prevent it from being removed. AMIGOCLICKER has self-preservation capabilities as well, but it can also collect Google accounts, click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.
“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”
Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts
9.11.2017 securityweek Mobile Android iOS
Hundreds of mobile applications that use the Twilio SDK or REST API include hardcoded credentials that could be abused to access millions of calls and text messages, researchers warned on Thursday.
Appthority’s Mobile Threat Team has analyzed more than 1,100 iOS and Android applications that use Twilio, a cloud communications platform designed for developing voice and messaging apps.
Twilio’s documentation provides guidance on best security practices, but researchers found that 686 apps from 85 developers exposed Twilio account IDs and access tokens (i.e. passwords). Roughly one-third of the applications containing hardcoded Twilio credentials are business-related, and the ones designed for Android have been downloaded between 40 and 180 million times.
The affected apps, more than 170 of which are still available on Google Play and the Apple App Store, include software used for secure communications by a federal law enforcement agency, one that allows sales teams to record audio and annotate discussions in real-time, and navigation apps for AT&T and US Cellular customers.
Researchers estimated that by extracting the Twilio account credentials from the source code of these apps, malicious actors could have gained access to hundreds of millions of call records, calls and call audio recordings, and SMS and MMS messages. North America, the U.K. and Australia are the most affected regions.
The vulnerability, which Appthority has dubbed “Eavesdropper,” was discovered in April and Twilio was notified in July. The service provider has been working with the developers of the impacted apps to address the issue.
However, researchers pointed out that the only way for developers to properly address the problem is to get their users to install an updated version of their app that does not include hardcoded credentials and change their Twilio account tokens.
Hardcoded credentials can pose a serious risk, not just for apps that use Twilio. Appthority warned that roughly 40% of the analyzed applications also expose Amazon S3 credentials.
Researchers have found credentials for more than 2,000 Amazon accounts in the analyzed apps. A closer analysis showed that roughly 900 of the accounts are still active and they provide access to nearly 22,000 S3 buckets, including ones that store potentially sensitive information.
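The defensive counterpart to the findings above is a check that runs before an app ships. The following is an added example (not Appthority's, Twilio's or any of the named apps' code): a scanner over the string constants of an app build that flags Twilio- and AWS-shaped credentials. The regular expressions encode the publicly documented token shapes as heuristics, the sample lines are constructed, and class and rule names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Example pre-release check: scans strings pulled out of an app build
 * (e.g. decompiled sources or a strings dump of the APK) for values shaped
 * like service credentials. Patterns are heuristics, so every hit should be
 * confirmed by a human before the build is blocked.
 */
public class HardcodedCredentialScanner {

    /** One hit: the rule that fired and a redacted copy of the value. */
    public static final class Finding {
        public final String rule;
        public final String redacted;
        Finding(String rule, String value) {
            this.rule = rule;
            this.redacted = redact(value);
        }
        @Override public String toString() { return rule + ": " + redacted; }
    }

    // Twilio Account SID: "AC" followed by 32 hex digits (assumed documented shape).
    private static final Pattern TWILIO_SID = Pattern.compile("\\bAC[0-9a-fA-F]{32}\\b");
    // AWS access key id: "AKIA" (long-term) or "ASIA" (temporary) plus 16 chars (assumed shape).
    private static final Pattern AWS_KEY_ID = Pattern.compile("\\b(AKIA|ASIA)[0-9A-Z]{16}\\b");
    // Twilio auth token: 32 hex chars. Reported only when "twilio" appears on the
    // same line, because bare 32-hex values (MD5 sums, UUID fragments) are too noisy.
    private static final Pattern HEX32 = Pattern.compile("\\b[0-9a-fA-F]{32}\\b");

    public static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            collect(TWILIO_SID.matcher(line), "twilio-account-sid", findings);
            collect(AWS_KEY_ID.matcher(line), "aws-access-key-id", findings);
            if (line.toLowerCase(Locale.ROOT).contains("twilio")) {
                // A SID is 34 hex chars and so never matches the 32-char token rule.
                collect(HEX32.matcher(line), "twilio-auth-token (probable)", findings);
            }
        }
        return findings;
    }

    private static void collect(Matcher m, String rule, List<Finding> out) {
        while (m.find()) {
            out.add(new Finding(rule, m.group()));
        }
    }

    /** Keep only the first and last four characters so reports can be shared safely. */
    static String redact(String value) {
        if (value.length() <= 8) return "****";
        return value.substring(0, 4) + "..." + value.substring(value.length() - 4);
    }

    /** Constructed sample input: none of these values are real credentials. */
    public static final List<String> SAMPLE = Arrays.asList(
        "String TWILIO_SID = \"AC0123456789abcdef0123456789abcdef\";",
        "String TWILIO_TOKEN = \"fedcba9876543210fedcba9876543210\";",
        "String S3_KEY = \"AKIAEXAMPLEKEY000001\";",
        "String BUILD_HASH = \"d41d8cd98f00b204e9800998ecf8427e\";" // unrelated MD5, not flagged
    );

    public static void main(String[] args) {
        List<Finding> findings = scan(SAMPLE);
        if (findings.isEmpty()) {
            System.out.println("No credential-shaped strings found.");
            return;
        }
        for (Finding f : findings) {
            System.out.println("FAIL " + f);
        }
        // Non-zero exit fails the build so the credentials never ship in the APK.
        System.exit(1);
    }
}
```

On the constructed sample the scanner reports the Account SID, the probable auth token and the AWS key id, and stays silent on the unrelated hash.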
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” warned Seth Hardy, Appthority Director of Security Research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
Earlier this year, Appthority reported that more than 1,000 iOS and Android applications installed on enterprise mobile devices had been exposing sensitive data via backend systems.
Android Security Bulletin—November 2017 – Google addresses critical flaws and high-risk KRACK vulnerabilities in Android
8.11.2017 securityaffairs Android
Android Security Bulletin—November 2017 – Google addresses critical vulnerabilities and high-risk KRACK flaws in Android OS.
Google released the Android Security Bulletin—November 2017, which addresses 31 vulnerabilities, 9 of which are critical remote code execution flaws.
The Android Security Bulletin includes three different security patch levels.
The 2017-11-01 and 2017-11-05 patch levels contain fixes for both Critical and High severity issues.
The 2017-11-06 patch level addresses only High-risk KRACK vulnerabilities.
“Android partners were notified of all issues in the 2017-11-01 and 2017-11-05 patch levels at least a month before publication. Android partners were notified of all issues in the 2017-11-06 patch level within the last month. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.” states the Android Security Bulletin—November 2017.
The 2017-11-01 security patch level addresses 11 issues, 6 of which are Critical RCE, 3 High severity elevation of privilege bugs, and 2 High severity information disclosure vulnerabilities.
The largest number of vulnerabilities affects the Media framework, where 7 issues were addressed:
CVE | References | Type | Severity | Updated AOSP versions
CVE-2017-0832 | A-62887820 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0833 | A-62896384 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0834 | A-63125953 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0835 | A-63316832 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0836 | A-64893226 | RCE | Critical | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0839 | A-64478003 | ID | High | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0840 | A-62948670 | ID | High | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
The 2017-11-05 security patch level addresses 11 vulnerabilities, including 3 Critical RCE vulnerabilities, 7 High-risk elevation of privilege bugs, and 1 High-severity information disclosure. Qualcomm components were the most impacted, with 7 issues addressed; one of the vulnerabilities could be exploited by a remote attacker to execute arbitrary code within the context of a privileged process.
References | Type | Severity | Component
QC-CR#2058261 | RCE | Critical | WLAN
QC-CR#2060959 | RCE | Critical | WLAN
QC-CR#2060959 | RCE | Critical | WLAN
QC-CR#2077454 | EoP | High | GPU driver
QC-CR#2045285 | EoP | High | QBT1000 driver
QC-CR#2055629 | EoP | High | Linux boot
QC-CR#2008683 | ID | High | Camera
The 2017-11-06 security patch level addresses 9 vulnerabilities related to the KRACK attack.
Starting in October 2017, Google began releasing a separate security bulletin for Nexus and Pixel devices.
The Pixel / Nexus Security Bulletin—November 2017 includes patches for over 50 bugs affecting the Framework, Media framework, Runtime, System and Kernel components, as well as MediaTek, NVIDIA, and Qualcomm components.
Investigating the security of online dating apps
25.10.2017 Kaspersky Android iOS
It seems just about everyone has written about the dangers of online dating, from psychology magazines to crime chronicles. But there is one less obvious threat not related to hooking up with strangers – and that is the mobile apps used to facilitate the process. We’re talking here about intercepting and stealing personal information and the de-anonymization of a dating service that could cause victims no end of troubles – from messages being sent out in their names to blackmail. We took the most popular apps and analyzed what sort of user data they were capable of handing over to criminals and under what conditions.
We studied the following online dating applications:
Tinder for Android and iOS
Bumble for Android and iOS
OK Cupid for Android and iOS
Badoo for Android and iOS
Mamba for Android and iOS
Zoosk for Android and iOS
Happn for Android and iOS
WeChat for Android and iOS
Paktor for Android and iOS
By de-anonymization we mean the user’s real name being established from a social media network profile where use of an alias is meaningless.
User tracking capabilities
First of all, we checked how easy it was to track users with the data available in the app. If the app included an option to show your place of work, it was fairly easy to match the name of a user and their page on a social network. This in turn could allow criminals to gather much more data about the victim, track their movements, identify their circle of friends and acquaintances. This data can then be used to stalk the victim.
Discovering a user’s profile on a social network also means other app restrictions, such as the ban on writing each other messages, can be circumvented. Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation. These restrictions don’t usually apply on social media, and anyone can write to whomever they like.
More specifically, in Tinder, Happn and Bumble users can add information about their job and education. Using that information, we managed in 60% of cases to identify users’ pages on various social media, including Facebook and LinkedIn, as well as their full names and surnames.
An example of an account that gives workplace information that was used to identify the user on other social media networks
In Happn for Android there is an additional search option: among the data about the users being viewed that the server sends to the application, there is the parameter fb_id – a specially generated identification number for the Facebook account. The app uses it to find out how many friends the user has in common on Facebook. This is done using the authentication token the app receives from Facebook. By modifying this request slightly – removing some of the original request and leaving the token – you can find out the name of the user in the Facebook account for any Happn users viewed.
Data received by the Android version of Happn
It’s even easier to find a user account with the iOS version: the server returns the user’s real Facebook user ID to the application.
Data received by the iOS version of Happn
Information about users in all the other apps is usually limited to just photos, age, first name or nickname. We couldn’t find any accounts for people on other social networks using just this information. Even a search of Google images didn’t help. In one case the search recognized Adam Sandler in a photo, despite it being of a woman that looked nothing like the actor.
The Paktor app allows you to find out email addresses, and not just of those users that are viewed. All you need to do is intercept the traffic, which is easy enough to do on your own device. As a result, an attacker can end up with the email addresses not only of those users whose profiles they viewed but also for other users – the app receives a list of users from the server with data that includes email addresses. This problem is found in both the Android and iOS versions of the app. We have reported it to the developers.
Fragment of data that includes a user’s email address
Some of the apps in our study allow you to attach an Instagram account to your profile. The information extracted from it also helped us establish real names: many people on Instagram use their real name, while others include it in the account name. Using this information, you can then find a Facebook or LinkedIn account.
Most of the apps in our research are vulnerable when it comes to identifying user locations prior to an attack, although this threat has already been mentioned in several studies (for instance, here and here). We found that users of Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor are particularly susceptible to this.
Screenshot of the Android version of WeChat showing the distance to users
The attack is based on a function that displays the distance to other users, usually to those whose profile is currently being viewed. Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them. This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.
Mamba for Android displays the distance to a user
Different apps show the distance to a user with varying accuracy: from a few dozen meters up to a kilometer. The less accurate an app is, the more measurements you need to make.
As well as the distance to a user, Happn shows how many times “you’ve crossed paths” with them
Unprotected transmission of traffic
During our research, we also checked what sort of data the apps exchange with their servers. We were interested in what could be intercepted if, for example, the user connects to an unprotected wireless network – to carry out an attack it’s sufficient for a cybercriminal to be on the same network. Even if the Wi-Fi traffic is encrypted, it can still be intercepted on an access point if it’s controlled by a cybercriminal.
Most of the applications use SSL when communicating with a server, but some things remain unencrypted. For example, Tinder, Paktor and Bumble for Android and the iOS version of Badoo upload photos via HTTP, i.e., in unencrypted format. This allows an attacker, for example, to see which accounts the victim is currently viewing.
HTTP requests for photos from the Tinder app
The Android version of Paktor uses the quantumgraph analytics module that transmits a lot of information in unencrypted format, including the user’s name, date of birth and GPS coordinates. In addition, the module sends the server information about which app functions the victim is currently using. It should be noted that in the iOS version of Paktor all traffic is encrypted.
The unencrypted data the quantumgraph module transmits to the server includes the user’s coordinates
Although Badoo uses encryption, its Android version uploads data (GPS coordinates, device and mobile operator information, etc.) to the server in an unencrypted format if it can’t connect to the server via HTTPS.
Badoo transmitting the user’s coordinates in an unencrypted format
The Mamba dating service stands apart from all the other apps. First of all, the Android version of Mamba includes a flurry analytics module that uploads information about the device (producer, model, etc.) to the server in an unencrypted format. Secondly, the iOS version of the Mamba application connects to the server using the HTTP protocol, without any encryption at all.
Mamba transmits data in an unencrypted format, including messages
This makes it easy for an attacker to view and even modify all the data that the app exchanges with the servers, including personal information. Moreover, by using part of the intercepted data, it is possible to gain access to account management.
Using intercepted data, it’s possible to access account management and, for example, send messages
Mamba: messages sent following the interception of data
Despite data being encrypted by default in the Android version of Mamba, the application sometimes connects to the server via unencrypted HTTP. By intercepting the data used for these connections, an attacker can also get control of someone else’s account. We reported our findings to the developers, and they promised to fix these problems.
An unencrypted request by Mamba
We also managed to detect this in Zoosk for both platforms – some of the communication between the app and the server is via HTTP, and the data is transmitted in requests, which can be intercepted to give an attacker the temporary ability to manage the account. It should be noted that the data can only be intercepted at that moment when the user is loading new photos or videos to the application, i.e., not always. We told the developers about this problem, and they fixed it.
Unencrypted request by Zoosk
In addition, the Android version of Zoosk uses the mopub advertising module. By intercepting this module’s requests, you can find out the GPS coordinates of the user, their age, sex, model of smartphone – all this is transmitted in unencrypted format. If an attacker controls a Wi-Fi access point, they can change the ads shown in the app to any they like, including malicious ads.
An unencrypted request from the mopub ad unit also contains the user’s coordinates
The iOS version of the WeChat app connects to the server via HTTP, but all data transmitted in this way remains encrypted.
Data in SSL
In general, the apps in our investigation and their additional modules use the HTTPS protocol (HTTP Secure) to communicate with their servers. The security of HTTPS is based on the server having a certificate whose authenticity can be verified. In other words, the protocol makes it possible to protect against man-in-the-middle (MITM) attacks: the certificate must be checked to ensure it really does belong to the specified server.
We checked how good the dating apps are at withstanding this type of attack. This involved installing a ‘homemade’ certificate on the test device, which allowed us to ‘spy on’ the encrypted traffic between the server and the application, and checking whether the app verifies the validity of the certificate.
It’s worth noting that installing a third-party certificate on an Android device is very easy, and the user can be tricked into doing it. All you need to do is lure the victim to a site containing the certificate (if the attacker controls the network, this can be any resource) and convince them to click a download button. After that, the system itself will start installation of the certificate, requesting the PIN once (if one is set) and suggesting a certificate name.
Everything’s a lot more complicated with iOS. First, you need to install a configuration profile, and the user needs to confirm this action several times and enter the password or PIN number of the device several times. Then you need to go into the settings and add the certificate from the installed profile to the list of trusted certificates.
It turned out that most of the apps in our investigation are to some extent vulnerable to an MITM attack. Only Badoo and Bumble, plus the Android version of Zoosk, use the right approach and check the server certificate.
It should be noted that though WeChat continued to work with a fake certificate, it encrypted all the transmitted data that we intercepted, which can be considered a success since the gathered information can’t be used.
Message from Happn in intercepted traffic
Remember that most of the programs in our study use authorization via Facebook. This means the user’s password is protected, though a token that allows temporary authorization in the app can be stolen.
Token in a Tinder app request
A token is a key used for authorization that is issued by the authentication service (in our example Facebook) at the request of the user. It is issued for a limited time, usually two to three weeks, after which the app must request access again. Using the token, the program gets all the data it needs for authentication and can authenticate the user on its servers simply by verifying the validity of the token.
Example of authorization via Facebook
It’s interesting that Mamba sends a generated password to the user’s email address after registration via the Facebook account. The same password is then used for authorization on the server. Thus, in the app, you can intercept a token or even a login and password pair, meaning an attacker can log in to the app.
App files (Android)
We decided to check what sort of app data is stored on the device. Although the data is protected by the system, and other applications don’t have access to it, it can be obtained with superuser rights (root). Because there are no widespread malicious programs for iOS that can get superuser rights, we believe that for Apple device owners this threat is not relevant. So only Android applications were considered in this part of the study.
Superuser rights are not that rare when it comes to Android devices. According to KSN, in the second quarter of 2017 they were installed on smartphones by more than 5% of users. In addition, some Trojans can gain root access themselves, taking advantage of vulnerabilities in the operating system. Studies on the availability of personal information in mobile apps were carried out a couple of years ago and, as we can see, little has changed since then.
Analysis showed that most dating applications are not ready for such attacks; by taking advantage of superuser rights, we managed to get authorization tokens (mainly from Facebook) from almost all the apps. Authorization via Facebook, when the user doesn’t need to come up with new logins and passwords, is a good strategy that increases the security of the account, but only if the Facebook account is protected with a strong password. However, the application token itself is often not stored securely enough.
Tinder app file with a token
Using the generated Facebook token, you can get temporary authorization in the dating application, gaining full access to the account. In the case of Mamba, we even managed to get a password and login – they can be easily decrypted using a key stored in the app itself.
Mamba app file with encrypted password
Most of the apps in our study (Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor) store the message history in the same folder as the token. As a result, once the attacker has obtained superuser rights, they will have access to correspondence.
Paktor app database with messages
In addition, almost all the apps store photos of other users in the smartphone’s memory. This is because apps use standard methods to open web pages: the system caches any images that have been opened. With access to the cache folder, you can find out which profiles the user has viewed.
Having gathered together all the vulnerabilities found in the studied dating apps, we get the following table:
| App | Location | Stalking | HTTP (Android) | HTTP (iOS) | HTTPS | Messages | Token |
|---|---|---|---|---|---|---|---|
| Tinder | + | 60% | Low | Low | + | + | + |
| Bumble | – | 50% | Low | NO | – | + | + |
| OK Cupid | – | 0% | NO | NO | + | + | + |
| Badoo | – | 0% | Medium | NO | – | + | + |
| Mamba | + | 0% | High | High | + | – | + |
| Zoosk | + | 0% | High | High | – (+ iOS) | – | + |
| Happn | + | 100% | NO | NO | + | + | + |
| WeChat | + | 0% | NO | NO | – | – | – |
| Paktor | + | 100% (emails) | Medium | NO | + | + | + |
Location — determining user location (“+” – possible, “-” not possible)
Stalking — finding the user’s full name and their accounts on other social networks; the percentage indicates the share of test users who were successfully identified
HTTP — the ability to intercept data sent by the application in unencrypted form (“NO” – could not find such data, “Low” – non-dangerous data, “Medium” – data that can be dangerous, “High” – intercepted data that can be used to take over the account).
HTTPS — interception of data transmitted inside the encrypted connection (“+” – possible, “-” not possible).
Messages — access to user messages by using root rights (“+” – possible, “-” not possible).
TOKEN — possibility to steal authentication token by using root rights (“+” – possible, “-” not possible).
As you can see from the table, some apps practically do not protect users’ personal information. However, overall, things could be worse, even with the proviso that in practice we didn’t study too closely the possibility of locating specific users of the services. Of course, we are not going to discourage people from using dating apps, but we would like to give some recommendations on how to use them more safely. First, our universal advice is to avoid public Wi-Fi access points, especially those that are not protected by a password, use a VPN, and install a security solution on your smartphone that can detect malware. These are all very relevant for the situation in question and help prevent the theft of personal information. Secondly, do not specify your place of work, or any other information that could identify you. Safe dating!
Google to add "DNS over TLS" security feature to Android OS
24.10.2017 thehackernews Android
No doubt your Internet Service Providers (ISPs) or network-level hackers cannot spy on HTTPS communications.
But do you know — ISPs can still see all of your DNS requests, allowing them to know what websites you visit.
Google is working on a new security feature for Android that could protect your Internet traffic from network spoofing attacks.
Almost every Internet activity starts with a DNS query, making it a fundamental building block of the Internet. DNS works as the Internet's phone book, resolving human-readable web addresses, like thehackernews.com, to their IP addresses.
DNS queries and responses are sent in clear text (using UDP or TCP) without encryption, which makes them vulnerable to eavesdropping and compromises privacy.
By default, DNS queries are resolved by your ISP's servers. So when you type a website name in your browser, the query first goes to their DNS servers to find the website's IP address, which exposes this information (metadata) to your ISP.
Moreover, DNS Security Extensions — widely known as DNSSEC — only offer data integrity, not privacy.
To address this problem, the Internet Engineering Task Force (IETF) last year proposed an experimental feature called DNS over TLS (RFC 7858), which works approximately the same way HTTPS does.
Just as the Transport Layer Security (TLS) protocol cryptographically secures HTTPS connections, DNS-over-TLS dramatically enhances privacy and security with end-to-end authenticated DNS lookups.
Google is reportedly adding "DNS over TLS" support to the Android Open Source Project (AOSP), currently at an experimental stage, to allow smartphone users to turn the "DNS over TLS" feature on or off under Developer Options.
"Presumably, if such an option is being added to Developer Options, then that means it is in testing and may arrive in a future version of Android such as version 8.1," Xda-developers said in a blog post.
However, just enabling the "DNS over TLS" feature would not prevent your ISP from knowing what websites you visit.
Server Name Indication (SNI) — an extension of the TLS protocol — also reveals to ISPs which hostname the browser is contacting, because it is sent in the clear at the beginning of the 'handshake' process.
So to enjoy full anonymity, users are still required to use a trusted secure VPN service in combination with the DNS-over-TLS protocol.
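As an added example (not from the article, from Google or from AOSP), the following Python script builds a DNS A query, frames it with the two-octet length prefix that RFC 7858 borrows from DNS over TCP, sends it over a certificate-verified TLS connection to port 853 and parses the answer. The resolver address and hostname are placeholders supplied by the caller, the embedded reply is constructed so the parser can be run offline, and the certificate check it performs is the one the dating-app study above found most apps skipping.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # port reserved for DNS over TLS by RFC 7858

def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 wire-format query (type A, class IN by default)."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # random id, matched against the reply
    # flags 0x0100 = recursion desired; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_for_tls(msg):
    """RFC 7858 reuses the DNS-over-TCP framing: a 2-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            (pointer,) = struct.unpack("!H", msg[offset:offset + 2])
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(response, expected_txid):
    """Return the IPv4 addresses in the answer section, after basic sanity checks."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(response, offset)
        offset += 4  # qtype + qclass
    addrs = []
    for _ in range(an):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs

def _recv_exact(sock, n):
    """Read exactly n bytes; TLS records do not align with DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def resolve_over_tls(name, resolver_ip, resolver_hostname, timeout=5.0):
    """Resolve `name` via a DNS-over-TLS resolver whose address and hostname are
    placeholders supplied by the caller. create_default_context() verifies the
    certificate chain and hostname, so a forged certificate on the path is
    rejected rather than silently accepted."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    (txid,) = struct.unpack("!H", query[:2])
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        # server_hostname is the resolver's name; it is sent in SNI in the clear,
        # just as the website's name will be in the HTTPS handshake that follows.
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame_for_tls(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)

# Constructed sample reply (txid 0x1234) answering example.com -> 192.0.2.1 (TEST-NET-1).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80"                  # txid; QR=1, RD, RA, RCODE 0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # 1 question, 1 answer, 0 authority, 0 additional
    b"\x07example\x03com\x00\x00\x01\x00\x01"  # question: example.com, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01"          # answer name (pointer to offset 12), type A, IN
    b"\x00\x00\x01\x2c\x00\x04"          # TTL 300, RDLENGTH 4
    b"\xc0\x00\x02\x01"                  # 192.0.2.1
)
```

Calling resolve_over_tls("example.com", "<resolver IP>", "<resolver hostname>") against a real RFC 7858 resolver returns its A records; the constant lets parse_a_records be checked without a network.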
Google launched Google Play Security Reward bug bounty program to protect apps in Play Store
20.10.2017 securityaffairs Android
Google has launched Google Play Security Reward, the bug bounty program that will pay $1,000 rewards for flaws in popular apps.
Google has officially launched a bug bounty program for Android apps on Google Play Store, a measure that aims to improve the security of Android apps. The initiative, called Google Play Security Reward, will involve the security community in finding and reporting vulnerabilities in some of the most popular Android apps available in the official store.
The Google Play Security Reward invites security researchers to work directly with Android app developers to find and fix security issues in their applications; the experts will receive $1,000 in rewards.
“The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure,” reads a blog post published by Google.
“All Google’s apps are included and developers of popular Android apps are invited to opt-in to the program. Interested developers who aren’t currently in the program should discuss it with their Google Play partner manager. Through the program, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.”
The Google Play Security Reward Program is operated in collaboration with the bug bounty platform HackerOne.
Anyone who wants to participate in the bug bounty program can submit their findings directly to the app development team. Once the vulnerability has been fixed, the expert only needs to submit their bug report through the HackerOne platform.
According to the Google Vulnerability Criteria, the experts will receive their $1,000 rewards. Currently, the program is focused on finding RCE (remote-code-execution) vulnerabilities and related exploit code that works on Android 4.4 devices and higher. An attacker must be able to run arbitrary code on a user’s device without the user’s knowledge or interaction.
“All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer,” reads the announcement published on HackerOne.
“For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher.”
Recently, security experts reported numerous cases of malicious apps deployed on the Google Play store that infected millions of Android users.
The Google Play Security Reward program does not cover reporting fake or bogus apps available on the Google Play store, so it will not help limit the number of malicious applications in the official store.
At the time of writing, only a few Android apps have been added to the Google Play Security Reward Program, including Alibaba, Snapchat, Duolingo, Line, Dropbox, Headspace, Mail.ru and Tinder.
Google Play Store Launches Bug Bounty Program to Protect Popular Android Apps
20.10.2017 thehackernews Android
Better late than never.
Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps.
Dubbed "Google Play Security Reward," the bug bounty program invites security researchers to work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1,000 in rewards.
"The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem," the technology giant says in a blog post published today.
Google has collaborated with the bug bounty platform HackerOne to manage the backend for this program, such as submitting reports and inviting white-hat hackers and researchers.
White-hat hackers who wish to participate can submit their findings directly to the app developers. Once the security vulnerability has been resolved, the hacker needs to submit their bug report to HackerOne.
Google will then pay out a reward of $1,000 based on its Vulnerability Criteria; according to the company, more criteria may be added in the future, creating more scope for rewards.
"All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer." HackerOne said.
"For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher."
It is an unfortunate truth that, even after so many efforts by Google, malicious apps somehow keep managing to fool the Play Store's security mechanisms and infect millions of Android users.
It's notable that the Google Play Security Reward program does not include finding and reporting fake, adware or malware apps available on the Google Play store, so the program will not curb the increase in malicious apps on Google's app platform.
For now, a limited number of Android apps have been added to Google Play Security Reward Program, including Alibaba, Snapchat, Duolingo, Line, Dropbox, Headspace, Mail.ru and Tinder.
So what are you waiting for?
Roll up your sleeves and start hunting for vulnerabilities. For more details about Google Play Security Reward Program, visit HackerOne.
Android Ransomware Abuses Accessibility Services
17.10.2017 securityweek Android
A newly discovered ransomware family targeting Android devices is abusing the platform’s accessibility services, ESET warns.
Dubbed DoubleLocker, this innovative Android malware doesn’t merely encrypt users’ data, but also locks the infected devices down, security researchers from ESET say.
The ransomware is based on the source code of BankBot banking Trojan, which is already known for misusing accessibility services on Android. However, the new malware family lacks the functions related to harvesting users’ banking credentials and instead uses two other tools for extorting money from its victims.
BankBot had its source code leaked online in late 2016, which already spawned numerous banking Trojan variations. However, DoubleLocker is the first Android ransomware to leverage the leaked code.
DoubleLocker mainly spreads as a fake Adobe Flash Player application downloadable through compromised websites. Once installed on the victim’s device, it requests activation of the accessibility service called “Google Play Service,” which allows it to gain administrator rights and set itself as the default Home application, without the user’s consent.
The malware also changes the device’s PIN code, thus locking the victim out. The new PIN is a randomly generated value that isn’t stored on the device or sent out, which prevents the user from recovering it. The attackers, however, have the ability to remotely reset the PIN and unlock the device.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the Home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launched malware by hitting Home,” explains ESET Malware Researcher Lukáš Štefanko.
Next, the ransomware encrypts all of the files located in the device’s primary storage directory. The malware uses the AES encryption algorithm for this operation and appends the .cryeye extension to the affected files.
The ransom note claims that the original files have been deleted and that users should pay the ransom within 24 hours. The malware asks for a 0.0130 Bitcoin ransom (around $50) and displays a QR code that should make it easier for victims to pay.
“DoubleLocker misuses Android accessibility services, which is a popular trick among cybercriminals. Its payload can change the device’s PIN, preventing the victim from accessing their device and encrypts the victim’s data. Such a combination hasn’t been seen yet in the Android ecosystem,” Štefanko says.
The security researcher also points out that, although the ransomware lacks the credential harvesting capabilities BankBot has, such functionality could be easily added to it.
“Given its banking malware roots, DoubleLocker may well be turned into what can be called ransom-bankers. Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom… Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017,” warns Štefanko.
Android Trojan Infrastructure Serves Fake Adobe Flash Apps
15.10.2017 securityweek Android
The recently discovered Red Alert 2 Android Trojan is using an infrastructure that serves fake Adobe Flash Android apps to unsuspecting users, RiskIQ has discovered.
The threat was first detailed last month, when SfyLabs researchers revealed that communication between infected bots and the command and control (C&C) server was performed using Twitter. Written from scratch, Red Alert is capable of stealing login credentials, intercepting SMS messages, and stealing contacts.
Targeting financial institutions and media organizations, the malware is using overlays to steal banking credentials and can also block and log incoming calls from banks, thus preventing intrusion detection.
Now, the RiskIQ researchers say they have managed to identify the infrastructure related to the malware. Starting from a single domain (which resolves to IP address 185.48.56[.]83), the researchers were able to find the email address used to register the domain (email@example.com) and discovered eight additional domains of interest.
Thus, the researchers found two malicious apps purporting to be Adobe Flash Player updates and which were hosted on two of these sites, namely g-shoock[.]xyz and g-shoock[.]ru.
These malicious apps can access network state, get tasks, connect to the Internet, read phone state and SMS, receive SMS messages, and write SMS. They also support commands such as RECEIVE_BOOT_COMPLETED, SYSTEM_ALERT_WINDOW, and WAKE_LOCK.
The two domains, which started resolving around the beginning of June 2017, revealed connections to a larger actor-owned infrastructure. They overlap via passive DNS on the same IP address first associated with Red Alert.
The security researchers also discovered that the infrastructure is still active and that additional Adobe Flash typosquatting domains have been registered by the actor in recent days. These domains too are used for the downloading of APK files.
“While, at this time, VirusTotal shows the APK file in question as not malicious, its connection to infrastructure previously connected to known malicious apps and the fact that the domains are typosquatting Adobe’s brand leads RiskIQ to assess that this is, in fact, malicious,” the security researchers note.
Last month, SfyLabs revealed that Red Alert would also masquerade as popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates. The researchers also noted that the Trojan was targeting at least 60 banking applications with HTML overlays.
DoubleLocker, the Android Ransomware that encrypts files and changes PIN Lock
14.10.2017 securityaffairs Android
Crooks have developed a strain of Android ransomware dubbed DoubleLocker that both encrypts user data and changes the PIN lock.
DoubleLocker, the name says it all, is a new malware that not only encrypts data on Android mobile devices but also changes the PIN lock.
The DoubleLocker ransomware was discovered by security researchers from cybersecurity firm ESET.
DoubleLocker is the first-ever ransomware to abuse the Android accessibility feature that implements alternative ways to interact with a mobile device.
The Android accessibility services are abused by several mobile malware including banking Trojan and adware.
“Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers.” explained Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker. “Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom… Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017.”
Researchers first detected the DoubleLocker ransomware in May; crooks spread it as a fake Adobe Flash update via compromised websites.
Once the victim launches the app, it requests activation of the malware’s accessibility service, named “Google Play Service”. Once the malicious code has obtained the accessibility permissions, it uses them to activate device administrator rights and set itself as the default Home application without the user’s consent.
“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home,” explains Štefanko.
DoubleLocker, once executed on the device, first changes the device PIN to a random value that neither the crooks know nor is stored anywhere. At the same time, the ransomware encrypts all the files using the AES encryption algorithm and appends the extension “.cryeye” to each file.
Unfortunately, the encryption process has no bugs, making it impossible to recover the files without receiving the encryption key from the crooks.
The ransomware demands 0.0130 BTC (approximately USD 73.83 at the time of writing). The ransom payment must be completed within 24 hours.
If the victim pays the ransom, they will receive the decryption key to unlock the files and the crooks will remotely reset the PIN to unlock the victim’s device.
The researchers highlighted that there is no way to unlock the encrypted files on non-rooted devices; in this case, the only way to clean the device is to factory-reset the phone.
Users with rooted Android devices with debugging mode enabled can use the Android Debug Bridge (ADB) tool to reset PIN without formatting their phones.
“For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work, the device needed to be in the debugging mode before the ransomware got activated.” reads the analysis from ESET.
As usual, the best way to protect your device is to install applications only from trusted stores, like Google Play, and to pay attention to the reputation of the developers.
Be vigilant with any links provided in an unsolicited email, SMS or instant messaging app message.
Do not forget to install an antivirus app on your mobile device and keep all running software up-to-date.
Enterprises Blacklist iOS Apps Due to Data Leakage: Report
4.10.2017 securityweek Android iOS
A report published on Tuesday by mobile security firm Appthority reveals which Android and iOS applications are most frequently blacklisted by enterprises.
According to data collected by Appthority, iOS apps are typically blacklisted due to the fact that they leak data. The most commonly blacklisted iOS app is WhatsApp, which has a high risk rating due to the fact that it sends information from the device’s address book to a remote server.
Another commonly blacklisted iOS app is Pokemon GO, which accesses a device’s address book and camera, and tracks the user’s location. WinZip is also banned by many organizations due to the fact that it sends SMS messages.
This type of behavior can pose a serious risk in an enterprise environment, especially if the data is transmitted without being encrypted.
A majority of the top blacklisted iOS apps are in the social networking and entertainment category, as opposed to Android where many of the blacklisted applications are tools.
The most frequently blacklisted Android app is Poot, a tool that allows users to root their devices. Other commonly banned programs are AndroidSystemTheme, Where’s My Droid Pro, Weather, and Wild Crocodile Simulator.
While some Android apps have been blacklisted for tracking the user’s location or sending data unencrypted, in most cases the problem is that they exhibit malicious behavior.
An analysis of the top 150 mobile apps found in enterprise environments showed that in the case of Android applications, 86.7% of connections are to a server located in the United States, followed by Ireland (7.7%), Germany (2.1%) and Sweden (0.7%). In the case of iOS apps, nearly 94% of connections go to servers in the United States, followed by Ireland (3.82%), the Netherlands (0.86%) and Germany (0.86%).
Appthority’s report also lists the top 100 Android and iOS applications used in enterprises, along with their risk score, which can help organizations assess the risks associated with apps commonly used by their employees.
“Enterprise security teams need to understand which mobile apps are being used, the risks they bring, and how their peers are utilizing mobile threat policies to more effectively secure corporate data,” explained Domingo Guerra, president and co-founder of Appthority. “With BYOD and COPE, many commonly used app-store approved apps are making their way into enterprises and posing risks to sensitive corporate data.”
Android Malware Exploits Dirty COW Vulnerability
27.9.2017 securityweek Android
A recently discovered piece of Android malware is exploiting the infamous "Dirty COW" Linux vulnerability discovered nearly a year ago, Trend Micro researchers warn.
Dubbed ZNIU, the malware attempts to exploit Dirty COW, which was disclosed in October 2016. The issue is caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
Tracked as CVE-2016-5195, the vulnerability was found to affect Android devices as well, and Google released a patch for Google devices in December, as part of its monthly set of security updates.
While all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW, Trend Micro revealed in early December that the vulnerability can be leveraged to write malicious code directly into processes. They also said that the flaw can be triggered in a manner different from previously observed attacks.
Now, the security firm claims to have discovered “the first malware family to exploit the vulnerability on the Android platform,” namely ZNIU. Observed in attacks in over 40 countries last month, the threat appears mainly focused on China and India.
The researchers say that over 5,000 users have been already infected with the malware, and that the U.S., Japan, Canada, Germany, and Indonesia are among the affected countries. They also reveal that “more than 1,200 malicious apps that carry ZNIU were found in malicious websites with an existing rootkit that exploits Dirty COW.”
The exploit code only works on Android devices with ARM/X86 64-bit architecture, but was designed to bypass SELinux and plant a root backdoor. Four out of six ZNIU rootkits the researchers have been keeping an eye on were Dirty COW exploits, while the other two were KingoRoot and Iovyroot (they can root ARM 32-bit CPU devices).
The malware usually masquerades as a porn app. Once installed, it establishes communication with the command and control (C&C) server and updates itself if a new version is available. It also fetches the appropriate rootkits from the remote server and uses them to escalate privileges and plant a backdoor for potential remote control attacks.
The malware was found to use encryption when communicating with the server. The researchers determined that the domain and server host is located in China.
ZNIU collects the carrier information of the device and starts interacting with the carrier through an SMS-enabled payment service. Thus, the malware operators collect money through the carrier’s payment service. However, such SMS transactions are possible only with carriers in China, meaning that, on devices outside the country, the malware would only install the backdoor.
“In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China censored in the picture below. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator,” the researchers say.
Vulnerabilities Found in Many Mobile Stock Trading Apps
27.9.2017 securityweek Android
An analysis of popular mobile stock trading apps showed that many of them are vulnerable to hacker attacks due to the existence of flaws and the lack of important security features.
IOActive researcher Alejandro Hernández tested a total of 21 widely used stock trading applications for Android and iOS. The expert’s tests focused on 14 security controls and they were conducted on a non-jailbroken iPhone 6 running iOS 10.3.3 and an emulation of a rooted device running Android 7.1.1.
The companies whose apps have been targeted have not been named, but Hernandez pointed out that the most secure application was developed by a brokerage firm that suffered a data breach many years ago.
Some of the issues discovered by the researcher can be exploited by having physical access to the targeted device. These include passwords stored in clear text by 19% of the tested apps, and various types of sensitive data logged without encryption by roughly two-thirds of the apps.
Mobile stock trading applications typically allow users to buy or sell stock, transfer funds from their bank accounts, keep track of equity, monitor owned securities and profit, create alerts for specified thresholds, and communicate with other traders.
These operations involve highly sensitive personal and financial information, which should not be stored without encryption and should not be protected by a password that can be easily obtained by unauthorized users. In some cases, poor policies prevent users from setting strong passwords.
The list of problems identified by the researcher also includes the lack of detection for rooted devices (in the case of Android apps), the lack of proper obfuscation, hardcoded cryptographic keys and passwords, and data leakage. Hardcoded secrets were found in the code of 62 percent of the targeted applications.
IOActive has informed 13 of the brokerage firms whose apps had high risk vulnerabilities, but only two of them replied to the security firm’s emails.
“Digging in some US regulators’ websites, I noticed that they are already aware of the cybersecurity threats that might negatively impact financial markets and stakeholders,” Hernandez said in a blog post. “Most of the published content focuses on general threats that could impact end-users or institutions such as phishing, identity theft, antivirus software, social media risks, privacy, and procedures to follow in case of cybersecurity incidents, such as data breaches or disruptive attacks.”
“Nevertheless, I did not find any documentation related to the security risks of electronic trading nor any recommended guidance for secure software development to educate brokers and FinTech companies on how to create quality products,” he added.
Android App Siphons Data on 200 Million Users
27.9.2017 securityweek Android
A popular Android keyboard application with over 200 million downloads was found gathering user information and sending the data to a remote server, Adguard reveals.
The offending application, GO Keyboard, has two versions available in Google Play, namely GO Keyboard - Emoji keyboard, Swipe input, GIFs and GO Keyboard - Emoticon keyboard, Free Theme, GIF, each with over 100 million downloads to date.
The keyboard is developed by Chinese firm GOMO, which has numerous applications in the mobile app store, under two developer accounts, namely GOMO Dev Team and GOMO Apps.
According to Adguard security researchers, the applications were designed to siphon a large amount of user data, including Google account emails, device language, IMSI, location, network type, screen size, Android version and build, and device model.
On top of that, the researchers also discovered that, shortly after installation, both applications would download and execute code from a remote server. Among the downloaded plugins, the researchers discovered some that have been marked as adware or potentially unwanted programs.
Because of this behavior, the applications are considered malicious in nature, the researchers say. They clearly violate the Google Play content policies, which state that apps are prohibited from stealing a user’s authentication information, as well as from downloading executable code from a source other than Google Play.
Another worrying aspect is that, because these applications are keyboards, everything that the user enters on the phone goes through them. The apps also communicate with dozens of third-party trackers and ad networks, in addition to getting access to sensitive data such as users’ identity, phone calls log, contacts, and microphone.
“Given the apps' extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants,” Andrey Meshkov, Co-founder, Adguard, points out.
The security researchers have reported their findings to Google but it appears that the company hasn’t taken a decision yet and that both GO Keyboard versions continue to be available in Google Play.
ZNIU, the first Android malware family to exploit the Dirty COW vulnerability
27.9.2017 securityaffairs Android
Security experts at Trend Micro have recently spotted a new strain of Android malware, dubbed ZNIU, that exploits the Dirty COW Linux kernel vulnerability.
The Dirty COW vulnerability was discovered by the security expert Phil Oester in October 2016, it could be exploited by a local attacker to escalate privileges.
The name ‘Dirty COW’ is due to the fact that it’s triggered by a race condition in the way the Linux kernel memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
According to the security advisory published by Red Hat, the vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.
The flaw affects Android devices as well; for this reason, Google issued a security patch for its mobile OS in December, as part of its monthly set of security updates.
Researchers with Trend Micro revealed in early December that the flaw can be exploited by attackers in many ways to write malicious code directly into processes.
Back to the present, Trend Micro discovered the first malware family that exploits the Dirty COW flaw on the Android platform.
“Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.” reads the analysis published by Trend Micro.
“The ZNIU malware was detected in more than 40 countries last month,”
The infections spread across more than 40 countries last month; 5,000 users have already been infected by the ZNIU malware. Most of the attacks have been observed in China and India, followed by the U.S., Japan, Canada, Germany, and Indonesia.
The experts discovered more than 1,200 malicious apps carrying ZNIU hosted on malicious websites; the applications include a rootkit that exploits Dirty COW.
According to the experts, the malicious code only works on Android devices based on ARM/X86 64-bit architecture. The exploit is able to bypass SELinux and establish a root backdoor.
“We worked on a Proof-of-Concept (PoC) for Dirty COW last year and found out that all versions of the Android OS were susceptible to exploitation, while ZNIU’s leveraging of Dirty COW only works on Android devices with ARM/X86 64-bit architecture. However, this recent exploit can bypass SELinux and plant a root backdoor, while the PoC can only modify the service code of the system.” continues the analysis.
“We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805). ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot.”
The malicious code is concealed behind an apparent porn app that, once installed, contacts the C&C server to update itself. The malware fetches the appropriate rootkits from the C&C server, uses the exploit to escalate privileges and establishes a backdoor.
The domain and command and control server used by the ZNIU malware is located in China.
ZNIU harvests the carrier information and starts interacting with the carrier through an SMS-enabled payment service. The malware operators collect money through the carrier’s payment service; this specific SMS-based service is available only with carriers in China, which means the malware would not be effective outside the country.
“In one of our samples, we saw in its code that payments were directed to a dummy company, which, based on network traffic, we were able to locate in a city in China censored in the picture below. When the SMS transaction is over, the malware will delete the messages from the device, leaving no sign of the transaction between the carrier and the malware operator,” states Trend Micro.
As usual, to stay safe install only apps from Google Play or trusted third-party app stores, and use mobile security solutions.
First Android Malware Found Exploiting Dirty COW Linux Flaw to Gain Root Privileges
26.9.2017 thehackernews Android
Nearly a year after the disclosure of the Dirty COW vulnerability that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users, researchers have warned.
Publicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel—a part of virtually every Linux distribution, including Red Hat, Debian, and Ubuntu—for years and was actively exploited in the wild.
The vulnerability allows an unprivileged local attacker to gain root access through a race condition issue, gain access to read-only root-owned executable files, and permit remote attacks.
However, security researchers from Trend Micro published a blog post on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU.
This is the first time we have seen a malware sample to contain an exploit for the vulnerability designed to compromise devices running on the mobile platform.
This Dirty Cow Exploit found in Over 1,200 Android Apps
The malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android's Linux kernel and install a backdoor which can then be used by attackers to collect data and generate profit through a premium rate phone number.
Trend Micro researchers detected the ZNIU malware in more than 1,200 malicious Android apps—some of which disguised themselves as pornography and gaming apps—alongside host websites containing malware rootkits that exploit Dirty Cow.
While the Dirty Cow flaw impacts all versions of the Android operating system, ZNIU's Dirty Cow exploit only affects Android devices with ARM/X86 64-bit architecture. However, the recent exploit can be used to bypass SELinux and plant backdoors.
"We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805)," the researchers said.
"ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot."
Here's How the ZNIU's Dirty Cow exploit Works
Once downloaded and installed, the ZNIU malware-carrying app communicates with its command-and-control (C&C) server to check for code updates, while simultaneously the Dirty Cow exploit provides local privilege escalation to gain root access on the device, bypass system restrictions and "plant a backdoor for potential remote control attacks in the future."
The malware also harvests the carrier information of the user and attempts to send payments via premium SMS messages that were directed to a dummy company in China.
Once the SMS transaction is over, the malware also deletes the messages from the device in order to erase evidence of any compromise.
The researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while others reside in the United States, Japan, Canada, Germany and Indonesia.
Google has released an update for Android that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its Play Protect now protects Android users against this malware.
The easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.
Google Discloses Critical Wi-Fi Flaws Affecting iOS, Android
26.9.2017 securityweek Android Apple
Google Project Zero has disclosed the details of two critical remote code execution vulnerabilities affecting the Broadcom Wi-Fi chips found in many Android and iOS devices.
The flaws, identified as CVE-2017-11120 and CVE-2017-11121, were patched in Android on September 5 with this month’s security updates and in iOS on September 19 with the release of iOS 11. tvOS versions prior to 11 are also impacted.
Until now, the only details known about these vulnerabilities were the fact that they are memory corruptions that could allow arbitrary code execution, and that they affect Broadcom Wi-Fi drivers.
Advisories made public late on Monday by Gal Beniamini of Google Project Zero provide additional details about the flaws and the Broadcom chips they affect.
“Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS,” the researcher explained.
The weakness tracked as CVE-2017-11120 is an out-of-bounds write issue that exists due to the way the Broadcom firmware handles the Neighbor Report Response frame of the Radio Resource Management standard. By injecting a large value into one of the buffers, an attacker within Wi-Fi range can achieve arbitrary code execution.
Beniamini said he found the problematic code in different versions of the Wi-Fi firmware, including on iPhone 7 and Samsung S7 Edge smartphones. The researcher has published a proof-of-concept (PoC) exploit for the iPhone 7. He believes the attack, which requires the targeted device to connect to a Wi-Fi network set up by the attacker, should work on all versions prior to iOS 11.
“Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” he explained.
The second flaw, CVE-2017-11121, allows remote code execution due to multiple buffer overflows when handling reassociation responses via the Fast BSS Transition feature. Beniamini has provided detailed technical information on how the vulnerability can be exploited, but he has not released an actual exploit.
This was not the first time Beniamini discovered critical Android and iOS vulnerabilities introduced by Broadcom Wi-Fi chips. In April, the researcher reported finding several remote code execution, privilege escalation and information disclosure flaws that could have been exploited without user interaction.
Another similar vulnerability, dubbed “Broadpwn,” was discovered earlier this year by Exodus Intelligence researcher Nitay Artenstein.
Red Alert 2.0: New Android Banking Trojan for Sale on Hacking Forums
19.9.2017 thehackernews Android
The recent discoveries of dangerous variants of the Android banking Trojan families, including Faketoken, Svpeng, and BankBot, present a significant threat to online users who may have their login credentials and valuable personal data stolen.
Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented on many dark websites for $500 per month, SfyLabs' researcher Han Sahin told The Hacker News.
Dubbed Red Alert 2.0, the Android banking malware has been fully written from scratch, unlike other banking trojans, such as BankBot and ExoBot, which were evolved from the leaked source code of older trojans.
The Red Alert banking malware has been distributed via many online hacking forums for the last few months, and its creators have continuously been updating the malware to add new functionalities in an effort to make it a dangerous threat to potential victims.
Malware Blocks Incoming Calls from Banks
Like most other Android banking trojans, Red Alert has a large number of capabilities such as stealing login credentials, hijacking SMS messages, displaying an overlay on the top of legitimate apps, contact list harvesting, among others.
Besides this, Red Alert actors have also added an interesting functionality to its malware, like blocking and logging all incoming calls associated with banks and financial associations.
This would potentially allow the Red Alert malware to prevent victims from receiving warnings of a compromised account from their banks.
Malware Uses Twitter As Backup C&C Infrastructure
Another interesting thing about Red Alert 2.0 is that it uses Twitter to avoid losing bots when its command and control server is knocked offline.
"When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account," SfyLabs researchers said in a blog post.
"This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan."
The Red Alert 2.0 is currently targeting victims from more than 60 banks and social media apps across the world and works on Android 6.0 (Marshmallow) and previous versions.
Here's How the Red Alert 2.0 Trojan Works:
Once installed on victim's phone via the third-party app store, the malware waits for the victim to open a banking or social media app, whose interface it can simulate, and once detected, the Trojan immediately overlays the original app with a fake user interface.
The fake interface then informs the victim that there is an error while logging the user in and requests the user to re-authenticate his/her account.
As soon as the user enters the credentials into the fake user interface, Red Alert records them and sends them to the attacker-controlled command and control (C&C) server to be used by the attackers to hijack the account.
In the case of banking apps, the recorded information is used by attackers to initiate fraudulent transactions and drain the victim's bank account.
Since Red Alert 2.0 can also intercept SMS text messages received by the infected smartphone, the trojan could work around two-factor authentication techniques that otherwise are designed to throttle such attacks.
Ways to Protect Yourself Against Such Android Banking Trojans
The easiest way to prevent yourself from being a victim of one such mobile banking Trojan is to avoid downloading apps via third-party app stores or links provided in SMS messages or emails.
Just to be on the safer side, go to Settings → Security and make sure "Unknown sources" option is turned off on your Android device that blocks installation of apps from unknown sources.
Most importantly, verify app permissions before installing any app, even from the official Google Play Store, and if you find an application asking for more permissions than it needs, just do not install it.
It is always a good idea to install an anti-virus app from a reputable vendor that can detect and block such Trojans before they can infect your device.
Also, always keep your system and apps up-to-date.
Android AV App Collected Data on Tens of Millions Users
19.9.2017 securityweek Android
Tens of millions of Android users potentially had their information collected by a security application distributed through Google Play, Check Point security researchers warn.
Called DU Antivirus Security, the software had between 10 and 50 million downloads when the security researchers alerted Google on its data collection practices on August 21. The application was removed from the store on August 24, but was reinstated on August 28, after its developers removed the information-collecting code.
Offered for free, the security software is developed by the DU group, and was discovered to collect a variety of user data without requesting consent from the device owner. The data collection activities, the security researchers discovered, were performed only at the application’s first run.
According to Check Point, the information collected by the application from Android devices included unique identifiers, contact list, call logs, and potentially the location of the device. After gathering the information, the app was encrypting it and sending it to a remote server.
The security researchers also discovered that the collected information was then used by another app offered by the DU group, namely Caller ID & Call Block – DU Caller. The software is designed to provide users with information about incoming phone calls.
“While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes,” Check Point notes.
The software would log information on personal calls, as well as details on who and for how long the user talked to. DU Antivirus Security 3.1.5 includes the malicious code, and potentially so do previous application releases.
The same data-collecting code was found in 30 other applications, including 12 programs distributed through Google Play, Check Point reveals in a report. The apps, which have been removed, had between 24 and 89 million downloads in total. Affected users are advised to upgrade to newer versions of DU Antivirus Security and any other impacted app.
The malicious code was supposedly implemented in these applications through an external library, but they transmitted the collected data to the same server used by DU Caller, the security researchers say.
“Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them,” Check Point notes.
The security researchers discovered that the malicious code would send the gathered data to the server caller.work. While the domain isn’t registered to DU apps, it has two subdomains that reveal a connection to the developer.
One is reg.caller.work, a PHP webpage that specifies hostname us02-Du_caller02.usaws02 (which contains the name of the DU Caller app). The other is vfun.caller.work, hosted on a private server that also hosts the domain dailypush.news, which is registered to a Baidu employee. DU apps are part of the Baidu group and the employee posted about functionality related to the caller app, which indicates a connection with the data collected by the malicious code.
New Android Banking Trojan Red Alert 2.0 available for sale on crime forums
19.9.2017 securityaffairs Android
Researchers discovered a new Android banking Trojan, dubbed Red Alert 2.0, that is being offered for rent on many dark websites for $500 per month.
Researchers with security firm SfyLabs have discovered a new Android banking Trojan, dubbed Red Alert 2.0, that is being offered for rent on many dark websites for $500 per month.
“The last several months a new actor has been very busy developing and distributing a new Android trojan dubbed ‘Red Alert 2.0’ by the actor. The bot and panel (C&C) are fully written from scratch, while many other trojans are evolutions of leaked sources of older trojans.” reads a blog post published by SfyLabs.
The Red Alert 2.0 Android banking malware has been developed from scratch and has been offered for rent via many online hacking forums for the last few months. The authors of the malware are continuously updating it, adding new features.
The Red Alert 2.0 is currently targeting over 60 banks and social media apps across the world, it works on Android 6.0 Marshmallow and previous versions.
The malware implements features that are common to many other similar threats: it is able to steal login credentials, hijack SMS messages, display an overlay on top of legitimate apps, and steal the contact list.
Researchers noticed the authors also added interesting features to Red Alert 2.0, including blocking and logging all incoming calls associated with banks and financial associations.
“Red Alert actors are regularly adding new functionality, such as blocking and logging incoming calls of banks (see image below), which could affect the process of fraud operation departments at financials that are calling users on their infected Android phone regarding potential malicious activity.” continues the post.
This would potentially allow the Red Alert malware to intercept warnings of a compromised account before they reach the victims.
The Red Alert banking trojan also leverages Twitter as backup C&C infrastructure when the C2 server is taken offline.
“Another interesting vector is the use of Twitter to avoid losing bots when the C2 server is taken offline (NTD). When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account. ” continues SfyLabs researchers.
“This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan.”
Once installed on victim’s device, the malware remains silent waiting for the victim to open a banking or social media app, then it overlays the original app with a fake user interface.
The Red Alert 2.0 malware attempts to trick victims into providing login credentials by displaying a fake interface that then informs them that the authentication failed.
“Upon opening an application that is targeted by Red Alert an overlay is shown to the user. When the user tries to log in he is greeted with an error page. The credentials themselves are then sent to the C2 server. To determine when to show the overlay and which overlay to show, the topmost application is requested periodically.” continues the post.
The stolen credentials are used by the attackers to operate on behalf of the victims and initiate fraudulent transactions.
Red Alert 2.0 can also intercept SMS text messages, an ability that would allow it to bypass two-factor authentication mechanisms implemented by the banks.
To protect yourself against this threat, don’t download apps via third-party app stores, never click on suspicious links provided in SMS messages or emails, and keep your system and apps up-to-date.
New "Red Alert" Android Banking Trojan Emerges
19.9.2017 securityweek Android
A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.
Dubbed Red Alert 2.0, the malware has been designed and distributed over the past several months by a new threat actor, the researchers say. The threat features new code but its capabilities are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or the ability to intercept SMS messages and steal users’ contacts.
According to SfyLabs, the Red Alert actors have been adding new functionality to the threat to ensure it continues to be effective. The mobile malware can block and log incoming calls from banks, thus ensuring that financial firms can’t contact users of the infected Android phone to alert them regarding potential malicious activity.
The malware also uses Twitter to avoid losing bots when the command and control (C&C) server is taken offline. The researchers observed that, should the bot fail to connect to the hardcoded C&C, it would retrieve a new server from a Twitter account.
This approach isn’t new to the malware world, but has been associated mainly with Windows Trojans. In fact, SfyLabs claims that Red Alert 2.0 is the first Android banking Trojan they observed to pack such functionality. Given that more and more users perform banking operations directly from their mobile devices, it’s no surprise that miscreants switch focus to Android, the most popular mobile OS.
Should the C&C server be unavailable, a connection error is triggered. Code within the malware uses the current date combined with a salt stored in strings.xml to create a new MD5 hash. The first 16 characters of the hash are used as a Twitter handle registered by the Red Alert actors. The bot requests the Twitter page of the handle and parses the response to obtain the new C&C server address.
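The fallback scheme described above, reimplemented as an added monitoring example (not SfyLabs' code and not the malware's): it pre-computes the handles a bot would derive over a date window and flags matching Twitter profile lookups in a list of proxy-log URLs. The salt value, the date serialization (ISO YYYY-MM-DD) and the sample URLs are constructed assumptions, since the page gives none of them.

```python
"""Pre-compute Red Alert 2.0-style Twitter fallback handles for monitoring.

Scheme as the article describes it: current date + salt from strings.xml
-> MD5 -> first 16 hex characters used as a Twitter handle. A defender can
list the handles for a window and watch proxy logs for lookups of them.
The salt and the exact date format are NOT on the page; both are assumed.
"""
import hashlib
import re
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed placeholder: the real salt lives in the sample's strings.xml.
EXAMPLE_SALT = "placeholder-salt-not-from-sample"


def fallback_handle(day: date, salt: str = EXAMPLE_SALT) -> str:
    """Return the 16-character handle derived for `day` under this scheme.

    Assumption: the date is serialized as YYYY-MM-DD before hashing.
    """
    digest = hashlib.md5((day.isoformat() + salt).encode("utf-8")).hexdigest()
    return digest[:16]


def predicted_handles(start: date, days: int, salt: str = EXAMPLE_SALT) -> Dict[str, date]:
    """Map every handle valid in [start, start + days) to its day."""
    table: Dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        table[fallback_handle(day, salt)] = day
    return table


# Matches twitter.com/<handle> with optional scheme, www./mobile. prefix and trailing path.
_TWITTER_URL = re.compile(
    r"^(?:https?://)?(?:www\.|mobile\.)?twitter\.com/([A-Za-z0-9_]+)(?:[/?#].*)?$"
)


def extract_handle(url: str) -> Optional[str]:
    """Return the lower-cased Twitter handle in `url`, or None for non-profile URLs."""
    match = _TWITTER_URL.match(url.strip())
    return match.group(1).lower() if match else None


def flag_fallback_lookups(urls: List[str], start: date, days: int,
                          salt: str = EXAMPLE_SALT) -> List[Tuple[str, str, date]]:
    """Return (url, handle, day) triples for requests that hit a predicted handle."""
    table = predicted_handles(start, days, salt)
    hits: List[Tuple[str, str, date]] = []
    for url in urls:
        handle = extract_handle(url)
        if handle is not None and handle in table:
            hits.append((url, handle, table[handle]))
    return hits


# Constructed sample log: one benign Twitter visit, one non-Twitter URL and one
# lookup of the handle this scheme predicts for 2017-09-19.
SAMPLE_DAY = date(2017, 9, 19)
SAMPLE_URLS = [
    "https://twitter.com/SfyLabs",
    "https://www.example.com/status",
    "https://mobile.twitter.com/" + fallback_handle(SAMPLE_DAY) + "?lang=en",
]


def run_demo() -> List[Tuple[str, str, date]]:
    """Scan the constructed sample against a one-week window starting 2017-09-18."""
    return flag_fallback_lookups(SAMPLE_URLS, date(2017, 9, 18), 7)


if __name__ == "__main__":
    for url, handle, day in run_demo():
        print(f"{day.isoformat()}  handle={handle}  url={url}")
```

With the real salt extracted from a sample, the same table can be generated ahead of time and fed to a proxy or DNS alerting rule.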
Unlike other Android banking Trojans that use overlays to steal login credentials, Red Alert 2.0 doesn’t receive the full list of targets from its C&C server. Keeping that list only on the server makes it more difficult to determine which banks the threat targets, but SfyLabs uncovered around 60 HTML overlays the actor is using at the moment.
Once the user launches a targeted application on an infected Android device, the malware displays an overlay page that mimics the legitimate one. However, when the user tries to log in, an error page is displayed, while the entered credentials are sent to the C&C server.
To know when to display the overlay and which fake page to show, the malware requests the topmost application periodically. On Android 5.0 and higher devices, the malware uses Android toolbox for this activity, an approach different from those used by Android Trojans such as Mazar, Exobot and BankBot, the security researchers explain.
The security researchers also discovered that the attackers can control the Trojan through commands sent directly from the C&C server. Commands include start/stop SMS interception, send SMS, set/reset default SMS, get SMS/call/contact list, set admin, launch app, send USSD, and block and notify.
Observed samples would masquerade as Flash Player updates, popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates.
Millions Download "ExpensiveWall" Malware via Google Play
18.9.2017 securityweek Android
A newly discovered Android malware that managed to infect at least 50 applications in Google Play has been downloaded between 1 million and 4.2 million times, Check Point researchers warn.
Dubbed ExpensiveWall, the threat was designed to send fraudulent premium SMS messages and to charge users’ accounts for fake services without their knowledge.
The total number of affected users, Check Point says, could be between 5.9 million and 21.1 million, as ExpensiveWall is a variant of malware found in Google Play earlier this year. Unlike previous iterations, however, the new sample uses advanced obfuscation techniques to evade Google Play’s built-in anti-malware protections.
The first time the malware was detailed was in January 2017, when McAfee warned that a highly popular app called “I Love Filter” was in fact an SMS Trojan. The security researchers discovered that someone infected the free legitimate app Retro Live and that the Trojan would charge users via SMS messages while also leaking device and user information such as phone number, GPS location, installed apps, and IP address.
In a technical report describing the threat, Check Point reveals that this first variant of the malware wasn’t obfuscated. The security firm also notes that, while ExpensiveWall represents the obfuscated variant of the malware, there is also a third version that only contains the malicious code, but isn’t active.
“After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called ‘gtk’, which developers embed in their own apps,” the researchers note.
ExpensiveWall was first observed on August 7, 2017. Check Point informed Google of it and the reported samples were removed from the store. Within days, another sample infiltrated Google Play and was downloaded more than 5,000 times before being removed.
The malware was designed to register victims to premium services without their knowledge, thus generating profits for its operators. However, the same infrastructure could easily be modified by other malware to spy on victims by capturing photos and recording audio, and even to steal sensitive data and send it to a command and control (C&C) server.
“Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” Check Point argues.
Once installed, ExpensiveWall requests several common permissions, such as Internet access, and SMS permissions. Given that many apps might request similar permissions, most users might grant them without questioning the app’s intentions, especially when installing from Google Play.
The malware then sends device data to its C&C server, including location and unique identifiers, such as MAC address, IP addresses, IMSI, and IMEI. Each time the device is switched on or its connectivity changes, the threat connects to the C&C to receive a URL.
After obtaining the device’s phone number, the malware uses it to subscribe the user to different paid services. While in some cases the activity is performed without notifying the user, in others the user is asked to click a “Continue” button to activate the subscription or send a premium SMS.
Check Point has provided a list of all infected applications detected to date. Users who might have installed any of them should manually uninstall the apps from their devices. Although Google removed the impacted software from Google Play, the infected devices haven’t been cleaned.