Category Archives: Android

We’ve Reached Peak Smartphone

You don't really need a new smartphone. From a column on the Washington Post (may be paywalled): Sure, some of them squeeze more screen into a smaller form. The cameras keep getting better, if you look very close. And you had to live under a rock to miss the hoopla for Apple's 10th-anniversary iPhone X or the Samsung Galaxy S8. Many in the smartphone business were sure this latest crop would bring a "super cycle" of upgrades. But here's the reality: More and more Americans have decided we don't need to upgrade every year. Or every other year. We're no longer locked into two-year contracts and phones are way sturdier than they used to be. And the new stuff just isn't that tantalizing even to me, a professional gadget guy. Holding onto our phones is better for our budgets, not to mention the environment. This just means we -- and phone makers -- need to start thinking of them more like cars. We may have reached peak smartphone. Global shipments slipped 0.1 percent in 2017 -- the first ever decline, according to research firm IDC. In the United States, smartphone shipments grew just 1.6 percent, the smallest increase ever. Back in 2015, Americans replaced their phones after 23.6 months, on average, according to research firm Kantar Worldpanel. By the end of 2017, we were holding onto them for 25.3 months.

Read more of this story at Slashdot.

Top 10 Photo Editor Apps For Android in 2018

10 Best Photo Editor Apps For Android – 2018 Edition

Over the years, smartphones have evolved, and so have their built-in cameras. Thanks to advances in technology, many high-end smartphones now carry high-resolution cameras, which has reduced the need to own a separate digital camera. Many smartphone owners are willing to spend a little more on these devices, which are not only convenient to carry around but also let you take pictures instantly on the go, at outings or on special occasions.

Even with better image sensors and good optical image stabilization (OIS), there are times when the perfect picture just doesn't turn out right, even after a dozen attempts. That's when photo-editing apps come to your rescue.

While there are hundreds, maybe thousands, of photo editor apps available, in this article we bring you the best free photo editing apps for Android that you can use to enhance your favorite pictures.

Note: Even though the photo editor apps listed below are free to download, they may still cost you later through in-app purchases.

  1. Adobe Photoshop Express

Adobe Photoshop Express is an image editing and collage-making app from Adobe Systems. It covers the basic edits, lets you adjust contrast, exposure and white balance with one touch, removes spots and dust, adds text, borders and frames, and offers more than 60 professional looks along with advanced corrections and other adjustments. You can also choose from a range of effects such as Nature, Black and White, and Portrait.

  2. Photo Editor by Aviary

This app offers the standard features of a photo editor, such as rotating, cropping and correcting, much of which can be done with its one-tap auto-enhance. It also contains a large collection of easy-to-use editing tools such as custom photo filters, frames, graphics and overlays, plus a cosmetic tool to remove flaws and blemishes from any photograph. The image correction feature can help you fix photographs that were overexposed by the flash or shot through a dusty camera lens.

The app lets you share your photos across all the popular social media platforms. A special focus feature provides a tilt-shift effect. Additional effects such as frames and stickers are available as in-app purchases; otherwise the app is free.

  3. Snapseed

Created by the developers at Nik Software and integrated with Google+, this free app has a clean and easy-to-use interface. It lets you modify depth of field, perspective, curves and brightness, and you can pick effects and enhancements with swipe gestures or opt for an automatic adjustment of color and contrast.

The list of special effects and filters includes Drama, Grunge, Vintage, Center Focus, Frames and Tilt-Shift (which simulates a shallow depth of field). The Tune Image feature adjusts white balance, shadows and similar settings. Snapseed 2.0 introduced new filters such as Lens Blur, Glamour Glow, HDR Scape and Noir, and gave the tools section a clearer interface. It also saves your personal looks so you can apply them to new photos later, and you can share images directly to social networks such as Facebook and Instagram.

  4. PicsArt Photo Studio

PicsArt is one of the most popular photo editing apps in the Play Store, and it is both easy to use and attractive. You get loads of tools, effects, a collage maker, a camera, a free clipart library, millions of user-created stickers, and drawing tools. The app gives you a wide range of options to manipulate any photograph with borders, stickers, masks, clip art and more. PicsArt lets you take and edit pictures, draw with layers, and share your images with the PicsArt community and on other networks such as Facebook and Instagram. It also supports RAW photos, and the in-app purchases are optional.

  5. Pixlr Express

Pixlr by Autodesk, also known as Pixlr Express, is a powerful photo editor for people who want to edit a photograph quickly. Along with one of the best one-touch enhance tools, it has advanced features such as cosmetic tools to remove blemishes and red eye, whiten teeth, and smooth and brighten a photograph, plus quick cropping and resizing. You can create photo collages with a variety of layouts, backgrounds and spacing. Its Auto Fix feature balances color in one tap, and there are artistic effects such as pencil, poster and watercolor. A "Frequently Used" section keeps your common settings at hand so you can edit faster. You can share photos directly with friends through Instagram, Facebook, Twitter or email.

  6. AirBrush

AirBrush is an easy-to-use photo editor that can give your photos a polished look. It includes basic editing tools such as crop, stretch and blur, along with user-friendly retouch tools: a blemish and pimple remover, a teeth whitener, an eye brightener, and Cool, Natural and Radiant filters. You can also trim, reshape and enlarge parts of a selfie or photo, and edit a selfie before taking the picture with real-time editing tools. Pictures can be shared directly to popular social sites such as Facebook, Instagram, Twitter and Snapchat from within AirBrush.

  7. Fotor Photo Editor

Fotor is an all-in-one photo editing toolkit that includes a one-tap enhance tool for convenience. It offers crop, rotate, brightness, contrast, saturation, exposure, vignetting, shadows, highlights, temperature, tint, RGB and more. It has an enhanced camera with six photo-taking modes, including Grid, Big Button, Burst, Timer, Stabilizer and Square. The Enhance function, with its slide-on-screen control, allows rapid adjustments to detail and gradation, and the Scene effects feature lets you adapt a photo to different lighting situations by altering saturation, brightness and contrast. The app lets you share your photos across all the popular social media platforms.

  8. PhotoDirector Photo Editor App

PhotoDirector is a simple photo editing tool that lets you quickly add effects to your mobile images. It lets you remove an unwanted person or object from a photo, adjust saturation, tweak the tone, apply one-click presets, or add HDR effects to create vivid images on the go. The app aims for DSLR-like results in a matter of seconds, and you can edit, adjust and then combine your favorite photos into collages. Edited images can be shared on Facebook, Flickr and more.

  9. Photo Effects Pro

Photo Effects Pro is an easy and fun app for those who like to play with filters, effects, stickers and the like. It includes basic editing tools such as crop, rotate, saturation, flip, contrast and brightness. It has more than 40 filters and effects, including Autumn, Twin, Contrast, Pencil, Blackout, Engrave, Desaturate, Border, Desert, Draft, Displace, Reflection, G & B and Shadow, and it lets you add text, stickers and frames as well. You can finger-paint on your photo to make it unique, and the Artwork feature restyles your images after famous artists using artificial intelligence. Pictures can be shared on popular social networks such as Facebook, Twitter, Instagram and Flickr.

  10. Toolwiz Photos – Pro Editor

Toolwiz Photos – Pro Editor is an all-in-one photo editor that offers more than 200 tools for making polished photos on Android. It has an easy-to-use interface and comes with over 40 Prisma-style filters. You can add text, filters and memes, and choose from more than 10 painting styles, including fire, freeze, crayon drawing and wall painting. You can swap faces, brighten eyes, remove blemishes, whiten teeth, slim faces, adjust saturation, and much more. Other key features include art filters, image tone, image enhance, HDR, art effects, more than 20 blurs, and free online resources such as 150+ PIP frames, 400+ layouts and 2000+ stickers.

Well, these are the top 10 photo editor apps for Android on our list. If you feel we have missed one that should have been part of it, let us know in the comments section below.

The post Top 10 Photo Editor Apps For Android in 2018 appeared first on TechWorm.

McAfee Blogs: Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it's no surprise that cybercriminals across the globe are using malicious code to obtain it. Attackers would rather develop or deploy mining malware than pay for dedicated mining hardware, which can cost upwards of $5,000. In China, the ADB Miner malware is spreading across thousands of Android devices for the primary purpose of mining cryptocurrency. It spreads through the Android Debug Bridge (adb) daemon listening on TCP port 5555. That network listener is off by default and is normally switched on only for development (for example by running "adb tcpip 5555"), but some device makers ship with it enabled, and where it is reachable without adb authentication anyone on the network gets a shell and can install packages. Once infected, a device scans for other devices with the same exposed adb service and presses them, Android-based smartphones, tablets and televisions alike, into crypto-mining.
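To check whether a device on a network you administer exposes adbd the way ADB Miner abuses, here is an added probe. It is not part of the McAfee post and not ADB Miner's code; it speaks only the first step of the adb wire protocol (a CONNECT message and the reply), using the constants and 24-byte header layout from the public adb protocol description. Hosts and ports are whatever you pass on the command line; the sample replies in the test are constructed.

```python
"""Probe a host for an exposed Android Debug Bridge (adb) listener on TCP 5555.

Hypothetical checker added for this page, not ADB Miner's code nor part of the
Android SDK. It tells an open adbd (answers CONNECT with its device banner)
from one that demands RSA authentication, and from an unrelated service.
"""
import socket
import struct
import sys

ADB_PORT = 5555
# Command words are the ASCII tags read as little-endian 32-bit integers.
A_CNXN = struct.unpack("<I", b"CNXN")[0]   # 0x4E584E43: connect / banner
A_AUTH = struct.unpack("<I", b"AUTH")[0]   # 0x48545541: authentication step
AUTH_TOKEN = 1                              # AUTH arg0: device sends a challenge
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
# Header: command, arg0, arg1, data_length, data_check, magic (command ^ 0xFFFFFFFF)
HEADER = struct.Struct("<6I")


def checksum(payload: bytes) -> int:
    """adb's legacy payload check: the byte sum modulo 2**32."""
    return sum(payload) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def build_connect() -> bytes:
    """The CONNECT a host sends first; its system identity string is 'host::'."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(raw: bytes):
    """Validate one adb message; raise ValueError if the bytes are not one."""
    if len(raw) < HEADER.size:
        raise ValueError("short read")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an adb message")
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if checksum(payload) != check:
        raise ValueError("checksum mismatch")
    return command, arg0, arg1, payload


def classify_response(raw: bytes) -> str:
    """Map the device's first reply to a finding."""
    try:
        command, arg0, _, payload = parse_message(raw)
    except ValueError:
        return "not-adb"
    if command == A_CNXN:
        # A banner straight back means no authentication is required:
        # anyone who can reach the port gets shell and install rights.
        return "open: " + payload.split(b"\x00", 1)[0].decode("ascii", "replace")
    if command == A_AUTH and arg0 == AUTH_TOKEN:
        return "auth-required"
    return "unknown"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = ADB_PORT, timeout: float = 3.0) -> str:
    """Connect, send CONNECT, and read exactly one reply message."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        head = recv_exact(sock, HEADER.size)
        if len(head) < HEADER.size:
            return "not-adb"
        length = HEADER.unpack(head)[3]
        return classify_response(head + recv_exact(sock, min(length, MAX_PAYLOAD)))


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it only against devices you own or administer. An "open:" result means the device is exactly what ADB Miner looks for; fix it on the device (run "adb usb" from a USB-connected host to return adbd to USB-only, or turn off USB debugging in developer options) rather than trusting a router firewall, since the worm spreads from an already-infected neighbour on the same LAN.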

So why are cybercriminals now targeting Android mobile devices? One reason is that attackers know they can slip malicious apps past Google Play's vetting. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. The store has no consistent or centralized way to tell purchasers that an app they installed has been pulled, so even if an app was available on Google Play at the time of download, it can later be identified as malicious while users remain unaware that they are harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores, including Apple's App Store and Google Play; Google Play had the most, with 272 available for download. In the United States, researchers have found another crypto-mining malware that works phone processors so hard it physically damages the device: Loapi, a newly discovered Trojan crypto-miner, can cause a phone's battery to swell and burst open the back cover, and it has been found in up to 20 mobile apps.

Crypto-mining malware isn't a new phenomenon. Before the WannaCry attacks last May, another strain of malware sprang up to exploit the same Windows vulnerabilities that WannaCry used. But instead of locking systems down with ransomware, these cybercriminals put them to work with a cryptocurrency miner called Adylkuzz.

Here are a few tips to help protect your Android devices from crypto-mining malware:

  • Download your apps from a legitimate source. Some malicious apps slip through the cracks, but app stores like Google Play do have security measures in place to protect users, and they are much safer than unknown sources.
  • Delete any apps you haven't used in the past six months. An app's standing can change over time; applications once carried by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer available in the app store, delete it.
  • Keep all of your software up to date. Many of the most damaging incidents we've seen, like the Equifax data breach, exploited unpatched vulnerabilities in common software such as operating systems, web frameworks and browsers. Running the latest versions ensures that known bugs are patched, and it is one of the best defenses against malware.
  • Double up on your mobile security software. I can't stress enough how important it is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and "Like" us on Facebook.

The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.

Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities

Android Security Bulletin for February 2018 – Google has fixed more than two dozen vulnerabilities in the Android OS, including several critical remote code execution (RCE) flaws.

The Android Security Bulletin for February 2018 addresses 26 vulnerabilities in the mobile operating system, most of which are elevation of privilege flaws.

The 2018-02-01 security patch level fixed 7 vulnerabilities, 6 in Media Framework and one issue affecting the System component.

The tech giant has fixed two critical RCE vulnerabilities in Media Framework: CVE-2017-13228, which affects Android 6.0 and newer, and CVE-2017-13230, which affects Android 5.1.1 and later.

Google also fixed other vulnerabilities in Media Framework, including an information disclosure vulnerability, an elevation of privilege bug, and several denial-of-service flaws.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” states the advisory.

The single System issue is tracked as CVE-2017-13236. The Media Framework RCE flaws can be triggered remotely with a specially crafted media file delivered by email, web browsing or MMS, and give the attacker code execution in the context of a privileged process.

The 2018-02-05 security patch level includes fixes for 19 vulnerabilities in HTC, Kernel, NVIDIA, Qualcomm, and Qualcomm closed-source components.

The most severe flaws included in the 2018-02-05 security patch level are two remote code execution vulnerabilities in Qualcomm components tracked as CVE-2017-15817 and CVE-2017-17760.

Google also released the Pixel / Nexus Security Bulletin that addresses 29 vulnerabilities in Google devices.

“The Pixel / Nexus Security Bulletin contains details of security vulnerabilities and functional improvements affecting supported Google Pixel and Nexus devices (Google devices). For Google devices, security patch levels of 2018-02-05 or later address all issues in this bulletin and all issues in the February 2018 Android Security Bulletin.” states Google.

“All supported Google devices will receive an update to the 2018-02-05 patch level. We encourage all customers to accept these updates to their devices.”

Pierluigi Paganini

(Security Affairs – Google, Android)

The post Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities appeared first on Security Affairs.

FBI, CIA, and NSA: Don’t Use Huawei Phones

The heads of six top U.S. intelligence agencies told the Senate Intelligence Committee on Tuesday they would not advise Americans to use products or services from Chinese smartphone maker Huawei. "The six -- including the heads of the CIA, FBI, NSA and the director of national intelligence -- first expressed their distrust of Apple-rival Huawei and fellow Chinese telecom company ZTE in reference to public servants and state agencies," reports CNBC. From the report: "We're deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks," FBI Director Chris Wray testified. "That provides the capacity to exert pressure or control over our telecommunications infrastructure," Wray said. "It provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage." In a response, Huawei said that it "poses no greater cybersecurity risk than any ICT vendor." A spokesman said in a statement: "Huawei is aware of a range of U.S. government activities seemingly aimed at inhibiting Huawei's business in the U.S. market. Huawei is trusted by governments and customers in 170 countries worldwide and poses no greater cybersecurity risk than any ICT vendor, sharing as we do common global supply chains and production capabilities."

Read more of this story at Slashdot.

Security Affairs: A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro have reported a new variant of the well-known AndroRAT.

AndroRAT started in 2012 as a university project: an open-source client/server application for remotely controlling a device. Criminals soon noticed its capabilities and began using it.

The new version includes an exploit for CVE-2015-1805, a local elevation-of-privilege flaw in the Linux kernel used by certain Android devices.

The vulnerability is rated critical; a rooting application that a user has installed can exploit it to elevate privileges and run arbitrary code on the vulnerable device.

The flaw is old: it was found in the upstream Linux kernel and fixed there in April 2014. Its impact on Android was underestimated until early 2016, when the C0RE Team reported to Google that it could be exploited against Android devices.

All unpatched Android devices running kernel versions 3.4, 3.10 or 3.14, including all Nexus devices, are vulnerable to CVE-2015-1805.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, TrashCleaner prompts the user to install a Chinese-labeled calculator app, hides its own icon from the device's UI, and activates the RAT in the background.

The new variant adds the following capabilities:

  • Theft of mobile network information, storage capacity and root status
  • Theft of the list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Recording of calls
  • Uploading files to the victim device
  • Using the front camera to capture high-resolution photos
  • Deleting and sending forged SMS messages
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Silently enabling accessibility services for a keylogger

Experts recommend downloading apps only from official stores and keeping the OS and apps up to date.
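As an added example (not Trend Micro's tooling and not part of the Security Affairs article), the script below turns two behaviours described above into a quick triage over the output of a few adb shell commands: a third-party app that has no launcher icon yet has an accessibility service enabled (the hidden-icon keylogger pattern), and a kernel on one of the 3.4, 3.10 or 3.14 branches whose security patch level predates Google's 2016-03-18 fix for CVE-2015-1805. The package names, kernel string and patch date in the sample snapshot are constructed, and the launcher-activity output format is an assumption.

```python
"""Triage an Android device snapshot for two AndroRAT-style indicators.

Hypothetical helper added for this page. Inputs are the raw text of these
commands: `adb shell pm list packages -3`,
`adb shell settings get secure enabled_accessibility_services`,
`adb shell cmd package query-activities --brief -a android.intent.action.MAIN
 -c android.intent.category.LAUNCHER` (one pkg/Activity per line assumed),
`adb shell uname -r` and `adb shell getprop ro.build.version.security_patch`.
"""
import re

# Kernel branches Google named as affected by CVE-2015-1805; the fix shipped
# with the 2016-03-18 Android security patch level.
AFFECTED_KERNELS = {(3, 4), (3, 10), (3, 14)}
CVE_2015_1805_FIX_LEVEL = "2016-03-18"


def parse_pm_list(text):
    """`pm list packages -3` -> set of third-party package names."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_accessibility_services(text):
    """enabled_accessibility_services is a colon-separated list of
    component names (pkg/pkg.Service); `null` means none are enabled."""
    value = text.strip()
    if not value or value == "null":
        return set()
    return {component.split("/", 1)[0]
            for component in value.split(":") if component}


def parse_launcher_packages(text):
    """Packages that resolve a MAIN/LAUNCHER activity, i.e. have an icon."""
    return {m.group(1) for m in re.finditer(r"^\s*([\w.]+)/\S+\s*$", text, re.M)}


def kernel_exposed(uname_r, security_patch):
    """True when the kernel branch is affected and the patch level is
    missing or older than the CVE-2015-1805 fix (ISO dates sort as text)."""
    m = re.match(r"(\d+)\.(\d+)", uname_r)
    if not m:
        return False
    branch = (int(m.group(1)), int(m.group(2)))
    if branch not in AFFECTED_KERNELS:
        return False
    return not security_patch or security_patch.strip() < CVE_2015_1805_FIX_LEVEL


def triage(snapshot):
    third_party = parse_pm_list(snapshot["pm_list_3"])
    a11y = parse_accessibility_services(snapshot["enabled_accessibility_services"])
    launcher = parse_launcher_packages(snapshot["launcher_activities"])
    # Third-party app, accessibility service on, no launcher icon: the
    # TrashCleaner pattern. System apps are excluded via `-3`.
    hidden_with_a11y = sorted((third_party & a11y) - launcher)
    return {
        "hidden_accessibility_apps": hidden_with_a11y,
        "kernel_exposed_cve_2015_1805": kernel_exposed(
            snapshot["uname_r"], snapshot.get("security_patch", "")),
    }


# Constructed snapshot: every package name and version string is made up.
SAMPLE_SNAPSHOT = {
    "pm_list_3": ("package:com.example.keyboard\n"
                  "package:com.example.trashcleaner\n"
                  "package:com.example.reader\n"),
    "enabled_accessibility_services": (
        "com.example.keyboard/.InputService:"
        "com.example.trashcleaner/com.example.trashcleaner.KeyLogService"),
    "launcher_activities": ("  com.example.keyboard/.SettingsActivity\n"
                            "  com.example.reader/.MainActivity\n"
                            "  com.android.settings/.Settings\n"),
    "uname_r": "3.10.49-g0123abc",
    "security_patch": "2016-02-01",
}

if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT))
```

The accessibility check is a heuristic, not proof: some legitimate third-party services (password managers, screen readers) also run without a visible launcher entry, so treat a hit as a lead for a manual look at the package rather than a verdict. The kernel check only says whether the device could be rooted by the bundled exploit; a device on a later patch level can still be infected, it just cannot be silently rooted this way.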

Pierluigi Paganini

(Security Affairs – AndroRAT, CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.

Millions of Android devices forced to mine Monero for crooks

No device is safe from criminals looking to make it stealthily mine cryptocurrency for them. However weak its processing power is, it still costs them nothing. With that in mind, forced crypto mining attacks have also begun hitting mobile phones and tablets en masse, either via Trojanized apps or redirects and pop-unders. An example of the latter approach has been recently documented by Malwarebytes’ researchers. The attack “In a campaign we first observed in late … More

Blog | Avast EN: Avast Android App Report reveals: These apps crush your phone’s battery

It won't exactly be groundbreaking news that your apps consume your Android's battery, data and storage. But far fewer people know that most apps run invisibly in the background, and that the worst offenders drain all three at the same time. To help you navigate the sea of apps and learn which ones are sapping your resources, Avast regularly releases the Avast Android App Performance & Trend Report.

Android P to get new iPhone ‘X’ style notch design in 2018, says Google

Google’s next Android P update is said to embrace iPhone X style notch design

There is no denying that even the top smartphone manufacturers try to copy or clone some of the best smartphone features of its competitors and implement it in their devices so that they can attract more consumers and expand their market.

Apparently, Google is looking to enhance the design of its upcoming operating system, which is also expected to be a complete overhaul of its software, in a bid to attract more iOS users and make them switch to Android, reports Bloomberg citing sources close to Google.

Android P (internally referred to as Pistachio Ice Cream), which is expected to be Google’s next major Android update, will be seen “mimicking” Apple’s new “notch” at the top of the iPhone X, which is assumed to be implemented in Google’s “new generation” of Android smartphones. By embracing the iPhone X style notch design, Google is looking to make its presence felt in the flagship and premium segment.

“While Android dominates the middle and low-end of the global smartphone market, Apple controls much of the high-end with users who spend more on apps and other services. Embracing the notch may help change that. The design will mean more new Android phones with cutouts at the top of their screens to fit cameras and other sensors. That will likely support new features, helping Android device makers keep up with similar Apple technology.

“What’s unlikely to change much is Android’s nagging problem: Most of the billion-plus Android devices globally run outdated versions of the operating system, exposing security holes and holding back Google’s newest mobile innovations.

“Alphabet Inc.’s Google controls the Android software, while other companies manufacture the devices. These partners can also tweak the software to their specific needs, so not all Android phones will have notches. Indeed, when the iPhone X came out in November, Samsung Electronics Co., the largest Android phone maker, mocked the feature in a commercial.

“Still, building notch capabilities into Android suggests Google expects the iPhone X look to catch on more broadly,” Bloomberg reported.

Android P is expected to integrate more tightly with Google’s Assistant, improve smartphone battery life and support new designs, such as multiple screens and foldable displays. It will also allow third-party app developers to integrate the Assistant into their apps so that they work together smoothly. Google is also thinking of adding the Assistant to the search bar on the Android home screen, but “neither of these changes are finalized for introduction this year.”

Also, we had recently reported that Google’s Android P is expected to feature an inbuilt voice recorder with a call recording tone that will be played every fifteen seconds to warn the other person in the conversation that a recording is in progress. The sound will be added to the outgoing audio stream so that the party on the other side can hear it.

With Google expected to announce the next version of the Android operating system, Android P, at the Google I/O conference later this year, we can expect more rumors and speculation until the official announcement is made.

Source: Bloomberg

The post Android P to get new iPhone ‘X’ style notch design in 2018, says Google appeared first on TechWorm.

Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully-supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin, from the hottest startups to Fortune 500 companies (Twitter, Uber, Pinterest).

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

After launching Swift Cleaner, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to a particular number supplied by the C&C server. The app does this to check for the presence of a SIM card and whether mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a form of mobile billing where the user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even though Google states that its protection is at a high level, there appears to be no fail-proof way to stop malware from entering the Play Store. By using a quality mobile anti-malware scanner as a second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.

AndroRAT Exploiting Vulnerability to Escalate Privileges on Android Devices

A new variant of the Android Remote Access Tool (AndroRAT) is exploiting a vulnerability to escalate privileges on unpatched Android devices. The malware disguises itself as a utility app called “TrashCleaner” and waits for users to download it from a malicious URL. Upon running for the first time, the malicious app forces the device to […]… Read More

The post AndroRAT Exploiting Vulnerability to Escalate Privileges on Android Devices appeared first on The State of Security.

Qualcomm Snapdragon 845 Benchmarks Show An Incredible GPU, Faster CPU

MojoKid writes: Though the company has been evangelizing its new Snapdragon 845 Mobile Platform for a while now, Qualcomm is lifting the veil today on the new chip's benchmark performance profile. At the heart of the Snapdragon 845 is the new Kryo 385 CPU, which features four high-performance cores operating at 2.8GHz and four efficiency cores that are dialed back to 1.7GHz, all of which should culminate in a claimed 25 percent uplift over the previous generation Snapdragon 835, along with improved power efficiency. In addition, the Snapdragon 845's new Adreno 630 integrated GPU core should deliver a boost in performance over its predecessor as well, with up to a 30 percent increase in graphics throughput, allowing it to become the first mobile platform to enable room-scale VR/AR experiences. Armed with prototype reference devices, members of the press put the Snapdragon 845 through its paces and the chip proved to be anywhere from 15 to 35 percent faster, depending on workloads and benchmarks, with graphics showing especially strongly. Next-generation Android smartphones and other devices based on the Snapdragon 845 are expected to be unveiled at Mobile World Congress in Barcelona at the end of this month.

Read more of this story at Slashdot.

Google’s Android Messages Could Soon Let You Text From Your Computer

Google looking to come up with web version for Android Messages

Although Google has its own standalone messaging apps, such as Allo, Hangouts, Voice, and Android Messages, it is still lagging behind its competitors such as Apple’s iMessage, Facebook’s Messenger and WhatsApp. Hence, Google is looking to enhance its default SMS application ‘Android Messages’ on its Nexus and Pixel devices by bringing some major changes.

In a recent update to the Android Messages app, hidden code was found within the app indicating that Google is preparing to release a web-based version of the app, which will allow users to send texts, photos and videos, and to share files or locations, reports Android Police.

Another upgrade that appears to be in the works is messaging over Wi-Fi and viewing the messaging status (typing, delivered, read, etc.). There are also clues of Google setting up payments sharing feature in the app via Google Pay.

Currently, the project is codenamed “Ditto”, but the launch title is expected to be “Messages for Web” when it is officially rolled out.

“There’s a new version of Android Messages rolling out for the phones. So far, we haven’t seen any significant changes to the UI, but huge things are happening under the surface,” reports Android Police.

Similar in functionality to WhatsApp Web, this feature may require users to scan a QR code to link their smartphones and PCs, after which it would allow them to send texts. The feature appears to be partially implemented in the latest Android Messages 2.9 APK, but one cannot send an actual text yet. It might support browsers such as Google Chrome, Microsoft Edge, Firefox, Opera, Safari and Internet Explorer.

“Users will be guided to visit a website on the computer they want to pair with the phone, then simply scan a QR code. They will be able to send and receive messages in the web interface and it will link with the device to do the actual SMS/MMS/RCS communication through their network carrier,” the report added.

Google has yet to make any official announcements regarding implementation of these new features in a future version of Android Messages.

“It’s possible that the guesses made here are totally and completely wrong. Even when predictions are correct, there is always a chance that plans could change or may be canceled entirely,” Android Police notes. “Much like rumors, nothing is certain until it’s officially announced and released.”

Therefore, until we officially hear from Google, it is better to take these rumors with a pinch of salt.

The post Google’s Android Messages Could Soon Let You Text From Your Computer appeared first on TechWorm.

Drive-by cryptomining campaign targets millions of Android users

Malvertising and online fraud through forced redirects and Trojanized apps—to cite the two most common examples—are increasingly plaguing Android users. In many cases, this is made worse by the fact that people often don’t use web filtering or security applications on their mobile devices.

A particular group is seizing this opportunity to deliver one of the most lucrative payloads at the moment: drive-by cryptomining for the Monero (XMR) currency. In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser cryptomining.

In our previous research on drive-by mining, we defined this technique as automated, without user consent, and mostly silent (apart from the noise coming out of the victim’s computer fan when their CPU is clocked at 100 percent). Here, however, visitors are presented with a CAPTCHA to solve in order to prove that they aren’t bots, but rather real humans.

“Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha.”

Until the code (w3FaSO5R) is entered and you press the Continue button, your phone or tablet will be mining Monero at full speed, maxing out the device’s processor.

Redirection mechanism

The discovery came while we were investigating a separate malware campaign dubbed EITest in late January. We were testing various malvertising chains that often lead to tech support scams with an Internet Explorer or Chrome user-agent on Windows. However, when we switched to an Android, we were redirected via a series of hops to that cryptomining page.

It seems odd that a static code (which is also hardcoded in the page’s source) would efficiently validate traffic between human and bot. Similarly, upon clicking the Continue button, users are redirected to the Google home page, another odd choice for having proved you were not a robot.

While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.

It’s possible that this particular campaign is going after low quality traffic—but not necessarily bots—and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.

We identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site keys (see our indicators of compromise for the full details). The first one was registered in late November 2017, and new domains have been created since then, always with the same template.

Domain name, registration date

Traffic stats

We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope behind this campaign. We shared two of the most active sites with ad fraud researcher Dr. Augustine Fou, who ran some stats via the SimilarWeb web analytics service. This confirmed our suspicions that the majority of traffic came via mobile and spiked in January.

We estimate that the combined traffic from the five domains we have identified so far comes to about 800,000 visits per day, with an average of four minutes spent on the mining page. To work out the number of hashes produced, we can take a conservative hash rate of 10 h/s based on a benchmark of ARM processors.

It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over.

Conclusion

The threat landscape has changed dramatically over the past few months, with many actors jumping on the cryptocurrency bandwagon. Malware-based miners, as well as their web-based counterparts, are booming and offering online criminals new revenue sources.

Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, but also via redirects and pop-unders. We strongly advise users to run the same security tools they have on their PC on their mobile devices, because unwanted cryptomining is not only a nuisance but can also cause permanent damage.

Malwarebytes mobile users are protected against this threat.

Indicators of compromise

Domains:

rcyclmnr[.]com
rcylpd[.]com
recycloped[.]com
rcyclmnrhgntry[.]com
rcyclmnrepv[.]com

Referring websites (note that these should not necessarily be considered malicious):

panelsave[.]com
offerreality[.]com
thewise[.]com
go.bestmobiworld[.]com
questionfly[.]com
goldoffer[.]online
exdynsrv[.]com
thewhizmarketing[.]com
laserveradedomaina[.]com
thewhizproducts[.]com
smartoffer[.]site
formulawire[.]com
machieved[.]com
wtm.monitoringservice[.]co
traffic.tc-clicks[.]com
stonecalcom[.]com
nametraff[.]com
becanium[.]com
afflow.18-plus[.]net
serie-vostfr[.]com
pertholin[.]com
yrdrtzmsmt[.]com

Coinhive site keys:

gufKH0i0u47VVmUMCga8oNnjRKi1EbxL
P3IN11cxuF4kf2kviM1a7MntCPu00WTG
zEqkQef50Irljpr1X3BqbHdGjMWnNyCd
rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq
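The indicators above are only useful once they are checked against something. Here is an added example, not code from the Malwarebytes write-up, that refangs the domain list, matches proxy log lines against the mining domains (exact host or any subdomain), flags the campaign's Coinhive site keys wherever they appear in a request URL, and reports a lower-severity hit for a subset of the referring sites. The log format and the sample lines are constructed for the example; the indicator values themselves are the ones listed above.

```python
"""Match the drive-by mining campaign's indicators against proxy log lines.

Added example: the indicator lists are copied from the write-up above; the
log format, sample lines and severity labels are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Mining domains from the write-up, defanged with [.] so they do not auto-link.
MINING_DOMAINS = """
rcyclmnr[.]com
rcylpd[.]com
recycloped[.]com
rcyclmnrhgntry[.]com
rcyclmnrepv[.]com
"""

# A subset of the referring sites; the write-up says these are not necessarily malicious.
REFERRER_DOMAINS = """
go.bestmobiworld[.]com
questionfly[.]com
traffic.tc-clicks[.]com
"""

# Coinhive site keys from the write-up; they identify the operator's mining account.
COINHIVE_SITE_KEYS = (
    "gufKH0i0u47VVmUMCga8oNnjRKi1EbxL",
    "P3IN11cxuF4kf2kviM1a7MntCPu00WTG",
    "zEqkQef50Irljpr1X3BqbHdGjMWnNyCd",
    "rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq",
)


def refang(indicator):
    """Undo the [.] defanging and normalise case and trailing dots."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def load_domains(blob):
    """Parse one defanged indicator per line into a set of real hostnames."""
    return {refang(line) for line in blob.splitlines() if line.strip()}


def matching_domain(host, domains):
    """Return the indicator that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full hostname down to its two-label suffix, stopping before
    # the bare TLD so that 'com' on its own can never produce a match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def scan_log(text, mining=None, referrers=None):
    """Return one finding per log line that touches a known indicator."""
    mining = load_domains(MINING_DOMAINS) if mining is None else mining
    referrers = load_domains(REFERRER_DOMAINS) if referrers is None else referrers
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        client, url = m.group(2), m.group(4)
        host = urlsplit(url).hostname or ""
        hit = matching_domain(host, mining)
        if hit:
            findings.append({"line": lineno, "client": client, "severity": "high",
                             "indicator": hit, "why": "known cryptomining page"})
            continue
        key = next((k for k in COINHIVE_SITE_KEYS if k in url), None)
        if key:
            findings.append({"line": lineno, "client": client, "severity": "high",
                             "indicator": key, "why": "Coinhive site key from campaign"})
            continue
        hit = matching_domain(host, referrers)
        if hit:
            findings.append({"line": lineno, "client": client, "severity": "low",
                             "indicator": hit, "why": "referrer seen in redirect chain"})
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2018-02-09T10:01:12Z 10.0.0.23 GET http://go.bestmobiworld.com/offer?id=12 302
2018-02-09T10:01:13Z 10.0.0.23 GET http://rcyclmnrepv.com/ 200
2018-02-09T10:01:14Z 10.0.0.23 GET https://cdn.rcyclmnrepv.com/captcha.js 200
2018-02-09T10:01:15Z 10.0.0.23 GET wss://pool.example.test/proxy?key=gufKH0i0u47VVmUMCga8oNnjRKi1EbxL 101
2018-02-09T10:02:00Z 10.0.0.41 GET https://www.google.com/ 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on suffix labels rather than on a substring is deliberate: a substring check on "rcylpd.com" would also fire on an unrelated host such as "notrcylpd.com", while the label walk only accepts the domain itself or a true subdomain of it. The referrer hits are reported at low severity because, as noted above, those sites are part of the redirect chain but not necessarily malicious themselves.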

The post Drive-by cryptomining campaign targets millions of Android users appeared first on Malwarebytes Labs.

CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family

Researchers from CSE ZLAB malware Analysis Laboratory analyzed a set of samples of the Pallas malware family used by the Dark Caracal APT in its hacking operations.

The malware researchers from ZLab analyzed a collection of samples related to a new APT tracked as Dark Caracal, which was discovered by Electronic Frontier Foundation in collaboration with Lookout Mobile Security.

Dark Caracal has been active since at least 2012, but it was only recently identified as a powerful threat actor in the cyber arena.

The first analysis of the APT linked it to the Lebanese General Directorate of General Security.

Dark Caracal is behind a number of stealthy hacking campaigns that, over the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

One of their most powerful campaigns started in the first months of last year, using a series of trojanized Android applications to steal sensitive data from the victim’s mobile device. The trojan injected into these applications is known in the threat landscape under the name Pallas.

The threat actors use the “repackaging” technique to generate their samples: they start from a legitimate application and inject the malicious code before rebuilding the APK.

The target applications belong to specific categories, such as social chat apps (WhatsApp, Telegram, Primo), secure chat apps (Signal, Threema), or software related to secure navigation (Orbot, Psiphon).

The attackers used social engineering techniques to trick victims into installing the malware. They use an SMS, a Facebook message or a Facebook post that invites the victim to download a new version of the popular app from a specific URL:

http://secureandroid[.]info

All the trojanized apps are hosted at the same URL.

Figure 1 – Dark Caracal Repository – Malicious site

This malware is able to collect a large amount of data and to send it to a C&C through an encrypted URL that is decrypted at runtime. The capabilities of the trojan are:

  • Read SMS
  • Send SMS
  • Record calls
  • Read calls log
  • Retrieve account and contacts information
  • Gather all stored media and send them to the C&C
  • Download and install other malicious software
  • Display a phishing window in order to try to steal credentials
  • Retrieve the list of all devices connected to the same network

Further details are included in the complete report published by CSE.

You can download the full ZLAB Malware Analysis Report at the following URL:

20180212_CSE_DARK_CARACAL_Pallas_Report.pdf

Pierluigi Paganini

(Security Affairs – Dark Caracal, Pallas malware)

The post CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family appeared first on Security Affairs.

BootStomp – Find Android Bootloader Vulnerabilities

BootStomp is a Python-based tool with Docker support that helps you find two different classes of Android bootloader vulnerabilities and bugs: memory corruption and state storage vulnerabilities.

Note that BootStomp works with bootloaders compiled for ARM architectures (both 32- and 64-bit) and that results might vary slightly depending on the versions of angr and Z3 in use, because of the time angr takes to analyze basic blocks and because of Z3’s expression concretization results.

Read the rest of BootStomp – Find Android Bootloader Vulnerabilities now! Only available at Darknet.

Chinese Phone Maker Xiaomi Deletes a Public MIUI vs Android One Twitter Poll After Voting Didn’t Go Its Way

Chinese smartphone maker Xiaomi, which sells handsets at razor thin margins, is increasingly dominating in its home market and emerging places such as India and Indonesia. To make money, the company relies on a range of homegrown software features in its Android-based MIUI operating system. In a surprising move earlier this week, the company asked its Twitter followers to choose between MIUI and Android One (which runs pure Android OS). Things didn't go as it had planned. From a report: Presumably the company was rather hoping that Twitter users would vote for its own MIUI which it could then rub in Google's face -- but the poll actually went against Xiaomi. Rather than leave the results of the vote up for anyone to see, the company decided to simply delete it and pretend it never happened. Take a look at the Xiaomi account on Twitter, and you'll see no hint that any such poll has ever taken place. But over on Reddit, there's a thread which was started by someone posting a link to the poll. In the comments, one Redditor noticed after a period of voting that: "So far it's 53-47 for android one."

Read more of this story at Slashdot.

Android Wear Is Getting Killed, and It’s All Qualcomm’s Fault

The death of Android Wear is all Qualcomm's fault, largely due to the fact that the company "has a monopoly on smartwatch chips and doesn't seem interested in making any smartwatch chips," writes Ars Technica's Ron Amadeo. This weekend marks the second birthday of Qualcomm's Snapdragon Wear 2100 SoC, which was announced in February 2016 and is the "least awful smartwatch SoC you can use in an Android Wear device." Since Qualcomm skipped out on an upgrade last year, and it doesn't seem like we'll get a new smartwatch chip any time soon, the entire Android Wear market will continue to suffer. From the report: In a healthy SoC market, this would be fine. Qualcomm would ignore the smartwatch SoC market, make very little money, and all the Android Wear OEMs would buy their SoCs from a chip vendor that was addressing smartwatch demand with a quality chip. The problem is, the SoC market isn't healthy at all. Qualcomm has a monopoly on smartwatch chips and doesn't seem interested in making any smartwatch chips. For companies like Google, LG, Huawei, Motorola, and Asus, it is absolutely crippling. There are literally zero other options in a reasonable price range (although we'd like to give a shoutout to the $1,600 Intel Atom-equipped Tag Heuer Connected Modular 45), so companies either keep shipping two-year-old Qualcomm chips or stop building smartwatches. Android Wear is not a perfect smartwatch operating system, but the primary problem with Android Wear watches is the hardware, like size, design (which is closely related to size), speed, and battery life. All of these are primarily influenced by the SoC, and there hasn't been a new option for OEMs since 2016. There are only so many ways you can wrap a screen, battery, and body around an SoC, so Android smartwatch hardware has totally stagnated. To make matters worse, the Wear 2100 wasn't even a good chip when it was new.

Read more of this story at Slashdot.

Rejoice: Samsung’s Next Flagship Smartphone Looks To Keep the Headphone Jack Alive

Notorious smartphone leaker Evan Blass has leaked a couple press images of the Galaxy S9, giving us the first indication that it will still have a headphone jack. "The full information spill today is actually focused on a new Samsung DeX Pad, which appears to be an evolution of last year's DeX dock for the Galaxy S8," reports The Verge. From the report: Samsung, LG, and a couple of other companies like OnePlus have remained resolute in their inclusion of a headphone jack, but that was far from a certainty for the next Galaxy S iteration. This is a phone that will compete against the iPhone X, Huawei Mate 10 Pro, and more niche rivals like Google's Pixel 2: all of them surviving sans a headphone jack. So Samsung could have dumped the analog audio output, but it seems to have opted against it, and that's worthy of commendation. USB-C earphones are all still either bad or expensive -- or both -- and phones that retain compatibility with 3.5mm connectors remain profoundly useful to consumers that aren't yet convinced by Bluetooth.

Read more of this story at Slashdot.

Android Messages May Soon Let You Text From the Web

Android Police dug into the code for the latest version of Android Messages and found two very intriguing features: Rich Communication Services (RCS) support and support for all the popular web browsers. From the report: Google is developing a web interface to run on a desktop or laptop, and it will pair with your phone for sending messages. Internally, the codename for this feature is "Ditto," but it looks like it will be labeled "Messages for web" when it launches. You'll be guided to visit a website on the computer you want to pair with your phone, then simply scan a QR code. Once that's done, you'll be able to send and receive messages in the web interface and it will link with the phone to do the actual communication through your carrier. I can't say with any certainty that all mainstream browsers will be supported right away, but all of them are named, so most users should be covered. Another major move appears to be happening with RCS, and it looks like Google may be tired of letting it progress slowly. A lot of new promotional text has been added to encourage people to "text over Wi-Fi" and suggesting that they "upgrade" immediately. There's a lot of text in that block, but most of it is purely promotional. It describes features that are already largely familiar as capabilities of RCS, including texting through a data connection, seeing messaging status (if somebody is typing) and read receipts, and sending photos. Google does put a lot of emphasis that if it's handling the photos, that they are high-quality. Android Police also notes the ability to make purchases via Messages.

Read more of this story at Slashdot.

EFF Seeks Right to Jailbreak Alexa, Voice Assistants

The Electronic Frontier Foundation (EFF) is asking the Library of Congress to give owners of voice assistant devices like Amazon’s Echo, Google Home and other voice assistants the right to “jailbreak” the devices: freeing them from content control features designed to prevent users from running unauthorized code on those...

Read the whole entry... »

Smartphone Users Tracked Even with GPS, WiFi Turned Off

A team of researchers from Princeton has demonstrated that they can track the location of smartphone users even when location services like GPS and WiFi are turned off. The recent military security breach involving the Strava mobile fitness app proved the persistent vulnerabilities of location-based services on mobile devices. However, turning off...

Read the whole entry... »

Bogus hack apps hack users back for cryptocash

Recently, we discovered a gold…er…APK mine of fake hacking apps. The “legitimate” versions of hack apps are intended to hack other apps in order to get something for free. Although it’s unclear what exactly these fake apps claim to hack, the real hack job is done to unsuspecting users.

Search and you will find

Disclaimer:  I, and Malwarebytes, do not recommend the process I’m about to outline below. Be that as it may, I’m also not naïve and know people do this all the time. In order to demonstrate the pitfalls of such an approach, I’ll lay it all out for you.

Say you want a hack for a particular app. Obviously, you aren’t going to find such a hack on Google Play. So you fire up your favorite search engine and type in something like <app name> hack apk. In this example, let’s use Lyft hack apk—Lyft being, of course, the popular on-demand transportation company. There, right at the top of the results, is the link to the hack app you desire. You decide to play it safe and navigate to the source domain rather than the direct link to the hack app. It’s a clean but simple-looking website called androidapk.world.

Convinced that such a clean-looking site has to be legitimate, you proceed to the Lyft hack app.

Complete with app screenshots, description of the app (stolen from Google Play), a FAQ, and a How to Install section, it looks promising. There is even a long list of tags so it can be easily searched—which is how you navigated there in the first place. You roll the dice and click Download APK…

A bad roll of the dice

After install, you open the app and get a message that states you need to install one of three apps listed to unlock premium content.

At this point, I suspect that a seasoned user would conclude that the jig is up and rush to uninstall, but let’s just play this out anyway. The first link for Castle Clash redirects you to the legit Google Play version of the game—okay, easy enough. The second link for Final Fantasy XV redirects to a broken link—fail. The third and final link for AppMatch Survey redirects to a dreaded, but harmless survey that ends in, once again, installing an app from Google Play.

Besides the failed link, each of the redirects earns the evildoers a small payout if an app is installed. Hence the “run it for 30 seconds” disclaimer pop-up.

After installing said app, and still no hack app and/or premium content, you should be ready to uninstall this bogus hack job. Good luck finding the app’s shortcut icon though, because it doesn’t exist. Luckily, it’s not too hard to find in your apps list.

In reality, I’m a little disappointed and confused that the malware developers didn’t hide their efforts more thoroughly. But hey, it’s good news if you did unsuspectingly install it. Hopefully, if you did install it, you go through the steps to uninstall in lieu of the missing shortcut. However, there is going to be a small percentage that don’t bother and forget about its existence—which is exactly what the bad actors are “banking” on. (Pun intended. Wait for it…)

Oh, mine!

So far, the attempts to dupe users seem bush league. Meanwhile, the true malicious intent has been running in the background all along. During the entire process of clicking through redirect links, the user may notice their mobile device being a tad slow. That’s because a cryptocurrency miner has been running the whole time. Under the Java class com.coinhiveminer.CoinHive is a Monero JavaScript miner. Thus, we classify this bogus hack app as Android/Trojan.CoinMiner.kki.
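A class name like com.coinhiveminer.CoinHive is exactly the kind of string a quick static triage can catch before an APK is installed. The following is an added example, not code from the post or from Malwarebytes, that opens an APK as the zip file it is, searches every entry for the class path in both its dex descriptor form (com/coinhiveminer/CoinHive) and its dotted form, and returns which entries contain it. The APK it scans is constructed in memory for the example: its classes.dex is not a real dex file, just a byte blob that carries the descriptor the way a real dex string table would, and its manifest and signature entries are placeholders.

```python
"""Static triage: does an APK contain the Coinhive miner class named in the post?

Added example. The only indicator is the class name from the post; the sample
APK built below is constructed for illustration and is not a real application.
"""
import io
import zipfile

# The post names the miner's Java class; dex files store class names as
# descriptors (Lcom/coinhiveminer/CoinHive;), so search for both spellings.
MINER_CLASS_MARKERS = (
    b"com/coinhiveminer/CoinHive",
    b"com.coinhiveminer.CoinHive",
)


def scan_apk(apk_bytes):
    """Return {entry_name: [markers found]} for every entry containing a marker."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info.filename)
            found = [m.decode() for m in MINER_CLASS_MARKERS if m in blob]
            if found:
                hits[info.filename] = found
    return hits


def signer_entries(apk_bytes):
    """List the signature-block entries, useful when comparing a suspect APK's
    signer against the Play Store copy of the app it claims to be."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(
            n for n in zf.namelist()
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        )


def verdict(hits):
    """Turn the per-entry hits into a one-line triage result."""
    if hits:
        return "suspicious: embedded Coinhive miner class in " + ", ".join(sorted(hits))
    return "no known miner markers"


def build_sample_apk(include_miner):
    """Construct a toy APK-shaped zip (not a real app; placeholders throughout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        # Fake dex: magic header, padding, then descriptors as a real string
        # table would hold them. Only the descriptor bytes matter to the scan.
        dex = b"dex\n035\0" + b"\0" * 16 + b"Lcom/example/hackapp/MainActivity;\0"
        if include_miner:
            dex += b"Lcom/coinhiveminer/CoinHive;\0"
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/CERT.RSA", b"<signature block placeholder>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("miner", build_sample_apk(True)),
                          ("clean", build_sample_apk(False))):
        hits = scan_apk(sample)
        print(label, "->", verdict(hits), "| signers:", signer_entries(sample))
```

Searching raw bytes is coarse: it will not see a class name that has been obfuscated or split, and a real triage pipeline would decode the dex string table and the binary manifest instead. It is, however, enough to catch a sample like the one described here, where the miner class is present under its plain name, and the signer listing is the first step toward the check that matters for any "hack" build of a real app: whether it is signed by the same certificate as the version on Google Play.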

Just a dish of adware

As if things couldn’t get worse, this fake hack app also comes with adware. This is not surprising, as we are seeing a trend of adware being added to various malware variants as a way to gain extra revenue. This particular adware serves ad pop-ups, as seen below.

Snake eyes

At the beginning of this blog post, I mentioned that I was not naïve to the fact that people willingly install hack apps. I ask you, dear readers, to not be naïve as well. Trying to find workarounds to get apps for free that are otherwise paid apps on Google Play is a gamble. The odds are against you by going to third-party app stores to install apps for free, or finding hack apps like the one described above. This roll of the dice ends in snake eyes.

In the scenario above, I’m not sure how anything is being hacked from the aforementioned Lyft Hack app. As a matter of fact, this should be the first clue something is fishy. As with anything in life, use your best judgment when installing apps onto your mobile device. Consequently, installing an app from a shady app store, even if it does look legit, could cost you. Stay safe out there!

The post Bogus hack apps hack users back for cryptocash appeared first on Malwarebytes Labs.

Android devices roped into new Monero-mining botnet

A new Monero-mining bot sprang up a few days ago and has already built a botnet of over 7,000 Android devices, most of which are located in China (39%) and Korea (39%). Spreading capabilities: The rise of the botnet has been flagged by researchers with Qihoo 360’s Netlab, who analyzed the mining malware and discovered that it has worm-like spreading capabilities. Once ADB.miner – as they’ve dubbed the threat – … More

Android P might include native function to record calls

Android P: The next version of Android to offer call recording support

While call recording functionality has existed within Android over the years, Google often places restrictions on developers’ access. To use the call recording functionality on Android, one needs to install a third party application, as the system itself does not allow call recordings directly.

However, the latest commits available on the AOSP (Android Open Source Project) site since February 2 indicate that this could change with Android P (or Android 9.0), the next iteration of the Android operating system.

Apparently, some of the code refers to a “call recording tone”, which means Google is likely to integrate call recording capabilities. The code reveals support for a 1400Hz tone that will be played every fifteen seconds to warn the other person in the conversation that a recording is in progress. The note indicates that the sound will be added to the outgoing audio stream so that the party on the other side can hear it.

“The tone itself is said to be of the 1,400Hz variety, meaning people of all ages should be able to hear it without any issues, with one of the commits referring to it revealing that it’s meant to be played every 15 seconds while the conversation is being recorded, presumably as to remind the person who didn’t initiate the recording that it’s still participating in one,” the report says.

In this way, the recording function will “meet regulatory compliance requirements,” according to the commit note. However, each country may set different rules for privacy protection. As a result, the commits implement a feature that allows carriers to decide whether or not they want call recording and the tone to be heard every 15 seconds.

“Adding carrier configuration option to specify whether the carrier requires the incall recording tone be played,” reads the information available on one of the commits.

Currently, it is unclear whether Google will provide new APIs (application programming interfaces) that allow developers to integrate the call recording functionality into their apps. However, the built-in Android P feature is likely to work with recording apps after they obtain the required permissions, as noted in the commits.

Google will announce the next version of the Android operating system, Android P, at the Google I/O conference to be held later this year.

The post Android P might include native function to record calls appeared first on TechWorm.

ADB.Miner, the Android mining botnet that targets devices with ADB interface open

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet that targets devices with ADB interface open.

Security researchers at Qihoo 360’s Netlab spotted a new Android mining botnet over the weekend. The malicious code, ADB.Miner, targets Android devices by scanning for an open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.

Port 5555 is the working port of the ADB debug interface on Android devices and should normally be closed. The devices infected by ADB.Miner are ones on which users or vendors have voluntarily enabled debugging over port 5555.

“Spread of time : the earliest time of infection can be traced back to near January 31. This current wave of helminthic infections has been detected by our system from around 15:00 on the afternoon of 2018-02-03 and is still on the rise.” reads the analysis published by Netlab.

“Infected port : 5555, is the working port adb debug interface on Android device, the port should be shut down normally, but unknown part of the cause led to the wrong port opened.”

Starting from February 3, the experts noticed a rapid growth in the volume of scan traffic on port 5555 associated with ADB.Miner.

Once ADB.Miner has infected a device, the compromised system starts scanning the Internet for other devices to infect.

According to the experts, ADB.Miner borrowed the scanning code implemented by the Mirai botnet; this is the first time that Mirai code has been used by an Android threat.

The researchers did not reveal how the malware infects Android devices; it likely exploits a flaw in the ADB interface.

The number of infected devices is growing rapidly: depending on which measurement is used, there are between 2.75k and 5.5k, and the figure keeps rising.

The two sources reported by Netlab are:

  • Statistics from scanmon : 2.75k, mainly from China (40%) and South Korea (31%).
  • Statistics from our botnet tracking system: 5.5k

At the time of writing, the number of unique IP addresses performing ADB.Miner scans had reached 75,900.

Most IP addresses scanning the port 5555 are located in China (~40%) and South Korea (~30%).
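The scan wave Netlab describes is visible from the defender’s side as many sources sweeping TCP/5555 across a network. The following is an added example (not Netlab’s code) that parses constructed netfilter-style firewall log lines, maps each source to the hosts it probed on the ADB port, and flags sources that fan out across several hosts; the addresses are documentation-range values and the log is made up for the demonstration:

```python
"""Added example (not Netlab's code): spot hosts sweeping TCP/5555, the ADB
over-TCP port that ADB.Miner scans for, from constructed firewall log lines."""
import re
from collections import defaultdict

ADB_TCP_PORT = 5555

# Netfilter-style log fields; only SRC, DST, PROTO and DPT are captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample (documentation-range addresses, not real hosts):
# 203.0.113.10 fans out across three internal hosts on 5555 (sweep-like),
# 198.51.100.7 probes 5555 once, 192.0.2.5 is an ordinary HTTPS connection,
# and a UDP datagram to 5555 is ignored because ADB is TCP only.
SAMPLE_LOG = """\
Feb  4 15:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.20 PROTO=TCP SPT=41234 DPT=5555 SYN
Feb  4 15:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.21 PROTO=TCP SPT=41235 DPT=5555 SYN
Feb  4 15:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.22 PROTO=TCP SPT=41236 DPT=5555 SYN
Feb  4 15:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=5555 SYN
Feb  4 15:00:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.20 PROTO=TCP SPT=50001 DPT=443 SYN
Feb  4 15:00:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.20 PROTO=UDP SPT=41237 DPT=5555
"""


def parse_line(line):
    """Return {'src', 'dst', 'proto', 'dpt'} for a recognised line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def adb_probes(log_text, port=ADB_TCP_PORT):
    """Map each source IP to the set of destination hosts it probed on TCP/port."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            targets[rec["src"]].add(rec["dst"])
    return dict(targets)


def flag_scanners(log_text, min_targets=2, port=ADB_TCP_PORT):
    """Sources that touched at least min_targets distinct hosts on the ADB
    port: one stray connection is noise, fan-out across hosts is a sweep."""
    return {src for src, dsts in adb_probes(log_text, port).items()
            if len(dsts) >= min_targets}


def probed_hosts(log_text, port=ADB_TCP_PORT):
    """Internal hosts that received ADB-port probes: the ones to check for an
    exposed ADB daemon (on a device: adb shell getprop service.adb.tcp.port)."""
    hosts = set()
    for dsts in adb_probes(log_text, port).values():
        hosts |= dsts
    return hosts


if __name__ == "__main__":
    print("sweeping sources:", flag_scanners(SAMPLE_LOG))
    print("hosts to check:", sorted(probed_hosts(SAMPLE_LOG)))
```

The threshold is deliberately low because the normal count of legitimate inbound ADB connections from the Internet is zero; any device that shows up in `probed_hosts` should have debugging over TCP switched back off (the `adb usb` command reverts a device that was put into TCP mode with `adb tcpip`).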

The operators of the botnet are using the following Monero wallet address:

  • 44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr

At the time of the analysis, that wallet had not yet received any mining payout.

Pierluigi Paganini 

(Security Affairs – Monero, ADB.Miner)

The post ADB.Miner, the Android mining botnet that targets devices with ADB interface open appeared first on Security Affairs.

Android Oreo Passes 1 Percent Adoption After 5 Months, Nougat Finally Takes First Place

According to Google's Platform Versions page, Android 8.0 Oreo mobile operating system finally has 1.1 percent adoption. Like Android Nougat before it, Android Oreo took five months to pass the 1 percent adoption mark. VentureBeat reports: On the bright side, Nougat this month has passed Marshmallow, meaning the second newest Android version is now the most widely used. The latest version of Android typically takes more than a year to become the most-used release, and so far it doesn't look like Oreo's story will be any different. Google's Platform Versions tool uses data gathered from the Google Play Store app, which requires Android 2.2 and above. This means devices running older versions are not included, nor are devices that don't have Google Play installed (such as many Android phones and tablets in China, Amazon's Fire line, and so on). Also, Android versions that have less than 0.1 percent adoption, such as Android 3.0 Honeycomb and Android 2.2 Froyo, are not listed. The two next-oldest Android versions are thus set to drop off the list sometime this year. The Android adoption order now stands as follows: Nougat in first place, Marshmallow in second place, Lollipop in third, KitKat in fourth, Jelly Bean in fifth, Oreo in sixth, ICS in seventh, and Gingerbread in last. All eyes are now on Oreo to see how slowly it can climb the ranks.

Read more of this story at Slashdot.

Chrome OS Is Almost Ready To Replace Android On Tablets

Several new features rolling out to Chromebooks paint a picture of the future of Chrome OS as the rightful replacement for Android tablet software. Those include a new split-screen feature for multitasking while in tablet mode, and a screenshot feature borrowed from Android. The Verge reports: As it stands now, Chrome OS is very close to taking up the mantle there, and features like this push it ever closer to becoming the hybrid OS for all types of Google-powered screens. This has been in the works for quite a while as Google's Chrome and Android teams have coordinated closely to ensure the influx of low-cost, hybrid computing devices like 2-in-1 Chromebooks get the best of both worlds. There is, of course, Android app compatibility on Chrome OS, an initiative that first arrived somewhat half-baked last year and has taken months to fully jell as Google worked out the kinks. For instance, just last month Google added the ability for Android apps on Chromebooks to run in the background. In July of last year, Google also began embarking on a touch-focused redesign of Chrome OS to make the software more functional in tablet mode. We're likely not getting the full-blown merging of the two divisions and their respective platforms anytime soon, or perhaps ever, as Google has played with the idea for years without ever seeming to decide that one platform should supersede the other. In essence, however, Android remains Google's dominant mobile OS, while Chrome OS has been taking on more responsibility as Chromebooks have steadily become more capable and tablet-like.

Read more of this story at Slashdot.

Android Device Management: Sweet Features, No Toothache

People love their Android devices. In fact, it has become one of the world’s most popular mobile operating systems (OS). Consumers expect to put this technology to work, not just use it outside the office. This has made Android device management a critical tool in any security team’s arsenal.

In addition, Google’s commitment to making compatible devices enterprise-ready has made the Android OS so good that organizations won’t want to miss out on the full potential of the platform. Since its initial release, Google has added more features to maximize productivity, bolster security and improve the OS’s overall adaptability in the enterprise.

Learn More about putting the Sweet Features of Android to Work!

Tracking the Evolution of the Android OS

Below is an abbreviated look at the evolution of the OS and the key security features associated with each iteration.

  • When Android 5.0 (Lollipop) was released in 2014, a key feature was adding work profiles. This addition was designed to separate work from play and help protect user privacy. Only approved applications can be installed in these profiles, and work data is encrypted to keep it safe if the device is lost or stolen.
  • Android 6.0 (Marshmallow), released in 2015, included security and management enhancements, such as fingerprint access, which improves the user experience without compromising security.
  • The following year, Android 7.0 (Nougat) added an always-on virtual private network (VPN) feature, which directed all traffic from the work profile or specific apps through a secure connection.
  • The newest release, Android 8.0 (Oreo), brings zero-touch enrollment, which saves users time and hassle when getting set up for Android device management.

Three Tips for Managing Android Devices

When implementing Android in the enterprise, organizations should follow the key steps outlined below to make sure the deployment is successful.

Use a UEM Solution

Industry analysts have adopted the term unified endpoint management (UEM) to describe a solution that encompasses all types of data and devices, from smartphones and tablets to laptops, desktops and Internet of Things (IoT) devices. This tool should be able to manage any enrolled Android device, along with all other commonly used platforms, with ease.

Manage Devices With Remote Support and Simple Enrollment

Over-the-air (OTA) and remote support are some of the best tools to have when managing Android devices. Even if a device is miles away, IT can see exactly what the end user sees and provide technical support from afar. With Android zero-touch enrollment, the IT team can manage devices without physically touching them at all.

Be Secure, but Don’t Burn Trust

Today’s technology landscape has raised user, device and data security as one of the most important issues for IT and security leaders to address. When managing Android devices, security teams should set rules to ensure that the organization’s data is encrypted in case of a breach. It’s also important for end users to feel confident that their personal data is truly private, even from the IT team. Trust and reassurance between IT and the user population is key.

Android Device Management Can Be Easy

When implementing an Android device management solution, it’s important to assess the needs of the organization, the IT department and end users, especially when it comes to privacy. Security leaders should be sure to follow all the proper steps for a successful UEM rollout.

Managing Android devices doesn’t need to be difficult — especially when you’re using a UEM solution that provides fast deployment and management of all the organization’s users, devices, apps and content — Android and otherwise — from a single console. After enrolling devices, IT can implement security policies and compliance rules to help protect users and their data without impeding productivity or violating user privacy.


The post Android Device Management: Sweet Features, No Toothache appeared first on Security Intelligence.

LG Settles Bootloop Lawsuit With $425 Cash Or a $700 Rebate Toward a New LG Phone

Early last year, a class-action lawsuit was filed against LG over bootloop issues affecting their G4 and V10 smartphones. Now, according to a settlement website set up by the law firm Girard Gibbs, members of the lawsuit have received a settlement offer. The only catch is that the settlement is only for plaintiffs of the initial case. Android Police reports: LG is offering plaintiffs either $425 as a cash settlement or a $700 rebate toward the purchase of a new LG phone. That's pretty generous, and it's clear that's going to help offset some of the anger LG's created with this whole incident. If you're one of the plaintiffs, you don't have to mail in your broken phone or anything, you just get the settlement offer, straight up. Members of the class will be contacted shortly with instructions on how to take advantage of the settlement. Payments will be distributed beginning in March.

Read more of this story at Slashdot.

Google booted 100,000 malicious developers from Google Play

New malware and unwanted apps are discovered on Google Play nearly every day – or so it seems. According to Google’s statistics, in 2017 the company took down more than 700,000 apps that violated Google Play policies: copycat apps, apps showing inappropriate content, and outright malware (apps that conduct SMS fraud, act as trojans, or phish for users’ information). The number might seem small to some and significant to others, but it is definitely … More

Time to stop watching Porn on Smartphones as they are Vulnerable to Hacking and Ransomware

Android smartphones are used all around the world and are becoming more popular by the day. If you own an Android smartphone and use it to watch porn, it’s time you started avoiding that. Android smartphones have recently been found to be vulnerable to hacking and ransomware. According

The post Time to stop watching Porn on Smartphones as they are Vulnerable to Hacking and Ransomware appeared first on Hacker News Bulletin | Find the Latest Hackers News.

Google Play Removed 700,000 Bad Apps In 2017, 70 Percent More Than In 2016

Today, Google announced that it removed more than 700,000 apps that violated Google Play's policies, or 70 percent more apps than the year before. "Google does not share total Google Play app numbers anymore, so we have to rely on third-party estimates to put this 70 percent figure into perspective," reports VentureBeat. "Statista pegs the total number of apps on Google Play at 2.6 million in December 2016 and 3.5 million in December 2017, a 35 percent growth. How many of those were bad apps, however, is anyone's guess." From the report: All we know is that the number of bad apps removed grew faster than the total number of apps in the store, which makes sense if you take into account the next statistic Google revealed today: 99 percent of apps with abusive content were identified and rejected before anyone could install them in 2017. This was possible, Google says, thanks to its implementation of machine learning models and techniques to detect abusive app content and behaviors such as impersonation, inappropriate content, or malware. The company claims that the odds of getting malware is 10x lower via Google Play than if you install apps from outside sources.

Read more of this story at Slashdot.

OnePlus Is Again Sending User Data To a Chinese Company Without User Consent

In October 2017, a researcher caught OnePlus silently collecting all sorts of data from its users. Now, a new report says that there's still a OnePlus app that can grab data from the phone and send it to servers in China without a user's knowledge or express consent. BGR reports: The French security researcher hiding behind the name Elliot Alderson on Twitter detailed OnePlus's data collection practices back in October, and he has now discovered a strange file in the OnePlus clipboard app. A Badword.txt file contains various keywords, including "Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email," and others. The file is then duplicated in a zip file called pattern alongside six other .txt files. All these files are apparently used "in an obfuscated package which seems to be an #Android library from teddymobile." Now, TeddyMobile is a Chinese company that works with plenty of smartphone makers from China. The company seems to be able to recognize words and numbers in text messages. And OnePlus is apparently sending your phone's IMEI number to a TeddyMobile server, too. It looks like the TeddyMobile package might be able to grab all sorts of data from a phone. Even bank numbers are apparently recognized. OnePlus has yet to issue a statement on the matter.

Read more of this story at Slashdot.

Kaspersky Lab official blog: Transatlantic Cable podcast, episode 21

In this week’s edition of the Transatlantic Cable podcast, Dave and I discuss teenage hackers, a woman who has a bad habit of sneaking onto airplanes, Sonic the Hedgehog and more.

For more on this week’s topics, see:


Kaspersky Lab official blog

Kaspersky Lab official blog: Which protection from Kaspersky Lab is right for you?

You might’ve wondered why Kaspersky Lab has so many different products for consumers. On the website, you’ll find Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Antivirus, and more. Which one should you choose? Well, it depends, but we can help you here.

Different users have different expectations of a security solution, which is why we created a variety of solutions. Here, we provide an infographic guide that will help you choose the protection that is right for you.

We hope that helped you choose the right security solution. To download your choice, just click on its icon in the infographic and then install it on the devices you want to protect.

If you need some more help in choosing a product, you can go to our website and click “HELP ME CHOOSE” in the upper right corner to go directly to the helping tool.

No matter what you’ve chosen, you’ll get a state-of-the-art security solution that provides top-notch protection. They have different features, but all of them have won a lot of awards from different independent testers.

Smashing Security #062: Tinder spying, Amazon shoplifting, and petrol pump malware

Smashing Security #062: Tinder spying, Amazon shoplifting, and petrol pump malware

Your Tinder swipes can be spied upon, Amazon is opening high street stores that don't require any staff, and Russian fuel pumps are being infected with malware in an elaborate scheme to make large amounts of money.

With Carole on a top secret special assignment, it's left to security veteran Graham Cluley to discuss all this and much much more on the "Smashing Security" podcast with special guests David McClelland and Vanja Švajcer.

DuckDuckGo offers new privacy extension and app

DuckDuckGo, the company behind the eponymous privacy-minded Internet search engine, has announced a new browser extension and mobile app: DuckDuckGo Privacy Essentials. DuckDuckGo Privacy Essentials does four things: It makes DuckDuckGo the default search engine (this feature is optional – it can be switched off). Forces websites to serve users with an encrypted version (i.e., HTTPS version) of the site – if it’s available. Blocks all hidden, third-party trackers it can find and provides users … More

Android Can Now Tell You How Fast Wi-Fi Networks Are Before You Join Them

Today, Google announced that Android 8.1 Oreo will now display the speed of nearby open Wi-Fi networks to help you decide whether they're even worth the effort of connecting to. The Wi-Fi settings menu will now display one of four speed labels: Very Fast, Fast, OK, or Slow. The Verge reports: The difference between Very Fast and Fast, according to Google, is that you can stream "very high-quality videos" on the former and "most videos" on the latter. Most coffee shop dwellers should be fine with the OK level, as that's enough for web browsing, social media, and Spotify streaming. Private Wi-Fi networks that require passwords don't display any speed data since it's really none of your business and Google can't randomly test them, but they do continue to indicate signal strength. Google says network administrators can also opt out of Android's Wi-Fi Assistant showing speed info by using a "canary URL."

Read more of this story at Slashdot.

Skygofree: New Government Malware for Android

Kaspersky Labs is reporting on a new piece of sophisticated malware:

We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.

Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.

It seems to be Italian. Ars Technica speculates that it is related to Hacking Team:

That's not to say the malware is perfect. The various versions examined by Kaspersky Lab contained several artifacts that provide valuable clues about the people who may have developed and maintained the code. Traces include the domain name h3g.co, which was registered by Italian IT firm Negg International. Negg officials didn't respond to an email requesting comment for this post. The malware may be filling a void left after the epic hack in 2015 of Hacking Team, another Italy-based developer of spyware.

BoingBoing post.

Yale Privacy Lab and Exodus Privacy’s F-Droid Android App Store is a Replacement for Google Play That Features Only FOSS Apps That Don’t Do Any Tracking

Google Play, the marquee Android apps store, is filled with apps that are riddled with hidden trackers that siphon a smorgasbord of data from all sensors, in all directions, unknown to the Android user. Not content with the strides Google has made to curtail the issue, Yale Privacy Lab has collaborated with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. From a report on Wired: F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. F-Droid doesn't offer the millions of apps available in Google Play, so some people will not want to use it exclusively. It's true that Google does screen apps submitted to the Play store to filter out malware, but the process is still mostly automated and very quick -- too quick to detect Android malware before it's published, as we've seen. Installing F-Droid isn't a silver bullet, but it's the first step in protecting yourself from malware.

Read more of this story at Slashdot.

Security Affairs: Google awarded Chinese hacker record $112,500 for Android exploit chain

Google has awarded a record $112,500 to a security researcher for reporting an exploit chain that could be used to hack Pixel smartphones.

Last week Google disclosed the technical details of the exploit chain, which was devised in August 2017 by Guang Gong of Alpha Team at Qihoo 360 Technology. The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904; the researchers submitted it through the Android Security Rewards (ASR) program.

“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.” reads the analysis published by Google.


By chaining the two vulnerabilities, attackers can remotely inject arbitrary code into the system_server process when a malicious URL is opened in Chrome.

In an attack scenario, attackers can trick victims into clicking on such a URL and fully compromise their mobile device.

Gong was awarded $105,000 for this exploit chain and also received an additional $7,500 through the Chrome Rewards program.

Google addressed the flaws as part of Android’s December 2017 security bulletin, which fixed a total of 42 bugs.

Pixel mobile devices and partner devices using A/B updates will automatically install the security updates that fixed the flaws.

“The Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues.” concluded Google.

The ASR program has paid out over $1.5 million in rewards to date, with the top research team earning $300,000 for 118 vulnerability reports.
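Google’s note gives the one fact a device owner or fleet administrator needs to verify: a security patch level of 2017-12-05 or later contains the fixes. The block below is an added example (not Google’s or the researcher’s code) that parses `adb shell getprop` style output and checks the real `ro.build.version.security_patch` property against that date; the property values shown are constructed, not captured from a real device:

```python
"""Added example (not Google's or the researcher's code): check a device's
build properties against the patch level Google named for these fixes.
The getprop output below is constructed, not captured from a real device."""
from datetime import date, datetime
import re

# From Google's note: security patch level 2017-12-05 or later has the fixes.
REQUIRED_PATCH_LEVEL = date(2017, 12, 5)

# Real property names, constructed values: an Oreo build one month behind.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2017-11-05]
[ro.product.model]: [constructed-sample-device]
"""

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Turn getprop-style output into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_level(props):
    """Security patch level as a date, or None when the property is missing
    or malformed (pre-Marshmallow builds never set it)."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None


def is_patched(props, required=REQUIRED_PATCH_LEVEL):
    """True only for a parsable patch level at or after the required one;
    an unknown level is treated as unpatched, not as a pass."""
    level = patch_level(props)
    return level is not None and level >= required


def report(props):
    """Summary a fleet inventory script could store per device."""
    level = patch_level(props)
    return {
        "release": props.get("ro.build.version.release", "unknown"),
        "patch_level": level.isoformat() if level else "unknown",
        "has_fix": is_patched(props),
    }


if __name__ == "__main__":
    print(report(parse_getprop(SAMPLE_GETPROP)))
```

Treating a missing or unparsable patch level as unpatched is the safe default: it is exactly the devices that cannot report a level (or report one in a vendor-specific format) that tend to be the ones no longer receiving updates.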

Pierluigi Paganini

(Security Affairs – Android exploit chain, hacking)

The post Google awarded Chinese hacker record $112,500 for Android exploit chain appeared first on Security Affairs.

Infosec expert viewpoint: Google Play malware

Researchers routinely discover a variety of malicious apps on Google Play, some of which have been downloaded and installed on millions of devices worldwide. Here’s what infosec experts think about the security of Google Play, what they think Google should do better, and what users can do in order to protect themselves from malicious apps on the official Android app store. Chris Boyd, Lead Malware Intelligence Analyst, Malwarebytes Google Play continues to have issues where … More

Security Affairs: Dark Caracal APT – Lebanese intelligence is spying on targets for years

A new long-running player has emerged in the cyber arena: the Dark Caracal APT, a hacking crew associated with the Lebanese General Directorate of General Security that has already conducted many stealthy hacking campaigns.

Cyber spies belonging to the Lebanese General Directorate of General Security are behind a number of stealthy hacking campaigns that, over the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.

This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to decrease and new players are becoming even more dangerous.

The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The APT group was tracked as Dark Caracal by the researchers; its campaigns leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.

“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.” states the report.

The attack chain implemented by Dark Caracal relies primarily on social engineering; the hackers used messages sent to the victims via Facebook group posts and WhatsApp messages. At a high level, the hackers designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.


The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. The Dark Caracal malware is also able to use the device’s cameras and microphone to spy on victims.

Unfortunately, the APT group also used another powerful piece of surveillance software in its campaigns: the dreaded FinFisher, a spyware product that is often marketed to law enforcement and government agencies.

Lookout and the EFF launched their investigation in July 2017. The researchers were able to identify the command-and-control infrastructure and determined that the Dark Caracal hackers were running six distinct campaigns. Some of these campaigns had been ongoing for years, hitting a large number of targets in many countries, including China, the United States, India, and Russia.

“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”

Further details are provided in the technical report, which includes more than 90 indicators of compromise (IOC).

Pierluigi Paganini

(Security Affairs – Dark Caracal, APT)

The post Dark Caracal APT – Lebanese intelligence is spying on targets for years appeared first on Security Affairs.


Skygofree is the most powerful surveillance tool for Android, Kaspersky says

Skygofree Android Spyware Can Steal Almost Everything In Your Mobile

Security researchers at Kaspersky Lab have identified a new sophisticated espionage software for Android, which can gain complete control of users’ phones and steal information.

The software, dubbed ‘Skygofree’, is “one of the most powerful spyware tools” ever seen for Android and, in Kaspersky’s words, “display capabilities more reminiscent of Hollywood spy movies.”

This Android spyware can track the user’s location, record audio conversations, intercept SMS and calendar entries, monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp, and even read WhatsApp messages through Accessibility Services. It can also connect the device to a Wi-Fi network controlled by the attackers, even when the user has disabled Wi-Fi, and take photos every time the user unlocks the device. The software can also operate in standby mode.

“In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home,” said Kaspersky Lab. “This lets the victim’s traffic be collected and analysed.”

Although the spyware was identified by Kaspersky’s researchers at the end of 2017, its existence dates back to 2014. Skygofree has apparently already infected several Italian Android users, and the software has evolved considerably over that three-year period.

“The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion,” says Kaspersky.

To safeguard against this software, Kaspersky recommends, first, installing apps only from official online stores (such as the Play Store or App Store) and disabling installation of apps from third-party sources. Second, pay attention to misspelled app names, small numbers of downloads, and dubious requests for permissions. Lastly, install a reliable security solution that will protect your device from most suspicious websites, dangerous links, and malicious apps and files.

Source: Kaspersky

The post Skygofree is the most powerful surveillance tool for Android, Kaspersky says appeared first on TechWorm.

Smashing Security #061: Fallout over Hawaii missile false alarm

User interfaces and poor procedures lead to pandemonium in Hawaii, hackers are attempting to trick victims into opening cryptocurrency-related email attachments, and yet more pox-ridden apps are found in Android's Google Play store.

All this and much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Skygofree — Powerful Android Spyware Discovered

Security researchers have unveiled one of the most powerful and highly advanced Android spyware tools that give hackers full control of infected devices remotely. Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years. Since 2014, the Skygofree implant has gained several

Malware found guilty of populating apps with pornographic adverts

In the month of April last year, a popup alerting users through fake messages appeared that took many users by surprise. It was basically a web advertisement that was used to scare visitors of websites to make them believe that their device has been affected with adware or a possible hacking has taken place. Such

The post Malware found guilty of populating apps with pornographic adverts appeared first on Hacker News Bulletin | Find the Latest Hackers News.

Google removes 60+ fake game apps displaying porn ads from Google Play

Google has removed some 60+ game apps from Google Play after they were found to contain code that delivered inappropriate and pornographic ads, attempted to trick users into installing fake security apps, or tried to sign them up for (paid) premium services. About the apps: the offending apps were first flagged by Check Point researchers, who named the threat “AdultSwine.” The threat posed as different game apps – “Drawing Lessons Angry Birds,” “Temple Crash Jungle … More

Coprocessor Attacks: the Hidden Threat

Botnets, DDoS and ransomware attacks, vulnerabilities in Internet of Things devices and Open Source Software, and the generally poor state of information security, dominate the discussion of cybersecurity. These same

The post Coprocessor Attacks: the Hidden Threat appeared first on The Cyber Security Place.

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Thousands of users of an adult virtual reality application risk having their personal information, including names and email addresses exposed, according to researchers in the UK. Thousands of Internet denizens who wanted to explore their virtual naughty side are in for an unpleasant surprise after a firm offering an adult virtual reality game,...


AdultSwine Malware Displays Porn Ads within Child-Themed Android Apps

AdultSwine malware displays pornographic ads within affected child-themed game apps that were once available for download on Google’s Play Store. Researchers at Check Point detected AdultSwine hidden within 60 game apps, including some with children as their target audience. All of those affected apps were available for download on Google’s Play Store until recently. […]

The post AdultSwine Malware Displays Porn Ads within Child-Themed Android Apps appeared first on The State of Security.

Researchers: SCADA Mobile Apps Continue to Have ‘Shocking’ Number of Vulnerabilities

Despite their availability on mobile networks and thus increased exposure to outside security threats, SCADA apps remain highly insecure and vulnerable to attack, putting critical industrial control systems at immediate and increased risk, researchers at IOActive and Embedi have found. While it might be good news for industrial control system...


North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk

Recently, South Korean media wrote about North Korean refugees and journalists being targeted by unknown actors using KakaoTalk (a popular chat app in South Korea) and other social network services (such as Facebook) to send links to install malware on victims’ devices. This method shows that attackers are always looking for different ways to deliver malware.

The McAfee Mobile Research Team has acquired the malicious APK files used in these targeted attacks. According to the articles, Google-shortened URLs were used to spread the malware, so we analyzed the click statistics of those shortened URLs.

There are two versions of the dropper malware: “북한기도” (Pray for North Korea) and “BloodAssistant” (a health care app). In both cases, most clicks originated in South Korea, and the most common browser and operating system combination was Chrome on Windows (Android was the second most common). The referrer diagram for BloodAssistant shows that Facebook was used in 12% of cases to send the link to its targets.

In the case of the journalist who was targeted, the attacker sent a shortened link showing a thumbnail of another story written by the journalist, according to the news article. The link directs to ihoodtec[.]com/upload/newslist[.]php (now offline), which seems to be used for redirecting to links in other domains. This shortened URL was clicked by someone with an account at mail[.]police[.]go[.]kr, suggesting the shortened URL was also sent via email to the police address.

The number of clicks might not be meaningful because it can include access from malware researchers, but what is meaningful is that malware-download links were spread using different platforms: Facebook, KakaoTalk, email, etc.

Analysis

Dropper

All the malicious APK files (including additional variants) dropped the Trojan onto the victim’s device. Although the apps look different, the dropper mechanism is identical. The following screens show the execution of the dropper files.

Figure 1: Screenshots of droppers.

When the dropper APK executes, it first checks whether the device is already infected. If not, it tricks the victim into turning on the accessibility permission: if the victim taps the pop-up window, the view switches to the accessibility settings menu so the app can acquire the permission.

When the accessibility service starts, it overlays the window (by playing a video, for example) to hide the process of turning on required settings and dropping and installing the Trojan. The overlay is removed after the Trojan is installed. The following diagram explains the flow after executing the dropper malware.

Figure 2: Execution flow of the dropper.
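Both the Skygofree entry above (which reads WhatsApp messages through Accessibility Services) and this dropper (which tricks the victim into granting the accessibility permission) depend on an accessibility service being enabled that the user never intended. An audit from the defender's side is to compare the device's enabled accessibility services against an allowlist. The script below is an added example, not code from McAfee, Kaspersky, or any of the posts on this page. The Android setting `enabled_accessibility_services` and its colon-separated `package/ServiceClass` value format are real; the allowlist contents and the sample setting value (including the package `com.example.fakeupdate`) are constructed for illustration, and the live check assumes `adb` is installed with one device attached.

```shell
#!/bin/sh
# Added example: audit enabled Android accessibility services against an allowlist.
# Not part of the McAfee post; the allowlist and the sample value are constructed.

# Hypothetical allowlist (space-separated package names). Populate it with the
# accessibility services your fleet legitimately uses; TalkBack is a common one.
ALLOWLIST="com.google.android.marvin.talkback"

# Constructed sample of what `settings get secure enabled_accessibility_services`
# returns: entries are "package/ServiceClass", separated by ':'.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/.OverlayService"

# flag_accessibility_services VALUE ALLOWLIST
#   Prints, in input order, each enabled service whose package is not allowlisted.
#   An empty VALUE (no services enabled) prints nothing.
flag_accessibility_services() {
    value="$1"
    allow="$2"
    if [ -z "$value" ]; then
        return 0
    fi
    # Turn the ':'-separated list into one entry per line and inspect each.
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg="${entry%%/*}"          # package name is everything before the '/'
        allowed=no
        for a in $allow; do
            if [ "$pkg" = "$a" ]; then
                allowed=yes
            fi
        done
        if [ "$allowed" = no ]; then
            printf '%s\n' "$entry"
        fi
    done
    return 0
}

# count_flagged VALUE ALLOWLIST -> number of non-allowlisted services (0 if none).
count_flagged() {
    flag_accessibility_services "$1" "$2" | wc -l | tr -d ' '
}

# check_device: run the audit against an attached device, if adb is available.
# The setting reads back as the literal string "null" when nothing is enabled.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live check"
        return 0
    fi
    live="$(adb shell settings get secure enabled_accessibility_services 2>/dev/null | tr -d '\r')"
    if [ "$live" = "null" ]; then
        live=""
    fi
    flag_accessibility_services "$live" "$ALLOWLIST"
}

# Usage: `sh audit_a11y.sh --demo` runs on the constructed sample;
#        `sh audit_a11y.sh --device` queries the attached device.
case "${1:-}" in
    --demo)   flag_accessibility_services "$SAMPLE" "$ALLOWLIST" ;;
    --device) check_device ;;
esac
```

Run on the constructed sample, the script reports only `com.example.fakeupdate/.OverlayService`, since TalkBack is allowlisted. A non-empty result on a real device is a lead, not a verdict: legitimate password managers and automation apps also register accessibility services, which is exactly why the allowlist must be maintained per fleet rather than guessed.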

Trojan

The dropped Trojan uses the popular cloud services Dropbox and Yandex as control servers to upload data and receive commands. The following diagram explains the execution flow of the Trojan. The names of broadcast receivers and services (with some misspellings) may vary between samples, but the execution is the same.

Figure 3: Execution flow of the Trojan.

When the dropped Trojan is installed, it saves device information in a temporary folder and uploads it to the cloud. It then downloads a file containing commands and other data to control the infected device. (We’ll explain the format of the downloaded file in the next section.) Most of the malicious behaviors, such as saving SMS messages and contact information, are implemented inside a separate dex file, “core,” which is downloaded from the control server. This dex file is referenced in many places in the malware. The malicious functionality can be extended, as we’ll explain in the following section.

Command file structure

The command file has its own format. The following diagram shows the types of values; offset designators are used to retrieve each value when parsing the file. The table that follows explains each value.

Figure 4: Command file format.

Figure 5: Command file values.

The handler for the command code received from the cloud (the CMD value) is implemented as a separate dex file and is downloaded either before or after the malware parses the command file. This mechanism allows the attacker to extend the malicious functionality easily without updating the whole malware.

Our analysis shows that only some of the commands are currently implemented and uploaded to the cloud control server. Note that Command 12 captures KakaoTalk chat logs.

Figure 6: Implemented commands.

Variants

We have found variants of the APKs that the news articles initially reported, hosted on Google Drive. (The APKs on Google Drive are flagged as malware and cannot be downloaded.) Some variants use different cloud services as their control servers, while others drop the separate call-recording app “com.toh.callrecord” (assets/bbb). The following graph shows the relationships among variants and dropped files.

Figure 7: Relationships among variants.

The Actors

The initial malicious APKs we found were uploaded to Google Drive by the same account, and we found a connected social network account. By following the activities of this account, we conclude with high confidence that it was used to send shortened URLs to victims to get them to download the malicious APK files.

The group behind this campaign is certainly familiar with South Korean culture, TV shows, dramas, and the language, because the account names associated with the cloud services are taken from Korean dramas and TV shows, including the following:

Figure 8: Cloud service accounts.

We found the use of an interesting word, “피형” (“blood type”), which is not used in South Korea but is used in North Korea. (“혈액형” is the word for blood type in South Korea.) We also found a North Korean IP address in test log files of some Android devices connected to accounts used to spread the malware. However, Wi-Fi was on, so we cannot exclude the possibility that the IP address is private.

By looking at the list of deleted folders in the cloud, we found one with the name “sun Team Folder,” possibly the name of the actors. This group has been active since 2016, according to the cloud storage creation date.

Figure 9: Deleted folder in the cloud.

Conclusion

This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors.

McAfee Mobile Security detects this malware as Android/HiddenApp.BP. Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware.

The post North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk appeared first on McAfee Blogs.

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Two recently uncovered, huge processor vulnerabilities, called Meltdown and Spectre, have taken the whole world by storm, while vendors rush to patch the vulnerabilities in their products. The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20

Bogus security apps in the Google Play store stole users’ info and tracked their location

Android users would be wise to remember that just because an app appears in the official Google Play store doesn't mean that it should be considered entirely trustworthy.

The post Bogus security apps in the Google Play store stole users’ info and tracked their location appeared first on The State of Security.

Hijacker – Reaver For Android Wifi Hacker App

Hijacker is a native GUI that provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3, making it a powerful Wifi hacker app.

It offers a simple and easy UI for using these tools without typing commands in a console or copying and pasting MAC addresses.

Features of Hijacker Reaver For Android Wifi Hacker App

Information Gathering

  • View a list of access points and stations (clients) around you (even hidden ones)
  • View the activity of a specific network (by measuring beacons and data packets) and its clients
  • Statistics about access points and stations
  • See the manufacturer of a device (AP or station) from the OUI database
  • See the signal power of devices and filter the ones that are closer to you
  • Save captured packets in .cap file

Reaver for Android Wifi Cracker Attacks

  • Deauthenticate all the clients of a network (either targeting each one or without specific target)
  • Deauthenticate a specific client from the network it’s connected to
  • MDK3 Beacon Flooding with custom options and SSID list
  • MDK3 Authentication DoS for a specific network or to every nearby AP
  • Capture a WPA handshake or gather IVs to crack a WEP network
  • Reaver WPS cracking (pixie-dust attack using NetHunter chroot and external adapter)

Other Wifi Hacker App Features

  • Leave the app running in the background, optionally with a notification
  • Copy commands or MAC addresses to clipboard
  • Includes the required tools, no need for manual installation
  • Includes the nexmon driver and management utility for BCM4339 devices
  • Set commands to enable and disable monitor mode automatically
  • Crack .cap files with a custom wordlist
  • Create custom actions and run them on an access point or a client easily
  • Sort and filter Access Points and Stations with many parameters
  • Export all gathered information to a file
  • Add a persistent alias to a device (by MAC) for easier identification

Requirements to Crack Wifi Password with Android

This application requires an ARM Android device with an internal wireless adapter that supports Monitor Mode.

Read the rest of Hijacker – Reaver For Android Wifi Hacker App now! Only available at Darknet.

Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser

A critical vulnerability has been discovered in the browser app that comes pre-installed on hundreds of millions of Samsung Android devices and could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site. Identified as CVE-2017-17692, the vulnerability is a Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version

Lo lo lo Loapi Trojan could break your Android

Kaspersky has found what they deem a jack-of-all-trades malicious app, which they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things: it’s a downloader, a dropper, and an SMS Trojan, and it can push ads, all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the battery bulge, and essentially leave your Android for dead.

It seems creating Swiss army knife malware, lumping several uniquely malicious features into one catch-all malicious app, is becoming a trend. At least this time, the Loapi Trojan didn’t make it onto Google Play.

Loapi capabilities

For the purpose of hiding itself, Loapi poses (mostly) as a fake antivirus or, on the other end of the spectrum, adult content apps. It then asks for device administrator permissions to lock the screen of the mobile device, among other things. Furthermore, it takes the damage to another level by attempting to trick the user into thinking genuine anti-malware scanners are the real threat, and prompts to uninstall them if found. If that weren’t enough, it comes with a host of other features, including:

With everything going on in the background, Loapi puts an extreme load on the mobile device. This can lead to the Android literally blowing up from heat produced by the maxed-out processor and battery.

To state the obvious: This Loapi Trojan is quite nasty.

Darn it, tell me if you detect it or not already!

So, do we detect this monster? You bet we do! Our Malwarebytes for Android detection name is Android/Trojan.Dropper.Agent.BGT. You’ll be delighted to know that we’ve been on top of this bad boy since October.

In Malwarebytes for Android, detection of this infection is primarily done by our advanced deep scanner, which uses heuristic methodology to find malware, such as this Trojan, deeply embedded in the device. Deep scan is a feature in our Premium version. Therefore, if you want to stay protected in real time against Loapi, we recommend you upgrade to Premium after your free 30-day trial of Malwarebytes for Android. Stay safe out there!

The post Lo lo lo Loapi Trojan could break your Android appeared first on Malwarebytes Labs.

Mobile Menace Monday: upping the ante on Adups

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went on our collective ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which, unfortunately, FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices, and thus has system-level privileges by default. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these system apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.

Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device, a risky practice that could permanently destroy a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution: it hasn’t been fully tested, and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

The post Mobile Menace Monday: upping the ante on Adups appeared first on Malwarebytes Labs.

Kids, Travel and Wi-Fi

If your brood of kids is anything like mine, holiday travel is all about devices and Wi-Fi. Sure, we’ll focus on sights and activities when we get to our destination, but the journey is made all the sweeter with a huge dose of technology!

And as all my boys have pretty basic mobile phone plans (I’m paying!), a technology binge means Wi-Fi! Whether it’s connecting at the airport, on the plane – yes this is a thing now, in trains or in hotels – finding Wi-Fi is possibly more important to my boys than finding the next snack bar.

But unfortunately, Wi-Fi is not the great nirvana. There can be some serious risks associated with connecting to random Wi-Fi outlets, as I continuously tell my offspring. The recent KRACK Wi-Fi saga, which potentially affected iOS and Android users worldwide, gave us all a big scare and reminded us yet again that modern Wi-Fi is not risk free. Discovered by a Belgian researcher, the KRACK vulnerability meant a hacker could access your device even through a password-protected Wi-Fi network. It was such a big deal that even the US Department of Homeland Security issued a warning!

‘It Won’t Happen To Me’

Regardless of the warnings, there are still many amongst us that are not convinced Wi-Fi poses genuine risks, particularly when we travel. Many of my friends and family members still believe horror stories only happen to ‘other people’.

And research conducted by McAfee confirms this very opinion, with the majority of Aussies surveyed not worried about the risks associated with Wi-Fi. In fact, 62% of people on holiday either don’t care or don’t bother ensuring they have a secure Wi-Fi connection. And 41% believe our personal information is as secure when we connect to public Wi-Fi on holiday as when we are at home or at work. Eeek!!!

Why Do We Need To Worry?

In short, accessing dodgy Wi-Fi means you are more likely to get hacked, which can cause you a world of pain! If you have connected to a Wi-Fi hotspot that has either been set up by a hacker or been broken into by one, anything you send or share online you are also sharing with the hacker: banking details, online shopping logins, social media passwords… the list goes on. And once the hacker has that information, he/she can access your accounts as if they were you.

In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware, aka malicious software. Some hackers have been known to hack the Wi-Fi connection point itself to try to trick Wi-Fi users into downloading malicious software. Attractive, believable pop-ups appear on users’ screens offering a free upgrade to commonly used software. However, clicking the link in the pop-up ad downloads the malicious software!

What Should We Do To Stay Safe?

Well, let me tell you I’m not staying home… holidays keep me going! So, what we need to do is spend just a little time implementing a few strategies so we can securely manage our kids and their online lives when we travel. Not only will this minimise the risk but just as importantly, the stress!

Here is how I’ll be managing my boys and their Wi-Fi connections when we set off on our annual family vacation this year:

1. Ban Free Wi-Fi

If your kids just have to connect to Wi-Fi, ensure it is a password-protected option, NOT random free Wi-Fi. While this does not provide any guarantee of security, it is another layer of protection. However, no banking, financial or shopping transactions are to be undertaken on this Wi-Fi – no exceptions!

2. Invest in a VPN

A Virtual Private Network (VPN) is one of the best services you can sign up to. In simple terms, it creates a secure encrypted connection which means that anything you send or receive is safe. McAfee’s VPN, SafeConnect, provides bank-grade Wi-Fi encryption which means your personal data and online activities are kept private even when you are connected to public Wi-Fi.

3. Update ALL Your Devices Before You Leave Home

I know it is a pain but if the software and apps on your devices are not up to date, you’re essentially leaving a ‘back door’ open for a hacker. App creators and hardware vendors will release patches or updates when they become aware of a security vulnerability – so it is essential you have the latest and greatest installed before you walk out of your door!

4. Turn Off Bluetooth When Not Using It

This needs to become a family rule – just like turning off the lights before you leave the house! When your Bluetooth is active, hackers can see which networks you have connected to previously. It then takes very little effort for them to copy these networks and fool your device into connecting with their Bluetooth devices. Within minutes, the hacker can steal your data, download malware and create a world of pain!

5. Download Security Software for All Your Devices including Smartphones!

Ensuring your devices are protected with comprehensive security software is the same as locking the backdoor and turning on the house alarm – common sense. McAfee’s Total Protection software provides protection for your entire fleet of devices and includes anti-virus and anti-malware software, a firewall, anti-spam functions, parental controls and a password management tool.

So, don’t cancel your holiday. Managing Wi-Fi safely when you travel with kids is absolutely possible with just a little planning. And if Nana and Pop are joining you on vacation, please ensure they are up to speed with the family Wi-Fi rules too! With 85% of older Australians accessing the internet every day, they will very likely have their eye on the Wi-Fi too!

Happy Christmas and Safe Travels!

Alex xx

The post Kids, Travel and Wi-Fi appeared first on McAfee Blogs.

Lazarus Cybercrime Group Moves to Mobile Platform

When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is to begin an attack with a simple email, which for some time has been one of the most effective malware delivery mechanisms.

The McAfee Mobile Research team has identified a new threat—Android malware that poses as a legitimate app available from Google Play and targets South Korean users—that suggests a deviation from the traditional playbook. An analysis of campaign code, infrastructure, and tactics and procedures suggests the Lazarus group is responsible, as they evolve their attack tactics to now operate within the mobile platform. And although the debate regarding attribution of attacks will always rage, documenting evolving tactics by threat actor groups allows organizations and consumers to adapt their defenses accordingly.

Based on what we know, the app first appeared in the wild in March 2017. The distribution is very low and is aimed at a Korean Audience (based on telemetry hits).

Although we cannot be certain, persons associated with GodPeople, an organization based in Seoul with a history of supporting religious groups in North Korea and the developers of the original application, could be the intended targets. GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea.

Evolving Attack Tactics

Leveraging email as the entry vector allows attackers to be very specific about whom they wish to target, an approach often described as spear phishing. Developing a malicious application does not provide the same level of granularity. However, in this instance the attackers developed malware that poses as a legitimate APK, advertising itself as a means of reading the Bible in Korean. Leveraging the mobile platform as the attack vector is potentially significant—particularly as South Korea has a significant mobile population that is “in a race to be first with 5G,” according to a Forbes article. Typically when a mobile platform is mentioned, we think about our mobile phones. However, in this case, we know South Korea has an increasing use of tablets, replacing traditional laptops. How well secured are tablets and how are they monitored?

Evolving attacks onto the mobile platform are likely to continue, and this appears to be the first example of the Lazarus group using mobile. Such a change, therefore, is significant, demonstrating that criminals are keeping up with platform popularity. Indeed, according to the International Telecommunication Union, the global number of mobile subscriptions worldwide now exceeds the global population, which suggests that such a tactic is only likely to increase as our dependency on mobile platforms grows.

Source: International Telecommunication Union.

Keeping Safe

Understanding the evolving tactics by nefarious actors is imperative. It is critical that we adopt simple security measures to counter these new tactics. This malware is detected as “Android/Backdoor” by McAfee Mobile Security. Always keep your mobile security application updated to the latest version. And never install applications from unverified sources.

The post Lazarus Cybercrime Group Moves to Mobile Platform appeared first on McAfee Blogs.

Android Malware Appears Linked to Lazarus Cybercrime Group

The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)

The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.

Figure 1: Description of the legitimate app on Google Play.

Figure 2: An overview of the malware’s operation.

Comparing Certificates

The repackaged APK has been signed by a different certificate from the legitimate APK. We can see the differences in the following two screen captures:

Figure 3: The certificate of the malicious, repackaged APK.

Figure 4: The certificate of the legitimate APK.

Once the malicious APK installs its code, it attempts to execute the backdoor ELF from “assets/while.” If the ELF successfully executes, it turns the device into a bot.

Figure 5. The main function for executing the backdoor ELF.

Analyzing the Backdoor

Once the backdoor ELF starts, it turns into a zombie process to protect itself. It remains as a zombie even if the parent process terminates, as long as the “dex” execute() method has been implemented successfully.

Figure 6. The malware turns itself into a zombie process.

The malware contains a list of IP addresses of control servers. The list is encoded and written to the file /data/system/dnscd.db.

The preceding table lists information for each of the IP addresses. None of these is available now.

Figure 7. The flow of writing the encoded control server IPs to a file.

The IP address array is encoded by a simple routine when it is loaded into memory from the read-only data section; that encoded data is written to the file /data/system/dnscd.db. The decoded file is then loaded into memory to select an IP address to connect to.

One of the control servers is selected randomly immediately before the backdoor process attempts to connect to its address. The attempt is repeated until a connection with one of the control servers succeeds.

Figure 8. The malware creates a socket and connects to a randomly selected control server.

Once connected with a control server, the malware begins to fill the buffer using a callback beacon. Figure 9 shows a part of the message-generating code. Several fields of the packet are hardcoded, particularly the bytes at offsets 0, 4, and 5. After we realized that the message only pretended to use the SSL handshake protocol, we understood the meaning of the hardcoded bytes. The byte at offset 0 is the handshake type; offsets 4 and 5 are the SSL version of the handshake layer, a part of transport layer security.

Figure 9. A part of the function for generating a callback beacon.

Figure 10. Transferring data to be used as the callback beacon to the control server.

After the message is generated, the malware sends the following packet (Figure 11) to the control server as a callback beacon. The packet carries a randomly selected well-known domain in the Server Name Indication (SNI) field, which is placed as a field of the extension data. We suspect this is an evasion technique to avoid detection by security solutions looking for suspicious behaviors.

Figure 11. A captured packet from the callback beacon.

Figure 12. The list of legitimate (well-known) domains in the binary.

After sending the callback beacon, the malware assigns global variables that contain device information which is transferred to the control server once it receives the command code 0x5249. Figure 13 shows the jump table for implementing commands and its pseudo code.

Figure 13. The jump table for implementing commands from the control server and the structure for receiving data.

The functions are described in the following table. Command code and arguments arrive as structured data from the control server, as shown in Figure 13. The command code and arguments are assigned, respectively, to the CMD and DATA member variables of the received data structure.

After performing commands received from the control server, the malware returns the results to the control server using the codes in Figures 14 and 15. Before transferring the results, the return code and data are stored in a structure described in the following pseudo code.

Figures 14 and 15. The codes and data structure returned to the control server.

Similarities to Lazarus Malware

In Figure 16, the function on the left is from the backdoor ELF we have analyzed. On the right, we see procedures found in several executables used by the Lazarus Group in various attacks.

Figure 16. Similar functions to the executable used in the Sony Pictures attack.

Both functions look very similar. And the hexadecimal seeds for generating a key for encryption and decryption are the same. Both functions are also used to generate a message encryption and decryption key between the victim and control server. Figure 17 shows the functions of both the backdoor ELF and an executable recently used by the Lazarus Group. The function connects to the control server, and generates a disguised SSL ClientHello packet. Then the generated packet is sent to the control server as a callback beacon.

Figure 17. The functions to establish a connection to the control server (ELF on the left).

The function in Figure 18 generates a disguised ClientHello packet to use as a callback beacon.

Figure 18. Generating the disguised ClientHello packet (ELF on the left).

Both backdoors use the same protocol, as we confirmed when analyzing the function for receiving a message from the control server. Figure 19 shows the protocol for transferring a message between the backdoor and the control server.

Figure 19. The receive message function included in the checking protocol (ELF on the left).

To transfer a message from the source, the malware first sends a five-byte message to the destination. The message contains the size of the next packet, a hardcoded value, and the type of message. The hardcoded value is 0x0301 and the type of message can be between 0x14 and 0x17. The message type can also be used to validate the received packet. The following is pseudo code from the receive function:

Figure 20. The five-byte packet sent before the source sends its primary message.

Figure 21. Pseudo code from the receive message function.

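The beacon framing described above, as an added Python example (this is not McAfee’s code and not the malware’s): a five-byte header carrying a type in the 0x14–0x17 range, the hardcoded version 0x0301 and the length of what follows, then a handshake message whose byte 0 is the handshake type and bytes 4–5 the version. The code builds a constructed ClientHello only to have sample input, validates the header the way the receive function is described, extracts the host name from the server_name extension, and flags the beacon when that name does not belong to the destination address, which is the decoy-domain behaviour the post describes as an evasion technique. The destination IPs and the expected-host map are constructed assumptions.

```python
# Added example (not McAfee's or the malware's code): validate the disguised-TLS
# beacon framing described in the post and pull the SNI out of it.
import struct

RECORD_VERSION = 0x0301                 # hardcoded in the 5-byte header (from the post)
VALID_RECORD_TYPES = range(0x14, 0x18)  # message type is 0x14..0x17 (from the post)
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(sni, client_version=0x0303):
    """Build a minimal ClientHello handshake message with one SNI entry.
    Only used to construct sample input for the parser below."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack(">H", len(ext)) + ext
    cipher_suites = b"\x00\x2f\x00\x35"                            # two arbitrary suites
    body = (struct.pack(">H", client_version) + bytes(32)          # version + random
            + b"\x00"                                              # empty session id
            + struct.pack(">H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                          # one compression method: null
            + extensions)
    # byte 0 = handshake type, bytes 1-3 = length, bytes 4-5 = version (offsets named in the post)
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def build_beacon(sni, record_type=0x16):
    """Prepend the five-byte header: type, hardcoded 0x0301, length of the next message."""
    handshake = build_client_hello(sni)
    return bytes([record_type]) + struct.pack(">HH", RECORD_VERSION, len(handshake)) + handshake


def parse_record_header(data):
    """The checks the receive function is described as performing on the five-byte header."""
    if len(data) < 5:
        raise ValueError("short header")
    rtype = data[0]
    version, length = struct.unpack(">HH", data[1:5])
    if rtype not in VALID_RECORD_TYPES:
        raise ValueError("unexpected message type 0x%02x" % rtype)
    if version != RECORD_VERSION:
        raise ValueError("unexpected version 0x%04x" % version)
    if len(data) - 5 != length:
        raise ValueError("declared length does not match payload")
    return rtype, data[5:]


def is_valid_header(data):
    try:
        parse_record_header(data)
        return True
    except ValueError:
        return False


def extract_sni(handshake):
    """Walk a ClientHello up to its extensions and return the server_name, or None."""
    if not handshake or handshake[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    if pos + 2 > len(body):
        return None                                         # no extensions at all
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack(">H", body[pos + 3:pos + 5])[0]   # skip list len + name type
            return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def triage_beacon(data, dest_ip, expected_hosts):
    """Defender-side verdict: a ClientHello naming a host that does not belong to
    the destination address is the decoy-SNI pattern described in the post."""
    rtype, handshake = parse_record_header(data)
    sni = extract_sni(handshake)
    expected = expected_hosts.get(dest_ip, set())
    return {"record_type": rtype, "sni": sni,
            "suspicious": sni is not None and sni not in expected}


if __name__ == "__main__":
    # Constructed sample: a beacon for a well-known-looking name sent to an address
    # that is not known to serve it (both values are made up for this example).
    sample = build_beacon("www.example.com")
    print(triage_beacon(sample, "203.0.113.10", {"203.0.113.10": {"cdn.example.net"}}))
```

On real captures, feed the bytes from the start of the TCP payload together with a map of which host names legitimately resolve to each server; a ClientHello for a well-known domain aimed at an address that has nothing to do with that domain is the signal worth alerting on, and the header checks alone will not separate this traffic from genuine TLS.
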
Conclusion

The security industry keeps an eye on the Lazarus Group, and McAfee Mobile Security researchers actively monitor for mobile threats by Lazarus and other actors. We compared our findings with the threat intelligence research of our Advanced Threat Research team, which studies several groups and their techniques. Due to the reuse of recent campaign infrastructure, code similarities, and functions such as the fake transport layer security, these tactics match many we have observed from the Lazarus Group.

We do not know if this is Lazarus’ first activity on a mobile platform. But based on the code similarities we can say with high confidence that the Lazarus Group is now operating in the mobile world.

McAfee Mobile Security detects this malware as “Android/Backdoor.” Always keep your mobile security application updated to the latest version. And never install applications from unverified sources. This habit will reduce the risk of infection by malware.

Indicators of Compromise:

Hashes

12cc14bbc421275c3c6145bfa186dff

24f61120946ddac5e1d15cd64c48b7e6

8b98bdf2c6a299e1fed217889af54845

9ce9a0b3876aacbf0e8023c97fd0a21d

Domains

mail[.]wavenet.com.ar

vmware-probe[.]zol.co.zw

wtps[.]org

IP addresses

110[.]45.145.103

114[.]215.130.173

119[.]29.11.203

124[.]248.228.30

139[.]196.55.146

14[.]139.200.107

175[.]100.189.174

181[.]119.19.100

197[.]211.212.31

199[.]180.148.134

217[.]117.4.110

61[.]106.2.96

The post Android Malware Appears Linked to Lazarus Cybercrime Group appeared first on McAfee Blogs.

Grabos Malware Discovered On 144 Trojanized Android Apps

Cybercriminals have been practically relentless in their attacks against the Android OS, and McAfee’s own Mobile Research team has discovered yet another attempt at infecting Android devices. Named Grabos, the malware was first discovered by the team in the Android application “Aristotle Music audio player 2017,” which claimed to be a free audio player on Google Play. However, we’ve since found the threat present in 144 trojanized applications on Google Play.

What is it and how does it work?

Let’s start with Aristotle. The music app puts on a good face – it has a good rating on Google Play, and has even been installed between one and five million times. However, one user comment mentioned that the application was indeed detected as malware. Once our Mobile Research team identified Grabos on the application, they flagged it to Google, who removed it from Google Play.

But then the team discovered a lot more Grabos on Google Play. In fact, they found another 143 applications that were infected with the Android malware. Out of these 143 applications, they were able to examine 34 and found that they had an average rating of 4.4, and between 4.2 million and 17.4 million users had downloaded these apps. Only 6 have been removed entirely since being flagged to Google.

So, how exactly was Grabos able to maneuver its way onto so many applications? The malware was likely able to move past Google Play security measures because its code is protected with a commercial obfuscator, which essentially makes it difficult to analyze the app without launching it first.

Grabos has also developed a few unique capabilities, one being the ability to distinguish and inject code accordingly into “fake” vs “real” apps, which our other blog outlines. Additionally, it can communicate with a command and control server about the devices it infects with these trojanized apps. This device information includes: Android version, build model, device location, device configuration, specific apps installed, the list goes on.

Mind you, after collecting information on already installed apps, the C&C server creates fake custom notifications to trick users into installing additional applications. This may in fact reveal the malware’s true intentions — to make money by promoting the installation of apps.

How do I protect myself?

Now, the next step is to start thinking about protection. To ensure you keep your Android devices secure, be sure to follow these tips:

  • Do your homework. Before you download an app, make sure you head to the reviews section of an app store first. Grabos could’ve been avoided if a user read one of the comments, so be sure to thoroughly sift through the reviews, and read through the comments section. It helps to research the developer too. When in doubt, don’t download any app that is remotely questionable.
  • Limit the amount of apps. Only install apps you think you need and will use regularly. If you still see a promotion for an app you did not seek out, avoid clicking on it entirely. And if you no longer use an app, uninstall it to keep it from accessing your information unnecessarily. This will help you save memory, and reduce your exposure to threats such as Grabos.
  • Use a mobile security solution. As malware campaigns continue to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Grabos Malware Discovered On 144 Trojanized Android Apps appeared first on McAfee Blogs.

New Android Malware Found in 144 GooglePlay Apps

McAfee’s Mobile Research team has found a new Android malware in 144 “Trojanized” applications on Google Play. We named this threat Grabos because we found this string in several elements of the code, including variable and method names. Grabos was initially found in the Android application “Aristotle Music audio player 2017,” which claimed to be a free audio player on Google Play:

Figure 1. Trojanized music app in Google Play.

At the time Aristotle Music was discovered, the application had a very good rating. According to Google Play, the application was installed between one and five million times and had a recent comment from a user saying that the application was detected as malware:

Figure 2. User reporting the application Aristotle Music being detected as malware.

Grabos on Google Play

McAfee Mobile Research notified Google about Grabos in September and confirmed that Google promptly removed the reported application. After further research, we found another 143 applications (see complete list at the end of this post); all have been removed from Google Play. Six were removed after we reported the first to Google:

Figure 3. Additional Grabos Trojanized apps formerly on Google Play.

At the time of writing this post, 34 applications still had their webpages available in cache, so we were able to obtain additional information such as the approximate number of installs, last updated date, and rating. Most of these apps were last updated in August and October. They had an average rating of 4.4, and between 4.2 million and 17.4 million users downloaded these apps from Google Play:

Figure 4. Malicious apps details from Google Play.

Grabos likely evaded Google Play security measures because the injected code is protected with a commercial obfuscator, making it very difficult to statically analyze without executing the application. Even dynamic analysis to stop its execution is difficult without knowing what the app is checking. However, once we unpacked the code, we proceeded with our analysis.

“Fake” vs. “real” apps

We found Grabos injected in file explorer and music player applications, some of them open source. Every time that the app is opened, it checks if any of the following settings is not true to decide whether to launch the “fake” (legitimate functionality) or “real” (injected packed code) app:

  • isOnline: Checks if the device has Internet connectivity
  • getIsBlacklisted: Checks if the Android debug bridge (adb) and development settings are enabled or if the device is in an emulator. If the latter is the case, the device is blacklisted and the “fake” app is launched.
  • getIsForcedBlacklisted: Flag set by the control server.

The code also has a test mode that allows the execution of the “real” app in case it is running in an emulator or has adb and development settings enabled. These checks detect if the app is currently being dynamically analyzed and prevent the execution of the hidden code if necessary.

In case the app is not being analyzed or is in test mode, the “real” app launches. This hidden music downloader searches for a specific song on YouTube. Once the song is selected, it can be downloaded in MP3 or MP4 format to be played offline.

Figure 5. “Fake” vs “real” app flow. “BL” stands for “blacklisted.”

At this point, the application seems to be just a music downloader hidden in a Trojanized app that checks for dynamic analysis to avoid being removed from Google Play due to its downloading of copyrighted music. In the background, however, more is happening.

Communicating with the Control Server

In addition to the “fake” and “real” app functionality, Grabos is also present in the AndroidManifest as a receiver that executes every time there is a connectivity change or when the app is installed:

Figure 6. Grabos receiver in the AndroidManifest.
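A static triage check for the receiver pattern shown in Figure 6, as an added Python example that is not McAfee’s code and not Grabos: it lists every receiver declared in a decoded AndroidManifest.xml together with the broadcast actions it listens for, and flags those wired to the triggers described here. CONNECTIVITY_CHANGE is named in the post; INSTALL_REFERRER is an assumption for “when the app is installed” (the collected install_referrer field points that way). The manifest below and its package and class names are constructed for the example.

```python
# Added example (not McAfee's or Grabos code): find receivers in a decoded
# AndroidManifest.xml that fire on connectivity changes or app installation.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# CONNECTIVITY_CHANGE comes from the post; INSTALL_REFERRER is an assumption
# for the "when the app is installed" trigger.
TRIGGER_ACTIONS = {
    "android.net.conn.CONNECTIVITY_CHANGE",
    "com.android.vending.INSTALL_REFERRER",
}

# Constructed manifest: a music player with one benign widget receiver and one
# receiver, in a package namespace of its own, wired to the trigger actions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.musicplayer">
  <application android:label="Music Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.hidden.ConnectivityReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WidgetReceiver">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def receivers_with_actions(manifest_xml):
    """Return one record per <receiver>: fully qualified class name, sorted
    actions, and whether the class lives inside the app's own package."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    records = []
    for rcv in root.iter("receiver"):
        name = rcv.get(NAME, "")
        if name.startswith("."):                 # relative class name
            name = package + name
        actions = sorted(a.get(NAME, "") for a in rcv.iter("action"))
        records.append({
            "receiver": name,
            "actions": actions,
            "in_app_package": name.startswith(package + "."),
        })
    return records


def flag_suspicious_receivers(manifest_xml):
    """Receivers that listen for a trigger action. A receiver class outside the
    app's own package is noted as well: in a repackaged app the injected code
    commonly keeps its own namespace, so it is a useful second signal."""
    flagged = []
    for rec in receivers_with_actions(manifest_xml):
        hits = sorted(set(rec["actions"]) & TRIGGER_ACTIONS)
        if hits:
            flagged.append({
                "receiver": rec["receiver"],
                "trigger_actions": hits,
                "outside_app_package": not rec["in_app_package"],
            })
    return flagged


if __name__ == "__main__":
    for item in flag_suspicious_receivers(SAMPLE_MANIFEST):
        print(item)
```

The manifest inside an APK is binary XML; decode it first (apktool or a similar tool) and pass the text form to these functions. A connectivity-change receiver is not malicious by itself, so treat a hit as a reason to look at what the receiver class does, which in Grabos is the data collection and control-server exchange described next.
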

If the receiver is executed due to a connectivity change, the execution ends if the device is offline or if fewer than five seconds have passed since the last connection. If more than five seconds have already passed, the method “updateRemoteSettingsSynchronousTask” executes. This method collects and encrypts (Base64 plus Advanced Encryption Standard) the following data from the infected device:

  • Device information:
    • android_version
    • build_model
    • install_referrer
    • network_country
    • sim_country
    • carrier_name
    • language_code
    • country_code
    • time_timezone
  • Device location: Grabos uses free IP geolocation API services to obtain IP address information such as city, country code, ISP, organization, region, and ZIP code.
  • Device configuration:
    • is_emulator
    • is_rooted
    • is_adb_enabled
    • is_dev_settings_enabled
    • allow_mock_location
    • allow_non_market (unknown sources enabled/disabled)
    • is_vpn_connected
    • dp checks (additional root, debug, and emulator checks provided by the commercial obfuscator)
  • Installed Grabos app information: version_code, package_name, and install_time
  • Specific apps installed: Grabos reports if any app in a predefined list is currently installed on the infected device (more on this later).

All the information is encrypted and submitted to a control server. The remote server responds with encrypted data that contains parameters required to download music (URLs, API keys, user agents, client_id, etc.), to show advertisements (nativead_id, interstitial_id, banner_id, etc.) and to display customized notifications such as asking the user to rate the app in Google Play:

Figure 7. “Rate this app” parameters provided by the control server.

The rating pop-up appears the first time the app is opened. If the button “Rate 5 Stars” is clicked, the app opens in Google Play so the user can rate the app there.

Figure 8. Rating pop-up.

In a similar way, the remote server also provides parameters for asking the user to share the app with friends, promising faster download speeds:

Figure 9. “Share the app” parameters provided by the control server.

The control server also sends the parameter “is_forced_blacklisted,” which manually blacklists the device if the value is “true”—to prevent the execution of the hidden app.

Mysterious functionality

In addition to reporting an infected device’s location and configuration, Grabos checks if specific social and Google apps are installed using the method isPackageInstalled and the app package name. Depending on whether an app is currently installed, the corresponding value is set to true or false and that information is encrypted and reported to the control server:

Figure 10. Social and Google apps reported to the control server.

We reported this finding to Google, who are investigating. At this point we do not know the purpose of this app reporting. However, we believe this information could be very useful to malware authors because Grabos has implemented several mechanisms to trick users into installing applications provided by the remote server. Let’s look into those functions.

Custom Push Notifications and Additional Apps

After the initial settings are obtained from the remote server, the AsyncTask ShowNotificationIfNeeded is executed to check if the parameters n_title, n_description, and n_package were provided by the control server. If that is the case, Grabos checks if the app is available on Google Play (if “pack” is a name and not a URL) or on a remote server (if “pack” starts with HTTP).

If the application is not installed and is available, Grabos gathers additional parameters (for example, icon and bigicon) from the remote server response to create a custom notification and trick the user into installing the app:

Figure 11. Parameters provided by the control server to create a custom notification.

Grabos also checks if the remote server provided the following parameters:

  • interstitial_letang_options: provides values to delay and repeat the display of an activity (initial_delay and min_interval)
  • interstitial_letang: includes the following remote commands:
    • admob: executes method “showAdmobInterstitial”
    • nothing
    • grabos_direct

If the command is grabos_direct, Grabos gets the title, package, and max_times_shown values in the parameter grabos_direct_interstitial to open the app in Google Play or trigger a download:

Figure 12. Downloading an APK from a URL or opening the app on Google Play.

Both the notification and the interstitial_letang methods, to trick the user into downloading or installing apps, are executed in the background every time there is a connectivity change. However, Grabos also implements another app delivery method when the music downloader executes. This method, ShowGrabosIfNeeded, is very similar to interstitial_letang in that it checks if the required parameters are present and the app is available as well as checking if the app should be opened without the user’s consent:

Figure 13. Grabos checking whether the installed app should be opened.

As soon as Grabos confirms that the device is online, the app is available either on Google Play or a remote server, and the package is not installed, the malware gets the following parameters from the remote server response to create an AlertDialog and trick the user into downloading another app:

Figure 14. Grabos parameters to create an AlertDialog.

Flying Under the Radar: Evading Analysis

In addition to the multiple efforts to detect if the app is being dynamically analyzed (emulator, adb, development settings) and the encryption of the injected code, Grabos updates its remote settings every 24 hours (unless it is in test mode). This restriction can be easily bypassed by changing the date and time of the device used to analyze the app. However, recent versions of Grabos include checks to detect if the automatic date and time and time zone are enabled:

Figure 15. Grabos checks if automatic date and time and time zone are enabled.

The status of this setting is reported to the control server in the fields time_is_auto and time_timezone_is_auto. Although this check is not used in the Grabos code, the information could be used to determine if the app is being dynamically analyzed and decide if an additional payload should be delivered.

The URLs used as control servers indicate that Grabos tries to masquerade its network traffic as legitimate. At first sight the URLs appear to belong to familiar adware companies; the names are identical. However, instead of finishing with .com, Grabos uses domains such as .link and .click, which are not registered by the company.
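A hunting check for the masquerade just described, as an added Python example that is not McAfee’s code: it walks proxy or DNS log lines and flags any host whose registrable label matches a known ad-network brand but sits under a top-level domain that brand does not use. The post does not name the companies, so the brand list, the TLDs they are allowed to use, the client addresses and the log lines are all constructed for the example.

```python
# Added example (not McAfee's code): flag ad-network lookalike domains on
# unexpected TLDs, the .link/.click pattern described for the Grabos control servers.
import re
from collections import Counter

# Constructed allow-list: brand label -> TLDs the brand is known to register.
KNOWN_AD_BRANDS = {
    "adnetworkone": {"com"},
    "examplemobiads": {"com", "net"},
}

# Constructed log lines: timestamp, client address, requested host name.
SAMPLE_LOG = """\
2017-10-02T08:00:01Z 10.0.0.12 api.adnetworkone.com
2017-10-02T08:00:03Z 10.0.0.12 adnetworkone.link
2017-10-02T08:00:05Z 10.0.0.15 cdn.examplemobiads.net
2017-10-02T08:00:09Z 10.0.0.12 settings.examplemobiads.click
2017-10-02T08:00:11Z 10.0.0.20 www.unrelated-site.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_parts(hostname):
    """Split a host into (label, tld) from its last two labels. Enough for the
    .com/.link/.click case; multi-part suffixes such as co.uk would need a
    public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def classify_host(hostname):
    """'brand_ok' for a known brand on an allowed TLD, 'brand_lookalike_tld'
    for the same label on any other TLD, 'unknown' otherwise."""
    parts = registrable_parts(hostname)
    if parts is None:
        return "unknown"
    label, tld = parts
    allowed = KNOWN_AD_BRANDS.get(label)
    if allowed is None:
        return "unknown"
    return "brand_ok" if tld in allowed else "brand_lookalike_tld"


def find_lookalikes(log_text):
    """Return (timestamp, client, host) hits and a per-client count so the
    noisiest device can be triaged first."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # skip malformed lines rather than fail
        ts, client, host = match.groups()
        if classify_host(host) == "brand_lookalike_tld":
            hits.append((ts, client, host))
    per_client = Counter(client for _, client, _ in hits)
    return hits, per_client


if __name__ == "__main__":
    found, counts = find_lookalikes(SAMPLE_LOG)
    for hit in found:
        print("lookalike:", *hit)
    print("per client:", dict(counts))
```

The allow-list is the part that needs care: it should come from the brands your environment actually talks to, and a hit means the label matched but the suffix did not, which is exactly what a registrar lookup of the .link or .click name would then confirm.
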

Finally, Grabos defines an additional mechanism, currently not implemented, to blacklist or whitelist a specific device. For example, the device could be blacklisted or whitelisted in a future version depending on the country code or configured language of the infected device:

Figure 16. Blacklist and whitelist functions based on language and country code.

Grabos also defines (but does not implement) methods to blacklist a device based on IP address:

Figure 17. Blacklist functions based on IP address information.

Conclusion

During our analysis of this threat, the control servers always provided empty parameters for the custom notifications to trick users into installing applications. Taking into account the functionality to display ads and the high number of downloads, we believe the main purpose of Grabos is to make money by promoting the installation of apps.

Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app. However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to download and install additional apps and open them without their consent.

Considering that Grabos also reports the presence of specific social and Google apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code. Although during our analysis the remote servers did not deliver the required parameters to trigger custom notifications, the devices remain exposed to the download of additional Android apps.

McAfee Mobile Security detects this threat as Android/Grabos. To protect yourself from threats like this on Google Play, employ security software on your mobile devices, check user reviews, and avoid installing suspicious apps with screenshots or functionality that do not correspond to the name of the app.

We would like to thank Sebastian Porst and Jason Woloz from Google’s Android Security for their helpful contributions on this research.

List of Grabos Package Names


The post New Android Malware Found in 144 GooglePlay Apps appeared first on McAfee Blogs.

Researchers find hundreds of easily-breached messaging apps

The security of our personal data is top of mind right now, so the news that nearly 700 apps for iOS and Android were easily exploited to show private messages and calls is troubling, to say the least. Security company Appthority discovered the exploit, dubbed "Eavesdropper," and published its findings this morning. According to the company's research, up to 180 million Android devices could be affected, as well as an unknown number of iOS devices.

Via: Reuters

Source: Appthority

Marcher Malware Uses Both Credential and Credit Card Phishing to Steal Financial Data

Actors turned models turned singers — pretty much the definition of a “triple threat” in the entertainment industry. However, the definition changes a bit for the cybersecurity space, as Android users are faced with a different type of “triple threat.” In fact, it’s a new attack campaign involving three malicious tactics: credential phishing, credit card data theft, and the Marcher banking trojan.

What is it and how does it work?

The newest form of Marcher pairs credential and credit card phishing with banking trojans into one multi-step scheme. The attack starts with a phishing email containing a bit.ly link to a fake version of the Bank Austria login page, which was registered to a variety of domains containing “bankaustria” in the title in order to give the appearance of legitimacy. Upon opening the page, users will be asked to supply their customer details, email, and phone number, which gives the attackers what they need for the next stage of the attack.

Leveraging the customer data that was provided by the unknowing user, the attack intimidates the victim into downloading the “new Bank Austria” app, which is in fact a fake app. The user is then directed to a link for the app download. Once installed, the app asks for permission to access a plethora of personal data and device settings, and places a legitimate-looking icon on the phone’s home screen. Mind you, the app and everything involved in the campaign uses stolen branding from Bank Austria, so it’s easy to believe that this scam is the real thing.

Finally, Marcher moves onto data collection. But it’s important to remember — this version of Marcher isn’t just a banking trojan, it also enables the direct theft of credit card details. Plus, beyond stealing credit card info and banking details, the threat also goes after date of birth, address, and password data.

How do I protect myself?

So far, it’s been reported that this campaign has tricked almost 20,000 people into divulging their personal information. Plus, new campaigns targeting Raiffeisen and Sparkasse banks are already underway. Therefore, the next step is to start thinking about protection. To ensure your personal and financial information stays secure, follow these tips:

  • Be careful what you click on. This malware, like many others before it, was distributed via phishing emails. Be sure to only click on emails that you are sure came from a trusted source. If you don’t know the sender, or the email’s content doesn’t seem familiar, remain wary and avoid interacting with the message.
  • Always use legitimate app stores. This malware campaign depends on victims downloading a fake app outside of a legitimate app store. It’s crucial that users only download applications by heading directly to official stores, like Google Play or the Apple App Store, to ensure they don’t become part of larger malware schemes like Marcher.
  • Place a fraud alert. If you know your data has been compromised by this attack, be sure to place a fraud alert on your credit so that any new or recent requests undergo scrutiny. It’s important to note that this also entitles you to extra copies of your credit report so you can check for anything sketchy. And if you find an account you did not open, make sure you report it to the police or Federal Trade Commission, as well as the creditor involved so you can put an end to the fraudulent account.
  • Use a mobile security solution. As malware campaigns continue to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security, which is prepared to protect your data from Marcher malware and others like it.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Marcher Malware Uses Both Credential and Credit Card Phishing to Steal Financial Data appeared first on McAfee Blogs.

Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization

The McAfee Mobile Research team recently found pirated applications of popular apps distributed on the Google Play store. A pirated app is one distributed usually outside of the official store as a free version of a legitimate app. Paid legitimate applications are leading targets of pirated versions. In this case, however, we found pirated copies being distributed on the official market.

The four pirated apps we found are developed by AE-funStudios, which offers versions of the common tool and games Flashlight, Race Car, Gun Shoot, and Chess. The download numbers of these apps are between 10,000 and 100,000. We contacted Google about these pirated apps; they were promptly removed from the Google Play store.

How do we know these apps are pirated versions? Let’s look at their structure. The following screenshot shows the pirated version of Chess, com.chess.chessfree.chessboard.chessgame.free.

In this app, we find the file ttttt in the assets folder. The file has no extension, but the format is APK, and in this case is the legitimate app Chess Free from a different developer. The bogus filename is already suspicious.

The pirate app attempts to create a virtual space using the class VirtualCore, installs the legitimate app into that virtualization space, and runs it when the pirate app launches.

The component com.lody.virtual is a piece of virtualization technology. The virtualization component VirtualApp is published on GitHub as open source, so the component itself is not malicious. It is a similar technology to Instant Apps, introduced in Android 8.0 Oreo, which provides a framework for running an application in a virtual space without installation. The component creates a virtual memory space in a local process, and loads and executes an APK file in that memory space.

The pirated app makes the legitimate app in the assets folder behave like a part of the application by using the virtualization component, without installing the legitimate app on the device. Using this framework, the malware author can generate a new Trojan without repackaging (disassembling an app, inserting malware code, and rebuilding it as a new package).
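As an added example (not the McAfee team's tooling), here is a Python triage check for the wrapper pattern described above: an extensionless asset that is itself a complete APK, combined with VirtualApp (com.lody.virtual) class descriptors in classes.dex. The sample wrapper and clean APKs it scans are constructed in memory with placeholder package names; a real DEX is binary, but its string table holds descriptors in exactly this form, so a byte search is enough for a first pass.

```python
"""Triage check for 'virtualization wrapper' APKs: an asset that is itself an APK,
plus VirtualApp (com.lody.virtual) references in classes.dex.  Added example."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Descriptor strings a DEX string table contains when VirtualApp is compiled in.
VIRTUALAPP_MARKERS = (b"Lcom/lody/virtual/", b"VirtualCore")


def _looks_like_apk(blob):
    """An asset counts as an embedded APK if it is a ZIP that contains AndroidManifest.xml."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def scan_apk(apk_bytes):
    """Return nested-APK assets, VirtualApp markers found in DEX files, and a verdict."""
    nested, markers = [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name.startswith("assets/") and _looks_like_apk(data):
                nested.append(name)
            if name.startswith("classes") and name.endswith(".dex"):
                markers.update(m.decode() for m in VIRTUALAPP_MARKERS if m in data)
    if nested and markers:
        verdict = "virtualized-wrapper"   # the pattern seen in the pirated Chess app
    elif nested:
        verdict = "nested-apk"            # embedded APK but no known loader: review manually
    else:
        verdict = "clean"
    return {"nested_apks": nested, "markers": sorted(markers), "verdict": verdict}


def _build_zip(entries):
    """Build an in-memory ZIP (APKs are ZIPs) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_wrapper():
    """Constructed stand-in for the pirated app: assets/ttttt holds a second, complete APK."""
    inner_apk = _build_zip({
        "AndroidManifest.xml": b"<manifest package='com.example.legit.chess'/>",
        "classes.dex": b"dex\n035\x00Lcom/example/legit/chess/MainActivity;",
    })
    return _build_zip({
        "AndroidManifest.xml": b"<manifest package='com.example.pirate.chess'/>",
        "classes.dex": b"dex\n035\x00Lcom/lody/virtual/client/core/VirtualCore;"
                       b"Lcom/example/pirate/Loader;",
        "assets/ttttt": inner_apk,  # extensionless asset, as in the real sample
    })


def build_sample_clean():
    """Constructed ordinary app whose assets are plain data files."""
    return _build_zip({
        "AndroidManifest.xml": b"<manifest package='com.example.plain'/>",
        "classes.dex": b"dex\n035\x00Lcom/example/plain/MainActivity;",
        "assets/levels.json": b'{"levels": [1, 2, 3]}',
    })


if __name__ == "__main__":
    print("wrapper:", scan_apk(build_sample_wrapper()))
    print("clean:  ", scan_apk(build_sample_clean()))
```

To run it over a real file, pass `open("app.apk", "rb").read()` to `scan_apk`; an embedded APK alone is worth a manual look even when no loader marker is present, since other virtualization frameworks use different class names.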

However, the virtualization technique is not the perfect framework for all Android apps. Those with diversion protection and complex structures will not run in a virtual space. By applying app protection technology against repackaging, for example, we believe that the risk of a legitimate application being abused will become very low.

Let’s consider the intent of the pirated app’s author. In the following screenshot, it appears the author intends to earn income from mobile app advertisements. From our investigation, however, the current versions of these pirated apps have no mechanisms to display advertisements or to intercept the communications of the related legitimate apps to gain the revenue. Perhaps this feature is under development for future updates.

Another scenario is that the developer of the pirated apps might plan to sell the developer account to a criminal organization because, as one website points out, popular accounts such as those on Facebook and Instagram are traded at high prices on the black market, just like banking accounts and personal identity information. The developer account could also be used for malware and spyware distribution. Each application affected by these four pirated apps is very popular, with between 1 million and 50 million users. The pirated versions offer the same functionality as the legitimate apps to attract and retain users looking for the original applications.

McAfee Mobile Security detects these pirated apps as Android/PUP.Pirates.C and protects user devices as well as the legitimate developers’ rights. To further protect yourself against pirated apps, download only recommended and popular apps on official app stores, and pay attention to suspicious traits such as odd app titles, user-unfriendly descriptions, low-quality screenshots, and poor user reviews. Also, verify that an app’s request for permissions is related to its functionality.


The post Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization appeared first on McAfee Blogs.

ROCA: Which Key-Pair Attacks Are Credible?

In the past two weeks, we have seen two big encryption issues arise: key reinstallation attacks, called KRACKs; and “Return of Coppersmith’s Attack,” called ROCA. Many CEOs, CIOs, and CISO/CSOs are asking, as they must, “Are we protected?” and “What’s our exposure?” Security architects are scurrying about to identify reasonable responses that can be presented to anxious executives.

We’ve already looked at KRACKs. How dangerous is ROCA?

Upon reading the Forbes article on ROCA, the first attack (code signatures) did not seem to be that major because operating system certificates typically are not generated on users’ individual machines. “Given a code signing certificate’s public key (which an organization has to publish), an attacker could derive the private key allowing them to sign software impersonating the victim,” said Jake Williams of Rendition InfoSec.

Although Williams’ example is theoretically correct, his statement fails to acknowledge how the major operating system vendors issue certificates. As we shall see from our analysis, only some digitally signed software might suffer from private-key derivation. For several commercial and open-source operating systems, derivation will not be probable, and for others will be impossible.

In case you haven’t read the rest of the analysis, Android is again this week’s security “problem child.”

Android Google Play signing certificates are generated on whatever hardware an application developer happens to own. The key pair is also generated with the default algorithm of the developer's Java installation. Surely, some percentage of Android signing certificates use RSA key pairs smaller than 2,048 bits and were generated by the vulnerable Infineon hardware and software?

It also appears that Apple applications not offered by the Apple Store can be signed with any certificate, including key pairs generated locally. Some small percentage of Apple applications might have key pairs that can be derived via the Infineon chip subject to a ROCA attack.

Because Apple’s Mac OS X doesn’t make use of the Infineon chip for random number generation,[1] we believe the percentage of derivable private keys will be small. Apple development occurs on Apple machines, which use a pseudorandom software algorithm. Only in a corner case would a developer generate the keys outside of Apple’s development system, Xcode. Though this is certainly possible, it is not usual, and perhaps quite rare.

Are there other credible attacks? Absolutely. At the current state of key derivation (estimated at 140.8 CPU years), single, targeted derivations are very credible, especially considering adversaries who can afford to apply serious computing time to the derivation.

For attackers who can leverage massive parallel processing or supercomputing resources, the derivation of a targeted private key might be worth the investment. But the attacker first must obtain the public key, which for a number of scenarios will first require gaining a beachhead on the targeted machine.

For attackers who must maximize profits and minimize expenses and investments, key derivation is probably too expensive an operation, unless the return on investment far outweighs the expense of purchasing the computing power and taking the time to perform that single, targeted derivation. This attack occurs one at a time, not as weaponized and global.

Attacks by nation-states, cyber armies, and industrial espionage threat actors who aim at specific targets are the ones to worry about. For the average consumer who is not a government official, intelligence agency worker, executive, or technical leader of an organization of interest, there is probably little to worry about. Update your firmware (if you can) when it becomes available. But do not change all of your passwords yet again. (Changing passwords provides no protection for this issue.)

If you reuse passwords often, do not construct passwords with lots of character variation, or do not use passphrases, any time is a good time to improve your password strength. The ease of cracking passwords just keeps increasing. Make your passphrases slow to crack; criminals will move on to easier targets. For those who insist on using poorly constructed passwords, this attack does not decrease your already weak security posture. Weak passwords offer attackers an easy, well-trodden path to success.

For those who are potential targets of a one-off attack powered by significant resources, you should immediately seek a Trusted Platform Module (TPM) firmware update. These users will also need to reprovision the TPM root key pair and any other keys that have been generated by the Infineon chip and its associated random number generator (RNG) library. (More details follow.) Or, potential targets may wish to obtain a different device that is not dependent upon the vulnerable Infineon chip and its RSA key generation library.

For those concerned about McAfee products: McAfee Drive Encryption and McAfee Management of Native Encryption may depend upon an Infineon TPM chip to protect hard disk encryption keys. This is not a McAfee vulnerability. Indeed, use of the TPM is a configurable option in McAfee Drive Encryption. If you do not use the “TPM Autoboot” feature, then even if the Infineon chip is present, McAfee Drive Encryption does not use it.

The situation is the same for any product that may take advantage of available TPM protections: A service upon which McAfee software is dependent and over which McAfee has no control has a serious vulnerability that affects the security of the machine upon which McAfee builds its protections.

McAfee customers who must protect data from a tightly targeted attack should seek a TPM firmware update immediately and then reprovision their disk encryption keys. (More details follow.) In any event, like other software that makes use of a root-of-trust like the TPM, we depend upon the TPM to ensure and anchor trust on a machine; that is its purpose and a very strong reason to use it. Hence, McAfee Drive Encryption and McAfee Management of Native Encryption are functioning as designed. (McAfee disk encryption products do not support Google Chromebook computers.)

Let’s take a look at how several major operating systems issue code-signing certificates and why these certificates will likely not be vulnerable to ROCA.

To follow the analysis, remember that ROCA works against the Infineon chip’s RNG. Even if a vulnerable Infineon chip is used, if some other RNG is employed then the ROCA attack is not applicable.
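As an added example (not from the McAfee post), the following Python screen implements the published ROCA fingerprint test so that defenders can inventory which of their RSA public keys, for example Android signing certificates or TPM-generated keys, came from the affected Infineon library. The affected library builds each prime as k*M + (65537^a mod M), with M a product of small primes, so every residue N mod p of the modulus lies in the subgroup generated by 65537; a modulus failing that property was not produced by the library. The 2,048-bit practicality threshold follows the post; the sample values are constructed, not real keys.

```python
"""Screening check for the ROCA fingerprint on an RSA public modulus.

Added example implementing the published ROCA detection test (Nemec et al., 2017):
moduli from the affected Infineon RSA library satisfy  N mod p in <65537> mod p
for every small prime p below, because their primes are k*M + (65537^a mod M).
"""
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def _residue_mask(p, g=GENERATOR):
    """Bitmask of the subgroup <g> in (Z/pZ)*: bit r is set iff r is a power of g mod p."""
    mask, r = 0, 1
    while True:
        mask |= 1 << r
        r = (r * g) % p
        if r == 1:
            return mask


# Precomputed once: for p = 11 this is 0b10000000010 (residues 1 and 10), etc.
FINGERPRINT_MASKS = {p: _residue_mask(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True if every small-prime residue of n lies in <65537>: the affected library's signature.

    False positives are astronomically unlikely for honest keys (each prime removes most
    residues), so a hit means the key should be treated as generated by the vulnerable library.
    """
    return all((FINGERPRINT_MASKS[p] >> (n % p)) & 1 for p in SMALL_PRIMES)


def modulus_from_hex(text):
    """Parse 'Modulus=AB:CD...' (openssl x509 -noout -modulus) or bare hex into an int."""
    hexdigits = text.split("=", 1)[-1]
    hexdigits = "".join(ch for ch in hexdigits if ch in "0123456789abcdefABCDEF")
    return int(hexdigits, 16)


def assess_modulus(n):
    """Combine the fingerprint with the size band the post treats as practically factorable.

    The post quotes an estimated 140.8 CPU years for a single targeted derivation at
    2,048 bits, so fingerprinted keys of that size or smaller are flagged as practical.
    """
    bits = n.bit_length()
    fingerprint = has_roca_fingerprint(n)
    practical = fingerprint and bits <= 2048
    if not fingerprint:
        verdict = "not generated by the affected library"
    elif practical:
        verdict = "affected; targeted factorization is practical"
    else:
        verdict = "affected; factorization cost above the sizes covered here"
    return {"bits": bits, "fingerprint": fingerprint, "practical": practical, "verdict": verdict}


# Constructed sample values (not real keys): a power of 65537 trivially satisfies the
# fingerprint in every residue, and 3233 = 61 * 53 is the textbook RSA modulus.
SAMPLE_FINGERPRINTED = GENERATOR ** 127   # 2,033 bits
SAMPLE_TEXTBOOK = 3233

if __name__ == "__main__":
    for label, n in (("constructed fingerprinted value", SAMPLE_FINGERPRINTED),
                     ("textbook modulus 61*53", SAMPLE_TEXTBOOK)):
        print(label, assess_modulus(n))
```

For a certificate on disk, `openssl x509 -noout -modulus -in cert.pem` prints the modulus in the form `modulus_from_hex` accepts; the check is on the public key only and reveals nothing an attacker does not already have.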

Microsoft

Authenticode certificates, which must be used for Windows digital signatures, are issued only by a limited set of approved certificate authority (CA) vendors. We might imagine that one or more of these vendors have support staff issuing certificates on their laptops, but that is not how it is done. Because the CA business is entirely dependent on the trustworthiness of the private key that is used to sign the root certificate, commercial CAs must rigorously defend their root private key and ensure that it is generated with as much entropy as possible.

We have been directly involved in the implementation of four public key infrastructures (PKIs) at three companies and worked with several more. Although none of these was a commercial CA, a couple were for large enterprises.

Root-of-trust CAs and PKIs typically do not depend on user-level or even server machines; they depend on hardware security modules (HSMs) for generating and protecting keys and for cryptographic functions. HSMs are purpose-built appliances that perform cryptographic operations. The few HSM vendors tend to be very jealous of their careful and exacting RNGs. Based upon our investigation, the major HSM vendors build RNGs to exacting standards; these tend to be custom, as a differentiator.

It is certainly possible that these HSMs contain Infineon chips. It is also possible that the vulnerable Infineon RNG is used in some capacity in the HSM vendor’s RNG. But the Infineon RNG would have to pass its entropy failures through to the vendor’s RNG, and that is unlikely. HSM RNGs receive a lot of testing and, often, independent certification of randomness.

Our educated guess is that commercial HSMs do not suffer from poor entropy because that is what the HSM business is built upon. Of course, without direct testing, Infineon ROCA susceptibility is still a possibility, though we believe a remote one (except perhaps for Infineon’s own HSM offering, Aurix).

It is very unlikely that a commercial CA that is successful enough to be approved by Microsoft would generate keys on anything less than heavy-duty, purpose-built RNGs, likely an HSM that can also adequately protect the private keys to root certificates.

Thus, unless one of Microsoft’s approved CAs is blowing smoke (remembering that Microsoft certifies each implementation), the likelihood of a vulnerable Infineon chip behind a Microsoft-certified CA is small.

Apple

Apple issues its own Apple Store certificates. Apple would be very foolish to use just any hardware under the control of random employees and contractors for Apple Store key generation. Our educated guess is that they also employ a bank of HSMs to generate keys. After all, Apple must protect private keying material like Fort Knox, or their trust pyramid falls like a house of cards.

Outside the Apple Store, anything is possible. But Apple’s development platform, Xcode, makes it easy to generate keys. It would be a corner case that another piece of hardware and another operating system were used to generate a key pair, though this is certainly possible. Xcode uses the operating system’s pseudorandom number generator, /dev/random. The device is a software generator. The Infineon ROCA attack is not relevant to Xcode-generated keys.[2]

Linux

Linux makes use of OpenPGP. OpenPGP’s algorithms are specified in RFC 4880, which does not include RSA key pairs. Thus PGP signed software cannot be vulnerable.

Android/Google Play

The key pair for Google Play is generated by the Java keytool, which relies on the local Java installation and whatever cryptography provider is installed. (There is a default reference implementation.) Therefore, it is quite likely that a significant number of Android applications have been signed with a key pair generated by the vulnerable chip and potentially of 2,048 bits or fewer.

To make matters worse, a Google Play certificate is glued to the single application to which it has been issued and is good for 30 years. How does one ensure that a private key will be safe for 30 years? That’s a couple of epochs in computer time, more in web time. Consider the rate of hardware and software change in the last 30 years. Brook threw away all his floppy disks 10 years ago; he hadn’t inserted one for at least seven years before that.

For a lone application developer without access to a properly managed HSM and security infrastructure, how do they protect their Android private key for three years, much less 30? There are many other ways to attack networks and computers beyond deriving the private key from the public key.

Taking in all of our analysis, the likely set of applications that have derivable private keys via a ROCA attack lie within the Android space. Although a faked signature based upon deriving a private key from a public key generated by the Infineon chip is certainly possible, for most operating systems it is not a credible attack due to mitigating factors in the way commercial organizations build trust with their certificate chains.

That does not mean that locally signed software used within an organization or community is not subject to a ROCA attack; the attack is certainly credible outside the realm of most major operating systems’ signing processes. But self-signed certificates for signing software offer no more trust than you can place in the person who has signed the software. Caveat emptor; do not trust software from unreliable sources. That is nothing new.

Apple chose not to use the Infineon TPM chip that it had included in early Intel-powered MacBooks. The chip is no longer included. (See references, at end.)

The second attack reported in the Forbes article, impersonating trusted software that is then validated by an Infineon TPM, does seem credible to me. It might be interesting to identify which computers including the Infineon chip use it as a TPM.

Other credible attack scenarios

Of the other potential attacks, the most worrying will be those targeting a single victim. Once having gained a foothold on a device (in some unspecified manner) for which the root of trust or other cryptographic functions depend upon 2,048-bit or smaller RSA keys generated via Infineon’s RSA library, an attacker can steal the public key of the RSA key pair—if the attacker has access to the public key.[3] Offline, with sufficient computing resources, the attacker can derive the private key. At that point, what the attacker can accomplish is dependent upon the functions for which the private key has been used.

If the vulnerable key pair is used as the device startup (“boot”) root of trust, the attacker can insert software into the boot sequence. That might surrender complete control of the victim’s machine.

If the vulnerable key pair has been used to “seal,” that is, protect secrets in the TPM, then those secrets are compromised. For instance, in the case of Microsoft’s BitLocker disk encryption, the disk encryption key could be gained by the attacker.

A TPM attack will depend upon individual use cases and what the attacker hopes to accomplish through the attack. But the attack remains difficult to weaponize, and turn into a general-purpose, automated attack that anyone with the tool could carry out.

First, the attacker must get the public key of the vulnerable RSA key pair. TPM public keys generally remain on the local machine and are not used across a network, though there are cases for network use of a TPM public key. (Brook has reviewed several such cases, but none of these was with the Infineon TPM.)

Smart card attacks, especially national cards, have been analyzed elsewhere. (See references, at end.) We find no fault in those analyses. Purveyors of smart cards using vulnerable RSA key pairs have been placed on notice to respond, quickly and effectively.

We offer this analysis in the hope that defenders and incident responders will be better able to assess the relative importance of the Infineon RSA RNG vulnerability to key derivation.

Typical consumers will not likely, at least immediately, be a target of this attack. The exploit may never become sufficiently automated to make it useful for broad cybercriminal activity. Those with valuable secrets protected by a vulnerable key pair would be wise to fix or remove the issue.

If a reader feels that they might be a target, then a first line of defense will be to install and maintain endpoint protections such as the latest version of McAfee Endpoint Security (ENS) or similar protections. By keeping attackers from establishing any presence on a machine, most credible attack scenarios cannot achieve the prerequisite first step such that any local, public RSA keys can be obtained.

McAfee Drive Encryption key reprovisioning

Drive Encryption is affected only if the TPM Autoboot policy is in use. McAfee Drive Encryption customers wishing to update an Infineon TPM should follow these steps:

  • Change the TPM Autoboot policy to Non-TPM Autoboot (or use Temporary Autoboot).
  • Update the Infineon TPM firmware provided by your hardware vendor.
  • Clear the TPM.
  • Reprovision the TPM with new keys.
  • Re-enable the TPM autoboot policy.

See the McAfee Service Portal for updates and detailed information.

Brook Schoenfield is Principal Engineer, Product Security Architecture and Jonathan Oulds is Senior Software Development Engineer and Product Security Champion Lead. They thank Joani Wilkinson, Senior Technical Support Engineer, for her assistance with this analysis.

References

https://msdn.microsoft.com/en-us/library/ms537364(v=vs.85).aspx

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man4/random.4.html

https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW41

https://developer.apple.com/support/code-signing/

https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW1

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

RFC 4880 (November 2007)

RFC 4880bis in 2014

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

Notes

[1] First-generation MacBooks included an Infineon TPM but did not use it. See http://www.osxbook.com/book/bonus/chapter10/tpm/.

[2] Pseudorandom number generators have plenty of cryptographic problems, which is why HSM vendors build high-entropy RNG.

[3] TPM key use cases are largely confined to the machine upon which they are used, which implies that the attacker has gained a foothold on the machine to get the public key.

The post ROCA: Which Key-Pair Attacks Are Credible? appeared first on McAfee Blogs.

From Chrysaor to Lipizzan: Blocking a new targeted spyware family



Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We’ve enhanced Google Play Protect’s capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two-stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a “Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second “license verification” stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)


The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.



Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

  • The apps changed from “backup” apps to looking like a “cleaner”, “notepad”, “sound recorder”, and “alarm manager” app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
  • The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.
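The loader pattern described above (an innocuous first stage that carries its second stage as an encrypted blob and loads it at runtime) is something an analyst can triage statically. The script below is an added example and is not code from the original post or from Google Play Protect: it opens an APK as a zip archive, flags non-media assets whose byte entropy is high enough to look encrypted or packed, and checks classes.dex for a DexClassLoader reference. The sample APK it builds is constructed test data, and the entropy threshold is an assumption chosen for triage, not a value from the post.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Assets in these formats are compressed by design, so high entropy is expected
# there and is not evidence of an encrypted payload.
COMPRESSED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".webp", ".gif",
                         ".ogg", ".mp3", ".mp4", ".zip", ".gz")

# Threshold (bits per byte) above which a blob looks encrypted or packed.
# Assumption: a triage cut-off, not a value taken from the post.
ENTROPY_THRESHOLD = 7.5

# Descriptor string present in classes.dex when the app references the runtime
# class loader used to load code that is not part of the APK's own dex files.
DEX_LOADER_MARKER = b"Ldalvik/system/DexClassLoader;"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Report assets that look like encrypted blobs and whether the dex code
    references DexClassLoader. Both together match the stage-2 loader pattern."""
    high_entropy = []
    loads_dynamic_code = False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.startswith("assets/") and not lower.endswith(COMPRESSED_EXTENSIONS):
                if shannon_entropy(zf.read(name)) >= ENTROPY_THRESHOLD:
                    high_entropy.append(name)
            elif lower.startswith("classes") and lower.endswith(".dex"):
                if DEX_LOADER_MARKER in zf.read(name):
                    loads_dynamic_code = True
    return {
        "high_entropy_assets": sorted(high_entropy),
        "dynamic_code_loading": loads_dynamic_code,
        "suspicious": loads_dynamic_code and bool(high_entropy),
    }


def build_loader_sample_apk(with_encrypted_stage: bool) -> bytes:
    """Construct a minimal fake APK (just a zip) for demonstration; every
    member is synthetic and stands in for a real build."""
    rng = random.Random(1)                      # deterministic stand-in for ciphertext
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    dex = b"dex\n035\x00" + b"\x00" * 32
    if with_encrypted_stage:
        dex += DEX_LOADER_MARKER + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/config.json", b'{"backup_interval": 3600}')
        if with_encrypted_stage:
            zf.writestr("assets/license.dat", blob)  # the hidden second stage
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_loader_sample_apk(True)))
    print(triage_apk(build_loader_sample_apk(False)))
```

Either indicator on its own is common in benign apps (games ship packed assets, plugin frameworks use DexClassLoader), which is why the verdict requires both; a hit is a reason to pull the sample for dynamic analysis, not a conviction.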

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?




  • Ensure you are opted into Google Play Protect
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep “unknown sources” disabled while not using it.
  • Keep your phone patched to the latest Android security update.


List of samples

1st stage



Newer version 


Standalone 2nd stage



Which operating system is the most secure? Four points to remember.

No, you are almost certainly wrong if you tried to guess. A recent study shows that products from Apple are actually at the top when counting vulnerabilities, and that means at the bottom security-wise. Just counting vulnerabilities is not a very scientific way to measure security, and there is a debate over how to interpret the figures. But it is a welcome eye-opener anyway, one that helps kill old myths.

For a long time Apple stubbornly denied security problems, and its marketing succeeded in building an image of security. Meanwhile Windows was the biggest and most malware-targeted system. Microsoft rolled up its sleeves and fought at the front line against viruses and vulnerabilities. Its reputation suffered, but Microsoft gradually improved in security and built an efficient process for patching security holes. Microsoft had what is most important in security, the right attitude. Apple didn’t, and the recent vulnerability study shows the result.

Here are four points for people who want to select a secure operating system.

  • Forget reputation when thinking about security. Windows used to be bad, and nobody really cared to attack Apple’s computers before they became popular. The old belief that Windows is unsafe and Apple is safe is just a myth nowadays.
  • There is malware on almost all commonly used platforms. Windows Phone is the only exception, with practically zero risk. Windows and Android are the most common systems, and malware authors target them the most, so the need for an anti-malware product is naturally bigger on these systems. But the so-called antivirus products of today are actually broad security suites. They protect against spam and harmful web sites too, just to mention some examples. So chances are that you want a security product anyway, even if your system isn’t one of the main malware targets.
  • So which system is most secure? It’s the one that is patched regularly. All the major systems, Windows, OS X and Linux, have sufficient security for a normal private user. But they will all become unsafe if the security updates are neglected. So security is not really a selection criterion for ordinary people.
  • Mobile devices, phones and tablets, generally have a more modern system architecture and a safer software distribution process. Do you have to use a desktop or laptop, or can you switch to a tablet? Dumping the big old-school devices is a way to improve security. Could it work for you?

So all this really boils down to the fact that you can select any operating system you like and still be reasonably safe. There are some differences, though, but they are more about old-school versus new-school devices, not about Apple versus Microsoft versus Linux. Also remember that your own behavior affects security more than your choice of device, and that you are never 100% safe no matter what you do.


Safe surfing,
Micke


Added February 27th. Yes, this controversial study has indeed stirred a heated debate, which isn’t surprising at all. Here’s an article defending Apple. It has flaws and represents a very limited view on security, but one of its important points still stands. If someone still thinks Apple is immortal and invincible, it’s time to wake up. And naturally, this whole debate is totally meaningless for ordinary users. Just keep patching what you have and you will be fine. 🙂 Thanks to Jussi (and others) for feedback.


The Service You Can’t Refuse: A Secluded HijackRAT

In the Android world, sometimes you can’t stop malware from “serving” you, especially when the “service” is actually a malicious Android class running in the background and controlled by a remote access tool (RAT). Recently, FireEye mobile security researchers discovered such a malware sample that pretends to be a “Google Service Framework”, kills an anti-virus application, and takes other malicious actions.

In the past, we’ve seen Android malware that leaks private data, steals banking credentials, or provides remote access, each separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition, we found that the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect that in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the attacker is, as the computer of the IP might be a victim as well, we have found from the UI that both the malware developer and the victims are Korean speakers.

Fig. 1. The structure of the HijackRAT malware.

The package name of this new RAT malware is “com.ll” and appears as “Google Service Framework” with the default Android icon. Android users can’t remove the app unless they deactivate its administrative privileges in “Settings.” So far, the Virus Total score of the sample is only five positive detections out of 54 AV vendors [1]. Such new malware is published quickly partly because the CNC server, which the hacker uses, changes so rapidly.

Fig. 2. The Virus Total detection of the malware sample. [1]

Fig. 3. The fake “Google Service Framework” icon on the home screen.

A few seconds after the malicious app is installed, the “Google Services” icon appears on the home screen. When the icon is clicked, the app asks for administrative privilege. Once activated, the uninstallation option is disabled and a new service named “GS” is started, as shown below. When the user tries to click the icon again it shows “App isn't installed.” and then removes itself from the home screen.

Fig. 4. The background service of the malware.

The malware has plenty of malicious actions, which the RAT can command, as shown below.

[Image: 8commands]

Within a few minutes, the app connects with the CNC server and begins to receive a task list from it:

[Image: get]

The content is Base64-encoded (RFC 2045). When decoded, it is a JSONObject with the content {"task": {"0": 0}}. The server IP, 103.228.65.101, is located in Hong Kong. We cannot tell whether it is the hacker’s IP or a victim IP controlled by the RAT, but the URL is named after the device ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:

[Image: code-get]
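The polling exchange just described, a GET to a per-device URL answered with a Base64 (RFC 2045) body that decodes to a {"task": {...}} JSON object, is a usable network signature. The detection below is an added example, not code from the FireEye post or from the malware: it decodes candidate HTTP bodies, keeps only those with the task-list shape, and also matches the C2 address the post names. The traffic records are constructed, the device-ID and UUID path components are placeholders, and the list of C2 addresses would come from threat intelligence rather than a hard-coded set.

```python
import base64
import binascii
import json

# C2 address named in the post (not a constructed value). Assumption: in a real
# deployment this set is fed from threat intelligence rather than hard-coded.
KNOWN_C2_ADDRESSES = {"103.228.65.101"}


def decode_task_list(body: str):
    """Decode an RFC 2045 Base64 body (76-column lines, CRLF line ends) and
    return the parsed JSON if it has the RAT's {"task": {...}} shape, else None.
    b64decode discards the line breaks because validate defaults to False."""
    try:
        raw = base64.b64decode(body)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if isinstance(obj, dict) and isinstance(obj.get("task"), dict):
        return obj
    return None


def inspect_http_records(records):
    """Scan HTTP response records (dicts with dst_ip, path, body) and return
    one alert per record that talks to a known C2 or carries a task list."""
    alerts = []
    for rec in records:
        reasons = []
        if rec["dst_ip"] in KNOWN_C2_ADDRESSES:
            reasons.append("destination is a known HijackRAT C2 address")
        task = decode_task_list(rec.get("body", ""))
        if task is not None:
            reasons.append("body decodes to a RAT task list with task ids %s"
                           % sorted(task["task"]))
        if reasons:
            alerts.append({"dst_ip": rec["dst_ip"], "path": rec["path"], "reasons": reasons})
    return alerts


def build_sample_records():
    """Constructed traffic: one C2 poll shaped like the one in the post plus two
    benign responses. The path components are placeholders, not real IDs."""
    task_body = (base64.encodebytes(b'{"task": {"0": 0}}')
                 .decode("ascii").replace("\n", "\r\n"))
    return [
        {"dst_ip": "103.228.65.101",
         "path": "/DEVICE_ID_PLACEHOLDER/UUID_PLACEHOLDER", "body": task_body},
        {"dst_ip": "203.0.113.10", "path": "/api/v1/weather", "body": '{"temp_c": 21}'},
        {"dst_ip": "203.0.113.20", "path": "/index.html",
         "body": "<html><body>hello</body></html>"},
    ]


if __name__ == "__main__":
    for alert in inspect_http_records(build_sample_records()):
        print(alert)
```

The body check matters more than the address match: the post notes that the CNC server changes rapidly, so an IP-only rule goes stale quickly, while the task-list encoding is part of the implant's protocol.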

- "UPLOAD PRIVACY DETAILS"

The task list shown above triggers the first malicious action, “Upload Phone Detail.” When executed, the user’s private information is uploaded to the server using an HTTP POST request. The information contains the phone number, device ID, and contact list, as shown below in the network packet of the request:

[Image: post]

When decoded, the content in the red and blue part of the PCap are shown below respectively:

1. The red part:

[Image: post-pcap-decrypt1]

2. The blue part:

[Image: post-pcap-decrypt2]

The contact list shown above is already highly sensitive, yet, if the user has installed some banking applications, the malware will scan for them too.

In a testing device, we installed the eight Korean bank apps as shown below:

Fig. 5. The eight banking apps.

When this was done, we found that the value of “banklist” in the PCap was no longer N/A:

[Image: 8banks-pcap]

The “banklist” entry in the PCap is filled with the short names of the banks that we installed. The map below relates the short names to the package names of the eight banking apps installed on the phone:

[Image: table]

The map of the banks is stored in a database and used in another malicious action controlled by the CNC server too.

- "POP WINDOW"

In this malicious action, the CNC server sends a command to replace the existing bank apps. The eight banking apps require the installation of “com.ahnlab.v3mobileplus,” which is a popular anti-virus application available on Google Play. In order to evade any detections, the malware kills the anti-virus application before manipulating the bank apps. In the code shown below, Conf.LV is the “com.ahnlab.v3mobileplus” being killed.

[Image: killav]

Then, the malware app parses the banking apps that the user has installed on the Android device and stores them in the database under /data/data/com.ll/database/simple_pref. The red block below shows the bank list stored in the database:

[Image: db8banks]

Once the corresponding command is sent from the RAT, the resolvePopWindow() method is called and the device pops up a window with the message: “The new version has been released. Please use after reinstallation.”

[Image: code-popwindow]

The malware will then try to download an app, named after “update” and the bank’s short name from the CNC server, simultaneously uninstalling the real, original bank app.

[Image: code-install]

In the code shown above, “mpath” contains the CNC server IP (103.228.65.101) and path (determined by the RAT); “mbkname” is the bank name retrieved from the SQLite database. The fake APK (e.g. "updateBH.apk") is downloaded from the CNC server; however, we don’t know what the fake apps look like, because during the research the command for this malicious action was not executed from the RAT. Yet the source of the “update*.apk” is definitely not certified by the banks and might be harmful to the Android user.

- "UPDATE"

When the command to “update” is sent from the RAT, a similar app – “update.apk” is downloaded from the CNC server and installed in the Android phone:

[Image: code-update]

- "UPLOAD SMS"

When the command to upload SMS is received from the RAT, the SMS messages on the Android phone are uploaded to the CNC server. Each SMS is stored in the database when it is received:

[Image: code-uploadsms]

[Image: code-savesms]

Then the SMS is read from the database and uploaded to the CNC server once the command is received:

[Image: code-uploadsmscnc]

- "SEND SMS"

Similarly, when the send SMS command is received, the contact list is sent out through SMS.

[Image: code-sendsms]

- "BANK HIJACK"

Interestingly enough, we found a partially finished method called “Bank Hijack.” The code below partially shows how the BankHijack method works. The malware reads the short bank name, e.g. “NH”, and then keeps installing the updateNH.apk from the CNC server until it is the newest version.

[Image: code-hijack]

So far the part after the installation of the fake app is not finished. We believe the hacker is temporarily having trouble completing the function.

[Image: code-hijack-half]

As shown above, the hacker has designed and prepared for the framework of a more malicious command from the CNC server once the hijack methods are finished. Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon.

REFERENCE

__________________________________________________

[1] https://www.virustotal.com/intelligence


If an Android Has a Heart, Does It Bleed?

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Currently there are about 17 antivirus apps on Google Play branded as “Heartbleed detectors”. Six of them scan the OpenSSL library belonging to the Android platform for vulnerabilities. Unfortunately, this method isn’t sufficient for detecting the Heartbleed vulnerability on Android. Except in limited Android versions (mainly 4.1.0-4.1.1), the majority of Android platforms are not vulnerable, as most versions use OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeat messages to the app to steal sensitive memory contents.

We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.

During our investigation of the office apps that contain a vulnerable version of OpenSSL, we were surprised that they were not vulnerable to the Heartbleed attack. How could that be? A deeper look shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of the vulnerable library provided by the app. This linkage mistake is common for Android applications built with native code. As such, the side effect of this mistake helps reduce the apps’ overall risk profile.

Of the 17 Heartbleed detector apps on Google play, only 6 detectors check installed apps on the device for Heartbleed vulnerability. And of those 6, 2 report all apps installed as “Safe,” including those we confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t scan the OpenSSL version correctly. Only 2 of them did a decent check on Heartbleed vulnerability of apps. Although they conservatively labeled some non-vulnerable apps as vulnerable, we agree it is a viable report which highlights both the vulnerabilities and the linkage mistakes. We’ve also seen several fake Heartbleed detectors among the 17 apps, which only serve as adware and don’t perform real detections or display detection results to users.
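The post faults detectors that scan only the platform's OpenSSL, or that do not read the OpenSSL version correctly, and notes that bundling a vulnerable library is not the same as being exploitable. The scanner below is an added example, not code from the FireEye post or from any of the detector apps: it walks the native libraries inside an APK, extracts the version banner OpenSSL compiles into libcrypto/libssl, applies the CVE-2014-0160 version range (1.0.1 through 1.0.1f), and records whether the heartbeat handler symbol is present. The sample APK is constructed, and the symbol check is a heuristic I am assuming holds for unstripped dynamic symbols, not a fact from the post.

```python
import io
import re
import zipfile

# Version banner OpenSSL compiles into libcrypto/libssl, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")

# Heuristic (assumption): the heartbeat handler is a non-static function in
# 1.0.1, so its name normally survives in the .so's dynamic symbol table.
# Its absence suggests a build with heartbeats disabled. Indicator, not proof.
HEARTBEAT_SYMBOL = b"tls1_process_heartbeat"


def version_is_heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is fixed."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"


def scan_apk(apk_bytes: bytes) -> dict:
    """Report every OpenSSL banner found in the APK's bundled native libraries,
    which libraries carry an affected version, and whether the heartbeat
    handler symbol is present in each of them."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            versions = sorted({v.decode("ascii") for v in OPENSSL_BANNER.findall(data)})
            if versions:
                libs[name] = {
                    "versions": versions,
                    "affected_version": any(version_is_heartbleed_affected(v) for v in versions),
                    "heartbeat_symbol": HEARTBEAT_SYMBOL in data,
                }
    affected = sorted(n for n, info in libs.items() if info["affected_version"])
    return {"libs": libs, "affected_libs": affected, "bundles_affected_openssl": bool(affected)}


def build_openssl_sample_apk(openssl_version: str, with_heartbeat: bool = True) -> bytes:
    """Constructed APK (a zip holding fake ELF blobs) for demonstration only."""
    banner = ("OpenSSL %s 11 Feb 2013" % openssl_version).encode("ascii")
    crypto = b"\x7fELF" + b"\x00" * 64 + banner + b"\x00" * 16
    ssl = b"\x7fELF" + b"\x00" * 64 + banner + b"\x00" * 16
    if with_heartbeat:
        ssl += HEARTBEAT_SYMBOL + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("lib/armeabi/libcrypto.so", crypto)
        zf.writestr("lib/armeabi/libssl.so", ssl)
        zf.writestr("lib/armeabi/libgame.so", b"\x7fELF" + b"\x00" * 64)  # no OpenSSL inside
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_openssl_sample_apk("1.0.1e")))
    print(scan_apk(build_openssl_sample_apk("1.0.1g")))
```

This answers only the "bundles an affected library" half of the question. The linkage mistake the post describes, where the app ends up calling the platform's non-vulnerable OpenSSL instead of its own copy, can only be settled by checking what the app actually links and calls at runtime, which is why the conservative detectors the post praises label some non-vulnerable apps as vulnerable.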

On April 10th, we scanned more than 54K Google Play apps (each with over 100K downloads) and found that at least 220 million downloads were affected by the Heartbleed vulnerability. We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products. Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes. The total number of downloads of vulnerable apps had decreased to 150 million by April 17th.

[1] Vulnerability Summary for CVE-2014-0160

Occupy Your Icons Silently on Android

FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.

Normal vs. Dangerous Permissions: A Background

Android Open Source Project (AOSP) classifies Android permissions into several protection levels: “normal”, “dangerous”, “system”, “signature” and “development” [1][2][3].

Dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities”. In contrast, normal permissions are automatically granted at installation, “without asking for the user's explicit approval (though the user always has the option to review these permissions before installing)” [1].

On the latest Android 4.4.2 system, if an app requests both dangerous permissions and normal permissions, Android only displays the dangerous permissions, as shown in Figure 1. If an app requests only normal permissions, Android doesn’t display them to the user, as shown in Figure 2.

Figure 1. An Android app asks for one dangerous permission (INTERNET) and some normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS). Android doesn’t notify the user about the normal permissions.

Figure 2. An Android app asks for normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS) only. Android doesn’t show any permission to the user.

Normal Permissions Can Be Dangerous

We have found that certain “normal” permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legit Android home screen icons with fake ones that point to phishing apps or websites.

The ability to manipulate Android home screen icons, when abused, can help an attacker deceive the user. It is no surprise that the com.android.launcher.permission.INSTALL_SHORTCUT permission, which allows an app to create icons, was recategorized from “normal” to “dangerous” as of Android 4.2. Though this is an important security improvement, an attacker can still manipulate Android home screen icons using two normal permissions: com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS. These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including icon insertion or modification. Unfortunately, these two permissions have been labeled as “normal” since Android 1.x.
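Because the platform does not surface normal permissions at install time, an app-vetting pipeline has to look for them itself. The audit below is an added example, not code from the FireEye post or from Android: it parses a source-form AndroidManifest.xml, classifies each requested permission using the protection levels the post states for Android 4.4.2, and flags the combination that matters here, both Launcher settings permissions held by an app that triggers no permission prompt at all. The two manifests it builds are constructed to mirror Figure 1 and Figure 2; the package name and label are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Protection levels as the post states them for Android 4.4.2: INTERNET is
# "dangerous" (shown at install), INSTALL_SHORTCUT became "dangerous" in
# Android 4.2, and the two Launcher settings permissions are still "normal".
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "dangerous",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "dangerous",
    "com.android.launcher.permission.READ_SETTINGS": "normal",
    "com.android.launcher.permission.WRITE_SETTINGS": "normal",
}

# Holding both of these lets an app read and rewrite the Launcher's icon table.
ICON_REWRITE_SET = {
    "com.android.launcher.permission.READ_SETTINGS",
    "com.android.launcher.permission.WRITE_SETTINGS",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> in a source-form manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def audit_manifest(manifest_xml: str) -> dict:
    """Split requested permissions by what the installer shows, and flag the
    silent icon-rewrite case the post describes."""
    perms = requested_permissions(manifest_xml)
    levels = {p: PROTECTION_LEVEL.get(p, "unknown") for p in perms}
    shown_at_install = [p for p in perms if levels[p] == "dangerous"]
    can_rewrite_icons = ICON_REWRITE_SET <= set(perms)
    return {
        "shown_at_install": shown_at_install,
        "granted_silently": [p for p in perms if levels[p] == "normal"],
        "unknown_level": [p for p in perms if levels[p] == "unknown"],
        "can_rewrite_icons": can_rewrite_icons,
        # Figure 2's case: icon-rewrite capability with no permission prompt at all.
        "silent_icon_rewrite": can_rewrite_icons and not shown_at_install,
    }


def sample_manifest(include_internet: bool) -> str:
    """Constructed manifest mirroring Figure 1 (with INTERNET) or Figure 2
    (Launcher permissions only); package and label are placeholders."""
    internet = ('    <uses-permission android:name="android.permission.INTERNET"/>\n'
                if include_internet else "")
    return (
        '<manifest xmlns:android="%s" package="com.example.hypothetical">\n'
        '%s'
        '    <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>\n'
        '    <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>\n'
        '    <application android:label="Hypothetical App"/>\n'
        '</manifest>\n'
    ) % (ANDROID_NS, internet)


if __name__ == "__main__":
    print(audit_manifest(sample_manifest(True)))
    print(audit_manifest(sample_manifest(False)))
```

On a real APK the manifest is in binary XML, so a tool such as aapt or apktool has to decode it first; the classification logic is the same once the permission names are in hand, and any name the table does not know lands in unknown_level for a human to look at rather than being silently treated as harmless.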

As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)

Lastly, this vulnerability is not limited to Android devices running AOSP. We have also examined devices that use non-AOSP Launchers, including Nexus 7 with CyanogenMod 4.4.2, Samsung Galaxy S4 with Android 4.3 and HTC One with Android 4.4.2. All of them have the protection levels of com.android.launcher.permission.READ_SETTINGS and WRITE_SETTINGS as “normal”.

Google acknowledged this vulnerability and has released the patch to its OEM partners. Many Android vendors have been slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users.

References:

  1. http://developer.android.com/guide/topics/manifest/permission-element.html

  2. https://android.googlesource.com/platform/frameworks/base/+/master/core/res/AndroidManifest.xml

  3. https://android.googlesource.com/platform/packages/apps/Launcher2/+/master/AndroidManifest.xml