Category Archives: Android

Fortnite is coming to Android, but malicious fake apps are already there

Android users eager to play the increasingly popular Fortnite survival game on their mobile devices are being targeted left and right with malicious apps masquerading as the game or apps related to it. What is Fortnite? Fortnite is a co-op sandbox survival game published by Epic Games. It was released for Microsoft Windows, macOS, PlayStation 4, and Xbox One in July 2017 and, more recently, for iOS. Its popularity is steadily rising and Epic has … More

The post Fortnite is coming to Android, but malicious fake apps are already there appeared first on Help Net Security.

The Verge Goes Hands-On With the ‘Wildly Ambitious’ RED Hydrogen One Smartphone

It's been almost a year since RED, a company known for its high-end $10,000+ cameras, teased a smartphone called the RED Hydrogen One. Several months have passed since the phone was announced and we still don't know much about it, aside from it having a very industrial design and "Hydrogen holographic display." Earlier this week, AT&T and Verizon confirmed that they'll launch the device later this year. Now, The Verge's Dieter Bohn has shared his hands-on impressions with the device, which he claims to be "one of the most ambitious smartphones in years from a company not named Apple, Google, or Samsung." Here's an excerpt from the report: The company better known for high-end 4K cameras with names like "Weapon" and "Epic-w" isn't entering the smartphone game simply to sell you a better Android phone. No, this phone is meant to be one piece of a modular system of cameras and other media creation equipment -- the company claims it will be "the foundation of a future multi-dimensional media system." To that end, it has a big set of pogo-pins on the back to connect it to RED's other cameras also to allow users to attach (forthcoming) modules to it, including lens mounts. If it were just a modular smartphone, we'd be talking about whether we really expected the company to produce enough modules to support it. RED is planning on starting with a module that is essentially a huge camera sensor -- the company is not ready to give exact details, but the plan is definitely more towards DSLR size than smartphone size. Then, according to CEO Jim Jannard, the company wants any traditional big camera lens to be attached to it. Answering a fan question, he joked that support for lenses will be "pretty limited," working "just" with Fuji, Canon, Nikon, Leica, and more. [...] The processor inside will be a slightly-out-of-date Qualcomm Snapdragon 835, but it seemed fast enough in the few demos I was able to try. Honestly, though, if you're looking to get this thing just as a phone, you're probably making your decision based on the wrong metrics. It's probably going to be a perfectly capable phone, but at this price (starting at $1,195) what you're buying into is the module ecosystem.

Read more of this story at Slashdot.

‘Fortnite: Battle Royale’ is finally coming to Android this summer

Fortnite is coming to Android this summer

Epic Games, the studio behind the insanely popular battle royale game “Fortnite” had officially released the mobile version for iOS platform a few months ago. Besides iOS, the game is also available on Windows, macOS, PlayStation 4, and Xbox One. However, no specific release date of the game was mentioned for the largest mobile platform, Android.

Now, in a “State of Mobile” update on its official website, Epic Games revealed that the mobile version of the popular battle royale game is finally coming to Android this summer.

For those unaware, ‘Fortnite: Battle Royale’ is a colorful and cartoony style game where 100 players drop onto a huge map and then fight to the death with the last player standing to win a Victory Royale.

“Fortnite” developer Epic Games is “targeting this summer” for the game’s Android launch, and promises more information as soon as it’s available. There’s no hard release date, and it’s not clear which Android phones are supported.

“Fortnite is coming to Android! We are targeting this summer for the release. We know many of you are excited about this release, and we promise that when we have more information to share, you’ll hear it from us first.”

Besides mentioning about the Android version release, the post also highlights some of the features and quality-of-life improvements that Fortnite team is currently working on to enhance the game’s overall performance and player experience.

The developer is also planning to bring voice chat functionality to the game, which will allow players to chat with their teammates irrespective of which platform they’re playing on.

“We know that communication is key when you’re squatting up for that Victory Royale, so we’re working to bring voice chat to mobile. On top of that, you’ll be able to chat with your teammates regardless of platform!”

The Fortnite team is also further improving the Autorun feature and “adding better ways to fire.” These changes will be added to the game in the near future and will be available within the settings tab in game. The Fortnite team is planning to add a Battery-Saver mode that offers increased performance on low graphics settings. Epic says it is also constantly working to resolve crashes and other technical issues.

Since, the time ‘Fortnite: Battle Royale has been released on iOS, it’s been a huge success, and has earned over $15 million from in-app purchases just in the first month of release. Therefore, it would be interesting to see whether the popular battle royale game is able to outperform iOS’s earnings when it is released on Android platform.

 

The post ‘Fortnite: Battle Royale’ is finally coming to Android this summer appeared first on TechWorm.

Endless OS 3.4 Released With Companion App For Android

Endless OS 3.4 Released With Phone Companion App, Linux 4.15 Kernel, And Smarter Updates

Endless Mobile, Inc., which develops the Linux-based operating system, Endless OS and reference platform hardware for it, has recently announced Endless OS 3.4, which is the company’s latest major release.

According to Endless OS’ community manager Michael Hall, Endless OS 3.4 is a “huge step forward in our journey to help you take advantage of an internet connection when you have it, and be respectful of your limited data plan if that’s what you are using to connect. Version 3.4 brings exciting new features to help you manage your data consumption and get updates in smarter ways.”

For those unaware, Endless OS is a free, easy-to-use, Linux-based operating system that provides a simplified and streamlined user experience using a customized desktop environment branched from GNOME 3.

“Endless OS 3.4 also brings many stability and performance improvements since we’ve updated our open source core. With all of these great new features and improvements, we hope that you will enjoy this new version of Endless OS as the best release to date,” Michael said in the announcement.

The new version brings low-level improvements to the system and the graphical interface based on GNOME (brought to version 3.26), which allows you to set system updates automatically or schedule them at certain times. This is especially useful if you have limited data access to the Internet. For instance, the system can be configured to not download app updates or any kind of content when a limited data connection is used. The distro is intelligently designed to know when and how it can depend on the Internet.

The App Center in Endless OS 3.4 has been updated to show users Endless OS updates for their apps. This will allow the users to manage all their updates in one place, and also provide more information about what is in the OS update before the user installs it.

Further, Endless OS 3.4 will ship with the Linux 4.15 kernel, which fixes a number of hardware bugs and increases support for various types of hardware. This release also gets updated Intel and AMD graphics drivers which should fix a number of graphical bugs that have been reported by Endless OS users’.

However, above all, it introduces the Companion App for Android that allows remote access to your PC. This is an application for sharing content, which will soon be in beta with all the instructions for use.

Lastly, other improvements in Endless OS 3.4 include the AdBlock Plus extension for Chromium and Google Chrome web browsers that automatically block unwanted banners, pop-ups, tracking, malware and more which in turn will enhance user experience when browsing the web. Further, Endless OS SDK was upgraded to version 4 with many improvements for those developers who want to write native apps.

Endless OS 3.4 is now available to download from the official website. However, for those who are running Endless OS 3.3.17 or earlier on their PC, will first be upgraded to 3.3.18 and then, after rebooting, the upgrade to 3.4 will become available.

 

The post Endless OS 3.4 Released With Companion App For Android appeared first on TechWorm.

Google will force Android OEMs to push out security patches regularly

Android P, the ninth major version of the widely-used mobile OS, is expected to be released later this year. Google has already announced a slew of security and privacy improvements that will be shipped with it, but David Kleidermacher, head of Android security at the company, has recently shared more welcome news: the company is working to make sure that all Android OEMs are delivering patches regularly to their devices. Android’s update problem Google has … More

The post Google will force Android OEMs to push out security patches regularly appeared first on Help Net Security.

With Steam Link App, Your Smartphone Can Be An Imperfect Gaming Monitor

Ars Technica's Kyle Orland shares his experience with Valve's recently announced Steam Link app, which lets users play games running on a PC via a tablet, mobile phone, or Apple TV on the same network. The app launches today for Android 5.0+ devices; iOS support is "pending further review from Apple." From the report: Valve isn't kidding when it says a Wi-Fi router in the 5Ghz band is required for wireless streaming. I first tested iPad streaming on the low-end 2.4Ghz router provided with my Verizon FiOS subscription (an Actiontec MI424WR), with a wired Ethernet connection to my Windows gaming rig on the other end. The Steam Link network test warned me that "your network may not work well with Steam Link," thanks to 1- to 2-percent frame loss and about 15ms of "network variance," depending on when I tested. Even graphically simple games like The Binding of Isaac ran at an unplayably slowed-down rate on this connection, with frequent dropped inputs to boot. Switching over to a 5GHz tri-band router (The Netgear Nighthawk X6, to be precise), the same network test reported a "fantastic" connection that "look[s] like it will work well with Steam." On this router, remotely played games ran incredibly smoothly at the iPad's full 1080p resolution, with total round-trip display latency ranging anywhere from 50 to 150ms, according to Steam Link's reports (and one-way "input lag" of less than 1ms). At that level of delay, playing felt practically indistinguishable from playing directly on the computer, with no noticeable gameplay impact even on quick-response titles like Cuphead.

Read more of this story at Slashdot.

OnePlus 6 Launched With 6.28-inch Display, Snapdragon 845 CPU, and Headphone Jack

OnePlus has launched their newest flagship smartphone today at an event in London. The OnePlus 6, as it is called, features a 6.28-inch 2280x1080 display with 19:9 aspect ratio and notch, Snapdragon 845 octa-core processor with up to 8GB of RAM, 16- and 20-megapixel rear-facing cameras, 3,330mAh battery, 3.5mm headphone jack, and Android 8.1 Oreo running out of the box with support for Android P coming soon. Strangely, the phone features a glass build construction but no support for wireless charging. OnePlus claims the glass back will be better for transmitting radio waves, but it's likely included in preparation for the OnePlus 6T, which will likely launch several months later and include wireless charging. PhoneDog reports: Around on the back of the OnePlus 6 is a vertically stacked dual rear camera setup that's now in the center of the phone for symmetry. There's a 16MP camera with Sony IMX 519 sensor, f/1.7 aperture, and support for optical image stabilization and electronic image stabilization, as well as a 20MP camera with Sony IMD 376K sensor and f/1.7 aperture. Also included are portrait mode and slow-motion 480fps video capture features. The body of the OnePlus 6 is made of Gorilla Glass 5, which OnePlus says will be better for transmitting radio waves. Rounding out the OP6's spec list is a 16MP front-facing camera, NFC, Bluetooth 5.0, USB-C, an alert slider, and a 3.5mm headphone jack. On the security side of things, there's a rear fingerprint reader and face unlock, and when it comes to wireless capabilities, the OnePlus 6 supports 40 global LTE bands as well as 4x4 MIMO for speeds up to 1Gbps. The OnePlus 6 will be available on May 22 with the following prices: 6GB/64GB: $529; 8GB/128GB: $579; 8GB/256GB: $629.

Read more of this story at Slashdot.

How to decrease the data usage on your phone?

If you are one of the lucky ones who recently switched to a new smartphone, you might have noticed that your cell data usage has increased without any significant changes in your habits. The truth is that the more advanced cellphones get, the more data they require to operate. Newer devices come with improved cameras that capture fantastic quality content that not only take more space on your device but also drains your data when you upload it to social media. The bigger screens and higher resolutions often used in new smartphone models also negatively impact the data usage.

Using too much data could end up being costly too as mobile carriers here in the US do not make your life easier. They want you to use more data, Verizon Wireless even created an app called go90 so they can encourage users to use more data. Even though mobile carriers claim that they offer unlimited data plans, those plans are never genuinely unlimited. In most cases, there is a cutoff limit which varies depending on the wireless carrier of your choice and when you reach it – you get to experience something you wouldn’t wish on your worst enemy – the modern day nightmare of 3G internet speeds.

Whatever the reason – avoiding high bills or slow internet – our suggestions will help you decrease the data usage on your smartphone.

How to decrease the data usage on your smartphone

Perform app updates only when connected to a Wi-Fi network

One of the best ways to decrease your data usage is to make sure that you always download updates for apps when you are connected to a Wi-Fi. On average, people tend to have about 30 apps on their smartphone. App updates are issued more often than we want and quite regularly updates end up more than 100mb.

If every app receives an update once a month, and the update is about 100mb, you will end up using nearly 3GB of data to simply keep your phone running. Go to settings and switch off the app updating when not connected to a Wi-Fi, spare yourself those 3GB for something more refreshing such as watching a few episodes on The Big Bang Theory on your way to work.

Turn Off Wi-Fi Assist or Smart Network Switch

Both iOS’ Wi-Fi Assist and Android’s Smart Network Switch were put in place for people who cannot afford to have a lousy internet connection on their smartphones. However, both have proven to be controversial as sometimes those functions may overuse your cellphone data while you think you are connected to a Wi-Fi network.

Avoid disappointment by switching them off. Unless you need them all the time, the best option would be to keep the functions turned off and take advantage of them only when a stable connection is necessary.

Stop autoplay

This is starting to be one of the biggest reasons for the increase in data consumption. More and more apps are bombarding us with oddly satisfying video content. While apps such as FOX Sports and Comedy are in place to entertain us and autoplay is generally expected there, non-video apps are integrating this feature starting the videos as soon as you scroll over them.

Once the video has begun the chances of you continuing to watch are increasing hand in hand with your chances of getting a data overage on your next monthly cell phone bill. To be on the safe side, go ahead and turn off autoplay on every app.

Terminate all unneeded background processes

Those are the little pieces of software that continuously transmit data to their mothership – you need to find a way to stop them from doing so. And as we all know, sometimes it can be a bit overwhelming to have to dig in settings and terminate processes manually.

This is why there are user-friendly task killers that can do the job for you. With a task killer app, you are only a few clicks away from terminating all these background processes that drain your data usage and battery life.

Most reputable antivirus software solutions include such features in their flagship mobile internet security products.

Download Google Maps

If you’ve been looking for a reason to ditch Waze or Apple Maps, this might be a good one for you. We are getting more and more dependent on our mobile devices, especially on their GPS functions. Sadly, even though GPS usage is not one of the main reasons for generating a significant increase in data usage, it is indeed worth mentioning that Google Maps have the option to use the maps offline.

Open Google Maps, go up in the menu and then hit the offline ‘maps button’ and download the area you need. Make sure you are connected to a Wi-Fi! This is how you can save on GPS data usage, and you will have the much-needed piece of mind that you will be able always to find your way back home when you’ve used all your data, and your carrier has switched you to an unusable 3G connection.

We are confident that you now have what is needed to switch to a lower tier data plan and decrease your monthly cell phone bill, or to avoid reaching the cutoff limit wireless carriers impose on you. Whatever your goal is, make sure your precious connected device is protected with antivirus software – this is the one task you cannot afford to kill.

Download Panda Mobile Security

The post How to decrease the data usage on your phone? appeared first on Panda Security Mediacenter.

US senators demand FTC investigate Google’s GPS data collection

Two US senators from the Democratic Party urged the US Federal Trade Commission to thoroughly investigate Google and the way its Location History collects user data on Android smartphones. Once the application is turned on, it is apparently enabled on all signed-in devices.

Google has been collecting massive amounts of data and tracking user location since 2009. Although Google was asked to comment on this matter and its privacy policies in an official letter in December 2017. Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) were not convinced by the company’s detailed answers so they wrote a letter to Federal Trade Commission (FTC) Chairman Joseph Simons asking him to take a closer look at the company’s practices.

“Google has an intimate understanding of personal lives as they watch their users seek the support of reproductive health services, engage in civic activities or attend places of religious worship,” reads the request.

The two argue that users cannot opt out of the service even though they think they can. Blumenthal and Markey believe Google is taking advantage of consumers’ lack of proper knowledge of how data collection works, which has driven them to making uninformed decisions about what they share.

They “found that the consent process frequently mischaracterizes the service and degrades the functionality of products in order to push users into providing permission.”

In the fall of 2017, Quartz investigated Google and found that, even though the GPS service was disabled, Android would still collect location information from cellular towers and share it with Google, violating user privacy.

Google Makes it Mandatory for OEMs to Roll Out Android Security Updates Regularly

Security of Android devices has been a nightmare since its inception, and the biggest reason being is that users don't receive latest security patch updates regularly. Precisely, it's your device manufacturer (Android OEMs) actually who takes time to roll out security patches for your devices and sometimes, even has been caught lying about security updates, telling customers that their

Mobile Menace Monday: re-emergence of a fake Android AV

Back in early 2013, a new mobile antivirus (AV) company called Armor for Android emerged into the mobile security software industry that had everyone perplexed. It seemed eerily like malware known as a Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who gave it such a label, adding it to a list of malware detections. Shortly after, Armor for Android contacted the security company I worked for at the time and demanded their detection be removed.

As a rebuttal, I wrote a blog to fire back with evidence that there was no way this AV company could be legitimate—despite it being on Google Play. I never published that blog because I was thrown off by something that had me questioning everything: the AV company was tested by a reputable antivirus testing company. Even more off-putting, it landed a high score to receive an official certification! How could a Fake AV be certified by a respectable AV test company?

I left the blog alone and let the subject die. But recently, Armor for Android appears to have made a comeback. Let’s take a look at how they were gaming the system five years ago, and what new tricks they’re up to now.

Cheating the system

Suddenly, Armor for Android was competing with everyone else in the industry after only a couple months. But how? Simple. They were cheating. I remember vividly that the naming conventions they used to detect malware were the same as other well-received anti-malware mobile scanners. To be fair, many in the industry use similar naming conventions. However, the ones used by Android for Armor were EXACTLY the same as other companies. It was obvious they were stealing other company’s detections. But how?

Share, but don’t steal

VirusTotal is a company that everyone in the software security industry uses to share detections with the world. You can simply upload a file, even an Android APK, to virustotal.com and several antivirus/anti-malware scanners will return results. This can aid the typical user in finding out if a file is malicious. In addition, it helps point security researchers in the right direction in determining for themselves if something is malicious. What isn’t allowed is stealing directly from VirusTotal to produce your results. Not only is this against the terms of service, it is a deadly sin among everyone in the security industry.

But that is exactly what Android for Armor does. By using a network analyzer tool and running Android for Armor, you can see traffic to and from VirusTotal. The detailed data reveals that they indeed steal the detections of others. Pretty easy to do well on a test when you’re peeking over the shoulder of the smartest kids in class!

Showing their real intentions

Android for Armor could have stopped there. They had already duped Google Play. In addition, they clearly had the money to pay for an expensive test to receive certification. Instead, they decided to proceed with tactics used by other Fake AV malware. The following evidence is what I found years ago, but regrettably never published.

Back in 2013, I was playing a free game downloaded from Google Play. In exchange for the app being free, I agreed to receive non-aggressive ads, as many of us do. What I saw was a series of different links using scare tactics:

Click to view slideshow.

As a young mobile researcher, I did what all of us would have done and clicked on these links to see down which rabbit holes it would me. The first hop was this one:

Onward down the rabbit hole, I clicked Download & Scan FREE Now, and it started to download a file named Scan-For-Viruses-Now.apk (more on this app in a bit).

After the download, I landed on a known Armor for Android web page that instructs you to allow unknown sources and again to download and install an app.

Very odd for a legitimate AV company to instruct mobile users to download directly from their website rather than pointing them to Google Play.

Double chance of infection

Further analyzing the downloaded app, Scan-For-Viruses-Now.apk, it’s a version of Armor for Android that insists on a payment of $1.99 to scan the device. Check the fine print, because that ends up being $1.99 per week, or $103.48 a year. But hey, they have a certification by an AV testing form, right?

Click to view slideshow.

It appears Scan-For-Viruses-Now.apk downloads just in case you weren’t falling for the last web page asking to allow unknown sources and stating IMPORTANT! You must now INSTALL, OPEN and ACTIVATE. Also, if allowing unknown sources was disabled on your device, it would have been a last chance effort, since Scan-For-Viruses-Now.apk wouldn’t have been able to download and install. In my opinion, none of this looks like the practices of a legitimate AV company.

Re-emergence of a classic

Just a couple of days ago, an APK came into our mobile intelligence system with a different name, but very familiar set of behaviors. It was clearly a repackaged variant of Armor for Android, but this time called Android’s Antivirus.

Click to view slideshow.

Swiftly, we added a detection called PUP.Riskware.Armor.

Warning about Fake AVs

Fake AVs like the one described above have been around for a long time and come in many different forms. Some can be extremely dangerous. For legitimate antivirus/anti-malware programs to do their jobs, special permissions must be given. For instance, Malwarebytes for Android uses device administration as required to remediate nasty ransomware. As a respectable anti-malware company, you have our word that we will never use device administration rights for erasing mobile devices or other nefarious actions.  However, give those same rights to a malicious Fake AV app, and you could be in trouble.

Fake AV or legitimate

Because of the elevated permissions needed, consumers need to take extra caution when choosing a mobile antivirus/anti-malware scanner. Unfortunately, it’s often hard to tell what is a Fake AV versus a legitimate antivirus/anti-malware mobile app—especially when Fake AVs creep into Google Play and take time to create a convincing website. As a consumer, do your research to pick respectable software companies. Does the company have a deep, respectable blog (like this one)?  How long have they been around? When in doubt, you can always rely on Malwarebytes products to keep you safe from the latest threats!

Denial of entry

Although I never published that blog way back when, I did stand my ground to classify Armor for Android as a fake AV. Now, as a researcher at Malwarebytes, I continue to fight against shady fake AV companies in the mobile space. I helped detect Armor for Android as a fake Android AV years ago. I’ll do the same for any other company looking to take advantage of mobile customers. Stay safe out there!

The post Mobile Menace Monday: re-emergence of a fake Android AV appeared first on Malwarebytes Labs.

Smashing Security #076: Spying phones, hacked ski lifts, and World Password Day

Smashing Security #076: Spying phones, hacked ski lifts, and World Password Day

Cheap Android smartphones sold on Amazon have been sending customers’ full text messages to a Chinese server, ski lifts are found to be the latest devices left open to abuse by hackers, and we remind you why password managers are a good idea on World Password Day. Oh, and our guest serenades us with a hit from the 1980s!

All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by broadcaster and journalist David McClelland.

Over 3,300 Android apps may be violating kids’ privacy, study says

Researchers find that a great portion of popular children’s apps may run afoul of US privacy legislation by improperly collecting data – albeit often probably unintentionally. A response from Google to the unflattering findings wasn’t long in coming.

The post Over 3,300 Android apps may be violating kids’ privacy, study says appeared first on WeLiveSecurity

Multisandbox project welcomes Cyber adAPT ApkRecon


Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.  

Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times

The amount we use our apps and the amount of apps we use has shown no signs of slowing. And as the McAfee Labs Threats Report: March 2018 tells us, mobile malware has shown no signs of slowing either. Now, a tricky Android malware dubbbed Andr/HiddnAd-AJ is adding to the plethora of mobile strains out there. The malware managed to sneak onto the Google Play Store disguised as seven different apps – which have collectively been downloaded over 500,000 times.

Slipping onto the Google Play store via six QR reader apps and one smart compass app, the malware manages to sneak past security checks through a combination of unique code and no initial malicious activity. Following installation, Andr/HiddnAd-AJ waits for six hours before it serves up adware. When it does, it floods a user’s screen with full-screen ads, opens ads on web pages, and sends various notifications containing ad-related links, all with the goal of generating click-based revenue for the attackers.

These apps have since been taken down by Google, however, it’s still crucial that Android users are on the lookout for Andr/HiddnAd-AJ malware and other adware schemes like it. Start by following these security tips:

  • Do your homework. Before you download an app, make sure you head to the reviews section of an app store first. Be sure to thoroughly sift through the reviews and read through the comments section; Andr/HiddnAd-AJ may have been avoided if a user read one of the comments and saw that the app was full of unnecessary advertisements. When in doubt, don’t download any app that is remotely questionable.
  • Limit the amount of apps. Only install apps you think you need and will use regularly. And if you no longer use an app, uninstall it. This will help you save memory and reduce your exposure to threats such as Andr/HiddnAd-AJ.
  • Don’t click. This may go without saying, but since this is a click-generated revenue scheme, do whatever you can to avoid clicking pop-ups and unwarranted advertisements. The less you click, the less cybercriminals will profit.
  • Use a mobile security solution. As malware and adware campaigns continue to infect mobile applications, make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times appeared first on McAfee Blogs.

McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards®

On February 28th, Info Security Products Guide Global Excellence Awards presented their 2018 award winners. We are humbled to have received two golds in the Product or Service Excellence of the Year — Security Information and Website & Web Application Security for McAfee Safe Connect.

Product Overview:

McAfee Safe Connect is a VPN (Virtual Private Network) that helps users create secure online connections while using the internet.  Doing so helps our customers minimize their individual security risks and helps keep their data private – especially when connecting to a public or open Wi-Fi network. Unlike home Wi-Fi, many public Wi-Fi networks (commonly offered at cafés, airports and hotels) aren’t password-protected and don’t encrypt the user data being transmitted through. Therefore, when you connect to a hotspot, your online activities from your social media activity to your online purchase history and even your bank account credentials may be wide open to hackers. With McAfee Safe Connect, you can rest assured that your information and online activities are encrypted.

McAfee has a proven record of providing security for consumers in the digital age. To address growing concerns over Wi-Fi security, we created an award-winning VPN that would keep users’ personal information secure from online threats and unsecure networks.

McAfee Safe Connect has over 1 million downloads across Google Play and the App Store with an impressive 4.3-star rating. It is available in over 20 languages to users worldwide.

Tech behemoth Samsung also chose McAfee Safe Connect VPN for their Galaxy Note 8 – Secure Wi-Fi feature and expanded collaboration with its newly announced Galaxy S9 Smartphones.

About Info Security PG’s Global Excellence Awards

Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping individuals informed of the choices they can make when it comes to protecting their digital resources and assets. The guide is written expressly for those who wish to stay informed about recent security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow’s technology today, best deployment scenarios, people and technologies shaping cyber security and industry predictions & directions that facilitate in making the most pertinent security decisions. Visit www.infosecurityproductsguide.com for the complete list of winners.

We are proud of recognition given to McAfee Safe Connect, which aims to safeguard every Internet user’s online privacy. Please check out our award-winning Wi-Fi Privacy VPN product: McAfee Safe Connect.

Interested in learning more about McAfee Safe Connect and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards® appeared first on McAfee Blogs.

RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone

China is a region that has been targeted with mobile malware for over a decade, as malware authors there are continually looking at different tactics to lure victims. One of the most innovative tactics that we have come across in the past several years is to get victims to buy discounted devices from sellers that have compromised a smartphone. And now, one of these campaigns, Android.MobilePay (aka dubbed RottenSys) is making headlines, though McAfee has been aware of it for over two years. The tactic used by the author(s)/distributors is straightforward; they install fake apps on a device that pretend to provide a critical function, but often don’t get used.

RottenSys is stealthy. It doesn’t provide any secure Wi-Fi related service but is rather an advanced strain of malware that swoops almost all sensitive Android permissions to enable its malicious activities. In order to avoid detection, RottenSys doesn’t come with an initial malicious component and or immediately initiate malicious activity. The strain has rather been designed to communicate with its command-and-control servers to obtain the actual malicious code in order to execute it and following which installs the malicious code onto the device.

Given it installs any new malicious components from its C&C server, RottenSys can be used to weaponize or take full control over millions of infected devices. In fact, it already seems that the hackers behind RottenSys have already started turning infected devices into a massive botnet network.

This attack acts as an indication of change, as over the past two years the mechanism of fraud has adapted. In the past, scams such as this typically have used premium SMS scams to generate revenue, which reach out to a premium number and make small charges that go unnoticed over the course of an extensive period. As described in detail in our Mobile Threat Report: March 2018, we have seen traditional attack vectors, such as premium text messages and toll fraud replaced by botnet ad fraud, pay-per-download distribution scams, and crypto mining malware that can generate millions in revenue.

Long story short – it’s important to still take precautionary steps to avoid future infection from this type of malware scheme. The good news is, you can easily check if your device is being infected with RottenSys. Go to Android system settings→ App Manager, and then look for the following possible malware package names:

  • android.yellowcalendarz
  • changmi.launcher
  • android.services.securewifi
  • system.service.zdsgt

Beyond that, you can protect your device by following these tips:

  • Buy with security in mind. When looking to purchase your next mobile device, make sure to do a factory reset as soon as you turn it on for the first time.
  • Delete any unnecessary apps. Most mobile providers allow users to delete pre-installed apps. So, if there’s a pre-installed app you don’t use, or seems unknown to you, go ahead and remove it from your device entirely.
  • Always scan your device, even if it’s new. One of the first applications you should load onto a new device is an anti-malware scanner, like McAfee Mobile Security. It can detect and alert users to malicious behavior on their devices. In this case, if a malware variant is detected, new users can see if they can return their infected devices in exchange for a clean one.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone appeared first on McAfee Blogs.

Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto-mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it’s no surprise that cybercriminals across the globe are leveraging malicious code to obtain it. Hackers would rather develop or utilize mining malware instead of paying the expensive price tag associated with mining machines, which can be upwards of $5000. In China, the ADB Miner malware is spreading and targeting thousands of Android devices for the primary purpose of mining cryptocurrency. The malware is spread through the publicly accessible Android Debug Bridge (abd) on an opened port 5555. This port is typically closed but can be opened by an ADB debug tool. Once infected, a device will look for other devices with the same vulnerability to spread the malware and leverage other Android-based smartphones, tablets, and televisions for crypto-mining.

So why are cybercriminals now targeting Android mobile devices? This could be due to the fact that hackers know they can easily manipulate vulnerabilities in Google Play’s app vetting system. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. Currently, the app store does not have consistent or centralized reporting available for app purchasers. Even if an app is supported by Google Play at the time of download, it could later be identified as malicious and Android users may be unaware of the fact that they’re harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores including Apple and Google Play. Google Play was found to have the highest amount of malicious crypto apps, with 272 available for download. In the United States, researchers have found another crypto-mining malware that is so demanding of phone processors, its causing them to implode. Loapi, a newly-discovered Trojan crypto-miner, can cause phone batteries to swell up and burst open the device’s back cover, and has been found in up to 20 mobile apps.

Crypto-mining malware isn’t a new phenomenon. Before the WannaCry attacks last summer, cryptocurrency malware sprung up as another malicious software looking to take advantage of the same Windows vulnerabilities that WannaCry exploited. But, instead of locking down systems with ransomware, these cybercriminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Here are a few tips to ensure your Android-devices are protected from crypto-mining malware:

  • Download your apps from a legitimate source. While some malicious apps may slip through the cracks, app stores like Google Play do have security measures in place to protect users, and it’s much safer than downloading from an unknown source.
  • Delete any apps that you haven’t used over the past 6-months. An app’s security can change over time; applications that were once supported by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer supported in the app store, you should delete it immediately.
  • Keep all of your software up to date. Many of the more harmful malware attacks we’ve seen, like the Equifax data breach, take advantage of software vulnerabilities in common applications, such as operating systems and browsers. Having the latest software and application versions ensures that any known bugs or exploits are patched, and is one of the best defenses against viruses and malware.
  • Double up on your mobile security software. I can’t stress enough how important is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

 

The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.

From Chrysaor to Lipizzan: Blocking a new targeted spyware family



Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We’ve enhanced Google Play Protect’s capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)


The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.



Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

The apps changed from ‘backup’ apps to looking like a “cleaner”, “notepad”, “sound recorder”, and “alarm manager” app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?




  • Ensure you are opted into Google Play Protect
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep “unknown sources” disabled while not using it.
  • Keep your phone patched to the latest Android security update.


List of samples

1st stage



Newer version 


Standalone 2nd stage



Which operating system is the most secure? Four points to remember.

No, you are almost certainly wrong if you tried to guess. A recent study shows that products from Apple actually are at the top when counting vulnerabilities, and that means at the bottom security-wise. Just counting vulnerabilities is not a very scientific way to measure security, and there is a debate over how to interpret the figures. But this is anyway a welcome eye-opener that helps kill old myths.

Apple did for a long time stubbornly deny security problems and their marketing succeeded in building an image of security. Meanwhile Windows was the biggest and most malware-targeted system. Microsoft rolled up the sleeves and fought at the frontline against viruses and vulnerabilities. Their reputation suffered but Microsoft gradually improved in security and built an efficient process for patching security holes. Microsoft had what is most important in security, the right attitude. Apple didn’t and the recent vulnerability study shows the result.

Here’s four points for people who want to select a secure operating system.

  • Forget reputation when thinking security. Windows used to be bad and nobody really cared to attack Apple’s computers before they became popular. The old belief that Windows is unsafe and Apple is safe is just a myth nowadays.
  • There is malware on almost all commonly used platforms. Windows Phone is the only exception with practically zero risk. Windows and Android are the most common systems and malware authors are targeting them most. So the need for an anti-malware product is naturally bigger on these systems. But the so called antivirus products of today are actually broad security suites. They protect against spam and harmful web sites too, just to mention some examples. So changes are that you want a security product anyway even if your system isn’t one of the main malware targets.
  • So which system is most secure? It’s the one that is patched regularly. All the major systems, Windows, OS X and Linux have sufficient security for a normal private user. But they will also all become unsafe if the security updates are neglected. So security is not really a selection criteria for ordinary people.
  • Mobile devices, phones and tablets, generally have a more modern systems architecture and a safer software distribution process. Do you have to use a desktop or laptop, or can you switch to a tablet? Dumping the big old-school devices is a way to improve security. Could it work for you?

So all this really boils down to the fact that you can select any operating system you like and still be reasonable safe. There are some differences though, but it is more about old-school versus new-school devices. Not about Apple versus Microsoft versus Linux. Also remember that your own behavior affects security more than your choice of device, and that you never are 100% safe no matter what you do.

 

Safe surfing,
Micke

 

Added February 27th. Yes, this controversy study has indeed stirred a heated debate, which isn’t surprising at all. Here’s an article defending Apple. It has flaws and represent a very limited view on security, but one of its important points still stands. If someone still thinks Apple is immortal and invincible, it’s time to wake up. And naturally that this whole debate is totally meaningless for ordinary users. Just keep patching what you have and you will be fine. 🙂 Thanks to Jussi (and others) for feedback.

 

The Service You Can’t Refuse: A Secluded HijackRAT

In Android world, sometimes you can’t stop malware from “serving” you, especially when the “service” is actually a malicious Android class running in the background and controlled by a remote access tool (RAT). Recently, FireEye mobile security researchers have discovered such a malware that pretends to be a “Google Service Framework” and kills an anti-virus application as well as takes other malicious actions.

In the past, we’ve seen Android malware that execute privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app. In addition, we found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal. We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognized by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work.

Although the IP addresses we have captured don’t reveal who the attacker is, as the computer of the IP might be a victim as well, we have found from the UI that both the malware developer and the victims are Korean speakers.

[caption id="attachment_5810" align="alignnone" width="545"]Fig. 1. The structure of the HijackRAT malware. Fig. 1. The structure of the HijackRAT malware.[/caption]

The package name of this new RAT malware is “com.ll” and appears as “Google Service Framework” with the default Android icon. Android users can’t remove the app unless they deactivate its administrative privileges in “Settings.” So far, the Virus Total score of the sample is only five positive detections out of 54 AV vendors [1]. Such new malware is published quickly partly because the CNC server, which the hacker uses, changes so rapidly.

[caption id="attachment_5812" align="alignnone" width="548"] Fig. 2. The Virus Total detection of the malware sample. [1][/caption] 

[caption id="attachment_5813" align="alignnone" width="549"] Fig. 3. The fake “Google Service Framework” icon in home screen.[/caption]

A few seconds after the malicious app is installed, the “Google Services” icon appears on the home screen. When the icon is clicked, the app asks for administrative privilege. Once activated, the uninstallation option is disabled and a new service named “GS” is started as shown below. The icon will show "App isn't installed." when the user tries to click it again and removes itself from the home screen.

[caption id="attachment_5815" align="alignnone" width="548"]Fig. 4. The background service of the malware. Fig. 4. The background service of the malware.[/caption]

The malware has plenty of malicious actions, which the RAT can command, as shown below.

8commands

Within a few minutes, the app connects with the CNC server and begins to receive a task list from it:

get

The content is encoded by Base64 RFC 2045. It is a JSONObject with content: {"task": {"0": 0}}, when decoded. The server IP, 103.228.65.101, is located in Hong Kong. We cannot tell if it’s the hacker’s IP or a victim IP controlled by the RAT, but the URL is named after the device ID and the UUID generated by the CNC server.

The code below shows how the URL of the HTTP GET request is constructed:

code-get

- "UPLOAD PRIVACY DETAILS"

The task list shown above will trigger the first malicious action of “Upload Phone Detail.” When executed, the user’s private information will be uploaded to the server using HTTP POST request. The information contains phone number, device ID, and contact lists as shown below in the network packet of the request:

post

When decoded, the content in the red and blue part of the PCap are shown below respectively:

1. The red part:

post-pcap-decrypt1

2. The blue part:

post-pcap-decrypt2

The contact list shown above is already highly sensitive, yet, if the user has installed some banking applications, the malware will scan for them too.

In a testing device, we installed the eight Korean bank apps as shown below:

[caption id="attachment_5822" align="alignnone" width="274"]Fig. 5. The eight banking apps. Fig. 5. The eight banking apps.[/caption]

When this was done,  we found the value of “banklist” in the PCap is no longer listed as N/A anymore:

8banks-pcap

The “banklist” entry in the PCap is filled with the short names of the banks that we installed. There is a map of the short names and package names of the eight banking apps installed on the phone:

table

The map of the banks is stored in a database and used in another malicious action controlled by the CNC server too.

- "POP WINDOW"

In this malicious action, the CNC server sends a command to replace the existing bank apps. The eight banking apps require the installation of “com.ahnlab.v3mobileplus,” which is a popular anti-virus application available on Google Play. In order evade any detections, the malware kills the anti-virus application before manipulating the bank apps. In the code as shown below, Conf.LV is the “com.ahnlab.v3mobileplus” being killed.

killav

Then, the malware app parses the banking apps that the user has installed on the Android device and stores them in the database under /data/data/com.ll/database/simple_pref. The red block below shows the bank list stored in the database:

db8banks

Once the corresponding command is sent from the RAT, the resolvePopWindow() method will be called and the device will pop a Window with the message: “The new version has been released. Please use after reinstallation.”

code-popwindow

The malware will then try to download an app, named after “update” and the bank’s short name from the CNC server, simultaneously uninstalling the real, original bank app.

code-install

In the code shown above, “mpath” contains the CNC server IP (103.228.65.101) and path (determined by the RAT); “mbkname” is the bank name retrieved from the SQL lite database. The fake APK (e.g. "updateBH.apk") is downloaded from the CNC server, however we don’t know what the fake apps look like because during the research the command for this malicious action was not executed from the RAT. Yet the source of the “update*.apk” is definitely not certified by the banks and might be harmful to the Android user.

- "UPDATE"

When the command to “update” is sent from the RAT, a similar app – “update.apk” is downloaded from the CNC server and installed in the Android phone:

code-update

- "UPLOAD SMS"

When the command to upload SMS is received from the RAT, the SMS of the Android phone will be uploaded to the CNC server. The SMS has been stored in the database once received:

code-uploadsms

code-savesms

Then the SMS is read from the database and uploaded to the CNC server once the command is received:

code-uploadsmscnc

- "SEND SMS"

Similarly, when the sending SMS command is received, the contact list is sent through SMS.

code-sendsms

- "BANK HIJACK"

Interesting enough, we found a partially finished method called “Bank Hijack.” The code below partially shows how the BankHijack method works. The malware reads the short bank name, e.g. “NH”, and then keeps installing the updateNH.apk from the CNC server until it’s of the newest version.

code-hijack

So far the part after the installation of the fake app is not finished yet. We believe the hacker is having some problems finishing the function temporarily.

code-hijack-half

As shown above, the hacker has designed and prepared for the framework of a more malicious command from the CNC server once the hijack methods are finished. Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon.

REFERENCE

__________________________________________________

[1] https://www.virustotal.com/intelligence

 

 

 

 

If an Android Has a Heart, Does It Bleed?

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Currently there are about 17 antivirus apps on Google Play branded as “Heartbleed detectors”. Six of them scan the OpenSSL library belonging to the Android platform for vulnerabilities. Unfortunately, this method isn’t sufficient for detecting the Heartbleed vulnerability on Android. Except in limited Android versions (mainly 4.1.0-4.1.1), the majority of Android platforms are not vulnerable, as most versions use OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeats messages to the app to steal sensitive memory contents.

We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.

During our investigation of the office apps that contains a vulnerable version of OpenSSL, we were surprised that they were not vulnerable to the Heartbleed attack. How could it be? A deeper look shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app. The linkage mistake is common for Android applications built with native code. As such, the side-effect of this mistake helps reduce the apps’ overall risk profile.

Of the 17 Heartbleed detector apps on Google play, only 6 detectors check installed apps on the device for Heartbleed vulnerability. And of those 6, 2 report all apps installed as “Safe,” including those we confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t scan the OpenSSL version correctly. Only 2 of them did a decent check on Heartbleed vulnerability of apps. Although they conservatively labeled some non-vulnerable apps as vulnerable, we agree it is a viable report which highlights both the vulnerabilities and the linkage mistakes. We’ve also seen several fake Heartbleed detectors among the 17 apps, which only serve as adware and don’t perform real detections or display detection results to users.

On April 10th, we scanned more than 54K Google Play apps (each with over 100K downloads) and found that there were at least 220 million downloads affected by the Heartbleed vulnerability. We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products. Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes. The total number of vulnerable apps download has since decreased to 150 million on April 17th.

[1] Vulnerability Summary for CVE-2014-0160

Occupy Your Icons Silently on Android

FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.

Normal vs. Dangerous Permissions: A Background

Android Open Source Project (AOSP) classifies Android permissions into several protection levels: “normal”, “dangerous”, “system”, “signature” and “development” [1][2][3].

Dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities”. In contrast, normal permissions are automatically granted at installation,  “without asking for the user's explicit approval (though the user always has the option to review these permissions before installing)” [1].

On the latest Android 4.4.2 system, if an app requests both dangerous permissions and normal permissions, Android only displays the dangerous permissions, as shown in Figure 1. If an app requests only normal permissions, Android doesn’t display them to the user, as shown in Figure 2.

Figure 1. An Android app asks for one dangerous permission (INTERNET) and some normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS). Android doesn’t notify the user about the normal permissions.

Figure 2. An Android app asks for normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS) only. Android doesn’t show any permission to the user.

Normal Permissions Can Be Dangerous

We have found that certain “normal” permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legit Android home screen icons with fake ones that point to phishing apps or websites.

The ability to manipulate Android home screen icons, when abused, can help an attacker deceive the user. There’s no surprise that the com.android.launcher.permission.INSTALL_SHORTCUT permission, which allows an app to create icons, was recategorized from “normal” to “dangerous” ever since Android 4.2. Though this is an important security improvement, an attacker can still manipulate Android home screen icons using two normal permissions: com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS. These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including the icon insertion or modification. Unfortunately, these two permissions have been labeled as “normal” since Android 1.x.

As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)

Lastly, this vulnerability is not limited to Android devices running AOSP. We have also examined devices that use non-AOSP Launchers, including Nexus 7 with CyanogenMod 4.4.2, Samsung Galaxy S4 with Android 4.3 and HTC One with Android 4.4.2. All of them have the protection levels of com.android.launcher.permission.READ_SETTINGS and WRITE_SETTINGS as “normal”.

Google acknowledged this vulnerability and has released the patch to its OEM partners. Many android vendors were slow to adapt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users.

References:

  1. http://developer.android.com/guide/topics/manifest/permission-element.html

  2. https://android.googlesource.com/platform/frameworks/base/+/master/core/res/AndroidManifest.xml

  3. https://android.googlesource.com/platform/packages/apps/Launcher2/+/master/AndroidManifest.xml