Category Archives: Mobile

A new text bomb threatens Apple devices, a single character can crash any apple iPhone, iPad Or Mac

Researchers discovered a new dangerous text bomb that crashes Apple devices, only a single character of the Indian Telugu language could create the chaos.

A new ‘text bomb’ threatens Apple devices, just a single character of the Indian alphabet (precisely the
Telugu language, a Dravidian language spoken in India by about 70 million people) can crash your device and block access to the Messaging app in iOS, including WhatsApp, Facebook Messenger, Outlook for iOS, Gmail, Safari and Messages for the macOS versions.

The issue seems not affect the beta versions of iOS 11.3 and Telegram and Skype applications.

First spotted by Italian Blog Mobile World, the text bomb affects a wide range of Apple devices, including iPads, Macs and even Watch OS devices running the latest versions of OS.

apple text bomb

The news of the bug was first reported on the Italian Blog Mobile World, the issue can be it can be easily exploited by anyone just by sending a message containing the Telugu character to the recipient.

Once the recipient receives the message or typed the Telugu symbol into the text editor, its Apple device will crash.

To fix the issue on the device that is crashing after received the text bomb is possible to send a message to the app that is crashing.

According to the bug report published on OpenRadar:

“When iOS, MacOS, watchOS try to render Indian symbol ‘‘ all of it has crashed Steps to Reproduce: Try to insert ‘‘ this symbol in any system text renderer like TextField, Label, TextView it always has crashed.”

“The issue was reported to Apple a few days ago, the tech giant will likely fix the issue in the iOS update before the release of iOS 11.3 that is planned for the next spring.”

Pierluigi Paganini

(Security Affairs – text bomb, Telugu language)

The post A new text bomb threatens Apple devices, a single character can crash any apple iPhone, iPad Or Mac appeared first on Security Affairs.

Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities

Android Security Bulletin for February 2018 – Google has fixed tens of vulnerabilities for Android OS, including several critical remote code execution (RCE) flaws.

The Android Security Bulletin for February 2018 addresses 26 vulnerabilities in the mobile operating system, most of which are elevation of privilege flaws.

The 2018-02-01 security patch level fixed 7 vulnerabilities, 6 in Media Framework and one issue affecting the System component.

The tech giant has fixed two critical RCE vulnerabilities in Media Framework. The first issue is the CVE-2017-13228 that affects Android 6.0 and newer, the second one, tracked as CVE-2017-13230, impacts Android 5.1.1 and later.

Android Security Bulletin

Google also fixed other vulnerabilities in Media Framework, including an information disclosure vulnerability, an elevation of privilege bug, and several denial-of-service flaws.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” states the advisory.

The most severe of these vulnerabilities is tracked as CVE-2017-13236, it is a System issue that could be exploited by an attacker to achieve remote code execution in the context of a privileged process. The attacker can trigger the flaw via email, web browsing, and MMS when processing media files.

The 2018-02-05 security patch level includes fixes for 19 vulnerabilities in HTC, Kernel, NVIDIA, Qualcomm, and Qualcomm closed-source components.

The most severe flaws included in the 2018-02-05 security patch level are two remote code execution vulnerabilities in Qualcomm components tracked as CVE-2017-15817 and CVE-2017-17760.

Google also released the Pixel / Nexus Security Bulletin that addresses 29 vulnerabilities in Google devices.

“The Pixel / Nexus Security Bulletin contains details of security vulnerabilities and functional improvements affecting supported Google Pixel and Nexus devices (Google devices). For Google devices, security patch levels of 2018-02-05 or later address all issues in this bulletin and all issues in the February 2018 Android Security Bulletin.” states Google.

“All supported Google devices will receive an update to the 2018-02-05 patch level. We encourage all customers to accept these updates to their devices.”

Pierluigi Paganini

(Security Affairs – Google, Android)

The post Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities appeared first on Security Affairs.

Top 10 Mobile App Security Best Practices for Developers

App security isn’t a feature or a benefit. It is a bare necessity. One breach could cost your company not just millions of dollars but a lifetime of trust. That is why security should be a priority from the moment you start writing the first line of code. While you were busy developing the most […]… Read More

The post Top 10 Mobile App Security Best Practices for Developers appeared first on The State of Security.

Security Affairs: A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.



Security Affairs

A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.

Kotlin-based malicious apps penetrate Google market

An open-source programming language, Kotlin is a fully-supported official programming language for Android. Google boasts that Kotlin contains safety features in order to make apps “healthy by default.” Many apps are already built with Kotlin, from the hottest startups to Fortune 500 companies. (Twitter, Uber, Pinterest)

Concise while being expressive, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, as revealed by Trend Micro researchers, the first samples of Android malware created using Kotlin were found on Google Play. Introducing: Swift Cleaner, a utility tool built with Kotlin that claims to clean and optimize Android devices.

This malicious app is capable of remote command execution, can steal personal information, carry out click fraud, and sign users up to premium SMS subscription services without their permission. So much for safe.

Analyze this

Subsequently, after launching Swift Cleaner, the first thing the malware does is call PspManager.initSDK, check the phone number, and send an SMS message to the particular number that is given by the C&C server. The app initiates this to check for a SIM card presence and if mobile carrier services are available.

Upon server interaction, the malicious part of the app launches URL forwarding and click fraud activities. Click fraud is an illegal practice that occurs when individuals click on a website’s advertisements (either banner ads or paid text links) to increase the payable number of clicks to the advertiser. In our case, the app clicks on a URL, which leads you to a survey. At the end of the survey, you are given an opportunity to get some free services if you click on the claim link. By clicking the button, you will then be redirected to another possibly malicious website.

Meanwhile, Swift Cleaner collects personal information from the infected mobile device, such as the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and information about the SIM card. The stolen information is then encrypted and sent to the remote Command and Control (C&C) server.

There are services that run in the background in order to communicate with a C&C server. Swift Cleaner compromises one of these services: the Wireless Application Protocol (WAP). WAP is a technical standard for accessing information over a mobile wireless network.

The app is using WAP in conjunction with JavaScript in order to bolt on CAPTCHA bypass functionality, using mobile data and analyzing the image base64 code. CAPTCHA images are parsed and cracked, and the image data will later be uploaded to the C&C server. This data is needed to train the neural network. Later on, all the image samples will be useful for finding the best match for each character of the new upcoming CAPTCHA.

Premium SMS service

The Swift Cleaner malware also uploads information about the user’s service provider along with login information and similar sensitive data to the C&C server. This can automatically sign users up for a premium SMS service, which will cost money.

Premium rate SMS is a way of mobile billing where user pays for a premium service by either receiving or sending a message. There are two ways this billing service works:

  1. Mobile Originated (MO): where the mobile user pays to send a message (used for once-off services, such as competitions)
  2. Mobile Terminated (MT): where the mobile user pays to receive a message (used for subscription services)

Our example app uses the premium SMS MO service, and redirects users to webpages where they can select to send a message.

Neverending story

As of now, Google has removed the fake Swift Cleaner apps carrying this new malware from the Play Store. However, even if Google states that their protection is on a high level, there appears to be no fail-proof way to stop malware from entering the Play store. By using a quality mobile anti-malware scanner as second layer of protection, you can stay safe even when Google Play Protect fails. We (as always) recommend Malwarebytes for Android. Stay safe out there!

The post Kotlin-based malicious apps penetrate Google market appeared first on Malwarebytes Labs.

TrendLabs Security Intelligence Blog: New AndroRAT Exploits Dated Permanent Rooting Vulnerability, Allows Privilege Escalation

by Veo Zhang, Jason Gu, and Seven Shen

Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture. This AndroRAT targets CVE-2015-1805, a publicly disclosed vulnerability in 2016 that allows attackers to penetrate a number of older Android devices to perform its privilege escalation.

RATs have long been a common Windows threat, so it shouldn’t be a surprise that it has come to Android. A RAT has to gain root access — usually by exploiting a vulnerability — in order to have control over a system. Discovered in 2012, the original authors intended AndroRAT — initially a university project — as an open-source client/server application that can provide remote control of an Android system, which naturally attracted cybercriminals.

Figure 1. Code snippet of the malware executing the exploit

Figure 1. Code snippet of the malware executing the exploit

This new variant of AndroRAT disguises itself as a malicious utility app called TrashCleaner, which is presumably downloaded from a malicious URL. The first time TrashCleaner runs, it prompts the Android device to install a Chinese-labeled calculator app that resembles a pre-installed system calculator. Simultaneously, the TrashCleaner icon will disappear from the device’s UI and the RAT is activated in the background.

Figure 2. Icon of the malicious TrashCleaner

Figure 2. Icon of the malicious TrashCleaner

Figure 3. Icon of the Chinese-labeled calculator app

Figure 3. Icon of the Chinese-labeled calculator app

The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:

  • Record audio
  • Take photos using the device camera
  • Theft of system information such as phone model, number, IMEI, etc.
  • Theft of WiFi names connected to the device
  • Theft of call logs including incoming and outgoing calls
  • Theft of mobile network cell location
  • Theft of GPS location
  • Theft of contacts list
  • Theft of files on the device
  • Theft of list of running apps
  • Theft of SMS from device inbox
  • Monitor incoming and outgoing SMS

Apart from the original features of the AndroRAT, it also performs new privileged actions:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Targeting CVE-2015-1805

Google already patched CVE-2015-1805 in March 2016, but devices that no longer receive patches or those with a long rollout period are at risk of being compromised by this new AndroRAT variant.  Older versions of Android, which are still being used by a significant number of mobile users, may still be vulnerable.

Countermeasures

Users should refrain from downloading apps from third-party app stores to avoid being targeted by threats like AndroRAT. Downloading only from legitimate app stores can go a long way when it comes to device security. Regularly updating your device’s operating system and apps also reduce the risk of being affected by exploits for new vulnerabilities.

[Read: Secure your mobile device through these easy steps]

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects/blocks malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. The service protects users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

We disclosed our findings to Google and worked with them on further analyzing the apps that carried the new AndroRAT variant. Google said that the abovementioned apps were never on Google Play, and that they already incorporated detection for CVE-2015-1805 into their compatibility tests. Ideally, any device launched or updated after April 2016 will not be vulnerable.

Indicators of Compromise (IoCs)

SHA256 App Label Package Name
2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f TrashCleaner com.cleaner.trashcleaner
fde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced TrashCleaner com.cleaner.trashcleaner
2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7 TrashCleaner com.cleaner.trashcleaner
909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e TrashCleaner com.cleaner.trashcleaner

 

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New AndroRAT Exploits Dated Permanent Rooting Vulnerability, Allows Privilege Escalation



TrendLabs Security Intelligence Blog

CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family

Researchers from CSE ZLAB malware Analysis Laboratory analyzed a set of samples of the Pallas malware family used by the Dark Caracal APT in its hacking operations.

The malware researchers from ZLab analyzed a collection of samples related to a new APT tracked as Dark Caracal, which was discovered by Electronic Frontier Foundation in collaboration with Lookout Mobile Security.

Dark Caracal has been active at least since 2012, but only recently it was identified as a powerful threat actor in the cyber arena.

The first analysis of the APT linked it to Lebanese General Directorate of General Security.

Dark Caracal is behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

One of their most powerful campaigns started in the first months of last year, using a series of trojanized Android applications to steal sensitive data from the victim’s mobile device. The trojan injected in these applications is known in the threat landscape with the name Pallas.

Threat actors use the “repackaging” technique to generate its samples, they start from a legitimate application and inject the malicious code before rebuilding the apk.

The target applications belongs to specific categories, such as social chat app (Whatsapp, Telegram, Primo), secure chat app (Signal, Threema), or software related to secure navigation (Orbot, Psiphon).

The attackers used social engineering techniques to trick victims into installing the malware. Attackers use SMS, a Facebook message or a Facebook post, which invites the victim to download a new version of the popular app through from a specific URL

http://secureandroid[.]info,

All the trojanized app are hosted at the same URL.

Dark Caracal

Figure 1 – Dark Caracal Repository – Malicious site

This malware is able to collect a large amount of data and to send it to a C&C through an encrypted URL that is decrypted at runtime. The capabilities of the trojan are:

  • Read SMS
  • Send SMS
  • Record calls
  • Read calls log
  • Retrieve account and contacts information
  • Gather all stored media and send them to C2C
  • Download and install other malicious software
  • Display a phishing window in order to try to steal credentials
  • Retrieve the list of all devices connected to the same network

Further details are included in the complete report published by CSE.

You can download the full ZLAB Malware Analysis Report at the following URL:

20180212_CSE_DARK_CARACAL_Pallas_Report.pdf

Pierluigi Paganini

(Security Affairs – Dark Caracal, Pallas malware)

The post CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family appeared first on Security Affairs.

EFF Seeks Right to Jailbreak Alexa, Voice Assistants

The Electronic Frontier Foundation (EFF) is asking the Library of Congress to give owners of voice assistant devices like Amazon’s Echo, Google Home and other voice assistants the right to “jailbreak” the devices: freeing them from content control features designed to prevent users from running unauthorized code on those...

Read the whole entry... »

Related Stories

The source code of the Apple iOS iBoot Bootloader leaked online

The source code for Apple iOS iBoot secure bootloader has been leaked to GitHub, now we will try to understand why this component is so important for the iOS architecture.

The iBoot is the component loaded in the early stages of the boot sequence and it is tasked with loading the kernel, it is stored in a boot ROM chip.

“This is the first step in the chain of trust where each step ensures that the next is signed by Apple.” states Apple describing the iBoot.

The leaked code is related to iOS 9, but experts believe it could still present in the latest iOS 11.

Apple promptly reacted to the data leak asking to remove the content for a violation of the Digital Millennium Copyright Act (DMCA).

“This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.” reads the notice on the GitHub repository.

“Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source.”

iBoot dala leak

The data leak is considered very dangerous because hackers and security experts can analyze the code searching for security vulnerabilities that could be triggered to compromise the iBoot.

Even is the code cannot be modified, the exploit of a flaw could allow loading other components compromising the overall security of the architecture.

The boot sequence is:

Bootrom → Low Level Bootloader → iBoot → Device tree → Kernel.

The Jailbreak consists of compromising one of the above phases, typically the kernel one.

Newer iPhones have an ARM-based coprocessor that enhances iOS security, so-called Secure Enclave Processor, it makes impossible the access to the code to conduct reverse engineering of the code.

But now the iBoot code has been leaked online and experts can analyze it.

The jailbreak could allow removing security restrictions making it possible to install third-party software and packages, also code that is not authorized by Apple and therefore not signed by the IT giant.

Compromising the iBoot could theoretically allow loading any malicious code in the boot phase or a tainted kernel.

Apple tried to downplay the issue saying that it implements a layered model of security

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protection,” reads a statement issued by Apple.

Pierluigi Paganini

(Security Affairs – iBoot, Apple)

The post The source code of the Apple iOS iBoot Bootloader leaked online appeared first on Security Affairs.

Smartphone Users Tracked Even with GPS, WiFi Turned Off

A team of researchers from Princeton has demonstrated that they can track the location of smartphone users even when location services like GPS and WiFi are turned off. The recent military security breach involving the Strava mobile fitness app proved the persistent vulnerabilities of location-based services on mobile devices. However, turning off...

Read the whole entry... »

Related Stories

Security Affairs: Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.

Researchers from Princeton University have developed an app called PinME to locate and track smartphone without using GPS.

The research team led by Prateek Mittal, assistant professor in Princeton’s Department of Electrical Engineering and PinMe paper co-author developed the PinMe application that mines information stored on smartphones that don’t require permissions for access.

The data is processed alongside with public available maps and weather reports resulting on information if a person is traveling by foot, car, train or airplane and their travel route. The applications for intelligence and law enforcement agencies to solve crimes like kidnapping, missing people and terrorism are very significant.

As the researchers notice, the application utilizes a series of algorithms to locate and track someone using information like the phone IP address and time zone combined with data from its sensors. The phone sensors collect compass details from the gyroscope, air pressure reading from barometer and accelerometer data while remaining undetected from the user. The resulting data processed can be used to extract contextual information about users’ habits, regular activities, and even relationships.

This technology as many others have two sides: Help solving crimes at large, and implications on privacy and security of the users.  The researchers hope to be fomenting the development of security measures to switch off sensor data by revealing this sensor security flaw. Nowadays such sensor data is collected by fitness and game applications to track people movement.

Another key point where the application can be a game changer is an alternative navigation tool, as highlighted by the researchers. Gps signals used in autonomous cars and ships can be the target of hackers putting the safety of the passengers in danger. The researchers conducted their experiment using Galaxy S4 i9500, iPhone 6 and iPhone 6S. To determine the last Wi-Fi connection, the PinMe application read the latest IP address used and the network status.

pinme

To determine how a user is traveling, the application utilizes a machine learning algorithm that recognizes the different patterns of walking, driving and flying by gathering data from the phones sensor like speed, direction of travel, delay between movement and altitude.

Once determined the pattern of activity of a user, the application then executes one of four additional algorithms to determine the type transportation. By comparing the phone data against public information the route of the user is determined. Maps from Google and the U.S. Geological Survey were used to determine the altitude details of every point on Earth. Details regarding temperature, humidity, and air pressure reports were also used to determine the use of trains or planes.

The researchers wanted also to raise the question about privacy and data collected without the user consent as Prateek Mittal states: “PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives”.

Sources:

https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371

https://nakedsecurity.sophos.com/2017/12/19/gps-is-off-so-you-cant-be-tracked-right-wrong/

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

https://www.theregister.co.uk/2018/02/07/boffins_crack_location_tracking_even_if_youve_turned_off_the_gps/

https://www.helpnetsecurity.com/2018/02/07/location-tracking-no-gps/

https://www.bleepingcomputer.com/news/security/apps-can-track-users-even-when-gps-is-turned-off/

https://arxiv.org/pdf/1802.01468.pdf

http://ieeexplore.ieee.org/document/8038870/?reload=true

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – PinME, hacking)

The post Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off. appeared first on Security Affairs.



Security Affairs

Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.

Researchers from Princeton University have developed an app called PinME to locate and track smartphone without using GPS.

The research team led by Prateek Mittal, assistant professor in Princeton’s Department of Electrical Engineering and PinMe paper co-author developed the PinMe application that mines information stored on smartphones that don’t require permissions for access.

The data is processed alongside with public available maps and weather reports resulting on information if a person is traveling by foot, car, train or airplane and their travel route. The applications for intelligence and law enforcement agencies to solve crimes like kidnapping, missing people and terrorism are very significant.

As the researchers notice, the application utilizes a series of algorithms to locate and track someone using information like the phone IP address and time zone combined with data from its sensors. The phone sensors collect compass details from the gyroscope, air pressure reading from barometer and accelerometer data while remaining undetected from the user. The resulting data processed can be used to extract contextual information about users’ habits, regular activities, and even relationships.

This technology as many others have two sides: Help solving crimes at large, and implications on privacy and security of the users.  The researchers hope to be fomenting the development of security measures to switch off sensor data by revealing this sensor security flaw. Nowadays such sensor data is collected by fitness and game applications to track people movement.

Another key point where the application can be a game changer is an alternative navigation tool, as highlighted by the researchers. Gps signals used in autonomous cars and ships can be the target of hackers putting the safety of the passengers in danger. The researchers conducted their experiment using Galaxy S4 i9500, iPhone 6 and iPhone 6S. To determine the last Wi-Fi connection, the PinMe application read the latest IP address used and the network status.

pinme

To determine how a user is traveling, the application utilizes a machine learning algorithm that recognizes the different patterns of walking, driving and flying by gathering data from the phones sensor like speed, direction of travel, delay between movement and altitude.

Once determined the pattern of activity of a user, the application then executes one of four additional algorithms to determine the type transportation. By comparing the phone data against public information the route of the user is determined. Maps from Google and the U.S. Geological Survey were used to determine the altitude details of every point on Earth. Details regarding temperature, humidity, and air pressure reports were also used to determine the use of trains or planes.

The researchers wanted also to raise the question about privacy and data collected without the user consent as Prateek Mittal states: “PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives”.

Sources:

https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371

https://nakedsecurity.sophos.com/2017/12/19/gps-is-off-so-you-cant-be-tracked-right-wrong/

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

https://www.theregister.co.uk/2018/02/07/boffins_crack_location_tracking_even_if_youve_turned_off_the_gps/

https://www.helpnetsecurity.com/2018/02/07/location-tracking-no-gps/

https://www.bleepingcomputer.com/news/security/apps-can-track-users-even-when-gps-is-turned-off/

https://arxiv.org/pdf/1802.01468.pdf

http://ieeexplore.ieee.org/document/8038870/?reload=true

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – PinME, hacking)

The post Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off. appeared first on Security Affairs.

Bogus hack apps hack users back for cryptocash

Recently, we discovered a gold…er…APK mine of fake hacking apps. The “legitimate” versions of hack apps are intended to hack other apps in order to get something for free. Although it’s unclear what exactly these fake apps claim to hack, the real hack job is done to unsuspecting users.

Search and you will find

Disclaimer:  I, and Malwarebytes, do not recommend the process I’m about to outline below. Be that as it may, I’m also not naïve and know people do this all the time. In order to demonstrate the pitfalls of such an approach, I’ll lay it all out for you.

Say you want a hack for a particular app. Obviously, you aren’t going to find such a hack on Google Play. So you fire up your favorite search engine and type in something like <app name> hack apk. In this example, let’s use Lyft hack apk—Lyft being, of course, the popular on-demand transportation company. There, right at the top of the results, is the link to the hack app you desire. You decide to play it safe and navigate to the source domain rather than the direct link to the hack app. It’s a clean but simply looking website called androidapk.world.

Convinced that such a clean-looking site has to be legitimate, you proceed to the Lyft hack app.

Click to view slideshow.

Complete with app screenshots, description of the app (stolen from Google Play), a FAQ, and a How to Install section, it looks promising. There is even a long list of tags so it can be easily searched—which is how you navigated there in the first place. You roll the dice and click Download APK…

A bad roll of the dice

After install, you open the app and get a message that states you need to install one of three apps listed to unlock premium content.

Click to view slideshow.

At this point, I suspect that a seasoned user would conclude that the jig is up and rush to uninstall, but let’s just play this out anyway. The first link for Castle Clash redirects you to the legit Google Play version of the game—okay, easy enough.  The second link for Final Fantasy XV redirects to a broken link—fail. The third and final link for AppMatch Survey redirects to a dreaded, but harmless survey that ends in, once again, installing an app from Google Play.

Besides the failed link, all the redirects equal a small payout to the evil doers if an app is installed. Thus the “run it for 30 seconds” disclaimer pop-up.

After installing said app, and still no hack app and/or premium content, you should be ready to uninstall this bogus hack job. Good luck finding the app’s shortcut icon though, because it doesn’t exist. Luckily, it’s not too hard to find in your apps list.

In reality, I’m a little disappointed and confused that the malware developers didn’t hide their efforts more thoroughly. But hey, it’s good news if you did unsuspectingly install it. Hopefully if you did install, you go through the steps to uninstall in leu of the missing shortcut. However, there is going to be small percentage that don’t bother and forget about its existence—which is exactly what the bad actors are “banking” on. (Pun intended. Wait for it…)

Oh, mine!

So far, the attempts to dupe users seem bush league. Meanwhile, the true malicious intent has been running in the background all along. During the entire process of clicking through redirect links, the user may notice their mobile device being a tad slow. That’s because a bitcoin miner has been running the whole time. Under the Java class com.coinhiveminer.CoinHive is a Monero JavaScript miner. Thus, we classify this bogus hack app as Android/Trojan.CoinMiner.kki.

Just a dish of adware

As if things couldn’t get worse, this fake hack app also comes with adware. Not surprising, as we are seeing a trend of adware being added to various malware variants as way to gain extra revenue. This particular adware serves ad pop-ups, as seen below.

Snake eyes

At the beginning of this blog post, I mentioned that I was not naïve to the fact that people willingly install hack apps. I ask you, dear readers, to not be naïve as well. Trying to find workarounds to get apps for free that are otherwise paid apps on Google Play is a gamble. The odds are against you by going to third-party app stores to install apps for free, or finding hack apps like the one described above.  This roll of the dice ends in snake eyes.

In the scenario above, I’m not sure how anything is being hacked from the aforementioned Lyft Hack app. As a matter of fact, this should be the first clue something is fishy. As with anything in life, use your best judgment when installing apps onto your mobile device. Consequently, installing an app from a shady app store, even if it does look legit, could cost you. Stay safe out there!

The post Bogus hack apps hack users back for cryptocash appeared first on Malwarebytes Labs.

ADB.Miner, the Android mining botnet that targets devices with ADB interface open

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet that targets devices with ADB interface open.

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet over the weekend. The malicious code ADB.Miner targets Android devices by scanning for open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.

The port 5555 is the working port ADB debug interface on Android device that should be shut down normally. The devices infected by ADB.miner are devices where users or vendors have voluntary enabled the debugging port 5555.

Spread of time : the earliest time of infection can be traced back to near January 31. This current wave of helminthic infections has been detected by our system from around 15:00 on the afternoon of 2018-02-03 and is still on the rise.” reads the analysis published by Netlab.

“Infected port : 5555, is the working port adb debug interface on Android device, the port should be shut down normally, but unknown part of the cause led to the wrong port opened.”

Starting from February 3, the expert noticed a rapid growth of the volume of scan traffic on port 5555 associated with the ADB.Miner:

ADB.Miner

Once the ADB.Miner has infected a device, the compromised system start scanning the Internet for other devices to infect.

According to the experts, ADB.miner borrowed the scanning code implemented by the Mirai botnet, this is the first time that the Mirai code is used by an Android threat.

The researchers did not reveal the way the malware infects the Android devices, it is likely it exploits a flaw in the ADB interface.

The number of infected devices is rapidly growing, according to different caliber statistics, there are 2.75 ~ 5.5k, and this figure is rapidly growing.

The two sources reported by Netlab are:

  • Statistics from scanmon : 2.75k, mainly from China (40%) and South Korea (31%).
  • Statistics from our botnet tracking system: 5.5k

At the time of writing the number of ADB.miner scans reached 75,900 unique IP addresses.

ADB.Miner traffic 2.png

Most IP addresses scanning the port 5555 are located in China (~40%) and South Korea (~30%).

The operators of the botnet are using the following Monero wallet address:

  • 44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr

That still has not received the first payment for the mine.

Pierluigi Paganini 

(Security Affairs – Monero, ADB.Miner)

The post ADB.Miner, the Android mining botnet that targets devices with ADB interface open appeared first on Security Affairs.

Privacy Meltdown: Strava tricked into Revealing Soldiers’ Names

Days after Strava fitness heatmaps were shown to reveal the location of military bases, a Norwegian journalist  fooled Strava into revealing the names of some of soldiers and other personnel on those bases.  Strava’s decision to release a heat map visualization of billions of data points recorded from its millions of users is generating...

Read the whole entry... »

Related Stories

The Future of IoT: What to Expect From Our Devices This Year

The beginning of the new year is always an exciting time for consumer technology enthusiasts. Business leaders, pioneers and forward-thinking companies gather in Las Vegas to showcase their latest devices at The International Consumer Electronics Show (CES), where next-generation innovations take center-stage and the world gets a glimpse into the future of IoT. I had the pleasure of attending CES with my colleagues this year and was blown away by the breadth of technology showcased. While the innovations stretched across many industries, I’d like to focus on the reoccurring themes in home and personal technology and how we can secure ourselves through the gadget-filled year ahead:

Smart Homes Will Become “Smarter” 

My favorite devices are the ones designed to enhance the smart home. Companies are striving to advance technology and make our lives easier in the comfort of our homes. From smart thermostats to smart assistants, there is certainly no shortage of household innovation; and companies like Google and Samsung are making strides to contribute to the smart home ecosystem. During CES, Samsung pledged to make all of its devices “smarter” by 2020, linking together all devices via its SmartThings cloud. Meanwhile, Google announced that Google Assistant will now be built in (or compatible) with a range of household products including your smart doorbell and ceiling fan.

As our homes become increasingly connected, the need to secure our internet-connected devices is critical. More IoT devices mean more points of data to attack and leverage for cybercrime. Hackers have the ability to access your personal information through connected home devices, which poses a threat to your identity. Consider using a service with built-in security to ensure every device in your home is well protected― especially the ones that often fly under the radar. Secure routers and gateways can protect all of your connected devices, even the ones without screens.

Smart Technology Will Track Your Sleep 

Technology is even changing the way we sleep, with smart sleep solutions for consumers. At CES 2018, Terraillon announced HOMNI, a device designed to help improve a user’s sleep environment. This device tracks the sleeper’s movement, sending your sleep data to a free app so that users can see how well they’ve slept. There’s nothing technology can’t solve for, including a good night’s sleep. However, when it comes to our personal data, it’s wise to be aware of how your data is being tracked or used.

As the use of connected devices in our homes and personal lives grow, so does the need for security beyond your PC or mobile phone. Many of the devices that we welcome into our daily routine aren’t equipped with proper security controls. It’s important to remember that these connected devices often run on our personal information, information such as your name, age, location –and in this case, your sleeping habits. While a sleep tracker may collect your information with the intentions of helping perfect your sleeping patterns, it has the potential to put your information in places that you might not intend. This is another example of why it’s exceedingly important to secure the connection at its source: your home.

“Ask Alexa” Will Live in Your Eyewear

Amazon Alexa has the ability to communicate with just about every connected device, so it’s no wonder that the Alexa Voice Service will have the ability to connect with your glasses soon, too. During CES, Vuzix announced that its latest pair of AR glasses, the Vuzix Blade, can communicate with Amazon Alexa. Blending augmented reality with AI assistant’s functionality, this headset acts as a fully functional computer with the ability to send email and text notifications via Bluetooth through the processing power of Android and unparalleled display.

Amazon Alexa has become a pseudo-family member in many households, offering assistance in the kitchen and even reading bedtime stories to children. To keep Cybercriminals from gaining access to your personal data , be sure you enable an extra measure of security, like setting up a PIN code for your voice command purchases.

Adding an extra layer of security to your smart devices is key to becoming an empowered consumer in today’s day and age. By taking these extra steps you’ll be able to enjoy the benefits of a secured smart home.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

 

The post The Future of IoT: What to Expect From Our Devices This Year appeared first on McAfee Blogs.

Security-as-a-Service Bolsters Customer Satisfaction

Communications service providers (CSPs), which have notoriously poor customer satisfaction ratings as an industry, can bolster loyalty by delivering security-as-a-service for mobile devices, research has revealed.According to Allot Communications’ latest

The post Security-as-a-Service Bolsters Customer Satisfaction appeared first on The Cyber Security Place.

Are you a Tinder user? Watch out, someone could spy on you

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.

Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is related to the fact that both the iOS and Android Tinder apps download profile pictures via insecure HTTP connections, this means that an attacker can access the traffic to determine which profiles are viewed by a Tinder user.

Tinder data leak

SOCIAL NETWORKS / TINDER

An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.” “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,”

Obviously, such kind of issue could be mitigated with the adoption of HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action,” 

An attacker that is in the position of analyzing the traffic can discover the user’s interest in a specific profile by detecting a 278-byte encrypted response that is delivered by the API server when he swipes left on a profile picture. Swiping right, the Tinder user likes a particular profile, in this case, the response generated is composed of 374 bytes.

The researchers also noticed that Tinder member pictures are downloaded to the app via HTTP connection, this makes possible for an attacker to view the profile images of those users being swiped left and right.

In order to mitigate this issue, researchers suggest padding requests, if the responses were padded to a fixed size, it would be impossible to discriminate the user’s action.

Checkmarx disclosed both vulnerabilities to Tinder.

Pierluigi Paganini

(Security Affairs – Tinder, privacy)

The post Are you a Tinder user? Watch out, someone could spy on you appeared first on Security Affairs.

Security Affairs: Are you a Tinder user? Watch out, someone could spy on you

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.

Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is related to the fact that both the iOS and Android Tinder apps download profile pictures via insecure HTTP connections, this means that an attacker can access the traffic to determine which profiles are viewed by a Tinder user.

Tinder data leak

SOCIAL NETWORKS / TINDER

An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.” “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,”

Obviously, such kind of issue could be mitigated with the adoption of HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action,” 

An attacker that is in the position of analyzing the traffic can discover the user’s interest in a specific profile by detecting a 278-byte encrypted response that is delivered by the API server when he swipes left on a profile picture. Swiping right, the Tinder user likes a particular profile, in this case, the response generated is composed of 374 bytes.

The researchers also noticed that Tinder member pictures are downloaded to the app via HTTP connection, this makes possible for an attacker to view the profile images of those users being swiped left and right.

In order to mitigate this issue, researchers suggest padding requests, if the responses were padded to a fixed size, it would be impossible to discriminate the user’s action.

Checkmarx disclosed both vulnerabilities to Tinder.

Pierluigi Paganini

(Security Affairs – Tinder, privacy)

The post Are you a Tinder user? Watch out, someone could spy on you appeared first on Security Affairs.



Security Affairs

Three Sonic apps in the Google Play are leaking data to uncertified servers

According to a researcher from security firm Predeo, three Sonic apps in the Google Play published by SEGA leak users’ data to uncertified servers.

According to a researcher from security firm Predeo, some game applications in the Google Play published by SEGA leak users’ data to uncertified servers.

The Android apps are Sonic Dash,  Sonic the Hedgehog™ Classic, and Sonic Dash 2: Sonic Boom, that have been totally downloaded millions of times.

The expert discovered that the apps are leaking users’ geolocation and device data to suspicious servers, thereby posing a privacy threat to mobile gamers, according to researchers.

Pradeo’s Lab discovered that some game applications in the Google Play published by SEGA, the famous video games developer and publisher, access and leak users’ geolocation and device dataHundreds of millions of users are concerned by these data privacy violations.” states the blog post published by Pradeo.

sonic-apps

The Sonic apps send data to an average of 11 distant servers, three of which are not certified. Most of the servers obviously collect data for marketing purposes, but the expert observed that two of the three uncertified servers are linked to a potential unwanted library app dubbed Android/Inmobi.D,

Android.InMobi is classified as an advertisement library that is bundled with certain Android applications.

The expert discovered that the Sonic apps also leak mobile network information, including the service provider name, network type, and device information (i.e. manufacturer, commercial name, battery level, the maximum level of the battery, and operating system version number).

The researchers at Pradeo also conducted a vulnerability assessment for the three Sonic App and discovered an average of 15 OWASP (Open Web Application Security Project) flaws.

Experts discovered two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, that could be exploited by hackers to power man-in-the-middle attacks due to the lack of validation for SSL certificate errors.

“Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.” reads the description for the X.509TRUSTMANAGER flaw, while the POTENTIALLY_BYPASS SSL_CONNECTION is described as:

“The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.

I suggest you read the post to discover the remaining issues and the risks they posed to the users.

Pierluigi Paganini

(Security Affairs – Sonic apps, hacking)

The post Three Sonic apps in the Google Play are leaking data to uncertified servers appeared first on Security Affairs.

Security Affairs: Three Sonic apps in the Google Play are leaking data to uncertified servers

According to a researcher from security firm Predeo, three Sonic apps in the Google Play published by SEGA leak users’ data to uncertified servers.

According to a researcher from security firm Predeo, some game applications in the Google Play published by SEGA leak users’ data to uncertified servers.

The Android apps are Sonic Dash,  Sonic the Hedgehog™ Classic, and Sonic Dash 2: Sonic Boom, that have been totally downloaded millions of times.

The expert discovered that the apps are leaking users’ geolocation and device data to suspicious servers, thereby posing a privacy threat to mobile gamers, according to researchers.

Pradeo’s Lab discovered that some game applications in the Google Play published by SEGA, the famous video games developer and publisher, access and leak users’ geolocation and device dataHundreds of millions of users are concerned by these data privacy violations.” states the blog post published by Pradeo.

sonic-apps

The Sonic apps send data to an average of 11 distant servers, three of which are not certified. Most of the servers obviously collect data for marketing purposes, but the expert observed that two of the three uncertified servers are linked to a potential unwanted library app dubbed Android/Inmobi.D,

Android.InMobi is classified as an advertisement library that is bundled with certain Android applications.

The expert discovered that the Sonic apps also leak mobile network information, including the service provider name, network type, and device information (i.e. manufacturer, commercial name, battery level, the maximum level of the battery, and operating system version number).

The researchers at Pradeo also conducted a vulnerability assessment for the three Sonic App and discovered an average of 15 OWASP (Open Web Application Security Project) flaws.

Experts discovered two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, that could be exploited by hackers to power man-in-the-middle attacks due to the lack of validation for SSL certificate errors.

“Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.” reads the description for the X.509TRUSTMANAGER flaw, while the POTENTIALLY_BYPASS SSL_CONNECTION is described as:

“The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.

I suggest you read the post to discover the remaining issues and the risks they posed to the users.

Pierluigi Paganini

(Security Affairs – Sonic apps, hacking)

The post Three Sonic apps in the Google Play are leaking data to uncertified servers appeared first on Security Affairs.



Security Affairs

Security Affairs: Google awarded Chinese hacker record $112,500 for Android exploit chain

Google has awarded a record $112,500 to a security researcher for reporting an exploit chain that could be used to hack Pixel smartphones.

Last week the Google disclosed the technical details of the exploit chain that was devised in August 2017 by the Guang Gong from Alpha Team at Qihoo 360 Technology. The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904, researchers submitted it through the Android Security Rewards (ASR) program.

“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.” reads the analysis published by Google.

Android exploit chain

Chaining the vulnerabilities the attackers can remotely inject arbitrary code into the system_server process when a malicious URL in Chrome is accessed.

In an attack scenario, the victims can be tricked into clicking on such a URL by hackers that can fully compromise their mobile device.

Gong was awarded $105,000 for this exploit chain, he received also an additional award of $7500 through the Chrome Rewards program.

Google addressed the flaws as part of Google Android ‘s December security bulletin that addressed a total of 42 bugs.

Pixel mobile devices and partner devices using A/B updates will automatically install the security updates that fixed the flaws.

“The Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues.” concluded Google.

The overall ASR payout rewards is over $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.

Pierluigi Paganini

(Security Affairs – Android exploit chain, hacking)

The post Google awarded Chinese hacker record $112,500 for Android exploit chain appeared first on Security Affairs.



Security Affairs

Google awarded Chinese hacker record $112,500 for Android exploit chain

Google has awarded a record $112,500 to a security researcher for reporting an exploit chain that could be used to hack Pixel smartphones.

Last week the Google disclosed the technical details of the exploit chain that was devised in August 2017 by the Guang Gong from Alpha Team at Qihoo 360 Technology. The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904, researchers submitted it through the Android Security Rewards (ASR) program.

“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.” reads the analysis published by Google.

Android exploit chain

Chaining the vulnerabilities the attackers can remotely inject arbitrary code into the system_server process when a malicious URL in Chrome is accessed.

In an attack scenario, the victims can be tricked into clicking on such a URL by hackers that can fully compromise their mobile device.

Gong was awarded $105,000 for this exploit chain, he received also an additional award of $7500 through the Chrome Rewards program.

Google addressed the flaws as part of Google Android ‘s December security bulletin that addressed a total of 42 bugs.

Pixel mobile devices and partner devices using A/B updates will automatically install the security updates that fixed the flaws.

“The Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues.” concluded Google.

The overall ASR payout rewards is over $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.

Pierluigi Paganini

(Security Affairs – Android exploit chain, hacking)

The post Google awarded Chinese hacker record $112,500 for Android exploit chain appeared first on Security Affairs.

Lasers Eyed as Way Forward for Quantum Encryption of Data, Cryptocurrencies

Researchers at the University of Southern California have developed a technology called a frequency comb that could pave the way for quantum-encryption technologies to be used to protect mobile data and digital currencies. Given yesterday’s news that cryptocurrencies remain in the crosshairs of hackers, people would surely welcome new methods to...

Read the whole entry... »

Related Stories

Security Affairs: Dark Caracal APT – Lebanese intelligence is spying on targets for years

A new long-running player emerged in the cyber arena, it is the Dark Caracal APT, a hacking crew associated with to the Lebanese General Directorate of General Security that already conducted many stealth hacking campaigns.

Cyber spies belonging to Lebanese General Directorate of General Security are behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.

This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to
decrease and new players are becoming even more dangerous.

The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The APT group was tracked as Dark Caracal by the researchers, its campaigns leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.
“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal2, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen
data includes enterprise intellectual property and personally identifiable information.” states the report.

The attack chain implemented by Dark Caracal relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

 Dark caracal

 

The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. Dark Caracal malware is also able to use devices cameras and the microphone to spy on the victims.

Unfortunately, the APT group also used another powerful surveillance software in its campaign, the malware is the dreaded FinFisher, a spyware that is often marketed to law enforcement and government agencies.

Lookout and the EFF launched their investigation in July 2017, the researchers were able to identify the Command and Control infrastructure and determined that the Dark Caracal hackers were running six unique campaigns. Some of the hacking campaigns had been ongoing for years targeting a large number of targets in many countries, including China, the United States, India, and Russia.

“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”

 Further details are provided in the technical report that includes more than 90 indicators of
compromise (IOC).

Pierluigi Paganini

(Security Affairs – Dark Caracal, APT)

The post Dark Caracal APT – Lebanese intelligence is spying on targets for years appeared first on Security Affairs.



Security Affairs

Dark Caracal APT – Lebanese intelligence is spying on targets for years

A new long-running player emerged in the cyber arena, it is the Dark Caracal APT, a hacking crew associated with to the Lebanese General Directorate of General Security that already conducted many stealth hacking campaigns.

Cyber spies belonging to Lebanese General Directorate of General Security are behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.

This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to
decrease and new players are becoming even more dangerous.

The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The APT group was tracked as Dark Caracal by the researchers, its campaigns leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.
“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal2, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen
data includes enterprise intellectual property and personally identifiable information.” states the report.

The attack chain implemented by Dark Caracal relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

 Dark caracal

 

The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. Dark Caracal malware is also able to use devices cameras and the microphone to spy on the victims.

Unfortunately, the APT group also used another powerful surveillance software in its campaign, the malware is the dreaded FinFisher, a spyware that is often marketed to law enforcement and government agencies.

Lookout and the EFF launched their investigation in July 2017, the researchers were able to identify the Command and Control infrastructure and determined that the Dark Caracal hackers were running six unique campaigns. Some of the hacking campaigns had been ongoing for years targeting a large number of targets in many countries, including China, the United States, India, and Russia.

“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”

 Further details are provided in the technical report that includes more than 90 indicators of
compromise (IOC).

Pierluigi Paganini

(Security Affairs – Dark Caracal, APT)

The post Dark Caracal APT – Lebanese intelligence is spying on targets for years appeared first on Security Affairs.

Skygofree is the most powerful surveillance tool for Android, Kaspersky says

Skygofree Android Spyware Can Steal Almost Everything In Your Mobile

Security researchers at Kaspersky Lab have identified a new sophisticated espionage software for Android, which can gain complete control of users’ phones and steal information.

The software dubbed as ‘Skygofree’ is “one of the most powerful spyware tools” ever seen for Android that “display capabilities more reminiscent of Hollywood spy movies,” says Kaspersky.

This Android software can trace user’s location, record audio conversations, intercept SMS, calendar entries, monitor popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp, and even read WhatsApp messages through Accessibility Services. It can also connect a device to a Wi-Fi network controlled by hackers, even when the user has disabled Wi-Fi connections or take photos every time the user unlocks his device. The software can also operate in standby mode.

“In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home,” said Kaspersky Lab. “This lets the victim’s traffic be collected and analysed.”

Although the spyware was identified by Kaspersky’s researchers at the end of 2017, but its existence dates back to 2014. Apparently, Skygofree has already infected several Italian Android users and the software has evolved considerably during the three year period.

“The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion,” says Kaspersky.

In order to safeguard against the software, Kaspersky firstly recommends users to install apps only from official online stores (such as Play Store, App Store) and disable installation of apps from third-party sources. Secondly, pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions. Lastly, install a reliable security solution that will protect your device from most suspicious websites, dangerous links, and malicious apps and files.

Source: Kaspersky

The post Skygofree is the most powerful surveillance tool for Android, Kaspersky says appeared first on TechWorm.

Security Affairs: Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec

The Skygofree spyware analyzed by Kaspersky today was first spotted by the researcher Lukas Stefanko and the first analysis was published last year experts at CSE Cybsec ZLab.

Security researchers at Kaspersky Lab have made the headlines because they have spotted a new strain of a powerful Android spyware, dubbed Skygofree, that was used to gain full control of infected devices remotely.

Skygofree is an Android spyware that could be used in targeted attacks and according to the experts it has infected a large number of users for the past four years.

The name Skygofree is not linked to Sky Go, which is the subsidiary of Sky and does not affect its services.

The malware has been in the wild at least since 2014, and it was improved several times over the years.

“At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014.” reads the analysis published by Kaspersky.

“Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.”

In this post, I’ll show you that the malware was first found by the security researcher at ESET Lukas Stefanko and the first detailed analysis of the spyware (titled “Malware Analysis Report: Fake 3MobileUpdater“) was published by the experts at the CSE Cybsec ZLab.

According to Kaspersky, Skygofree has being distributed through fake web pages mimicking leading mobile network operators. The attackers registered some of the domains used in the attack since 2015.

The most recently observed domain was registered on October 31, 2017, according to Kaspersky data the malicious code was used against several infected individuals, exclusively in Italy.

The team of researchers at CSE CybSec ZLab analyzed in November a fake 3 Mobile Updater that was used pose itself as a legitimate application of the Italian Telco company, TRE Italia.

“The most classic and efficient method used to lure the users is to believe that the application does something good. This is just what 3 Mobile Updater does. In fact, this malicious Android application looks like a legitimate app used to retrieve mobile system update and it improperly uses the logo of the notorious Italian Telco company, TRE Italia, in order to trick victims into trusting it.” reads the report published by CSE CybSec.

Tre android malware

The analysis conducted by Kaspersky suggests the involvement of an Italian firm due to the presence in the code of strings in Italian.

“As can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code.” states Kaspersky.

The CSE CybSec researchers arrived atthe same conclusion, below a portion of the code analyzed by the members of the ZLab.

Skygofree linked to fake 3 updater

“Moreover, both in the logcat messages and in the code, the malware writers used the Italian language. So, we can say with high confidence that this malicious app has been written by an Italian firm that intended to target users of the Italian telco company Tre.” CSE wrote in the analysis.

The artifacts analyzed by Kaspersky in the malware code and information gathered on the control infrastrucure suggest the developer of the Skygofree implants is an Italian IT company that works for surveillance solutions.

Skygofree

 

Kaspersky Lab has not confirmed the name of the Italian company behind this spyware, we at the CSE CybSec ZLab opted for the same decision in October due to the possible involvement of law enforcement or intelligence Agencies.

Unfortunately, the OPsec implemented by the firm is very poor. The name of the company is present in multiple reference of the code. Not only, one of the domains used to control registered by the attacker is linked to an Italian technology company.

“Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to Rome-based technology company “Negg” in the spyware’s code. Negg is also specialized in developing and trading legal hacking tools.” states the blog post published by THN.

Once installed, Skygofree hides its icon and starts background services to conceal its malicious actions from the victim, one interesting feature implemented by the malicious code prevents its services from being killed.

“Interestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it” continues Kaspersky.

According to Kaspersky, the Skygofree malware was enhanced since October implementing a sophisticated multi-stage attack and using a reverse shell payload.

The malicious code includes multiple exploits to escalate privileges for root access used by attackers to execute sophisticated payloads, including a shellcode used to spy on popular applications such as Facebook, WhatsApp, Line, and Viber.

The same spying abilities were implemented in the app we analyzed at the CSE CybSec.

“The capabilities of this malicious app are enormous and include the information gathering from various sources, including the most popular social apps, including Whatsapp, Telegram, Skype, Instagram, Snapchat. It is able to steal picture from the gallery, SMS and calls registry apps. All this data is first stored in a local database, created by the malicious app, and later it is sent to the C2C.” reads the preliminary analysis published on SecurityAffairs.

“There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features,” the researchers said.

Skygofree is able to take pictures and videos remotely, monitor SMS, call records and calendar event, of course, it also able to gather target’ location and access any information stored on the mobile.

Skygofree also can record audio via the microphone, the attacker can also force the victim’s device to connect to compromised Wi-Fi networks it controls in order to conduct man-in-the-middle attacks.

Kaspersky also found a variant of Skygofree targeting Windows users, a circumstance that suggests the same company is also targeting machines running Windows OS.

The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

Comparative analysis fake 3 Mobile Updater vs SkyGoFree

I asked my colleague Dr. Antonio Pirozzi, Director of the CSE CybSec ZLab, to compare the stubs of code shared by Kaspersky with the ones related to the code we analyzed back in November.

This is what has emerged:

These classes are identical:

SkyGoFree comparison
  • The spyware we analyzed did not contain the Android exploits found by Kaspersky, as well as the reverse shell PRISM and the busy box.
  • The class used for parsing are similar;

  • The DNS used are the same;
 
  • The IoCs published by Kaspersky includes the URL of the C&C (url[.] plus) which was the same of the Spyware analyzed by CSE CybSec.
Conclusion
 
Many parts of the code are identical, both source codes include strings in Italian and the reference to the Italian firms are the same. The version analyzed by Kaspersky is a new version of the malware analyzed by CSE CybSec ZLab.
Kaspersky also shared the URL from which the spyware is downloaded and one of them was related to the version we analyzed (Fake 3 mobile updater).
The two version of the malware shared numerous classes, C&C server, Whois records and many other info.  The sample analyzed by CSE was probably still under development.

Pierluigi Paganini

(Security Affairs – Android malware, Skygofree)

The post Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec appeared first on Security Affairs.



Security Affairs

Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec

The Skygofree spyware analyzed by Kaspersky today was first spotted by the researcher Lukas Stefanko and the first analysis was published last year experts at CSE Cybsec ZLab.

Security researchers at Kaspersky Lab have made the headlines because they have spotted a new strain of a powerful Android spyware, dubbed Skygofree, that was used to gain full control of infected devices remotely.

Skygofree is an Android spyware that could be used in targeted attacks and according to the experts it has infected a large number of users for the past four years.

The name Skygofree is not linked to Sky Go, which is the subsidiary of Sky and does not affect its services.

The malware has been in the wild at least since 2014, and it was improved several times over the years.

“At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014.” reads the analysis published by Kaspersky.

“Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.”

In this post, I’ll show you that the malware was first found by the security researcher at ESET Lukas Stefanko and the first detailed analysis of the spyware (titled “Malware Analysis Report: Fake 3MobileUpdater“) was published by the experts at the CSE Cybsec ZLab.

According to Kaspersky, Skygofree has being distributed through fake web pages mimicking leading mobile network operators. The attackers registered some of the domains used in the attack since 2015.

The most recently observed domain was registered on October 31, 2017, according to Kaspersky data the malicious code was used against several infected individuals, exclusively in Italy.

The team of researchers at CSE CybSec ZLab analyzed in November a fake 3 Mobile Updater that was used pose itself as a legitimate application of the Italian Telco company, TRE Italia.

“The most classic and efficient method used to lure the users is to believe that the application does something good. This is just what 3 Mobile Updater does. In fact, this malicious Android application looks like a legitimate app used to retrieve mobile system update and it improperly uses the logo of the notorious Italian Telco company, TRE Italia, in order to trick victims into trusting it.” reads the report published by CSE CybSec.

Tre android malware

The analysis conducted by Kaspersky suggests the involvement of an Italian firm due to the presence in the code of strings in Italian.

“As can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code.” states Kaspersky.

The CSE CybSec researchers arrived atthe same conclusion, below a portion of the code analyzed by the members of the ZLab.

Skygofree linked to fake 3 updater

“Moreover, both in the logcat messages and in the code, the malware writers used the Italian language. So, we can say with high confidence that this malicious app has been written by an Italian firm that intended to target users of the Italian telco company Tre.” CSE wrote in the analysis.

The artifacts analyzed by Kaspersky in the malware code and information gathered on the control infrastrucure suggest the developer of the Skygofree implants is an Italian IT company that works for surveillance solutions.

Skygofree

 

Kaspersky Lab has not confirmed the name of the Italian company behind this spyware, we at the CSE CybSec ZLab opted for the same decision in October due to the possible involvement of law enforcement or intelligence Agencies.

Unfortunately, the OPsec implemented by the firm is very poor. The name of the company is present in multiple reference of the code. Not only, one of the domains used to control registered by the attacker is linked to an Italian technology company.

“Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to Rome-based technology company “Negg” in the spyware’s code. Negg is also specialized in developing and trading legal hacking tools.” states the blog post published by THN.

Once installed, Skygofree hides its icon and starts background services to conceal its malicious actions from the victim, one interesting feature implemented by the malicious code prevents its services from being killed.

“Interestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it” continues Kaspersky.

According to Kaspersky, the Skygofree malware was enhanced since October implementing a sophisticated multi-stage attack and using a reverse shell payload.

The malicious code includes multiple exploits to escalate privileges for root access used by attackers to execute sophisticated payloads, including a shellcode used to spy on popular applications such as Facebook, WhatsApp, Line, and Viber.

The same spying abilities were implemented in the app we analyzed at the CSE CybSec.

“The capabilities of this malicious app are enormous and include the information gathering from various sources, including the most popular social apps, including Whatsapp, Telegram, Skype, Instagram, Snapchat. It is able to steal picture from the gallery, SMS and calls registry apps. All this data is first stored in a local database, created by the malicious app, and later it is sent to the C2C.” reads the preliminary analysis published on SecurityAffairs.

“There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features,” the researchers said.

Skygofree is able to take pictures and videos remotely, monitor SMS, call records and calendar event, of course, it also able to gather target’ location and access any information stored on the mobile.

Skygofree also can record audio via the microphone, the attacker can also force the victim’s device to connect to compromised Wi-Fi networks it controls in order to conduct man-in-the-middle attacks.

Kaspersky also found a variant of Skygofree targeting Windows users, a circumstance that suggests the same company is also targeting machines running Windows OS.

The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

Comparative analysis fake 3 Mobile Updater vs SkyGoFree

I asked my colleague Dr. Antonio Pirozzi, Director of the CSE CybSec ZLab, to compare the stubs of code shared by Kaspersky with the ones related to the code we analyzed back in November.

This is what has emerged:

These classes are identical:

SkyGoFree comparison
  • The spyware we analyzed did not contain the Android exploits found by Kaspersky, as well as the reverse shell PRISM and the busy box.
  • The class used for parsing are similar;

  • The DNS used are the same;
 
  • The IoCs published by Kaspersky includes the URL of the C&C (url[.] plus) which was the same of the Spyware analyzed by CSE CybSec.
Conclusion
 
Many parts of the code are identical, both source codes include strings in Italian and the reference to the Italian firms are the same. The version analyzed by Kaspersky is a new version of the malware analyzed by CSE CybSec ZLab.
Kaspersky also shared the URL from which the spyware is downloaded and one of them was related to the version we analyzed (Fake 3 mobile updater).
The two version of the malware shared numerous classes, C&C server, Whois records and many other info.  The sample analyzed by CSE was probably still under development.

Pierluigi Paganini

(Security Affairs – Android malware, Skygofree)

The post Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec appeared first on Security Affairs.

Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud

Organizations are flocking to cloud services and mobile devices to cut costs and boost productivity. Despite the benefits, these technologies exacerbate the challenge of verifying identities and managing access to applications and data by consumers, employees and business partners from multiple devices and locations.

Let’s take a look at some of the most common identity and access management (IAM) challenges and how organizations can resolve them without compromising employee productivity.

Common Identity and Access Management Challenges

Organizations struggle to vet identities and approve access requests because the data resides in various locations and business units. Requesters often encounter roadblocks when seeking access, leading them to escalate requests to upper management and override the proper vetting process. Furthermore, those tasked with approving requests lack sufficient insight into which employees require access to confidential data.

The lack of a centralized, authoritative identity repository for users makes reconciliation another significant challenge. Additional problems arise when privileges on systems either exceed or lack access levels that were previously granted and provisioned.

When it comes to certification and accreditation, examiners may have insufficient knowledge of access needs. Not to mention, processes tend to be manual, cumbersome and inconsistent between business units. This task becomes even more difficult when examiners must conduct multiple, redundant and granular validations.

Provisioning and deprovisioning identities can pose a critical challenge when manual provisioning processes are ineffective. Organizations that fail to remove improper IAM privileges or resort to cloning access profiles will face similar struggles.

Failure to segregate duties and monitor administrators, power users and temporary access privileges can further impede enforcement. Other issues include lack of support for centralized access management solutions, such as directories and single sign-on, outdated or nonexistent access management policies, and failure to establish rule-based access.

Finally, compliance concerns arise when performance metrics do not exist and/or do not align with security requirements, such as removing identities and access privileges automatically upon an employee’s termination. Laborious and time-consuming audits only make this problem worse.

The CISO’s Role in Resolving IAM Issues

Chief information security officers (CISOs) must meet these challenges. Their teams must vet identities, approve appropriate access entitlements, and grant or revoke user identities, access and entitlements in a timely manner. Security leaders must also provision proper access to applications, data and resources for users who need it and examine identities and the corresponding access privileges periodically to realign with users’ job functions.

Enforcing compliance in accordance with the organization’s IAM policy is another key responsibility of the CISO. A strong IAM strategy also requires security leaders to define performance metrics and implement periodic or real-time automated auditing tools.

Considerations for Mobile and Cloud

Today, many organizations have gone mobile with bring-your-own-device (BYOD) policies, enabling employees to access corporate data remotely. IAM serves as a foundational security component in environments that connect to mobile platforms.

Cloud services have also added daunting complexity to the IAM equation, forcing organizations to operate their capabilities on-premises and integrate with similar capabilities delivered by a cloud service provider (CSP). While these cloud platforms increase reliance on logical access controls, they also reduce network access controls.

Federation, role-based access and cloud-based IAM solutions exist to address these requirements. For example, the need to access apps hosted on the cloud goes hand in hand with the need to manage identities to protect personally identifiable information (PII).

Identity-as-a-service (IDaaS) is another effective solution to accelerate IAM deployments in the cloud. IDaaS supports federated authentication, authorization and provisioning, and it is a viable alternative to on-premises IAM solutions. When it comes to return on security investment, IDaaS eliminates the expense of implementing an on-premises solution.

It’s important to understand the need for IAM capabilities that effectively govern access to internally hosted apps. In a hybrid cloud IAM model, the IDaaS solution will need agent APIs or appliances that operate within the IT infrastructure to completely outsource the function. Securing these agents and interfaces represents a new source of risk for most organizations, and this risk must be managed.

Integrating Identity Management With Data Loss Prevention

It’s common for security professionals to provide identity information from an IAM tool to a data loss prevention (DLP) solution that continuously monitors sensitive data and correlates events to minimize the risk of losing sensitive data. The events are also correlated with analytical artificial intelligence and machine learning tools that analyze historical access behaviors to detect potential fraud.

Both IAM and DLP solutions must be leveraged to address insider threats and emerging threat vectors. Behavioral analytics and incident forensics tools provide additional monitoring capabilities. By integrating both of these solutions, organizations can handle the fast pace of emerging IT trends and threats with mobile and cloud computing.

Securing Social Media Identities

Organizations often leverage social media to interact with their customers, increase brand awareness and create a common identity repository. But if these social identities are breached, companies can face legal, regulatory, operational and reputational risks that may lead to the loss of customers.

Social media services must deploy strong IAM solutions to protect corporate accounts. These solutions include multifactor authentication (MFA) and notifications to alert users of multiple failed login attempts or attempts to authenticate from anomalous geographic regions. Awareness programs to educate employees about social media security must be an essential ingredient. CISOs should also inquire with legal to ensure that service-level agreements (SLAs) with social media providers account for proper IAM practices.

The Best of Both Worlds

In our increasingly mobile and connected world, IAM is more crucial than ever. To remain competitive, businesses around the world must embrace technologies and policies that enable employees to be as productive as possible.

However, it only takes one major data breach to negate all the benefits of that productivity. With a strong IAM program that proactively monitors user behavior for potentially malicious activity and periodically realigns access privileges with shifting job roles, organizations can have the best of both worlds: an empowered, productive workforce and a robust data security strategy.

Read the white paper: Deploy silent security to protect identities and future-proof your IAM

The post Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud appeared first on Security Intelligence.

Episode 79: Hackable Nukes, Dissecting Naughty Toys and APTs IRL

In this week’s Security Ledger Podcast episode, sponsored by the firm Flashpoint, the UK -based policy think tank Chatham House warned last week that aging nuclear weapons systems in the U.S., the U.K. and other nations are vulnerable to cyber attacks that could be used to start a global conflagration. We talk with Eddie Habbibi of PAS Global...

Read the whole entry... »

Related Stories

Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructe

In a report released today, by IOACTIVE, researchers’ advice that critical infrastructure mobile applications are being developed without secure coding compliance that could allow hackers to target Supervisory Control and

The post Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructe appeared first on The Cyber Security Place.

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Thousands of users of an adult virtual reality application risk having their personal information, including names and email addresses exposed, according to researchers in the UK. Thousands of Internet denizens who wanted to explore their virtual naughty side are in for an unpleasant surprise after a firm offering an adult virtual reality game,...

Read the whole entry... »

Related Stories

Researchers: SCADA Mobile Apps Continue to Have ‘Shocking’ Number of Vulnerabilities

Despite their availability on mobile networks and thus increased exposure to outside security threats, SCADA apps remain highly insecure and vulnerable to attack, putting critical industrial control systems at immediate and increased risk, researchers at IOActive and Embedi have found. While it might be good news for industrial control system...

Read the whole entry... »

Related Stories

Lo lo lo Loapi Trojan could break your Android

Kaspersky has found what they deem as a jack of all trades malicious app they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things—it’s a downloader, dropper, SMS Trojan, and can push ads all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the battery bulge, and essentially leave your Android for dead.

It seems creating Swiss army knife malware—lumping several uniquely malicious features into one catch-all malicious app—is becoming a trend. At least this time, the Loapi Trojan didn’t make it onto Google Play.

Loapi capabilities

For the purpose of hiding itself, Loapi poses (mostly) as a fake antivirus or, on the other end of the spectrum, adult content apps. It then asks for device administrator permissions to lock the screen of the mobile device, among other things. Furthermore, it takes the damage to another level by attempting to trick the user into thinking genuine anti-malware scanners are the real threat, and prompts to uninstall them if found. If that weren’t enough, it comes with a host of other features, including:

With everything going on in the background, Loapi puts an extreme load on the mobile device. This can lead to the Android literally blowing up from heat produced by the maxed-out processor and battery.

To state the obvious: This Loapi Trojan is quite nasty.

Darn it, tell me if you detect it or not already!

So, do we detect this monster? You bet we do! Our Malwarebytes for Android detection name is Android/Trojan.Dropper.Agent.BGT. You’ll be delighted to know that we’ve been on top of this bad boy since October.

In Malwarebytes for Android, detection of this infection is primarily done by our advanced deep scanner, which uses heuristic methodology to find malware, such as this Trojan, deeply embedded in the device. Deep scan is a feature in our Premium version. Therefore, if you want to stay protected in real time against Loapi, we recommend you upgrade to Premium after your free 30-day trial of Malwarebytes for Android. Stay safe out there!

The post Lo lo lo Loapi Trojan could break your Android appeared first on Malwarebytes Labs.

Mobile Menace Monday: upping the ante on Adups

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went about on our collective our ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which (unfortunately), FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices. Thus, by default it has system level privileges. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these systems apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.

Click to view slideshow.

Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution—it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

The post Mobile Menace Monday: upping the ante on Adups appeared first on Malwarebytes Labs.

ICE in your mobile. Sounds great, but is it really a good idea?

Another Internet and Facebook chain letter you no doubt have seen. Paramedics recommend adding a contact record named ICE in your mobile phone. It stands for In Case of Emergency and helps contacting your closest relatives if you have an accident. Sounds great, but let’s take a closer look first.

This is actually not a typical hoax chain letter because it’s based on facts. The idea emerged in UK in 2005, and was indeed introduced by paramedics. It’s a novel idea with good intentions and might have worked in the era before the smartphone. But it’s badly outdated now. I sincerely hope that people start circulating updated instructions rather than the original 10 years old idea.

Here’s why.

  • First, ICE is a nice idea. But it’s NOT the primary interest of paramedics. Their job is to save your life. They are going to concentrate on that rather than playing with your gadget. But ICE-info may still come in handy later at the hospital when the dust settles a bit.
  • Knowledge of some medical conditions is important to paramedics helping a trauma patient. Persons with conditions of this kind wear special medical IDs, necklaces or bracelets, and paramedics are trained to look for them. This has nothing to do with ICE.
  • Our smartphone is a key to all our on-line accounts, e-mail, Facebook, Twitter, cloud storage, you name it. It MUST be locked with a good password, otherwise you take a huge digital risk. And that unfortunately kills the idea with an ICE phonebook record. It’s not worth leaving the phone unprotected because of the ICE-record. Don’t even consider that!
  • Sometimes good old low-tech solutions are far better than digital technology. This is one of those cases. Write the ICE info on a sticker and put it on your phone or anything you carry with you. ID papers, like your driving license, are probably the best items as they are likely to be brought with you to the hospital.
  • If you are a bit nerdy, like me, you may still want a digital solution. Check your mobile for a function or app that puts free form text on the lock screen and use it for ICE. Some phones may even have a separate ICE function for this purpose. But use it as a complement to the good old sticker, not as a replacement.

So to summarize. ICE is in theory a good idea, but not really crucial for your survival. It’s not worth sacrificing your digital safety for it. Especially when you simply need a pen and paper to create an ICE record that is more reliable, safer and easier to use!

 

Safe surfing,
Micke

 

PS. Full medical ID can also be put on the mobile’s lock screen, at least on Android and iPhone. I’m not sure if this is a good idea. A solid necklace of stainless steel somehow feels better for stuff that can mean the difference between life and death. A complement to the necklace is of course never wrong but I really hope that nobody who really needs it trust this as their only medical ID!

 

Image by Ragesoss through Wikimedia

 

The Evolution of Mobile Security

Today, I posted a blog entry to the Oracle Identity Management blog titled Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements. In the post, I walk through a quick history of mobile security starting with MDM, evolving into MAM, and providing a glimpse into the next generation of mobile security where access is managed and governed along with everything else in the enterprise. It should be no surprise that's where we're heading but as always I welcome your feedback if you disagree.

Here's a brief excerpt:
Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.
Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.
Continue Reading

IAM for the Third Platform

As more people are using the phrase "third platform", I'll assume it needs no introduction or explanation. The mobile workforce has been mobile for a few years now. And most organizations have moved critical services to cloud-based offerings. It's not a prediction, it's here.

The two big components of the third platform are mobile and cloud. I'll talk about both.

Mobile

A few months back, I posed the question "Is MAM Identity and Access Management's next big thing?" and since I did, it's become clear to me that the answer is a resounding YES!

Today, I came across a blog entry explaining why Android devices are a security nightmare for companies. The pain is easy to see. OS Updates and Security Patches are slow to arrive and user behavior is, well... questionable. So organizations should be concerned about how their data and applications are being accessed across this sea of devices and applications. As we know, locking down the data is not an option. In the extended enterprise, people need access to data from wherever they are on whatever device they're using. So, the challenge is to control the flow of information and restrict it to proper use.

So, here's a question: is MDM the right approach to controlling access for mobile users? Do you really want to stand up a new technology silo that manages end-user devices? Is that even practical? I think certain technologies live a short life because they quickly get passed over by something new and better (think electric typewriters). MDM is one of those. Although it's still fairly new and good at what it does, I would make the claim that MDM is antiquated technology. In a BYOD world, people don't want to turn control of their devices over to their employers. The age of enterprises controlling devices went out the window with Blackberry's market share.

Containerization is where it's at. With App Containerization, organizations create a secure virtual workspace on mobile devices that enables corporate-approved apps to access, use, edit, and share corporate data while protecting that data from escape to unapproved apps, personal email, OS malware, and other on-device leakage points. For enterprise use-case scenarios, this just makes more sense than MDM. And many of the top MDM vendors have validated the approach by announcing MAM offerings. Still, these solutions maintain a technology silo specific to remote access which doesn't make much sense to me.

As an alternate approach, let's build MAM capabilities directly into the existing Access Management platform. Access Management for the third platform must accommodate for mobile device use-cases. There's no reason to have to manage mobile device access differently than desktop access. It's the same applications, the same data, and the same business policies. User provisioning workflows should accommodate for provisioning mobile apps and data rights just like they've been extended to provision Privileged Account rights. You don't want or need separate silos.

Cloud

The same can be said, for cloud-hosted apps. Cloud apps are simply part of the extended enterprise and should also be managed via the enterprise Access Management platform.

There's been a lot of buzz in the IAM industry about managing access (and providing SSO) to cloud services. There have even been a number of niche vendors pop-up that provide that as their primary value proposition. But, the core technologies for these stand-alone solutions is nothing new. In most cases, it's basic federation. In some cases, it's ESSO-style form-fill. But there's no magic to delivering SSO to SaaS apps. In fact, it's typically easier than SSO to enterprise apps because SaaS infrastructures are newer and support newer standards and protocols (SAML, REST, etc.)

My Point

I guess if I had to boil this down, I'm really just trying to dispel the myths about mobile and cloud solutions. When you get past the marketing jargon, we're still talking about Access Management and Identity Governance. Some of the new technologies are pretty cool (containerization solves some interesting, complex problems related to BYOD). But in the end, I'd want to manage enterprise access in one place with one platform. One Identity, One Platform. I wouldn't stand up a IDaaS solution just to have SSO to cloud apps. And I wouldn't want to introduce an MDM vendor to control access from mobile devices.

The third platform simply extends the enterprise beyond the firewall. The concept isn't new and the technologies are mostly the same. As more and newer services adopt common protocols, it gets even easier to support increasingly complex use-cases. An API Gateway, for example, allows a mobile app to access legacy mainframe data over REST protocols. And modern Web Access Management (WAM) solutions perform device fingerprinting to increase assurance and reduce risk while delivering an SSO experience. Mobile Security SDKs enable organizations to build their own apps with native security that's integrated with the enterprise WAM solution (this is especially valuable for consumer-facing apps).

And all of this should be delivered on a single platform for Enterprise Access Management. That's third-platform IAM.

Is MAM Identity and Access Management’s next big thing?

Mobile Application Management is making waves. Recent news from Oracle, IBM, and Salesforce highlight the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The third platform of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.

[Update - interesting discussion of the IAM technology stack for mobile by SIMIEO]