Half a million Android users tricked into downloading malware from Google Play

By: Zack Whittaker

More than half a million users have installed Android malware posing as driving games — from Google’s own app store.

Lukas Stefanko, a security researcher at ESET, tweeted details of 13 gaming apps — made by the same developer — which were at the time of his tweet downloadable from Google Play. Two of the apps were trending on the store, he said, giving the apps greater visibility.

Combined, the apps surpassed 580,000 installs before Google pulled the plug.

Anyone downloading the apps was expecting a truck or car driving game. Instead, they got what appeared to be a buggy app that crashed every time it opened.

In reality, the app was downloading a payload from another domain — registered to an app developer in Istanbul — and installed malware behind the scenes, deleting the app’s icon in the process. It’s not clear exactly what the malicious apps do; none of the malware scanners seemed to agree on what the malware does, based on an uploaded sample to VirusTotal. What is clear is that the malware has persistence — launching every time the Android phone or tablet is started up, and has “full access” to its network traffic, which the malware author can use to steal secrets.

We reached out to the Istanbul-based domain owner, Mert Ozek, but he did not respond to our email. (If that changes, we’ll update).

Mobile operating systems and security – evolution

By: Alexandre Vasconcelos

Operating systems have been the foundation of computing since its earliest days, because there has always been a need for a base platform from which other programs are executed. It is a fascinating and extensive subject, and a mandatory course in computer science degrees.

Mobile operating systems, being more recent, are inevitably derivations (or even adaptations) of existing systems, but that does not make them any less capable of performing noble – and mandatory – tasks such as managing hardware resources, for example.

And security? It has been neglected by many over the last few decades. However, as cloud computing and the mass adoption of mobile devices grow, it inevitably becomes a subject of great relevance.

One of the main points that determines a product's greater or lesser success is how it is planned and, consequently, designed. Without going too far back in time, the technology veterans who started their careers back in the 1980s will remember (often fondly) the mainframes and the monitors that displayed only characters, devoted to computational efficiency and to making the most of the scarce hardware resources of the time. There was no mobility, security played its part, connectivity was quite restricted and threats were limited.

A little later, in the 1990s, Internet use intensified and graphical interfaces became increasingly popular, but security still played a supporting role in this story. Google, the iMac and portable MP3 players were born, and mobile telephony was also advancing. Operating systems continued to evolve, not only through progress in graphical interfaces but also with the emergence of options such as Linux, which would decisively influence the market. Here security still had a secondary role; fraud and identity theft were somewhat isolated events that caused little damage, despite the growing number of flaws in Flash and browser plugins, for example.

In the early 2000s we have a much more solid and exciting scenario, with many solutions available and a much more mature technology market. With the Internet increasingly present, distributed and faster, social networks and YouTube would pave the way for mobile devices such as the iPhone, as well as the first versions of Android (between 2007 and 2009), to claim a permanent place. It is here that security begins to take a prominent role, as data starts migrating to these devices.

In recent years some events have had an impact on the use of technology. In politics, when doubts arose about Russian influence in the American elections; as well as countless cases of data leaks.

More: http://tiinside.com.br/tiinside/seguranca/

WhatsApp confirms that backups stored in iCloud and Google Drive lose end-to-end encryption

By: Raúl Álvarez

A few days ago WhatsApp and Google announced with great fanfare a new agreement that would benefit all users of the platform on Android. Starting November 12, all Android users will be able to back up their conversations to Google Drive without those backups counting against their storage quota.

However, there is a detail here that was overlooked at the time and that is now made clear: WhatsApp's free backups on Google Drive lose their encryption, something that also applies to backups in iCloud from an iPhone.

Private information without any kind of protection

When the announcement was made, WhatsApp updated its support page to reflect these changes, where it also explained step by step how to configure this feature. Which, of course, raised suspicions as being “too good to be true”.

And so it has been: today WhatsApp has once again updated its support site to explicitly mention the loss of encryption in Google Drive backups:

“Important: Media and messages you back up are not protected by WhatsApp end-to-end encryption while in Google Drive.”


But that's not all, since it is also confirmed that this applies equally to the backups we currently have in Google Drive and iCloud. In other words, all stored backups are saved without any kind of protection, so anyone with access to those backups could gain access to messages, photos, videos, location and everything we share on WhatsApp.

But be careful: most comments are focusing on what happens on Android with WhatsApp and Google Drive, but the reality is that iPhone backups saved to iCloud also lose encryption once stored. That is, neither on Android nor on iOS will we have WhatsApp backups protected by encryption.

More: https://m-xataka-com.cdn.ampproject.org

Android ‘Triout’ spyware records calls, sends photos and text messages to attackers

By: Ms. Smith

Triout, a creepy Android spyware identified by Bitdefender researchers, can secretly snap photos and videos, record phone calls, log text messages and keep track of victims’ locations. The spyware framework’s extensive surveillance capabilities that can be bundled into benign apps make it likely that it is part of an espionage campaign.

The malicious app contains the same code and functionality as the original app as well as the malicious payload. Perhaps there were a lot of people in Israel looking to spice up their love lives, because that is where most of the Triout-infected ‘Sex Game’ (SexGameForAdults) apps were detected. The first malware sample, however, was originally submitted to VirusTotal from Russia on May 15, 2018.

Triout was detected by Bitdefender’s machine learning algorithms. Bitdefender researchers suspect the Triout spyware is being hosted on attacker-controlled domains or third-party marketplaces. The firm suspects it is being used for an espionage campaign, but does not know what group or nation is behind it.

The spyware capabilities include:

  • Recording every phone call as a media file and sending it along with the call date, call duration and the caller ID to a C&C server.
  • Logging every incoming text message and sending it to the C&C.
  • Taking photos with the front and rear cameras and sending those to the C&C server; the camera capture was described as “one of the more disturbing features” by Bitdefender.
  • Logging GPS coordinates and sending the tracked data to the C&C.
  • The Android spyware can also hide itself from the user.

Despite all those advanced spying features, the most striking thing about the sample, according to Bitdefender’s whitepaper (pdf), “is that it’s completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices.” The C&C server, a single, hardcoded IP address, to which the app sends the collected data has been operational since May.

More: https://www-csoonline-com.cdn.ampproject.org/

New Man-in-the-Disk attack leaves millions of Android phones vulnerable

By: Swati Khandelwal

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks.

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps utilize the ‘External Storage’ system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.

It should be noted that apps on the Android operating system can store their resources on the device in two locations—internal storage and external storage.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

How the Android Man-in-the-Disk Attack Works

Similar to the “man-in-the-middle” attack, the concept of “man-in-the-disk” (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative “would lead to harmful results.”


More: https://thehackernews.com/2018/08/man-in-the-disk-android-hack.html

Google Tracks Android, iPhone Users Even With ‘Location History’ Turned Off

By: Mohit Kumar

Google tracks you everywhere, even if you explicitly tell it not to.

Every time a service like Google Maps wants to use your location, Google asks your permission to allow access to your location if you want to use it for navigating, but a new investigation shows that the company does track you anyway.

An investigation by Associated Press revealed that many Google services on Android and iPhone devices store records of your location data even when you have paused “Location History” on your mobile devices.

Disabling “Location History” in the privacy settings of Google applications should prevent Google from keeping track of your every movement, as its own support page states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

However, AP found that even with Location History turned off, some Google apps automatically store “time-stamped location data” on users without asking them, contradicting the company's own claim.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,” the AP explains.


“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

To demonstrate the threat of this Google practice, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android smartphone with ‘Location History’ switched off to prevent location data collection.

More: https://thehackernews.com/2018/08/google-mobile-location-tracking.html

The source code of the Exobot Android banking trojan has been leaked online

By: Pierluigi Paganini

The source code of the Exobot Android banking trojan has been leaked online, and researchers have already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online, and experts believe that we will soon witness a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016, when its authors were advertising it on the dark web.

The authors advertised it as usable for phishing attacks, and it implements the features of most common banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware that is capable of infecting even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and offered its source code for sale.

Now researchers from Bleeping Computer confirmed that they received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric in order to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last versions before its original author gave up on its development.” reads a blog post published by Bleeping Computer.


According to experts from ThreatFabric the version provided to Bleeping Computer was leaked online in May. It seems that one of the users that purchased the malicious code decided to leak it online.

More: https://securityaffairs.co/wordpress/74678/malware/exobot-source-code-leaked.html

Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

By: Mohit Kumar

Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.

Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications. It offers developers a cloud-based database, which stores data in JSON format and syncs it in real time with all connected clients.

Researchers from mobile security firm Appthority discovered that many app developers fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of their customers' sensitive data publicly accessible to anyone.

Since Firebase offers app developers an API server, as shown below, to access their databases hosted with the service, attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname.

Sample API URL: https://<Firebase project name>.firebaseio.com/<database.json>
Payload to access data: https://<Firebase project name>.firebaseio.com/.json
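The exposure above comes down to Realtime Database security rules that grant access unconditionally. As an added example (not from the article or from Appthority), the Python below audits a Firebase rules document and flags every path whose `.read` or `.write` is literally `true`; both rule sets are constructed samples, and an open root `.read` is exactly the condition under which the `/.json` request returns the whole database.

```python
import json

# Constructed sample: weak Realtime Database rules. A root-level ".read": true
# means https://<project>.firebaseio.com/.json dumps everything to anyone.
WEAK_RULES = json.dumps({
    "rules": {".read": True, ".write": True}
})

# Constructed sample: hardened rules. Per-user data is readable and writable
# only by its authenticated owner; one subtree is deliberately world-readable.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True, ".write": False},
    }
})


def _is_unconditional(value):
    """A rule grants access to everyone when it evaluates to a literal true."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def find_open_rules(rules_json):
    """Return (path, operation) pairs where .read/.write is unconditionally true.

    Rules cascade downward in the Realtime Database: an open ".read" on a
    parent exposes every child path, so a finding at "rules" means the
    entire database is public.
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path, key))
            elif not key.startswith("."):
                # Child location, including $wildcard segments such as $uid.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "rules")
    return findings


def database_is_public(rules_json):
    """True when the root itself is readable without authentication."""
    return ("rules", ".read") in find_open_rules(rules_json)


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, find_open_rules(rules), "public root:", database_is_public(rules))
```

Any finding the audit reports should either be a path that is meant to be public (like `public_config` here) or be rewritten to require `auth != null`.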

To find the extent of this issue, researchers scanned over 2.7 million apps and found that more than 3,000 apps—2,446 Android and 600 iOS apps—were leaking 2,300 databases in total with more than 100 million records, making it a giant breach of over 113 gigabytes of data.

More: https://thehackernews.com/2018/06/mobile-security-firebase-hosting.html

DNS-Hijacking Malware Targeting iOS, Android and Desktop Users Worldwide

By: Swati Khandelwal

The widespread router DNS-hijacking malware that was recently found targeting Android devices has now upgraded its capabilities to target iOS devices as well as desktop users.

Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users’ login credentials and the secret code for two-factor authentication.

According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened their targets by adding phishing attacks for iOS devices, and cryptocurrency mining script for PC users.

Moreover, while the initial attacks were designed to target users from South East Asia–including South Korea, China, Bangladesh, and Japan–the new campaign now supports 27 languages to expand its operations to infect people across Europe and the Middle East.

How the Roaming Mantis Malware Works

Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them.

So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serve:

  • fake apps infected with banking malware to Android users,
  • phishing sites to iOS users,
  • sites with cryptocurrency mining script to desktop users.

“After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk),” researchers say.

To evade detection, the fake websites generate new packages in real time with unique malicious apk files for download, and also set the filename to eight random numbers.

More: https://thehackernews.com/2018/05/routers-dns-hijacking.html

GLitch attack, Rowhammer attack against Android smartphones now leverages GPU.

By: Pierluigi Paganini

A team of experts has devised the GLitch attack technique that leverages graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

A team of experts has demonstrated how to leverage graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

By exploiting Rowhammer, attackers can obtain higher kernel privileges on the target device. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, which means that, in theory, an attacker can change the value of any bit in memory.

The issue has been known since at least 2012; the first attack was demonstrated in 2015 by white-hat hackers on Google's Project Zero team.

In October 2016, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam devised a new method of attack based on Rowhammer, dubbed the DRAMMER attack, that could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices. The greatest limitation of the Drammer attack was the need to have a malicious application installed on the target device.

Now for the first time ever, the same team of experts has devised a technique dubbed GLitch to conduct the Rowhammer attack against an Android phone remotely.

The GLitch technique leverages embedded graphics processing units (GPUs) to launch the attack.

“We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to “accelerate” microarchitectural attacks (i.e., making them more effective) on commodity platforms.” reads the research paper.

“In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript.”

The name GLitch comes from WebGL, a widely used browser-based graphics library for rendering graphics, which the attack uses to trigger a known glitch in DDR memory.

The experts published a GLitch proof-of-concept attack that can exploit the Rowhammer attack technique by tricking victims into visiting a website hosting a malicious JavaScript code to remotely hack an Android smartphone in just 2 minutes.

The malicious script runs only with the privileges of the web browser, which means the attack could allow an attacker to spy on users’ browsing activity or steal their credentials.

More: https://securityaffairs.co/wordpress/72131/hacking/glitch-attack-amndroid.html