New Man-in-the-Disk attack leaves millions of Android phones vulnerable

By: Swati Khandelwal

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphone with malicious apps or launch denial-of-service attacks.

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the ‘External Storage’ area to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.

It should be noted that apps on the Android operating system can store their resources in two locations on the device: internal storage and external storage.

Google itself offers guidelines to Android application developers urging them to use internal storage, an isolated space allocated to each application and protected by Android’s built-in sandbox, for their sensitive files and data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

How the Android Man-in-the-Disk Attack Works

Similar to a “man-in-the-middle” attack, the “man-in-the-disk” (MitD) attack involves interception and manipulation of data exchanged between external storage and an application; if that data is replaced with a carefully crafted derivative, it “would lead to harmful results.”
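The handoff described above can be shown in a few lines. The following is an added example, not Check Point’s code or code from any of the apps named in the article: a temporary directory stands in for Android’s shared external storage, a constructed byte string is the “downloaded component”, and a plain function plays the second app that overwrites it. It contrasts a loader that trusts whatever is on disk with one that pins a SHA-256 digest (assumed to arrive over the app’s own trusted channel, such as its TLS-protected API) and hashes the exact bytes it goes on to use.

```python
"""Man-in-the-Disk simulation: a victim app stages a downloaded component on
shared external storage, another app on the same device swaps it, and the
victim later loads whatever is on disk.

Constructed, offline example. The "external storage" is a temporary
directory and the "component" is a small text payload; nothing here touches
a real Android device.
"""
import hashlib
import hmac
import os
import tempfile

GENUINE = b"plugin v1: translate(text) -> text\n"            # what the app downloaded
TAMPERED = b"plugin v1: translate(text) -> exfiltrate(text)\n"  # what the attacker swaps in


def download_to_external(external_dir: str, payload: bytes) -> str:
    """Victim app: stage a downloaded component in world-accessible storage."""
    path = os.path.join(external_dir, "plugin.bin")
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def man_in_the_disk(path: str, replacement: bytes) -> None:
    """Attacker app: any app holding the external-storage permission can overwrite the file."""
    with open(path, "wb") as fh:
        fh.write(replacement)


def load_unverified(path: str) -> bytes:
    """Vulnerable: trusts whatever sits on shared storage at load time."""
    with open(path, "rb") as fh:
        return fh.read()


def load_verified(path: str, expected_sha256: str) -> bytes:
    """Hardened: read once, hash the bytes that will actually be used, and compare
    against a digest obtained over a trusted channel. Re-reading the file after
    the check would reopen the race (time-of-check/time-of-use)."""
    with open(path, "rb") as fh:
        data = fh.read()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"integrity check failed: {actual} != {expected_sha256}")
    return data


def run_scenario(tamper: bool = True) -> dict:
    """Play the download -> (tamper) -> load sequence and report what each loader used."""
    expected = hashlib.sha256(GENUINE).hexdigest()  # pinned digest from the trusted channel
    with tempfile.TemporaryDirectory() as external_dir:
        path = download_to_external(external_dir, GENUINE)
        if tamper:
            man_in_the_disk(path, TAMPERED)
        unverified = load_unverified(path)
        try:
            verified = load_verified(path, expected)
            verified_ok = True
        except ValueError:
            verified, verified_ok = None, False
    return {
        "unverified_loaded_tampered": unverified == TAMPERED,
        "verified_accepted": verified_ok,
        "verified_payload": verified,
    }


if __name__ == "__main__":
    print(run_scenario(tamper=True))
    print(run_scenario(tamper=False))
```

The first-choice fix is not to stage sensitive files on external storage at all: Android’s per-app internal storage is sandboxed. Where shared storage is unavoidable, verify the content as above and never re-read the file after the check, because the attacker’s overwrite can land in that window.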


More: https://thehackernews.com/2018/08/man-in-the-disk-android-hack.html

Google Tracks Android, iPhone Users Even With ‘Location History’ Turned Off

By: Mohit Kumar

Google tracks you everywhere, even if you explicitly tell it not to.

Every time a service like Google Maps wants to use your location, Google asks for your permission, but a new investigation shows that the company tracks you anyway.

An investigation by Associated Press revealed that many Google services on Android and iPhone devices store records of your location data even when you have paused “Location History” on your mobile devices.

Disabling “Location History” in the privacy settings of Google applications should prevent Google from keeping track of your every movement, as its own support page states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

However, AP found that even with Location History turned off, some Google apps automatically store “time-stamped location data” about users without asking them, contradicting that claim.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,” the AP explains.


“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

To demonstrate the effect of this practice, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android smartphone with ‘Location History’ switched off to prevent location data collection.

More: https://thehackernews.com/2018/08/google-mobile-location-tracking.html

The source code of the Exobot Android banking trojan has been leaked online

By: Pierluigi Paganini

The source code of the Exobot Android banking trojan has been leaked online; researchers have already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online, and experts believe we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors advertised it as suitable for phishing attacks and as implementing the features common to banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware capable of infecting even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and put its source code up for sale.

Now researchers from Bleeping Computer have confirmed that they received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last version before its original author gave up on its development.” reads a blog post published by Bleeping Computer.


According to experts from ThreatFabric the version provided to Bleeping Computer was leaked online in May. It seems that one of the users that purchased the malicious code decided to leak it online.

More: https://securityaffairs.co/wordpress/74678/malware/exobot-source-code-leaked.html

Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

By: Mohit Kumar

Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.

Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications. It offers developers a cloud-hosted database that stores data in JSON format and syncs it in real time with all connected clients.

Researchers from mobile security firm Appthority discovered that many app developers fail to properly secure their back-end Firebase endpoints with authentication and access rules, leaving hundreds of gigabytes of their customers’ sensitive data publicly accessible to anyone.

Since Firebase offers app developers an API server, as shown below, to access their databases hosted with the service, attackers can gain access to unprotected data by just adding “/.json” with a blank database name at the end of the hostname.

Sample API URL: https://<Firebase project name>.firebaseio.com/<database.json>
Payload to access data: https://<Firebase project name>.firebaseio.com/.json

To gauge the extent of the issue, the researchers scanned over 2.7 million apps and found that more than 3,000 of them, 2,446 Android and 600 iOS apps, were exposing 2,300 databases holding more than 100 million records, a leak of over 113 gigabytes of data.

More: https://thehackernews.com/2018/06/mobile-security-firebase-hosting.html

DNS-Hijacking Malware Targeting iOS, Android and Desktop Users Worldwide

By: Swati Khandelwal

The widespread router DNS-hijacking malware recently found targeting Android devices has upgraded its capabilities to target iOS devices and desktop users as well.

Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users’ login credentials and the secret code for two-factor authentication.

According to security researchers at Kaspersky Lab, the criminal group behind the Roaming Mantis campaign has broadened its targets by adding phishing attacks for iOS devices and a cryptocurrency-mining script for PC users.

Moreover, while the initial attacks targeted users in South East Asia, including South Korea, China, Bangladesh and Japan, the new campaign supports 27 languages, expanding its operations to infect people across Europe and the Middle East.

How the Roaming Mantis Malware Works

Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them.

So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serve:

  • fake apps infected with banking malware to Android users,
  • phishing sites to iOS users,
  • sites with a cryptocurrency-mining script to desktop users.

“After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk),” researchers say.

To evade detection, the fake websites generate new packages in real time, with a unique malicious APK file for each download, and set the filename to eight random digits.

More: https://thehackernews.com/2018/05/routers-dns-hijacking.html

GLitch attack: Rowhammer attack against Android smartphones now leverages the GPU

By: Pierluigi Paganini

A team of experts has devised an attack technique, dubbed GLitch, that leverages graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

The team has demonstrated how the GPU, reachable from a web page, can be used to mount Rowhammer against an Android phone without installing anything on it.

By exploiting Rowhammer, attackers can obtain higher privileges on the target device. Rowhammer is a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows; in practice this means an attacker can flip bits in memory they are not permitted to write, provided they can steer the flips onto sensitive data.

The issue has been known at least since 2012; the first practical attack was demonstrated in 2015 by researchers on Google’s Project Zero team.

In October 2016, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam devised a new Rowhammer-based attack, dubbed Drammer, that could be exploited to gain ‘root’ access on millions of Android smartphones and take control of the affected devices. The greatest limitation of the Drammer attack was that a malicious application had to be installed on the target device.

Now for the first time ever, the same team of experts has devised a technique dubbed GLitch to conduct the Rowhammer attack against an Android phone remotely.

The GLitch technique leverages the embedded graphics processing unit (GPU) to launch the attack.

“We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to “accelerate” microarchitectural attacks (i.e., making them more effective) on commodity platforms.” reads the research paper.

“In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript.”

The name GLitch comes from WebGL, the widely used browser graphics library the attack drives to trigger the known Rowhammer glitch in DDR memory.

The experts published a GLitch proof-of-concept that exploits the Rowhammer technique by tricking victims into visiting a website hosting malicious JavaScript, remotely compromising an Android smartphone in about two minutes.

The malicious script runs only with the privileges of the web browser, so rather than rooting the device the attack could be used to spy on the user’s browsing activity or steal the user’s credentials.

MORE: https://securityaffairs.co/wordpress/72131/hacking/glitch-attack-amndroid.html

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

By: Swati Khandelwal

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users’ sensitive information, login credentials and the secret code for two-factor authentication.

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

A DNS hijacking attack allows hackers to intercept traffic, inject rogue ads into web pages and redirect users to phishing pages designed to trick them into sharing sensitive information such as login credentials and bank account details.

Hijacking routers’ DNS for malicious purposes is not new. We previously reported on the widespread DNSChanger and Switcher malware, both of which worked by changing the DNS settings of wireless routers to redirect traffic to malicious websites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China, Bangladesh and Japan, since February this year.

Once modified, the rogue DNS settings redirect victims to fake versions of the legitimate websites they try to visit, which display a pop-up warning that says: ”To better experience the browsing, update to the latest chrome version.”
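Both Roaming Mantis write-ups on this page (this one and the May update above) describe the same mechanism: the compromised router hands out a rogue resolver, and that resolver answers for many unrelated sites with one attacker-controlled address. The block below is an added example, not Kaspersky’s tooling: it checks the DHCP-supplied resolvers on a client against a known-good list and looks for that fan-in pattern across unrelated domains. All resolver addresses and DNS answers are constructed samples drawn from documentation address ranges; the known-good list is an assumption about the network under test.

```python
"""Spot a Roaming Mantis-style router DNS hijack from the client side.

Added example, not Kaspersky's tooling. Two checks a practitioner can run on a
device behind a suspect router:
  1. the resolvers the router handed out by DHCP are on a known-good list or
     are the router itself (a LAN address);
  2. unrelated domains do not all resolve to the same address, the fan-in a
     rogue resolver produces when it redirects every site to one landing page.
Inputs below are constructed; replace them with resolv.conf / `ipconfig /all`
and `dig` output from the network under test.
"""
from collections import defaultdict
import ipaddress
import re

# Assumption: the ISP resolver for this network plus well-known public resolvers.
KNOWN_GOOD_RESOLVERS = {"203.0.113.53", "1.1.1.1", "8.8.8.8", "9.9.9.9"}

# A resolver on the LAN is normally the router forwarding queries; that alone is not a tell.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed resolv.conf-style text as a compromised router might hand out.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 198.51.100.77
nameserver 8.8.8.8
"""

# Constructed A-record answers for unrelated domains queried through that router.
SAMPLE_ANSWERS = {
    "www.example.com": "198.51.100.200",
    "mail.example.net": "198.51.100.200",
    "news.example.org": "198.51.100.200",
    "shop.example.co.kr": "198.51.100.200",
    "updates.example.edu": "192.0.2.10",
}


def parse_nameservers(resolv_conf: str) -> list:
    """Pull nameserver addresses out of resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def unknown_resolvers(resolv_conf: str, allowlist=KNOWN_GOOD_RESOLVERS) -> list:
    """Resolvers that are neither allowlisted nor LAN addresses: an unexpected
    public address handed out by DHCP is the Roaming Mantis tell."""
    suspicious = []
    for server in parse_nameservers(resolv_conf):
        addr = ipaddress.ip_address(server)
        if server in allowlist or any(addr in net for net in LAN_NETS):
            continue
        suspicious.append(server)
    return suspicious


def fan_in(answers: dict, threshold: int = 3) -> dict:
    """Group domains by the address they resolve to and report addresses that
    absorb `threshold` or more unrelated names."""
    by_ip = defaultdict(list)
    for domain, ip in answers.items():
        by_ip[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= threshold}


def assess(resolv_conf: str, answers: dict) -> dict:
    """Combine both checks into one verdict for the network under test."""
    bad_resolvers = unknown_resolvers(resolv_conf)
    sinkholes = fan_in(answers)
    return {
        "unknown_resolvers": bad_resolvers,
        "sinkhole_ips": sinkholes,
        "hijack_suspected": bool(bad_resolvers) or bool(sinkholes),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV_CONF, SAMPLE_ANSWERS))
```

CDN fronting and captive portals also make unrelated names share an address, so treat a fan-in hit as a lead to confirm, for instance by re-querying the same names through a resolver you trust and comparing the answers, rather than as proof on its own. The resolver check is the stronger signal: a router should hand out itself or the ISP’s servers, not an arbitrary public address.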

MORE: https://thehackernews.com/2018/04/android-dns-hijack-malware.html

New Android Malware Secretly Records Phone Calls and Steals Private Data

By: Swati Khandelwal

Android trojans and malware usually take a similar approach to infecting their targets: malicious app installation. Once it takes place, the damage can sometimes be irremediable, because strategic information spoken on a voice call or a sensitive document is simply gone and there is nothing left to do.
While security specialists keep repeating the same advice on how to keep your mobile secure, such as not installing apps from third-party stores and protecting the device with a PIN or password, it is hard for the majority to actually follow it.
A smartphone designed to be secure from its conception is the best approach to mitigating all those risks and protecting your assets and strategic information. SIKURPhone, together with SikurOS, is the choice for your Secure Business Platform.

Text by Alexandre Vasconcelos.

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguised as a fake anti-virus application called “Naver Defender.”

Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.

On Monday, Talos researchers published technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks earlier.

Though researchers haven’t attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group “Group 123,” primarily known for targeting South Korean targets.

The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:

  • record phone calls & audio
  • steal web history and files
  • gain root access
  • steal call logs, SMS, emails
  • collect the device’s location every 10 seconds
  • collect a list of installed applications

More: https://thehackernews.com/2018/04/android-spying-trojan.html

Facebook Collected Your Android Call History and SMS Data For Years

By: Swati Khandelwal

Facebook knows a lot about you, your likes and dislikes—it’s no surprise.

But did you know that if you have installed the Facebook Messenger app on your Android device, there is a chance the company had been collecting your contacts, SMS and call history data, at least until late last year?

A tweet from Dylan McKay, a New Zealand-based programmer, which received more than 38,000 retweets (at the time of writing), showed how he found his year-old data, including complete logs of incoming and outgoing calls and SMS messages, in an archive he downloaded (as a ZIP file) from Facebook.

Facebook had been collecting this data on its users for the last few years, which was even reported in the media earlier, but the story did not get much attention at the time.

Since Facebook had been embroiled in controversy over its data-sharing practices after the Cambridge Analytica scandal last week, McKay’s tweets went viral and have now fuelled the never-ending privacy debate.

A Facebook spokesperson explained that, since almost all social networking sites are designed to make it easier for users to connect with friends and family members, Facebook also uploads its users’ contacts to offer the same.

As Ars Technica reported, in older versions of Android, when permissions were far less strict, the Facebook app requested the contacts permission at install time, and on those versions that grant also gave the company access to call and message data automatically.

Google later made Android permissions more granular: API level 16 split call-log access out of the contacts permission, and since Android 6.0 apps must ask users for sensitive permissions at the time they first use them, rather than at installation.

More: https://thehackernews.com/2018/03/facebook-android-data.html

A secure phone for investing in bitcoin is unveiled: what is it about?

By: Desiree Jaimovich

Barcelona (special correspondent). SikurPhone is a phone designed especially for those who have (or are interested in having) investments in bitcoin. It is supposed to offer greater convenience and security for managing cryptocurrencies, for several reasons.

The phone has its “own” operating system, which in reality is nothing more than a customized version of Android 7.0. Apps cannot be downloaded from Google Play on the phone; only apps designed specifically within the company’s ecosystem can be installed.

By not coming into contact with third-party apps, the phone is less exposed to being hacked, stresses Alexandre Vasconcelos, a Sikur spokesperson. This is a fair point, considering that in 2017 alone Google had to remove some 700,000 malicious apps and expel more than 100,000 developers from its store for trying to harm the devices of the 2 billion Android users worldwide.

The phone’s creators say that in the last week alone they submitted the device to testing by a hundred hackers and that none of them managed to break through the system’s security barriers.

MORE: https://www.infobae.com/america/tecno/2018/03/01/presentan-un-telefono-seguro-para-invertir-en-bitcoins-de-que-se-trata/