- Android -

Last update 04.10.2017 16:16:35

Introduction  List  Kategorie  Subcategory  0  1  2  3  4  5  6  7  8 



Android P to Block Apps From Monitoring Device Network Activity
11.5.2018 thehackernews Android

Do you know that any app you have installed on your Android phone can monitor the network activities—even without asking for any sensitive permission—to detect when other apps on your phone are connecting to the Internet?
Obviously, they cant see the content of the network traffic, but can easily find to which server you are connecting to, all without your knowledge. Knowing what apps you often use, which could be a competing or a financial app, "shady" or "malicious" app can abuse this information in various ways to breach your privacy.
But it seems like Google has planned to address this serious privacy issue with the release of its next flagship mobile operating system.
With Android P, any app will no longer be able to detect when other apps on your Android device are connecting to the Internet, according to the new code changes in Android Open Source Project (AOSP) first noticed by XDA Developers.
"A new commit has appeared in the Android Open Source Project to 'start the process of locking down proc/net,' [which] contains a bunch of output from the kernel related to network activity," XDA Developers writes.
"There's currently no restriction on apps accessing /proc/net, which means they can read from here (especially the TCP and UDP files) to parse your device's network activity. You can install a terminal app on your phone and enter cat /proc/net/udp to see for yourself."
Also Read: Android P Will Block Background Apps from Accessing Your Camera, Microphone
However, the new changes applied to the SELinux rules of Android P will restrict apps from accessing some network information.

The SELinux changes will enable only designated VPN apps to access some of the network information, while other Android apps seeking access to this information will be audited by the operating system.
However, it should be noted that the new SELinux changes are coming for apps using API level 28 running on Android P—which means that apps working with API levels prior to 28 continue to have access to the device' network activities until 2019.
A few custom ROMs for Android, such as CopperheadOS, have already implemented these changes years ago, offering better privacy to their users.
As XDA developers pointed out, this new change introduced to the Android operating system appears to be very small that users will hardly notice, "but the implications for user privacy will be massive."


Google Releases Additional Meltdown Mitigations for Android

9.5.2018 securityweek   Android

As part of its May 2018 Android Security Bulletin, Google this week released additional mitigations for the Meltdown attack that impacts microprocessors from Intel, AMD, and other vendors.

The attack leverages CVE-2017-5754, a security vulnerability that allows applications to bypass memory isolation and read arbitrary kernel memory locations. Meltdown was made public in January 2018 alongside Spectre, an attack residing in speculative execution (leveraging CVE-2017-5753 and CVE-2017-5715).

In January, Google released protections for both Meltdown and Spectre attacks, and this month delivered additional mitigations as part of the 2018-05-05 security patch level. Impacting Kernel components, the issue was addressed along with CVE-2017-16643, an information disclosure in USB driver.

“The most severe vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” Google notes in an advisory.

The May 2018 Android Security Bulletin is split into two parts, the first being the 2018-05-01 security patch level, which addresses 7 High severity vulnerabilities in Android runtime, Framework, Media framework, and System.

The bugs include Information Disclosure, Elevation of Privilege, and Denial of Service and impact Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1 releases.

In addition to the Meltdown mitigations, the 2018-05-05 security patch level also includes patches for security flaws in NVIDIA and Qualcomm components.

Three vulnerabilities were addressed in NVIDIA components: an elevation of privilege rated Critical, along with an information disclosure and an elevation of privilege assessed as High risk. The most severe of the vulnerabilities could allow a malicious application to execute code within the context of the trusted execution environment (TEE).

A total of 11 vulnerabilities were addressed in Qualcomm components, including a Critical remote code execution bug that could be exploited by an attacker over WLAN. Rated High severity, the remaining bugs included 9 elevation of privilege flaws and one denial of service issue.

Also this week, Google released a new set of patches for the Pixel and Nexus devices to address a total of 34 security bugs. Impacting Framework, Media framework, System, and Kernel, NVIDIA and Qualcomm components, the vulnerabilities feature a Moderate severity rating (two are considered High risk on Android 6.0 and 6.0.1).

In addition to security patches, the Pixel / Nexus Security Bulletin—May 2018 includes a couple of functional updates to address issues not related to the security of these devices.


May 2018 Android Security Bulletin includes additional Meltdown fix
9.5.2018 securityaffairs Android

Google releases additional Meltdown mitigations for Android as part of the May 2018 Android Security Bulletin. The tech giant also addresses flaws in NVIDIA and Qualcomm components.
Both Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack (CVE-2017-5754 vulnerability) could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The good news is that Meltdown attacks are not easy to conduct and the risk of exploitation is considered low.

Early this year, Google released mitigations for both Meltdown and Spectre attacks, and not delivered additional mitigations. The Meltdown mitigation was addressed along with the information disclosure flaw in USB driver tracked as CVE-2017-16643.

“The most severe vulnerability in this section [Kernel components] could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” reads the security advisory published by Google.

The May 2018 Android Security Bulletin is composed of two parts, the first one being the 2018-05-01 security patch level, that addresses seven High severity issues (CVE-2017-13309, CVE-2017-13310, CVE-2017-13311, CVE-2017-13312, CVE-2017-13313, CVE-2017-13314, CVE-2017-13315) in Android runtime, Framework, Media framework, and System.

The flaws addressed in the 2018-05-01 security patch level include Information Disclosure, Elevation of Privilege, and Denial of Service that affects Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1 releases.

The second section is the “2018-05-05 security patch level vulnerability details” that includes details for each of the security vulnerabilities that apply to the 2018-05-05 patch level.

The 2018-05-05 security patch level includes patches for security vulnerabilities affecting NVIDIA and Qualcomm components.

Three vulnerabilities that were fixed in the NVIDIA components are CVE-2017-6289, CVE-2017-5715, CVE-2017-6293, respectively a critical elevation of privilege, an information disclosure and an elevation of privilege ranked as High risk.

“The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of the TEE.” continues the advisory.

Google addressed 11 vulnerabilities in Qualcomm components, including a Critical remote code execution flaw that could be exploited by an attacker over WLAN. The remaining issued are 9 elevation of privilege vulnerabilities and one denial of service issue.


GLitch attack, Rowhammer attack against Android smartphones now leverages GPU
4.5.2018 securityaffairs Android

A team of experts has devised the GLitch attack technique that leverages graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.
A team of experts has demonstrated how to leverage graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

By exploiting the Rowhammer attackers hackers can obtain higher kernel privileges on the target device. Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

The issue has been known at least since 2012, the first attack was demonstrated in 2015 by white hat hackers at Google Project Zero team.

In October 2016, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam devised a new method of attack based on Rowhammer, dubbed DRAMMER attack, that could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices. The greatest limitation of the Drammer attack was the necessity to have a malicious application being installed on the target device.

Now for the first time ever, the same team of experts has devised a technique dubbed GLitch to conduct the Rowhammer attack against an Android phone remotely.

The GLitch technique leverages embedded graphics processing units (GPUs) to launch the attack

“We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to “accelerate” microarchitectural attacks (i.e., making them more effective) on commodity platforms.” reads the research paper.

“In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript”

The name GLitch comes from a widely used browser-based graphics code library known as WebGL for rendering graphics to trigger a known glitch in DDR memories.

The experts published a GLitch proof-of-concept attack that can exploit the Rowhammer attack technique by tricking victims into visiting a website hosting a malicious JavaScript code to remotely hack an Android smartphone in just 2 minutes.

The malicious script runs only within the privileges of the web browser, which means that it can the attack could allow to spy on user’s browsing activity or steal users’ credentials.

Experts highlighted that the attack could not allow threat actors to gain the full control over the victim’s device.

GLitch rather than leverage the CPU like other implementation for the Rowhammer technique uses the graphics processing units (GPU).

The researchers have chosen to leveraged the GPU because its cache can be more easily controlled, allowing them to hammer targeted rows without any interference.

“While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms” continues the paper.

Affected smartphones run the Snapdragon 800 and 801 system on a chip, this implies that the GLitch attack only works only on older Android devices, including LG Nexus 5, HTC One M8, or LG G2.

GLitch attack

The PoC code works against both Firefox and Chrome, the video demo researchers demonstrate the GLitch attack on a Nexus 5 running over Mozilla’s Firefox browser.

The bad news for Android users is that no software patch can mitigate the GLitch attack because it leverages hardware bugs.

Experts warn of potential effects of Rowhammer attacks on a large scale, they are currently helping Google to mitigate the attack.

If you’re interested in more details about the exploit or other technical details I suggest you read the technical walkthrough.


Android Phones Vulnerable to Remote Rowhammer Attack via GPU
4.5.2018 securityweek  Android

A team of researchers has shown how malicious actors could leverage graphics processing units (GPUs) to launch Rowhammer attacks remotely against Android smartphones.

Rowhammer attacks involve repeatedly accessing a row of memory and causing bit flips in adjacent rows. The issue has been known since at least 2012, but its security implications were first discussed only in 2014, and the first attack was demonstrated in 2015 when Google researchers showed that it could be exploited for privilege escalation.

Other experts later discovered that Rowhammer was remotely exploitable via JavaScript and even demonstrated attacks on mobile platforms, specifically for rooting Android phones. A new variation of the attack presented last year bypassed mitigations proposed up to that point.

Researchers from the VU University in Amsterdam have now shown that the GPU integrated in most mobile processors can also be abused for Rowhammer and other microarchitectural attacks.

Experts demonstrated that JavaScript-based attacks can be launched remotely against web browsers such as Firefox and Chrome on older LG Nexus 5, HTC One M8 and LG G2 smartphones running Android. These devices use the GPU integrated into the Snapdragon 800/801 mobile chips.

The researchers claim their technique, which they have dubbed GLitch, is an improvement to existing CPU attacks, and it can bypass “state-of-the-art” mitigations. Their experiments have shown that the GPU-based Rowhammer attack is reliable and it can be used to compromise a mobile browser in less than two minutes.

“In comparison, even on PCs, all previous Rowhammer attacks from JavaScript require non default configurations (such as reduced DRAM refresh rates or huge pages) and often take such a long time that some researchers have questioned their practicality,” the researchers said in their paper.

“Our GLitch exploit shows that browser-based Rowhammer attacks are entirely practical even on (more challenging) ARM platforms. One important implication is that it is not sufficient to limit protection to the kernel to deter practical attacks, as hypothesized in previous work,” they added.

Ars Technica reported that Chrome 65 and Firefox 59 include mitigations for these types of attacks, and further protections will be rolled out by Google and Mozilla in the upcoming period.

The discovery of the GLitch method is important as it helps software and hardware vendors make their future products more secure, but these types of attacks require significant knowledge and resources and are unlikely to be seen in the wild any time soon.


Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan
25.4.2018 thehackernews  Android

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication.
In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.
DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.
Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.
Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.
Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—"To better experience the browsing, update to the latest chrome version."

It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.
"The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker."
If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, "Account No.exists risks, use after certification."
Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.

To convince users into believing that they are handing over this information to Google itself, the fake page displays users' Gmail email ID configured on their infected Android device, as shown in the screenshots.
"After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit," researchers said. "Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English."
Since Roaming Mantis malware app has already gained permission to read and write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for victims' accounts.
While analysing the malware code, Researchers found reference to popular South Korean mobile banking and gaming applications, as well as a function that tries to detect if the infected device is rooted.
"For attackers, this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system," the researchers said.
What's interesting about this malware is that it uses one of the leading Chinese social media websites (my.tv.sohu.com) as its command-and-control server and sends commands to infected devices just via updating the attacker-controlled user profiles.

According to Kaspersky's Telemetry data, the Roaming Mantis malware was detected more than 6,000 times, though the reports came from just 150 unique users.
You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.
You should also disable router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.


Safe Browsing Now On by Default on Android
25.4.2018 securityweek Android

Google is taking another step to protect Android users when browsing the Internet by making Safe Browsing in WebView set by default.

Launched in 2007, Google Safe Browsing was designed as an extra layer of protection against phishing and malware attacks, and is available for all users across the web. According to Google, the technology delivers protection to more than three billion devices.

Over the past several years, the search giant has made various improvements to Safe Browsing, and also made the technology available to Android and macOS. Safe Browsing also includes protections from unwanted software across both desktop and mobile platforms.

Now, Google reveals that Safe Browsing is available to WebView by default, via Google Play Protect. The change will take effect when WebView 66 arrives this month.

The availability of Safe Browsing in WebWiew means that all Android applications using the platform will be delivering new security benefits to their users.

“Developers of Android apps using WebView no longer have to make any changes to benefit from this protection,” Nate Fischer, Software Engineer, Google, notes in a blog post.

Google made Safe Browsing available in WebView since the release of Android 8.0 (API level 26) and developers could take advantage of the same underlying technology as Chrome on Android to keep their users safe from threats on the Internet.

Following the new change, all applications using WebWiew will present a warning and receive a network error when Safe Browsing is triggered. New APIs for Safe Browsing provide developers of apps built for API level 27 and above to customize this behavior.

Google is providing details on how to customize and control Safe Browsing via the Android API documentation. Google also provides developers with a Safe Browsing test URL so they can check their applications using the current WebView beta.


Popular Android Apps Leak User Data via Third-Party SDKs
19.4.2018 securityweek Android

Popular mobile applications that use third-party, ready-to-go advertising Software Development Kits (SDKs) expose user data by transmitting it over the insecure HTTP protocol, Kaspersky Lab warns.

While analyzing popular dating apps, the security firm discovered that user data is often transmitted unencrypted when SDKs from popular advertising networks are used. With some of the apps having several billion installations worldwide, security flaws put a gigantic amount of private data at risk.

Consisting of development tools and often provided free of charge, SDKs allow app developers to immediately include some capabilities into their apps and save time while focusing on other, more important elements. However, it also means that developers don’t know that the used code may contain security issues.

The advertising SDKs were designed to collect user data to show relevant ads and help developers monetize their product.

These kits would send the collected data to the domains of popular advertising networks to ensure more targeted ad displaying, but the data is sent unencrypted over HTTP, meaning it remains unprotected from a variety of attacks while in transit. The data is exposed via unprotected Wi-Fi, Internet Service Providers, or malware on a home router, Kaspersky says.

Not only can the data be intercepted, but it can also be modified, which could result in users being exposed to malicious ads instead of legitimate ones. This could result in users being tricked into downloading promoted applications that could turn out to be malware.

Analysis of a file one of the applications was sending to an analytics company revealed the type of data being transmitted unencrypted: device information, date of birth, user name, and GPS coordinates, along with information on app usage (such as profiles liked by the user).

Other analyzed dating apps were showing similar behavior, using HTTPS to communicate with their servers, but making HTTP requests to a third-party server. This server was belonging to an advertising network used by both dating apps and the user data was sent as parameters in a URL.

What Kaspersky discovered was that the leaky applications were using large amounts of third-party code, with every app containing at least 40 different modules.

“They make up a huge part of these apps – at least 75% of the Dalvik bytecode was in third-party modules; in one app the proportion of third-party code was as high as 90%,” Kaspersky’s Roman Unuchek notes in a blog post.

After diving into the GET and POST requests through which popular applications with third-party SDKs were sending unencrypted data, the security firm was able to identify the most popular SDKs leaking user data, as well as the domains the data was being sent to.

The four most popular domains the apps were exposing data to via GET requests include mopub.com (used in apps with hundreds of millions of installs), rayjump.com (nine of the apps had a total of 2 billion installs), tappas.net (tens of millions of installations), and appsgeyser.com (supposedly used in 6 million apps with almost 2 billion installations between them).

The four most popular domains the apps were exposing data to via POST requests include ushareit.com (one of the apps had more than 500 million installs), Lenovo (which was leaking user data because of a mistake by developers), Nexage.com (nearly 1.5 billion installs in 8 apps alone), and Quantumgraph.com (with tens of millions of installs).

In most cases, the SDKs were leaking data such as device information (screen resolution, storage size, volume, battery level, OS version, IMEI, IMSI, language), network information (operator name, IP address, connection type, signal strength, MAC), device coordinates, Android ID, app usage, and personal information such as user name, age and gender. Phone number and email address can also be leaked.

The main issue with these apps is that they send the data unencrypted, meaning that it can be intercepted. This means that anyone able to intercept the data can learn a lot about the user, and, depending on the transmitted data, can even use it to do harm. Additionally, the data can be modified, leading to other malicious attacks.

“Starting from the second half of 2016, more and more apps have been switching from HTTP to HTTPS. So, we are moving in the right direction, but too slowly. As of January 2018, 63% of apps are using HTTPS but most of them are still also using HTTP. Almost 90% of apps are using HTTP. And many of them are transmitting unencrypted sensitive data,” Unuchek points out.

The security researcher urges developers to stop using HTTP and to turn on 301 redirection to HTTPS for the frontends. They should also encrypt data, always use the latest version of an SDK, and should check the app’s network communications before publishing.

Users are advised to check the permissions requested by each application and only grant those permissions that are required for the application’s functionality. They should also use a VPN, which would encrypt the traffic to external servers.

“The scale of what we first thought was just specific cases of careless application design is overwhelming. Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices,” Unuchek said.


Android Trojan Spreads via DNS Hijacking
17.4.2018 securityweek Android

An Android Trojan masquerading as popular mobile applications is propagating via smartphones roaming between Wi-Fi networks, Kaspersky Lab warns.

Over the span of two months, the Moscow-based security firm observed the malware mainly targeting users in Asia. As part of the attack, DNS settings of routers are hijacked to redirect users to malicious IP addresses, where they serve fake versions of popular applications.

Dubbed Roaming Mantis, the Trojan appears to be the work of a financially motivated actor familiar with both Simplified Chinese and Korean. The attackers were observed using Trojanized applications named facebook.apk and chrome.apk to trick users into installing the malware.

After being redirected to a malicious website, users are prompted, for example, to install an update for Chrome: “To better experience the browsing, update to the latest chrome version,” the popup message displayed by the rogue server reads, Kaspersky says.

During installation, Roaming Mantis requests permission to be notified when the device is booted, to use the Internet, collect account information, manage SMS/MMS and make calls, record audio, control external storage, check packages, work with file systems, draw overlay windows, and more.

After installation, the malware overlays a message over all other windows, after which it starts its own webserver on the device, and renders a page spoofing Google’s authentication on 127.0.0.1. Using the Google account name collected from the infected device, the threat asks the user to provide a name and date of birth, claiming that this would facilitate access to the account.

The Trojan also attempts to get a verification code for two-factor authentication, but a bug in the code resulted in the Korean text to be displayed for Japanese and English users as well. The malware developers could also attempt to steal verification codes using the receive/read/write/send SMS/MMS and record audio permissions.

The malware’s code also contains references to Android applications popular in South Korea, linked to mobile banking and games: wooribank.pib.smart, kbstar.kbbank, ibk.neobanking, sc.danb.scbankapp, shinhan.sbanking, hanabank.ebk.channel.android.hananbank, smart, epost.psf.sdsi, kftc.kjbsmb, smg.spbs, webzen.muorigin.google, ncsoft.lineagem19, ncsoft.lineagem, co.neople.neopleotp, co.happymoney.android.happymoney, nexon.axe, nexon.nxplay, atsolution.android.uotp2.

The malware also verifies the presence of the su binary (superuser), which is usually an indication that the device is rooted (the su binary is not present on regular Android devices). This could allow attackers to gain elevated privileges on the system.

The malware appears to be receiving code updates on a regular basis, and the security researchers note that it also includes a new feature to communicate with the C&C via email protocols. The Trojan sends data such as language, phone number, access information, and the result of a PING test to the C&C.

Between February 9 and April 9, 2018, Kaspersky observed more than 6,000 occurrences of the malware, but only around 150 unique users appeard to be impacted.

Most detections came from South Korea, Bangladesh, and Japan, which isn’t surprising, as the malware’s capabilities suggest it was designed to be spread mainly in Asian countries. The researchers noticed around 3,000 connections to the C&C infrastructure per day, which reveals a much larger infection campaign.

Based on the system locale information the malware sends to the C&C, the researchers discovered that 98% of affected devices appear to have the Korean locale set. The remaining devices use English (both U.K. and U.S.), Simplified Chinese, Japanese, and others.

Roaming Mantis can not only steal information from the infected devices, but also provide attackers with full control over them. Likely the work of cybercriminal hackers, the Trojan is being updated each day, showing that the malicious actor is highly active.


Roaming Mantis Malware Campaign Leverages Hacked Routers to Infect Android Users With Banking Trojan
17.4.2018 securityaffairs Android

According to experts at Kaspersky, the Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on DNS hijacking.

Imagine a nefarious person swapped out your phone book with one they created, where all of the important phone numbers have been changed to call the bad actors’ friends instead of the bank you were trying to call.

Then imagine whomever answered the phone was able to convince you they actually are the bank you thought you were calling. You answer your security questions over the phone and when you hang up, the bad actor then calls your bank and successfully masquerades as you since they now have answers to your security questions. It is a flawed analogy since none of us use phone books anymore. But if you replace “phone books” with “DNS”, it is not just an analogy — it is a real cyberattack targeting mobile phone users in Asia right now — and it appears to be after users’ banking details.

In March 2018, reports began to surface about hacked routers in Japan redirecting users to compromised websites. Investigation by Kaspersky Lab indicates that the ongoing attack is targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Infection statistics show that users in Bangladesh, Japan and South Korea are the most impacted.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The attack begins when a user attempts to access a legitimate website through a compromised router. Instead of reaching the intended website, the user is redirected to a convincing copy of the website and will be presented with a popup dialog box which says, “To better experience the browsing, update to the latest Chrome version.” When the user clicks on the OK button, a file called chrome.apk is downloaded, but instead of containing an updated Chrome browser, the file contains the Roaming Mantis malware. During installation of the malware, the user will be prompted to authorize a number of permissions including the ability to appear on top of other applications, access the contact list, collecting account information, sending/receiving SMS messages, making phone calls, recording audio.

Once these permissions have been confirmed by the user, the next stage of the compromise begins.

Using the ability to appear on top of other applications, the malware displays a warning message that says, “Account No. exists risks, use after certification.” When the user presses the Enter button, a fake version of a Google website hosted on a temporary web server on the phone is displayed. The fake pages show the user’s Gmail ID and ask for the user’s Name and Date of Birth. This will provide the bad actors with users’ Google IDs, full names and dates of birth which is enough to start compromising banking information.

Most banks require a second authentication factor (2FA) before allowing a user to make changes, but the malware is authorized to intercept SMS messages which should subvert many 2FA processes.

Mantis Malware

Bad actors implement upgrade processes for malware to ensure they can adapt and improve over time. Roaming Mantis makes use of popular Chinese social media site my.tv.sohu.com for its command & control (C2) needs. Simply making changes to a specific user profile on the social media network can trigger updates on all infected systems. It will be very difficult for technical systems to identify malicious account updates from benign ones.

What is a user to do? It starts with securing the router. Up-to-date firmware, strong passwords for admin access and disabling remote access to the administration interfaces on the router will make it difficult to compromise. This attack targets DNS services running on routers. A DNS service running on a server inside your network is not at risk to this attack (but is not impervious to all attacks.) Only install software from trusted app stores (e.g. Google Play.) Even when installing from a legitimate app store, pay attention to the permissions that are being requested. You are being prompted to approve the permissions so you can make an informed choice. And finally, bad actors are getting much better at language translations. When you see something in your language that doesn’t sound “right” be extra suspicious.


Android Vendors Regularly Omit Patches in Security Updates
16.4.2018 securityweek  Android

There is a good chance that your Android phone doesn’t have all of the security patches that it should, as vendors regularly omit some vulnerability fixes, security researchers have discovered.

After looking at the firmware of devices from tens of device makers, Germany-based Security Research Labs researchers discovered that not all relevant patches are included in the monthly updates that Android phones receive.

After the Stagefright vulnerabilities were found to impact nearly one billion devices three years ago, Google started releasing monthly security updates for the Android platform, to improve its overall security stance. Many vendors followed suit, announcing plans to keep up with Google and regularly deliver patches to their users.

However, only 17% of Android devices were found to run the most recent patch level in June 2016, and fixes were arriving slow in October that year. While many vendors have improved their patching frequency and phones started receiving monthly security updates, not all issues are addressed accordingly, the security researchers have discovered.

“Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” Security Research Labs says.

The security researchers analyzed the firmware of devices from over twenty vendors, looking for Critical and High severity patches they might be missing. They analyzed some phones multiple times, with different firmware releases and only considered phones patched from October 2017 or later.

The analysis revealed that most vendors forgot to deliver at least one patch to their users, while a handful of them didn’t deliver 4 or more patches. Given that not all patches were included in the tests, the actual number of missing patches could be much higher, the researchers say.

Missing patches don’t necessary imply that the phones are vulnerable, considering the security improvements in modern operating systems, such as ASLR and sandboxing, which typically prevent hacking, the security researchers argue.

This means that a few missing patches don’t usually render a device prone to remote compromise. A hacker would need to chain together multiple bugs for a successful attack, the researchers note, adding that cybercriminals do understand these challenges.

“Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” Security Research Labs says.

Those willing to invest into hacking Android devices are state-sponsored and other persistent threats. Operating stealthily and well-funded, these hackers normally leverage zero-day vulnerabilities in attacks, though they may also use known bugs to build exploit chains.

With monthly security updates arriving on many Android devices, it is important that these updates include all relevant patches. Users should start verifying their vendor’s claims about the security of their devices, and can measure their patch levels using free apps.

“As Android is ever increasing in popularity, the hacking incentives will only keep growing, as does the ecosystem’s responsibility for keeping its users secure. No single defense layer can withstand large hacking incentives for very long, prompting “defense in depth” approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android,” Security Research Labs concludes.


Popular Android Phone Manufacturers Caught Lying About Security Updates
15.4.2018 thehackernews Android

Android ecosystem is highly broken when it comes to security, and device manufacturers (better known as OEMs) make it even worse by not providing critical patches in time.
According to a new study, most Android vendors have been lying to users about security updates and telling customers that their smartphones are running the latest updates.
In other words, most smartphone manufacturers including big players like Samsung, Xiaomi, OnePlus, Sony, HTC, LG, and Huawei are not delivering you every critical security patch they're supposed to, a study by Karsten Nohl and Jakob Lell of German security firm Security Research Labs (SRL) revealed.
Nohl and Lell examined the firmware of 1,200 smartphones from over a dozen vendors, for every Android patch released last year, and found that many devices have a "patch gap," leaving parts of the Android ecosystem exposed to hackers.
"Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best," Nohl says in an interview with Wired.
Google releases security patches every month to keep its Android ecosystem safe and secure from the underlying risks, but since every manufacturer and mobile carrier modify the operating system to make their smartphone unique, they often fail to apply all those patches in time.
SRL researchers investigated smartphones that had supposedly received and installed the latest Android updates and released the following breakdown of their findings:
0-1 missed patches—Google, Sony, Samsung, Wiko Mobile
1-3 missed patches—Xiaomi, OnePlus, Nokia
3-4 missed patches—HTC, Huawei, LG, Motorola
4+ missed patches—TCL, ZTE
Specifically, the above result focused on security patches for Critical and High severity vulnerabilities that were released in 2017.
As shown above, Google, Samsung, Wiko Mobile and Sony are still doing great in installing patches, but others, specifically Chinese vendors like Xiaomi and OnePlus are worse in protecting their customers against latest security flaws.
In order to address the patch gap issue, Google has already launched a project, dubbed Treble, under which the company brought some significant changes to the Android system architecture last year to gain more control over the update process.

Project Treble was included as part of Android 8.0 Oreo and has been designed to separate core hardware code from the OS code, eliminating OEMs’ dependencies over to deliver Android updates faster.
However, even if your Android device runs Oreo 8.0 operating system, it's not necessary that it supports Treble project, as it's still up to the device manufacturer to include it. For example, Oreo firmware update for OnePlus devices don't support Treble yet.
But new devices will be required to support Treble moving forward.
Check Your Device For ‘Patch Level’
Meanwhile, SRL has developed an app called SnoopSnitch, which you can download for free, to measure the patch level of your own Android smartphone, helping you verify vendor claims about the security of your devices.


Are your Android devices updated? Researchers say maybe no
15.4.2018 securityaffairs  Android

Probably you don’t know that many Android smartphone vendors fail to roll out Google’s security patches and updates exposing the users to severe risks.
Researchers at Security Research Labs (SRL) that the problem also involves major vendors, including HTC, Huawei, and Motorola.

In some cases, manufacturers roll out incomplete security patches leaving the devices vulnerable to cyber attacks.

“Phones now receive monthly security updates. Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.” reads the blog post published by the SRL team.

The popular SRL experts Karsten Nohl and Jakob Lell presented the findings of the research at the Hack In The Box security conference in Amsterdam, the Netherlands.

The experts pointed out that that, even if Google is able to install some security patched over-the-air without vendor interaction, in some cases the fixes affect low-level faulty software components, such as drivers and system libraries, and this process needs the involvement of manufacturers.

The experts explained that some Android devices receive only half of the monthly updates, in some cases only from Google and none from the manufacturer.

The following table shows the average number of missing Critical and High severity patches before the claimed patch date (Samples – Few: 5-9; Many: 10-49; Lots: 50)
Experts clarified that some phones are included multiple times with different firmware releases.

android devices patches

Researchers at SRL explained that the only way to discover what is installed on your device is to take a look at what is included in the monthly fixes from Google verify that most important updates are present on the device.

The good news for users is that the failure in patch management is some cases is not enough for an attacker to remotely compromise an Android device and bypass defense mechanisms like Android’s sandbox and ASLR.

“Modern operating systems include several security barriers, for example, ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone.” continues the researchers.

“Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.”

I suggest you read the research paper for more details.


Google Turns TLS on By Default on Android P
14.4.2018 securityweek Android

Applications targeting the next version of Android (Android P) are required to use encrypted connections by default, Google said on Thursday.

To keep user data and devices safe, the company is protecting all inbound and outbound data on Android devices with Transport Layer Security (TLS) in transit. Thus, applications on Android P are no longer allowed to use unencrypted connections by default.

This is the latest step the Internet giant has taken to keep Android users better protected, after preventing accidental unencrypted connections on Android (6.0) Marshmallow.

The search company also added the Network Security Config feature to Android (7.0) Nougat, allowing apps to indicate that they do not intend to send network traffic without encryption.

However, Android Nougat and Oreo still allowed cleartext connections, necessary for legacy purposes, such as establishing a connection to an old server.

In Android P, currently available as Developer Preview, TLS is turned on by default, Google says. Applications that already use the protocol for all of their connections won’t be affected by the change, but those that don’t should be updated to use TLS to encrypt communications.

“Android considers all networks potentially hostile and so encrypting traffic should be used at all times, for all connections,” Chad Brubaker, Senior Software Engineer Android Security, notes in a blog post.

He also points out that mobile devices are at risk because they connect to different networks, including public Wi-Fi hotspots.

“All traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user,” Brubaker says.

To update their applications to use TLS, developers only need to implement the protocol to their servers, and then change all URLs in the app and server responses to HTTPS. When making a socket, devs should use an SSLSocketFactory instead of a SocketFactory, Brubaker points out.

For applications that still require cleartext connections for legacy purposes, changes should be made to the app’s network security configuration to allow such connections.

If the application supports opening arbitrary content from links over insecure connections, the cleartext connections to the developer’s servers should be disabled while they are enabled for arbitrary hosts, Brubaker advises.

Google has been long advocating for the adoption of HTTPS over HTTP and started pushing encrypted pages to the top of search results lists several years ago. Other companies have been pushing for an encrypted Internet as well, including Apple, GitHub, WordPress, and others.


New Android Malware Secretly Records Phone Calls and Steals Private Data
8.4.2018 thehackernews Android

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguising as a fake anti-virus application, dubbed "Naver Defender."
Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.
Talos researchers published Monday technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.
Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group "Group 123," primarily known for targeting South Korean targets.
The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:
record phone calls & audio
steal web history and files
gain root access
steal call logs, SMS, emails
collect device' location at every 10 seconds
collect a list of installed applications
Malware uses an open source library, available on GitHub, to gain the ability to record incoming and outgoing calls from the compromised Android device.

Although both malware samples have the same capabilities of stealing information on the compromised device and recording the victim's phone calls, one of the variants even exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.
All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.
"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.
"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."
Researchers also discovered another RAT, designed to target Windows users, sharing the same C&C server and also uses PubNub API to send commands to the compromised devices.
How to Keep Your Smartphone Secure
Android users are advised to regularly cross-check apps installed on their devices to find and remove if any malicious/unknown/unnecessary app is there in the list without your knowledge or consent.
Such Android malware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:
Never install applications from 3rd-party stores.
Ensure that you have already opted for Google Play Protect.
Enable 'verify apps' feature from settings.
Keep "unknown sources" disabled while not using it.
Install anti-virus and security software from a well-known cybersecurity vendor.
Regularly back up your phone.
Always use an encryption application for protecting any sensitive information on your phone.
Never open documents that you are not expecting, even if it looks like it's from someone you know.
Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.
Keep your device always up-to-date with the latest security patches.


Pocket cryptofarms

7.4.2018 Kaspersky Android  Cryptocurrency
Investigating mobile apps for hidden mining
In recent months, the topic of cryptocurrency has been a permanent news fixture — the value of digital money has been see-sawing spectacularly. Such pyrotechnics could hardly have escaped the attention of scammers, which is why cryptocurrency fluctuations have gone hand in hand with all kinds of stories. These include hacked exchanges, Bitcoin and Monero ransoms, and, of course, hidden mining. We’ve noticed that attackers no longer limit themselves to servers, desktops, and laptops. They are increasingly drawn to mobile devices, mainly Android. We decided to take a closer look to see which mobile apps stealthily mine digital coins on user devices and how widespread they are.

Primitive counterfeit apps
We found several types of malware posing as popular programs and games, but actually just showing ads and secretly mining cryptocurrencies using the CoinHive SDK. In particular, we unearthed counterfeit versions of Instagram, Netflix, Bitmoji, and others. The scammers had added the word “hack” to the original app names. These “hacked” apps were distributed through forums and third-party stores. Kaspersky Lab products detect such programs as RiskTool.AndroidOS.Miner.

Fragment of RiskTool.AndroidOS.Miner.a code that runs a hidden miner and displays an advertising page

Advertising page that RiskTool.AndroidOS.Miner.a shows to the user

Primitive miners based on web frameworks
There are a number of web frameworks that make it easy to create mobile apps, including miners. At the heart of such apps there lies a web page containing a JS script for mining cryptocurrency (for example, the CoinHive script). Most of the miners we found of this type were based on the Thunkable and Cordova frameworks. These apps are most commonly distributed through third-party sites, although one of them was found in the official Google Play store, where it was removed after we reported it.

Screenshot of a game in the Google Play store that mined cryptocurrency

We also found one app built on a different framework, Andromo. It looks like a discount aggregator at first glance, but instead of linking to sites with discounted products, it loads a page that mines cryptocurrency and doesn’t even try to hide it:

One more app caught our eye — Crypto Mining for Children. Based on the B4A framework, it was found in the official Google store (at the time of writing this article it had been deleted). Its stated goal was to mine cryptocurrency for charity. But the description contained no word about where or how the coins would be spent — something that any bona fide fundraising organization would publish. What’s more, the name of the developer bore a striking resemblance to that of a well-known mobile app (a cryptocurrency wallet), but with one letter missing. That’s a common trick used by phishers.

Useful apps infected with miners
This category is made of programs that Kaspersky Lab products detect as Trojan.AndroidOS.Coinge; they are popular apps in which cybercriminals have added malicious code for mining cryptocurrency.

Infected version of the TSF Launcher app

Interestingly, the cybercriminals added the malicious code to the code of other SDKs used by the app. That way, the app runs a library that does the mining. Not only that, we managed to detect a modification of this Trojan that does away with the need for a library: the malware adds its code to all web pages it opens. It’s worth noting that both methods of infection are similar to those used by Trojan-PSW.AndroidOS.MyVk to steal passwords.

A modification of Trojan.AndroidOS.Coinge adds mining code to all opened web pages

We managed to detect 23 different apps infected by Trojan.AndroidOS.Coinge.

Miners in apps for watching soccer
According to Kaspersky Security Network, the most common mining apps among those we found were connected to the topic of soccer. The name PlacarTV (placar means “account” in Portuguese) or something similar cropped up frequently. The main function of such apps was to show soccer videos while secretly mining cryptocurrency.

The PlacarTV app uses CoinHive for mining

The PlacarTV app interface

Our data shows that some of these apps were distributed through Google Play, with the most popular having been installed more than 100,000 times.

A modification of the PlacarTV app that was distributed through Google Play

The apps access the placartv.com server. This same domain is used in the developer’s email address specified in the Google Play store. Unbeknown to visitors, the site placartv.com runs a script that mines cryptocurrency.

Code of the placartv.com page used to mine cryptocurrency

Mobile clickers
Members of the Trojan.Clicker malware family typically open web pages and click them without the user noticing. Such pages can contain both adverts and subscriptions to WAP services. But having started to make easy money from unsuspecting users, the creators seemingly got greedy. And it wasn’t long before cryptocurrency mining was added to the feature set of some clickers. We already analyzed a similar case when a miner was caught lurking in the modules of the Loapi Trojan.

Another Trojan-turned-miner is Ubsob. This malware poses as a suite of useful apps. When started, it downloads and installs an app that it uses to mask itself. Its creators broadened their horizons by adding code borrowed from the app NeoNeonMiner for cryptomining.

Installation of the original app initialized by the Ubsob Trojan

Furthermore, the Trojan requests device administrator rights to establish a foothold in the system. This means that to delete it, it must first be removed from the list of device administrators. During the process, the malware displays a scary message – “These action can lead to data lost. Are you really wont to erase all your data?”

Message displayed by the Ubsob Trojan when attempting to deprive it of administrator rights

The Trojan mainly “resides” in CIS countries, above all Russia.

Other interesting finds
Fire-prevention miner
Probably the most interesting Trojan we analyzed is Trojan.AndroidOS.Coinge.j. It has no legitimate app functions at all and installs itself either as a porn app or as an Android system app. As soon as it starts, the malware requests device administrator rights to prevent its removal.

Trojan.AndroidOS.Coinge.j requests device administrator rights

The Trojan uses several layers of encryption and obfuscation to protect its code from analysis, but that’s not the only string to its bow. The malware monitors the device battery and temperature to mine cryptocurrency without posing a fire hazard. It seems the cybercriminals have no desire to repeat the “success” of Loapi, which incinerated our test phone.

Almost a third (29%) of the Trojan’s victims were in India. It is also active in the United States (8%), Britain (6%), Iran (5%), and Ukraine (5%). Like Ubsod, it uses the code of a legitimate app to mine cryptocurrencies.

VPN with undocumented features
We found another battery and temperature-monitoring miner in Google Play under the guise of the Vilny.net VPN app for establishing a VPN connection. By the time of detection, it had been installed more than 50,000 times. We reported it to Google.

Code of the Vilny.net VPN app

Information about the Vilny.net VPN app on Google Play

Conclusion
Keep in mind that mobile mining has a number of limitations:

First, mobile devices trail a long way behind desktop systems performance-wise, let alone dedicated mining farms, which eats into the profitability of cryptocurrency mining on mobile devices.
Second, heavy use of mobile devices causes them to heat up noticeably, alerting the user.
Lastly, smartphones’ relatively small battery power means they discharge quickly if used intensively, making mining more visible to the user and time-limited.
However, our study showed that cybercriminals are not put off by these limitations. We uncovered numerous mobile miners built on various frameworks and distributed in various ways, including through the official Google Play store. Perhaps cybercriminals are banking on compensating for smartphones’ poor performance and mobile miners’ easy detection through the sheer number of handheld devices out there and their high infectibility.

MD5
F9C4A28284CD7A4534A1102C20F04C9D
B32DBBFBB0D4EC97C59B50D29DDAAA2D
2D846265F6569547490FCB38970FC93E
6E1FDFBDAB69090FEA77B3F2F33098A8
5464647B09D5F2E064183A073AE97D7B
5B7324C165EE6AF26CDA55293DAEACDF
E771099ACA570F53A94BE713A3C2ED63
3062659C25F44EEA5FE8D3D85C99907D
AEBB87E9AEA464EFB6FCC550BF7D2D38
38CE6C161F87345B773795553AAE2C28
CA3E7A442D5A316DA9ED8DB3C4D913A7
34F43BAAFAEBDAC4CC582E1AAACF26BD
F8DE7065A7D9F191FD0A53289CDB959B
34EB1FFDC8D9D5DD3C32A0ACC4995E29
020A9064D3819A0293940A4F0B36DD2A
EE78507A293D007C47F3D2D471AAD013
0E129E2F4EA3C09BFB0C4841E173580C
50BF20954B8388FA3D5E048E6FA493A9


Researchers Link New Android Backdoor to North Korean Hackers
7.4.2018 securityweek  Android

The recently discovered KevDroid Android backdoor is tied to the North Korean hacking group APT37, Palo Alto Networks researchers say.

Also tracked as Reaper, Group 123, Red Eyes, and ScarCruft, the threat group was observed earlier this year to be using a Flash Player zero-day vulnerability and has been expanding the scope and sophistication of its campaigns over the past months.

Recently, the group was said to have targeted victims with Android spyware via spear phishing emails. Cisco’s Talos security researchers analyzed the malware, which they called KevDroid, but weren’t able to find a strong connection with the group.

According to Palo Alto Networks, however, KevDroid is indeed part of APT37’s arsenal of mobile tools. Furthermore, the security researchers were able to find a more advanced version of the spyware, as well as Trojanized iterations of legitimate applications that are used as downloaders for the malware.

The Android spyware was initially found to be masquerading as an anti-virus app from Naver, a large search and web portal service provider in South Korea.

One version of the malware, Palo Alto’s Ruchna Nigam discovered, would call home to cgalim[.]com, a domain already associated with the Reaper group’s non-mobile attacks. Artefacts from the original malware variant eventually revealed a more advanced iteration of the malware, the security researcher notes.

The threat actor apparently uses two Trojanized application versions to distribute Android spyware variants. The legitimate applications – Bitcoin Ticker Widget and PyeongChang Winter Games – are distributed through Google Play, but the malicious variants never made it to the official app store.

The two Trojanized applications, which are signed with the same certificate, contact the same URL to fetch payloads, and were observed serving an advanced iteration of the Android spyware. Each of the malicious apps was created to “respectively download and drop one specific variant of Reaper’s Android spyware,” the Nigam says.

Once installed, the apps would display a message asking the user to update them. If the user accepts the update, however, the malicious payload is downloaded instead and saved as AppName.apk. Next, the payload is loaded and the user is asked to confirm the installation.

The spyware can record audio and video, capture screenshots, grab the phone’s file listing, fetch specific files, download a list of commands, get device info, and root the device. Additionally, it can steal voice recordings from incoming and outgoing calls, call logs, SMS history, contact lists, and information on registered accounts on the phone.

Unlike the previously detailed variants of the malware that used an open source library to record calls, the most recent – and more advanced – variant of the malware writes its own call recording library.

“The emergence of a new attack vector, followed by the appearance of new variants disguising themselves as currently relevant applications like the Winter Olympics, indicates expanding operations of the Reaper group that are actively in development,” Nigam concludes.


VirusTotal presents its new Android Droidy sandbox
7.4.2018 securityaffairs Android

VirusTotal announced on Thursday the launch of a new Android sandbox, named Droidy sandbox, that will replace the previous one that was designed in 2013.
“Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.” reads the announcement published by Virus Total.

The Droidy sandbox was specifically designed to analyzed mobile threats, it can be used to obtain information on network communications and SMS-related activities, file system interactions, SQLite database usage, permissions, Java reflection calls, process and service actions, registered receivers, and crypto-related activity.

The Droidy sandbox is integrated with other services, such as VirusTotal Graph and VirusTotal Intelligence, the company aims to create a complete environment for malware analysis that helps professionals to analyzed the threats.

If you are interested in more info about the new Droidy sandbox just select it from the drop-down menu in the Behavior section, it also includes the Tencent HABO analysis system.

It is an important improvement for the VirusTotal platform, data from Droidy sandbox are complementary to the Tencent HABO.

The two sandboxes are part of a multisandbox project that aims to aggregate malware analysis sandbox reports.

“VirusTotal is much more than just an antivirus aggregator; we run all sorts of open source/private/in-house tools to further characterize files, URLs, IP addresses and domains in order to highlight suspicious signals.” states VirusTotal.

“Similarly, we execute a variety of backend processes to build relationships between the items that we store in the dataset, for instance, all the URLs from which we have downloaded a given piece of malware.“

Selecting Droidy sandbox from the behavior menu it is possible to see general information about the analyzed sample. Users can also go deeper in their analysis and “dig into the hooked calls and take a look at the screenshots generated when running the apps.”

Droidy sandbox

“To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

https://www.virustotal.com/#/file/f1475147b50a2cc868e308d87457cebd35fd6443ef27adce67a6bb3e8b865073/behavior” continues VirusTotal.

“Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.” concluded VirusTotal.


Google Patches 9 Critical Android Vulnerabilities in April 2018 Update
5.4.2018 securityweek
Vulnerebility  Android

Google this week has released its April 2018 set of Android security patches which address more than two dozen Critical and High severity vulnerabilities.

19 vulnerabilities were found to affect components such as Android runtime, Framework, Media framework, and System. These include 7 issues rated Critical and 12 considered High risk. All of the flaws were patched as part of the 2018-04-01 security patch level.

Successful exploitation of these security bugs could result in elevation of privileges, information disclosure, remote code execution, and denial of service.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in its advisory.

Six of the Critical severity bugs were remote code execution vulnerabilities, while the seventh was an elevation of privilege flaw. Impacted platform versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.

Google also addressed 9 vulnerabilities as part of the 2018-04-05 security patch level, namely 2 Critical and 7 High severity. The issues impact Broadcom, Kernel, and Qualcomm components.

Both Critical bugs are remote code execution flaws, while the High severity issues include elevation of privilege and information disclosure vulnerabilities.

“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes.

The 2018-04-05 security patch level also includes patches for 34 vulnerabilities in Qualcomm closed-source components: 6 rated Critical and 28 assessed with a High risk severity level.

Google also included a Qualcomm closed-source components 2014-2016 cumulative update as part of its April 2018 Android security bulletin, although many devices have already addressed these issues in previous updates.

“These vulnerabilities affect Qualcomm components and were shared by Qualcomm with their partners through Qualcomm AMSS security bulletins or security alerts between 2014 and 2016. They are included in this Android security bulletin in order to associate them with a security patch level,” Google explains.

Over 250 vulnerabilities were included in the cumulative update, most rated High severity. One of the bugs was rated Critical risk and 9 were rated Moderate severity.

This month, Google also addressed over 40 vulnerabilities in the Nexus and Pixel devices, all rated Moderate severity (four of the flaws have a High severity rating on Android 6.0 and 6.0.1 devices). Impacted components include Framework, Media framework, System, and Broadcom, Kernel, and Qualcomm components.

On top of these security fixes, the Internet giant also included over 70 functional updates for Google devices as part of the April 2018 Pixel / Nexus Security Bulletin.


KevDroid Android RAT can steal private data and record phone calls
5.4.2018 securityaffairs Android

Security researchers discovered a new Android Remote Access Trojan (RAT) dubbed KevDroid that can steal private data and record phone calls.
Security researchers at South Korean cybersecurity firm ESTsecurity have discovered a new strain of Android Trojan KevDroid that is being distributed disguised as a fake anti-virus application, dubbed “Naver Defender.”

“Spear phishing attacks targeting Android mobile devices have recently emerged. Portal site Naver sends emails related to personal information leakage prevention to induce malicious apps to be installed.” reads the analysis published by ESTsecurity.

“This malicious app impersonates Naver with the Naver logo and the app name “Naver Defender” and takes away sensitive information such as address book, call log, and text messages.”

KevDroid is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices and spy on its owners by recording phone calls.

After the initial discovery made by cybersecurity firm ESTsecurity, experts at Talos published a detailed analysis of two variants of RAT detected in the wild.

KevDroid

“Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls.” reads the analysis published by Talos.

One of the variants exploits a known Android exploit (CVE-2015-3636) to get root access on the compromised device, this variant was dubbed KevDroid. Both variants sent data to the same command and control (C2) server through an HTTP POST.

Talos experts explained that the malicious code implemented the feature to record calls based on an open-source project available on GitHub.

The investigation about the infection vector revealed that attackers used a RTF file attempting to exploit the CVE-2017-11882 vulnerability in Office using an embedded Microsoft Equation object.

The bait document used by hackers is written in Korean and contains information on Bitcoin and China.

The second RAT is targeting Windows systems it specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). This malware uses the PubNub API in order to publish orders to the compromised systems, expert dubbed it “PubNubRAT.”

The most recent variant of KevDroid malware, detected a few weeks ago, implements the following capabilities:

record phone calls & audio
steal web history and files
gain root access
steal call logs, SMS, emails
collect device’ location at every 10 seconds
collect a list of installed applications
“If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim.” continues Talos. “Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid.”
South Korean media associated the KevDroid RAT with North Korea APT Group 123.

“We do not have a strong link between the two malware samples and Group 123. The TTP overlaps are tenuous — using public cloud infrastructure as a C2 server is something other malware has used before as a technique, not just Group 123. Additionally, the C2 server is hosted in Korea, and this malware has been known to target Korean users. However, this information cannot lead us to a strong link,” Talos concluded.
The analysis published by Talos also included indicators of compromise (IoCs).