

Flaws in Samsung Phones Exposed Android Users to Remote Attacks

12.8.20  Android  Thehackernews
New research disclosed a string of severe security vulnerabilities in 'Find My Mobile'—an Android app that comes pre-installed on most Samsung smartphones—that could have allowed remote attackers to track victims' real-time location, monitor phone calls and messages, and even delete data stored on the phone.
Portugal-based cybersecurity services provider Char49 revealed its findings on Samsung's Find My Mobile Android app at the DEF CON conference last week and shared details with the Hacker News.
"This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (SD card included), serious privacy implication via IMEI and location tracking as well as call and SMS log access," Char49's Pedro Umbelino said in technical analysis.
The flaws, which work on unpatched Samsung Galaxy S7, S8, and S9+ devices, were addressed by Samsung after flagging the exploit as a "high impact vulnerability."
Samsung's Find My Mobile service allows owners of Samsung devices to remotely locate or lock their smartphone or tablet, back up data stored on the devices to Samsung Cloud, wipe local data, and block access to Samsung Pay.
According to Char49, there were four different vulnerabilities in the app that could have been exploited by a malicious app installed on the targeted device, thus creating a man-in-the-disk attack to hijack communication from the backend servers and snoop on the victim.
The flaw stems from the fact that the app checks for the presence of a specific file on the device's SD card ("/mnt/sdcard/fmm.prop") in order to load a URL ("mg.URL"). A rogue app can therefore create this file, and a bad actor can use it to hijack the app's communications with the server.
"By pointing the MG URL to an attacker-controlled server and forcing the registration, the attacker can get many details about the user: coarse location via the IP address, IMEI, device brand, API level, backup apps, and several other information," Umbelino said.
To achieve this, a malicious app installed on the device makes use of an exploit chain that leverages two different unprotected broadcast receivers to redirect commands sent to Samsung's servers from the Find My Mobile app to a different server that's under the attacker's control and execute malicious commands.
The malicious server also forwards the request to the legitimate server and retrieves the response, but not before injecting its own commands in the server responses.
In doing so, a successful attack could allow a hacker to track the device's location, grab call data and text messages for spying, lock the phone for ransom, and erase all data through a factory reset.
Needless to say, the vulnerability is yet another indicator of how an app that's meant to safeguard users against information loss can be susceptible to a number of flaws that can defeat the app's purpose.
"The FMM [Find My Mobile] application should not have arbitrary components publicly available and in an exported state," Umbelino said. "If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated."
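The mitigation Umbelino describes, namely no arbitrary components left exported and unprotected, can be checked mechanically from an app's manifest. The following auditor is an added example, not Char49's or Samsung's code; it works on a constructed manifest and applies the platform's default-export rule to all four component types, not only receivers.

```python
"""Audit an AndroidManifest.xml for components that are reachable from other
packages (exported) without an android:permission protecting them, the
weakness exploited against Find My Mobile. Added example; the manifest
below is constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample: one receiver exported with no permission (risky),
# one exported but permission-protected, one not exported, and a service
# that is implicitly exported because it declares an intent filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fmm.demo">
  <application>
    <receiver android:name=".RegistrationReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.REGISTER"/></intent-filter>
    </receiver>
    <receiver android:name=".ProtectedReceiver" android:exported="true"
        android:permission="com.example.permission.INTERNAL"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <service android:name=".LocatorService">
      <intent-filter><action android:name="com.example.LOCATE"/></intent-filter>
    </service>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Platform rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported by default. Providers without an
    explicit value are treated as exported (conservative, matches pre-API 17)."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True
    return elem.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return [(component_type, name)] for exported components that carry
    no android:permission, i.e. anything any installed app can invoke."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENTS:
            continue
        if is_exported(elem) and attr(elem, "permission") is None:
            findings.append((elem.tag, attr(elem, "name")))
    return findings


if __name__ == "__main__":
    for kind, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print("exported without permission: <%s> %s" % (kind, name))
```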


Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks
11.8.20  Android  Securityweek

Security researchers have identified hundreds of vulnerabilities that expose devices with Qualcomm Snapdragon chips to attacks.

During a presentation at DEF CON last week, Check Point security researcher Slava Makkaveev revealed how vulnerabilities in the compute digital-signal processor (DSP) – a subsystem that enables the processing of data with low power consumption – could open the door for Android applications to perform malicious attacks.

The proprietary subsystem is licensed for programming to OEMs and a small number of application developers, and the code running on DSP is signed, but the security researchers have identified ways to bypass Qualcomm’s signature and run code on DSP.

Vendors can build software for DSP using the Hexagon SDK, and serious security flaws in the development kit itself have resulted in hundreds of vulnerabilities being introduced in code from Qualcomm and partner vendors.

According to Makkaveev, almost all of the DSP executable libraries that come embedded in Qualcomm-based smartphones are exposed to attacks through the issues identified in the Hexagon SDK.

The discovered flaws, over 400 in total, are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209 and have already been acknowledged by Qualcomm.

Check Point has yet to publish technical details on these vulnerabilities, but says that attackers able to exploit them would require no user interaction to exfiltrate large amounts of information, including users’ photos and videos, and GPS and location data, or to spy on users by recording calls or turning on the microphone.

Denial of service attacks are also possible, with the device remaining permanently unresponsive, thus making the information stored on it unavailable. Furthermore, malicious code installed on the device could hide activities entirely and become unremovable.

With Qualcomm’s chips present in approximately 40% of the smartphones out there, including high-end devices from Google, LG, OnePlus, Samsung, Xiaomi, and others, at least 1 billion mobile users are affected by these vulnerabilities.

“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” a Qualcomm spokesperson told SecurityWeek.


Google Patches Over 50 Vulnerabilities in Android With August 2020 Updates
5.8.2020  Android  Securityweek
Google on Monday announced the August 2020 security updates for the Android operating system, with patches for a total of more than 50 vulnerabilities.

According to Google, the most serious flaw patched this month is a high-severity issue in the Framework component that can be exploited by a remote attacker to execute arbitrary code in the context of an unprivileged process using a malicious file.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” Google noted.

The 2020-08-01 security patch level addresses 14 high-severity vulnerabilities in the Framework, Media Framework, and System components.

The most serious Media Framework and System flaws allow a malicious application to elevate privileges without any user interaction.

The 2020-08-05 security patch level fixes 40 vulnerabilities in the AMLogic, Kernel, MediaTek, and Qualcomm components of Android.

The AMLogic vulnerability patched this month allows a local attacker to execute arbitrary code with elevated permissions using a specially crafted file. In the kernel, Android developers fixed three high-severity bugs that can lead to information disclosure or privilege escalation.

In MediaTek components, there are five high-severity vulnerabilities that can be exploited for privilege escalation or to obtain information. All issues impact the multimedia processing driver.

Over 40 flaws have been patched in Qualcomm components — a majority in closed-source components. While most have been classified as high severity, half a dozen of them have been rated critical.

Google also announced that it has patched a handful of vulnerabilities that are specific to Pixel devices.


'BootHole' Flaw Allows Installation of Stealthy Malware, Affects Billions of Devices
30.7.20  Android  Securityweek

Billions of Windows and Linux devices are affected by a serious GRUB2 bootloader vulnerability that can be exploited to install persistent and stealthy malware, firmware security company Eclypsium revealed on Wednesday.

The vulnerability, tracked as CVE-2020-10713 and dubbed BootHole, has a CVSS score of 8.2 and Eclypsium says it affects all operating systems that use GRUB2 with Secure Boot, a mechanism designed to protect the boot process from attacks. In fact, the company says the flaw impacts machines that use Secure Boot even if they’re not using GRUB2.

“Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” Eclypsium explained in its report. “In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.”

BootHole vulnerability found in GRUB2 bootloader

The company says the vulnerability affects a majority of laptop, desktop, workstation and server devices, as well as network appliances and equipment used in the healthcare, industrial and financial sectors.

Threat actors could exploit this vulnerability to install bootkits or malicious bootloaders that would give them control of the targeted device. Eclypsium researchers noted that exploiting the vulnerability requires administrator privileges on the targeted device, but successful exploitation enables the attacker to obtain even higher privileges and achieve persistence.

BootHole has been described as a buffer overflow flaw related to how GRUB2 parses its grub.cfg configuration file. An attacker can modify this file, which is an unsigned text file typically found in the EFI system partition, to ensure that their malicious code is executed in the UEFI execution environment, before the operating system is loaded. This enables the attacker to run malware, modify the boot process, or directly patch the operating system kernel.

Following Eclypsium’s discovery of the BootHole vulnerability, the Canonical security team also analyzed GRUB2 and identified several other security holes, all of which have been classified as medium severity.

Eclypsium has coordinated the disclosure of the vulnerability with Microsoft, Linux distributions, the UEFI Security Response Team, OEMs, CERTs, VMware, Oracle and other impacted software vendors. Many of them are expected to release advisories or updates addressing BootHole and other GRUB2 issues.

“Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack. This will likely be a long process and take considerable time for organizations to complete patching,” the company explained.


Critical Android bug lets malicious apps hide in plain sight
29.5.2020  Bleepingcomputer  Android

A critical Android security vulnerability disclosed today and dubbed StrandHogg 2.0 can allow malicious apps to camouflage as most legitimate applications and steal sensitive information from Android users.

According to Promon security researchers who found the bug, StrandHogg 2.0 impacts all devices running Android 9.0 and below (Android 10 is not affected), and it can be exploited by attackers without root access.

Spy and steal sensitive user information
After exploiting the critical vulnerability tracked as CVE-2020-0096 on an Android device, malicious actors can easily steal the users' credentials with the help of overlays or their data by abusing app permissions.

By abusing the StrandHogg 2.0 bug, attackers can perform a wide array of malicious tasks which allow them to:

• Listen to the user through the microphone
• Take photos through the camera
• Read and send SMS messages
• Make and/or record phone conversations
• Phish login credentials
• Get access to all private photos and files on the device
• Get location and GPS information
• Get access to the contacts list
• Access phone logs

Malicious apps that exploit the vulnerability can trick users by using reflection to replace the interface of a legitimate app after it is launched, while remaining fully hidden, as Promon explains.

"If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps," Promon says.

"Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone."


Fix already rolled out to all vulnerable Android devices
A security fix was already released by Google for Android versions 8.0, 8.1, and 9, after being notified of the vulnerability in December 2019 and rolling out a patch to Android ecosystem partners during April 2020.

"Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilizing StrandHogg 2.0," Promon CTO and founder Tom Lysemose Hansen said.

Luckily, as of today no malware has been observed actively exploiting the security bug in the wild.

StrandHogg 2.0 is similar to a previous Android vulnerability Promon found during 2019, dubbed StrandHogg, and actively exploited at the time by the BankBot banking trojan.

"They are similar in the sense that hackers can exploit both vulnerabilities in order to gain access to very personal information and services, but from our extensive research, we can see that StrandHogg 2.0 enables hackers to attack much more broadly while being far more difficult to detect," Promon CTO and founder Tom Lysemose Hansen said.

StrandHogg allowed malicious apps to hijack Android’s multitasking feature and "freely assume any identity in the multitasking system they desire," while StrandHogg 2.0 is an elevation of privilege vulnerability that enables malware to gain access to almost all Android apps.

Over 90% of Android users exposed to attacks
"Promon predicts that attackers will look to utilize both StrandHogg and StrandHogg 2.0 together because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible."

Since many of the mitigation measures that can be taken against StrandHogg do not apply to StrandHogg 2.0 and vice-versa, many Android users might be exposed to future attacks attempting to exploit both vulnerabilities.

Additionally, since the vast majority of users are still running Android version 9.0 or earlier on their devices (91.8% of Android active users worldwide according to Google), malware designed to abuse the StrandHogg bugs will have a lot of potential targets lined up.


Aggressive in-app advertising in Android
25.5.2020  Securelist  Android
Recently, we’ve been noticing ever more dubious advertising libraries in popular apps on Google Play. The monetization methods used in such SDKs can pose a threat to users, yet they pull in more revenue for developers than whitelisted ad modules due to the greater number of views. In this post we will look into a few examples of suspicious-looking ad modules that we discovered in popular apps earlier this year.

One of the applications we researched was a popular app that allows users to ask questions anonymously. Integrated into the code of an earlier version of the app was the module com.haskfm.h5mob. Its task was to show intrusive advertising (in breach of the Google Play rules) when the user unlocked the phone.


Code for displaying ads when the screen is unlocked

In other words, the module can show ads whether the app is running or not. The ad can simply pop up on the main screen all on its own, causing a nuisance for the user. We passed our findings to the app developers, who promptly removed com.haskfm.h5mob. However, this module remains interesting from a technical point of view.

To receive advertising offers, the module connects to C&C servers whose addresses are encrypted in the app code.


Decrypting the C&C addresses

The C&C response contains the display parameters and the platforms used to receive ads.

{"status":1,
"msg":"Success",
"data":{"rqect":0,
"ldfr":1,
"tifr":1,
"appintset":43200000,
"swpa":1,
"ssjp":1,
"tcap":86400000,
"ctoftime":3600000,
"jtslist":[{"domain":"app.appsflyer.com","format":"&android_id={android_id}&advertising_id={gaid}"},
{"domain":"app.adjust.com","format":"&android_id={android_id}&gps_adid={gaid}"},
{"domain":"app.adjust.io","format":"&android_id={android_id}&gps_adid={gaid}"},
……
The most interesting parameter here is appintset, which specifies the delay before displaying the first ad after installation of the app. In our example, it was set to 43.2 million milliseconds, or 12 hours. This delay makes it much harder for the user to find the culprit for all the ads that suddenly appear on the screen. Also, this technique is frequently used by cybercriminals to trick automatic protection mechanisms, such as sandboxes in app stores. The main parameters are followed by an extensive list of addresses of advertising providers with request parameters for receiving offers.
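A triage routine for responses in this format, added here as an example and not part of the Securelist analysis: it converts the millisecond timers to hours, flags a first-ad delay long enough to outlast an automated analysis window, and lists which providers receive device identifiers. The JSON is a constructed excerpt modelled on the response above, and the delay threshold is an assumption of mine.

```python
"""Triage a C&C configuration of the kind com.haskfm.h5mob receives.
Added example, not code from the original post; the sample response is
constructed from the fields shown on the page and the threshold is assumed."""
import json

# Constructed sample modelled on the C&C response in the article.
SAMPLE_RESPONSE = """{"status":1,"msg":"Success",
 "data":{"rqect":0,"ldfr":1,"tifr":1,"appintset":43200000,
         "swpa":1,"ssjp":1,"tcap":86400000,"ctoftime":3600000,
         "jtslist":[{"domain":"app.appsflyer.com",
                     "format":"&android_id={android_id}&advertising_id={gaid}"},
                    {"domain":"app.adjust.com",
                     "format":"&android_id={android_id}&gps_adid={gaid}"},
                    {"domain":"example-no-ids.invalid",
                     "format":"&campaign={campaign}"}]}}"""

MS_PER_HOUR = 3_600_000
# Timers the article identifies: first-ad delay, cap period, cache timeout.
TIMER_KEYS = ("appintset", "tcap", "ctoftime")
# Assumed threshold: a first-ad delay of several hours outlasts a typical
# sandbox run, the evasion pattern the article describes.
MIN_SUSPICIOUS_DELAY_HOURS = 6
ID_PLACEHOLDERS = ("{android_id}", "{gaid}")


def parse_config(raw):
    """Return (timers_in_hours, [(domain, format)]) from a C&C response.
    Missing or non-numeric timers are simply omitted."""
    data = json.loads(raw).get("data", {})
    timers = {
        key: data[key] / MS_PER_HOUR
        for key in TIMER_KEYS
        if isinstance(data.get(key), (int, float)) and not isinstance(data.get(key), bool)
    }
    providers = [(p.get("domain"), p.get("format", "")) for p in data.get("jtslist", [])]
    return timers, providers


def triage(raw):
    """Return human-readable findings for an analyst; empty list if nothing stands out."""
    timers, providers = parse_config(raw)
    findings = []
    delay = timers.get("appintset")
    if delay is not None and delay >= MIN_SUSPICIOUS_DELAY_HOURS:
        findings.append("first ad delayed %.1f h after install (analysis-evasion pattern)" % delay)
    leaking = [d for d, fmt in providers if any(tag in fmt for tag in ID_PLACEHOLDERS)]
    if leaking:
        findings.append("%d provider(s) receive device identifiers: %s"
                        % (len(leaking), ", ".join(leaking)))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RESPONSE):
        print(line)
```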

Earlier we detected a similar ad module in apps without a payload. For example, the code in the app com.android.ggtoolkit_tw_xd, which we detect as not-a-virus:AdWare.AndroidOS.Magic.a, contains the same features and is managed from the same C&C as the com.haskfm.h5mob module. However, this adware app has no graphical interface to speak of, is not displayed in the device’s app menu, and serves only to display intrusive ads as described above.

While, as previously mentioned, the creators of the application described in the first example promptly removed the ad module, not all Android developers are so conscientious. For example, the Cut – CutOut & Photo Background Editor app does not hesitate to treat users to a half-screen ad as soon as the smartphone is unlocked, regardless of whether the app is running or not.


Likewise the Fast Cleaner — Speed Booster & Cleaner app.


In both apps, the library com.vision.lib handles the display of advertising.

Display of advertising

At the time of writing this article, the developers of both apps had not responded to our requests.

Note, however, that adware is not always about greed. Often, app developers are not versed in advertising SDKs and lack the necessary skills to test an integrated advertising library, and therefore may not fully understand what they are adding to their code. The danger for users here is that a dubious library could unexpectedly make its way into an app as part of a rank-and-file update. And it becomes extremely difficult to figure out which of a dozen recently updated apps is the source of intrusive advertising.

IOCs
MD5
1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
134283b8efedc3d7244ba1b3a52e4a92 – com.xprodev.cutcam
3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner

C&C
ti.domainforlite[.]com/st/hg
uu.domainforlite[.]com


WolfRAT Android Malware Targets WhatsApp, Facebook Messenger
20.5.2020  Threatpost  Android

Researchers link the malware to Wolf Research operators with “high confidence” after it was spotted in campaigns targeting Thai users.

A new Android malware family has been discovered, which targets popular messaging apps like WhatsApp and Facebook Messenger to gather intelligence on Android victims.

The malware, dubbed WolfRAT, is under active development, and was recently identified in campaigns targeting Thai users. Researchers assess with “high confidence” that the malware is operated by Wolf Research, a Germany-based spyware organization that develops and sells espionage-based malware to governments.

“The chat details, WhatsApp records, messengers and SMSs of the world carry some sensitive information and people choose to forget these when communications occur on their phone,” said Warren Mercer, Paul Rascagneres and Vitor Ventura, researchers with Cisco Talos, in a Tuesday analysis. “We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia, Line, which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and its prying eyes.”

Warren Mercer, technical lead at Cisco Talos, told Threatpost that he believes the infection vector was phishing/smishing links sent to users’ devices. Researchers found that the command-and-control (C2) server domain is located in Thailand and contains references to Thai food, giving a clue about what the lure could potentially be.

The Campaign
Once downloaded, WolfRAT poses as legitimate services, such as Google Play apps or Flash updates, by using their icons and package names. These are normally functional packages, with no user interaction needed, Mercer said. For instance, the malware uses a package name (“com.google.services”) to pretend to be a Google Play application.

“The name appears generic enough to make a non-tech savvy user think it is related to Google and is a required part of the Android Operating System. If the user presses the application icon they will only see generic Google application information injected by the malware authors,” Mercer told Threatpost. “This is aimed at ensuring the application is not uninstalled by the victim.”

Upon further research of WolfRAT itself, researchers found the RAT is based on a previously leaked malware named DenDroid. DenDroid was discovered in 2014 and is a fairly simple Android malware (it doesn’t take advantage of the Android accessibility framework, for instance, as many modern Android malware families do). DenDroid contains espionage-based commands for taking photos and videos, recording audio and uploading pictures.

Researchers identified at least four major releases of the WolfRAT, reflecting that it’s under “intense development.” In terms of timeline, researchers identified samples that show activity from January 2019, however, one of the C2 domains was registered in 2017 (ponethus[.]com), Mercer said.

These versions revealed several capabilities, including a screen-recording feature. During their analysis of the earlier samples, researchers noticed that the feature was never called or used by the malware — however, in later samples the screen recording is started when the RAT determines that WhatsApp is running.

Later versions of the malware also request the permissions ACCESS_SUPERUSER (deprecated from Android 5.0 onward) and DEVICE_ADMIN (also deprecated, in Android 10), both of which are attempts to obtain privileged access rights (i.e., administrative permissions) on the victim’s device. Another permission added, READ_FRAME_BUFFER, is the “most important API used here,” Mercer told Threatpost, as it can be used by an application to obtain screenshots of the current device screen (i.e., WhatsApp). Building on that capability, later versions of the malware actively search for Facebook Messenger, WhatsApp and Line activities. Once these apps are opened, the malware takes screenshots and uploads them to the C2.

Researchers noted that the constant addition and removal of packages, along with the huge quantity of unused code and usage of deprecated and old techniques, “denotes an amateur development methodology.”

“This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being instanced, unstable packages and panels that are freely open,” they said.

Wolf Research Links
Researchers linked the campaign to Wolf Research after identifying infrastructure overlaps and string references used previously by the group. The organization appears to be shut down, said researchers, but the threat actors are still very active. Researchers believe its operators are continuing to work under the guise of a new organization, called LokD. This new organization proposed the creation of a more secure Android phone, said researchers. Based on the organization’s website, it also offers services and has developed zero-day vulnerabilities to test its own products.

“However, thanks to the infrastructure sharing and forgotten panel names, we assess with high confidence that this actor is still active, it is still developing malware and has been using it from mid-June to today,” said researchers. “On the C2 panel, we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech. This organization is also working on interception technology.”


Mandrake, a highly sophisticated Android spyware used in targeted attacks
18.5.2020  Securityaffairs  Android

Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.
Researchers from Bitdefender discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.

The threat actors behind this campaign managed to fly under the radar for as long as possible. They carefully selected the devices to infect and avoided compromising devices in countries that are of no interest to them.

“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”
Most of the infections are in Australia, followed by Europe, America, and Canada. Experts observed two different waves of attacks, the first one in 2016 and 2017.

Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.

Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that tens of thousands, and probably hundreds of thousands, of users were infected in the last 4 years.
During the past four years, the platform has received numerous updates; its operators constantly implemented new features.

Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data. It also implements a kill-switch feature, a special command called seppuku (after the Japanese form of ritual suicide), that wipes all of the victim’s data and leaves no trace of the malware.
“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can obviously paint a pretty accurate picture of the victim, and their whereabouts.” continues the report. “The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing. It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.”

The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.

The malware avoids detection by delaying its activity and working in three stages: dropper, loader, and core.

The dropper is represented by the apps published in Google Play, while it is not possible to determine when the loader and the core are delivered.

The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.

The report contains technical details about the threat, including Indicators of Compromise.


'Mandrake' Android Spyware Remained Undetected for 4 Years
18.5.2020  Securityweek   Android
Security researchers at Bitdefender have identified a highly sophisticated Android spyware platform that managed to remain undetected for four years.

Dubbed Mandrake, the platform targets only specific devices, as its operators are keen on remaining undetected for as long as possible. Thus, the malware avoids infecting devices in countries that might bring no benefit for the attackers.

Over the past four years, the platform has received numerous updates, with new features being constantly added, and obsolete ones being removed. Under continuous development, the malware framework is highly complex, Bitdefender’s security researchers say.

Mandrake provides attackers with complete control over an infected device, allowing them to turn down the volume, block calls and messages, steal credentials, exfiltrate data, transfer money, record the screen, and blackmail the victim.

“Considering the complexity of the spying platform, we assume that every attack is targeted individually, executed with surgical precision and manual rather than automated. Weaponization would take place after a period of total monitoring of the device and victim,” Bitdefender explains.

Mandrake looks like an advanced espionage platform, but the security researchers believe the campaign is rather financially motivated. During their investigation, they observed phishing attacks targeting an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, banking software, payment apps, an Australian pension fund app, and Gmail.

Mandrake infections happened in two waves, the researchers say. The first took place in 2016 and 2017, and a second between 2018 and 2020, with most of the victims located in Australia, Europe, and the Americas. Australia appears to be the most targeted.

According to Bitdefender, the current wave likely made tens of thousands of victims to date, with hundreds of thousands likely infected over Mandrake’s four-year lifespan. Every victim was likely exposed to some form of data theft, the researchers say.

Seven malicious applications delivering Mandrake were identified in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope and Car News, each of them having hundreds of thousands of downloads.

To gain users’ trust, the operators pay attention to negative reviews posted for their apps and often deliver fixes for reported issues. They also left the apps mostly ad-free, and created a dedicated microsite, along with social media accounts, to persuade users to download their apps.

Furthermore, the malicious activity is delayed and works in three stages: dropper, loader and core. The apps published in Google Play represent the dropper, but the loader and the core are delivered at an unpredictable point in time, or never.

The malware avoids infecting devices in about 90 countries and does not run on devices with no SIM or with SIM cards issued by certain operators, including Verizon and China Mobile Communications Corporation (CMCC).

Various anti-emulation and hiding techniques are also employed, along with administrator privileges and the Accessibility Service to ensure persistence following infection. The malware also grants itself a great deal of permissions that allow it to collect and exfiltrate large amounts of data and to track and spy on users.

The malware operators can also erase all traces of compromise by issuing a command to reboot the device and reset it to factory settings, effectively wiping the malware. This command is only called if the malware has admin privileges.


Thousands of Android Apps Leak Data Due to Firebase Misconfigurations
13.5.2020  Securityweek  Android

Comparitech security researchers have discovered that thousands of Android applications distributed through Google Play leak sensitive information due to Firebase misconfigurations.

Launched in 2011, Firebase is a mobile app development platform that Google acquired in 2014. It can be used for authentication, hosting, cloud storage, analytics, messaging, and more.

Roughly 30% of all the applications in Google Play are believed to be using Google Firebase to store user data, but many of them are not properly secured. Overall, 4.8% of all mobile apps using Firebase are believed to be leaking personal information, access tokens, and other types of data.

After looking at 515,735 Android applications in Google Play, Comparitech’s researchers found 4,282 apps that leak sensitive information.

“If we extrapolate those figures, an estimated 0.83 percent of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total,” the researchers note.

The identified vulnerable applications have a combined download count of more than 4.22 billion. These figures, however, only include the download counts from Google Play, and not third-party application marketplaces.

Data exposed through these misconfigurations includes email addresses (Comparitech identified more than 7,000,000), usernames (over 4,400,000), passwords (more than 1,000,000), phone numbers (in excess of 5,300,000), full name (more than 18,300,000), chat messages (6,800,000+), GPS data (6,200,000+), IP addresses (156,000+), and street addresses (560,000+), among others.

The researchers also say that credit card numbers and photos of government-issued identification were also being exposed.

“Of the 155,066 Firebase apps analyzed, 11,730 had publicly exposed databases. 9,014 of them even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it,” Comparitech says.

A cross-platform tool, Firebase is used on many operating systems and platforms, not just mobile, and the identified misconfigurations are believed to affect a much larger number of applications.

Google was alerted on the findings in late April and said it was reaching out to the affected developers to help them address the identified issues.

The problem, however, is not new. In 2018, Appthority identified over 3,000 Android and iOS applications that were leaking 100 million records (113 gigabytes of data) from Firebase databases.


Over 4000 Android Apps Expose Users' Data via Misconfigured Firebase Databases
12.5.2020  Thehackernews  Android
More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.
The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.
"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said.
Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.
With the vulnerable apps in question — mostly spanning games, education, entertainment, and business categories — installed 4.22 billion times by Android users, Comparitech said: "the chances are high that an Android user's privacy has been compromised by at least one app."
Given that Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to impact iOS and web apps as well.
The full contents of the database, spanning across 4,282 apps, included:
Email addresses: 7,000,000+
Usernames: 4,400,000+
Passwords: 1,000,000+
Phone numbers: 5,300,000+
Full names: 18,300,000+
Chat messages: 6,800,000+
GPS data: 6,200,000+
IP addresses: 156,000+
Street addresses: 560,000+
Diachenko found the exposed databases using known Firebase's REST API that's used to access data stored on unprotected instances, retrieved in JSON format, by simply suffixing "/.json" to a database URL (e.g. "https://~project_id~.firebaseio.com/.json").
Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.
Complicating the matter further is the indexing of Firebase database URLs by search engines such as Bing, which exposes the vulnerable endpoints for anyone on the Internet. A Google search, however, returns no results.
After Google was notified of the findings on April 22, the search giant said it's reaching out to affected developers to patch the issues.
This is not the first time exposed Firebase databases have leaked personal information. Researchers from mobile security firm Appthority found a similar case two years ago, resulting in the exposure of 100 million data records.
Leaving a database exposed without any authentication is an open invite for bad actors. It's therefore recommended that app developers adhere to Firebase database rules to secure data and prevent unauthorized access.
Users, for their part, are urged to stick to only trusted apps and be cautious about the information that's shared with an application.
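The recommendation above (lock the database down with Firebase security rules rather than leaving it open) is easy to check for in the rules document itself. The following added example, not Comparitech's or Firebase's own tooling, walks an exported rules JSON and reports every path whose ".read" or ".write" is unconditionally true, which is exactly the setting that makes "/.json" answer without any token; both sample rule sets are constructed for the example.

```python
"""Audit Firebase Realtime Database security rules for public access.

Added example, not Comparitech's or Firebase's tooling. It walks a rules
document (the JSON exported from the Firebase console) and reports every
path whose ".read" or ".write" rule is unconditionally true.
"""
import json

# Constructed sample: the permissive rules that leave the whole database
# readable and writable by anyone who knows the project URL.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: per-user scoping. Only the authenticated owner can
# read or write their own subtree; nothing is granted at the root, and the
# one public node is read-only and holds non-sensitive data.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {
            ".read": True,   # deliberately public, non-sensitive data
            ".write": False,
        },
    }
})


def _is_unconditional(rule):
    """True when a rule grants access without evaluating anything."""
    if rule is True:
        return True
    if isinstance(rule, str):
        return rule.strip().lower() == "true"
    return False


def find_public_paths(rules_json):
    """Return sorted (path, permission) pairs that are open to anyone.

    Firebase rules cascade downwards: access granted at a parent cannot be
    revoked below it, so a hit at "/" means the entire database is exposed.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path or "/", key.lstrip(".")))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")
            # ".validate", ".indexOn" and scalar values are not access grants

    walk(doc.get("rules", {}), "")
    return sorted(findings)


def is_database_wide_open(rules_json):
    """True if the root grants unauthenticated read or write access."""
    return any(path == "/" for path, _ in find_public_paths(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, find_public_paths(rules), is_database_wide_open(rules))
```

A finding at "/" is the case the researchers describe; a finding below the root is worth reviewing but may be intentional, as with the read-only config node in the second sample.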


Hackers breach company’s MDM server to spread Android malware
3.5.2020  Bleepingcomputer  Android

Attackers infected more than 75% of a multinational conglomerate's managed Android devices with the Cerberus banking trojan using the company’s compromised Mobile Device Manager (MDM) server.

MDM (also known as Enterprise Mobility Management - EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.

The Cerberus banking trojan was first spotted in June 2019 and it uses a Malware-as-a-Service (MaaS) business model allowing clients who rent their services to drop their payloads, as well as configure and control devices compromised during their attacks.

Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information including but not limited to call logs, text messages, credentials, Google Authenticator 2FA codes, phone unlocking patterns, as well as to collect info on installed apps and log keystrokes.

Company factory reset all enrolled devices
After the attackers successfully compromised the unnamed company's MDM server following a targeted attack, they used it to remotely deploy the banking trojan on over 75% of all managed Android devices, as Check Point security researchers discovered.

This was what allowed the researchers to detect the attack after two malicious apps were installed on a large number of company devices within a very short time with the help of the breached MDM server.

To get rid of the malware and remove the attackers' ability to control the infected devices, the company decided to factory reset all devices enrolled with the compromised MDM server.

"This is the first time we have a reported incident of mobile malware distribution that uses the MDM server as an attack vector," the researchers said.

Android Accessibility Service abuse
Right after infecting a device, the malware will display a dialog camouflaged as an update for the Android Accessibility Service which will keep popping up on the screen until the victim gives in and hits the "Enable Update" button.

After it gains access to the Accessibility Service, Cerberus will later use it for clicking on menu options and to bypass user interaction.

The banking Trojan was recently upgraded with RAT functionality in February and it is now capable of stealing victims' Google Authenticator two-factor authentication (2FA) codes that provide an additional layer of security when logging into services like banks, email, messaging, and social media networks.

Fake Accessibility Services update (Check Point)
Cerberus also has TeamViewer-based remote access Trojan (RAT) capabilities that make it possible for its operators to have full remote control of infected devices. Additionally, it uses overlays to grab the screen-lock pattern, enabling the attackers to unlock the devices remotely.

The malware downloads a ring0.apk module which adds the ability to harvest contacts, SMS messages, and the list of installed applications and send it to the command and control server.

"This module also can perform phone-related actions such as sending specific SMS messages, making calls and sending USSD requests," the researchers found. "In addition, this module can show notifications, install or uninstall applications, and open popup activities with URLs."

Maintaining access to compromised devices
Cerberus maintains access by blocking the victims' attempts to uninstall TeamViewer and it will also gain admin privileges, further hindering the users' ability to uninstall any apps it needs to perform its malicious tasks.

The malware will also block any user attempts to remove the app by automatically closing the App Detail page when the victims try to open it.

On compromised devices, Cerberus will also disable Google Play Protect, the built-in Android malware protection for Android, by abusing the Accessibility Service, thus preventing both detection and automatic removal.

Disabling Google Play Protect (Check Point)

"This incident underscores the importance of distinguishing between managing and securing mobile devices.

"Managing a mobile device means installing applications, configuring settings, and applying policies on multiple devices at once," they added. "Securing a mobile device means protecting it from malware threats and attacks."

Indicators of compromise, including command and control server IP addresses, the malicious Android apps' package names, and SHA256 hashes, are available here.


New Android malware steals financial information, bypasses 2FA
3.5.2020  Bleepingcomputer  Android

A new banking Trojan can steal financial information from Android users across the United States and several European countries, including the UK, Germany, Italy, Spain, Switzerland, and France.

Dubbed EventBot by researchers at Cybereason Nocturnus who discovered it in March 2020, the malware is a mobile banking trojan and infostealer designed to abuse the Android operating system's accessibility features to steal sensitive financial data.

"EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets," the Cybereason Nocturnus researchers found.

"Those targeted include applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more." — the full list of targeted Android apps is available here.

At the moment, the malware is not being distributed via the Google Play Store; its creators are most likely using shady APK hosting websites and rogue APK marketplaces to distribute it to potential victims' devices.

Apps targeted by EventBot (Cybereason Nocturnus)
Permissions for everything
Once the targets download EventBot on their devices and start the installation process, the malware will ask to be granted a large set of permissions including the capability to run in the background, to ignore battery optimizations, and to prevent the processor from sleeping or the device from dimming the screen.

EventBot also asks to get access to Android's accessibility services which allows it to "operate as a keylogger and can retrieve notifications about other installed applications and content of open windows" once the permissions are granted.

The banking trojan also asks for permission to launch itself after system boot as a simple way to gain persistence on infected devices and run in the background as a service.

It will also request permission to read and receive SMS messages, thus gaining the ability to read text messages and steal one-time passcodes (OTPs) it later uses to bypass two-factor authentication (2FA) for accounts using SMS-based 2FA — EventBot also uses webinjects to circumvent 2FA.

EventBot collects the list of installed apps on the Android devices it infects, together with device info like OS and model, data that gets sent to its command-and-control server to be later harvested by its operators.

EventBot requesting permissions (Cybereason Nocturnus)
Still in development but already a threat
Although it is currently in its early stages of development, EventBot can become a major Android malware threat since it is already capable of targeting hundreds of financial apps, and the developers add new features in each version, such as encryption, dynamic library loading, and automatic adjustment to device models and locales.

Because the threat actor behind this malware updates it every few days, it's just a matter of time until it catches up to other highly dangerous Android trojans like Cerberus, Anubis, and xHelper.

For instance, EventBot's developers added a layer of obfuscation in the latest version, "perhaps taking the malware one step closer to being fully operational," according to the researchers.

To defend against an EventBot infection you should avoid third-party marketplaces if possible and always install apps only from the Google Play Store as they go through a vetting process that makes sure that most potentially malicious apps are rejected.

"Cybereason believes EventBot could be the next influential mobile malware because of the time the developer has already invested into creating the code and the level of sophistication and capabilities is really high," Cybereason Head of Threat Research Assaf Dahan said.

"By accessing and stealing this data, Eventbot has the potential to access key business data, including financial data. Mobile malware is no laughing matter and it is a significant risk for organizations and consumers alike."

EventBot indicators of compromise (IOCs) including malware sample hashes, and IP addresses and domains of its command and control servers, are available at the end of Cybereason Nocturnus' report.

Starting last month, the TrickBot gang has also begun using a malicious Android app dubbed TrickMo that steals transaction authentication numbers (TANs) — including one-time passwords (OTP), mobile TAN (mTAN), and pushTAN authentication codes — to bypass the 2FA protection used by various banks.


Hacking group used Google Play Store to push spyware for years
2.5.2020  Bleepingcomputer  Android

A malicious campaign dubbed PhantomLance has been targeting users of Android devices with spyware payloads embedded in applications delivered via multiple platforms including Google's Play Store and alternative Android app stores such as APKpure and APKCombo.

According to a report published earlier by Kaspersky researchers, PhantomLance overlaps with previous campaigns targeting Windows and macOS attributed to OceanLotus, an advanced persistent threat group also tracked as APT32 and believed to be Vietnam-based.

"[The] campaign has been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware – software created to gather victims’ data – and smart distribution tactics, including distribution via dozens of applications on the Google Play official market," Kaspersky says.

Focused on collecting and stealing information
Kaspersky's researchers discovered the targeted campaign after Doctor Web published a report on a new backdoor trojan they found on the Play Store, a malware that was a lot more complex than the usual malware used by cybercriminals for stealing financial information and credentials from Android users in Southeast Asia.

Antiy Labs researchers also published a report describing the Android malware campaign in May 2019, attributing it to the OceanLotus hacking group.

BlackBerry researchers also discovered OceanLotus' malware being distributed via the Google Play Store during 2019, dubbing the campaign Operation OceanMobile. They published their findings as part of BlackBerry's October 2019 Mobile Malware Report.

"It is important to note that according to our detection statistics, the majority of users affected by this campaign were located in Vietnam, with the exception of a small number of individuals located in China," Kaspersky says.

Countries targeted by PhantomLance (Kaspersky)
Similar malware samples were later discovered by Kaspersky in multiple apps distributed on the Play Store and tied by the researchers to the PhantomLance campaign, a targeted series of attacks aiming to harvest information including geolocation, call logs, contacts, text messages, list of installed apps, and device information.

"Furthermore, the threat actor was able to download and execute various malicious payloads, and thus adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps," Kaspersky's report reads.

"This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information."

Distributed via multiple Android marketplaces
Among the Android applications containing samples of PhantomLance malware, Kaspersky provides the following list of apps that were distributed and later removed from the Play Store by Google in November 2019.

Package name                 Google Play persistence date (at least)
com.zimice.browserturbo      2019-11-06
com.physlane.opengl          2019-07-10
com.unianin.adsskipper       2018-12-26
com.codedexon.prayerbook     2018-08-20
com.luxury.BeerAddress       2018-08-20
com.luxury.BiFinBall         2018-08-20
com.zonjob.browsercleaner    2018-08-20
com.linevialab.ffont         2018-08-20
While the backdoored apps discovered by Kaspersky have already been removed from the Play Store, the situation is not the same for the unofficial marketplaces, since the PhantomLance spyware is still hosted and distributed through stores available at https://apkcombo[.]com, https://apk[.]support/, https://apkpure[.]com, https://apkpourandroid[.]com, as well as many others.

To avoid getting their apps tagged and blocked from being listed, the OceanLotus hackers would first upload clean app versions without any malicious payloads or the code needed to drop them on compromised devices — this behavior was confirmed after discovering versions of the same app with and without an embedded payload.

"These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads," the researchers reveal.

The fact that the malicious apps are still available through the third-party marketplaces is easy to explain: since most of these stores work by mirroring the official Play Store, they also grabbed and listed the malicious apps.

Five-year long OceanLotus campaign
"PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals," Alexey Firsh, security researcher at Kaspersky’s GReAT, said.

"We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area."

APT32 is a Vietnamese-backed advanced persistent threat group known to have targeted foreign companies investing in multiple Vietnam industry sectors.

The hacking group is also known to have been behind attacks targeting research institutes from around the world, media orgs, various human rights orgs, and even Chinese maritime construction firms. [1, 2, 3, 4, 5, 6, 7]

More recently, the Vietnamese threat actors carried out spear-phishing attacks targeting China's Ministry of Emergency Management and the government of Wuhan province with the end goal of collecting intelligence on the ongoing COVID-19 crisis.

Update April 29, 15:24 EDT: Added information about the Operation OceanMobile discovered by BlackBerry researchers.




StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft

28.5.2020  Net-Security  Android

Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data.


Dubbed StrandHogg 2.0 because it's similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news, though, is that there is no indication it is being actively used by attackers.
About StrandHogg 2.0 (CVE-2020-0096)

Like StrandHogg before it, CVE-2020-0096:

Doesn’t need the target device to be rooted and doesn’t require any specific permissions
Allows hackers to hijack nearly any app, i.e., to insert an overlay when the app is opened. The overlay takes the form of a login screen, a request for permissions, etc.

Unlike StrandHogg, StrandHogg 2.0:

Can attack nearly any app on a given device simultaneously at the touch of a button (and not just one app at a time)
Is more difficult to detect because of its code-based execution.

“The key difference between StrandHogg (1.0), and StrandHogg 2.0 is that the former uses an attribute called taskAffinity to achieve the task hijacking,” Promon researchers explained.

“For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext. While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”

StrandHogg 2.0 uses a different method for task hijacking that leaves no markers. Also, hackers can use obfuscation and reflection to make static analysis of the malicious app difficult.

Promon researcher John Høegh-Omdal says that malware that exploits StrandHogg 2.0 will be harder for anti-virus and security scanners to detect.
Who’s affected and what to do?

According to Promon’s research, the vulnerability affects all Android versions below Android 10 (with the caveat that early Android versions (<4.0.1) have not been tested). Google has released a patch to Android ecosystem partners in April 2020 and a fix for Android versions 8.0, 8.1, and 9 to the public in May 2020.

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” says Tom Lysemose Hansen, CTO and founder of Promon.

As with StrandHogg, users are advised to be wary of permission pop-ups that don’t contain an app name and apps that they have already logged into asking for login credentials.

“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild,” Hansen advises.

These measures include setting all of the app’s public activities to launchMode="singleTask" OR launchMode="singleInstance" in AndroidManifest.xml.
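Whether every public activity actually carries one of those two launch modes is something a build pipeline can verify. The following added example, not Promon's or Google's tooling, parses an AndroidManifest.xml, lists the activities reachable from outside the app (explicitly exported, or implicitly exported through an intent-filter) that are not set to singleTask or singleInstance, and can rewrite the manifest to set singleTask on them; the sample manifest and the package name com.example.bank are constructed for the example.

```python
"""Check AndroidManifest.xml for the launchMode hardening described above.

Added example, not Promon's or Google's tooling. Public activities are
those explicitly exported or carrying an intent-filter; any of them whose
launchMode is not singleTask/singleInstance is reported.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SAFE_LAUNCH_MODES = {"singleTask", "singleInstance"}

# Constructed sample manifest: one hardened launcher activity, one public
# activity left at the default launchMode, one internal activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".MainActivity"
        android:launchMode="singleTask">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true" />
    <activity android:name=".SettingsActivity" android:exported="false" />
  </application>
</manifest>
"""


def _qname(name):
    """Namespaced attribute name, e.g. {http://...}launchMode."""
    return f"{{{ANDROID_NS}}}{name}"


def _is_public(activity):
    """Exported explicitly, or implicitly by declaring an intent-filter."""
    exported = activity.get(_qname("exported"))
    if exported is not None:
        return exported == "true"
    return activity.find("intent-filter") is not None


def _public_activities(root):
    app = root.find("application")
    if app is None:
        return []
    return [a for a in app.findall("activity") if _is_public(a)]


def find_unprotected_activities(manifest_xml):
    """Names of public activities not using singleTask/singleInstance."""
    root = ET.fromstring(manifest_xml)
    return [
        a.get(_qname("name"))
        for a in _public_activities(root)
        if a.get(_qname("launchMode")) not in SAFE_LAUNCH_MODES
    ]


def harden_manifest(manifest_xml, mode="singleTask"):
    """Return the manifest with `mode` applied to every unprotected public activity."""
    if mode not in SAFE_LAUNCH_MODES:
        raise ValueError(f"unsupported launchMode: {mode}")
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix
    root = ET.fromstring(manifest_xml)
    for activity in _public_activities(root):
        if activity.get(_qname("launchMode")) not in SAFE_LAUNCH_MODES:
            activity.set(_qname("launchMode"), mode)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unprotected:", find_unprotected_activities(SAMPLE_MANIFEST))
    print(harden_manifest(SAMPLE_MANIFEST))
```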


The Security of Your Android Device May Depend on Where You Live
27.5.2020  Securityweek  Android
Region-specific Default Configurations and Settings for Android Devices Cause Varied Security Posture for Mobile Users

Over the last few years, security researchers have been able to crack various Android phones during Pwn2Own hacking competitions. Now one firm has collected its research and finds a potentially significant global problem: Android security may be dependent on the country of use.

One problem is the open and global nature of the Android operating system. Handset manufacturers seek to differentiate themselves and gain a competitive edge over other manufacturers by adding their own proprietary apps to the default Android device -- sometimes known as bloatware. "Specifically," commented F-Secure UK director of research James Loureiro, "we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region."

At Mobile Pwn2Own 2017, F-Secure used vulnerabilities in the proprietary Huawei apps HiApp and Read to compromise the Huawei Mate 9 Pro.

Just as concerning is the absence of the official Google Play app store in some regions. China, where access to Google Play is banned, is a good example. Both Xiaomi and Huawei have been forced to develop their own dedicated app stores. F-Secure's researchers found multiple vulnerabilities in the Huawei AppGallery that could be exploited to create a beachhead for additional attacks. "Following this initial compromise," say the researchers, "an attacker could use additional vulnerabilities the researchers discovered in Huawei iReader to execute code and steal data from the device."

A similar situation exists with Xiaomi's GetApps store, where vulnerabilities allowed an attacker to gain full control of the device. The research demonstrated that an attacker could compromise Xiaomi's Mi 9 in its default configuration for China, India, Russia, and possibly other countries -- it would simply require socially engineering the user to visit a website controlled by the attacker. In fact, a similar attack could be conducted via attacker-controlled NFC tags. Both attacks give the attacker the necessary access to steal data or install malware.

The security problems are not limited to bloatware and proprietary app stores. F-Secure discovered that the Samsung Galaxy S9 behaves differently depending on the geographical origin of the SIM card. The device detects the Mobile Country Code (MCC) used by the SIM card -- and some apps adjust their behavior if they detect a Chinese MCC (460).

F-Secure discovered that if the Galaxy S9 detects the Chinese SIM, the affected component accepts unencrypted updates -- making it susceptible to man-in-the-middle attacks. A successful MitM attack would give the attacker full control of the device.

The attacks discovered by F-Secure could be used indiscriminately for mass compromise, or could be targeted at individuals while providing limited acknowledgement to the user that there might be a problem. At one level, this is philosophically unacceptable -- users deserve an equal level of high security regardless of where they live or the phone they use.

At other levels, although all the discovered vulnerabilities have since been patched, nevertheless, the F-Secure research still raises additional questions that need to be considered. Given the number of different Android handsets manufactured around the world, the problem is likely to be far greater than just the few handsets researched by F-Secure. Nor should large organizations dismiss the problem as a local foreign issue.

"Our research has given us a glimpse of just how problematic the proliferation of custom-Android builds can be from security perspective," comments F-Secure senior security researcher Mark Barnes. "And it's really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions."

But there is another issue that also needs to be considered. China seems to be the epicenter of the issues discovered by F-Secure, and wherever China is involved, geopolitics must be considered. F-Secure raises this. "It is unclear," says the firm, "if these [vulnerabilities] are being actively exploited; more likely, these are vulnerabilities left in due to carelessness by the developers. However, it does raise interesting questions about the relationship between a particular handset's security and the region it's used in."

That 'relationship' is particularly relevant given the occurrence of Huawei in the research, and the ongoing concern over the relationship between Huawei and the Chinese government. Although last year's NCSC report on Huawei telecommunications equipment found no backdoors, it did comment that vulnerabilities could lead to future abuse.

An alternative term for carelessness could be 'technical negligence'. Talking to SecurityWeek in January 2020, ex-intelligence community employee and now co-founder and CTO at SaltStack Thomas Hatch explained that technical negligence is a tool used by intelligence services over and above straightforward backdoors. Technical negligence can be used as necessary in the future by state actors who may know where the negligence exists. "This," he said, "poses a legitimate security risk that cannot be reasonably mitigated."


StrandHogg 2.0 Critical Bug Allows Android App Hijacking
27.5.2020  Threatpost  Android

A malicious app installed on a device can hide behind legitimate apps.

A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone – potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more.

The bug is dubbed the “StrandHogg 2.0” vulnerability (CVE-2020-0096) by the Promon researchers who found it, due to its similarity to the original StrandHogg bug discovered last year. Like the original, a malicious app installed on a device can hide behind legitimate apps. When a normal app icon is clicked, a malicious overlay is instead executed, which can harvest login credentials for the legitimate app.

However, Version 2.0 allows for a wider range of attacks. The main difference with the new bug is that exploits are carried out through reflection, “allowing malicious apps to freely assume the identity of legitimate apps while also remaining completely hidden,” researchers explained, in a white paper published on Tuesday. The original StrandHogg allowed attacks via the TaskAffinity Android control setting.

“StrandHogg 2.0…has learned how to, with the correct per-app tailored assets, dynamically attack nearly any app on a given device simultaneously at the touch of a button, unlike StrandHogg which can only attack apps one at a time,” according to the research.

Attackers would first inject the original launcher activity of the apps they are targeting with their own attack activity. The task will appear to be the original task belonging to the app; however, the attack activity that has been placed into the task is what the user will actually see when the task is activated.

“As a result, the next time the app is invoked, for instance, by a user clicking its app icon, the Android OS will evaluate the existing tasks and find the task we created,” according to the white paper. “Because it looks genuine to the app, it will bring the task we created to the foreground and with it our attack will now be activated.”

The Promon researchers have published a proof-of-concept video of how an exploit would work.

“Mobile apps practically have a target painted on their back. Promon’s recent malware vulnerability discovery dubbed “StrandHogg 2.0” is the latest example of what dangerous malware could do if exploited in the wild – possibly exposing Android users’ mobile banking credentials and access one-time-passwords sent via SMS,” said Sam Bakken, senior product marketing manager at OneSpan, via email.

StrandHogg 2.0 attacks are also more difficult to detect, researchers wrote.

“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” they explained. “This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.”

Attackers can further hide their activities because StrandHogg 2.0 requires neither root access nor external configuration, so code obtained from Google Play will not initially appear suspicious to developers and security teams.

No attacks have thus far been seen in the wild, but researchers theorize that it’s only a matter of time before they appear. Promon said that it expects threat actors to use both the original StrandHogg bug and the new version together, in order to broaden their attack surface: many of the mitigations that can be executed against StrandHogg do not apply to StrandHogg 2.0 and vice versa, Promon said.

“We see StrandHogg 2.0 as StrandHogg’s even more evil twin,” said Tom Lysemose Hansen, CTO at Promon. “Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors.”

Google has issued a patch for Android versions 9, 8.1 and 8, but users on earlier versions (representing 39.2 percent of Android devices, researchers said) will remain vulnerable. StrandHogg 2.0 exploits do not impact devices running Android 10, so users should update their devices to the latest firmware in order to protect themselves from attacks.

“With a significant proportion of Android users reported to still be running older versions of the OS, a large percentage of the global population is still at risk,” the researchers said.

In fact, according to data from Google, as of April 2020, 91.8 percent of active Android users worldwide are on version 9.0 or earlier: Pie (2018), Oreo (2017), Nougat (2016), Marshmallow (2015), Lollipop (2014), KitKat (2013), Jelly Bean (2012) and Ice Cream Sandwich (2011).


StrandHogg 2.0 Android flaw affects over 1 Billion devices
27.5.2020  Securityaffairs  Android

Researchers disclosed a new critical vulnerability (CVE-2020-0096, aka StrandHogg 2.0) affecting the Android operating system that could allow attackers to carry out a sophisticated version of Strandhogg attack.
A group of Norwegian researchers disclosed a critical flaw, tracked as CVE-2020-0096, affecting Android OS that could allow attackers to carry out a sophisticated version of the Strandhogg attack.
In December, security experts at Promon disclosed a vulnerability, dubbed StrandHogg, that had been exploited by tens of malicious Android apps.

The name StrandHogg comes from an old Norse term that refers to a tactic adopted by the Vikings that consists of raiding coastal areas to plunder and hold people for ransom.

The vulnerability resides in Android’s multitasking system and could be exploited by a rogue application installed on the device to pose as a legitimate application in an attempt to harvest elevated permissions from the victim.

A rogue Android app could use the StrandHogg tactic to trick the user into granting it the permissions to control the device.

The permissions granted to the app could allow spying on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations.
The same team of Norwegian researchers that discovered StrandHogg has now reported the CVE-2020-0096 flaw, which they call StrandHogg 2.0. The StrandHogg 2.0 vulnerability affects all Android devices except those running Android Q/10, which means that 80%-85% of Android devices are exposed.

The StrandHogg 2.0 flaw is an elevation of privilege flaw that allows hackers to gain access to almost all apps installed on the device.

Whereas StrandHogg 1.0 could be used to attack apps only one at a time, StrandHogg 2.0 allows attackers to “dynamically attack nearly any app on a given device simultaneously at the touch of a button,” all without requiring a pre-configuration for each targeted app.

“If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.

“Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.”

Targeted users are unlikely to spot the StrandHogg attack, which can be exploited without root access and works on all versions of Android.

The new flaw can be used for various types of phishing attack, such as displaying a fake login screen, gathering different types of sensitive information, denial of service, and/or collecting permissions under the guise of the target app (such as SMS, GPS positioning and more).

Experts reported the flaw to Google in December; the tech giant released a security patch to device manufacturers in April 2020, and they are now rolling out security updates to their devices.

The experts also released a PoC video.


StrandHogg 2.0 Vulnerability Allows Hackers to Hijack Android Devices
27.5.2020  Securityweek  Android
Researchers at Norwegian app security company Promon on Tuesday disclosed the existence of a serious Android vulnerability that allows a piece of malware to hijack nearly any application installed on the victim’s device.

In December 2019, Promon warned that an Android vulnerability, which it dubbed StrandHogg, was being exploited by tens of malicious Android apps to escalate privileges.

StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to plunder and hold people for ransom, exploits a weakness in Android’s multitasking system. It allows a malicious application with limited permissions to pose as a legitimate app in an effort to obtain elevated privileges, enabling attackers to spy on users and access data stored on the device.

Promon now says it has identified another similar vulnerability, which it has named StrandHogg 2.0 and described as StrandHogg’s “evil twin.”

Just like the original vulnerability, StrandHogg 2.0 can be exploited to hijack apps, but the company warns that “it allows for broader attacks and is much more difficult to detect.”

Malware exploiting StrandHogg 2.0 does not require any permissions and the victim only needs to execute the malicious app to trigger the exploit. If exploitation is successful, the attacker can abuse the hijacked application to obtain the privileges needed to read SMS messages, steal files, phish login credentials, track the device’s location, make or record phone calls, and spy on the user through the phone’s microphone and camera.

According to Promon, StrandHogg 2.0 can target multiple apps simultaneously, and it’s more difficult to detect.

“Attackers exploiting StrandHogg have to explicitly and manually enter the apps they are targeting into Android Manifest, with this information then becoming visible within an XML file which contains a declaration of permissions, including what actions can be executed,” Promon explained in a blog post. “This declaration of required code, which can be found within the Google Play store, is not the case when exploiting StrandHogg 2.0.”

“As no external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack, as code obtained from Google Play will not initially appear suspicious to developers and security teams,” the company added.
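The manifest trace that Promon describes in the quote above (and that the Threatpost article repeats earlier on this page) is something a defender can check statically. The script below is an added example, not Promon’s tooling and not code from any of the quoted articles: it scans a decoded AndroidManifest.xml (as produced by an APK decompiler; that the manifest has already been decoded from binary XML is an assumption) for activities whose android:taskAffinity names a package other than the app’s own, which is exactly the kind of explicit per-target declaration a StrandHogg 1.0-style app has to make. The sample manifest and the package names in it are constructed. As the articles state, StrandHogg 2.0 needs no such declaration, so an empty result from this check is not evidence that an app is safe.

```python
import xml.etree.ElementTree as ET

# Android manifest attribute namespace (android:name, android:taskAffinity, ...)
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_foreign_task_affinities(manifest_xml):
    """Return activities whose taskAffinity points at a package other than the app's own.

    An activity's default affinity is the app's own package name, so a manifest
    that pins an activity to a *different* package is the declaration that the
    original StrandHogg needed per targeted app. An empty affinity ("") opts the
    activity out of shared tasks (a hardening setting) and is deliberately not flagged.
    """
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for act in app.iter("activity"):
        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            continue  # default affinity == own package name
        if affinity == "" or affinity == own_pkg:
            continue  # opted out of shared tasks, or explicitly its own package
        findings.append({
            "activity": _attr(act, "name"),
            "taskAffinity": affinity,
            # recorded as context: reparenting lets the activity move into the target task
            "allowTaskReparenting": _attr(act, "allowTaskReparenting") == "true",
        })
    return findings


# Constructed sample manifest: a decoy package with one benign activity, one
# hardened activity (empty affinity) and one activity whose affinity names a
# hypothetical banking package "com.example.bank".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.decoy">
  <application android:label="Decoy">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Hardened" android:taskAffinity=""/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in find_foreign_task_affinities(SAMPLE_MANIFEST):
        print(finding)
```

Run against the constructed manifest, only `.Overlay` is reported; `.Hardened` is skipped because an empty affinity is the opt-out setting rather than a target declaration.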

Google was informed about the vulnerability on December 4, 2019, and patched it with its May 2020 Android security updates. The tech giant assigned it CVE-2020-0096 and described it as a critical elevation of privilege issue.

In the case of the original StrandHogg, Google focused on detecting and blocking malicious apps exploiting the vulnerability rather than releasing a patch for Android.

Promon says StrandHogg 2.0 does not affect Android 10, but the company notes that roughly 90 percent of Android devices currently run older versions of the mobile operating system.

The security firm says it’s not aware of any malware exploiting the new vulnerability, but it expects hackers to leverage StrandHogg and StrandHogg 2.0 together “because both vulnerabilities are uniquely positioned to attack devices in different ways, and doing so would ensure that the target area is as broad as possible.”


New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps
27.5.2020  Thehackernews  Android

Remember Strandhogg?
It is a security vulnerability affecting Android that malicious apps can exploit to masquerade as any other app installed on a targeted device and display fake interfaces to users, tricking them into giving away sensitive information.
Late last year, at the time of its public disclosure, researchers also confirmed that some attackers were already exploiting the flaw in the wild to steal users' banking and other login credentials, as well as to spy on their activities.
The same team of Norwegian cybersecurity researchers today unveiled details of a new critical vulnerability (CVE-2020-0096) affecting the Android operating system that could allow attackers to carry out a much more sophisticated version of Strandhogg attack.
Dubbed 'Strandhogg 2.0,' the new vulnerability affects all Android devices except those running the latest version of the mobile operating system, Android Q / 10, which, unfortunately, runs on only 15-20% of all Android-powered devices, leaving billions of the remaining smartphones vulnerable to attackers.
StrandHogg 1.0 resided in the multitasking feature of Android, whereas the new Strandhogg 2.0 flaw is basically an elevation of privilege vulnerability that allows hackers to gain access to almost all apps.
As explained before, when a user taps the icon of a legitimate app, the malware exploiting Strandhogg vulnerabilities can intercept and hijack this activity/task to display a fake interface to the user instead of launching the real application.
However, unlike StrandHogg 1.0 that can only attack apps one at a time, the latest flaw could let attackers "dynamically attack nearly any app on a given device simultaneously at the touch of a button," all without requiring a pre-configuration for each targeted app.


StrandHogg flaws are potentially dangerous and concerning because:
it is almost impossible for targeted users to spot the attack,
it can be used to hijack the interface for any app installed on a targeted device without requiring configuration,
it can be used to request any device permission fraudulently,
it can be exploited without root access,
it works on all versions of Android, except Q,
it doesn't need any special permission to work on the device.
Besides stealing login credentials through a convincing fake screen, the malware app can also escalate its capabilities significantly by tricking users into granting sensitive device permissions while posing as a legitimate app.
"Utilising StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims' login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone's camera and microphone," the researchers said.
"Malware that exploits StrandHogg 2.0 will also be harder for anti-virus and security scanners to detect and, as such, poses a significant danger to the end-user," they added.

Security researchers responsibly reported the new vulnerability to Google in December last year.
After that, Google prepared a patch and shared it with smartphone manufacturing companies in April 2020, who have now started rolling out software updates to their respective users from this month.
Though there is no effective and reliable way to block or detect task hijacking attacks, users can still spot such attacks by keeping an eye on discrepancies we shared while reporting StrandHogg 1.0, like when:
an app you're already logged into is asking for a login,
permission popups that do not contain an app name,
permissions asked from an app that shouldn't require or need the permissions it asks for,
buttons and links in the user interface do nothing when clicked on,
the back button does not work as expected.