

Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store
20.12.2021
Android Thehackernews
A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users' contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge.

The latest Joker malware was found in a messaging-focused app named Color Message ("com.guo.smscolor.amessage"), which has since been removed from the official app marketplace. In addition, it has been observed simulating clicks in order to generate revenue from malicious ads and connecting to servers located in Russia.

Color Message "accesses users' contact list and exfiltrates it over the network [and] automatically subscribes to unwanted paid services," mobile security firm Pradeo noted. "To make it difficult to be removed, the application has the capability to hide its icon once installed."

[Image: Android Malware]
"We is [sic] committed to ensuring that the app is as useful and efficient as possible," the developers behind Color Message state in their terms and conditions. "For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you're paying for."

Joker, since its discovery in 2017, has been a notorious fleeceware infamous for carrying out an array of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information unbeknownst to users.

The rogue apps have continued to skirt Google Play protections using a barrage of evasion tactics to the point that Android's Security and Privacy Team said the malware authors "have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."


Beware! This Android Trojan Stole Millions of Dollars from Over 10 Million Users
6.10.21 
Android  Thehackernews
A newly discovered "aggressive" mobile campaign has infected north of 10 million users from over 70 countries via seemingly innocuous Android apps that subscribe the individuals to premium services costing €36 (~$42) per month without their knowledge.

Zimperium zLabs dubbed the malicious trojan "GriftHorse." The money-making scheme is believed to have been under active development starting from November 2020, with victims reported across Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the U.K., and the U.S.

No fewer than 200 trojan applications were used in the campaign, making it one of the most widespread scams to have been uncovered in 2021. What's more, the malicious apps catered to a varied set of categories ranging from Tools and Entertainment to Personalization, Lifestyle, and Dating, effectively widening the scale of the attacks. One of the apps, Handy Translator Pro, amassed as many as 500,000 downloads.

"While typical premium service scams take advantage of phishing techniques, this specific global scam has hidden behind malicious Android applications acting as Trojans, allowing it to take advantage of user interactions for increased spread and infection," Zimperium researchers Aazim Yaswant and Nipun Gupta said in a report shared with The Hacker News.

"These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent."

[Image: GriftHorse Malware]
Like other banking trojans, GriftHorse does not exploit flaws in the Android operating system, but rather socially engineers users into subscribing their phone numbers to premium SMS services upon downloading the apps.

Following a successful infection, the victims are bombarded with deceptive alerts promising a free "GIFT" that, when clicked, redirect them to a geo-specific webpage to submit their phone numbers for verification. "But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month," the researchers said.

In building a stable cash flow of illicit funds, the GriftHorse campaign not only managed to fly under the radar and avoid antivirus detection, but also has generated millions in recurring revenue each month, potentially surpassing hundreds of millions in the total amount plundered from these victims, the researchers noted.

Following responsible disclosure to Google, the apps have been purged from the Play Store. But they continue to be available on untrusted third-party app repositories, once again underscoring the risks associated with sideloading arbitrary applications and how they can emerge as an intrusion route for malware.

"Overall, GriftHorse Android Trojan takes advantage of small screens, local trust, and misinformation to trick users into downloading and installing these Android Trojans, as well as frustration or curiosity when accepting the fake free prize spammed into their notification screens," Yaswant and Gupta concluded.


New Android Malware Steals Financial Data from 378 Banking and Wallet Apps
6.10.21 
Android  Thehackernews

The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research.

"The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays," ThreatFabric's CEO Cengiz Han Sahin said in an emailed statement. First campaigns involving ERMAC are believed to have begun in late August under the guise of the Google Chrome app.

Since then, the attacks have expanded to include a range of apps such as banking, media players, delivery services, government applications, and antivirus solutions like McAfee.

ERMAC is almost fully based on the notorious banking trojan Cerberus. The Dutch cybersecurity firm's findings come from forum posts made last month, on August 17, by an actor named DukeEugene, inviting prospective customers to "rent a new android botnet with wide functionality to a narrow circle of people" for $3,000 a month.

DukeEugene is also known as the actor behind the BlackRock campaign that came to light in July 2020. Featuring an array of data theft capabilities, the infostealer and keylogger originate from another banking strain called Xerxes — which itself is a strain of the LokiBot Android banking Trojan — with the malware's source code made public by its author around May 2019.

Cerberus, in September 2020, had its own source code released as a free remote access trojan (RAT) on underground hacking forums following a failed auction that sought $100,000 for the developer.

ThreatFabric also highlighted the cessation of fresh BlackRock samples since the emergence of ERMAC, raising the possibility that "DukeEugene switched from using BlackRock in its operations to ERMAC." Besides sharing similarities with Cerberus, the freshly discovered strain is notable for its use of obfuscation techniques and a Blowfish encryption scheme to communicate with the command-and-control server.

ERMAC, like its progenitor and other banking malware, is designed to steal contact information and text messages, open arbitrary applications, and trigger overlay attacks against a multitude of financial apps to swipe login credentials. In addition, it has developed new features that allow the malicious software to clear the cache of a specific application and steal accounts stored on the device.

"The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape," the researchers said. "Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world."


New Android Malware Targeting US, Canadian Users with COVID-19 Lures
6.10.21 
Android  Thehackernews
An "insidious" new SMS smishing malware has been found targeting Android mobile users in the U.S. and Canada as part of an ongoing campaign that uses SMS text message lures related to COVID-19 regulations and vaccine information in an attempt to steal personal and financial data.

Proofpoint's messaging security subsidiary Cloudmark coined the emerging malware "TangleBot."

"The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone," the researchers said.

Besides capabilities to obtain sensitive information, the malware is engineered to control device interaction with banking or financial apps using overlay screens and plunder account credentials from financial activities initiated on the phones.

[Image: Android Malware]
The attacks themselves originate from SMS messages that claim to be "new regulations about COVID-19" or confirmation for an "appointment for the 3rd [vaccine] dose," urging users to click on an accompanying link that, when visited, notifies the victim that their Adobe Flash player is out-of-date and must be updated. Opting to update the software results in the installation of the TangleBot malware on the Android device.

In the next phase, TangleBot is granted wide-ranging permissions to access contacts, SMS, call logs, internet, camera and microphone, and GPS, thus enabling the operators to intercept phone calls, send and receive text messages, record the camera, screen, or microphone audio or stream them directly to the attacker, turning it into full-fledged spyware.

[Image: Android Malware]
"Harvesting of personal information and credentials in this manner is extremely troublesome for mobile users because there is a growing market on the dark web for detailed personal and account data," the researchers said. "Even if the user discovers the TangleBot malware and it is able to remove it, the attacker may not use the stolen information for some period of time, rendering the victim oblivious of the theft."


Google to Auto-Reset Unused Android App Permissions for Billions of Devices
20.9.21 
Android  Thehackernews
Google on Friday said it's bringing an Android 11 feature that auto-resets permissions granted to apps that haven't been used in months, to devices running Android versions 6 and above.

The expansion is expected to go live later this year in December 2021 and enabled on Android phones with Google Play services running Android 6.0 (API level 23) or higher, which the company said should cover "billions more devices." Google officially released Android 6.0 Marshmallow on October 5, 2015.

With Android 11 that came out last year, the internet giant introduced a permission auto-reset option that helps improve user privacy by automatically resetting an app's permissions to access sensitive features like storage or camera if the app in question is left unopened for a few months.

"Some apps and permissions are automatically exempted from revocation, like active Device Administrator apps used by enterprises, and permissions fixed by enterprise policy," Google noted. While permission auto-reset will be turned on by default for apps targeting Android 11 (API level 30) or higher, the new feature has to be enabled manually for apps targeting API levels 23 to 29.

The rollout is slated to be complete by sometime in Q1 2022.

[Image: Auto-Reset Unused Android App Permissions]
The changes are part of a number of user-facing privacy and security features that Google has pushed out in recent months. The Mountain View-based company, in late July, said it intends to disallow users from signing in to their Google accounts from Android devices running versions 2.3.7 or lower starting September 27, 2021.

Earlier this year, Google announced plans to add iOS-style privacy labels to app listings on the Play Store that highlight the various types of data being collected and how it's used, in addition to limiting apps, with the exception of a few, from accessing the list of installed apps on Android devices. In June 2021, Google also moved to strip users' advertising IDs when opting out of ads personalization in Android Settings as part of a Google Play services update.


SOVA: New Android Banking Trojan Emerges With Growing Capabilities
10.9.21 
Android  Thehackernews

A mix of banking applications, cryptocurrency wallets, and shopping apps from the U.S. and Spain are the target of a newly discovered Android trojan that could enable attackers to siphon personally identifiable information from infected devices, including banking credentials, and open the door to on-device fraud.

Dubbed S.O.V.A. (referring to the Russian word for owl), the current version of the banking malware comes with myriad features to steal credentials and session cookies through web overlay attacks, log keystrokes, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses, with future plans to incorporate on-device fraud through VNC, carry out DDoS attacks, deploy ransomware, and even intercept two-factor authentication codes.

The malware was discovered in the beginning of August 2021 by researchers from Amsterdam-based cybersecurity firm ThreatFabric.

Overlay attacks typically involve the theft of confidential user information using malware that overlays its own windows on top of another program. On the other hand, the pilfering of valid session cookies is particularly nasty as it allows the criminals to log in and take over accounts from the users without the need for knowing the banking credentials.

"The second set of features, added in the future developments, are very advanced and would push S.O.V.A. into a different realm for Android malware, making it potentially one of the most advanced bots in circulation, combining banking malware with automation and botnet capabilities," ThreatFabric said in a report shared with The Hacker News.

Although the malware is believed to be in its nascent stages of development, S.O.V.A.'s developers have been advertising the product on hacking forums, looking to recruit testers to trial the malware on a large number of devices and its bot capabilities. "Not redistribution of Cerberus/Anubis, the bot is written from scratch," the forum post read.

"[S.O.V.A.] is still a project in its infancy, and now provides the same basic features as most other modern Android banking malware," the researchers said. "However, the author behind this bot clearly has high expectations for his product, and this is demonstrated by the author's dedication to test S.O.V.A. with third parties, as well as by S.O.V.A.'s explicit feature roadmap."


Modified Version of WhatsApp for Android Spotted Installing Triada Trojan
25.8.21 
Android  Thehackernews
A modified version of the WhatsApp messaging app for Android has been trojanized to intercept text messages, serve malicious payloads, display full-screen ads, and sign up device owners for unwanted premium subscriptions without their knowledge.

"The Trojan Triada snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 together with the advertising software development kit (SDK)," researchers from Russian cybersecurity firm Kaspersky said in a technical write-up published Tuesday. "This is similar to what happened with APKPure, where the only malicious code that was embedded in the app was a payload downloader."

Modified versions of legitimate Android apps — a practice called Modding — are designed to perform functions not originally conceived or intended by the app developers. FMWhatsApp, billed as a custom build of WhatsApp, allows users to refashion the app with different themes, personalize icons, and hide features like last seen, and even deactivate video calling features. The app is only available via third-party websites.

The tampered variant of the app detected by Kaspersky comes equipped with capabilities to gather unique device identifiers, which are sent to a remote server that responds back with a link to a payload that's subsequently downloaded, decrypted, and launched by the Triada trojan.

The payload, for its part, can be employed to carry out a wide range of malicious activities ranging from downloading additional modules and displaying full-screen ads to stealthily subscribing the victims to premium services and signing into WhatsApp accounts on the device. Even worse, the attackers can hijack and take control of the WhatsApp accounts to carry out social engineering attacks or distribute spam messages, thus propagating the malware to other devices.

"It's worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them," the researchers said. "This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process."


Experts spotted a new advanced Android spyware posing as “System Update”
28.3.2021 
Android  Securityaffairs

Researchers spotted a sophisticated Android spyware that implements exfiltration capabilities and surveillance features, including recording audio and phone calls.
Experts from security firm Zimperium have spotted a new sophisticated Android spyware that masquerades as a System Update application. The malware is able to collect system data, messages and images and take over the infected Android devices; it allows operators to record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more.

“The “System Update” app was identified by zLabs researchers who noticed an Android application being detected by the z9 malware engine powering zIPS on-device detection. Following an investigation, we discovered it to be a sophisticated spyware campaign with complex capabilities.” states the analysis published by Zimperium. “The mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide range of data and perform a wide range of malicious actions.”

The experts shared their findings with Google, which confirmed that the malicious app has never been uploaded on Google Play.

Once the malicious app has been downloaded from a third-party store and installed, the spyware registers itself with a Firebase command-and-control (C2) server with information such as the presence of WhatsApp, battery percentage, and storage stats. The malware exfiltrates data from the infected devices in the form of an encrypted ZIP file.

The spyware’s actions and exfiltration are triggered in different circumstances, including the creation of a new contact, the receipt of a new SMS, or the installation of a new application by the victim.

The malware receives commands through the Firebase messaging service to start actions like recording audio from the microphone. The stolen data is exfiltrated to a dedicated C2 through a POST request. Below is the list of commands supported by the spyware:

[Image: Android Spyware]
In order to avoid detection and leave no traces, the Android spyware deletes any exfiltrated files as soon as it receives a “success” response from the C2, and it also significantly reduces its bandwidth consumption.

“The spyware is capable of performing a wide range of malicious activities to spy on the victim while posing as a “System Update” application.” concludes the report. “It exhibits a rarely seen before feature, stealing thumbnails of videos and images, in addition to the usage of a combination of Firebase and a dedicated Command & Control server for receiving commands and exfiltrate data.”

Researchers also shared Indicators of Compromise (IoCs) for this threat.


Watch Out! That Android System Update May Contain A Powerful Spyware
28.3.2021 
Android  Thehackernews
Researchers have discovered a new information-stealing trojan, which targets Android devices with an onslaught of data-exfiltration capabilities — from collecting browser searches to recording audio and phone calls.

While malware on Android has previously taken the guise of copycat apps, which go under names similar to legitimate pieces of software, this sophisticated new malicious app masquerades as a System Update application to take control of compromised devices.

"The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service," Zimperium researchers said in a Friday analysis. "The 'Searching for update..' is not a legitimate notification from the operating system, but the spyware."

Once installed, the sophisticated spyware campaign sets about its task by registering the device with a Firebase command-and-control (C2) server with information such as battery percentage, storage stats, and whether the phone has WhatsApp installed, followed by amassing and exporting any data of interest to the server in the form of an encrypted ZIP file.

[Image: android system update]
The spyware features myriad capabilities with a focus on stealth, including tactics to pilfer contacts, browser bookmarks, and search history, steal messages by abusing accessibility services, record audio, and phone calls, and take photos using the phone's cameras. It can also track the victim's location, search for files with specific extensions, and grab data from the device's clipboard.

"The spyware's functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or, a new application installed by making use of Android's contentObserver and Broadcast receivers," the researchers said.

What's more, the malware not only organizes the collected data into several folders inside its private storage, it also wipes out any trace of malicious activity by deleting the ZIP files as soon as it receives a "success" message from the C2 server post exfiltration. In a further bid to evade detection and fly under the radar, the spyware also reduces its bandwidth consumption by uploading thumbnails as opposed to the actual images and videos present in external storage.

Although the "System Update" app was never distributed through the official Google Play Store, the research once again highlights how third-party app stores can harbor dangerous malware. The identity of the malware authors, the targeted victims, and the ultimate motive behind the campaign remains unclear as yet.


Google fixes an Android vulnerability actively exploited in the wild
24.3.2021
Android  Securityaffairs

Google addressed a zero-day vulnerability affecting Android devices that use Qualcomm chipsets which is actively exploited in the wild.
Google has addressed a zero-day vulnerability, tracked as CVE-2020-11261, affecting Android devices that use Qualcomm chipsets. According to the IT giant, threat actors are actively exploiting the vulnerability in attacks in the wild.

The CVE-2020-11261 flaw is an improper input validation issue in the Qualcomm Graphics component, rated with a CVSS score of 8.4.

“Memory corruption due to improper check to return error when user application requests memory allocation of a huge size,” reads the description provided by Qualcomm.
The vulnerability could be exploited by an attacker-engineered app that requests access to a huge portion of the device’s memory.

“There are indications that CVE-2020-11261 may be under limited, targeted exploitation” reads a note added to the January security bulletin last week.

The CVE-2020-11261 flaw was reported to Qualcomm by Google’s Android Security team on August 20, 2020 and was addressed in January 2021.

The issue was rated as high severity because it requires local access to be exploited; this means that attackers need physical access to the vulnerable device.

Google did not provide technical details about the attacks, nor did it attribute them to specific threat actors.


WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack
23.3.2021
Android  Thehackernews

Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by attackers to launch targeted attacks.

Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device's memory.

"There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18.

CVE-2020-11261 was discovered and reported to Qualcomm by Google's Android Security team on July 20, 2020, after which it was fixed in January 2021.

It's worth noting that the access vector for the vulnerability is "local," meaning that exploitation requires local access to the device. In other words, to launch a successful attack, the bad actor must either have physical access to the vulnerable smartphone or use other means - e.g., a watering hole - to deliver malicious code and set off the attack chain.

While specifics about the attacks, the identity of the attacker, and the targeted victims have not been released, it is not unusual for Google to withhold sharing such information to prevent other threat actors from taking advantage of the vulnerability.

If anything, the development once again underscores the need to promptly install monthly security updates as soon as they are available to prevent Android devices from being exploited. We've reached out to Google for comment and will update this article if we hear back.


Bogus Android Clubhouse App Drops Credential-Swiping Malware
20.3.2021
Android  Threatpost

The malicious app spreads the BlackRock malware, which steals credentials from 458 services – including Twitter, WhatsApp, Facebook and Amazon.

Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps.

Clubhouse has burst onto the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. However, as of now the app is only available on Apple’s App Store mobile application marketplace – there’s no Android version yet (though plans are in the works to develop one).

Cybercriminals are swooping in on Android users looking to download Clubhouse by creating their own fake Android version of the app. To add legitimacy to the scam, the fake app is delivered from a website purporting to be the real Clubhouse website – which “looks like the real deal,” said Lukas Stefanko, researcher with ESET.

“To be frank, it is a well-executed copy of the legitimate Clubhouse website,” said Stefanko on Friday. “However, once the user clicks on ‘Get it on Google Play’, the app will be automatically downloaded onto the user’s device. By contrast, legitimate websites would always redirect the user to Google Play, rather than directly download an Android Package Kit, or APK for short.”

It’s not known how this website is discovered by potential victims, but Stefanko told Threatpost the website is most likely spread via social media or third-party websites like forums. The fraudulent website (joinclubhouse[.]mobi) looks identical to the real Clubhouse website (joinclubhouse.com) – both tell users that they can join with an invite from an existing user, with a call to action: “Sign up to see if you have friends on Clubhouse who can let you in.” While the real website points users to download the app from the App Store, the fake site tells users to get the app on Google Play.

However, upon closer inspection the fake website has red flags tipping off potential victims that something is off – such as the connection being HTTP rather than HTTPS, and the fact that the site uses the .mobi top-level domain (rather than the .com used by the legitimate domain).

The Android Malware: BlackRock
If the victim should click on the button that purports to download the app, a trojan called BlackRock is installed on their system. This malware, discovered in July, is a variant of the LokiBot trojan that attacks not just financial and banking apps, but also a massive list of well-known and commonly used brand-name apps on Android devices.

[Image: The fake Clubhouse website. Credit: ESET]

“The trojan – nicknamed “BlackRock” by ThreatFabric and detected by ESET products as Android/TrojanDropper.Agent.HLR – can steal victims’ login data for no fewer than 458 online services,” said researchers.

The targeted list of app credentials includes well-known financial and shopping apps, cryptocurrency exchanges and social media and messaging apps – including Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA and Lloyds Bank.

The trojan swipes credentials using an overlay attack – which is a common type of attack for malicious Android apps. In this type of attack, the malware will create a data-stealing overlay of the application that the victim is navigating to, and request the user to log in. However, while the victim believes he is logging in, he is unwittingly handing over his credentials to the cybercriminals.

In a commonly used tactic by Android malware, the malicious app also asks the victim to enable accessibility services on the phone in order to grant itself permissions on the phone without the victim’s knowledge (Android says that accessibility services are typically used to assist users with disabilities in using Android devices and apps). These permissions give the malware access to contacts, camera, SMS messages and more. This ability to intercept SMS messages is also handy for threat actors looking to get around SMS-based two-factor authentication (2FA) protections set up by the apps on the victims’ phone (if an app sends a 2FA code, for instance, attackers can pick it up by viewing the text messages).

[Image: The malware’s installation prompt. Credit: ESET]

The biggest clue that this app is malicious is that its name is “Install” rather than “Clubhouse,” Stefanko said.

“While this demonstrates that the malware creator was probably too lazy to disguise the downloaded app properly, it could also mean that we may discover even more sophisticated copycats in the future,” he said.

Even as its popularity grows, Clubhouse has come under fire for various privacy issues, such as the fact that conversations via the app are recorded. France’s privacy watchdog also recently opened an investigation into the app over how it protects the privacy of European users’ data.

While this malicious app is in no way affiliated with the legitimate Clubhouse app itself, researchers warn that more sham Clubhouse apps will appear in the future – particularly while the demand for a yet-to-be rolled out Android version continues.

Android users can protect themselves by always sticking to official mobile app marketplaces to download apps to their devices, staying wary of the permissions they grant to applications and keeping their devices up to date (via patching and otherwise).


Expert found a 1-Click RCE in the TikTok App for Android
19.3.2021
Android  Securityaffairs

Egyptian security researcher Sayed Abdelhafiz discovered multiple bugs in TikTok Android Application that can be chained to achieve Remote code execution.
Egyptian security researcher Sayed Abdelhafiz discovered multiple vulnerabilities in the TikTok Android Application that can be chained to achieve Remote code execution.

“While testing TikTok for Android Application, I identified multiple bugs that can be chained to achieve Remote code execution that can be triaged through multiple dangerous attack vectors.” Abdelhafiz wrote.

The list of vulnerabilities discovered by the expert is:

Universal XSS on TikTok WebView
Another XSS on AddWikiActivity
Start Arbitrary Components
Zip Slip in TmaTestActivity
RCE!
The researcher provided technical details for each of the above vulnerabilities and finally explained how to chain them to achieve remote code execution.

The expert created a zip file whose entry filename contained a path traversal sequence, so that extracting it overwrote the libjsc.so file:

/data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so

He then overwrote the native library with a malicious library crafted to execute his code. The expert initially noticed that the code would only be executed at the next restart of the application, so he looked for a way to reload the library without relaunching the app. This was possible by launching the Activity:

com.tt.miniapphost.placeholder.MiniappTabActivity0
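The Zip Slip step above works because the extraction code trusts the entry name inside the archive. The following is an added example, not TikTok's code or the researcher's PoC, of how an Android (or any Java) component that unpacks a downloaded archive should canonicalise every target path and refuse entries that resolve outside the destination directory. The archive built in main() is constructed for the demonstration; the traversal entry name only imitates the shape of the problem and does not target any real path.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Zip extraction that rejects entries escaping the destination directory (Zip Slip). */
public final class SafeUnzip {

    /** Resolves an entry name under destDir, throwing if the canonical result leaves destDir. */
    static File resolveEntry(File destDir, String entryName) throws IOException {
        String destCanon = destDir.getCanonicalPath();
        File target = new File(destDir, entryName);
        String targetCanon = target.getCanonicalPath();
        // Compare canonical paths so "..", symlinks and mixed separators cannot fool the check.
        if (!targetCanon.equals(destCanon) && !targetCanon.startsWith(destCanon + File.separator)) {
            throw new IOException("Zip Slip: entry escapes destination: " + entryName);
        }
        return target;
    }

    /** Extracts the archive into destDir and returns the files written. */
    public static List<File> extract(InputStream zipStream, File destDir) throws IOException {
        List<File> written = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                File target = resolveEntry(destDir, entry.getName()); // validate before any write
                if (entry.isDirectory()) {
                    target.mkdirs();
                    continue;
                }
                File parent = target.getParentFile();
                if (parent != null) parent.mkdirs();
                try (OutputStream out = new FileOutputStream(target)) {
                    int n;
                    while ((n = zin.read(buf)) > 0) out.write(buf, 0, n);
                }
                written.add(target);
            }
        }
        return written;
    }

    /** Stand-alone demo with a constructed archive: one benign entry and one traversal entry. */
    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("assets/readme.txt"));
            zout.write("benign".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../lib/libexample.so")); // constructed traversal entry
            zout.write("not a real library".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        File dest = Files.createTempDirectory("safe-unzip-demo").toFile();
        try {
            extract(new ByteArrayInputStream(bos.toByteArray()), dest);
            System.out.println("archive extracted without complaint");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because ZipInputStream is a one-pass stream, entries before the offending one have already been written when the exception fires; an app that must be atomic should extract into a fresh temporary directory and only move it into place after the whole archive has been accepted. Overwriting a native library (as in the libjsc.so case) is exactly the outcome the canonical-path check prevents, since the library lives outside the directory the archive is meant to populate.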

The expert also published a final PoC for the RCE and reported the issues to the TikTok security team, which quickly addressed them. Below is the list of actions taken by TikTok:

The vulnerable XSS code has been addressed;
TmaTestActivity has been deleted;
The security team implemented restrictions on the intent scheme so that an intent targeting the TikTok application is not allowed from AddWikiActivity and the main WebViewActivity.


Google Play Harbors Malware-Laced Apps Delivering Spy Trojans

10.3.2021 Android  Threatpost

A never-before-seen malware-dropper, Clast82, fetches the AlienBot and MRAT malware in a savvy Google Play campaign aimed at Android users.

A malware dropper that paves the way for attackers to remotely steal data from Android phones has been spreading via nine malicious apps on the official Google Play store, according to researchers.

The malware is part of a campaign aimed at lifting victims’ financial information, but which also allows eventual takeover of mobile phones, according to Check Point Research.

The dropper, dubbed Clast82, was disguised in benign apps, which don’t fetch a malicious payload until they have been vetted and cleared by Google Play Protect. Google Play Protect is the store’s evaluation mechanism, meant to weed out apps with ill intent and malicious functions.

“During the Clast82 evaluation period on Google Play, the configuration sent from the [Google] Firebase [command-and-control server] contains an ‘enable’ parameter,” according to Check Point’s research, released on Tuesday. “Based on the parameter’s value, the malware will decide to trigger the malicious behavior or not. This parameter is set to ‘false’ and will only change to ‘true’ after Google has published the Clast82 malware on Google Play.”

Once ensconced in the App Store, Clast82 fetches the AlienBot banking trojan, or in some cases MRAT, the investigation found.

Info-stealers AlienBot and MRAT
AlienBot is available in a malware-as-a-service (MaaS) model, and it allows a remote attacker to inject malicious code into legitimate financial applications, Check Point noted.

The Cake VPN app lurking in Google Play. Source: Check Point.

“The attacker obtains access to victims’ accounts, and eventually completely controls their device,” according to the firm’s analysis. “Upon taking control of a device, the attacker has the ability to control certain functions, just as if they were holding the device physically, like installing a new application on the device, or even control it with TeamViewer.”

MRAT meanwhile has been around since at least 2014, when it was used against Hong Kong protestors. It was created for reconnaissance and information-gathering, and sports all of the typical spyware features, plus detection evasion, specific checks for antivirus, app and file deletion functionality, and more.

The payloads were both hosted in GitHub. AlienBot was by far the most common to be delivered to victims.

“In the case of Clast82, we were able to identify over 100 unique payloads of the AlienBot, an Android MaaS banker targeting financial applications and attempting to steal the credentials and [two-factor authentication] 2FA codes for those applications,” researchers noted.

GitHub Projects Tied to Malicious Android Apps
Check Point’s analysis found that for each application, the actor created a new developer user for the Google Play store, along with a corresponding code repository in GitHub.

“The actor used legitimate and known open-sourced Android applications, which the actor added the malicious code into in order to provide functionality to the malicious dropper, along with the reason for the victim to download and install it from the official Google Play store,” the researchers explained.

For instance, the malicious Cake VPN application is based on a legitimate GitHub repository.

Across all of the fake developer accounts on Google Play, there was a single email address listed for contact information: sbarkas77590ATgmail.com. Also, each application’s write-up used the same Policy page, which in turn linked to the same GitHub repository. Clearly, all of the apps were the work of a single author.

Clast82 Malware Infection Flow
Typically, one activity in any given Android app is specified as the “main” activity (MainActivity.java), which is presented to the user when the app is launched. In this case, when a user launches a Clast82 app, MainActivity starts a foreground service to perform the malicious dropping task, Check Point found.

This service is straightforwardly called “LoaderService.”

“Once a user downloads one of the fake apps and launches it, it starts a service from MainActivity that starts a dropping flow called LoaderService,” researchers explained. “The foreground service registers a listener for the Firebase real-time database, from which it receives the payload path from GitHub.”

Android developer rules specify that when an application creates a foreground service like this, it must show an ongoing notification to the user about what the app is doing.

The neutral alert prompting users to start the malware execution flow. Source: Check Point

“Clast82 bypassed this by showing a ‘neutral’ notification,” according to Check Point. “In the case of…the Cake VPN app, the notification shown is ‘GooglePlayServices’ with no additional text.”

Meanwhile the app waits for a command from the Firebase C2. Once it’s told to start the “loadAndInstallApp” function, this downloads the payload from GitHub. Then, it calls the “installApp” method to finalize the malicious activity.

If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be “Google Play Services.” These fake requests will pop up every five seconds.

Infected Clast82 Applications for Android
After Check Point Research reported its findings to the Android Security team, Google confirmed that all Clast82 apps were removed from the Google Play Store. However, victims with the apps already installed remain at risk. The affected apps are as follows:

BeatPlayer
Cake VPN
Two versions of eVPN
Music Player
Pacific VPN
QR/Barcode Scanner MAX
QRecorder
tooltipnattorlibrary


9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware
10.3.2021
Android  Thehackernews

Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second-stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices.

"This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT," Check Point researchers Aviran Hazum, Bohdan Melnykov, and Israel Wernik said in a write-up published today.

The apps that were used for the campaign include Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder. After the findings were reported to Google on January 28, the rogue apps were removed from the Play Store on February 9.

Malware authors have resorted to a variety of methods to bypass app store vetting mechanisms. Whether it be using encryption to hide strings from analysis engines, creating rogue versions of legitimate apps, or crafting fake reviews to lure users into downloading the apps, fraudsters have hit back at Google's attempts to secure the platform by constantly developing new techniques to slip through the net.

Equally popular are other methods like versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then sneakily adding unwanted code at a later stage via app updates, and incorporating time-based delays to trigger the malicious functionality in an attempt to evade detection by Google.

Clast82 is no different in that it utilizes Firebase as a platform for command-and-control (C2) communication and makes use of GitHub to download the malicious payloads, in addition to leveraging legitimate and known open-source Android applications to insert the Dropper functionality.

"For each application, the actor created a new developer user for the Google Play store, along with a repository on the actor's GitHub account, thus allowing the actor to distribute different payloads to devices that were infected by each malicious application," the researchers noted.

For instance, the malicious Cake VPN app was found to be based on an open-sourced version of its namesake created by a Dhaka-based developer by the name of Syed Ashraf Ullah. But once the app is launched, it takes advantage of the Firebase real-time database to retrieve the payload path from GitHub, which is then installed on the target device.

In the event the option to install apps from unknown sources has been turned off, Clast82 repeatedly urges the user every five seconds with a fake "Google Play Services" prompt to enable the permission, ultimately using it to install AlienBot, an Android banking MaaS (malware-as-a-service) capable of stealing credentials and two-factor authentication codes from financial apps.

Last month, a popular barcode scanner app with over 10 million installations turned rogue with a single update after its ownership changed hands. In a similar development, a Chrome extension by the name of The Great Suspender was deactivated following reports that the add-on stealthily added features that could be exploited to execute arbitrary code from a remote server.

"The hacker behind Clast82 was able to bypass Google Play's protections using a creative, but concerning, methodology," Hazum said. "With a simple manipulation of readily available 3rd party resources — like a GitHub account, or a FireBase account — the hacker was able to leverage readily available resources to bypass Google Play Store's protections. The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous trojan coming straight for their financial accounts."


Google Patches Critical Remote Code Execution Vulnerability in Android
3.3.2021
Android  Securityweek

Google this week announced the release of patches for 37 vulnerabilities as part of the Android security updates for March 2021, including a fix for a critical flaw in the System component.

Tracked as CVE-2021-0397 and affecting Android 8.1, 9, 10, and 11 releases, the security issue could allow an attacker to execute code remotely on a vulnerable device.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” Google explains.

The bug was addressed as part of the 2021-03-01 security patch level, which also brings patches for nine other issues, including six more in the System component, one affecting Android runtime, and two impacting Framework.

All of these flaws were rated high severity, with their exploitation leading to remote code execution (three bugs), elevation of privilege (five issues), and information disclosure (one vulnerability).

A total of 27 other security holes were addressed as part of the 2021-03-05 security patch level, including one in Kernel components, four in Qualcomm components, and 22 in Qualcomm closed-source components.

The issues were rated high severity, except for five bugs in the Qualcomm closed-source components, which feature a severity rating of critical.

Google’s March 2021 Android Security Bulletin also makes reference to a vulnerability included in Project Mainline components, namely CVE-2021-0390, which affects Wi-Fi.

This week, Google also announced the release of security patches for 43 vulnerabilities affecting Pixel devices. The bugs impact Framework (6), Media framework (5), System (11), Kernel components (19), Qualcomm components (1), and Qualcomm closed-source components (1).

The issues could lead to elevation of privilege, information disclosure, and denial of service. Eight of the bugs were rated high severity, with the remaining 35 considered moderate risk.

Pixel devices running a security patch level of 2021-03-05 or later have fixes for all bugs included in the March 2021 Android Security Bulletin and Pixel Update Bulletin.


Unpatched Android App with 1 Billion Downloads Threatens Spying, Malware
17.2.2021
Android  Threatpost

Attackers can exploit SHAREit permissions to execute malicious code through vulnerabilities that remain unpatched three months after app makers were informed.

An Android app that’s been downloaded more than 1 billion times is riddled with flaws that can let attackers hijack app features or overwrite existing files to execute malicious code, or launch man-in-the-disk (MiTD) attacks on people’s devices, researchers discovered.

The flaws exist in an app called SHAREit, which allows Android app users to share files between friends or devices. They were identified and reported to the app maker three months ago by researchers at Trend Micro. However, the flaws remain unpatched, according to a report posted online Monday. Softonic, a company based in Barcelona, Spain, is the app’s developer and distributor.

“We decided to disclose our research three months after reporting this since many users might be affected by this attack, because the attacker can steal sensitive data and do anything with the apps’ permission,” Echo Duan, a mobile threats analyst for Trend Micro, wrote in the report. “It is also not easily detectable.”

Trend Micro also notified Google of the app’s issues, which lie in several flaws in its code that too easily give third parties permissions to take over legitimate app features, overwrite existing app files or even take over Android storage shared by multiple apps to execute malicious code, he said.

SHAREit’s Bevy of Security Bugs
“We delved into the app’s code and found that it declares the broadcast receiver as ‘com.lenovo.anyshare.app.DefaultReceiver,’” Duan explained in the post. “It receives the action ‘com.ushareit.package.action.install_completed’ and an Extra Intent, then calls the startActivity() function.”

Researchers built a simple proof of concept (PoC) and found that “any app can invoke this broadcast component,” he said. “This shows arbitrary activities, including SHAREit’s internal (non-public) and external app activities.”

Moreover, third-parties also can gain temporary read/write access to the content provider’s data through a flaw in its FileProvider, Duan wrote. “Even worse, the developer specified a wide storage area root path,” he wrote. “In this case, all files in the /data/data/<package> folder can be freely accessed.”

In Trend Micro’s PoC, researchers included code that reads WebView cookies, which was used to write any files in the SHAREit app’s data folder. “In other words, it can be used to overwrite existing files in the SHAREit app,” Duan said of the attack.

In this way, malicious apps installed on a device running SHAREit can take over the app to run custom code or install third-party apps without the user knowing, researchers found.
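The receiver behaviour quoted above is the intent-redirection pattern: an exported component takes an Intent out of an extra and passes it to startActivity() under the app's own identity, which lets any app on the device reach non-exported activities. The block below is an added illustration and is not SHAREit's code; the action string, extra key, class names and allow-list are constructed for the example (SHAREit's real receiver and action names are the ones quoted in the article). It shows the vulnerable shape beside a hardened receiver that only forwards explicit, allow-listed targets inside its own package and strips URI grant flags.

```java
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Constructed example of an intent-redirection receiver and its hardened counterpart. */
public final class InstallCompletedReceivers {

    // Constructed identifiers for the example; not SHAREit's real action or extra names.
    static final String ACTION_INSTALL_COMPLETED = "com.example.action.INSTALL_COMPLETED";
    static final String EXTRA_NEXT_INTENT = "next_intent";

    /** VULNERABLE: forwards whatever Intent a caller supplies, with this app's identity. */
    public static final class Vulnerable extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!ACTION_INSTALL_COMPLETED.equals(intent.getAction())) return;
            Intent next = intent.getParcelableExtra(EXTRA_NEXT_INTENT);
            if (next == null) return;
            next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(next); // any app can reach this app's non-exported activities
        }
    }

    /** HARDENED: explicit target, own package, allow-listed class, no URI grants. */
    public static final class Hardened extends BroadcastReceiver {
        // Constructed allow-list of screens a completion broadcast is permitted to open.
        static final Set<String> ALLOWED_ACTIVITIES = new HashSet<>(Arrays.asList(
                "com.example.ui.InstallResultActivity",
                "com.example.ui.MainActivity"));

        @Override
        public void onReceive(Context context, Intent intent) {
            if (!ACTION_INSTALL_COMPLETED.equals(intent.getAction())) return;
            Intent next = intent.getParcelableExtra(EXTRA_NEXT_INTENT);
            if (next == null || !isAllowedTarget(context, next)) return;
            // A caller must not be able to borrow this app's content-provider access.
            next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
            next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(next);
        }

        /** True only for an explicit intent naming an allow-listed activity in this package. */
        static boolean isAllowedTarget(Context ctx, Intent next) {
            ComponentName explicit = next.getComponent();
            if (explicit == null) return false;                                  // no implicit intents
            if (!ctx.getPackageName().equals(explicit.getPackageName())) return false;
            if (!ALLOWED_ACTIVITIES.contains(explicit.getClassName())) return false;
            PackageManager pm = ctx.getPackageManager();
            return next.resolveActivity(pm) != null;                             // target must exist
        }
    }
}
```

The code-level allow-list is the second line of defence; the first is the manifest, where a receiver that only needs to hear the app's own broadcasts should be declared with android:exported="false" (mandatory to state explicitly from Android 12), and the sender should use Intent.setPackage() so the broadcast cannot be observed or spoofed by other apps.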

Man-in-the-Disk Mobile Threat
SHAREit also is susceptible to an MiTD attack, a variation on a man-in-the-middle attack identified by Check Point in 2018 that arises from the way the Android OS uses two types of storage—internal and external, the latter of which uses a removable SD card and is shared across the OS and all apps.

This type of attack allows someone to intercept and potentially alter data as it moves between Android external storage and an installed app, and is possible using SHAREit “because when a user downloads the app in the download center, it goes to the directory,” Duan wrote. “The folder is an external directory, which means any app can access it with SDcard write permission.”

Researchers illustrated this in their PoC by manually replacing Twitter.apk with a fake file of the same name. As a result, a pop-up for the fake Twitter app appeared on the main screen of the SHAREit app, Duan wrote. Reopening SHAREit caused the fake Twitter app to appear on the screen again, prompting the user to install it, an action that succeeds, according to the post.
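The man-in-the-disk swap above succeeds because the downloaded package sits in shared external storage and is trusted as-is when SHAREit reopens. As an added example (not the app's code), the block below shows the two mitigations a defender would want: keep downloads in app-private storage (context.getFilesDir() on Android; a temporary directory here so the file runs on a workstation) and verify the file's SHA-256 against a digest obtained over a trusted channel before offering it for installation. The file contents and the simulated swap are constructed; the digest comparison uses MessageDigest.isEqual so it runs in constant time.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Integrity check for a downloaded package kept in app-private storage (constructed example). */
public final class VerifiedDownload {

    /** Streams the file through SHA-256 and returns the lowercase hex digest. */
    static String sha256Hex(File f) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[8192];
        try (InputStream in = new FileInputStream(f)) {
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** True only if the bytes on disk still match the digest advertised by the server. */
    static boolean isIntact(File downloaded, String expectedSha256Hex)
            throws IOException, NoSuchAlgorithmException {
        byte[] actual = sha256Hex(downloaded).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedSha256Hex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected); // constant-time comparison
    }

    /** Demo: a download lands in private storage, is verified, then is swapped and re-verified. */
    public static void main(String[] args) throws Exception {
        // Stand-in for context.getFilesDir(): other apps cannot write here, unlike the SD card.
        File privateDir = Files.createTempDirectory("app-private").toFile();
        File apk = new File(privateDir, "Twitter.apk");
        Files.write(apk.toPath(), "constructed package bytes".getBytes(StandardCharsets.UTF_8));

        // The digest would be fetched with the download metadata over HTTPS; computed here for the demo.
        String advertised = sha256Hex(apk);
        System.out.println("before tampering, intact = " + isIntact(apk, advertised));

        // Simulated man-in-the-disk swap of the file by another app.
        Files.write(apk.toPath(), "swapped by another app".getBytes(StandardCharsets.UTF_8));
        System.out.println("after tampering, intact = " + isIntact(apk, advertised));
    }
}
```

The digest only helps if it arrives over a channel an on-device attacker cannot rewrite, so it belongs in the same TLS-protected response as the download link rather than beside the file on disk. Storing the package privately removes the swap opportunity in the first place; the hash check then catches the remaining case where the download itself was tampered with in transit.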

Softonic had not yet responded to an email from Threatpost seeking comment about Trend Micro’s discoveries, which are not the first serious flaws found in SHAREit. Two years ago, researchers discovered two high-severity flaws in the app that allowed an attacker to bypass the file transfer application’s device authentication mechanism and ultimately download content and arbitrary files from the victim’s device.

Duan recommended that people regularly update and patch mobile operating systems and the apps themselves to maintain security on their devices, as well as “keep themselves informed by reading reviews and articles about the apps they download.”


Unpatched ShareIT Android App Flaw Could Let Hackers Inject Malware
17.2.2021
Android  Thehackernews
Multiple unpatched vulnerabilities have been discovered in SHAREit, a popular app with over one billion downloads, that could be abused to leak a user's sensitive data, execute arbitrary code, and possibly lead to remote code execution.

The findings come from cybersecurity firm Trend Micro's analysis of the Android version of the app, which allows users to share or transfer files between devices.

But in a worrisome twist, the flaws are yet to be patched by Smart Media4U Technology Pte. Ltd., the Singapore-based developer of the app, despite responsible disclosure three months ago.

"We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps' permission," Trend Micro researcher Echo Duan said in a write-up. "It is also not easily detectable."

One of the flaws arises from the manner the app facilitates sharing of files (via Android's FileProvider), potentially allowing any third-party to gain temporary read/write access permissions and exploit them to overwrite existing files in the app's data folder.

Separately, the use of deep links to launch specific features in the app — including downloading split APK (SAPK) files from a URL that has the scheme of HTTP/HTTPS and domain host that matches *.wshareit.com or gshare.cdn.shareitgames.com — can be leveraged to install a malicious app, resulting in a possible remote code execution when a user clicks on a URL.

"When the user clicks this download URL, Chrome will call SHAREit to download the SAPK from https://gshare.cdn.shareitgames.com," Duan explained. "Since it supports the HTTP protocol, this SAPK can be replaced by simulating a man-in-the-middle (MitM) attack."

Lastly, the app is also susceptible to what's called a man-in-the-disk (MitD) attack, which arises when careless use of "external storage" permissions opens the door to the installation of fraudulent apps and even causes a denial of service condition.

SHAREit has courted its fair share of security shortcomings in the past. In February 2019, two vulnerabilities were detected in the app that could allow attackers to bypass authentication, download arbitrary files, and pilfer files from Android devices.

A pop-up from the fake Twitter app created to test the vulnerability
Then on June 29, 2020, the Indian government banned SHAREit along with 58 other Chinese apps over concerns that these apps were engaging in activities that threatened "national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India."

We have reached out to the developers of SHAREit, and we will update the story if we hear back.


Military, Nuclear Entities Under Target By Novel Android Malware

11.2.2021  Android  Threatpost

The two malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.

Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.

The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other types of sensitive information.

Researchers first saw Hornbill as early as May 2018, with newer samples of the malware emerging in December 2020. They said the first SunBird sample dates back to 2017 and was last seen active in December 2019.

“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”

Malware Attack Targeting Military, Nuclear, Election Entities
The malware strains were seen in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).

“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for Sunbird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.”

For instance, attackers targeted an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force, as well as officers responsible for electoral rolls located in the Pulwama district of Kashmir.

sunbird malware
Sunbird samples hosted on third-party app stores. Credit: Lookout

In regards to the initial attack vectors for the malware samples, researchers pointed to samples of SunBird found hosted on third-party app stores, providing a clue for one possible distribution mechanism. However, researchers have not yet found SunBird on the official Google Play marketplace.

SunBird has been disguised as applications such as security services (including a fictional “Google Security Framework”), apps tied to specific locations (like “Kashmir News”) or activities (including “Falconry Connect” or “Mania Soccer”). Researchers said the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill applications impersonate various chat (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.

“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”

Malware Cybersecurity Surveillance Capabilities
Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes.

Credit: Lookout

In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio and scrape WhatsApp message and contacts and WhatsApp notifications (via the Android accessibility service feature).

SunBird has a more extensive set of malicious functionalities than Hornbill, with the ability to upload all data at regular intervals to its C2 servers. For instance, SunBird can also collect a list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp Audio files, documents, databases and images and more. And, it can run arbitrary commands as root or download attacker-specified content from FTP shares.

“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.”

Researchers named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh in India, where they believe the developers of Hornbill are located. SunBird’s name, meanwhile, stemmed from the malicious services within the malware called “SunService” – and the sunbird is also native to India, they said.

State-Sponsored APT Behind The Cyberattack
The malware families have been linked “with high confidence” to the APT Confucius. This APT has been on the cybercrime scene since 2013 as a state-sponsored, pro-India actor. The APT has previously targeted victims in Pakistan and South Asia.

“We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes,” said Kumar and Del Rosso.


Experts spotted two Android spyware used by Indian APT Confucius
11.2.2021 
Android  Securityaffairs

Lookout researchers provided details about two Android spyware families employed by an APT group tracked as Confucius.
Researchers at mobile security firm Lookout have provided details about two recently discovered Android spyware families, dubbed Hornbill and SunBird, used by an APT group named Confucius.

Confucius is a pro-India APT group that has been active since 2013 and has mainly focused on Pakistani and other South Asian targets. Since 2018, the group has also targeted mobile users with the Android surveillance malware ChatSpy.

The two malware were used to spy on personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir.

“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device.” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”

Both malware families can exfiltrate a wide range of data, including call logs, contacts, device metadata (i.e. phone number, IMEI/Android ID, model and manufacturer, and Android version), geolocation, images stored on external storage and, if installed, WhatsApp voice notes.
The two malware families also perform multiple malicious activities, such as:

Request device administrator privileges
Take screenshots, capturing whatever a victim is currently viewing on their device
Take photos with the device camera
Record environment and call audio
Scrape WhatsApp messages and contacts via accessibility services
Scrape WhatsApp notifications via accessibility services
SunBird is more advanced than Hornbill: it stores gathered data in SQLite databases at regular intervals before uploading it to C2 servers in the form of compressed ZIP files.
The malware can also download content from FTP shares and run arbitrary commands as root.

Hornbill only targets a limited set of data; it uploads data when it initially runs and afterwards only when changes are observed.
The malware monitors the use of certain resources on the infected device, gathers hardware information, logs location data, and monitors external storage for “.doc”, “.pdf”, “.ppt”, “.docx”, “.xlsx”, and “.txt” documents.

Experts pointed out that the operators behind the Hornbill malware are extremely interested in a user’s WhatsApp communications; the malware also records WhatsApp calls, detecting an active call by abusing Android’s accessibility services.

“We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes.” concludes the report.


Newly Discovered Android Spyware Linked to State-Sponsored Indian Hackers
11.2.2021 
Android  Securityweek

Researchers at mobile security firm Lookout have published information on two recently discovered Android spyware families employed by an advanced persistent threat (APT) group named Confucius.

Active since 2013, this pro-India threat actor has been mainly focused on Pakistani and other South Asian targets, primarily with the help of desktop malware. For the past several years, however, it also switched to mobile malware, with the first Android surveillanceware ChatSpy being observed in 2018.

In a new report, Lookout revealed that the threat actor might have started using Android spyware in 2017, with SunBird, which has been masquerading as applications mostly targeting Muslim individuals.

Supposedly developed between 2016 and 2019, SunBird features remote access Trojan (RAT) capabilities, allowing attackers to execute commands on the infected devices. Hornbill, on the other hand, which has been around since May 2018 (and continues to be active), is a discreet surveillance tool meant to steal data.

Both malware families can target a broad range of data for exfiltration, including call logs, contacts, device metadata (such as phone numbers, IMEI/Android IDs, device model, manufacturer), Android version, geolocation, images from external storage, and WhatsApp voice notes.

On the infected devices, both request device administrator privileges, capture screenshots, take photos with the device camera, record audio and calls, and scrape WhatsApp messages, contacts, and notifications, via accessibility services.

Additionally, SunBird can exfiltrate a list of installed applications, browser history, calendar information, BlackBerry Messenger (BBM) audio files, documents and images, WhatsApp audio files, documents, databases, voice notes and images, and IMO (instant messaging application) content.

Furthermore, the malware can download content from FTP shares and run arbitrary commands, and attempts to upload all data to the attackers’ command and control (C&C) servers at regular intervals.

Hornbill uploads data at initial execution and then only uploads changes to that data, when they occur. The malware closely monitors the use of resources on the infected device, collects hardware information, and logs location data if the location changes by approximately 70 meters, and monitors external storage for ".doc", ".pdf", ".ppt", ".docx", ".xlsx", and ".txt" documents.

“The operators behind Hornbill are extremely interested in a user’s WhatsApp communications. In addition to exfiltrating message content and sender information of messages, Hornbill records WhatsApp calls by detecting an active call by abusing Android’s accessibility services,” Lookout explains.

Notable SunBird targets include an individual who applied for a position at the Pakistan Atomic Energy Commission, people with contacts in the Pakistan Air Force (PAF), and Booth Level Officers in the Pulwama district of Kashmir (officers responsible for electoral rolls).

SunBird is likely the work of the Indian developers who also built the BuzzOut commercial spyware. Based on victimology, which includes Pakistani nationals traveling to the UAE and India, the malware clearly has roots in stalkerware, Lookout says.

Hornbill’s code, the researchers say, appears derived from the commercial surveillanceware MobileSpy, but it is unclear how the code base was acquired. Retina-X Studios, the company behind MobileSpy, shut down in May 2018, after two successful hack attempts.

Lookout identified a total of 156 victims from India, Pakistan, and Kazakhstan, and was able to link the malware families to the Confucius APT through the use of specific infrastructure and similar tactics for hiding the malware’s intent.


Researchers Uncover Android Spying Campaign Targeting Pakistan Officials
11.2.2021 
Android  Thehackernews

Two new Android surveillanceware families have been found to target military, nuclear, and election entities in Pakistan and Kashmir as part of a pro-India, state-sponsored hacking campaign.

Dubbed Hornbill and Sunbird, the malware impersonates legitimate or seemingly innocuous services to cover its tracks, only to stealthily collect SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.

The findings published by Lookout are the result of an analysis of 18GB of exfiltrated data that was publicly exposed from at least six insecurely configured command-and-control (C2) servers located in India.

"Some notable targets included an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir," the researchers said in a Wednesday analysis.

In all, the attacks targeted 156 victims with phone numbers from India, Pakistan, and Kazakhstan over the last several years.

Lookout attributed the two tools to an advanced persistent threat (APT) tracked as Confucius, a group known for its attacks on South Asian countries at least since 2013. The cybersecurity firm called Hornbill a "passive reconnaissance tool."

While Hornbill appears to be derived from the same code base as a previously active commercial surveillance product known as MobileSpy, SunBird has been traced to a group of Indian developers behind another mobile tracking software called BuzzOut. Clues uncovered by Lookout also indicate that the operators of Hornbill worked together at various Android and iOS app development companies registered and operating in or near the Indian city of Chandigarh.

Both pieces of spyware are equipped to amass a wide range of data, such as call logs, contacts, system information, location, and photos stored on external storage, and can record audio and video and capture screenshots, with a particular focus on plundering WhatsApp messages and voice notes by abusing Android's accessibility APIs.

SunBird also differs from Hornbill in that the former features remote access Trojan (RAT) functionality, allowing the attackers to execute arbitrary commands on the target device. In addition, it's capable of exfiltrating browser histories, calendar information, and even siphoning content from BlackBerry Messenger and IMO instant messaging apps.

"Samples of SunBird have been found hosted on third-party app stores, indicating one possible distribution mechanism," the researchers detailed. "Considering many of these malware samples are trojanized – as in they contain complete user functionality — social engineering may also play a part in convincing targets to install the malware."

Lookout identified Hornbill samples as recently as December 2020, indicating active use of the malware since its discovery in 2018. Sunbird, on the other hand, appears to have been actively deployed in 2018 and 2019, before the threat actor shifted to another Android-based spyware product called ChatSpy last year.

Interestingly, the C2 infrastructure shared by Hornbill and SunBird reveals further connections with other stalkerware operations conducted by the Confucius group — including a publicly-accessible 2018 Pakistani government advisory warning of a desktop malware campaign targeting officers and government personnel — implying that the two tools are used by the same actor for different surveillance purposes.

Although India has been a relatively new entrant in the spyware and surveillance sector, Citizen Lab researchers last June outed a mercenary hack-for-hire group based in Delhi called BellTroX InfoTech that aimed to steal credentials from journalists, advocacy groups, investment firms, and an array of other high-profile targets.


Google Play Boots Barcode Scanner App After Ad Explosion

10.2.2021  Android  Threatpost

A barcode scanner with 10 million downloads is removed from Google Play marketplace after ad blitz hits phones.

A barcode scanner app with over 10 million downloads was booted from the Google Play marketplace after users began to complain of mobile-ad overload. The makers of the app, called Barcode Scanner, intentionally altered the app's code via an update, turning it from a benign app into adware, according to researchers.

The rogue update to the app occurred in early December, according to researchers. That’s when the app, published by Lavabird, began to violate Google Play’s terms of service by surreptitiously delivering ads without consent.

Tipped off by a user, researchers at Malwarebytes found that the publisher had added new, heavily obfuscated code to the app that launched the default mobile web browser to serve up ads, whether the barcode app was active or not.

According to a report published Tuesday, the user who reported the issue had installed the Barcode Scanner app years earlier.

“Then all of sudden, after an update in December, Barcode Scanner had gone from an innocent scanner to full on malware!” the report written by Nathan Collier, a senior malware intelligence analyst with Malwarebytes said. “Although Google has already pulled this app, we predict from a cached Google Play webpage that the update occurred on Dec. 4, 2020.”

The most obvious explanation for the errant ads would be faulty SDK code, which is commonly used in free, third-party apps to generate revenue. The report makes clear, however, that an SDK was not the culprit in this instance.

Barcode Scanner Breach, From Adware to Trojan

“No, in the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app,” the report said. “Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions.”

This alerted the team that they were looking at more than just everyday adware.

“Because of its malign intent, we jumped past our original detection category of Adware straight to Trojan, with the detection of Android/Trojan.HiddenAds.AdQR.”

End users need to be aware that even trusted apps which have been reliable for years can be turned into malware, experts warn.

“When an application is installed, it typically asks the user for a list of permissions (e.g. access to files, SMS / call history), which are often approved without much cause for concern,” Or Sahar, an application security researcher with Checkmarx explained. “Given this, a malicious developer can upload to Google Play an un-harmful application, get rated, and later exploit the permissions without raising any obvious red flags.”

How Barcode Scanner Malware Made Money

Almost overnight, an app publisher thus has a way to exploit those permissions for revenue.

“For example, if the Barcode Scanner app has permission to open a new Google Chrome pop-up,” Sahar said. “With this, a developer could potentially exploit the permission to show the desired ad, whether appropriate or not, in Chrome to increase exposure and clicks. Although the Barcode Scanner app was relatively ‘okay’ for a few years – showing ads according to Google’s policy – it could have gone down a bad path fueled by greed to earn more money.”

John Bohls, CEO of Inkscreen, advises users to be suspicious of any apps offered for free.

“Building and maintaining apps is costly and time-consuming, even for relatively simple apps like a barcode scanner,” Bohls said. “I would be suspicious of any free app that does not have a clear monetization strategy such as advertisements, premium subscriptions, or tie-in to some other legitimate revenue model.”

For the millions of users still infected with the Barcode Scanner trojan, Malwarebytes recommends installing a malware scanner or just removing the app altogether.

“It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect,” the Malwarebytes report said. “It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.”


Android Devices Hunted by LodaRAT Windows Malware
10.2.2021 
Android  Threatpost

The LodaRAT – known for targeting Windows devices – has been discovered also targeting Android devices in a new espionage campaign.

A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also hunts down Android devices and spies on victims.

Along with this, an updated version of LodaRAT for Windows has also been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.

The campaign reflects an overarching shift in strategy for LodaRAT’s developers, as the attack appears to be driven by espionage rather than its previous financial goals. While previous versions of LodaRAT contained credential-stealing capabilities that researchers speculated were used for draining victims’ bank accounts, these newer versions come with a full roundup of information-gathering commands.

“The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,” said researchers with Cisco Talos, on Tuesday. “Along with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.”

What is the LodaRAT Malware?
LodaRAT, first discovered in September 2016, is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording from the microphones and webcams of victims’ devices. The name “Loda” is derived from a directory to which the malware author chose to write keylogger logs.

Since its discovery in 2016, the RAT has proliferated, with multiple new versions being spotted in the wild as recently as September. The RAT, which is written in AutoIt, appears to be distributed by multiple cybercrime groups that have been using it to target numerous verticals.

Recent LodaRAT Cyberattack in Bangladesh
Researchers observed a campaign involving LodaRAT that began in October and is still active. The attackers appear to have a specific interest in Bangladesh-based organizations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.

Vitor Ventura, Cisco Talos’ technical lead and senior security researcher, told Threatpost that the initial attack vectors for the campaign involved emails sent to victims with links to malicious applications (involving both the Windows and Android versions) or malicious documents (involving just the Windows version).

“The campaign uncovered targeting Bangladesh used different levels of lures, from typosquatted domains to file names directly linked to products or services of their victims,” said researchers.

For the Windows-targeting maldoc attack, attackers used a malicious RTF document that exploits CVE-2017-11882 (a remote code-execution vulnerability in Microsoft Office) to download LodaRAT once the victim opened the document.

LodaRAT’s New Android Variant
The Android version of the LodaRAT malware, which researchers call “Loda4Android,” is “relatively simple when compared to other Android malware,” said researchers. For instance, the RAT has specifically avoided techniques often used by Android banking trojans, such as leveraging the Accessibility APIs, in order to steal data.

The underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, said researchers – suggesting that the C2 code will be able to handle both versions.

Also, Loda4Android has “all the components of a stalker application” said researchers. The malware collects location data and records audio, and can take photos and screenshots.

“It can record audio calls, but it will only record what the victim says but not what the counterpart says,” said researchers. “The common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it’s not capable of intercepting the SMS or the calls, like it’s usually seen in banker trojans.”

Fresh Windows Loda Version
The new version of the LodaRAT that targets Windows systems is version 1.1.8. While it’s mostly the same as previous versions, new commands have been added that extend its capabilities.

For one, the version comes with new commands that give the threat actor remote access to the target machine via the Remote Desktop Protocol (RDP). The new version can now leverage the BASS audio library to capture audio from a connected microphone. BASS is used in Win32, macOS, Linux and PocketPC software to provide streaming and recording functions for music.

“This new command is an improvement on the previous ‘Sound’ command which used Windows’ built in Sound Recorder,” said researchers. “The reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. The new method allows for any length of recording time specified by the threat actor.”


Android Devices Prone to Botnet’s DDoS Onslaught
5.2.2021 
Android  Threatpost

A new DDoS botnet propagates via the Android Debug Bridge and uses Tor to hide its activity.

Researchers are warning a new botnet is recycling the Mirai malware framework and is now targeting Android devices in order to launch distributed denial-of-service (DDoS) attacks.

The botnet is dubbed Matryosh (after a Matryoshka Russian nesting doll) due to many of its functions being “nested” in layers, researchers said. The botnet propagates through the Android Debug Bridge (ADB) interface. This is a command-line utility that is included in Google’s Android software development kit (SDK). ADB allows developers to communicate with devices remotely, to execute commands and to fully control the device.

Also of note, Matryosh uses the Tor network to cloak its malicious activity and prevent command server takedowns.

“The changes at the network communication level indicates that its authors wanted to implement a mechanism to protect C2,” said researchers with 360 Netlab this week. “Doing this will bring some difficulties to static analysis or simple IOC simulator.”

Android Debug Bridge Used For Botnet Propagation
ADB is completely unauthenticated, but in order to abuse it an attacker would first need the Debug Bridge to be enabled on the device. Many vendors, however, have shipped products with the Android Debug Bridge enabled.

This means that the feature is listening on port 5555 and enables anyone to connect with affected devices over the internet. Researchers did not specify which vendors leave the feature on in their Android devices by default. Android devices can vary from smartphones to televisions.

“This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’ — the administrator mode — and then silently install software and execute malicious functions,” security researcher Kevin Beaumont has previously written about ADB. Beyond Matryosh, many botnets have leveraged this issue – including ADB.Miner.
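
The exposure described above shows up on the wire as the ADB connection handshake arriving on TCP port 5555. As an added example (not code from the Threatpost article or from 360 Netlab's report), the script below parses the 24-byte ADB wire-protocol header and flags the CNXN handshake in captured flows, which is the signal a defender would alert on rather than relying on a bare port match. The flows, addresses and banner strings are constructed samples; the protocol constants (command word, magic check, optional byte-sum checksum) are the documented ADB format.

```python
"""Detect ADB-over-TCP handshakes in captured traffic (added example).

Parses the 24-byte ADB wire-protocol header and flags CNXN handshakes seen
on port 5555. Sample flows below are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ADB_PORT = 5555
# ADB command words are the four ASCII letters read as a little-endian uint32.
CMD_CNXN = struct.unpack("<I", b"CNXN")[0]  # 0x4E584E43
# Header: command, arg0, arg1, data_length, data_check, magic (all uint32 LE).
HEADER = struct.Struct("<IIIIII")


@dataclass
class AdbMessage:
    command: int
    arg0: int
    arg1: int
    payload: bytes


def parse_adb_message(data: bytes) -> Optional[AdbMessage]:
    """Return the ADB message at the start of `data`, or None if it is not one.

    `magic` must equal the bitwise complement of `command`; that invariant is
    what makes this a protocol fingerprint rather than a guess based on the port.
    """
    if len(data) < HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(data)
    if magic != (command ^ 0xFFFFFFFF):
        return None
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    # Older protocol versions set data_check to the byte sum of the payload;
    # newer ones may send 0, so accept either.
    if check not in (0, sum(payload) & 0xFFFFFFFF):
        return None
    return AdbMessage(command, arg0, arg1, payload)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first client-to-server bytes of the TCP stream


def find_exposed_adb(flows: List[Flow]) -> List[str]:
    """Return one alert line per flow carrying an ADB CNXN handshake to port 5555."""
    alerts = []
    for f in flows:
        if f.dport != ADB_PORT:
            continue
        msg = parse_adb_message(f.first_payload)
        if msg is None or msg.command != CMD_CNXN:
            continue
        banner = msg.payload.split(b"\0", 1)[0].decode("ascii", "replace")
        alerts.append(f"{f.src} -> {f.dst}:{f.dport} ADB CNXN from {banner!r}")
    return alerts


def build_cnxn(banner: bytes, legacy_checksum: bool = True) -> bytes:
    """Build a CNXN message as an ADB client would; used only to construct sample traffic."""
    check = sum(banner) & 0xFFFFFFFF if legacy_checksum else 0
    header = HEADER.pack(CMD_CNXN, 0x01000000, 4096, len(banner), check,
                         CMD_CNXN ^ 0xFFFFFFFF)
    return header + banner


# Constructed sample flows (documentation addresses): one real ADB handshake,
# one HTTP probe on the same port, and ADB traffic on an unrelated port.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 5555, build_cnxn(b"host::")),
    Flow("203.0.113.8", "192.0.2.10", 5555, b"GET / HTTP/1.1\r\n\r\n"),
    Flow("203.0.113.9", "192.0.2.11", 8080, build_cnxn(b"host::")),
]

if __name__ == "__main__":
    for line in find_exposed_adb(SAMPLE_FLOWS):
        print(line)
```

Because the check validates the header's magic field and checksum rather than only the port number, it does not fire on unrelated services that happen to listen on 5555, and it catches ADB sessions that a simple port rule would miss if the stream were decoded by a proxy.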

Matryosh: A Mirai Botnet Copycat
Researchers first discovered Matryosh in a suspicious ELF file on Jan. 25. Anti-virus engines labeled the file as Mirai, because Matryosh reuses Mirai’s framework; upon closer inspection, however, researchers found that the file’s network traffic did not match Mirai’s characteristics.

Mirai is an infamous botnet most widely known for its massive DDoS attack against DNS provider Dyn in 2016, which crippled Internet service on the East Coast of the United States and took down several popular services (such as Netflix).

In 2016, Mirai’s alleged author released its source code – making it easier for copycats to launch their own Mirai variants.

New Botnet Features in Matryosh
Researchers noted that Matryosh’s cryptographic design “has some novelty” – but still falls into the Mirai single-byte XOR pattern. This is a downfall for the botnet because it is easily flagged by anti-virus software systems as Mirai, they said.
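
The single-byte XOR scheme mentioned above is also what lets an analyst recover a Mirai-derived bot's configuration without running it. As an added example (not code from the Threatpost article or from 360 Netlab's analysis), the script below brute-forces the key over a Mirai-style table of NUL-terminated strings and ranks candidates by how many well-formed, printable entries they yield. The table contents are constructed for the example; the only real-world constant is that Mirai's original 0xDEADBEEF table key, applied byte-wise, collapses to a single XOR byte of 0x22.

```python
"""Recover single-byte-XOR-obfuscated strings from a Mirai-style table (added example).

The sample table below is constructed, not carved from a real binary.
"""
from typing import List, Tuple

# Mirai's 32-bit table key 0xDEADBEEF is applied byte by byte, which
# collapses to one XOR byte: 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22.
MIRAI_TABLE_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def score_candidate(decoded: bytes) -> Tuple[int, float]:
    """Rank a candidate decoding.

    Mirai-style tables store NUL-terminated entries back to back, so the right
    key yields the most entries that are fully printable and properly
    terminated; the printable ratio of the remaining bytes breaks ties.
    Counting terminated entries matters because some wrong keys (for example
    the true key XOR 0x40) keep every byte printable but destroy the NULs.
    """
    entries = decoded.split(b"\0")[:-1]  # drop the unterminated tail
    good = sum(1 for e in entries if e and printable_ratio(e) == 1.0)
    return good, printable_ratio(decoded.replace(b"\0", b""))


def recover_table(blob: bytes) -> Tuple[int, List[str]]:
    """Brute-force all 256 keys; return the best key and its decoded entries."""
    best_key, best_score = 0, (-1, -1.0)
    for key in range(256):
        score = score_candidate(xor_single(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    decoded = xor_single(blob, best_key)
    entries = [e.decode("ascii", "replace") for e in decoded.split(b"\0")[:-1] if e]
    return best_key, entries


# Constructed sample: the kind of strings such a bot hides (a C2 hostname,
# a proxy URL, a process path, a port, a DNS record type), obfuscated with
# the Mirai key. An analyst would carve this blob from the binary's data section.
PLAIN_ENTRIES = [b"c2.example.invalid", b"socks5h://127.0.0.1:9050",
                 b"/proc/self/exe", b"31337", b"TXT"]
SAMPLE_BLOB = xor_single(b"".join(e + b"\0" for e in PLAIN_ENTRIES), MIRAI_TABLE_KEY)

if __name__ == "__main__":
    key, strings = recover_table(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for s in strings:
        print(" ", s)
```

The same weakness that makes recovery this easy is why such samples keep tripping Mirai signatures: a one-byte key leaves the structure of the table intact, so both an analyst and a scanner can undo it by trying 256 possibilities.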

Beyond this, the botnet has no integrated scanning features or vulnerability exploitation modules, researchers noted.

What does stand out about the botnet is its use of Tor proxies, which it obtains from remote hosts via DNS TXT records (records that store text notes on a DNS server).

“The function of Matryosh is relatively simple, when it runs on [the] infected device, it renames the process … to confuse the user,” said researchers. “Then [it] decrypts the remote hostname and uses the DNS TXT request to obtain [the] TOR C2 and TOR proxy.”

After establishing a connection with the TOR proxy, the botnet communicates with the TOR C2 through the proxy and waits for the execution of the commands sent by C2.

Who is Behind the Matryosh Botnet?
Researchers speculate that the Moobot group is behind Matryosh. Moobot is a fairly new botnet family based on Mirai botnet, which targets internet of things (IoT) devices.

Researchers made these conclusions because Matryosh and Moobot’s recent LeetHozer botnet branch have several similarities. For instance, they both use a Tor-based C2 model, and their C2 port (31337) and attack method names are the same. Finally, the C2 command format is “highly similar,” said researchers.

Matryosh is only one of many recent botnet strains to surface, which over the past years have included Kaiji, Dark_Nexus, MootBot and the DDG botnet.


Five Critical Android Bugs Patched, Part of Feb. Security Bulletin

4.2.2021  Android  Threatpost

February’s security update for the mobile OS includes a Qualcomm flaw rated critical, with a CVSS score of 9.8.

Google patched five critical bugs in its Android operating system as part of its February Security Bulletin. Two of the flaws were remote code execution vulnerabilities found within the Android media framework and system.

Three additional critical Qualcomm bugs were reported by Google and patched by Qualcomm – part of a separate security bulletin disclosure. One of those flaws (CVE-2020-11163) has a Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10. The bug is tied to the wireless local area network (WLAN) chip used for Wi-Fi communications.

In all, Google patched 22 vulnerabilities in the Android OS, 15 of which were elevation-of-privilege (EOP) bugs. Another 22 security flaws were addressed by Qualcomm and impacted a range of device functions such as the Wi-Fi radio, camera and device displays.

Patch Cadence and Disclosure
Over-the-air updates to the Android operating system and chipset firmware will be pushed to devices over the following days and weeks. Google’s own Pixel-device family typically receives the updates first, with other device manufacturers’ handsets following. The technical details of the patched vulnerabilities are often not released until a majority of affected handsets have been patched.

The most severe of the critical bugs in the Android OS is a security vulnerability in the Media Framework component that allows for remote code execution (RCE), enabling a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process, according to Google. The bug is tracked as CVE-2021-0325, and received a “critical” rating on Android 8.1 and 9 but a “high” rating on Android 10, 11 and 12, the company said.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” according to the security bulletin.

The patch itself will be delivered in two parts, the first of which patches 20 vulnerabilities in the Android OS and the second of which addresses 23 flaws found in the Android kernel and assorted components from Qualcomm, according to Google.

More Remote Code Execution Bugs
Also included in the update are patches for two additional bugs in the Media Framework, one tracked as CVE-2021-0332 that allows for privilege elevation on Android 10 and 11.

Another critical RCE bug, CVE-2021-0326, was found in the System component and could enable a remote attacker to use “a specially crafted transmission to execute arbitrary code within the context of a privileged process,” according to Google. It has been patched for versions 8.1, 9, 10 and 11 of the OS.

Five other vulnerabilities patched in the update for Android System all include EOP capability and have been updated for all versions of the OS from 8.1 upwards, the company said.

The update also patches 10 bugs found in Android Framework, nine of which include EOP capability and affect various versions of the OS. All of the Framework vulnerabilities received a “high” rating, according to the advisory.

Qualcomm Bugs: Also Patched
The other three bugs in the update with “critical” ratings affect Qualcomm components in Android. The most serious, based on public information, is tracked as CVE-2020-11272 (CVSS score 9.8) and affects the WLAN component.

Qualcomm describes the bug as an “improper validation of array index in data modem” flaw. It offered additional limited details including that the bug can be abused by an attacker should they trigger a “buffer overflow while updating ikev2 parameters.” Internet Key Exchange (IKEv2) is the protocol used to set up a security association in the IPsec protocol suite, according to a technical description.

The two others, CVE-2020-11163 and CVE-2020-11170, affect Qualcomm closed-source components found in the OS.

The Android Kernel, Google Play system, and Android runtime each received one patch in the update, for bugs rated “high.”

Last month Google also addressed 43 bugs in Android, including two critical bugs, one of which was found in Android System and allowed remote attackers to execute arbitrary code.

At this time there is no evidence that any of the vulnerabilities patched in the February update are being actively exploited in the wild, according to a post on the update by the Center for Internet Security (CIS).

CIS recommended that Android users apply the Android updates provided by Google or their mobile carriers to vulnerable systems “immediately after proper testing.” The center also reminded users to only download applications from trusted vendors in the Google Play Store and also to avoid visiting untrusted websites or following links provided by unknown or untrusted sources.


Google Patches Over a Dozen High-Severity Privilege Escalation Flaws in Android
3.2.2021 
Android  Securityweek

Google this week published its Android security bulletin for February 2021, which includes information on more than 40 vulnerabilities, most of which could lead to elevation of privilege.

The first part of the monthly update, which arrives on devices as the 2021-02-01 security patch level, includes fixes for a total of 20 vulnerabilities, 15 of which lead to elevation of privilege.

The most important of these vulnerabilities is a critical flaw in the Media Framework component that could allow an attacker to execute arbitrary code on a vulnerable device. The attacker needs to supply a specially crafted file to trigger the bug.

Tracked as CVE-2021-0325, the issue is considered critical on Android 8.1 and 9 platform releases, but has only a high severity rating on Android 10 and 11, Google’s advisory explains.

Two other flaws patched in Media Framework this month, namely CVE-2021-0332 and CVE-2021-0335, were rated high severity. The bugs could lead to elevation of privilege and information disclosure, respectively.

Google also patched an information disclosure flaw in Android runtime, along with nine elevation of privilege and one denial of service issue in Framework, all of which were rated high severity.

The System component received patches for six vulnerabilities, namely one critical remote code execution bug and five high-severity elevation of privilege issues. One vulnerability was patched in the media codecs component.

The second part of this month’s security update, which is delivered to devices as the 2021-02-05 security patch level, includes patches for 23 vulnerabilities in Kernel components (one high-severity bug), Qualcomm components (one critical and five high-severity flaws), and Qualcomm closed-source components (two critical and fourteen high-severity issues).

A single patch was included in this month’s Pixel update bulletin, for a moderate-severity vulnerability (CVE-2020-11203) in Qualcomm closed-source components.

Pixel devices, Google explains, will receive patches for all the security vulnerabilities in the February 2021 Android security bulletin, and for the bug described in the Pixel update bulletin.

There are no reports that the vulnerabilities addressed in this month’s Android security bulletin are being exploited in the wild, the Multi-State Information Sharing and Analysis Center (MS-ISAC) says.
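
The two patch levels described above (2021-02-01 for the first part, 2021-02-05 for the kernel and Qualcomm fixes) are what a device reports in its `ro.build.version.security_patch` property, so a fleet check for this bulletin reduces to reading that property and comparing dates. As an added example (not code from the Securityweek article or from Google's bulletin), the script below classifies constructed `getprop` outputs into devices that carry the full bulletin, only its first part, or neither; the device names and property values are made up for the example.

```python
"""Classify Android devices against the February 2021 security bulletin (added example).

2021-02-01 covers the first part of the bulletin (framework, system, media),
2021-02-05 also covers the kernel and Qualcomm fixes, and any later level
includes everything in this bulletin. The getprop values below are constructed.
"""
from datetime import date
from typing import Dict

FEB_2021_PARTIAL = date(2021, 2, 1)  # first-part fixes only
FEB_2021_FULL = date(2021, 2, 5)     # kernel and Qualcomm fixes included


def parse_patch_level(raw: str) -> date:
    """Parse the YYYY-MM-DD value printed by `getprop ro.build.version.security_patch`."""
    year, month, day = (int(part) for part in raw.strip().split("-"))
    return date(year, month, day)


def classify(level: date) -> str:
    """Return how much of the February 2021 bulletin a given patch level covers."""
    if level >= FEB_2021_FULL:
        return "complete"        # all 43 issues, including kernel and vendor components
    if level >= FEB_2021_PARTIAL:
        return "framework-only"  # the 20 first-part fixes; kernel/Qualcomm fixes missing
    return "unpatched"


def audit_fleet(devices: Dict[str, str]) -> Dict[str, str]:
    """Map device id -> coverage label for a dict of raw property values."""
    result = {}
    for dev, raw in devices.items():
        try:
            result[dev] = classify(parse_patch_level(raw))
        except ValueError:
            result[dev] = "unknown"  # empty or malformed property value
    return result


# Constructed sample fleet: names and patch levels are illustrative only.
SAMPLE_FLEET = {
    "pixel-a": "2021-02-05",
    "oem-b": "2021-02-01",
    "oem-c": "2020-12-01",
    "oem-d": "2021-03-01",
    "broken-e": "",
}

if __name__ == "__main__":
    for dev, status in audit_fleet(SAMPLE_FLEET).items():
        print(f"{dev}: {status}")
```

The "framework-only" bucket is the one that is easy to overlook: a device showing a February date can still be missing the critical Qualcomm WLAN fixes if the OEM shipped only the 02-01 level.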


Operation NightScout: supply chain attack on NoxPlayer Android emulator
2.2.2021 
Android  CyberCrime  Securityaffairs

Experts uncovered a new supply chain attack leveraging the update process of NoxPlayer, a free Android emulator for PCs and Macs.

A new supply chain attack has made headlines: a threat actor compromised the update process of NoxPlayer, a free Android emulator for Windows and Macs developed by BigNox. The company claims to have over 150 million users in more than 150 countries; according to ESET, more than 100,000 of its customers have NoxPlayer installed on their machines.

The emulator is widely adopted by gamers in order to play mobile games from their PCs.

The attack was discovered by cybersecurity firm ESET on January 25; the threat actors delivered malware to a limited number of victims across Asia.

At the time of this writing, the researchers already identified five victims in countries such as Taiwan, Hong Kong, and Sri Lanka. ESET tracked this campaign as Operation NightScout.

“In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide.” reads the analysis published by ESET.

“Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities.”

NoxPlayer supply chain attack
The attackers compromised one of the company’s official API servers (api.bignox.com) and a file-hosting server (res06.bignox.com); once they had gained a foothold in the target infrastructure, they tampered with the download URL of NoxPlayer updates on the API server to deliver tainted updates.

The experts reported that threat actors employed at least three different malware families in this supply chain attack.

The report published by ESET includes technical details of the attack, which could allow NoxPlayer users to determine whether they have installed the tainted updates, and provides instructions on how to remove the malicious code.

ESET did not attribute this attack to a known threat actor; it only highlighted that the three malware families employed in the attack had “similarities” with malware used in a supply-chain attack on the Myanmar presidential office website in 2018 and in an intrusion into a Hong Kong university in early 2020.

“We have detected various supply-chain attacks in the last year, such as Operation SignSight or the compromise of Able Desktop among others. However, the supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers.” concludes the report.

“Supply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and its complexity may impact the discovery and mitigation of these type of incidents.”


Oscorp, a new Android malware targets Italian users
29.1.2021 
Android  Securityaffairs

Researchers at the Italian CERT warn of new Android malware dubbed Oscorp that abuses accessibility services for malicious purposes.

Researchers from security firm AddressIntel spotted a new Android malware dubbed Oscorp; its name comes from the title of the login page of its command-and-control server.

Like other Android malware, Oscorp tricks users into granting it access to the Android Accessibility Service, which means it can read the text on the screen, detect an app installation prompt, scroll through the permission list, and press the install button on the user’s behalf.

“not being able to access the private files of other applications, the actions of these malicious apps are “limited” to the theft of credentials through phishing pages (called, in the jargon of malware, injections), to blocking the device (intended as screen lock) and possibly to the capture of audio and video.” read the advisory published by Italy’s CERT-AGID (Italian language).

A few days ago, AddressIntel experts identified a domain called “supportoapp[.]com” that was serving the file “Client assistance.apk”.

Once the app is installed, which is presented with the name “Customer Protection”, it asks users to enable the accessibility service.

The malware uses the Geny2 service to induce the user to enable the accessibility service and, once activated, automatically enable some permissions.

The malicious code reopens the Settings screen every eight seconds to force the user into granting the requested permissions for accessibility and device usage statistics.

Enabling accessibility service makes it possible to:

Enable keylogger functionality.
Automatically obtain the permissions and capabilities required by the malware.
Uninstall apps.
Make calls.
Send SMS.
Steal cryptocurrency.
Steal the PIN for Google's 2FA.
At the time of the analysis, the wallet used by the malware had $584.

The CERT's report provides technical details about the malware, including a description of services such as PJService, which collects information about the device. The malware communicates with the C2 via HTTP POST requests.

When the user opens one of the apps targeted by Oscorp, the malicious code displays a phishing page that asks them to provide a username and password.

The style of this screen is different for each app and it’s designed to trick the victim into providing the information.

“Android protections prevent malware from doing any kind of damage until the user enables accessibility service,” concludes the CERT-AGID’s advisory. “Once enabled, however, a ‘dam’ opens up. In fact, Android has always had a very permissive policy towards app developers, leaving the ultimate decision to trust an app or not to the end user.”


Italy CERT Warns of a New Credential Stealing Android Malware
29.1.2021 
Android  Thehackernews
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video.

Dubbed "Oscorp" by Italy's CERT-AGID and spotted by AddressIntel, the malware "induce(s) the user to install an accessibility service with which [the attackers] can read what is present and what is typed on the screen."

So named because of the title of the login page of its command-and-control (C2) server, the malicious APK (called "Assistenzaclienti.apk" or "Customer Protection") is distributed via a domain named "supportoapp[.]com," which upon installation, requests intrusive permissions to enable the accessibility service and establishes communications with a C2 server to retrieve additional commands.

Furthermore, the malware reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, pressuring the user into granting the extra privileges.

Once the access is provisioned, the malware exploits the permissions to log keystrokes, uninstall apps on the device, make calls, send SMS messages, steal cryptocurrency by redirecting payments made via Blockchain.com Wallet app, and access two-factor authentication codes from Google Authenticator app.

The attacker-controlled wallet had $584 as of January 9, the researchers said.

In the final step, the malware exfiltrates the captured data — along with system information (e.g., apps installed, phone model, carrier) — to the C2 server, in addition to fetching commands from the server that allows it to launch the Google Authenticator app, steal SMS messages, uninstall apps, launch specific URLs, and record audio and video of the screen through WebRTC.

What's more, users opening the apps targeted by the malware are shown a phishing page that asks for their username and password, CERT noted, adding that the style of this screen varies from app to app and that it is designed to trick the victim into providing the information.

The exact kind of applications singled out by this malware remains unclear, but the researchers said it could be any app that deals with sensitive data, such as those for banking and messaging.

"Android protections prevent malware from doing any kind of damage until the user enables [accessibility] service," CERT-AGID concluded. "Once enabled, however, a 'dam' opens up. In fact, Android has always had a very permissive policy towards app developers, leaving the ultimate decision to trust an app or not to the end user."
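Both Oscorp write-ups above come down to one capability pattern: an app that declares an accessibility service and also asks for overlay, SMS, call, audio and usage-stats access. A static triage check for that pattern over a decoded APK's AndroidManifest.xml is shown below as an added example; it is not code from CERT-AGID, AddressIntel or either article. Both manifests in the block, including the package name com.example.customerprotection and the service name, are constructed samples, not the real Oscorp APK.

```python
"""Static triage of an AndroidManifest.xml for the Oscorp-style capability
pattern: an accessibility service combined with overlay, SMS, call, audio
and usage-stats permissions.  Added example, not CERT-AGID/AddressIntel
tooling; both sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, together with an accessibility service, give an app the
# abilities described for Oscorp (overlay phishing pages, OTP theft, calls,
# recording, knowing which app is in the foreground).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.READ_SMS": "can read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.SEND_SMS": "can send SMS",
    "android.permission.CALL_PHONE": "can place calls",
    "android.permission.RECORD_AUDIO": "can capture audio",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs",
    "android.permission.PACKAGE_USAGE_STATS": "can tell which app is in the foreground",
}


def triage_manifest(xml_text: str) -> dict:
    """Return findings and a verdict (LOW/MEDIUM/HIGH) for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}
    for perm in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"{perm}: {RISKY_PERMISSIONS[perm]}")

    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    accessibility = False
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            accessibility = True
            findings.append(f"accessibility service declared: {svc.get(ANDROID_NS + 'name')}")

    # A device-admin receiver lets the app resist removal.
    device_admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    if device_admin:
        findings.append("device-admin receiver declared (can resist uninstall)")

    # Verdict: accessibility plus screen or SMS control is the pattern that matters.
    high = accessibility and (
        "android.permission.SYSTEM_ALERT_WINDOW" in perms or "android.permission.READ_SMS" in perms)
    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "device_admin": device_admin,
        "findings": findings,
        "verdict": "HIGH" if high else ("MEDIUM" if findings else "LOW"),
    }


# Constructed sample that mirrors the capabilities described for Oscorp.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.customerprotection">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
    <application android:label="Customer Protection">
        <service android:name=".ScreenReaderService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign sample for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], report["verdict"])
        for line in report["findings"]:
            print("  -", line)
```

The check deliberately scores the combination rather than any single permission: accessibility services and SYSTEM_ALERT_WINDOW are legitimate in screen readers and chat heads, but an app that asks for both plus SMS and call access, as Oscorp does, has no benign explanation and should be pulled for dynamic analysis.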


'LuckyBoy' Malvertising Campaign Hits iOS, Android, XBox Users
21.1.2021 
Android  Apple  Securityweek

A recently identified malvertising campaign targeting mobile and other connected devices users makes heavy use of obfuscation and cloaking to avoid detection.

Dubbed LuckyBoy, the multi-stage, tag-based campaign is focused on iOS, Android, and Xbox users. Since December 2020, it has penetrated over 10 Demand Side Platforms (DSPs), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada.

According to security vendor Media Trust, the malware checks for a global variable 'luckyboy' that allows it to detect whether blockers, testing environments, and active debuggers are present on the device. If any are detected, the malware won't execute.

Should it run on a target environment, the malware executes a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.

LuckyBoy was observed operating in bursts: small campaigns are launched on Thursday nights, with only a few compromised tags, and continue throughout the weekend.

Multiple checks are performed as the campaign advances through stages, with extensive code obfuscation and domain exclusion employed, and device-specific information extracted.

The harvested device data includes country code, window size, graphics information, number of CPU cores, battery level, current domain, plugins, the presence of webdriver, and whether touch is available, likely to set up for future attacks.

The malware continuously performs checks to ensure that the value of the global variable remains ‘luckyboy’. Otherwise, the script stops execution and exits after delivering a clean creative to the user.

“LuckyBoy is likely executing tests, probing to gauge their success before launching a broader attack. Campaign was confirmed to execute on tags wrapped with malware blocking code, bypassing these defenses as further evidence that its sophistication is impressive,” The Media Trust notes in a report shared with SecurityWeek.

The security firm says it is currently working with Google and TAG Threat Exchange to isolate the buyer and block them from launching these campaigns.


Report: TikTok Harvested MAC Addresses By Exploiting Android Loophole
15.1.2021 
Android  Securityweek

The ongoing controversies surrounding TikTok hit a new gear on Thursday with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google.

According to a Wall Street Journal report, TikTok used a banned tactic to bypass the privacy safeguard in Android to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out.

TikTok, based in Beijing, China, has been described as a national security threat in the U.S., and has been in the headlines over concerns that data collected by the TikTok app could be used to aid government spying activities.

The Wall Street Journal said TikTok was exploiting a loophole to collect MAC addresses for at least 15 months. The practice stopped in November 2020.

MAC addresses are considered personally identifiable information under COPPA (the Children's Online Privacy Protection Act). A MAC address is a unique identifier found in all internet-enabled communications devices, including Android- and iOS-powered devices. MAC addresses can be used to target advertising to specific users or to track and build dossiers on individuals.

TikTok responded to the WSJ's findings by saying "the current version of TikTok does not collect MAC addresses," but the investigation found that the company had been harvesting that data for many months.

Apple's iOS blocks third parties from reading MAC addresses as part of a privacy feature added in 2013, but on Android, the exploitable loophole remains.

From the WSJ report:

“TikTok bypassed that restriction on Android by using a workaround that allows apps to get MAC addresses through a more circuitous route, the Journal’s testing showed.

The security hole is widely known, if seldom used, Mr. Reardon said. He filed a formal bug report about the issue with Google last June after discovering the latest version of Android still didn’t close the loophole. “I was shocked that it was still exploitable,” he said.

Mr. Reardon’s report was about the loophole in general, not specific to TikTok. He said that when he filed his bug report, the company told him it already had a similar report on file. Google declined to comment.

TikTok collected MAC addresses for at least 15 months, ending with an update released Nov. 18 of last year, as ByteDance was falling under intense scrutiny in Washington, the Journal’s testing showed.

TikTok bundled the MAC address with other device data and sent it to ByteDance when the app was first installed and opened on a new device. That bundle also included the device’s advertising ID, a 32-digit number intended to allow advertisers to track consumer behavior while giving the user some measure of anonymity and control over their information.”

Although the investigation found that TikTok did not collect an unusual amount of data and typically was upfront about what was being captured, the Journal found that the parent company ByteDance took major steps to use extraneous steps” to “conceal the data it captures.”

The Wall Street Journal said it examined nine versions of TikTok released on the Google Play Store between April 2018 and January 2020. The analysis was limited to examining what TikTok collects when freshly installed on a user’s device, before the user creates an account and accepts the app’s terms of service.

Google said it is investigating the new discovery.


Sophisticated Hacks Against Android, Windows Reveal Zero-Day Trove
14.1.2021 
Android  Threatpost

Watering-hole attacks executed by ‘experts’ exploited Chrome, Windows and Android flaws and were carried out on two servers.

Google researchers have detailed a major hacking campaign that was detected in early 2020, which mounted a series of sophisticated attacks, some using zero-day flaws, against Windows and Android platforms.

Working together, researchers from Google Project Zero and the Google Threat Analysis Group (TAG) uncovered the attacks, which were “performed by a highly sophisticated actor,” Ryan from Project Zero wrote in the first of a six-part blog series on their research.

“We discovered two exploit servers delivering different exploit chains via watering-hole attacks,” he wrote. “One server targeted Windows users, the other targeted Android.”


Watering-hole attacks target organizations’ oft-used websites and inject them with malware, infecting and gaining access to victims’ machines when users visit the infected sites.

In the case of the attacks that Google researchers uncovered, both the Windows and the Android exploit servers used Chrome exploits to gain initial remote code execution. The exploits used against Windows included zero-day flaws, while Android users were targeted with exploit chains using known "n-day" exploits, though the researchers acknowledge it is possible zero-day vulnerabilities were also used.

The team spent months analyzing the attacks, including examining what happened post-exploitation on Android devices. In that case, additional payloads were delivered that collected device fingerprinting information, location data, a list of running processes and a list of installed applications for the phone.

Zero-Day Bugs
The researchers posted root-cause analyses for each of the four Windows zero-day vulnerabilities that they discovered being leveraged in their attacks.

The first, CVE-2020-6418, is a type confusion bug in V8, the component of Google Chrome that processes JavaScript code (specifically its TurboFan compiler), affecting versions prior to 80.0.3987.122. It allows a remote attacker to potentially cause heap corruption via a crafted HTML page, leading to remote code execution.

The second, CVE-2020-0938, is a trivial stack-corruption vulnerability in the Windows Font Driver. It can be triggered by loading a Type 1 font that includes a specially crafted BlendDesignPositions object. In the attacks, it was chained with CVE-2020-1020, another Windows Font Driver flaw, this time in the processing of the VToHOrigin PostScript font object, also triggered by loading a specially crafted Type 1 font. Both were used for privilege escalation.

“On Windows 8.1 and earlier versions, the vulnerability was chained with CVE-2020-1020 (a write-what-where condition) to first set up a second stage payload in RWX kernel memory at a known address, and then jump to it through this bug,” according to Google. “The exploitation process was straightforward because of the simplicity of the issue and high degree of control over the kernel stack. The bug was not exploited on Windows 10.”

And finally, CVE-2020-1027 is a Windows heap buffer overflow in the Client/Server Run-Time Subsystem (CSRSS), which is an essential subsystem that must be running in Windows at all times. The issue was used as a sandbox escape in a browser exploit chain using, at times, all four vulnerabilities.

“This vulnerability was used in an exploit chain together with a 0-day vulnerability in Chrome (CVE-2020-6418). For older OS versions, even though they were also affected, the attacker would pair CVE-2020-6418 with a different privilege escalation exploit (CVE-2020-1020 and CVE-2020-0938).”

All have since been patched.

Advanced Capabilities
From their understanding of the attacks, researchers said that threat actors were operating a “complex targeting infrastructure,” though, curiously, they didn’t use it every time.

“In some cases, the attackers used an initial renderer exploit to develop detailed fingerprints of the users from inside the sandbox,” according to researchers. “In these cases, the attacker took a slower approach: sending back dozens of parameters from the end user’s device, before deciding whether or not to continue with further exploitation and use a sandbox escape.”

Still other attack scenarios showed attackers choosing to fully exploit a system straightaway; or, not attempting any exploitation at all, researchers observed. “In the time we had available before the servers were taken down, we were unable to determine what parameters determined the ‘fast’ or ‘slow’ exploitation paths,” according to the post.

Overall, whoever was behind the attacks designed the exploit chains to be used modularly for efficiency and flexibility, showing clear evidence that they are experts in what they do, researchers said.

“They [use] well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” according to the post.


Rogue Android RAT emerges from the darkweb
14.1.2021 
Android  Securityaffairs

Experts discovered an Android Remote Access Trojan, dubbed Rogue, that allows attackers to take over infected devices and steal user data.
Rogue is a new mobile RAT discovered by researchers from Check Point while investigating the activity of the darknet threat actors known as Triangulum and HeXaGoN Dev. Both actors are Android malware authors that are offering their malicious code on the darknet marketplaces.

Triangulum has been active since June 2017. The actor started as an amateur developer but has since intensified its operations by developing a network of partnerships, making investments, and distributing malware to potential buyers.

Triangulum had purchased multiple projects created by HeXaGoN Dev. The experts pointed out that the combination of HeXaGon Dev’s programming skills and Triangulum’s social marketing skills clearly posed a legitimate threat.

The duo distributed multiple Android mobile malware, including cryptominers, keyloggers, and sophisticated P2P (Phone to Phone) Mobile RATs.

"Triangulum and HeXaGoN Dev then collaborated to create and introduce the Rogue malware to the darknet," reads the post published by CheckPoint. "Rogue is part of the MRAT family (Mobile Remote Access Trojan). This type of malware can gain control over the host device and exfiltrate any kind of data, such as photos, location, contacts, and messages, to modify the files on the device and download additional malicious payloads."

The RAT allows its operator to exfiltrate any kind of data (i.e. photos, messages, location, and contacts) from the infected device, but experts pointed out that it could also delete data.

Once it has obtained all of the required permissions on the targeted device, the Rogue RAT hides its icon; until every required permission has been granted, it repeatedly asks the user to grant them.

The malware also registers as a device administrator. If the victim attempts to revoke the admin permission, the malicious code will display an onscreen message “Are you sure to wipe all the data?” to scare the user.

Rogue leverages Google's Firebase platform, a Google service for app developers, to hide its activity. The malware uses Firebase to send commands to the device and to exfiltrate data.

The Rogue malware uses the following services implemented by Firebase:

“Cloud Messaging” to receive commands from the C&C.
“Realtime Database” to upload data from the device.
“Cloud Firestore” to upload files.

"In this research, CPR uncovered a fully active market that sells malicious mobile malware, living and flourishing on the dark net and other related web forums," Check Point concludes.

"The story of the Rogue malware is an example of how mobile devices can be exploited. Similar to Triangulum, other threat actors are perfecting their craft and selling mobile malware across the dark Web – so we need to stay vigilant for new threats."


'Rogue' Android RAT Can Take Control of Devices, Steal Data
14.1.2021 
Android  Securityweek

A recently discovered Mobile Remote Access Trojan (MRAT) can take control of the infected Android devices and exfiltrate a trove of user data, Check Point security researchers warn.

Dubbed Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors that have been selling their malicious products on underground markets for several years.

Triangulum, Check Point says, first shared a mobile RAT on a dark web forum in June 2017. The threat was capable of data exfiltration, but could also destroy data locally, and even erase the OS.

The developer started selling a piece of mobile malware several months later, and added another one to their portfolio after one year. Very active since, Triangulum likely created a “high-functioning production line for the development and distribution of malware,” Check Point says.

For the development of Rogue, the malware author apparently partnered with HeXaGoN Dev, who specializes in building Android RATs. Previously, Triangulum had purchased projects from HeXaGoN Dev.

“The combination of HeXaGon Dev’s programming skills and Triangulum’s social marketing skills clearly posed a legitimate threat,” Check Point’s security researchers note.

Once it manages to compromise a device and gains all of the necessary permissions, the Rogue RAT hides its icon from the user, to ensure that it can’t be easily removed. The malware repeatedly asks for permissions until the user grants them.

The malware also registers as a device administrator and threatens to erase all data if the user attempts to revoke its admin permissions, by displaying the following message on the screen: “Are you sure to wipe all the data?”

To hide its malicious intentions, Rogue leverages Google’s Firebase platform, masquerading as a legitimate Google service. Firebase services serve as a command and control (C&C) server, meaning that all commands and data exfiltration are performed using Firebase’s infrastructure.

Of the dozens of services provided by Google Firebase to application developers, Rogue uses “Cloud Messaging” to receive commands, “Realtime Database” to upload data, and “Cloud Firestore” to upload files.

“The story of the Rogue malware is an example of how mobile devices can be exploited. Similar to Triangulum, other threat actors are perfecting their craft and selling mobile malware across the dark Web – so we need to stay vigilant for new threats,” Check Point concludes.
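Both Rogue write-ups say the same thing about its command channel: the three Firebase products it uses are all addressed by identifiers that a Firebase-enabled app carries in its own resources, which is what an analyst can pivot on when Firebase, rather than an attacker-owned server, is the C2. The block below, an added example and not Check Point's tooling, profiles that backend from a decoded APK's res/values/strings.xml and AndroidManifest.xml. The resource keys it reads (project_id, firebase_database_url, gcm_defaultSenderId, google_app_id, google_storage_bucket, google_api_key) are the ones the google-services Gradle plugin generates; the values, package name and service name in the samples are constructed placeholders, not Rogue's real project.

```python
"""Profile the Firebase backend an APK is wired to, from the decoded
res/values/strings.xml and AndroidManifest.xml.  Added example, not Check
Point's tooling.  The resource keys are those written by the google-services
plugin; every value below is a constructed sample."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Intent action a FirebaseMessagingService subclass registers for.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Resource key -> Firebase product it implies (the channels named in the article).
KEY_TO_PRODUCT = {
    "gcm_defaultSenderId": "Cloud Messaging",      # command channel in Rogue
    "firebase_database_url": "Realtime Database",  # data upload in Rogue
    "google_storage_bucket": "Cloud Storage",
}
OTHER_KEYS = ("project_id", "google_app_id", "google_api_key")


def extract_firebase_config(strings_xml: str) -> dict:
    """Return the Firebase-related <string> resources that are present."""
    root = ET.fromstring(strings_xml)
    wanted = set(KEY_TO_PRODUCT) | set(OTHER_KEYS)
    return {s.get("name"): (s.text or "").strip()
            for s in root.iter("string") if s.get("name") in wanted}


def declares_fcm_service(manifest_xml: str) -> bool:
    """True if some <service> listens for FCM messages (the receive side of a Firebase C2)."""
    root = ET.fromstring(manifest_xml)
    for svc in root.iter("service"):
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == FCM_ACTION:
                return True
    return False


def firebase_profile(strings_xml: str, manifest_xml: str) -> dict:
    """Summarise which Firebase project and products the app talks to."""
    cfg = extract_firebase_config(strings_xml)
    # Realtime Database hosts are <project>.firebaseio.com; pull the project out of the URL.
    m = re.match(r"https://([a-z0-9-]+)\.firebaseio\.com/?$", cfg.get("firebase_database_url", ""))
    products = [product for key, product in KEY_TO_PRODUCT.items() if cfg.get(key)]
    # Cloud Firestore is reached through project_id alone and leaves no dedicated key,
    # so its use can only be confirmed from code or traffic, not from strings.xml.
    return {
        "project_id": cfg.get("project_id"),
        "database_project": m.group(1) if m else None,
        "sender_id": cfg.get("gcm_defaultSenderId"),
        "products": products,
        "fcm_service": declares_fcm_service(manifest_xml),
    }


# Constructed strings.xml, shaped like google-services plugin output.
STRINGS_XML = """<resources>
    <string name="app_name">System Update</string>
    <string name="project_id">rogue-sample-4f2c1</string>
    <string name="firebase_database_url">https://rogue-sample-4f2c1.firebaseio.com</string>
    <string name="gcm_defaultSenderId">123456789012</string>
    <string name="google_app_id">1:123456789012:android:0123456789abcdef</string>
    <string name="google_storage_bucket">rogue-sample-4f2c1.appspot.com</string>
    <string name="google_api_key">CONSTRUCTED-PLACEHOLDER-KEY</string>
</resources>"""

# Constructed manifest with an FCM listener service.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.systemupdate">
    <application android:label="System Update">
        <service android:name=".CommandService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""


if __name__ == "__main__":
    for key, value in firebase_profile(STRINGS_XML, MANIFEST_XML).items():
        print(f"{key}: {value}")
```

The profile is evidence, not a verdict: countless legitimate apps carry exactly these keys. Its value is that the project id, sender id and database host identify the attacker's tenancy, which is what an abuse report to Google or a network block needs, and that an app whose only Firebase product is a messaging listener plus a database it writes to, with no user-facing feature that would need them, warrants a closer look.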


Sophisticated hacking campaign uses Windows and Android zero-days
13.1.2021 
Android  Securityaffairs

Google Project Zero researchers uncovered a sophisticated hacking campaign that targeted Windows and Android users.
The Google Project Zero team has recently launched an initiative aimed at devising new techniques to detect 0-day exploits employed in attacks in the wild. While partnering with the Google Threat Analysis Group (TAG), the experts discovered a watering hole attack in Q1 2020 that was carried out by a highly sophisticated actor.

The campaign spotted by Project Zero experts targeted Windows and Android systems. The threat actors behind the attacks exploited multiple vulnerabilities in Android and Windows and chained them with Chrome flaws, using both zero-day and n-day exploits.

“We discovered two exploit servers delivering different exploit chains via watering hole attacks. One server targeted Windows users, the other targeted Android. Both the Windows and the Android servers used Chrome exploits for the initial remote code execution.” reads the analysis published by Project Zero. “The exploits for Chrome and Windows included 0-days. For Android, the exploit chains used publicly known n-day exploits. Based on the actor’s sophistication, we think it’s likely that they had access to Android 0-days, but we didn’t discover any in our analysis.”

The attacks employed two exploit servers that triggered multiple vulnerabilities through different exploit chains in watering hole attacks.

The two servers hosted exploits for Google Chrome vulnerabilities to gain an initial foothold on visitors' devices; the attackers then used Windows and Android exploits to take over the victims' devices.

The experts were able to extract the following code from the exploit servers:

Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The chains used by the attackers included the following 0-day flaws:

CVE-2020-6418 – Chrome Vulnerability in TurboFan (fixed February 2020)
CVE-2020-0938 – Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1020 – Font Vulnerability on Windows (fixed April 2020)
CVE-2020-1027 – Windows CSRSS Vulnerability (fixed April 2020)
The Project Zero team spent many months analyzing in detail each part of the attack chain employed in this campaign; they detailed their findings in six separate reports:

Introduction (this post)
Chrome: Infinity Bug
Chrome Exploits
Android Exploits
Android Post-Exploitation
Windows Exploits
Google highlighted the level of sophistication of this campaign: the threat actors appear to be well resourced and the overall operation well-engineered.

“They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,” Google concludes.

"We believe that teams of experts have designed and developed these exploit chains."


Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan
13.1.2021 
Android  Thehackernews
Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage.

Designed to masquerade as apps such as the Pakistan Citizen Portal, a Muslim prayer-clock app called Pakistan Salat Time, Mobile Packages Pakistan, Registered SIMs Checker, and TPL Insurance, the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file.

"The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user's contact list and the full contents of SMS messages," Sophos threat researchers Pankaj Kohli and Andrew Brandt said.

"The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe."

Interestingly, the fake website of the Pakistan Citizen Portal was also prominently displayed in the form of a static image on the Trading Corporation of Pakistan (TCP) website, potentially in an attempt to lure unsuspecting users into downloading the malware-laced app.

Visiting the TCP website (tcp.gov.pk) now shows the message "Down for Maintenance."

Besides the aforementioned apps, Sophos researchers also discovered a separate app called Pakistan Chat that didn't have a benign analogue distributed via the Google Play Store. But the app was found to leverage the API of a legitimate chat service called ChatGum.

Once installed, the app requests intrusive permissions, including the ability to access contacts, file system, location, microphone, and read SMS messages, which allow it to gather a wide swathe of data on a victim's device.

All these apps have one singular purpose — to conduct covert surveillance and exfiltrate the data from a target device. In addition to sending the unique IMEI identifier, the DEX payload relays detailed profile information about the phone, location information, contact lists, the contents of text messages, call logs and the full directory listing of any internal or SD card storage on the device.

Troublingly, the malicious Pakistan Citizen Portal app also transmits sensitive information such as users' computerized national identity card (CNIC) numbers, their passport details, and the username and password for Facebook and other accounts.

"The spying and covert surveillance capability of these modified Android apps highlight the dangers of spyware to smartphone users everywhere," Pankaj Kohli said. "Cyber-adversaries target mobiles not just to get their hands on sensitive and personal information, but because they offer a real-time window into people's lives, their physical location, movements, and even live conversations taking place within listening range of the infected phone."

If anything, the development is yet another reason why users need to stick to trusted sources to download third-party apps, verify if an app is indeed built by a genuine developer, and carefully scrutinize app permissions before installation.

"In the current Android ecosystem, apps are cryptographically signed as a way to certify the code originates with a legitimate source, tying the app to its developer," the researchers concluded. "However, Android doesn't do a good job exposing to the end user when a signed app's certificate isn't legitimate or doesn't validate. As such, users have no easy way of knowing if an app was indeed published by its genuine developer."

"This allows threat actors to develop and publish fake versions of popular apps. The existence of a large number of app stores, and the freedom of users to install an app from practically anywhere makes it even harder to combat such threats."
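The Sophos conclusion above is the practical point for defenders: a trojanized copy of a popular app cannot carry the genuine developer's signing certificate, so pinning that certificate's SHA-256 digest catches the fake even when the package name and icon are identical. The block below is an added example, not Sophos tooling, of checking the digest that `apksigner verify --print-certs` prints against an allowlist. The apksigner output lines it parses are given as I recall the tool's format and should be treated as an assumption; the package name com.example.citizenportal and every digest are constructed placeholders.

```python
"""Pin an app's signing certificate: compare the SHA-256 digest reported by
`apksigner verify --print-certs` against an allowlist of genuine developer
certificates.  Added example, not Sophos tooling.  The output format parsed
here is apksigner's as recalled (assumption); all package names and digests
are constructed placeholders."""
import re

# Line apksigner prints per signer, e.g.
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
SHA256_LINE = re.compile(r"Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")

# Constructed allowlist: package name -> hex SHA-256 of the genuine signer cert.
KNOWN_SIGNERS = {
    "com.example.citizenportal": "a1" * 32,
}


def parse_signer_digests(apksigner_output: str) -> list:
    """Return every signer certificate SHA-256 digest found, lower-cased."""
    return [digest.lower() for _, digest in SHA256_LINE.findall(apksigner_output)]


def check_signer(package: str, apksigner_output: str, known=KNOWN_SIGNERS) -> dict:
    """Classify an APK by its signer: OK, MISMATCH, UNKNOWN_PACKAGE, NO_SIGNER or INVALID."""
    # apksigner reports a broken or absent signature with "DOES NOT VERIFY".
    if "DOES NOT VERIFY" in apksigner_output:
        return {"status": "INVALID", "digests": []}
    digests = parse_signer_digests(apksigner_output)
    if not digests:
        return {"status": "NO_SIGNER", "digests": []}
    if package not in known:
        return {"status": "UNKNOWN_PACKAGE", "digests": digests}
    # Every signer present must be the pinned one; an extra signer is also a mismatch.
    ok = all(d == known[package].lower() for d in digests)
    return {"status": "OK" if ok else "MISMATCH", "digests": digests}


def _constructed_output(digest: str) -> str:
    """Build a constructed apksigner-style report for one signer."""
    return (
        "Number of signers: 1\n"
        "Signer #1 certificate DN: CN=Example Portal Dev, O=Example\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'c3' * 20}\n"
    )


GENUINE_OUTPUT = _constructed_output("a1" * 32)      # matches the allowlist
TROJANIZED_OUTPUT = _constructed_output("b2" * 32)   # re-signed copy


if __name__ == "__main__":
    for label, out in (("genuine", GENUINE_OUTPUT), ("trojanized", TROJANIZED_OUTPUT)):
        print(label, check_signer("com.example.citizenportal", out)["status"])
```

The allowlist digest should come from a copy obtained through the developer's own channel (or published by the developer), never from the sample under test; and because apksigner is the only party that validates the signature schemes, the check must run on its output rather than on the cert file alone, otherwise an APK with a copied certificate but no valid signature would pass.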


Google fixed a critical Remote Code Execution flaw in Android
7.1.2021 
Android  Securityaffairs

Google released an Android security update that addressed tens of flaws, including a critical Android remote code execution vulnerability.
Google released an Android security update that addresses 43 flaws, including a critical remote code execution vulnerability in the Android System component tracked as CVE-2021-0316. Google addressed the flaws with the release of Security patch levels of 2021-01-05 or later.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.” reads Google’s January Android security bulletin.

The bulletin also fixed a critical DoS vulnerability, tracked as CVE-2021-0313, that affects the Framework. The flaw could be exploited by a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

The above vulnerabilities affect Android versions 8.0, 8.1, 9, 10 and 11.
Source code patches for these vulnerabilities have been released to the Android Open Source Project (AOSP) repository.
Google also addressed two other critical flaws in Qualcomm closed-source components, tracked as CVE-2020-11134 and CVE-2020-11182.

Google also fixed the following high-severity vulnerabilities:

Framework: CVE-2021-0303, CVE-2021-0306, CVE-2021-0307, CVE-2021-0310, CVE-2021-0315, CVE-2021-0317, CVE-2021-0318, CVE-2021-0319, CVE-2021-0304, CVE-2021-0309, CVE-2021-0321, CVE-2021-0322, CVE-2019-9376;
Media Framework: CVE-2021-0311, CVE-2021-0312, CVE-2021-0308, CVE-2021-0320;
System: CVE-2020-0471;
Kernel components: CVE-2020-10732, CVE-2020-10766, CVE-2021-0323;
MediaTek components: CVE-2021-0301;
Qualcomm components: CVE-2020-11233, CVE-2020-11239, CVE-2020-11220, CVE-2020-11250, CVE-2020-11261, CVE-2020-11262;
Qualcomm closed-source components: CVE-2020-11126, CVE-2020-11126, CVE-2020-11159, CVE-2020-11181, CVE-2020-11235, CVE-2020-11238, CVE-2020-11241, CVE-2020-11260.


Google Warns of Critical Android Remote Code Execution Bug
6.1.2021 
Android  Threatpost

Google’s Android security update addressed 43 bugs overall affecting Android handsets, including Samsung phones.

Google has fixed two critical bugs affecting its Android handsets. The more serious flaw exists in the Android System component and allows remote attackers to execute arbitrary code.

The two critical vulnerabilities are part of Google’s January Android security bulletin, released Monday. The security update addressed 43 bugs overall for the Android operating systems. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 15 bugs.

The critical-severity flaws include a remote-code-execution flaw in Google’s Android System component (CVE-2021-0316), the core of the Android operating system.


Another flaw, rated serious, is a denial-of-service issue (CVE-2021-0313) in the Android Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write apps for Android phones.

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” according to Google. Both critical flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.

Beyond these critical-severity issues, Google fixed a tangle of 13 high-severity flaws in its Framework. This included eight elevation-of-privilege issues (CVE-2021-0303, CVE-2021-0306, CVE-2021-0307, CVE-2021-0310, CVE-2021-0315, CVE-2021-0317, CVE-2021-0318, CVE-2021-0319); four information disclosure glitches (CVE-2021-0304, CVE-2021-0309, CVE-2021-0321, CVE-2021-0322) and one DoS flaw (CVE-2019-9376).

Three high-severity bugs were found in Media Framework (which offers support for playing a variety of common media types, so users can easily utilize audio, video and images). These include an RCE flaw tied to CVE-2016-6328, and two information disclosure flaws tied to CVE-2021-0311 and CVE-2021-0312.

Google also rolled out patches for flaws in various third-party components in its Android ecosystem. This included three high-severity flaws in the kernel (CVE-2020-10732, CVE-2020-10766, CVE-2021-0323), which could enable a local malicious application to bypass operating system protections that isolate application data from other applications. A high-severity vulnerability (CVE-2021-0301) was also fixed in the MediaTek component.

Finally, 15 critical and high-severity flaws were addressed in Qualcomm components, including ones affecting the kernel (CVE-2020-11233), display (CVE-2020-11239, CVE-2020-11261, CVE-2020-11262), camera (CVE-2020-11240) and audio components (CVE-2020-11250).

The fixes come after a hefty December Android security update, where Google patched ten critical bugs, including one tied to the Android media framework component that could give an attacker remote control of vulnerable handsets.


Google Releases January 2021 Security Updates for Android
6.1.2021
Android Securityweek

Google this week announced the January 2021 security updates for Android devices, which address 42 vulnerabilities, including four rated critical severity.

Addressed as part of the 2021-01-01 security patch level and tracked as CVE-2021-0316, the most important of these flaws is a critical security bug in System that could be exploited to achieve code execution remotely.

An attacker looking to exploit the vulnerability would need to use a specially crafted transmission. Successful exploitation could lead to the execution of code within the context of a privileged process.

Three other vulnerabilities addressed in Android’s System component this month feature a severity rating of high. These include two elevation of privilege issues and one information disclosure bug.

The 2021-01-01 security patch level also fixes fifteen vulnerabilities in Framework, including a critical denial of service (DoS) flaw, eight high-severity elevation of privilege bugs, four high-severity information disclosure issues, one high-severity DoS flaw, and one medium-severity remote code execution vulnerability.

All of the three security flaws patched in Android’s Media Framework component this month feature a severity rating of high: one remote code execution and two information disclosure issues.

The second part of the Android security updates for January 2021 addresses a total of 19 vulnerabilities in Kernel (three high-severity flaws), MediaTek (one high-severity issue), and Qualcomm components (six high-severity bugs).

Patches for nine flaws in Qualcomm closed-source components were also included in this month’s set of updates (two critical and seven high-severity vulnerabilities).

All of these issues, as well as vulnerabilities patched with previous Android security updates, are resolved on devices running a security patch level of 2021-01-05 or later.

On Pixel devices, a security patch level of 2021-01-05 also addresses four other vulnerabilities: a high-severity elevation of privilege in Framework and a moderate one in Kernel components, along with a moderate flaw in Qualcomm components and another in Qualcomm closed-source components.
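The two patch levels named in the article matter for a fleet check: 2021-01-01 covers the System, Framework and Media Framework fixes, while 2021-01-05 is needed for the Kernel, MediaTek and Qualcomm fixes as well. The script below is an added example, not code from either article or from Google; it classifies devices by the patch-level string Android exposes in the standard `ro.build.version.security_patch` property (the property name is not from the page), treats malformed values as unknown rather than patched, and runs on a constructed inventory.

```python
"""Classify Android devices by security patch level against the January 2021 bulletin."""
import re
from datetime import date

# Patch levels named in the bulletin coverage above.
AOSP_LEVEL = date(2021, 1, 1)   # 2021-01-01: System, Framework, Media Framework fixes
FULL_LEVEL = date(2021, 1, 5)   # 2021-01-05: also Kernel, MediaTek and Qualcomm fixes

_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch-level string; return a date, or None if malformed."""
    m = _PATCH_RE.match(value.strip())
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. 2021-02-30 is well-formed but not a real date
        return None


def coverage(value):
    """Return 'full', 'aosp-only', 'unpatched' or 'unknown' for one patch-level string."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"          # never assume an unreadable value means patched
    if level >= FULL_LEVEL:
        return "full"
    if level >= AOSP_LEVEL:
        return "aosp-only"        # vendor-component fixes still missing
    return "unpatched"


def triage(inventory):
    """inventory: dict of serial -> patch-level string. Returns bucket -> sorted serials."""
    buckets = {"full": [], "aosp-only": [], "unpatched": [], "unknown": []}
    for serial, level in inventory.items():
        buckets[coverage(level)].append(serial)
    return {name: sorted(serials) for name, serials in buckets.items()}


# Constructed sample inventory (hypothetical serials and values, not real devices).
# In practice each value would come from:
#   adb -s <serial> shell getprop ro.build.version.security_patch
SAMPLE_INVENTORY = {
    "emulator-5554": "2021-01-05",
    "device-a": "2021-01-01",
    "device-b": "2020-12-05",
    "device-c": "2021-03-01",
    "device-d": "unknown",
}

if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(serials) or '-'}")
```

Devices in the `aosp-only` bucket have the AOSP-side fixes but still lack the vendor-component patches, which is the gap an inventory check is most likely to miss if it only tests for "January 2021 or later".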