Tag Archives: Android

Google Play Store Launches Bug Bounty Program to Protect Popular Android Apps


Better late than never.

Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps.

Dubbed “Google Play Security Reward,” the bug bounty program invites security researchers to work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1,000 in rewards.

“The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem,” the technology giant says in a blog post published today.

Google has partnered with the bug bounty platform HackerOne to run the program's backend, including report submission and inviting white-hat hackers and researchers.

White-hat hackers who wish to participate submit their findings directly to the app developers. Once the security vulnerability has been resolved, the hacker then submits his/her bug report to HackerOne.

Google will then pay out a reward of $1,000 based on its Vulnerability Criteria; according to the company, more criteria may be added in the future, widening the scope for rewards.

“All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer,” HackerOne said.

“For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher.”

It is an unfortunate truth that, despite Google's many efforts, malicious apps somehow keep managing to fool the Play Store's security mechanisms and infect millions of Android users.

Notably, the Google Play Security Reward program does not cover finding and reporting fake, adware or malware apps on the Google Play Store, so it will do nothing to slow the rise of malicious apps on Google's app platform.

For now, a limited number of Android apps have been added to Google Play Security Reward Program, including Alibaba, Snapchat, Duolingo, Line, Dropbox, Headspace, Mail.ru and Tinder.

So what are you waiting for?

Roll up your sleeves and start hunting for vulnerabilities. For more details about Google Play Security Reward Program, visit HackerOne.

Learn How to Use Your Android for Hacking and Penetration Testing


Android is now the most used mobile operating system in the world; even Microsoft founder Bill Gates has recently revealed that he is currently using an Android device.

Mobile devices have become powerful productivity tools, and they can now be used to hack and test the security of your networks and computer systems.

This week we introduced a new online course at THN Store, “Learn Hacking/Penetration Testing Using Android From Scratch,” which will help you learn how to use your Android device for hacking and penetration testing, just like any computer.

This online video training course offers 47 lectures focusing on the practical side of penetration testing using Android, without neglecting the theory behind each attack.

This course will help you learn how to turn your Android smartphone into a hacking machine, practically perform various cyber attacks, and at the same time, how you can protect yourself against such attacks.

This course will walk you through pentesting on the Android platform from the basics to an advanced level, including ‘Weaponising’, ‘Information Gathering’, ‘Spying’, and ‘Exploitation’, which eventually helps you gain full control over the target device.

You will also learn to practically launch an attack with a full understanding of the vectors that allow it to succeed, which will help you detect and sometimes prevent such attacks.

By the end of this course, you will also have learned how to root your Android device, which hacking apps are required for penetration testing, how to crack Wi-Fi passwords, how to perform man-in-the-middle attacks to spy on internet connections, how to scan connected devices for vulnerabilities, how to take control of Windows/OSX/Linux devices, and many more techniques.

Learn Hacking/Penetration Testing Using Android From Scratch usually costs $90, but at THN Store you can sign up for a lifetime subscription account at just $23 (after 74% discount).

So, what are you waiting for? Go and grab this deal!


Red Alert 2.0: New Android Banking Trojan for Sale on Hacking Forums


Recent discoveries of dangerous variants of Android banking Trojan families, including Faketoken, Svpeng, and BankBot, present a significant threat to online users, who may have their login credentials and valuable personal data stolen.

Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented out on many dark web sites for $500 per month, SfyLabs researcher Han Sahin told The Hacker News.

Dubbed Red Alert 2.0, the Android banking malware has been written entirely from scratch, unlike other banking trojans such as BankBot and ExoBot, which evolved from the leaked source code of older trojans.

The Red Alert banking malware has been distributed via many online hacking forums for the last few months, and its creators have been continuously updating it with new functionality in an effort to make it a more dangerous threat to potential victims.

Malware Blocks Incoming Calls from Banks

Like most other Android banking trojans, Red Alert has a large number of capabilities, such as stealing login credentials, hijacking SMS messages, displaying an overlay on top of legitimate apps and harvesting the contact list, among others.

Besides this, the Red Alert actors have added an interesting function to their malware: blocking and logging all incoming calls associated with banks and financial institutions.

This would potentially allow the Red Alert malware to prevent victims from receiving warnings of a compromised account from their banks.

Malware Uses Twitter As Backup C&C Infrastructure


Another notable thing about Red Alert 2.0 is that it uses Twitter to avoid losing bots when its command-and-control server is knocked offline.

“When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account,” SfyLabs researchers said in a blog post. 

“This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan.”

Red Alert 2.0 currently targets victims of more than 60 banks and social media apps across the world and works on Android 6.0 (Marshmallow) and earlier versions.

Here’s How the Red Alert 2.0 Trojan Works:

Once installed on the victim's phone via a third-party app store, the malware waits for the victim to open a banking or social media app whose interface it can simulate; as soon as it detects one, the Trojan overlays the original app with a fake user interface.

The fake interface then tells the victim that an error occurred while logging in and asks the user to re-authenticate his/her account.

As soon as the user enters credentials into the fake user interface, Red Alert records them and sends them to the attacker-controlled command-and-control (C&C) server, where the attackers use them to hijack the account.

In the case of banking apps, the recorded information is used by the attackers to initiate fraudulent transactions and drain the victim's bank account.

Since Red Alert 2.0 can also intercept SMS text messages received by the infected smartphone, the trojan can work around SMS-based two-factor authentication, which is otherwise designed to thwart such attacks.

Ways to Protect Yourself Against Such Android Banking Trojans

The easiest way to avoid falling victim to such mobile banking Trojans is to avoid downloading apps via third-party app stores or via links sent in SMS messages or emails.

Just to be on the safe side, go to Settings → Security and make sure the “Unknown sources” option is turned off on your Android device; this blocks the installation of apps from unknown sources.

Most importantly, verify app permissions before installing any app, even from the official Google Play Store, and if an application asks for more than its purpose requires, simply do not install it.
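The permission-review advice above can be turned into a simple triage check. The following is an added example, not code from SfyLabs or The Hacker News: it parses an app's AndroidManifest.xml and maps the capabilities the article attributes to Red Alert 2.0 (SMS hijacking, overlays on top of other apps, contact harvesting, call blocking/logging) to the real Android permissions an app would need to implement them, and it lists any permissions beyond what the app's stated purpose justifies. The two manifests are constructed sample data for a hypothetical "flashlight" app, and the capability-to-permission grouping is this example's own heuristic.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace for manifest attributes such as android:name
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities the article attributes to Red Alert 2.0, mapped to the real
# Android permissions an app needs to implement them. The grouping itself is
# this example's own triage heuristic, not a list from the article.
CAPABILITY_PERMISSIONS = {
    "sms_hijacking": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "overlay_on_other_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
    "call_blocking_or_logging": {
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_PHONE_STATE",
    },
}

# Constructed manifest of a hypothetical "flashlight" app that asks for far
# more than a flashlight needs (sample data, not a real app).
TROJAN_LIKE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Constructed manifest of a flashlight app with a plausible permission set.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Permissions a flashlight-type app can justify (this example's assumption).
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA", "android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """Return the set of android:name values from all <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def suspicious_capabilities(manifest_xml):
    """Map each banking-trojan capability to the declared permissions enabling it."""
    perms = declared_permissions(manifest_xml)
    hits = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        granted = perms & needed
        if granted:
            hits[capability] = sorted(granted)
    return hits


def unexpected_permissions(manifest_xml, expected):
    """Permissions requested beyond what the app's stated purpose justifies."""
    return sorted(declared_permissions(manifest_xml) - set(expected))


if __name__ == "__main__":
    for label, manifest in (("trojan-like", TROJAN_LIKE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, suspicious_capabilities(manifest),
              unexpected_permissions(manifest, FLASHLIGHT_EXPECTED))
```

A permission on its own proves nothing (a messaging app legitimately reads SMS); the signal is the mismatch between the app's purpose and the set it requests, which is why the check reports both the capability grouping and the excess over the expected set.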

It is always a good idea to install an anti-virus app from a reputable vendor that can detect and block such Trojans before they can infect your device.

Also, always keep your system and apps up-to-date.


BlueBorne Bluetooth hack could affect millions of smartphones


Bluetooth is an important smartphone technology, allowing us to transfer files, or to listen to music, wirelessly. It’s so useful that many people leave it switched on all the time.

But researchers have discovered a vulnerability in the technology that allows hackers to take control of a victim’s phone remotely. Known as “BlueBorne”, the technique can be used by hackers to connect to a nearby phone, install malware, steal data, or delete important personal information. And it takes less than 10 seconds for them to break in.

Most worrying is that the BlueBorne hack works on almost every smartphone – Apple, Android and Windows Mobile devices are all vulnerable to attack.

Update now

The good news is that manufacturers were alerted to the risks of BlueBorne weeks before the news went public. They have spent this time developing fixes for the vulnerabilities, blocking the weaknesses used by the hackers.

Both Windows Mobile and Apple iOS have already been patched – users need to update their phones as soon as possible. Unfortunately, any iPhone stuck on iOS 9 or earlier cannot be fixed, so users will need to seriously consider buying a new phone to protect themselves.

Unfortunately, patching Android has been much slower. Google has a fix ready for its Pixel XL handsets, but older phones are still without full protection against BlueBorne. Patches will be released, but it may take days or weeks for these updates to reach users' phones.

You can check whether your Android phone is affected using the free BlueBorne Vulnerability Scanner.

One important warning however: always ensure that you only download patches and updates from your handset manufacturer. Never, ever install security updates from a third party, or you may end up infecting your phone yourself.

Turn off Bluetooth when not in use

Although leaving Bluetooth enabled all the time makes using your phone easier, it also increases the risk of falling victim to BlueBorne attackers. If you can, disable Bluetooth completely and leave it switched off until a patch is released.

If you must use Bluetooth, enable it only when required to reduce opportunities for hackers to crack your phone.

Install anti-malware software now

Waiting for an update for your Android phone is not really an option. Until the patch is released, your phone (and data) are at risk of being hacked. Remember – it only takes 10 seconds to take control of your phone.

To protect against other kinds of threats, the best option is to install an antivirus app on your mobile devices.

While you wait for a BlueBorne patch for your Android handset, download a trial of Panda Mobile Security to keep yourself protected now.

The post BlueBorne Bluetooth hack could affect millions of smartphones appeared first on Panda Security Mediacenter.


Oreo and the sweet history of Android versions

Oreo Android, the sweetest version?

What does an Oreo cookie, a donut, a marshmallow or a lollipop have to do with your smartphone? Well, believe it or not, the names of all those sweets indicate the Android operating system installed on your cell phone.

After months of speculation about the new features to be included in the new Android operating system, August 21, the day of the solar eclipse, was the date chosen by Google’s engineers to unveil Android 8.0, codenamed Oreo. This new version allows you to minimize videos to a small window in any corner of your screen so that you can video chat while you’re checking your calendar or writing an email, for example.

However, the trend of codenaming Android releases after sweets and desserts is nothing new. Although Android's first two versions were unnamed (Android 1.0, launched in September 2008, and Android 1.1, released a year and a half after the first one), all subsequent Android versions have received tastier names than their predecessors.

Android Cupcake

Version 1.1 was followed three months later by version 1.5 (April 2009). Despite incorporating some really cool features (such as the ability to associate the contacts on your phone to pictures, or record videos in MPEG-4 and 3GP formats), this release is mainly remembered for being the first one codenamed after something as sweet as a cupcake.

From then on, all new Android versions have received a name that is irresistible for those with a sweet tooth.

Android Donut

If it was not tasty enough, Android Cupcake was followed by Android Donut in September 2009. This version, which featured a quick search box and major improvements to Android Market, was followed a month later by Eclair (Android 2.0 and 2.1), with amazing live wallpapers which responded to your touch. Additionally, Eclair included live traffic information that allowed users to choose the fastest way to get to their destination.

Frozen yogurt

Almost a year after Eclair’s release, Android decided it was time to offer users another delicacy with the launch of Froyo, short for “frozen yogurt.” This new version enabled users to control their phones using their voice.

Gingerbread

In December 2010, seven months after Froyo was released, Android announced the launch of Gingerbread. This codename was used for versions 2.3 and 2.3.7, which provided a smooth experience for both users and app developers. This release introduced support for NFC communication, which allows users to, among other things, make payments with their phone as if it were a credit card.

An Android version as sweet as honey

Just three months after the release of Gingerbread, Android launched Honeycomb in March 2011. Honeycomb was the first Android operating system specifically adapted for tablets, and featured a simple interface that allowed the use of wide-format images.

Ice cream sandwiches

Several months had to pass before Android 4.0, codenamed Ice Cream Sandwich, was released in October 2011. This version managed to satisfy users’ sweet tooth once again, with its new control technology and customization options.

Jelly beans

Almost an entire year had to pass before Android 4.1, Jelly Bean, came out in July 2012. Jelly Bean was the first operating system to include a personal assistant with Artificial Intelligence. Plus, it provided the ability to use different user accounts on the same cell phone.

After a long break… Kit Kat

The technological advances included in Android 4.1 were so widely acclaimed that users had to wait more than a year for the next Android version. However, after the long wait, October 2013 saw the release of Android Kit Kat and its revolutionary ‘OK Google’. ‘OK Google’ allowed people to start a voice search, get driving directions or play a song without even touching their phones – just verbally saying the phrase.

Lollipop

Android Lollipop, released in November 2014, allowed the operating system to make the jump from smartphones and tablets to other types of devices. This update, which spanned versions between 5.0 and 5.1.1, marked the birth of the Android-based smartwatches, smart cars and smart TVs.

Marshmallow

It looks as if, after Jelly Bean, Android decided to launch a single new version per year. So, 13 months after Lollipop was launched, Google released Android Marshmallow in October 2015. User devices (now spanning not only tablets and smartphones, but all sorts of devices) became even tastier with the new Google Now on Tap, a feature that provided quicker shortcuts and smarter replies, as well as improved security features.

Summer nougat

June 2016 saw the release of Android Nougat. This version included a new Multi-Window mode and support for a new virtual reality platform called Daydream.

Some years ago, getting your phone wet was lethal. Today, however, Samsung’s latest spot for the launch of the Galaxy S8 smartphone features people taking pictures with their cell phones from the bottom of a swimming pool. Who knows if Android version 35, if Google continues with its habit of releasing a new version each year, will allow us to command our smartphone or smartwatch to make us some chocolate cookies…

The post Oreo and the sweet history of Android versions appeared first on Panda Security Mediacenter.


Over 500 Android Apps On Google Play Store Found Spying On 100 Million Users


Over 500 different Android apps, downloaded more than 100 million times in total from the official Google Play Store, have been found to be infected with a malicious ad library that secretly distributes spyware to users and can perform dangerous operations.

Since 90 per cent of Android apps are free to download from the Google Play Store, advertising is a key revenue source for app developers. To monetise, they integrate an Android ad SDK library into their apps, which usually does not affect an app's core functionality.

But security researchers at mobile security firm Lookout have discovered a software development kit (SDK), dubbed Igexin, that has been found delivering spyware on Android devices.

Developed by a Chinese company to offer targeted advertising services to app developers, the rogue ‘Igexin’ advertising software was spotted in more than 500 apps on Google's official marketplace, including:

  • Games targeted at teens with as many as 100 million downloads
  • Weather apps with as many as 5 million downloads
  • Photo editor apps with 5 million downloads
  • Internet radio app with 1 million downloads
  • Other apps targeted at education, health and fitness, travel, and emoji

Chinese Advertising Firm Spying On Android Users

The Igexin SDK was designed to let app developers serve targeted advertisements to their users and generate revenue. To do so, the SDK also collects user data to help target interest-based ads.


But besides collecting user data, the Lookout researchers said the SDK behaved maliciously: they spotted several Igexin-integrated apps communicating with malicious IP addresses that delivered malware to devices, unbeknownst to the creators of the apps using the SDK.

“We observed an app downloading large, encrypted files after making a series of initial requests to a REST API at http://sdk[.]open[.]phone[.]igexin.com/api.php, which is an endpoint used by the Igexin ad SDK,” the researchers explain in a blog post. 

“This sort of traffic is often the result of malware that downloads and executes code after an initially “clean” app is installed, in order to evade detection.”

Once the malware is delivered to infected devices, the SDK can gather logs of user information from the device and could also remotely install other plugins, which could record call logs or reveal information about users' activities.
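The traffic pattern Lookout quotes above (a series of requests to the SDK's REST endpoint, then a large encrypted download, after an initially "clean" install) is something a defender can look for in egress-proxy logs. The following is an added example, not code from Lookout or The Hacker News: it walks constructed proxy log lines, counts per-device calls to the `/api.php` endpoint on the igexin.com domain named in the post, and flags a subsequent large download from the same domain. The log format, device names, query strings, the `/dl/payload.bin` path and both thresholds are this example's own assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed egress-proxy log sample: "<device> <method> <url> <response_bytes>".
# The igexin.com endpoint is the one quoted from Lookout's post; the device
# names, query strings and the /dl/... path are made up for this example.
SAMPLE_LOG = """\
dev-a GET http://sdk.open.phone.igexin.com/api.php?act=init 412
dev-a GET http://sdk.open.phone.igexin.com/api.php?act=config 380
dev-a GET http://sdk.open.phone.igexin.com/api.php?act=task 455
dev-a GET http://sdk.open.phone.igexin.com/dl/payload.bin 3145728
dev-b GET http://sdk.open.phone.igexin.com/api.php?act=init 410
dev-b GET https://www.example.com/index.html 8321
dev-c GET https://cdn.example.net/update.zip 5242880
"""

SDK_DOMAIN = "igexin.com"         # ad-SDK domain named in the article
SDK_API_PATH = "/api.php"         # REST endpoint named in the article
MIN_API_CALLS = 3                 # "a series of initial requests" (threshold is ours)
LARGE_DOWNLOAD_BYTES = 1_000_000  # "large, encrypted files" (threshold is ours)


def parse_log(text):
    """Parse the constructed log format into (device, method, url, size) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, method, url, size = line.split()
        entries.append((device, method, url, int(size)))
    return entries


def is_sdk_host(hostname):
    """Match the SDK domain and its subdomains only, not look-alike names."""
    return hostname == SDK_DOMAIN or hostname.endswith("." + SDK_DOMAIN)


def find_staged_downloads(entries):
    """Flag devices where several SDK API calls are followed by a large
    download from the same SDK domain, the sequence Lookout described."""
    api_calls = defaultdict(int)
    flagged = []
    for device, _method, url, size in entries:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_sdk_host(host):
            continue
        if parsed.path == SDK_API_PATH:
            api_calls[device] += 1
        elif size >= LARGE_DOWNLOAD_BYTES and api_calls[device] >= MIN_API_CALLS:
            flagged.append((device, url, size))
    return flagged


if __name__ == "__main__":
    for hit in find_staged_downloads(parse_log(SAMPLE_LOG)):
        print("suspicious staged download:", hit)
```

Only dev-a is flagged: dev-b made a single API call and its large transfer went elsewhere, and dev-c's large download is from an unrelated CDN. In practice the sequence is the useful signal, since a single call to an ad SDK endpoint is exactly what thousands of legitimate apps do.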

How to Protect Your Android From This Malware

Google has since removed all the Android apps using the rogue SDK from its Play Store, but if you have already installed one such app on your handset, make sure your device has Google Play Protect.

Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users' Android smartphones to prevent further harm.

In addition, you are strongly advised to always keep a good antivirus application on your device that can detect and block malicious apps before they infect it, and to always keep your device and apps up to date.

Android malware continues to evolve with more sophisticated, never-before-seen capabilities every day. Last month, we saw the first Android malware with code-injection capabilities making the rounds on the Google Play Store.

A few days after that, researchers discovered another malicious Android SDK ads library, dubbed “Xavier,” found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.
