Tag Archives: Android

Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures

Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with malicious versions.

Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without invalidating their signature verification certificates, eventually letting them distribute malicious updates for legitimate apps that look and work the same as the originals.

The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen vulnerabilities, as part of its December Android Security Bulletin.

However, the worrisome part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates for them, apparently leaving a large number of smartphone users vulnerable to hackers.

The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).

Explained: How the Android Janus Vulnerability Works


The vulnerability resides in the way Android handles APK installation for some apps, leaving open the possibility of adding extra bytes of code to an APK file without affecting the application’s signature.

Before proceeding further, you need to know some basics about an APK file.

A valid APK file is a Zip-format archive that bundles the application code, resources, assets, signatures, certificates, and manifest file.

Earlier versions of the Android operating system, 5.0 (Lollipop) and 6.0 (Marshmallow), also support a process virtual machine that executes APK archives containing a compiled version of the application code in the DEX (Dalvik EXecutable) file format.

While installing an Android app or its update, your device checks the APK’s header information to determine whether the archive contains code in DEX files.

If the header says the archive contains DEX files, the process virtual machine runs that code accordingly; otherwise, it treats the file as a regular APK.

It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity or signature.

Researchers found that this ability to add extra bytes of code, due to a lack of file integrity checking, could allow attackers to prepend malicious code compiled in DEX format to an APK archive containing legitimate code with valid signatures, eventually tricking the app installation process into executing both sets of code on the targeted device without being detected.

In other words, the hack doesn’t require attackers to modify the code of legitimate applications (which would invalidate the signatures)—instead, the vulnerability allows malware authors to merely add some extra malicious code to the original app.

Attack Scenarios

After creating malicious but valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.

According to the researchers, it may be “relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature.”

I find the man-in-the-middle attack more interesting, as it could allow hackers to push a malicious installation for apps designed to receive their updates over an unencrypted HTTP connection.

“When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update,” GuardSquare explains. 

“The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get an unverified code with powerful permissions installed on the devices of unsuspecting users.” 

“For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates,” the security firm added.

Since this vulnerability does not affect Android 7 (Nougat) and later, which support APK signature scheme v2, users running older Android versions are strongly advised to upgrade their device OS (if an upgrade is available).

It’s unfortunate, but if your device manufacturer offers neither security patches nor the latest Android version, you should not install apps or updates from outside the Google Play Store, to minimise the risk of being hacked.

Researchers also advised Android developers to always apply signature scheme v2 in order to ensure their apps cannot be tampered with.
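As an added example (not code from the article or from GuardSquare), the following Python script applies the two checks a defender can make on an APK before trusting it: whether bytes sit in front of the zip structure while the file still opens as a valid archive (the Janus shape described above), and whether a v2 signing block is present (the mitigation recommended to developers). The sample archive and the DEX-header prefix are constructed stand-ins, not real app code.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                    # every DEX file starts with these bytes
ZIP_LOCAL_MAGIC = b"PK\x03\x04"         # first local file header of a normal zip/APK
EOCD_MAGIC = b"PK\x05\x06"              # zip end-of-central-directory record
APK_SIG_V2_MAGIC = b"APK Sig Block 42"  # last 16 bytes of a v2 signing block


def _eocd_offset(data: bytes) -> int:
    """Find the EOCD record the way zip readers do: scanning back from the
    end of the file (the trailing comment can be up to 65535 bytes)."""
    tail = data[-(22 + 65535):]
    pos = tail.rfind(EOCD_MAGIC)
    if pos < 0:
        raise ValueError("not a zip archive: no EOCD record")
    return len(data) - len(tail) + pos


def inspect_apk(data: bytes) -> dict:
    """Classify an APK by what sits in front of its zip structure."""
    eocd = _eocd_offset(data)
    # EOCD layout: magic(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size        # where the central directory really is
    prefix = actual_cd - cd_offset    # bytes before the zip proper (0 if clean)
    has_v2_block = actual_cd >= 16 and data[actual_cd - 16:actual_cd] == APK_SIG_V2_MAGIC
    # Zip readers resolve offsets from the end, so the prefix is ignored and the
    # archive (with its v1 META-INF signature files) still parses; list entries to show it.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        entries = z.namelist()
    if data.startswith(DEX_MAGIC) and prefix > 0:
        verdict = "janus-style polyglot"   # DEX header first, valid zip behind it
    elif prefix > 0:
        verdict = "prefixed data"          # something else sits before the zip
    elif data.startswith(ZIP_LOCAL_MAGIC):
        verdict = "clean"
    else:
        verdict = "unexpected leading bytes"
    return {"verdict": verdict, "prefix_bytes": prefix,
            "apk_sig_v2": has_v2_block, "entries": entries}


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest, a dummy
    classes.dex and the v1 signature directory (no real code or signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed polyglot prefix: a bare DEX header (not executable code) that,
# glued in front of the untouched archive, gives the shape the write-up describes.
FAKE_DEX_PREFIX = b"dex\n035\0" + b"\0" * 64


if __name__ == "__main__":
    for label, blob in (("original", build_sample_apk()),
                        ("prefixed", FAKE_DEX_PREFIX + build_sample_apk())):
        print(label, inspect_apk(blob))
```

An APK that reports `apk_sig_v2` as True is covered by the v2 whole-file check on Android 7 and later; the prefix check is what matters for v1-only apps on Lollipop and Marshmallow.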

Banking Apps Found Vulnerable to MITM Attacks

Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile banking apps that left customers vulnerable to man-in-the-middle attacks.


Critical Flaw in Major Android Tools Targets Developers and Reverse Engineers


Finally, here we have a vulnerability that targets Android developers and reverse engineers, instead of app users.

Security researchers have discovered an easily-exploitable vulnerability in Android application developer tools, both downloadable and cloud-based, that could allow attackers to steal files and execute malicious code on vulnerable systems remotely.

The issue was discovered by security researchers at the Check Point Research Team, who also released a proof of concept (PoC) attack, which they called ParseDroid.

The vulnerability resides in a popular XML parsing library “DocumentBuilderFactory,” used by the most common Android Integrated Development Environments (IDEs) like Google’s Android Studio, JetBrains’ IntelliJ IDEA and Eclipse as well as the major reverse engineering tools for Android apps such as APKTool, Cuckoo-Droid and more.


The ParseDroid flaw, technically an XML External Entity (XXE) vulnerability, is triggered when a vulnerable Android development or reverse engineering tool decodes an application and tries to parse a maliciously crafted “AndroidManifest.xml” file inside it.

In other words, all an attacker needs to do to trigger the vulnerability is trick developers and reverse engineers into loading a maliciously crafted APK file.

“By simply loading the malicious ‘AndroidManifest.xml’ file as part of an Android project, the IDEs starts spitting out any file configured by the attacker,” the researchers said.

Demonstration: XML External Entity (XXE) to Remote Code Execution

Besides this, the XXE vulnerability can also be used to inject arbitrary files anywhere on a targeted computer to achieve full remote code execution (RCE), which makes the attack surface wide and varied.

Moreover, attackers don’t need to target their victims directly, as the researchers suggest “another attack scenario that can be used in the wild to attack a massive range of Android developers by injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories.”

For educational and demonstration purposes, the researchers also created an online APK decoder tool that can extract the malicious file from an APK (in this case they used a PHP web shell), allowing an attacker to execute system commands on the web application server, as shown in the video.

“The way we chose to demonstrate this vulnerability, of course, is just one of many possible attack methods that can be used to achieve full RCE,” the Check Point researchers wrote. “Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface-wide and various.”

Check Point researchers Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu discovered this issue in May 2017 and reported them to all major IDEs and tools developers, including Google, JetBrains, Eclipse and APKTool owner.

Most of the developers, including Google, JetBrains and APKTool owner, have since fixed the issue and released patched versions.

Since all the attack methods demonstrated by the researchers are cross-platform, developers and reverse engineers are strongly advised to update their tools if they haven’t yet.
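As an added example, not code from Check Point or from any of the tools named above, here is a Python pre-parse screen for AndroidManifest.xml that closes off the ParseDroid trigger: it records any DOCTYPE or entity declaration, never parses parameter entities, and refuses every external entity reference. It assumes a plain-text manifest (as in a project tree); the benign and malicious manifests and the placeholder file path are constructed inputs.

```python
import io
import zipfile
from xml.parsers import expat


def screen_manifest(xml_bytes: bytes) -> dict:
    """Parse a text AndroidManifest.xml with entity handling locked down.
    Returns {"safe": bool, "package": str|None, "findings": [str]}."""
    findings = []
    result = {"safe": True, "package": None, "findings": findings}
    p = expat.ParserCreate()
    # Never read parameter entities or an external DTD subset.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A manifest has no business carrying a DOCTYPE at all.
        findings.append(f"DOCTYPE {name!r} declared (system id {sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        findings.append(f"ENTITY {name!r} -> {(sysid or value)!r}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference to {sysid!r}")
        return 0  # refusing makes expat abort with an ExpatError

    def on_start(tag, attrs):
        if tag == "manifest":
            result["package"] = attrs.get("package")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.StartElementHandler = on_start
    try:
        p.Parse(xml_bytes, True)
    except expat.ExpatError as err:
        findings.append(f"parse aborted: {err}")
    if findings:
        result["safe"] = False
    return result


def screen_apk(apk_bytes: bytes) -> dict:
    """Pull AndroidManifest.xml out of an APK (a zip) and screen it before any
    IDE or decoder parses it. Assumes a plain-text manifest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return screen_manifest(z.read("AndroidManifest.xml"))


def build_apk_with_manifest(manifest: bytes) -> bytes:
    """Constructed APK stand-in: a zip holding just the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()


# Constructed inputs: an ordinary manifest and one carrying an external entity
# that points at a placeholder path (the XXE shape the advisory describes).
BENIGN_MANIFEST = (b'<?xml version="1.0" encoding="utf-8"?>\n'
                   b'<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
                   b' package="com.example.benign"><application/></manifest>')
MALICIOUS_MANIFEST = (b'<?xml version="1.0"?>\n'
                      b'<!DOCTYPE manifest [<!ENTITY leak SYSTEM "file:///placeholder/secret.txt">]>\n'
                      b'<manifest package="com.example.evil">&leak;</manifest>')

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, MALICIOUS_MANIFEST):
        print(screen_apk(build_apk_with_manifest(m)))
```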

The best camera phones of 2017


2017 rocked the smartphone market, introducing increased photo-taking capabilities as never seen before. Here are the models to keep in mind. If you once used to go crazy trying to take a decent photo with your cell phone, today that is no longer an issue. Actually, for a few years now, a few hundred dollars […]

The post The best camera phones of 2017 appeared first on Avira Blog.


Google Detects Android Spyware That Spies On WhatsApp, Skype Calls


In an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from your devices using its newly launched Google Play Protect service.

Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users.

Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims’ devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

“The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities,” Google said in a blog post. “The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015.”

Most Tizi-infected apps are being advertised on social media websites and 3rd-party app stores, tricking users into installing them.

Once installed, the innocent looking app gains root access of the infected device to install spyware, which then first contacts its command-and-control servers by sending an SMS text message with the GPS coordinates of the infected device to a specific number.

Here’s How Tizi Gains Root Access On Infected Devices

For gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

If the backdoor is unable to gain root access on the infected device because all the listed vulnerabilities have been patched, “it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls,” Google said.

Tizi has also been designed to communicate with its command-and-control servers over regular HTTPS or the MQTT messaging protocol, both to receive commands from the attackers and to upload stolen data.

The Tizi backdoor contains various capabilities common to commercial spyware, such as

  • Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
  • Recording calls from WhatsApp, Viber, and Skype.
  • Sending and receiving SMS messages.
  • Accessing calendar events, call logs, contacts, photos, and the list of installed apps.
  • Stealing Wi-Fi encryption keys.
  • Recording ambient audio and taking pictures without displaying the image on the device’s screen.

So far, Google has identified 1,300 Android devices infected by Tizi and removed the malware; the majority were located in African countries, specifically Kenya, Nigeria, and Tanzania.

How to Protect Your Android Device from Hackers

Such Android spyware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps to protect yourself:

  • Ensure that you have already opted for Google Play Protect.
  • Download and install apps only from the official Play Store, and always check permissions for each app.
  • Enable ‘verify apps’ feature from settings.
  • Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
  • Keep “unknown sources” disabled while not using it.
  • Keep your device always up-to-date with the latest security patches.

The modern Wild West’s guide to mobile malware


Smartphones are mobile – which is precisely why we spend so much time with them instead of our more stationary computers. We do surfing, mobile banking, shopping, chatting – even watching advertisements. In fact, just about everything we do online is now done on the go with our smartphones. This huge amount of face time […]

The post The modern Wild West’s guide to mobile malware appeared first on Avira Blog.


Google Collects Android Location Data Even When Location Service Is Disabled


Do you own an Android smartphone?

If yes, then you are one of those billions of users whose smartphone is secretly gathering location data and sending it back to Google.

Google has been caught collecting location data on every Android device owner since the beginning of this year (that’s for the past 11 months)—even when location services are entirely disabled, according to an investigation conducted by Quartz.

This location-sharing practice doesn’t require your Android smartphone to run any app, have location services turned on, or even have a SIM card inserted.

All it requires is that your Android device be connected to the Internet.

The investigation revealed that Android smartphones have been collecting the addresses of nearby cellular towers, and this data could be used for “Cell Tower Triangulation”—a technique widely used to identify the location of a phone or device using data from three or more nearby cell towers.

Each time your Android device comes within range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected to a WiFi network or has cellular data enabled.

Since the component responsible for collecting location data resides in Android’s core Firebase Cloud Messaging service that manages push notifications and messages on the operating system, it cannot be disabled and doesn’t rely on what apps you have installed—even if you factory reset your smartphone or remove the SIM card.

When Quartz contacted the tech giant about this location-sharing practice, a Google spokesperson replied: “We began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery.”

Although it is still unknown how cell-tower data that helps identify a specific cell tower could have helped Google improve message delivery, the fact that the company’s mobile operating system is collecting location data is a complete violation of users’ privacy.

Even in its privacy policy about location sharing, Google mentions that it will collect location information from devices that use its services, but has not indicated whether the company will collect data from Android devices when all location services are disabled.

“When you use Google services, we may collect and process information about your actual location,” Google’s privacy policy reads. 

“We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points, and cell towers.”

Moreover, this location-sharing practice is not limited to any particular Android phone model or manufacturer, as the tech giant was apparently collecting cell tower data from all modern Android devices before being contacted by Quartz.

Although the company said that it never used or stored this location data it collected on its users and that it is now taking steps to end this practice, this data could be used to target location-based advertisement when the user enters any store or restaurant.

According to Google, Android phones will no longer gather and send cell-tower location data back to Google by the end of this month.

Another Shady App Found Pre-Installed on OnePlus Phones that Collects System Logs


The OnePlus Saga Continues…

Just a day after the revelation of the hidden Android rooting backdoor pre-installed on most OnePlus smartphones, a security researcher just found another secret app that records tons of information about your phone.

Dubbed OnePlusLogKit, the second pre-installed app was discovered by the same Twitter user, who goes by the pseudonym “Elliot Alderson” and who found the controversial “EngineerMode” diagnostic testing application that could be used to root OnePlus devices without unlocking the bootloader.

OnePlusLogKit is a system-level application that is capable of capturing a multitude of things from OnePlus smartphones, including:

  • Wi-Fi, NFC, Bluetooth, and GPS location logs,
  • Modem signal and data logs, hot and power issue logs,
  • list of the running processes, list of running service and battery status,
  • media databases, including all your videos and images saved on the device.

Unlike EngineerMode (which was found on devices by several manufacturers including HTC, Samsung, LG, Sony, Huawei, and Motorola), the OnePlusLogKit application (decompiled APK) most certainly is present only in OnePlus devices.

Since OnePlusLogKit is disabled by default, the attacker would require access to the victim’s smartphone to enable it.

With the physical access to the targeted smartphone, one can quickly enable it by dialing *#800# → “oneplus Logkit” → enable “save log,” or one can use social engineering to get the owner of the device to do it themselves.

Once enabled, any other application installed on your device can collect the logged information (stored unencrypted in the /sdcard/oem_log/ folder) remotely without requiring user interaction.

Although the app in question has been designed for device manufacturers and engineers to log the events/activities to diagnose system issues, the amount of information collected here could also be used for nefarious purposes.

OnePlus has yet to comment on this latest issue, while the Chinese company did not see the previous EngineerMode diagnostic tool as a major security issue, although it promised to remove the adb root function in the upcoming OxygenOS update.

“While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges,” the OnePlus spokesperson said in a statement.

“Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.”

Qualcomm, which was believed to be the creator of the EngineerMode APK, also responded to the allegations, saying that there are traces of source code from its original app, but the current APK found on devices from various manufacturers has been modified by someone else.

“After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm,” Qualcomm claims.

“Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.”

Meanwhile, another security researcher has released an Android application to root OnePlus phones quickly by using the backdoor discovered in EngineerMode.

Google Begins Removing Play Store Apps Misusing Android Accessibility Services


Due to the rise in malware and adware abusing Android accessibility services, Google has finally decided to take strict steps against apps on its app platform that misuse this feature.

Google has emailed Android app developers informing them that within 30 days, they must show how accessibility code used in their apps is helping disabled users or their apps will be removed from its Play Store entirely.

For those who are unaware, Android’s accessibility services are meant to help disabled people interact with their smartphone devices (such as automatically filling out forms, overlaying content or switching between apps) by allowing app-makers to integrate verbal feedback, voice commands and more in their apps.

Many popular Android apps use the accessibility API to legitimately provide users with benefits, but over the past few months, we have seen a series of malware, including DoubleLocker ransomware, Svpeng, and BankBot, misusing this feature to infect people.


Researchers have even discovered an attack, Cloak and Dagger, that could allow hackers to silently take full control of the infected devices and steal private data.

This feature that lets malicious apps hijack a device’s screen has become one of the most widely exploited methods used by cybercriminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.

Google planned to resolve this issue with the release of its Android Oreo, but the new Android OS launched without changes in policy related to Accessibility services.

However, Google now appears to be putting an end to apps that use the accessibility services outside of their intended purpose.

“If you aren’t already doing so, you must explain to users how your app is using the [accessibility feature] to help users with disabilities use Android devices and apps,” part of the email sent out to developers reads. 

“Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.”

An active thread on Reddit where developers and app users are complaining about this change suggests that the move will also affect popular and legitimate apps like LastPass, Tasker, and Universal Copy, which use the accessibility feature for core functionality not intended for disabled users.

Although 30 days is a short period of time for app developers to find workarounds, the developer of Tasker suggested an alternative way to replace the accessibility services with different code.

“I plan to replace app detection with usage stats API,” Tasker’s developer wrote of their plans. “Unfortunately, this API started with API 21, so people using Tasker on a pre-Lollipop device won’t be able to use app contexts anymore.”

This new move will prevent abuse of the API that poses a potential security threat to Android users, but legitimate app developers have only 30 days to search for an alternative before their apps get kicked out of Play Store.

How to download apps safely

Cybercriminals are constantly looking for new ways to trick people into downloading and installing malware. One of the most effective techniques is to hide malware in what appears to be a useful app; in many cases the software will behave just like the real thing, stealing sensitive personal data in the background.

So how can you protect yourself against these dodgy downloads?

1. Toughen up your system defences

Most computers and mobile devices now come with built-in protections to help reduce the risk of being tricked. They do this by locking down the computer so that you can only download and install software from approved sources – usually official app stores.

You can enable these safeguards as follows:

Windows 10

  1. Open Settings
  2. Click Updates and Security
  3. Click For Developers
  4. Unselect Sideload Apps
  5. Select Windows Store Apps

Changing these settings prevents any user of your computer from installing software from anywhere but the official Windows App Store.

Android

  1. Open Settings
  2. Tap Application Settings
  3. Uncheck Unknown Sources

This new setting will limit app downloads so that only approved apps from the Google Play (or other official store) can be downloaded.

Mac OS

  1. Open System Preferences
  2. Select the General tab
  3. Click the App Store radio button

As before, this setting prevents users from installing software from anywhere other than the official Apple App Store. You can further secure your Mac by clicking the Padlock icon in the bottom left corner of the screen.

Apple iOS

iPhone and iPad users can only install apps from the official App Store by default – unless they have “jailbroken” their handset. Jailbreaking allows third party apps to be installed on an Apple device – by circumventing many of the security safeguards supplied with the device.

If you have jailbroken your device, you should seriously reconsider your choice – your phone is in serious danger of malware attack otherwise.

2. Install anti-malware protections

No matter how hard you try, malware can still sneak through your defences – typically via an infected email attachment or compromised website. To combat these threats you need to install an anti-malware tool that will detect and block malicious code, and protect your personal data.

You can boost your defences now by downloading a free trial of Panda Security.

3. Don’t download pirated software

Another common source of malware infection is file sharing sites and services like Bittorrent. Hackers like to embed malware and ransomware inside stolen movies and applications, giving users much more than they bargained for.

The only way to avoid these infections is to avoid pirate sites completely. If you need a specific application, or want to watch a movie, always download it from a reputable site like Apple iTunes or Google Play. And if that means paying for it, pay for it – licensed software is always cheaper than trying to recover from a hacking.

Ready to learn more? Check out how to protect yourself from hackers on the Panda Security blog.


The post How to download apps safely appeared first on Panda Security Mediacenter.
