Tag Archives: google

Google to Block Third-Party Software from Injecting Code into Chrome Browser

To improve performance and reduce crashes caused by third-party software on Windows, Google Chrome, by mid-2018, will no longer allow outside applications to run code within its web browser.

In case you are unaware, many third-party applications, like accessibility or antivirus software, inject code into your web browser to gain more control over your online activities so that they can offer additional features and function properly.

However, Google notes that over 15 percent of Chrome users running third-party applications on their Windows machines that inject code into their web browsers experience crashes—and trust me it’s really annoying.

But don’t you worry. Google now has a solution to this issue.

In a blog post published Thursday on Chromium Blog, Google announced its plan to block third-party software from injecting code into Chrome—and these changes will take place in three steps:

  1. April 2018 — With the release of Chrome 66, Google will begin informing users if code injection causes their browsers to crash, alerting them with the name of the responsible application and a guide to update or remove it.
  2. July 2018 — Chrome 68 will start blocking third-party software from injecting code into Chrome processes. If this blocking prevents Chrome from starting, the browser will restart and allow the injection, but it will also display a warning guiding users to remove that particular software.
  3. January 2019 — With no exception, starting with Chrome 72, Google will completely block code injection by any third-party software.

However, there will be some exceptions. Google Chrome will continue to allow Microsoft-signed code, accessibility software, and IME software to inject code into your browsers.

Today’s blog post is an advance notification for all developers out there, whose applications rely on code injection to function properly, forcing them to use either Native Messaging API calls or Chrome extensions to add functionality to the web browser.

“With Chrome extensions and Native Messaging, there are now modern alternatives to running code inside of Chrome processes,” Google said.

According to Google, both methods can be used by developers to retain their app features without having to risk browser crashes.

“Fewer crashes mean more happy users, and we look forward to continuing to make Chrome better for everyone,” Google said while summing up its blog post.

So, companies have almost 13 months to remove the code injecting bits from their software. Google is encouraging developers to use Chrome Beta channel and test their code, though these changes will more likely take effect in the Dev or Canary channels even sooner.

Now, what are you waiting for? Get ready to start rewriting your code.

Google Detects Android Spyware That Spies On WhatsApp, Skype Calls

In an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from your devices using its newly launched Google Play Protect service.

Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users.

Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims’ devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

“The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities,” Google said in a blog post. “The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015.”

Most Tizi-infected apps are being advertised on social media websites and 3rd-party app stores, tricking users into installing them.

Once installed, the innocent-looking app gains root access on the infected device to install spyware, which first contacts its command-and-control servers by sending an SMS text message with the GPS coordinates of the infected device to a specific number.

Here’s How Tizi Gains Root Access On Infected Devices

For gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

If the backdoor is unable to gain root access on the infected device because all the listed vulnerabilities have been patched, “it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls,” Google said.

Tizi spyware has also been designed to communicate with its command-and-control servers over regular HTTPS or the MQTT messaging protocol to receive commands from the attackers and upload stolen data.

The Tizi backdoor contains various capabilities common to commercial spyware, such as:

  • Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
  • Recording calls from WhatsApp, Viber, and Skype.
  • Sending and receiving SMS messages.
  • Accessing calendar events, call log, contacts, photos, and list of installed apps.
  • Stealing Wi-Fi encryption keys.
  • Recording ambient audio and taking pictures without displaying the image on the device’s screen.

So far Google has identified 1,300 Android devices infected by Tizi and removed it. The majority of them were located in African countries, specifically Kenya, Nigeria, and Tanzania.

How to Protect your Android device from Hackers?

Such Android spyware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps in order to protect yourself:

  • Ensure that you have already opted for Google Play Protect.
  • Download and install apps only from the official Play Store, and always check permissions for each app.
  • Enable ‘verify apps’ feature from settings.
  • Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it remains unattended.
  • Keep “unknown sources” disabled while not using it.
  • Keep your device always up-to-date with the latest security patches.

BankBot Returns On Play Store – A Never Ending Android Malware Story

Despite Google’s many efforts to keep its Play Store free of malware, shady apps have somehow managed to fool its anti-malware protections and infect people with malicious software.

A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot, a persistent family of banking Trojans that imitates real banking applications in efforts to steal users’ login details.

BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details.

With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts.

Google removed at least four previous versions of this banking trojan from its official Android app store platform earlier this year, but BankBot apps have always made their way back to the Play Store, targeting victims from major banks around the world.

The second campaign spotted by researchers not only spreads the same BankBot trojan as the first campaign but also Mazar and Red Alert. This campaign has been described in detail on ESET blog.

According to an analysis performed by the mobile threat intelligence team at Avast in collaboration with ESET and SfyLabs, the latest variant of BankBot has been hiding in Android apps that pose as supposedly trustworthy, innocent-looking flashlight apps.

First spotted by the researchers on 13 October, the malicious BankBot apps use special techniques to circumvent Google’s automated detection checks, such as starting malicious activities 2 hours after the user gave device admin rights to the app and publishing the apps under different developer names.

After tricking victims into downloading them, the malicious apps check the applications installed on the infected device against a hard-coded list of 160 mobile apps.

According to the researchers, this list includes apps from Wells Fargo and Chase in the U.S., Credit Agricole in France, Santander in Spain, Commerzbank in Germany and many other financial institutions from around the world.

If it finds one or more apps on the infected smartphone, the malware downloads and installs the BankBot APK from its command-and-control server on the device, and tries to trick the victim into giving it administrator rights by pretending to be a Play Store or system update using a similar icon and package name.

Once it gets the admin privileges, the BankBot app displays an overlay on top of legitimate apps whenever victims launch one of the apps from the malware’s list and steals whatever banking info the victim types into it.

The Avast Threat Labs has also provided a video demonstration while testing this mechanism with the app of the local Czech Airbank. You can see how the app creates an overlay within milliseconds and tricks the user into giving out their bank details to criminals.

Since many banks use two-factor-authentication methods for secure transactions, BankBot includes functionality that allows it to intercept text messages, allowing criminals behind BankBot to steal the mobile transaction number (mTAN) sent to the customer’s phone and transfer money to their accounts.

One important thing to note here is that Android’s mechanism blocks app installations from outside the Play Store. Even if you have already permitted installation from unknown sources, Google still requires you to press a button to continue such installations.

“Unlike this newer version of BankBot, droppers from previous campaigns were far more sophisticated,” the researchers note. “They applied techniques such as performing clicks in the background via an Accessibility Service to enable the installation from unknown sources.”

The latest BankBot version does not utilize this Accessibility Service feature due to Google’s recent move of blocking this feature for all applications, except those designed to provide services for the blind.

Google has already removed all recently-discovered BankBot apps after being notified by the researchers.

Although it is a never-ending concern, the best way to protect yourself is always to be vigilant when downloading apps even from Google’s official Play store. So, always verify app permissions and reviews before downloading an app from Google Play Store.

Even though the BankBot apps made their way into the Play Store, their payload was downloaded from an external source. So, don’t allow any unknown third-party APK to be installed on your smartphone.

To do so, go to Settings → Security and then turn OFF “Allow installation of apps from sources other than the Play Store.”

Most importantly, be careful which apps you give administrative rights to, as these rights are powerful and can give an app full control of your device.
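
The permission advice above can be checked mechanically. As an added example (not code from the researchers or from Google), this Python sketch audits a decoded AndroidManifest.xml for the capabilities the Tizi and BankBot write-ups describe: SMS access, call interception, overlays, and device-admin or accessibility bindings. The sample manifest and package name are constructed, and the risk list is an illustrative assumption, not a complete detection rule.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical "flashlight" app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Illustrative (assumed) mapping of permissions to the behaviours in the articles.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "can read SMS, including mTAN codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.SEND_SMS": "can send SMS silently",
    "android.permission.PROCESS_OUTGOING_CALLS": "can monitor or redirect calls",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install APKs",
}
# Components guarded by these permissions are device-admin or accessibility hooks.
RISKY_BINDINGS = {
    "android.permission.BIND_DEVICE_ADMIN": "device administrator",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}

def audit_manifest(xml_text):
    """Return (identifier, reason) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            binding = comp.get(ANDROID + "permission")
            if binding in RISKY_BINDINGS:
                label = comp.get(ANDROID + "name", "?")
                findings.append((binding, f"{RISKY_BINDINGS[binding]}: {label}"))
    return findings

if __name__ == "__main__":
    for identifier, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{identifier:50} {reason}")
```

A flashlight app that declares SMS permissions together with a device-admin receiver is the kind of mismatch between stated purpose and requested capability that the advice above asks users to look for.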

Google Begins Removing Play Store Apps Misusing Android Accessibility Services

Due to the rise in malware and adware abusing Android accessibility services, Google has finally decided to take strict steps against the apps on its app platform that misuse this feature.

Google has emailed Android app developers informing them that within 30 days, they must show how accessibility code used in their apps is helping disabled users or their apps will be removed from its Play Store entirely.

For those who are unaware, Android’s accessibility services are meant to help disabled people interact with their smartphone devices (such as automatically filling out forms, overlaying content or switching between apps) by allowing app-makers to integrate verbal feedback, voice commands and more in their apps.

Many popular Android apps use the accessibility API to legitimately provide users with benefits, but over the past few months, we have seen a series of malware, including DoubleLocker ransomware, Svpeng, and BankBot, misusing this feature to infect people.

Researchers have even discovered an attack, Cloak and Dagger, that could allow hackers to silently take full control of the infected devices and steal private data.

This feature, which lets malicious apps hijack a device’s screen, has become one of the most widely exploited methods used by cybercriminals and hackers to trick unwitting Android users into falling victim to malware and phishing scams.

Google planned to resolve this issue with the release of its Android Oreo, but the new Android OS launched without changes in policy related to Accessibility services.

However, Google now appears to be putting an end to apps that use the accessibility services outside of their intended purpose.

“If you aren’t already doing so, you must explain to users how your app is using the [accessibility feature] to help users with disabilities use Android devices and apps,” part of the email sent out to developers reads. 

“Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.”

An active thread on Reddit where developers and app users are complaining about this change suggests that this new move will also affect popular and legitimate apps like LastPass, Tasker, and Universal Copy that use the accessibility feature for key features and are not intended for disabled users.

Although 30 days is a short period of time for app developers to find workarounds, the developer of Tasker suggested an alternative way to replace the accessibility services with different code.

“I plan to replace app detection with usage stats API,” Tasker’s developers suggested their plans to proceed. “Unfortunately, this API started with API 21, so people using Tasker on a pre-Lollipop device won’t be able to use app contexts anymore.”

This new move will prevent abuse of the API that poses a potential security threat to Android users, but legitimate app developers have only 30 days to search for an alternative before their apps get kicked out of Play Store.

Google Patches ‘High Severity’ Browser Bug

Google began pushing out updates to its desktop browser Friday with a patch that repairs a stack-based buffer overflow vulnerability.
