A team of security researchers has discovered a critical implementation flaw in major mobile banking applications that could leave banking credentials of millions of users vulnerable to hackers.
The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps—both iOS and Android—and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks.
The affected banking apps include HSBC, NatWest, Co-op, Bank of America Health, Santander, and Allied Irish Bank, all of which have now been updated after the researchers reported the issue to them.
According to a research paper [PDF] published by the researchers, the vulnerable applications could allow an attacker connected to the same network as the victim to intercept the SSL connection and retrieve the user’s banking credentials, such as usernames and passwords/PIN codes—even if the apps use SSL pinning.
SSL pinning is a security feature that prevents man-in-the-middle (MITM) attacks by enabling an additional layer of trust between the listed hosts and devices.
When implemented, SSL pinning helps to neutralize network-based attacks wherein attackers could attempt to use valid certificates issued by rogue certification authorities.
“If a single CA acted maliciously or were compromised, which has happened before, valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate,” the researchers wrote in their paper.
However, there are two key parts to verifying an SSL connection—the first (authentication) is to verify that the certificate comes from a trusted source, and the second (authorization) is to make sure the server you are connecting to presents the right certificate for its hostname.
Researchers found that, due to a lack of hostname verification, several banking applications were not checking that the server they had connected to was the one they intended to reach.
Verifying a hostname ensures the hostname in the URL to which the banking app connects matches the hostname in the digital certificate that the server sends back as part of the SSL connection.
“TLS misconfiguration vulnerabilities are clearly common; however none of the existing frameworks will detect that a client pins a root or intermediate certificate, but fails to check the hostname in the leaf,” the paper reads.
Besides this issue, the researchers also detailed an “in-app phishing attack” affecting Santander and Allied Irish Banks, which could have allowed attackers to hijack part of the victim’s screen while the app was running and use it to phish for the victim’s login credentials.
To test for this vulnerability in hundreds of banking apps quickly, and without having to purchase certificates, the researchers created a new automated tool, dubbed Spinner.
Spinner uses the Censys IoT search engine to find certificate chains for alternate hosts that differ only in the leaf certificate.
“Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name),” the researchers explain.
“If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable.”
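The two checks described above, and the test Spinner performs, can be modelled offline. The following is an added example written for this page; it is not code from the Birmingham paper or from the Spinner tool. The certificate objects, issuer name and hostnames are constructed placeholders, and the chain check is reduced to an issuer comparison so that only the hostname logic is exercised: a client that pins its CA but sets `check_hostname=False` accepts a certificate for a different host signed by the same CA, which is exactly the condition Spinner detects when application data is sent.

```python
"""Added example (not code from the Birmingham paper or the Spinner tool): model
the two TLS checks the article separates, authentication of the chain against a
pinned CA and authorization of the hostname, and show why a client that does only
the first accepts a certificate for a different host signed by the same CA."""
import ssl
from dataclasses import dataclass, field


@dataclass
class LeafCert:
    # Constructed stand-in for a parsed X.509 leaf certificate: the issuer the
    # app pins, the subject Common Name and any subjectAltName dNSName entries.
    issuer: str
    common_name: str
    san_dns: list = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    # RFC 6125-style comparison: exact match, or a single leftmost "*" label
    # that stands for exactly one label of the host ("*.com" is not accepted).
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                     # ".api.bank.example"
    if suffix.count(".") < 2:                # wildcard needs two labels after it
        return False
    return host.endswith(suffix) and "." not in host[: -len(suffix)]


def hostname_matches(cert: LeafCert, host: str) -> bool:
    """Authorization: the presented leaf must name the host we meant to reach."""
    host = host.lower().rstrip(".")
    names = [n.lower() for n in cert.san_dns]
    if not names:                            # CN is only a fallback without SANs
        names = [cert.common_name.lower()]
    return any(_name_matches(n, host) for n in names)


def chain_pinned(cert: LeafCert, pinned_issuer: str) -> bool:
    """Authentication: the leaf was issued by the CA the app pins (simplified)."""
    return cert.issuer == pinned_issuer


def connection_allowed(cert, host, pinned_issuer, check_hostname=True):
    # A client that passes check_hostname=False is the misconfiguration the
    # article describes: pinned CA, but no hostname check on the leaf.
    if not chain_pinned(cert, pinned_issuer):
        return False
    return (not check_hostname) or hostname_matches(cert, host)


def spinner_style_probe(other_host_cert, target_host, pinned_issuer, check_hostname):
    """Mirror the paper's test: present a leaf signed by the pinned CA but issued
    for another hostname; a client that proceeds has skipped hostname checking."""
    return connection_allowed(other_host_cert, target_host, pinned_issuer, check_hostname)


def hardened_client_context(ca_bundle_path=None):
    # The correct client setup with the standard library: require a verified
    # chain and keep hostname checking on. ca_bundle_path is assumed to hold the
    # pinned CA; without it the system trust store is used.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_bundle_path:
        ctx.load_verify_locations(ca_bundle_path)
    else:
        ctx.load_default_certs()
    return ctx


# Constructed sample certificates; issuer and hostnames are placeholders.
PINNED_CA = "Example Bank Root CA"
BANK_CERT = LeafCert(PINNED_CA, "mobile.bank.example",
                     ["mobile.bank.example", "*.api.bank.example"])
OTHER_CERT = LeafCert(PINNED_CA, "www.other.example", ["www.other.example"])
ROGUE_CA_CERT = LeafCert("Rogue CA", "mobile.bank.example", ["mobile.bank.example"])

if __name__ == "__main__":
    for label, check in (("hostname check on", True), ("hostname check off", False)):
        accepted = spinner_style_probe(OTHER_CERT, "mobile.bank.example", PINNED_CA, check)
        print(f"{label}: {'VULNERABLE' if accepted else 'rejected wrong host'}")
```

The wildcard rule is deliberately strict (one label only, at least two labels after the wildcard), which is the behaviour a reviewer should expect from a platform TLS stack; a hand-rolled `TrustManager` or `HostnameVerifier` that skips this step is what the paper's "pins a root or intermediate certificate, but fails to check the hostname in the leaf" refers to.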
The trio, Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia, worked with the National Cyber Security Centre (NCSC) to notify all affected banks, which then resolved the issues before they publicly disclosed their research this week.
This online video training course offers 47 lectures, which focus on the practical side of penetration testing using Android without neglecting the theory behind each attack.
This course will help you learn how to turn your Android smartphone into a hacking machine, practically perform various cyber attacks, and at the same time, how you can protect yourself against such attacks.
This course will walk you through the basics of pentesting up to an advanced level using the Android platform, including ‘Weaponising’, ‘Information Gathering’, ‘Spying’, and ‘Exploitation’, which eventually help you gain full control over the target device.
You will also learn to practically launch an attack with a full understanding of the vectors that would allow attacks to be successfully executed, which will help you to detect and sometimes prevent this attack from happening.
Practically, by the end of this course, you will also learn how to root your Android device, which hacking apps are required for penetration testing, how to crack Wi-Fi passwords, how to perform man-in-the-middle attacks to spy on internet connections, how to scan connected devices for vulnerabilities, as well as how to take control over Windows/OSX/Linux devices and many more techniques.
Security researchers have discovered several severe zero-day vulnerabilities in the mobile bootloaders from at least four popular device manufacturers that could allow an attacker to gain persistent root access on the device.
A team of nine security researchers from the University of California Santa Barbara created a special static binary tool called BootStomp that automatically detects security vulnerabilities in bootloaders.
Since bootloaders are usually closed source and hard to reverse-engineer, performing analysis on them is difficult, especially because hardware dependencies hinder dynamic analysis.
Therefore, the researchers created BootStomp, which “uses a novel combination of static analysis techniques and underconstrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities.”
The tool helped the researchers discover six previously unknown critical security bugs across bootloaders from HiSilicon (Huawei), Qualcomm, MediaTek, and NVIDIA, which attackers could exploit to unlock the device bootloader, install a custom malicious ROM and plant persistent rootkits.
Five of the vulnerabilities have already been confirmed by the respective chipset vendors. The researchers also found a known bug (CVE-2014-9798) in Qualcomm’s bootloaders, which was first reported in 2014 but is still present and usable.
In a research paper [PDF], titled “BootStomp: On the Security of Bootloaders in Mobile Devices,” presented at the USENIX conference in Vancouver, the researchers explain that some of the discovered flaws even allow an attacker with root privileges on the Android operating system to execute malicious code as part of the bootloader or to perform permanent denial-of-service attacks.
According to the researchers, the vulnerabilities affect ARM’s “Trusted Boot” and Android’s “Verified Boot” mechanisms, which chipset vendors implement to establish a Chain of Trust (CoT) that verifies the integrity of each component the system loads while booting the device.
Overview: Discovered Bootloader Vulnerabilities
The researchers tested five different bootloader implementations in Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Nexus 9 (NVIDIA Tegra chipset), Sony Xperia XA (MediaTek chipset) and two versions of the LK-based bootloader, developed by Qualcomm.
The researchers discovered five critical vulnerabilities in the Huawei Android bootloader:
An arbitrary memory write or denial of service (DoS) issue when parsing Linux Kernel’s DeviceTree (DTB) stored in the boot partition.
A heap buffer overflow issue when reading the root-writable oem_info partition.
A root user’s ability to write the nve and oem_info partitions, from which configuration data and memory access permissions governing the smartphone’s peripherals can be read.
A memory corruption issue that could allow an attacker to install a persistent rootkit.
An arbitrary memory write bug that lets an attacker run arbitrary code as the bootloader itself.
Another flaw was discovered in NVIDIA’s hboot, which operates at EL1, meaning it has the same privilege level on the hardware as the Linux kernel; once compromised, it can give an attacker persistence.
The researchers also discovered a known, already patched vulnerability (CVE-2014-9798) in old versions of Qualcomm’s bootloader that could be exploited to cause a denial of service situation.
The researchers reported all the vulnerabilities to the affected vendors. Huawei confirmed all five vulnerabilities, and NVIDIA is working with the researchers on a fix.
The team of researchers has also proposed a series of mitigations to both limit the attack surface of the bootloader as well as enforce various desirable properties aimed at safeguarding the security and privacy of users.
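Several of the Huawei bugs listed above stem from the bootloader trusting lengths and structures read from partitions that a root user can write (the DTB in the boot partition, the oem_info and nve partitions). The following is an added example for this page, not code from the BootStomp paper or from any vendor bootloader; the partition format, its magic value and the entries are constructed, and the point is the pattern a defender looks for in review: every length taken from the image is checked against the bytes actually present before it is used, and hard caps bound memory use regardless of what the image claims.

```python
"""Added example, not from the BootStomp paper or any vendor bootloader: a
bounds-checked parser for a constructed key/value partition image, modelling how
data read from a root-writable partition such as oem_info must be treated as
attacker-controlled input before any length taken from it drives a copy."""
import struct

MAGIC = b"OEMI"          # constructed magic value for this toy format
HEADER_LEN = 8           # magic + little-endian u32 entry count
MAX_ENTRIES = 64         # hard caps bound memory use whatever the image claims
MAX_VALUE_LEN = 4096


class UntrustedPartitionError(ValueError):
    """Raised for any image whose lengths do not fit the bytes actually present."""


def parse_partition(blob: bytes) -> dict:
    if len(blob) < HEADER_LEN or blob[:4] != MAGIC:
        raise UntrustedPartitionError("bad magic or truncated header")
    (count,) = struct.unpack_from("<I", blob, 4)
    if count > MAX_ENTRIES:
        raise UntrustedPartitionError(f"entry count {count} exceeds cap {MAX_ENTRIES}")
    pos, entries = HEADER_LEN, {}
    for index in range(count):
        # Each field length is checked against the remaining bytes *before* it
        # is used; trusting the image's own lengths is what turns into an
        # over-read or out-of-bounds write in a C implementation.
        if len(blob) - pos < 2:
            raise UntrustedPartitionError(f"entry {index}: no room for key length")
        (klen,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if klen == 0 or len(blob) - pos < klen:
            raise UntrustedPartitionError(f"entry {index}: key length {klen} out of bounds")
        key = blob[pos:pos + klen]
        pos += klen
        if len(blob) - pos < 4:
            raise UntrustedPartitionError(f"entry {index}: no room for value length")
        (vlen,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if vlen > MAX_VALUE_LEN or len(blob) - pos < vlen:
            raise UntrustedPartitionError(f"entry {index}: value length {vlen} out of bounds")
        value = blob[pos:pos + vlen]
        pos += vlen
        try:
            entries[key.decode("ascii")] = value
        except UnicodeDecodeError:
            raise UntrustedPartitionError(f"entry {index}: non-ASCII key") from None
    return entries


def build_partition(entries: dict, claimed_count=None) -> bytes:
    """Builder for constructed test images; claimed_count lets a test lie in the header."""
    body = b"".join(
        struct.pack("<H", len(k.encode("ascii"))) + k.encode("ascii")
        + struct.pack("<I", len(v)) + v
        for k, v in entries.items()
    )
    count = len(entries) if claimed_count is None else claimed_count
    return MAGIC + struct.pack("<I", count) + body


def is_accepted(blob: bytes) -> bool:
    try:
        parse_partition(blob)
        return True
    except UntrustedPartitionError:
        return False


if __name__ == "__main__":
    good = build_partition({"serial": b"ABC123", "region": b"EU"})
    print(parse_partition(good))
    # Value length field claims 4 GiB while only 3 bytes follow it.
    lying = (MAGIC + struct.pack("<I", 1) + struct.pack("<H", 6) + b"serial"
             + struct.pack("<I", 0xFFFFFFFF) + b"ABC")
    print("oversized length accepted:", is_accepted(lying))
```

In a bootloader written in C the same checks translate to comparing each length against the remaining size of the mapped partition before every `memcpy`, and to refusing images whose header count would require more allocations than a fixed ceiling; a parser that lacks either check is the shape of bug BootStomp's taint analysis is built to find.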
While the moon was eclipsing the sun, Google announced the launch of its new mobile operating system called Android 8.0 Oreo in an Eclipse-themed launch event in New York City.
Yes, the next version of sugary snack-themed Android and the successor to Android Nougat will now be known as Android Oreo, the company revealed on Monday.
Google has maintained the tradition of naming its Android operating system by the names of alphabetically-ordered sugary delights beginning with Android Cupcake and followed by Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop, Marshmallow and Nougat.
The good news is that the Android team has brought several significant features to your smartphone and tablet with the release of Android Oreo to make its mobile platform more secure, fast, power efficient and offer better multitasking.
The new updated mobile operating system, which has been available for the last few months in developer beta, will arrive on your Android devices by the end of this year.
Here’s the list of features I like in the new Android Oreo so far:
1. No More ‘Unknown Sources’ Setting (Install other apps)
Not all applications installed from third-party sources are malicious, but most of the apps installed from outside of the official Play Store could land you in trouble.
Prior to Android Oreo, third-party app installation required users to enable just one setting, “Install from unknown sources”—regardless of where the APK file came from, i.e. a browser, Bluetooth, a computer via USB, or another app.
Android 8.0 Oreo has completely changed the way this feature works, bringing a much smarter and safer system called “Install Unknown apps,” in which the user has to manually permit third-party app installation from each source individually.
2. Autofill API Framework
Users have long been advised to use complex, unique passwords for their online accounts and to change them frequently, but that makes the passwords hard to remember.
To follow good password practice and keep their accounts safe, many users save their passwords insecurely in notepad or Excel files, while some use password managers.
Some password manager apps for Android can autofill saved information into forms in other apps, but to do so they need access to the device’s accessibility permission and features.
However, with Android Oreo, password managers will no longer require Android’s accessibility features to fill in forms.
Android 8.0 Oreo brings a built-in, secure Autofill API that lets a user-chosen password manager store different types of sensitive data, such as passwords, credit card numbers, phone numbers, and addresses—and it works throughout the entire system.
3. Picture-in-Picture (multitasking)
How many times does it happen to you when you want to watch a video on YouTube while chatting on WhatsApp?
It happens to me a lot, and I really get annoyed that if I’m watching a video, I can only watch that video and can’t do anything in other apps at the same time. But this will not be a problem in Android 8.0 Oreo.
With Android Oreo, you can view a YouTube video while reading through a report in Word or chatting on WhatsApp on your Android device—thanks to the Picture-in-Picture (PIP) feature.
PIP is one of the biggest features in the latest version of Android. If you open an app and start playing a video, just press the home button, which will shrink the video down to the bottom-right corner of your screen while the rest of the app disappears.
Now you can open any app and do other things while the video continues in the background. You can even move the video along the border of your screen, just like Facebook Messenger chat heads, and tapping on the video expands it back to full view.
4. Google Play Protect
Android Oreo has been developed with security in mind, with Google cracking down on the fast-growing problem of Android malware with a new anti-malware tool called Google Play Protect.
“Play Protect is built into every device with Google Play, is always updating, and automatically takes action to keep your data and device safe, so you don’t have to lift a finger,” Dave Burke, Vice President of engineering at Google said.
Play Protect helps detect and remove harmful applications, scanning more than 50 billion apps every day.
5. Wi-Fi Aware
Android Oreo has added support for a new connectivity feature called Wi-Fi Aware, also known as Neighborhood Aware Networking (NAN), which allows apps and devices to automatically find, connect to, and share data with each other directly without any internet access point or cellular data.
Wi-Fi Aware is essentially a combination of Wi-Fi Direct and Nearby, offering a more reliable connection than Wi-Fi P2P and letting users share data at high speed over longer distances than Bluetooth.
The Wi-Fi Aware API gives app developers a great opportunity to create apps based on communication between nearby devices.
6. Android Instant Apps
With Android 8.0 Oreo, you can now access a range of Instant Apps without downloading them.
First unveiled in May 2016, a new feature called Android Instant Apps is now available for more than 500 million devices globally, allowing users to launch certain apps within Google Play without having to download them.
Users can access Android Instant apps with a single click on a URL, just like a web page.
This feature could be most useful for those who are running out of storage space on their phone, want to use an app just once, or want to try it before installing the full version.
7. Battery-Saving Background Limits
Prior to Android 8.0 Oreo, developers could build apps that listen for a broad range of system broadcasts or changes on an Android device, such as Wi-Fi turning on or a picture being taken, which negatively impacted system performance and battery life.
Now, with Android Oreo, Google blocks apps from reacting to “implicit broadcasts” and carrying out certain tasks while they are running in the background, in an effort to improve the battery life of Android devices.
Besides this, Android Oreo will also limit some background services and location updates when an app is not in use.
For example, a music app playing music in the background will not be affected, but an app like Instagram, which does not need to refresh your feed while in the background, will be limited, so apps use less power and only wake up occasionally to start their services.
8. AI-based Smart Text Selection
Android Oreo brings the ‘Smart Text Selection‘ feature, which uses Google’s machine learning to detect when something like physical addresses, email addresses, names or phone numbers is selected, then automatically suggests the relevant information on other apps.
For example, if you double-tap to select a restaurant address a friend sent you, Google’s machine learning will figure out what you want and automatically launch directions in Maps.
The Assistant feature can perform the same, but it’s always good to have multiple options to solve the same problem.
9. Notification Dots (Limit notifications)
This feature is something I needed badly, as I really get annoyed by so many notifications I receive on a daily basis.
With Android Oreo, this won’t be an issue. Oreo introduces Notification Dots, which let you manage each app individually with “fine-grained control,” letting you decide how many notifications you see and how they come through.
For example, in case of any news app, you will be able to select what areas you are interested in hearing about.
So, to check your notifications, you simply need to tap the three notification dots.
10. Find my Device
Google has introduced a new feature, called Find my Device, which is a similar feature to Apple’s Find my iPhone and allows people to locate, lock and wipe their Android devices in the event when they go missing or get stolen.
11. New Emoji and Downloadable Fonts and Emoji
Android Oreo introduces 60 new emoji and a redesign of the current “blob” characters. The update also offers new colour support to app developers and the ability to change or animate the shape of icons in their apps.
The “Downloadable Fonts” feature in Android Oreo is not for the end user, and instead, this feature is meant for app developers, allowing them to release their apps without packaging fonts inside. The fonts can then be downloaded by the app from a shared provider and support library.
This same implementation also supports “Downloadable Emoji,” so users can get updated emoji without being limited to the emoji built into the device.
The infamous mobile banking trojan that recently added ransomware features, so that it steals sensitive data and locks user files at the same time, has now been modified to steal credentials from Uber and other booking apps as well.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device’s calls and display overlays on top of taxi booking apps to steal banking information.
Dubbed Faketoken.q, the new variant of the mobile banking trojan is distributed via bulk SMS messages as the attack vector, prompting users to download an image file that actually downloads the malware.
Malware Spy On Telephonic Conversations
Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything that happens on the infected Android device, from every call to every launched app.
When calls are made to or received from certain phone numbers on the victim’s device, the malware begins to record those conversations and sends the recordings to the attacker’s server.
Moreover, Faketoken.q also checks which apps the smartphone owner is using, and when it detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.
Malware Exploits Overlay Feature to Steal Credit Card Details
To achieve this, the Trojan uses the same standard Android feature used by many legitimate apps, such as Facebook Messenger and window managers, to show screen overlays on top of all other apps.
The fake user interface prompts the victim to enter their payment card data, including the bank’s verification code, which attackers can later use to initiate fraudulent transactions.
Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:
Google Play Store
Apps for paying traffic tickets
Apps for booking flights and hotel rooms
Apps for booking taxis
Since fraudsters require the SMS code sent by the bank to authorise a transaction, the malware also steals incoming SMS codes and forwards them to the attackers’ command-and-control (C&C) server to complete the attack.
According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.
Ways to Protect Against Such Android Banking Trojans
The easiest way to avoid becoming a victim of such mobile banking Trojans is to avoid downloading apps via links in messages or emails, or from any third-party app store.
You can also go to Settings → Security and make sure the “Unknown sources” option is turned off, in order to block the installation of apps from unknown sources.
Most importantly, verify app permissions before installing apps, even when they come from the official Google Play store. If an app asks for more than it needs for its stated purpose, just do not install it.
It’s always a good idea to install an antivirus app from a reputable vendor that can detect and block such malware before it infects your device, and to always keep your system and apps up to date.
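The permission check recommended above can be made concrete. The following is an added example for this page, not code from Kaspersky's analysis or from any Android tooling: it parses the `<uses-permission>` entries from an app's `AndroidManifest.xml`, maps them onto the three capabilities Faketoken.q relies on (overlaying other apps, reading incoming SMS, recording calls), and flags any capability the app's stated purpose does not explain. The permission names are the real Android ones; the two manifests and their package names are constructed for the example.

```python
"""Added example, not from Kaspersky's analysis: check an app's declared
permissions (parsed from its AndroidManifest.xml) against the capabilities this
trojan relies on, overlaying other apps, reading SMS and recording calls, and
flag any capability the app's stated purpose does not explain."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability -> (match mode, real Android permission names that grant it).
# "any": one permission is enough; "all": every listed permission is needed.
CAPABILITIES = {
    "overlay other apps": ("any", {"android.permission.SYSTEM_ALERT_WINDOW"}),
    "read incoming SMS": ("any", {"android.permission.RECEIVE_SMS",
                                  "android.permission.READ_SMS"}),
    "record calls": ("all", {"android.permission.RECORD_AUDIO",
                             "android.permission.READ_PHONE_STATE"}),
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name")
            for el in root.iter("uses-permission")} - {None}


def capabilities_of(perms: set) -> list:
    found = []
    for cap, (mode, needed) in CAPABILITIES.items():
        hit = perms & needed
        if (mode == "any" and hit) or (mode == "all" and hit == needed):
            found.append(cap)
    return found


def review_app(manifest_xml: str, purpose_needs: set) -> dict:
    """purpose_needs: capabilities the app's advertised purpose plausibly requires.
    Following the article's advice, anything beyond that is a reason not to install."""
    perms = declared_permissions(manifest_xml)
    caps = capabilities_of(perms)
    unexplained = [c for c in caps if c not in purpose_needs]
    return {"capabilities": caps, "unexplained": unexplained,
            "install": not unexplained}


# Constructed manifests; package names are placeholders.
IMAGE_VIEWER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.imageviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

SMS_CLIENT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsclient">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    # An "image viewer" has no reason to overlay apps, read SMS or record calls.
    print(review_app(IMAGE_VIEWER_MANIFEST, set()))
    # An SMS client legitimately needs SMS access, so it passes.
    print(review_app(SMS_CLIENT_MANIFEST, {"read incoming SMS"}))
```

On a real device the manifest comes out of the APK (for example with `aapt dump permissions`), but the review question is the same one the article poses: does the app's purpose explain each capability it asks for, and if not, leave it uninstalled.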
Bad news for Android users — the source code for one of the oldest and most popular Android ransomware families has been leaked online, making it available to cyber criminals who can use it to develop more customised and advanced variants of Android ransomware.
Source code for the SLocker ransomware, which saw a six-fold increase in the number of new versions over the past six months, has just been leaked on GitHub and is now available to anyone who wants it.
The SLocker source code has been leaked by a user who uses ‘fs0c1ety’ as an online moniker and is urging all GitHub users to contribute to the code and submit bug reports.
SLocker, or Simple Locker, is mobile lock-screen and file-encrypting ransomware that encrypts files on the phone and uses Tor for command-and-control (C&C) communication. The malware has also posed as law enforcement agencies to scare victims into paying the ransom.
SLocker is notorious for infecting thousands of Android devices in 2016; security researchers discovered more than 400 new variants of it in the wild in May, and just a month later the nasty Android ransomware was spotted copying the GUI of WannaCry.
Once infected, SLocker runs silently in the background of a victim’s device without their knowledge or consent and encrypts images, documents and videos on mobile devices.
Once it has encrypted the files on the device, the Android ransomware hijacks the phone, blocking the user’s access completely, and tries to threaten the victim into paying a ransom to unlock it.
Why Should You Worry?
Active since 2015, SLocker stands out as one of the first ransomware samples to encrypt Android files. The malware has evolved beyond just locking screens and demanding payment to taking over administrative rights and controlling the device’s microphone, speakers, and camera.
And now that the source code of this nasty Android ransomware has been released on GitHub, Android devices are likely to face an increasing number of ransomware attacks in the coming days.
The leaked source code is a golden opportunity for those who look for one, as these kinds of malware programs are normally only offered for sale in underground forums, but SLocker is now accessible to cybercriminals and fraudsters for free.
Earlier this year, researchers discovered a variant of the BankBot banking trojan in the wild that had been developed using the malware’s source code, which was leaked on an underground hacking forum.
Last year, the source code for MazarBot (an improved version of GM Bot) was also leaked online by its author in order to gain reputation on an underground forum.
How to Protect Yourself?
As I previously mentioned, users are always advised to follow some basic precautions in order to protect themselves against such threats:
Never open email attachments from unknown sources.
Never click on links in SMS or MMS messages.
Even if the email looks legit from some company, go directly to the source website and verify any possible updates.
Go to Settings → Security, and Turn OFF “Allow installation of apps from sources other than the Play Store.”
Always keep your Android devices, apps and Antivirus app up-to-date.
Avoid unknown and unsecured Wi-Fi hotspots and keep Wi-Fi switched off when not in use.
How often do you click the ‘back’ or the ‘Home’ button on your mobile device to exit an application immediately?
I believe several times a day, because a large number of apps do not have an exit button to force-close them directly; instead you go back and back and back until they exit.
Sometimes Android users expect the back button to take them to the previous page, but sometimes they really want to exit the app immediately.
This has real usability implications, since many users are already struggling with low-performance mobile devices and believe that pressing the back button multiple times will kill the app and free memory, which it doesn’t.
Google has now addressed this issue by quietly including a feature in Android 7.1 Nougat that lets users exit an app by pressing the ‘back’ key more than four times within 0.3 seconds.
Dubbed “Panic Detection Mode,” the feature runs in the background of the Android operating system and detects a “panic” situation, in which a user repeatedly presses the back button to exit an app, and lets the operating system override the application and send the user safely back to the home screen.
While Google did not publicly make any announcement about the panic detection mode feature, XDA Developers yesterday unearthed the feature within the source code of Android 7.1 Nougat.
Since then a number of media outlets described Android 7.1 Nougat Panic Detection Mode as a security feature that protects Android devices from malicious applications.
It has been reported as a new security feature that counts how many times a user presses the back button within a certain amount of time and lets users exit apps that go rogue and try to take control of the user’s device.
But the feature seems to have been developed by Google engineers with usability, rather than security, as the priority,
because panic detection mode neither automatically detects a malicious app and reports it back to Google, nor behaves any differently for a legitimate app.
However, it can help Android users kill a rogue app instantly in some cases; but again, it is up to users to identify malicious apps themselves and remove them manually.
So, this feature is also useful if a malicious application takes control over the display and prevents you from backing out of it.
The ‘panic detection mode’ feature is currently limited to the devices running Android 7.1 Nougat, and not available for all the Android users, XDA Developers pointed out. The feature also needs to be manually enabled by the user.
Google fights hard to keep its Android operating system safe and secure, but malware and viruses still make their way onto its platform, especially through malicious apps, even on Google’s own Play Store.
It appears that Google also has plans for wider implementation of the ‘panic detection mode’ feature in the upcoming version of its Android OS and would most likely make it enabled by default in the future releases.