Category Archives: Android

Security News for the Week Ending August 13, 2021

Android Trojan Hits 140 Countries, 10,000 Victims Via Social Media Hijack

Security company Zimperium says it has found a new trojan, which it calls Flytrap, that has been around since March and compromises the phones of users who sideload apps from third-party app stores. Once the malicious app is on a user’s phone, it uses that user’s social media credibility to infect other users. Zimperium says the infected apps are still available for download on third-party app stores. Credit: ZDNet

NY Police Department Bought Surveillance Gear Out of a Secret Slush Fund

While the police might not like my term for it, the fund is secret and not subject to oversight by anyone. Since 2007, the city has spent over $150 million this way on mobile x-ray vans, Stingrays and other gear. The documents that were released were heavily redacted, although transparency groups are still trying to get more information. Last year, after heavy pressure, the city passed a law outlawing the practice, but there are still a lot of gaps in the available information. Credit: Wired

U of Kentucky Had a Bad Day

The University of Kentucky has an active security program. As part of that program they conduct periodic penetration tests. This is a good thing. What made it a bad day is that the pentesters discovered that they weren’t the first people to hack the University. In fact, in January 2021, hackers broke in and stole the entire database of over 350,000 users. How/why did they get in? Two clues. First, the university says that the platform was developed in the early 2000’s – long before we were worrying much about hackers. Second, they said that, after the breach, they are moving the servers to the university’s centralized server system. This likely means that this system was a second class citizen and protected accordingly. Credit: The Record

Amazon Stepping Up Employee Surveillance Due to Fraud

Data theft, insider threats and imposters accessing customer data at Amazon have gotten so bad that Amazon is considering using keystroke monitoring software to help identify who the good guys are. Credit: Threatpost

Hospitals In Way Over Their Heads on IoT

Philips and CyberMDX released a new report on the state of IoT in hospitals. They split the survey between hospitals with more than 1,000 beds and those with fewer. A third of the respondents had fewer than 10,000 devices, almost a third had fewer than 25,000 devices and another 20% worked for hospitals with fewer than 50,000 devices. While most of the hospitals had an idea of the number of devices on their network, 15% of the mid-sized and 13% of the large hospitals did not even know how many devices were on their network. Almost half of the respondents said their staffing for IoT and medical device security was inadequate. The rest just don’t know that it is inadequate. The rest of the article is even more depressing. Credit: ZDNet

Trump Bans 8 More Chinese Apps

Donald Trump has signed an executive order banning the use of eight Chinese apps, namely Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.

The EO says that the apps can track users and capture personal data – just like, say, Facebook or Fox News or any other American app.

But Trump doesn’t like it that China is collecting that data because, basically, China bad. And, realistically, that is hard to argue with.

Part of the problem is that users “over share”.

Another part of the problem is that users opt for convenience over security and that means that these apps – including all of the American apps – can vacuum up an amazing amount of data that lives on most user’s phones.

Consider this. The last time YOU installed an app on your phone it probably asked for some permissions. Did you consider whether that app really needed those permissions? Almost no one else does either.

Somehow, Trump ties what these apps are doing to the Anthem and Office of Personnel Management breaches. I guess in the sense that all of those parties want to collect your data – just like Twitter does – that is true. I am sure that even though Trump hates Twitter, he would hate it even more if it was not financially viable and disappeared. Therefore, if they have to harvest your data without any real permission – yes, you can disagree, but if you do, they will delete your account – that is okay.

The basic difference here is not WHAT is being done, but rather WHO is doing it. All apps collect, use and monetize your data. Who are the good guys is a little less clear.

The order doesn’t take effect for 45 days, so likely it will be up to the next administration to figure out what to do.

Personally, I would be fine if half of the apps on the Apple and Android stores just went poof. No, actually 90% would be a good number to banish. I would not miss them at all. Just my opinion. Credit: The Register

THIS is Why Patching Your Phone Is Important

I tend to be a bit of a dog on a bone when it comes to patching your phone. Apple helps its phone owners and usually shoves patches down your throat, whether you want them or not – as long as the phone is still supported.

But when it comes to Android phones, it is an entirely different game unless you own a Google branded Pixel, Pixel 2 or Pixel 3 phone. For those phones, Google releases and installs patches like Apple does.

For every other Android phone, Google publishes the open source code to a public repository every month. Then the phone’s manufacturer has to download it and integrate any changes that it made. Up until recently, this was a completely optional decision on the part of the phone manufacturer. Once this is done and tested, the manufacturer, say LG Electronics, has to make the code available to each of the mobile carriers around the world. The mobile carrier then needs to integrate its changes into the code and test it. Again, completely voluntary. There will be a new option for brand new phones released with Android 10 this fall, but nothing now.

One more thing. Most manufacturers only patch a phone for a year or two AFTER THE INITIAL RELEASE – not after the date that you bought it. So, if a phone was released in January 2017 and you bought it in March 2018, it likely will only be patched for the first 9 months that you own it, at best. This means that for most of the time that you are using the phone, it will be vulnerable to being hacked. If you keep the phone for, say, 3 years – many people keep Android phones longer – then for about 2 and a half of those years it will be open to attack.

This is why understanding this and being vigilant about patching is so important. And why many Android phones are already compromised.

So why today?

Security firm Tencent announced two critical bugs in the Qualcomm chipsets and one in the driver that would allow a hacker to take over an affected phone WITH NO USER ACTION REQUIRED.

Check out the link below for the details and CVE numbers.

Once the phone is compromised, the attacker has full system access, including the ability to install rootkits (which are not detectable) and steal any information on the phone, most likely without being detected.

Some of the Qualcomm chipsets affected are:

“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Point is – a lot of them, affecting a lot of phones – most of which will never be patched.

While the researchers have not released all of the details on how to do the hack, all that is required is that you have WiFi enabled and are within WiFi range of the attacker, such as being out in public in a store, coffee shop, airport, hotel or meeting area, just to name a few options.

If you use an Android phone, check to see if it is receiving patches. If you store anything sensitive on the phone, disable WiFi if you can.

IF YOUR PHONE IS NO LONGER RECEIVING PATCHES, THERE IS NOTHING THAT YOU CAN DO OTHER THAN NOT USING WIFI OR BUYING A NEW PHONE.

It will not be long before attackers figure out the details and start using this in the wild.
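As an added example (not from the post or its source), here is a Python check for the one thing you can verify yourself: the security patch level the phone reports through `adb shell getprop`. The sample output, the device name and the 90-day staleness threshold are constructed for this example.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-06-05]
[ro.product.manufacturer]: [ExampleCo]
[ro.product.model]: [Example Phone]
"""

# getprop prints one "[name]: [value]" pair per line (tolerate CRLF from some adb builds).
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]\r?$", re.MULTILINE)

def parse_getprop(text):
    """Turn getprop output into a dict of property name -> value."""
    return dict(PROP_RE.findall(text))

def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def patch_age_days(props, today):
    """Days between ro.build.version.security_patch and `today`."""
    return (_as_date(today) - _as_date(props["ro.build.version.security_patch"])).days

def patch_status(props, today, max_age_days=90):
    """'current' if the patch level is at most max_age_days old, else 'stale'.
    90 days (three missed monthly bulletins) is this example's assumed threshold."""
    return "current" if patch_age_days(props, today) <= max_age_days else "stale"

def report(text, today):
    """One-line human readable summary for a getprop dump."""
    p = parse_getprop(text)
    return (f"{p.get('ro.product.manufacturer')} {p.get('ro.product.model')}, Android "
            f"{p.get('ro.build.version.release')}: patch level "
            f"{p['ro.build.version.security_patch']} is {patch_age_days(p, today)} days old "
            f"({patch_status(p, today)})")

if __name__ == "__main__":
    import subprocess
    # Needs adb on PATH and a phone attached with USB debugging enabled.
    dump = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                          text=True, check=True).stdout
    print(report(dump, date.today()))
```

A phone whose patch level stays months behind the current Android security bulletin is one that the manufacturer or carrier has stopped shipping fixes for.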

Source: The Hacker News.

Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that. There are an amazing number of sensors on the device and many apps just ask for everything. If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps. For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming they are there in the photos.

Does this mean that they are hacking the phone? No, it means that they have figured out how to finesse the system.

Another thing that some apps do is look for data that other apps leave unprotected on the phone and snarf that data up. For example, older versions of Android do not protect individual apps’ data on external storage. If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that another app with permission to read it retrieved and left unprotected, then it can tie all of your data to you even though it doesn’t have permission to retrieve your serial number itself.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application. That means that the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system. As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does and if you can’t be sure, you can sniff the network traffic and see what is actually happening.
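As an added example of the “sniff the network traffic” advice (mine, not the post’s), here is a Python audit that runs over a proxy capture of an app’s outbound requests and flags three things: hosts the developer did not declare as their own, requests carrying the test device’s identifiers, and requests carrying GPS coordinates. The capture, its line format, the host names and the identifier values are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed capture of an app's outbound requests, one per line as
# "timestamp method url [body]"; made up for this example, not a real proxy log.
SAMPLE_CAPTURE = """\
2021-08-13T10:02:11Z POST https://api.myphotos-app.test/v1/login user=alice
2021-08-13T10:02:12Z GET https://ads.sdk-vendor.test/collect?aid=9f1c2a3b-4d5e&imei=356938035643809
2021-08-13T10:02:13Z POST https://telemetry.lib-vendor.test/ingest {"loc":"40.7128,-74.0060","android_id":"a1b2c3d4e5f60718"}
2021-08-13T10:02:14Z GET https://cdn.myphotos-app.test/thumbs/123.jpg
"""

# Hosts the developer knowingly talks to; anything else is a library's own traffic.
FIRST_PARTY_HOSTS = {"api.myphotos-app.test", "cdn.myphotos-app.test"}

# Identifiers of the test device, read off the device before capturing (constructed values).
DEVICE_IDS = {
    "imei": "356938035643809",
    "android_id": "a1b2c3d4e5f60718",
    "advertising_id": "9f1c2a3b-4d5e",
}

# A latitude,longitude pair such as 40.7128,-74.0060
GPS_RE = re.compile(r"-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}")

def parse_line(line):
    """Split one capture line into its fields; the body is optional."""
    ts, method, url, *rest = line.split(" ", 3)
    return {"ts": ts, "method": method, "url": url, "body": rest[0] if rest else ""}

def audit_request(req, first_party_hosts=FIRST_PARTY_HOSTS, device_ids=DEVICE_IDS):
    """Reasons this request deserves a closer look (empty list if none)."""
    host = urlsplit(req["url"]).hostname or ""
    payload = req["url"] + " " + req["body"]
    reasons = []
    if host not in first_party_hosts:
        reasons.append("third-party host")
    for name, value in device_ids.items():
        if value in payload:
            reasons.append("device identifier: " + name)
    if GPS_RE.search(payload):
        reasons.append("GPS coordinates")
    return reasons

def audit_capture(text, first_party_hosts=FIRST_PARTY_HOSTS, device_ids=DEVICE_IDS):
    """Map host -> sorted reasons, for every host that had at least one flagged request."""
    findings = {}
    for line in filter(str.strip, text.splitlines()):
        req = parse_line(line)
        reasons = audit_request(req, first_party_hosts, device_ids)
        if reasons:
            findings.setdefault(urlsplit(req["url"]).hostname, set()).update(reasons)
    return {host: sorted(r) for host, r in findings.items()}
```

Only identifiers and locations sent in the clear are caught this way; a library that hashes or encrypts them before sending still shows up as an undeclared host, which is the lead to chase.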

Source: The Hacker News.

Google Trying to Compete With Apple in Android Security

I think it would be hard to argue with the statement that when it comes to mobile (phone) security, Apple has it all over Google.

For the most part, other than for the Google branded phones, that is because Google has to work through the handset manufacturers and wireless carriers.

Apparently, not any more.

For new phones running Android Q, currently in beta, Google will directly install updates for 14 modules of the Android OS – without the user even having to reboot. This is moving Android (very slowly) in the direction of a microkernel operating system like Minix 3.0 (full disclosure – my brother’s team wrote Minix 3.0).

The 14 modules are:

ANGLE
APK
Captive portal login
Conscrypt
DNS resolver
Documents UI
ExtServices
Media codecs
Media framework components
Network permission configuration
Networking components
Permission controller
Time zone data
Module metadata

If one of these modules is updated, they stop the service, update it and restart it. Transparently to the user. And cutting out both the handset manufacturer and the carrier.

But only for phones that come with Android Q out of the box – not those that get it via an upgrade (probably due to the license agreement between Google and the handset vendor).

Handset manufacturers CAN opt out of this, called Project Mainline, but why would they?

Android Q comes with 50 security enhancements in addition to this, including TLS V3, MAC address randomization, increased control over location data and better user control over what apps have what permissions.

Users should be looking for phones that ship with Android Q out of the box and whose handset manufacturers support Project Mainline.

Whether Q comes out of the box or via an upgrade, you still get the new security features. If you are a security conscious Android user, you should definitely look for Q on your next phone.

Source: ZDNet.

Financial Institutions are Risking Customer’s Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report that examined 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers, revealing account information, server information and other insecurely stored data.

According to the report, 97% of the apps tested lacked the proper code protections. 90% of the apps shared services with other apps on the device. 83% of the apps stored data insecurely. You get the idea.
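As an added example (not from the post or the report it cites), here is a Python audit for the “shared services with other apps” and “stored data insecurely” findings: it reads an AndroidManifest.xml and lists components that are exported without a guarding permission, plus debuggable and allowBackup settings that leave app data exposed. The manifest, package name and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical banking app "com.example.bank"; not a real app's.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".PushService" android:exported="true"
             android:permission="com.example.bank.permission.PUSH"/>
    <provider android:name=".AccountProvider" android:exported="true"
              android:authorities="com.example.bank.accounts"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

def attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(comp):
    """Android's rule: explicit android:exported wins; otherwise exported iff it has an intent-filter."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None

def is_launcher(comp):
    """The app's own entry point has to be exported, so it is not a finding."""
    return any(attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))

def audit_manifest(xml_text):
    """Return sorted (finding, target) pairs a reviewer would want to see."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for flag in ("debuggable", "allowBackup"):
        if attr(app, flag) == "true":
            findings.append((flag + " enabled", "application"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        # An exported component with no android:permission is reachable by any app on the phone.
        if is_exported(comp) and attr(comp, "permission") is None and not is_launcher(comp):
            findings.append(("exported without permission", comp.tag + " " + attr(comp, "name")))
    return sorted(findings)
```

Run it on the manifest pulled out of a decoded APK; PushService passes because a custom permission guards it, which is the pattern the other exported components should follow.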

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps. For one thing, the web sites run on servers owned or controlled by the banks. Your phone is, to be polite, a cesspool when it comes to security. All those apps, many of which were there when you bought the phone and a lot of which you can’t remove, even if you want to.

General phone cyber hygiene helps. Don’t install any apps that you don’t need to. Remove apps that you don’t use any more, if you can. Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know they want you to use them), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story. Needless to say, the banks are not going to tell either. My guess is that the researchers are worried about being sued. Which does not help us.

Do look for third parties that review apps for security. Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.