Android is the number one target of mobile hackers

KimKaphwan

Alfrescian
Loyal


Ghost Push Android malware infects 1.3m phones per day

2015/09/22 21:47:02

Taipei, Sept. 22 (CNA) Cheetah Mobile, a well-known developer of Android apps and utilities, recently released a warning that it has discovered a new malware dubbed "Ghost Push," which infects an estimated 1.3 million Android-based mobile phones globally per day, including many in Taiwan.

The malware is being distributed through non-Google app stores and has managed to infect 14,846 types of phones and 3,658 brands, according to Cheetah Mobile's security research lab.

The most affected users have been identified as residing in countries like the United States, India, China and Mexico, it said.

It was reported that some users in Taiwan have also been affected by the malware.

The company's security researchers claim to have gotten on Ghost Push's trail after they frequently ran into support topics on Android forums asking for help in removing a few uninstallable apps.

Taking a closer look at the apps in question, the researchers found malware hiding in their code that managed to root the victim's phone and install itself in the ROM.

By doing this, the malware became boot-persistent, automatically starting every time the phone was restarted. This meant that countermeasures like starting the device in safe mode or performing a factory reset would not be enough to remove the malware permanently from infected Android phones. The malware slows down the system, drains the battery and consumes large amounts of cellular data, according to the company.

The firm claims that it has detected 40 apps, distributed through unofficial channels, which were bundled with Ghost Push. These apps include MonkeyTest, SmartFolder and TimeService.

The firm claimed that its products Clean Master and CM Security can easily detect the infection.

Cheetah Mobile also said it offers users a remedy to delete this malware in the form of Stubborn Trojan Killer (https://play.google.com/store/apps/details?id=com.cleanmaster.security.stubborntrjkiller&hl=en), a special app that is available in the Google Play Store. The app contains descriptive step-by-step instructions on how to delete the malware manually.

(By Esme Jiang and Evelyn Kao)



KimKaphwan


New malware can change PIN codes, locking Android users out of their own phones

By AJ Dellinger
Sep 11, 2015, 2:07am CT | Last updated Sep 11, 2015, 4:11pm CT

Your PIN code might keep your phone's contents from other people, but even it isn't safe from a new piece of ransomware capable of hijacking the safety measure on Android devices.

A group of researchers have discovered what is believed to be the first example of malware that can reset the PIN code on a device and lock the owner out of their own phone.

The ransomware, identified as "Android/Lockerpin.A," leaves a user locked out of their device with no recourse to regain access. If the user doesn't have a preemptive defense against the attack, such as root privileges or a security management solution installed on the device, the only option is a complete factory reset that would delete all data on the phone.

Once the malicious locker is installed on the phone, it changes the PIN for unlocking the device. Shortly after, users will be presented with a fake warning message from the FBI. The alert tells the victim they must pay a $500 penalty for viewing and downloading pornographic material.

Previous lock screen attacks simply took over the lock screen itself but could be overridden by rebooting in Safe Mode and uninstalling the offending application or using Android Debug Bridge, a command line utility within the Android operating system.

The new bit of ransomware takes an extra precaution to prevent such a simple defeat by preserving its own administrator privileges on the infected device, making it next to impossible to simply uninstall it. The trojan will reactivate itself if disabled or present a phony overlay that states deactivating it is forbidden.

Android/Lockerpin.A has primarily been spotted in the United States, with over 75 percent of all confirmed cases occurring within the country. The malware is not obtained through the Google Play Store but rather from third party markets.

If you're worried about being left vulnerable to the latest mutation of lock screen ransomware, Android app ESET Mobile Security can detect and help prevent against the threat.

H/T WeLiveSecurity | Illustration by Max Fleishman




KimKaphwan

U.S. security agencies say Android mobile main target for malware




Attendees gather at the Android developer sandbox during the Google I/O Conference at Moscone Center in San Francisco, California June 28, 2012. REUTERS/Stephen Lam

SAN FRANCISCO | Tue Aug 27, 2013 7:08pm EDT

(Reuters) - Google Inc's Android, the dominant mobile operating system, is by far the primary target for malware attacks, mostly because many users are still using older versions of the software, according to a study by the Department of Homeland Security and the Federal Bureau of Investigation.

Android was a target for 79 percent of all malware threats to mobile operating systems in 2012 with text messages representing about half of the malicious applications, according to the study from the government agencies, which was published by Public Intelligence website.

Google did not respond to a request for comment. DHS declined to comment.

By comparison, about 19 percent of malware attacks were targeted at Nokia's Symbian system and less than 1 percent each at Apple Inc's iOS software, Microsoft Corp's Windows and BlackBerry Ltd.

Android continues to be a "primary target for malware attacks due to its market share and open source architecture," said the study, which was addressed to police, fire, emergency medical and security personnel.

(Reporting By Poornima Gupta. Editing by Andre Grenon)



KimKaphwan


One in every 10 Android apps 'contains malicious code': US-China study


PUBLISHED : Friday, 26 June, 2015, 2:42pm
UPDATED : Friday, 26 June, 2015, 3:53pm

Stephen Chen



Google's Sundar Pichai speaks at an event in San Francisco. New research suggests as many as one in 10 Android apps may contain malware. Photo: AP

A joint study by computer scientists from the US and mainland China found that one in every ten Android apps contained malicious code.

Using a new algorithm that could detect malware and viruses within apps in less than 10 seconds, the team scanned 1.2 million Android apps on more than 30 major app stores around the world; about a tenth of them contained malicious code.

Over 2,000 of these apps had each been downloaded more than 50,000 times, meaning at least 100 million users were exposed to security risks.

The paper, with Chen Kai of the Chinese Academy of Sciences' State Key Laboratory of Information Security as lead author, has been accepted to the Usenix Security Symposium, an annual gathering of international security experts to be held in Washington DC later this year.

Full content of the study was not disclosed, but a report on the academy’s website said that their new detection method could trace the “origin” of source code in an Android app and analyse its internal structure for suspicious traits.

Scientists were able to discover unknown security threats with unprecedented speed, and the study had generated “huge repercussion” in the mobile software industry, the report said.

It is unclear whether the same algorithm could be applied to iOS apps. The researchers could not immediately be reached for comment.



According to a report by Singaporean security company Pulse Security this week, 97 per cent of mobile malware targeted Android devices.

There are about 1.5 million Android apps and 1.4 million iOS apps currently available to download.

Tang Wei, senior engineer with Chinese security company Rising, said Android users inevitably faced greater security challenges than iOS users because it is an open environment.

Android is open source, and any company or individual can create and distribute apps, whereas iOS apps must be approved by Apple before they can be downloaded through the iTunes store.

“An Android user must be very careful when downloading an app, must make sure it comes from a trustworthy source, and must verify every rights request before installation,” Tang said.

He said that mainland Chinese Android device users faced greater risk because they could not access the official Google Play market due to the censorship of Google services by the authorities, and therefore had to download apps from alternative markets.



KimKaphwan


Attackers could take over Android devices by exploiting built-in remote support apps


Many smart phone manufacturers preload remote support tools on their Android devices in an insecure way, providing a method for hackers to take control of the devices through rogue apps or even SMS messages.

By Lucian Constantin | 4 hours ago


The vulnerability was discovered by researchers from security firm Check Point Software Technologies, who presented it Thursday at the Black Hat security conference in Las Vegas. According to them, it affects hundreds of millions of Android devices from many manufacturers including Samsung Electronics, LG Electronics, HTC, Huawei Technologies and ZTE.

Most of the flagship phones from different vendors come preloaded with remote support tools, Check Point researchers Ohad Bobrov and Avi Bashan said. In some cases they are installed by the manufacturers themselves, while in other cases by mobile carriers, they said.

These tools function as system applications, have a lot of powerful permissions and are digitally signed with manufacturers' certificates. They allow the technical support staff from device makers or carriers to troubleshoot problems with the devices by taking control of their screens remotely and interacting with them.

Unless they've had an issue with their devices that required this sort of interaction, users are probably not even aware that such tools exist on their phones, because they have no user interfaces, the researchers said.

The tools are made up of two components: a system plug-in that has the powerful privileges and permissions necessary for such tasks and an app that talks to it. While the plug-in is typically part of the firmware, the apps that are allowed to interact with it could be either preinstalled or downloaded later.

Because Android does not provide a native way for apps to verify each other, manufacturers had to implement the functionality themselves and in most cases made errors that could allow other apps to masquerade as the legitimate ones and interact with the plug-in, the researchers said.

These errors include hash collisions, certificate forging and inter-process communication (IPC) abuse that allow an attacker to create malware capable of taking complete control of a victim's device. The malicious apps could abuse the remote support functionality to steal personal data, track device locations, record conversations through the microphone and much more.

These rogue apps would need only minimal permissions, like access to the Internet, making it harder to flag them as malicious, the researchers said. They could pose as fully functional games or other legitimate applications and could abuse the remote support functionality in the background without any indication to the user, they said.

In one case the researchers found that the server where a particular tool was configured to connect in order to initiate a remote support session could be changed with a simple text message, enabling an even more direct attack.

Check Point reported the vulnerability, which it calls Certifi-gate, to Google and the affected manufacturers and some of them have already started releasing patches.

However, because the system plug-in is signed with a manufacturer's certificate, the problem can't easily be fixed, the researchers said. Such certificates cannot be revoked because that would cause all other apps added by those manufacturers to stop working as well. So, an attacker could trick users to install an older and vulnerable version of the plug-in, which would replace the patched one, re-enabling the attack, they said.

During a separate talk at the Black Hat security conference Wednesday, Adrian Ludwig, Google's lead engineer for Android security, described multiple defenses built into the OS that could potentially be used to detect such an attack.

Android has a feature called Verify Apps that acts like a built-in antivirus and an inter-application firewall that could be used to detect and block malicious interactions between applications, he said.

In an emailed statement, Google thanked the researchers and noted that the company's Nexus devices are not affected and it hasn't seen any exploitation attempts so far.

"The issue they've detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue," a Google representative said. "In order for a user to be affected, they'd need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet. We strongly encourage users to install applications from a trusted source, such as Google Play."

Samsung did not immediately respond to a request for comment about the remote support tool issue, but the company announced Wednesday that it plans to start releasing monthly security updates for its Android devices.
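The caller-verification problem the article describes (a privileged plug-in deciding which app may talk to it), as an added example that is not code from the article, Check Point or any vendor: the service pins the full SHA-256 digest of every signing certificate of every package in the calling UID, which closes the package-name spoofing and short-hash collision routes mentioned above. The class name and the pinned digest are placeholders.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Set;

// Added example: a privileged component (like the remote-support plug-in the
// article describes) deciding whether the app calling it over Binder is the
// genuine support app. Call it inside a Binder transaction (an AIDL method or
// onTransact), where Binder.getCallingUid() identifies the remote caller.
public final class CallerVerifier {

    // Placeholder, not a real value: lowercase hex SHA-256 of the DER-encoded
    // certificate(s) the vendor's genuine support app is signed with, obtained
    // out of band and pinned at build time.
    private static final Set<String> ALLOWED_CERT_SHA256 = Collections.singleton(
            "placeholder_sha256_of_trusted_support_app_certificate");

    private final Context ctx;

    public CallerVerifier(Context ctx) {
        this.ctx = ctx;
    }

    // True only if every package sharing the caller's UID is signed solely with
    // pinned certificates. Identity comes from the kernel-enforced UID, never
    // from a package name or token the caller puts in the request, so a
    // look-alike app talking over IPC cannot impersonate the genuine one.
    public boolean callerIsTrusted() {
        int uid = Binder.getCallingUid();
        PackageManager pm = ctx.getPackageManager();
        // Several packages may share one UID (sharedUserId); all must pass.
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) return false;
        for (String pkg : pkgs) {
            if (!allSignaturesPinned(pm, pkg)) return false;
        }
        return true;
    }

    private boolean allSignaturesPinned(PackageManager pm, String pkg) {
        PackageInfo info;
        try {
            // GET_SIGNATURES is the flag available on 2015-era Android; API 28+
            // adds GET_SIGNING_CERTIFICATES for the same purpose.
            info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length == 0) return false;
        // Compare the full digest of every certificate. Matching only a 32-bit
        // Signature.hashCode(), or only the first certificate, is the kind of
        // shortcut that leaves room for the hash collisions the article mentions.
        for (Signature s : sigs) {
            if (!ALLOWED_CERT_SHA256.contains(sha256Hex(s.toByteArray()))) return false;
        }
        return true;
    }

    // Lowercase hex SHA-256 of a DER-encoded certificate.
    static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

The check belongs at the entry point of every exported IPC method the plug-in offers; a component that is not exported, or that is guarded by a `signature`-level permission, gets an equivalent certificate comparison from the platform itself.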



KimKaphwan


Android faces SECOND patching crisis, on the same scale as Stagefright


‘Certifi-gate’ vuln could allow unrestricted device access




6 Aug 2015 at 18:31, John Leyden

Hours after Google and smartphone makers promised an imminent patch for the infamous Stagefright vulnerability another critical flaw in Android is being outed.

The “Certifi-gate” vulnerability allows applications to gain illegitimate privileged access rights, typically reserved for remote support applications that are either pre-installed or personally installed on Android devices.

Attackers can exploit Certifi-gate to gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and much more.

The vulnerability allows an attacker to take advantage of insecure apps certified by OEMs and carriers to gain unrestricted access to any device, including screen scraping, key logging, private information exfiltration, and back door app installation.

The root causes of these vulnerabilities include hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a compromised device.

The flaw affects hundreds of millions of Android devices from vendors including LG, Samsung, HTC and ZTE, according to security researchers at Check Point. The latest mega-flaw isn’t related to Stagefright, but it’s on the same scale in terms of numbers of devices (Android smartphones and tablets) affected.

All affected vendors were notified by Check Point about Certifi-gate and have begun releasing updates. Even so, fixing Certifi-gate may be even trickier than resolving the Stagefright vulnerability.

For one thing the Certifi-gate vulnerability can only be resolved after a new software build is pushed to the device – a notoriously slow process. Even smartphones and tablets running the latest version of Android (Lollipop) are at risk.

Worse yet, resolving Certifi-gate involves updating multiple components and mobile remote support tool (mRST) plugins, according to Check Point researcher Avi Bashan.

The Certifi-gate patching process is fragmented as it relies on multiple updates from a range of different vendors (Google, OEMs and developers, especially those that make mRSTs) pushing updates.



KimKaphwan


New Stagefright attack targets Android phones with phony audio files


By Russell Brandom on October 1, 2015 10:43am



Stagefright is quickly becoming the bug that wouldn't die. First discovered in July, the vulnerability allowed attackers to target Android phones over text or MMS, exploiting a weakness in Android's multimedia preview function. Google, manufacturers and carriers scrambled to patch the bug, only to have another bug pop up two weeks later, requiring another round of patches. Now, three months after the initial disclosure, it's all happening again.

Zimperium security researchers have found a new way to exploit Stagefright that isn't covered by existing patches, first reported by Motherboard. The new vulnerability works by encoding a malicious program into an audio file, delivered over mp3 or mp4. Once a user previews the file or visits a page where that file is embedded, Android's audio preview will activate the program, infecting the device. Even more troubling, the virus can also be deployed by an attacker on a public Wi-Fi network, potentially enabling a self-replicating or wormed version of Stagefright. Because some version of the preview function exists in most versions of Android, nearly every Android device is susceptible to the bug, although specific implementations vary from version to version.

That's particularly disconcerting since some of Android's mitigation strategies have proved to be not as effective against Stagefright as initially thought. Zimperium hasn't released a workable exploit for the new bug yet, so Google and its partners will have a head start in patching the bug, but it leaves Android users counting on carriers and manufacturers for yet another critical patch.

Google is currently working to fix the issue in the core Android code, and says a patch will be included in the October Monthly Security Update, provided to partners on September 10th and rolling out to Nexus phones on October 5th. Android Security has had no reports of active exploitation of the bug so far.




KimKaphwan


Banking Malware Masked as PayPal App Targeting Android Users

By Carolina on October 7, 2015


Hackers are targeting users with fake PayPal app update email which actually comes with an embedded link of an Android banking malware.

Recently, an email circulation has been let loose by hackers. This email looks quite official in design and content, asking the recipient to update their Android PayPal app.

If the users click on the given link, a download is triggered. This download is a mobile online banking Trojan that has been detected by Trend Micro as AndroidOS_Marchcaban.HBT.

Trend Micro says in a post that the language used in the email suggests that people living in Germany are their main target. It also reports that this email has been sent over 14,000 times in variations.



Screenshot of the email sent by the hackers / Image Source: Trend Micro

After a user installs this application, a request to act as system administrator appears on the screen along with a request relating to other privileges.



Permissions request from the malware app

“Once the malware detects the real PayPal app is running, it will put up a fake UI on top of the real one, effectively hijacking the session and stealing the user’s PayPal credentials,” the post said. Furthermore, it has been said that this code is also employed to target various banking-related apps like Commerzbank.

Once the user installs the so-called update, the malware checks for the original PayPal app. Once detected, the malware puts up its own UI on the top of the original PayPal app which lets the fake app steal your PayPal login data.



KimKaphwan


"Backstabbing" malware steals mobile backups via infected computers

Posted on 07.12.2015

In this day and age, our mobile devices carry more personal and business information than any other electronic device. Is it any wonder, then, that attackers want to have access to them?

But sometimes they can't find a way in, and opt for the second-best option: stealing mobile backup files from the victims' computer.

Palo Alto researchers dubbed the attack technique "BackStab", and say it's not new.

"While the technique is well-known, few are aware of the fact that malicious attackers and data collectors have been using malware to execute BackStab in attacks around the world for years," they noted in a recently published whitepaper.

"Law enforcement officials and jealous lovers around the world have used simple tools to capture and extract private phone information from computers to which they have gained access."

The researchers have identified 704 samples of six Trojan, adware and HackTool families for Windows or OS X systems that steal private user data from backup files of iOS and BlackBerry devices, tabulated by family in the original article.


As can be deduced from the table, iOS users were/are the most targeted. It's also interesting that, for once, Android users are mostly safe from (these) attacks. "Unlike iOS and BlackBerry, there isn’t any desktop software developed by Google for Android device backup," the researchers explained.

"The only official way to back up private data and application data from Android devices to a desktop computer is through the command line Android Debug Bridge (adb) utility included with the Android SDK. This is not a procedure commonly used by Android users, and the ADB backup file path and name are manually chosen by the user, making a successful attack of this kind much less likely."

Of course, there are other ways for Android backups to be stolen, but this particular technique is not effective enough.

For a BackStab attack to be effective, the malware or adware doesn't have to have any special privileges on the infected computer, and the mobile devices from which the backups are extracted don't have to be jailbroken or rooted.

Attackers can get the following information from unencrypted backups: call logs, messages (SMS and MMS), voice mail, contacts, email, calendars, notes, photos, audio and video recordings, web browsing history, cookies, geolocation history, documents saved on the device, device info, and more.

"The technique has been known to the security and forensic community for over seven years. There are many public articles and video tutorials describing how to conduct the attack using tools and/or open source projects available to the public," the researchers pointed out. Two of the aforementioned six malware families have been capable of mounting this type of attack since at least five years ago.

iOS users can protect their data from this type of attack by deleting all unencrypted iTunes backups they have on their computer, and by enabling encryption with a strong, unique password when they use the iTunes backup option. If they choose to back up to iCloud, a unique password and two-step verification for the iCloud account is the way to go.

Known malware families, such as DarkComet, can be blocked by AV solutions. Also, it's a good idea to not click the “Trust” button when connecting the iOS device to an untrusted computer or charger via a USB cable.

"In some situations, official backup software, like that of iTunes, will automatically create backups of mobile devices without the user’s interaction and without encryption," the researchers warned. "It is also possible for malware to initiate a backup when the device is attached to an infected computer in some cases."



KimKaphwan


Thousands of apps running Baidu code collect and leak personal data, researchers say

PUBLISHED : Wednesday, 24 February, 2016, 8:23am
UPDATED : Wednesday, 24 February, 2016, 8:23am

Reuters



Apps based on code by Chinese Internet giant Baidu have transmitted users' personal information to the company, researchers say. Photo illustration: Reuters

Thousands of apps running code built by Chinese Internet giant Baidu have collected and transmitted users’ personal information to the company, much of it easily intercepted, researchers say.

The apps have been downloaded hundreds of millions of times.

The researchers at Canada-based Citizen Lab said they found the problems in an Android software development kit developed by Baidu. These affected Baidu’s mobile browser and apps developed by Baidu and other firms using the same kit. Baidu’s Windows browser was also affected, they said.

The same researchers last year highlighted similar problems with unsecured personal data in Alibaba’s UC Browser, another mobile browser widely used in the world’s biggest Internet market.

Alibaba fixed those vulnerabilities, and Baidu said it would be fixing the encryption holes in its kits, but would still collect data for commercial use, some of which it said it shares with third parties. Baidu said it “only provides what data is lawfully requested by duly constituted law enforcement agencies.”

The unencrypted information that has been collected includes a user’s location, search terms and website visits, Jeffrey Knockel, chief researcher at Citizen Lab, said ahead of publication of the research on Wednesday.

The problem highlights how difficult it is for users to know just what data their phone collects and transmits, and the risk that personal data might leak because of poor or no encryption. It also highlights how many different groups might be interested in accessing such data.

“It’s either shoddy design or it’s surveillance by design,” said Citizen Lab director Ron Deibert.

Citizen Lab said Baidu - which reports quarterly earnings in New York on Thursday - had fixed some of the problems since it brought them to the company’s attention in November, but the Android browser still sends sensitive data such as the device ID in an easily decryptable format.

Baidu said its interest in the data was just commercial, but declined to say who else might have access.

Data security and privacy issues have been highlighted in the United States, where Apple is in a stand-off with the Federal Bureau of Investigation over requests to unlock an iPhone owned by one of those who went on a shooting rampage in San Bernardino, California in December.

Citizen Lab said its research into Alibaba’s UC Browser last year was prompted by documents from National Security Agency whistleblower Edward Snowden showing Western intelligence agencies had used holes in the browser to spy on users.

Alibaba said then there was no evidence that user data was taken, but it had addressed concerns by asking users to update their browsers.

The researchers said it was not possible to assess how many users were affected by the Baidu problem, both in China and beyond.

Some software developers in China say a lack of encryption is commonplace, and partly due to rapid growth and poor security awareness.

“It’s really, really painful, but it’s a growing pain,” said Andy Tian, CEO of Beijing-based app developer Asia Innovations.


