
Security flaw opens all modern Android devices to "zombie botnet" takeover

Discussion in 'Off-Topic Discussion' started by sparkyscott21, Jul 3, 2013.

  1. sparkyscott21

    sparkyscott21 Moderator Staff Member

    Joined:
    Nov 4, 2010
    Messages:
    7,280
    Likes Received:
    103
    Trophy Points:
    63
    Location:
    Northern Mich.


    A newly discovered flaw in Google's Android security model enables rogue apps to gain full access to the Android system and all installed apps, read all data on the device, harvest passwords and create a botnet of "always-on, always-connected and always-moving" spy devices tracking users' location while secretly recording.

    The far-reaching vulnerability, discovered by San Francisco's Bluebox Security, involves "discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature."

    Android apps (packaged as an "APK") are signed with an encryption key (just like iOS apps) to prevent a malicious party from changing the code. Signed apps are expressly designed to enable the system to detect any tampering or modification.

    However, due to the newly discovered Android flaw, a rogue developer can trick the system into thinking that a compromised app is still legitimate, giving it system wide access to do virtually anything.

    "A device affected by this exploit could do anything in the realm of computer malice, including become a part of a botnet, eavesdrop with the microphone, export your data to a third party, encrypt your data and hold it hostage, use your device as a stepping stone to another network, attack your connected PC, send premium SMS messages, perform a DDoS attack against a target, or wipe your device," a representative of the company wrote AppleInsider.

    Affects everything Android, in a big way

    The flaw has been in place since the release of Android 1.6 "Donut," meaning it affects virtually all Android devices sold over the last four years, essentially all of the installed base of Android devices: Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich and Jelly Bean.




    A compromised app exploiting the vulnerability can take the appearance of a legitimate app that has been given wide access to system resources. Bluebox notes that many of Android licensees' own apps (such as those from HTC, Samsung, Motorola or LG) as well as many VPN apps (such as Cisco's AnyConnect) are customarily "granted special elevated privileges within Android – specifically System UID access."

    After bypassing Android's app-signing model to take the place of such an app, rogue malware can obtain "full access to Android system and all applications (and their data) currently installed."

    This means the app subsequently "not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)."

    Bluebox adds, "finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."

    A big flaw to fix, requiring 900 million firmware updates



    Bluebox disclosed the vulnerability to Google in February 2013, but the firm notes that "it’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

    So far, Android licensees have been extremely slow to roll out any updates for their users, often refusing to bother with distributing even significant security patches.

    Android's unaddressed security lapses have helped make it the world's leading mobile platform for malware, a problem many of its supporters simply refused to acknowledge. However, this new vulnerability puts Android users at even more risk, because now they can't even trust apps signed by a legitimate developer.

    As security firm F-Secure noted in May, "the Android malware ecosystem is beginning to resemble to that which surrounds Windows."

    Bluebox will be detailing the vulnerability in a Black Hat USA 2013 session by its chief technology officer Jeff Forristal.




    7-3-13

    Source
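    As an added illustration (not code from Bluebox or the article), here is a defender-side check for the kind of verified-versus-installed discrepancy the post describes. The article does not spell out the mechanism; the case worked here is the well-known one of an archive carrying the same entry name twice, so a signature checker and an installer may end up reading different bytes for the same name. The sample APK is constructed in memory and stands in for a real package.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: count} for every name that appears more than once
    in the archive's central directory. An APK is a ZIP; a name listed twice
    means two different tools can legitimately resolve it to different bytes,
    which is exactly the checker/installer mismatch a defender wants to flag."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed test data standing in for an APK (not a real app).
    With duplicate=True a second 'classes.dex' entry carrying different
    content is appended after the first one."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"ORIGINAL-DEX")
            zf.writestr("META-INF/MANIFEST.MF", b"Name: classes.dex\n")
            if duplicate:
                zf.writestr("classes.dex", b"MODIFIED-DEX")
    return buf.getvalue()


def resolved_classes_dex(apk_bytes: bytes) -> bytes:
    """Show the ambiguity: Python's zipfile resolves a repeated name to the
    last entry, while another reader may pick the first. A verifier and an
    installer that disagree on this rule see different code for one signature."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read("classes.dex")


if __name__ == "__main__":
    for flag in (False, True):
        apk = build_sample_apk(duplicate=flag)
        print("duplicates:", duplicate_entries(apk),
              "| classes.dex resolves to:", resolved_classes_dex(apk))
```

    Any package where `duplicate_entries` returns a non-empty dict should be rejected before signature verification is even attempted, rather than trusting whichever copy the checker happened to hash.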
  2. sparkyscott21

    Just three weeks after Bluebox Security first announced the discovery of a key flaw in Google's Android with the potential to turn devices into a "zombie botnet," Symantec has reported finding rogue apps that take advantage of the vulnerability.


    Source: Symantec spots new signed malware that Android can't


    At the beginning of July, Bluebox went public with news of the flaw, which affected virtually every Android device in use.

    Google "declined to comment on the matter," but quickly acted to block distribution of apps seeking to exploit the issue in its own Google Play market. However, one of the primary key features of Android is the "openness" to allow users to install software from other stores.

    That freedom has now morphed into a liability. While researchers quickly released "test tube" apps demonstrating how the vulnerability can be exploited, Symantec has now identified the first malware in the wild that's seeking to take advantage of the flaw, and Google's extreme difficulty in patching millions of vulnerable devices.



    There's a role in Post-PC devices for Symantec after all



    In a new report, Symantec stated, "we expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has."

    The company has been scanning Android apps from "hundreds of marketplaces" using its Norton Mobile Insight tool, and initially discovered two on Tuesday.

    Both (shown above) were "legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

    The next day, Symantec identified another four contaminated apps, "infected by the same attacker and being distributed on third-party app sites." The exploited apps included "a popular news app, an arcade game, a card game, and a betting and lottery app," all targeting Chinese users.

    The discovered malware apps are secretly modified versions of legitimate apps that most Android devices can't detect as being contaminated, thanks to longstanding flaws in Android's security system that all the eyes of the open source community failed to detect.

    Weaponized for malware monetization, facilitated by flaws



    Symantec earlier explained that "Injecting malicious code into legitimate apps has been a common tactic by malicious app creators for some time."

    However, "they previously needed to change both the application and publisher name and also sign any Trojanized app with their own digital signature."

    These modifications would render the contaminated apps easy to spot, thanks to app signing. "Someone who examined the app details could instantly realize the application was not created by the legitimate publisher," the security firm explained.

    With the newly discovered Android flaw, "attackers no longer need to change these digital signature details," meaning that "they can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code."

    While iOS apps can also be hacked, Apple's app signing security works to identify and block contaminated apps from working. Apple's App Store also serves as the only source for third party software outside of custom development that requires organizations to distribute their own security credentials to sign the secure encryption of such apps.

    Android malware authors party like it's 1999



    The malware in the wild that Symantec has discovered has modified both apps with code "to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available."

    The firm subsequently discovered the malware payload, dubbed "Android.Skullkey," is also designed to send a spam text message to all phone numbers in the device's contacts, directing them to a malware website URL in a customized message that addresses the recipient by name.

    Apple's iOS 6 does not allow apps to access contacts or message users without the permission of the user, but Android apps routinely demand vast, unnecessary and inappropriate permissions to a wide range of capabilities prior to installation, in a process most users click through without examination.

    Android is the platform of wide open marketing research



    Examples of such broad and unnecessary permissions demands start at the top: Facebook for Android, the platform's most popular app, demands access to a broad range of permissions before installation, including the ability to observe phone numbers in contacts and on calls in progress.



    Earlier this month, the popular app was caught harvesting users' entire phone books for upload into the social network's vast graph, without notice, and subsequently "sharing" information with other users "having some connection to them" on the site.

    Samsung, the largest Android licensee, also launched a "free" Jay Z app this month promoting its flagship "SAFE" Galaxy S4 and Note 2 phones, but with conditions that demanded access to users' precise GPS location, access to users' contacts and/or social network accounts, and stats on what apps they used and what phone numbers they were calling.




    Source: Google Play

    Facebook and Samsung are both simply using Android the way Google intends for its platform to work. Earlier this year, after it was reported that Google Play was sending third party developers the name, physical address and email of anyone buying their apps, with "no indication that this information is actually being transferred," Google's response was to take offense at journalists' characterization of the matter as a "flaw" and lean on publishers to remove any unflattering description of the practice from their headlines, stories, and SEO on the subject so that users simply wouldn't be aware of the issue and unable to search for information about it.






    7-25-13

    Source
     
  3. sparkyscott21





    Hackers have been uncovering a lot of Android security holes lately, including one vulnerability that lets hackers turn legitimate Android apps into malware and another that has given the FBI the ability to remotely flip on Android phones’ microphones to record conversations. Now IDG News, via PCWorld, reports that a security researcher at the Defcon security conference in Las Vegas this weekend showed off a new Android exploit that uses Google’s one-click authentication feature to steal users’ passwords.

    As IDG News writes, Tripwire researcher Craig Young has created “a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.” The app is able to do this by getting Android users to give it permission “to access a URL that starts with ‘weblogin’ and includes finance.google.com,” which then gives it access to the tokens it needs to log into all of the users’ Google accounts. From there, hackers can access Android users’ email, their Google Drive documents, their search history and much, much more.

    8-6-13

    Source
