WiFi Routers Riddled With Holes: Report

By Jack M. Germain

Feb 6, 2018 3:27 PM PT

Most WiFi router vendors have not patched numerous firmware vulnerabilities discovered more than two years ago, according to a report Insignary released on Tuesday.

OEM firmware built into WiFi routers uses open source components that contain numerous known security vulnerabilities that can be exploited by hackers, it notes.

Insignary, a startup security firm based in South Korea, conducted comprehensive binary code scans for known security vulnerabilities in WiFi routers. The company conducted scans across a spectrum of the firmware used by the most popular home, small and mid-sized business and enterprise-class WiFi routers.

While KRACK may be the newest and potentially most harmful WPA2 security vulnerability, router firmware vulnerabilities are far more extensive and dangerous, based on the firm’s findings.

“While KRACK WPA2 is the latest WiFi security vulnerability, it appears to be just the tip of the iceberg, compared to what currently exists in router firmware,” said Tae-Jin Kang, CEO of Insignary.

The company has been monitoring WiFi router issues since the infamous botnet attack in the fall of 2015 brought down the Internet for a couple of days. Many of the vulnerabilities Insignary found in 2016 were present in scans performed last year.

“This is distressing. Many vendors continued to ignore problems that could easily be fixed. These are devices that we use on a daily basis,” Kang told LinuxInsider.

Time to Raise Awareness

The 2015 attack was carried out not by zombie PCs but by 300,000 compromised IoT devices. People had theorized about the possibility of such an attack, and that incident proved it could be done, said Kang.

“So we decided it was time to raise awareness. This is a serious problem. We are talking about well-known security issues that still exist in the routers. These devices can be compromised in many ways. WiFi devices are pervasive,” he warned.

The threat is specific to IoT devices rather than to computers and other mobile devices. However, the Linux operating system also may be in the crosshairs because so many variations of Linux distributions prevent a centralized patch deployment solution, Kang explained.

Windows 10 and macOS have addressed the security issues to neutralize the router vulnerabilities. An important factor in their doing so is that those OSes are not open source, he said.

“I’m not saying that open source itself is inherently less secure,” Kang emphasized. “The Linux community has done a very good job of responding to security issues. The problem is that even with rapid updating of patches, the distribution process is decentralized and fragmented with the Linux OS.”

About the Study

Insignary conducted the scans during the last two weeks of November 2017. Its research and development team scanned 32 pieces of WiFi router firmware offered in the U.S., Europe and Asia by more than 10 of the most popular home, SMB and enterprise-class WiFi router manufacturers: Asus, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link.

The researchers used a specialized tool Insignary developed to scan the firmware. They also leveraged Clarity, a security solution that enables proactive scanning of software binaries for known, preventable security vulnerabilities, and identifies license compliance issues.

Clarity uses a unique fingerprint-based technology. It works on the binary-level without the need for source code or reverse engineering. Clarity compares the scan results against more than 180,000 known vulnerabilities based on the fingerprints collected from open source components in numerous open source repositories.

Once a component and its version are identified through Clarity’s fingerprint-based matching, the tool looks up the known vulnerabilities for that version in databases such as NVD and VulnDB. Clarity also adds enterprise support, “fuzzy matching” of binary code, and support for automation servers like Jenkins.

Key Findings

The WiFi router firmware sold by the top manufacturers contained versions of open source components with security vulnerabilities, the binary scans indicated. Most models’ firmware contained “Severity High” and “Severity Middle” security vulnerabilities. This means that the deployed products and firmware updates remained vulnerable to potential security threats.

A majority of the models’ firmware made use of open source components with more than 10 “Severity High” security vulnerabilities, based on the examination.

Half of the firmware used open source components containing “Severity Critical” security vulnerabilities, according to researchers.

The report lists the following “Severity Critical” security vulnerabilities found in open source firmware components:

  • WPA2 (KRACK) — Key reinstallation attack;
  • ffmpeg — Denial of Service;
  • openssl — DoS, buffer overflow and remote code execution;
  • Samba — Remote code execution.

In many cases, router vendors evidently have not made use of the correct, up-to-date versions of the affected software components, the researchers concluded.

Serious Concerns

“Vendors rarely support and update routers after the first two years at most,” noted Brian Knopf, senior director of security research and IoT architect at Neustar.

Two more reasons make the report’s findings noteworthy, he told LinuxInsider. One, router manufacturers spend very little money on security because they tend to dislike cutting into their already-slim margins.

Also, many routers require customers to check for updates themselves. This has changed on some newer routers, but there are millions of old routers in use by consumers, which can be validated by some simple Shodan queries, Knopf said.

“Device vendors not performing updates is definitely an unnecessary risk,” said Justin Yackoski, CTO of

“Doing it right is non-trivial, and businesses and consumers need to look at the history of updates for a vendor before they make a purchase,” he told LinuxInsider.

However, price often wins out, Yackoski added, leaving it up to the FCC, DHS or an act of Congress to force the ultimate solution on router makers.

Significant Results

All of the firmware leveraged BusyBox and Samba by default, the report shows. More than 60 percent used OpenSSL.

Significant security issues arise from OpenSSL. That should prompt vendors to apply the latest patches consistently or use the version of the software that contains the fix, the researchers maintained.

Much of the firmware did not utilize the correct, most up-to-date versions of the OSS components available, the study revealed.

Inadequate Vendor Response

The open source community has created new versions of the components to address all of the previously listed security vulnerabilities. Vendors can employ these versions to prevent data breaches and resulting litigation that can cause significant corporate losses, according to Insignary.

During discussions with various vendors, Insignary encountered one manufacturer that expressed a preference to apply patches manually, line by line. While that method may work, it is still recommended that firmware developers scan their binaries to ensure that they catch and address all known security vulnerabilities.
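A minimal version of the check the last sentence recommends, added here as an illustration and not Insignary’s Clarity (which matches binary fingerprints rather than text banners): pull the version banners that statically linked BusyBox, OpenSSL and Samba leave in a firmware image and compare them against a minimum-version floor. The firmware bytes, the banner regexes and the version floors are constructed for this example and are not taken from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "firmware image" (not a real vendor image): binary filler
# around the version banners that statically linked open-source components
# such as BusyBox, OpenSSL and Samba embed as plain strings.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 13
    + b"BusyBox v1.22.1 (2016-03-02 10:11:12 UTC) multi-call binary\x00"
    + b"\x90\xcc\x00\xff" * 4
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\x00\x7f" * 6
    + b"Samba 3.6.25\x00"
)

# Banner patterns for the components the report says the firmware carried.
# Illustrative regexes; a real scanner matches code fingerprints, not just text.
COMPONENT_PATTERNS: Dict[str, bytes] = {
    "busybox": rb"BusyBox v(\d+(?:\.\d+){1,2})",
    "openssl": rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
    "samba": rb"Samba (\d+\.\d+\.\d+)",
}

# Constructed minimum-version policy used only for this example. It is NOT a
# vulnerability advisory: in practice these floors come from NVD / vendor
# advisories for the specific issues you care about.
EXAMPLE_POLICY: Dict[str, str] = {
    "busybox": "1.27.2",
    "openssl": "1.0.2n",
    "samba": "4.6.12",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.1e' into a comparable tuple: (1, 0, 1, 5).

    OpenSSL 1.0.x appends a letter for patch releases; map 'a'..'z' to 1..26
    and use 0 when no letter is present so that '1.0.2' < '1.0.2a'.
    Short versions are padded, so '1.22' becomes (1, 22, 0, 0).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(numbers) + (letter,)


def find_components(blob: bytes) -> Dict[str, List[str]]:
    """Return every distinct version banner found per component, in order."""
    found: Dict[str, List[str]] = {}
    for name, pattern in COMPONENT_PATTERNS.items():
        versions: List[str] = []
        for m in re.finditer(pattern, blob):
            v = m.group(1).decode("ascii")
            if v not in versions:
                versions.append(v)
        if versions:
            found[name] = versions
    return found


def check_policy(blob: bytes, policy: Dict[str, str]) -> List[dict]:
    """Compare each detected component against its policy floor.

    Each finding carries component, version, required and a status of
    'outdated' or 'ok'. A component named in the policy but absent from the
    image is reported as 'not_found' so a reviewer confirms rather than assumes.
    """
    found = find_components(blob)
    findings: List[dict] = []
    for name, required in policy.items():
        if name not in found:
            findings.append({"component": name, "version": None,
                             "required": required, "status": "not_found"})
            continue
        for version in found[name]:
            status = ("ok" if parse_version(version) >= parse_version(required)
                      else "outdated")
            findings.append({"component": name, "version": version,
                             "required": required, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_policy(SAMPLE_FIRMWARE, EXAMPLE_POLICY):
        print(f"{f['component']:8} {str(f['version']):8} "
              f"required>={f['required']:8} {f['status']}")
```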

Insignary’s findings suggest two possibilities for the failure to use the correct component version by WiFi router vendors: 1) the home, SMB and enterprise-class router vendors did not consider the vulnerabilities worth addressing; 2) they did not use a system that accurately finds and reports known security vulnerabilities in their firmware.

Going Beyond Linux

Business and home users remain at risk even if they do not run the Linux desktop or server. Compromised WiFi routers provide hackers with a malicious way to take over network equipment. It is a critical issue, said Andrew McDonnell, president of AsTech.

“In addition to potentially becoming part of a botnet, the router also grants attackers a beachhead in your environment. They can surreptitiously disrupt or intercept communication along with using it as a launch point to attack other systems on the internal network,” he told LinuxInsider.

Unpatched router firmware is a very serious security issue that opens up vulnerable routers to various nefarious motives, noted Louis Creager, IoT security analyst at

Besides attracting botnets for purposes like DDoS attacks and spam campaigns, it can compromise sensitive user information going through the router.

“Home users and business owners could see their IP addresses end up on lists of known botnet traffic, which can impact their everyday browsing activity as websites and online services block traffic from these sources,” Creager told LinuxInsider.

The Fix: Difficult but Urgent

The patching process depends on who builds the device, where the vulnerability exists, and who is responsible for the fix, noted Neustar’s Knopf.

Then vendors have to get the SDK for the chipset from the chipset vendor (Intel, Qualcomm, Broadcom, etc.) and add their own Board Support Package utilities, which are the drivers for the chipset, to program the router and the tools used to validate the devices, he added.

“OEMs need to allocate resources to at least maintain awareness of newly discovered vulnerabilities in their systems and then issue updated firmware,” said AsTech’s McDonnell. “It’s also essential to make clear to users that the updates are available so that they are applied.”

If there is a known vulnerability, the end user really can’t do much. The best option would probably be to flash the router with an open source firmware such as DD-WRT, OpenWrt or LEDE, he suggested.

“While open source firmware versions are never going to be perfect,” McDonnell acknowledged, “there is a whole community who maintains and fixes issues.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.

from LinuxInsider http://ift.tt/2C1uBEd


How we fought bad apps and malicious developers in 2017

Posted by Andrew Ahn, Product Manager, Google Play

Apps bring devices to life — letting you book a ride instantly, connect and share memories with friends, be alerted about current events, play games with someone across the globe, and get work done in the office or on the road. Google Play is committed to providing a safe experience for billions of Android users to find and discover such apps. Over the years, this commitment has made Google Play a more trusted and safer place. Last year we more than halved the probability of a user installing a bad app, protecting people and their devices from harm’s way, and making Google Play a more challenging place for those who seek to abuse the app ecosystem for their own gain.

In 2017, we took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016. Not only did we remove more bad apps, we were able to identify and take action against them earlier. In fact, 99% of apps with abusive content were identified and rejected before anyone could install them. This was possible through significant improvements in our ability to detect abuse – such as impersonation, inappropriate content, or malware – through new machine learning models and techniques.

We’ve also developed new detection models and techniques that can identify repeat offenders and abusive developer networks at scale. This resulted in the takedown of 100,000 bad developers in 2017, and made it more difficult for bad actors to create new accounts and attempt to publish yet another set of bad apps.

Here are a few examples of bad apps we took action against in 2017:


Attempting to deceive users by impersonating famous apps is one of the most common violations. Famous titles get a lot of search traffic for particular keywords, so the bad actors try to amass installs leveraging such traffic. They do this by trying to sneak impersonating apps into the Play Store through deceptive methods such as using confusable unicode characters or hiding impersonating app icons in a different locale. In 2017, we took down more than a quarter of a million impersonating apps.
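One way a review-side check for the confusable-character trick described above can work, as an added example that is not Google’s own detection code: fold a submitted title with NFKC normalisation and a confusables table, compare the result with the protected titles, and separately flag words that mix scripts. The confusables table is a constructed subset of Unicode’s confusables data, and the protected titles and sample submissions are constructed for the example.

```python
import unicodedata
from typing import Dict, List, Set

# Constructed subset of look-alike code points for this example. The real
# source is Unicode's confusables.txt, which is far larger; this table covers
# only the Cyrillic/Greek/Latin homoglyphs needed for the sample titles.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0443": "y",   # CYRILLIC SMALL LETTER U
    "\u0445": "x",   # CYRILLIC SMALL LETTER HA
    "\u0455": "s",   # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0399": "I",   # GREEK CAPITAL LETTER IOTA
    "\u039f": "O",   # GREEK CAPITAL LETTER OMICRON
    "\u0131": "i",   # LATIN SMALL LETTER DOTLESS I
}

# Constructed list of well-known titles worth protecting against look-alikes.
PROTECTED_TITLES: List[str] = ["WhatsApp", "Instagram"]

# Constructed sample submissions: Cyrillic 'a' in WhatsApp, fullwidth 'I' in
# Instagram, the genuine title, and an unrelated title.
SAMPLE_SUBMISSIONS: List[str] = [
    "Whats\u0430pp", "\uff29nstagram", "Instagram", "My Notes",
]


def skeleton(title: str) -> str:
    """Reduce a title to a comparable skeleton.

    NFKC folds fullwidth, ligature and other compatibility forms (e.g. a
    fullwidth 'W' becomes 'W'), the confusables table folds cross-script
    look-alikes, then case and whitespace are normalised.
    """
    s = unicodedata.normalize("NFKC", title)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return " ".join(s.casefold().split())


def scripts_used(word: str) -> Set[str]:
    """Rough set of scripts in a word ('LATIN', 'CYRILLIC', ...), taken from
    the first word of each letter's Unicode character name."""
    scripts: Set[str] = set()
    for ch in word:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def review_title(title: str, protected: List[str] = PROTECTED_TITLES) -> dict:
    """Flag a submitted title that collides with a protected title after
    folding, or that mixes scripts within one word. The reasons are returned
    so a human reviewer can see why the title was flagged."""
    reasons: List[str] = []
    sk = skeleton(title)
    for p in protected:
        if sk == skeleton(p) and title != p:
            reasons.append(f"confusable with protected title {p!r}")
    # Check scripts after NFKC so fullwidth Latin is not counted as a script.
    for word in unicodedata.normalize("NFKC", title).split():
        if len(scripts_used(word)) > 1:
            reasons.append(f"mixed scripts in word {word!r}")
    return {"title": title, "skeleton": sk,
            "flagged": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for submitted in SAMPLE_SUBMISSIONS:
        result = review_title(submitted)
        print(f"{submitted!r:16} flagged={result['flagged']} {result['reasons']}")
```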

Inappropriate content

We don’t allow apps that contain or promote inappropriate content, such as pornography, extreme violence, hate, and illegal activities. The improved machine learning models sift through massive amounts of incoming app submissions and flag them for potential violations, aiding the human reviewers in effectively detecting and enforcing on the problematic apps. Tens of thousands of apps with inappropriate content were taken down last year as a result of such improved detection methods.

Potentially Harmful Applications (PHAs)

PHAs are a type of malware that can harm people or their devices — e.g., apps that conduct SMS fraud, act as trojans, or phish users’ information. While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store. Finding these bad apps is non-trivial as the malicious developers go the extra mile to make their app look as legitimate as possible, but with the launch of Google Play Protect in 2017, the annual PHA install rate on Google Play was reduced by 50 percent year over year.

Despite the new and enhanced detection capabilities that led to a record number of takedowns of bad apps and malicious developers, we know a few still manage to evade and trick our layers of defense. We take these extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them. We are committed to making Google Play the most trusted and safe app store in the world.


from Android Developers Blog http://ift.tt/2DOdl7v

Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier-modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window of over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely control the design, release and distribution of software updates, but it also has full control over what versions of the system a given device is allowed to install. Unlike Android devices that can install a signed OTA package (or, in some cases, flash a full image) of any version of software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad device, the package must get an approval from an Apple server by receiving a cryptographic signature. That signature is issued in real time, and is only valid for a particular device.

As a rule, Apple always signs the latest stable version of iOS as well as the current beta version, if one is available. In addition, the company leaves a short window of about two weeks, during which Apple signs the current iOS build as well as the previous build, in order to allow users to roll back if they don’t like the update (rolling back wipes data).

Note: while users may save blobs from the previous version of iOS and then use them to go back at any time, this approach only works for the particular device from which the blobs have been captured.

There could be exceptions. For example, on January 11, 2018, Apple accidentally allowed downgrades all the way back to iOS 6. This was a server-side glitch that didn’t last long.

From the user’s perspective, installing an iOS update requires a passcode, meaning that updating from a less vulnerable version of iOS to a more vulnerable one (e.g. updating to iOS 11 for resetting the iTunes backup password) will require the passcode.

This update policy has the following forensic consequences:

  1. Most Apple devices will be running an up-to-date version of iOS (which may not have a jailbreak available).
  2. If updating a device is needed during the investigation, you can only update to the allowable version of iOS, which is the latest version (sometimes updating to the build before the last version is possible).
  3. If the device is passcode-protected, the passcode will be required to update from iOS 10 to iOS 11 (for the purpose of resetting the iTunes backup password).

Android: a Bizarre Mess

While Apple is in charge of designing and manufacturing its devices as well as the operating system, things are different on the other side of the pond. Smartphones and tablets powered by Android have a wild range of chip sets, models, and carrier variants, all requiring different versions of software.

Updates are a sore point of most Android smartphones and tablets, with the only exception being unlocked Google Pixel devices and the few phones participating in the Android One program.

It is also interesting to mention that Android OEMs may distribute updates through different channels depending on carrier branding, geographical designation of the model and the user’s current location. As an example, a Chinese or Brazilian Moto Z could be running Android 8.0 Oreo with the December 2017 security patch, while Moto Z’s for the rest of the world would still be running Android 7.1.1 with the same December 2017 security patch, except for Verizon (USA) models that would receive the Oreo update. Weird? It’s just the beginning.

In Android land, the same phone may have several different models designed for different markets and carriers. Even if using identical hardware, those models may differ in supported radio bands. Manufacturers may have different policies regarding bootloader unlock for the different versions. No wonder the different versions of the same model will also have differences in software, making physical acquisition a gamble.

For a typical Android smartphone (or tablet), the following parties are involved in making a software update happen.

  1. Google. The company releases Android sources for everyone to use. By this time, Google’s own Pixel smartphones will already be running the latest version of Android.
  2. Chipset manufacturer. The chipset manufacturer (Qualcomm, MediaTek, NVIDIA, Rockchip etc.) must make chipset drivers for the new version of Android and distribute them among its customers (OEMs). The chipset manufacturer may refuse to make drivers for the new version of Android, meaning that all devices powered by that particular chipset will not be updated. This can happen to flagship chipsets, too, as in Qualcomm refusing to make Snapdragon 800/801 drivers for Android 7.
  3. OEM. Once the OEM receives the drivers from the chipset manufacturer, it may start adapting Android for its devices. This is further slowed down by the fact that many manufacturers use their own “skins” on top of pure Android that must be adapted to the new version of the OS. Obviously, this takes time.
  4. Certification. After the OEM makes a working build of Android for a particular model, the update must be certified by one of the Google-approved labs. This takes more time. For unlocked smartphones, this is it: the update can be distributed by the OEM. For carrier-locked devices, one
  5. For carrier-branded smartphones, the update must be reviewed and certified by the carrier, who may then push the update to its customers. Needless to say, this extra step may not only introduce additional delays (sometimes as long as 6-9 months), but may prevent the update entirely if the carrier does not feel it sold enough of those phones.

Android’s scattered update policy may have the following forensic implications:

  1. Many users will run outdated versions of Android, which makes them vulnerable to exploits leading to root access, making physical acquisition trivial. In addition, they may run versions of Android that do not force full-disk encryption, making chip-off acquisition possible.
  2. Due to the sheer number of models and software versions, including carrier versions, a certain model (e.g. Moto G5) is never guaranteed to run a given version of software. Even worse: even if you have a certain model (say, Moto G5) that runs a certain build of Android (e.g. Android 7.0, September 2017 security patch level), there will still be differences if the two Moto G5’s are branded by different carriers. For the expert, this means different offsets for bootloader-level exploits, making physical acquisition via bootloader-level exploits work on one phone and fail on its sibling. This is never the case with the iPhone: all iPhone devices (of the same model) running the same version of iOS are susceptible to the same exploits.
  3. Since full-disk encryption was introduced in Android 5 and enforced since Android 6 (but only on devices shipped with Android 6 out of the box), low-level acquisition is a hit or miss. However, some versions of Android are vulnerable to exploits. Since most manufacturers ignore or severely delay Google’s monthly security patches, the chance of successfully exploiting a vulnerability on a given device is much higher compared to iOS or Windows 10 Mobile.

Microsoft Windows 10 Mobile: It’s Interesting

We have already covered two different approaches: Apple’s (who distributes updates directly and simultaneously for all models) and Android OEMs’ (who are all over the place). While those policies are very different by all accounts, there is one thing in common between Apple and Android OEMs. iOS 11.2.2 is always newer than iOS 11.2.1, and once there is an Android 8 update for a given smartphone, ROMs based on Android 7.x are no longer maintained.

Microsoft, on the other hand, has a complex (and complicated) update structure for Microsoft-branded and third-party smartphones running Windows 10 Mobile.

For W10M devices, there are different branches of Windows: the original Windows 10 Mobile release, the November Update, the Anniversary Update, the Creators Update, and the Fall Creators Update. According to Microsoft, each branch is set to receive extended support updates and security patches for a minimum of 24 months after the lifecycle start date.

Interestingly, Microsoft delivers security patches and minor updates directly to handset users, while major updates may still have to go through the carrier for approval. However, users can bypass carriers completely by opting into the Windows Insider program, in which case Microsoft will deliver all updates directly to users.

What does it mean in practical terms? Even if the phone (e.g. Lumia 930) is not officially receiving the Fall Creators Update and is still running the previous Windows branch, it will still see bug fixes and security patches for two years since the initial release of the Windows 10 branch that was last available to that device. However, users may opt in to the Windows Insider program, and receive insider builds of Windows 10 Fall Creators Update on their device, even if they are not “officially” supported. The insider branch will also receive bug fixes and security patches in parallel with the older branch (Creators Update).

This update policy means that two identical phones may be both running the latest version of Windows 10 Mobile, yet one will be the Creators Update with up to date security patches, while the other could be Fall Creators Update (again, with up to date security patches).

Forensic consequences:

  1. You may never know for sure which Windows branch the phone is running. However, in most cases, the phone will have the latest security patches installed regardless of the Windows branch.
  2. Microsoft has a solid track record supporting and updating its phones. Even if Windows 10 Mobile is discontinued, existing devices will receive updates for at least two more years (yes, even the Lumia 950/950 XL released back in 2015).


The three mobile operating systems have vast differences in how they are updated and maintained. Ranging from Apple’s tight grip over iOS and the company’s full control over its updates to Android’s bizarre mess, software updates affect mobile forensics. While in most cases the newer builds are more secure compared to the older ones, iOS 11 proved to be a major exception, so updating iPhones to the latest version of iOS may be worth it.


from Advanced Password Cracking – Insight http://ift.tt/2Dh5eTG

Malware Displaying Porn Ads Discovered in Game Apps on Google Play

In the past, cyber-criminals have targeted businesses, hospitals, and governments; today, we’ve seen them begin to focus on games and apps intended for children.


Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside roughly 60 game apps, several of which are intended for use by children. According to Google Play’s data, the apps have been downloaded between 3 million and 7 million times.


Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:

  1. Displaying ads from the web that are often highly inappropriate and pornographic.
  2. Attempting to trick users into installing fake ‘security apps’.
  3. Inducing users to register to premium services at the user’s expense.


In addition, the malicious code can be used to open the door for other attacks such as user credential theft.


How It Works

Once the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock their screen in order to initiate the attack. The attacker then selects which of the above three actions to take and then displays it on the device owner’s screen.

Figure 1: ‘AdultSwine’ Operation Flow


Inappropriate and Pornographic Ads

The most shocking element of this malicious app is its ability to cause pornographic ads (from the attacker’s 3rd party library) to pop up without warning on the screen over the legitimate game app being displayed.


Figure 2: A mild example of the ads presented and a comment from a parent of a four-year old victim.


Scareware – Deceptive App Install Tactics

Another course of action the malicious app pursues is scaring users into installing unnecessary and possibly harmful “security” apps.

First, the malicious app displays a misleading ad claiming a virus has infected the user’s device.

Upon selecting the ‘Remove Virus Now’ call to action, the user is directed to another app in the Google Play Store posing as a virus removal solution.

The “virus removal solution” is anything but – it’s another fake app.


Figure 3: Notifications shown to redirect users to download fake anti-virus apps.


Registering To Premium Services

Another technique used by the malicious app is registering to premium services and charging the victim’s account for fraudulent premium services they did not request. In a similar way to the scareware tactic presented above, the malicious app initially displays a pop-up ad, which attempts to persuade the user to register for this service.

This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the page informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the ad itself then uses this number to register to premium services.


Decisive Corrective Action

Upon being advised of our findings, Google collaborated with Check Point Research, took prompt action to remove affected apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to any users that still have the apps installed.

The scareware “virus removal solution” was suspended from Google Play for using inappropriate marketing tactics to drive installs.



Apps infected with the nasty ‘AdultSwine’ malicious code are able to cause emotional and financial distress.

Due to the pervasive use of mobile apps, ‘AdultSwine’ and other similar malicious apps will likely be continually repeated and imitated by hackers. Users should be extra vigilant when installing apps, particularly those intended for use by children. We advise parents to verify that apps used by their children are categorized as “Designed for Families” on Google Play.

Effective protection from attack by these malicious apps requires users to install advanced mobile threat defense solutions such as Check Point ZoneAlarm on all mobile devices.

For full details of the research, please visit our Research Blog.


from Check Point Blog http://ift.tt/2ml89jO

LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play

Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google. The suspicious script overrides the user’s decision to disable ads showing outside of a legitimate context, and then, in many of the apps, hides its icon to hinder efforts to remove it. This is a purely malicious activity, as it has no purpose other than eluding the user.


Dubbed ‘LightsOut’, the code hid itself in 22 different flashlight and utility apps, and reached a spread of between 1.5 million and 7.5 million downloads. Its purpose? To generate illegal ad revenue for its perpetrators at the expense of unsuspecting users.


The deception was far reaching in its disruption to the user. Some users noted that they were forced to press on ads to answer calls and perform other activities on their device. Indeed, another user reported that the malicious ad activity continued even after he purchased the ad-free version of the app, taking the abuse to a whole new level.


Check Point notified Google about all these apps, and Google soon removed them from the Google Play store.


How It Works

As shown in our video, the malicious app offers the user a checkbox, as well as a control panel, in which they can enable or disable additional services, including the displaying of ads. The events that will trigger ads are any Wi-Fi connection, the ending of a call, a plugged in charger or the screen being locked.


However, if the user chooses to disable these functions, ‘LightsOut’ can override the user’s decision and continue to display ads out of context. Since the ads are not directly connected to LightsOut’s activity, the user is unlikely to understand what caused them, and even if he does he won’t be able to find the app’s icon and remove it from his device.


Main Takeaways:

Despite the vast investment Google has recently made in the security of their App Store, ‘LightsOut’ reminds us once again that users need to be wary of downloading from App Stores and are advised to have a ‘Plan B’ in the form of an advanced mobile threat defense solution that goes beyond anti-virus.


Many users are still unaware of the dangers lurking for them, and continue to install apps such as fishy flashlights, putting them at risk of making their winter months even darker.


Learn more:

For more details on how this malicious mobile app malware works, visit our Research Blog.

For more details on how to secure your phone, take a look at SandBlast Mobile, our mobile security solution, boasting the industry’s highest threat catch rate on iOS and Android.

The post LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play appeared first on Check Point Blog.

from Check Point Blog http://ift.tt/2CH0gzh

First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services

By Lorin Wu

We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications. The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.

Figure 1. Swift Cleaner, the malicious app posing as an Android cleaning app

Using Kotlin to develop malware

Google announced Kotlin as a first-class language for writing Android apps in May 2017. Since Kotlin’s release, 17 percent of Android Studio projects started to use the programming language. Twitter, Pinterest, and Netflix are among the top apps that use Kotlin.

Kotlin is described as concise, drastically reducing the amount of boilerplate code; safe, because it avoids entire classes of errors such as null pointer exceptions; interoperable for leveraging existing libraries for JVM, Android, and the browser; and tool-friendly because of its capability to choose any Java IDE or build from the command line.

Its tooling support is also quite handy: Android Studio 3.0 provides tools for helping users with Kotlin. In addition, it can convert all Java files or code snippets on the fly when pasting Java code into a Kotlin file.

However, it’s still unknown whether the above-mentioned features of Kotlin make a difference when creating malware.

Figure 2. Package structure of the malicious app developed using Kotlin

Technical analysis

Upon launching Swift Cleaner, the malware sends the victim’s device information to its remote server and starts a background service to fetch tasks from its remote C&C server. When the device is infected for the first time, the malware sends an SMS to a number specified by its C&C server.

Figure 3. Malicious app collects and sends victim’s device information via SMS

After the malware receives the SMS command, the remote server will execute URL forwarding and click ad fraud.

Figure 4. Left: C&C server sends task via network. Right: code snippet of the malware in process.

In its click ad fraud routine, the malware receives a remote command that executes the Wireless Application Protocol (WAP) task. WAP is a technical standard for accessing information over a mobile wireless network. After that, the malicious JavaScript code is injected, followed by the replacement of regular expressions (sequences of characters that define a search pattern). This allows the malicious actor to parse the ads’ HTML code for a specific search string. Subsequently, the malware silently turns on the device’s mobile data, parses the base64-encoded image, cracks the CAPTCHA, and sends the finished task to the remote server.

Figure 5. Malicious app uploading the finished task to the C&C Server

The malware can also upload the information of the user’s service provider, along with the login information and CAPTCHA images, to the C&C server. Once uploaded, the C&C server automatically processes the user’s premium SMS service subscription, which can cost the victim money.

Figure 6. The malicious app uploads the token that will be used to subscribe to a premium SMS service

Figure 7. The malicious app uploads the CAPTCHA image used to subscribe to a premium SMS service


Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed. Enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. It features device management, data protection, application management, compliance management, configuration provisioning, and other capabilities, so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

We have disclosed this security issue to Google, which verified that Google Play Protect has protections in place to protect users from this malware family.

Indicators of Compromise (IoCs):



C&C servers:


Post from: Trendlabs Security Intelligence Blog – by Trend Micro


from TrendLabs Security Intelligence Blog http://ift.tt/2FhA8JI

New Open Source Mobile OS Puts Privacy Front and Center

A renowned Linux innovator has developed a new mobile operating system, called “Project eelo,” in an effort to provide a level of data privacy that traditional Android and iOS devices fail to offer.

The new eelo system will allow mobile phone users to regain control over their personal information at a price they can afford, said Gael Duval, who created Mandrake Linux back in 1998.

Apple has become too expensive, too boring and is “going crazy with its products,” he said, while Google has “become too big” and is capturing too much information about what we do.

“They want to know us as much as possible to sell advertising,” Duval wrote in a post introducing eelo’s Kickstarter campaign, which has more than doubled its goal with 14 days remaining.

“People are free to do what they want,” Duval wrote. “They can choose to be voluntary slaves. But I do not want this situation for me anymore.”

After deciding to leave Google and Apple for eelo, Duval received more than 6,000 reads from a couple of articles he posted detailing his plans, he told LinuxInsider.

The eelo project on Kickstarter reached more than 200 percent of goal after only 15 days.

More than 2,000 people have registered at eelo.io since December 20 in response to his posted updates, Duval added.

eelo’s Lineage

The new eelo project is a fork of LineageOS, an open source system that runs mainstream Android applications. Open source modules are layered on top of that, which help create a consistent mobile and Web system, Duval said.

The project, which calls for the developers to sell preloaded eelo smartphones and provide some premium services, will run as a nonprofit. As a community project, it will welcome contributors.

The developers will release privacy-enabled smartphone ROMs, as well as smartphones for ordinary users, with associated Web services.

They have been testing custom builds of LineageOS/eelo on the LeEco Le2 — a 5.5-inch smartphone with a 1080 x 1920 pixel screen, 3 GB of RAM, 32 GB of storage, a fingerprint sensor on the back and a 4K camera — which sells for about £130, and on a Xiaomi Mi5S.

The developers plan to have downloadable ROMs for a range of devices by 2018, Duval said, as well as a limited number of post-market flashed devices. He also plans to discuss partnerships with Fairphone, Essential Phone or similar devices, and plans to industrialize the phone by 2019.

Privacy Tradeoffs

Many consumers have expressed a desire for greater control over their experience with mobile devices, but there has to be a balance between the value proposition and customers’ willingness to share on a personal level.

“Information is currency, and people are going to want more control over who has information on their behaviors and habits on a mobile device,” said Ryan Spanier, director of research at Kudelski Security.

“Eelo is focused on maintaining privacy,” he told LinuxInsider, “preventing tracking and monetization of your actions without your consent.”

There is growing consumer interest in a potentially less-intrusive operating system for mobile devices, but the task of establishing one in the market is daunting, said independent analyst Jeff Kagan.

Though there have been some prior efforts, no alternative mobile OS has been able to compete with iOS and Android, he told LinuxInsider.

Even if privacy is a concern, the majority of consumers don’t understand the relationship between privacy and the mechanics of their personal technology well enough to persuade them to make the shift to eelo, suggested Paul Teich, principal analyst at Tirias Research.

“Success will be made on social media stickiness and whether enough consumers or organizations think they can get ‘more privacy’ — whatever that means to them — than stock Google Android or Apple iOS products,” he told LinuxInsider.

Developing leading products like the iPhone and other devices involves the willingness to make tradeoffs, noted Gartner analyst Tuong Nguyen.

Companies must invest substantial resources to make their products appeal to the specific needs of their customers, he told LinuxInsider.

“Google spends a lot of time and effort to make [products] easy to use,” Nguyen said, “to keep you within their ecosystem.”

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain’s New York Business and The New York Times.

from LinuxInsider http://ift.tt/2CutxK9