The Android Security 2017 Year in Review has good news for enterprises

Device security is of paramount importance to enterprises. It’s why the Android Security team (and many other teams at Google) continuously work to improve protections across more than 2 billion active Android devices.

To ensure customers, partners, and Android users are up to date on our ongoing work, we recently published the fourth annual Android Security Year in Review. This document details improvements to Google’s security offerings in Android, updated platform features, and key metrics that inform our initiatives.

While the report provides a broad view of the breadth of the security work across the ecosystem, there are important highlights for our enterprise users.

Enterprise-grade security in Android

In 2017 we launched Google Play Protect, Android’s built-in device, data and app security scanning technology. Google Play Protect protects users from potentially harmful apps (PHAs) in real time and uses cloud-based services to analyze device and app data to identify possible security concerns.

Every day, Google Play Protect automatically reviews more than 50 billion apps and other potential sources of PHAs, checks devices, and warns users about potential harm. These automatic reviews enabled us to remove nearly 39 million PHAs last year.

[Chart: PHA install rates. The installation of potentially harmful apps (PHAs) from outside the Google Play store saw a significant drop in 2016.]

Enterprises can leverage Google Play Protect with managed Google Play, a curated Google Play Store for enterprise customers. By using managed Google Play, an organization can ensure that team members are selecting prescribed apps for work that are secured through Google Play Protect. Last year, the number of 30-day active devices running managed Google Play increased by 2,000 percent.

We also introduced a bundle of new security features in Android Oreo, making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, and hardening the kernel.

In its second year, the Android Security Rewards program paid researchers $1.28 million in 2017 for work identifying potential vulnerabilities in Android. We also introduced the Google Play Security Rewards Program for developers that discover and disclose select critical vulnerabilities in apps hosted on Play.

Additionally, we launched zero-touch enrollment, a fast and secure method for simplified provisioning of corporate-distributed devices. Our focus on security starts from the moment a device is powered on, continues through deployment, and extends to daily interaction with apps and services.

Looking ahead

Our efforts continue into 2018. We recently launched the Android Enterprise Recommended program for OEMs, which addresses a pain point that many organizations face when choosing devices for large deployments. The program features a curated selection of devices that meet common requirements for security (including regular security patch delivery) and for supported features, all validated by Google.

For a more detailed look at all of the Android security improvements during the last year, see the dedicated Security Blog or read the full security report at

from Official Google Blog


MWC 2018: Digital and Mobile Security in the 5G IoT Era

Mobile World Congress 2018 is upon us and the big news includes the launch of a bunch of new devices, including the Sony Xperia XZ2 Compact, Samsung Galaxy S9, Sony Xperia XZ Premium 2 and Samsung Galaxy Tab S4.

In addition to these and dozens of other devices launching at this year’s event in Barcelona, we are seeing the acceleration of the trend for domestic and industrial smart devices, voice-controlled digital assistants and other internet of things (IoT) enabled smart devices.

Google, for example, is using MWC 2018 as a platform to publicise Google Assistant and the Google Home smart speaker, though one thing we still haven’t heard enough about is the many new security threats and issues surrounding new smart devices, digital assistants and IoT technologies.

Biometric Authentication, 5G Realities and IoT security

Another notable trend at MWC 2018 has been the focus from Samsung and some of the other major mobile players on improved forms of biometric authentication, with Samsung releasing a much-improved Iris Scanner as part of the new Galaxy S9 range.

It’s certainly a really positive move to see this focus on identity authentication at this year’s show, with a notable shift at this year’s event from the hype surrounding virtual and augmented reality and voice-controlled smart homes to far more realistic and practical concerns around security, biometrics and the real-world use cases of superfast 5G networking tech.

Much of the conversation around 5G, of course, is still dominated by how edge computing and low latency in 5G networks will actually translate into valuable and usable services for consumers and businesses alike.

These new 5G use cases dominated the IoT news at MWC 2018, with numerous exhibitors talking up their latest 5G IoT applications and concepts. Almost by default, digital security has also become one of the hottest topics in Barcelona this year, as small developers and the major multinational mobile brands alike wake up to the fact that security is of paramount importance across the entire IoT supply chain.

Evolving Digital Security for the 5G IoT Era

Firms are realising that their digital security strategy has to evolve at the same pace as the many new developments on the current buzzword bingo card, such as 5G IoT, artificial intelligence (AI) and machine learning.

Failure to undertake appropriate due diligence on these emerging technologies opens them up to significant penalties when the inevitable data breaches occur.

In addition to the focus on improving mobile handset security and raising awareness of digital security issues in the smart home, the onus for 5G network level security really needs to shift back to the telecommunications companies themselves.

The 5G Security Challenge for Telecoms

The bottom line is this: the security of 5G networks presents a fundamental challenge to the telecommunications industry at large. Something that the hype machine surrounding 5G at MWC 2018 generally fails to highlight, for obvious reasons!

The promise of 5G-enabled services in smart cities, connected cars and across the burgeoning e-health sector, for example, is clear. Yet the fact that network-wide security and security across the IoT value chain is fundamental to these types of applications and services operating safely is still too often overlooked.

Driverless cars, smart surgery and IoT applications across the manufacturing sector are good examples to cite, where digital security is crucial.

All of which is why we as an industry have to work better together – from digital security specialists through to 5G IoT app and hardware developers through to the multinational telecommunications companies themselves – to ensure that we are doing all we can to meet the security challenges and the many increasingly sophisticated attacks that are sure to come in the 5G era.

The post MWC 2018: Digital and Mobile Security in the 5G IoT Era appeared first on McAfee Blogs.

from Blog Central » McAfee Labs

Key Mobile Threat Takeaways from the 2018 Mobile Threat Report

The term “mobile” has come to encompass a wide range of devices these days. Mobile devices have become much more than our Androids and iPhones. Wearable watches, tablets, even home devices all fall under the mobile umbrella of IoT and have the ability to impact our lives for better, or for worse.

This rich IoT landscape holds the key to your digital identity, your connected home and potentially, even your kid’s digital future. Gartner predicts that by the year 2020, 20.8 billion connected devices will populate the consumer home. (Current global population is 7.6 billion people.) As these devices continue to increase in presence in our daily lives, it’s important to understand not only the convenience they offer, but the threats they pose as well.

With the dawn of an even more connected era fast approaching, we at McAfee are examining the mobile threats that might be waiting on the horizon. This year’s Mobile Threat Report takes a deep dive into some significant trends that demonstrate just how attacks on these mobile platforms are targeting what’s most sacred to us – our home. Let’s take a look at some of the most common trends in mobile malware, and a few tips on how to protect your home.

Mobile Malware in the IoT Home  

According to Gartner, 8.4 billion connected “things” were in use last year, and chances are one or more of these devices is living in your home today. While many of them bring convenience and ease to the home, they also significantly increase the risk of attack: many are developed with innovation in mind and little to no focus on security. At the same time, the number of everyday mobile device users has grown phenomenally, so the need for security rises as the frequency of mobile attacks continues to grow.

DDoS Causes SOS  

IoT attacks such as Mirai and Reaper showed the world just how vulnerable smart homes and connected devices can be to malicious code. These attacks targeted millions of IoT devices with the intent of creating a botnet army from trusted connected items within the household.

The Mirai malware authors leveraged consumer devices such as IP cameras and home routers to create a botnet army, launching distributed denial of service (DDoS) attacks against popular websites. By taking advantage of the low level of security on most home connected devices, this malware was able to seize control of millions of devices. All it had to do was log in over Telnet with a short list of factory default usernames and passwords.

The “Reaper” malware strain also took advantage of the limited security of many connected home devices. However, its authors evolved their tactics by looking for devices with known vulnerabilities to exploit and by implementing a set of hacking tools that showed greater sophistication. IoT Reaper clocked in at as many as 2 million infected devices, nearly ten times the rate of Mirai.

The evolution of the malicious code targeting mobile and IoT devices represents a growing threat to consumers who wish to embrace a culture of connected living. So how can we welcome these devices into our homes without opening the door to cyberthreats? Here are a few tips to consider:

  • Protect your devices, protect your home. As we continue to embrace a culture of smart homes and connected devices, it is also important for us to embrace internet security at the network level. With targeted attacks growing globally, we must remain vigilant in protecting our connected lives by making sure each individual device, and especially the home network itself, is secure. The Mobile Threat Report (MTR) has dubbed 2018 “The Year of Mobile Malware,” and every tech user should consider using a home gateway with built-in security to ensure every device in their home is protected.

  • Download apps with caution and update them regularly. Malware campaigns have been targeting users on the Google Play store almost since its inception. In fact, McAfee recently discovered Android Grabos, one of the most significant campaigns of this year, present within 144 apps on Google Play. Stay current on which applications are supported in your application store and update them regularly. If an app is no longer supported in the Play store, delete it immediately.

  • Invest in comprehensive security. I can’t stress enough how important it is to use comprehensive security software to protect your personal devices. Malware is constantly evolving with technology, so ensure all of your devices are secured with built-in protection.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Key Mobile Threat Takeaways from the 2018 Mobile Threat Report appeared first on McAfee Blogs.

from Blog Central » McAfee Labs

WiFi Routers Riddled With Holes: Report

By Jack M. Germain

Feb 6, 2018 3:27 PM PT

Most WiFi router vendors have not patched numerous firmware vulnerabilities discovered more than two years ago, according to a report Insignary released on Tuesday.

OEM firmware built into WiFi routers uses open source components that contain numerous known security vulnerabilities that can be exploited by attackers, it notes.

Insignary, a startup security firm based in South Korea, conducted comprehensive binary code scans for known security vulnerabilities in WiFi routers. The company conducted scans across a spectrum of the firmware used by the most popular home, small and mid-sized business and enterprise-class WiFi routers.

While KRACK may be the newest and potentially most harmful WPA2 security vulnerability, router firmware vulnerabilities are far more extensive and dangerous, based on the firm’s findings.

“While KRACK WPA2 is the latest WiFi security vulnerability, it appears to be just the tip of the iceberg, compared to what currently exists in router firmware,” said Tae-Jin Kang, CEO of Insignary.

The company has been monitoring WiFi router issues since the infamous botnet attack in the fall of 2015 brought down the Internet for a couple of days. Many of the vulnerabilities Insignary found in 2016 were present in scans performed last year.

“This is distressing. Many vendors continued to ignore problems that could easily be fixed. These are devices that we use on a daily basis,” Kang told LinuxInsider.

Time to Raise Awareness

The 2015 attack was carried out not by zombie PCs but by 300,000 compromised IoT devices. People had theorized about the possibility of such an attack, and that incident proved it could be done, said Kang.

“So we decided it was time to raise awareness. This is a serious problem. We are talking about well-known security issues that still exist in the routers. These devices can be compromised in many ways. WiFi devices are pervasive,” he warned.

The threat is specific to IoT devices rather than to computers and other mobile devices. However, the Linux operating system also may be in the crosshairs because so many variations of Linux distributions prevent a centralized patch deployment solution, Kang explained.

Windows 10 and the macOS have addressed the security issues to neutralize the router vulnerabilities. An important factor in their doing so is that those OSes are not open source, he said.

“I’m not saying that open source itself is inherently less secure,” Kang emphasized. “The Linux community has done a very good job of responding to security issues. The problem is that even with rapid updating of patches, the distribution process is decentralized and fragmented with the Linux OS.”

About the Study

Insignary conducted the scans during the last two weeks of November 2017. Its research and development team scanned 32 pieces of WiFi router firmware offered in the U.S., Europe and Asia by more than 10 of the most popular home, SMB and enterprise-class WiFi router manufacturers: Asus, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link.

The researchers used a specialized tool Insignary developed to scan the firmware. They also leveraged Clarity, a security solution that enables proactive scanning of software binaries for known, preventable security vulnerabilities, and identifies license compliance issues.

Clarity uses a unique fingerprint-based technology. It works on the binary-level without the need for source code or reverse engineering. Clarity compares the scan results against more than 180,000 known vulnerabilities based on the fingerprints collected from open source components in numerous open source repositories.

Once a component and its version are identified through Clarity’s fingerprint-based matching, the tool looks up known vulnerabilities for that version in numerous databases such as NVD and VulnDB. Clarity also adds enterprise support, “fuzzy matching” of binary code, and support for automation servers like Jenkins.
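As an added example, and not Insignary’s Clarity or anything from the report, the Python sketch below shows the crudest form of binary-level component identification: searching an unpacked firmware image for the version banner strings that OpenSSL and BusyBox embed in their binaries, then comparing the extracted versions against an advisory table. The OpenSSL and BusyBox banner formats are real; the Samba pattern, the firmware bytes and the scan helper names are constructed for the example. The only advisory entry is Heartbleed’s real affected range (OpenSSL 1.0.1 through 1.0.1f); a real scanner would load a full NVD feed and use function-level fingerprints rather than one regex and one table. Run it against an extracted root filesystem, not a compressed squashfs image, since compression destroys the strings.

```python
"""Added example: a minimal binary-level check for known-vulnerable open source
components in a router firmware image (not Insignary's Clarity). It models the
same idea, no source code and no reverse engineering, using the simplest
fingerprint there is: the version banner strings that OpenSSL and BusyBox
compile into their binaries. The firmware blob and the Samba pattern are
constructed; the Heartbleed range is the real one."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Banner patterns as they appear in shipped binaries. The OpenSSL banner looks
# like "OpenSSL 1.0.1e 11 Feb 2013" and BusyBox's like "BusyBox v1.20.2 (...)";
# the Samba pattern is an assumption for illustration only.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)\b"),
    "samba": re.compile(rb"Samba (\d+\.\d+\.\d+)\b"),
}


def parse_version(text: str) -> Version:
    """'1.0.1e' -> (1, 0, 1, 5); '1.0.1' -> (1, 0, 1, 0); '1.20.2' -> (1, 20, 2, 0).
    OpenSSL's trailing letter becomes an ordinal so that tuples order correctly."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    parts.append(ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0)
    return tuple(parts)


# (component, first affected, last affected, identifier). Only Heartbleed is
# listed, with its real affected range; a production scanner loads this from NVD.
ADVISORIES = [
    ("openssl", parse_version("1.0.1"), parse_version("1.0.1f"), "CVE-2014-0160 (Heartbleed)"),
]


def extract_components(blob: bytes) -> Dict[str, List[str]]:
    """Return every component version banner found in the raw firmware bytes."""
    found: Dict[str, List[str]] = {}
    for name, pattern in BANNERS.items():
        versions = sorted({m.group(1).decode("ascii") for m in pattern.finditer(blob)})
        if versions:
            found[name] = versions
    return found


def match_advisories(components: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Cross the extracted (component, version) pairs with the advisory table."""
    hits = []
    for name, versions in components.items():
        for v in versions:
            pv = parse_version(v)
            for comp, lo, hi, ident in ADVISORIES:
                if comp == name and lo <= pv <= hi:
                    hits.append((name, v, ident))
    return hits


def scan_firmware(blob: bytes):
    comps = extract_components(blob)
    return comps, match_advisories(comps)


# Constructed firmware image: padding around the banner strings an unpacked
# root filesystem would contain.
SAMPLE_FIRMWARE = (
    b"\x00" * 64 + b"BusyBox v1.20.2 (2013-05-01 12:00:00 UTC) multi-call binary.\x00"
    + b"\xff" * 32 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 16
    + b"Samba 3.6.25\x00"
)

if __name__ == "__main__":
    comps, hits = scan_firmware(SAMPLE_FIRMWARE)
    print("components:", comps)
    for name, version, ident in hits:
        print(f"VULNERABLE {name} {version}: {ident}")
```

On the constructed image the scan reports OpenSSL 1.0.1e as inside the Heartbleed range while BusyBox and Samba are listed but unmatched because the toy table has no entries for them; the absence of a hit is only as good as the table, which is the point the report makes about vendors that never ran a scan at all.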

Key Findings

The WiFi router firmware sold by the top manufacturers contained versions of open source components with security vulnerabilities, the binary scans indicated. Most models’ firmware contained “Severity High” and “Severity Middle” security vulnerabilities. This means that the deployed products and firmware updates remained vulnerable to potential security threats.

A majority of the models’ firmware made use of open source components with more than 10 “Severity High” security vulnerabilities, based on the examination.

Half of the firmware used open source components containing “Severity Critical” security vulnerabilities, according to researchers.

The report lists the following “Severity Critical” security vulnerabilities found in open source firmware components:

  • WPA2 (KRACK) — Key reinstallation attack;
  • ffmpeg — Denial of Service;
  • openssl — DoS, buffer overflow and remote code execution;
  • Samba — Remote code execution.

In many cases, router vendors evidently have not made use of the correct, up-to-date versions of the affected software components, the researchers concluded.

Serious Concerns

“Vendors rarely support and update routers after the first two years at most,” noted Brian Knopf, senior director of security research and IoT architect at Neustar.

Two more reasons make the report’s findings noteworthy, he told LinuxInsider. One, router manufacturers spend very little money on security because they tend to dislike cutting into their already-slim margins.

Also, many routers require customers to check for updates. This has been changed on some newer routers, but there are millions of old routers in use by consumers, which can be validated by some simple Shodan queries, Knopf said.

“Device vendors not performing updates is definitely an unnecessary risk,” said Justin Yackoski, CTO of

“Doing it right is non-trivial, and businesses and consumers need to look at the history of updates for a vendor before they make a purchase,” he told LinuxInsider.

However, price often wins out, Yackoski added, leaving it up to the FCC, DHS or an act of Congress to force the ultimate solution on router makers.

Significant Results

All of the firmware leveraged BusyBox and Samba by default, the report shows. More than 60 percent used OpenSSL.

Significant security issues arise from outdated OpenSSL builds, which should prompt vendors to apply the latest patches consistently or move to the version of the software that contains the fix, the researchers maintained.

Much of the firmware did not utilize the correct, most up-to-date versions of the OSS components available, the study revealed.

Inadequate Vendor Response

The open source community has created new versions of the components to address all of the previously listed security vulnerabilities. Vendors can employ these versions to prevent data breaches and resulting litigation that can cause significant corporate losses, according to Insignary.

During discussions with various vendors, Insignary encountered one manufacturer that expressed a preference to apply patches manually, line by line. While that method may work, it is still recommended that firmware developers scan their binaries to ensure that they catch and address all known security vulnerabilities.

Insignary’s findings suggest two possibilities for the failure to use the correct component version by WiFi router vendors: 1) the home, SMB and enterprise-class router vendors did not consider the vulnerabilities worth addressing; 2) they did not use a system that accurately finds and reports known security vulnerabilities in their firmware.

Going Beyond Linux

Business and home users remain at risk even if they do not run the Linux desktop or server. Compromised WiFi routers give attackers a way to take over network equipment. It is a critical issue, said Andrew McDonnell, president of AsTech.

“In addition to potentially becoming part of a botnet, the router also grants attackers a beachhead in your environment. They can surreptitiously disrupt or intercept communication along with using it as a launch point to attack other systems on the internal network,” he told LinuxInsider.

Unpatched router firmware is a very serious security issue that opens up vulnerable routers to various nefarious motives, noted Louis Creager, IoT security analyst at

Besides attracting botnets for purposes like DDoS attacks and spam campaigns, it can compromise sensitive user information going through the router.

“Home users and business owners could see their IP addresses end up on lists of known botnet traffic, which can impact their everyday browsing activity as websites and online services block traffic from these sources,” Creager told LinuxInsider.

The Fix: Difficult but Urgent

The patching process depends on who builds the device, where the vulnerability exists, and who is responsible for the fix, noted Neustar’s Knopf.

Then vendors have to get the SDK for the chipset from the chipset vendor (Intel, Qualcomm, Broadcom, etc.) and add their own Board Support Package utilities, which are the drivers for the chipset, to program the router and the tools used to validate the devices, he added.

“OEMs need to allocate resources to at least maintain awareness of newly discovered vulnerabilities in their systems and then issue updated firmware,” said AsTech’s McDonnell. “It’s also essential to make clear to users that the updates are available so that they are applied.”

If there is a known vulnerability, the end user really can’t do much. The best option would probably be to flash the router with an open source firmware such as DD-WRT, OpenWrt or LEDE, he suggested.

“While open source firmware versions are never going to be perfect,” McDonnell acknowledged, “there is a whole community who maintains and fixes issues.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.

from LinuxInsider

How we fought bad apps and malicious developers in 2017

Posted by Andrew Ahn, Product Manager, Google Play

Apps bring devices to life — letting you book a ride instantly, connect and share memories with friends, be alerted about current events, play games with someone across the globe, and get work done in the office or on the road. Google Play is committed to providing a safe experience for billions of Android users to find and discover such apps. Over the years, this commitment has made Google Play a more trusted and safer place. Last year we more than halved the probability of a user installing a bad app, protecting people and their devices from harm and making Google Play a more challenging place for those who seek to abuse the app ecosystem for their own gain.

In 2017, we took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016. Not only did we remove more bad apps, we were able to identify and take action against them earlier. In fact, 99% of apps with abusive content were identified and rejected before anyone could install them. This was possible through significant improvements in our ability to detect abuse – such as impersonation, inappropriate content, or malware – through new machine learning models and techniques.

We’ve also developed new detection models and techniques that can identify repeat offenders and abusive developer networks at scale. This resulted in the takedown of 100,000 bad developers in 2017, and made it more difficult for bad actors to create new accounts and attempt to publish yet another set of bad apps.

Here are a few examples of bad apps we took action against in 2017:

Impersonating apps

Attempting to deceive users by impersonating famous apps is one of the most common violations. Famous titles get a lot of search traffic for particular keywords, so the bad actors try to amass installs by leveraging such traffic. They do this by trying to sneak impersonating apps into the Play Store through deceptive methods such as using confusable Unicode characters or hiding impersonating app icons in a different locale. In 2017, we took down more than a quarter of a million impersonating apps.
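To make the confusable-character trick concrete, here is an added Python example of how a store-side check can flag a submitted title that reads like a known title but is spelled with look-alike characters. It is not Google Play’s detection code. It canonicalises both titles (NFKC, which folds fullwidth and compatibility forms), maps a table of look-alike Cyrillic and Greek letters to their Latin counterparts, strips zero-width characters, and compares the results. The confusable table is a small constructed subset of Unicode’s confusables.txt, and the catalogue titles are made up for the example.

```python
"""Added example: detecting an app title that impersonates a known title via
confusable Unicode characters. Not Google Play's code; the confusable table is
a constructed subset of Unicode's confusables.txt and the catalogue is made up."""
import unicodedata
from typing import Dict, Iterable, List

# Cyrillic, Greek and dotless-i look-alikes folded to the Latin letters they
# visually impersonate. Real systems load the full Unicode confusables data.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0422": "T", "\u041d": "H", "\u041c": "M", "\u0412": "B", "\u041a": "K",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u039f": "O",
    "\u0131": "i", "\u2010": "-", "\u2011": "-",
}


def skeleton(title: str) -> str:
    """Reduce a title to a comparison key: NFKC (folds fullwidth forms and
    ligatures), map confusables to ASCII, drop format characters (zero-width
    joiners etc.) and combining marks, case-fold and collapse whitespace."""
    s = unicodedata.normalize("NFKC", title)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = "".join(ch for ch in s if unicodedata.category(ch) not in ("Cf", "Mn"))
    return " ".join(s.casefold().split())


def non_ascii_letters(title: str) -> List[str]:
    """The characters a reviewer should look at: letters outside ASCII."""
    return [ch for ch in title if ch.isalpha() and ord(ch) > 127]


def classify(candidate: str, catalogue: Iterable[str]) -> dict:
    """Verdict for a submitted title against a catalogue of known titles.
    'lookalike' means the skeletons collide but the strings differ: the title
    reads as a known app yet is spelled with different characters."""
    known_titles = list(catalogue)
    if candidate in known_titles:
        return {"verdict": "exact_match", "target": candidate}
    key = skeleton(candidate)
    for known in known_titles:
        if key == skeleton(known):
            return {"verdict": "lookalike", "target": known,
                    "suspicious_chars": non_ascii_letters(candidate)}
    return {"verdict": "no_match", "target": None}


# Constructed catalogue of "famous" titles (not real apps).
CATALOGUE = ["Example Messenger", "Sample Pay", "Demo Camera"]

if __name__ == "__main__":
    for t in ["Example Messenger", "Ex\u0430mple M\u0435ssenger", "\uff33ample Pay", "Other App"]:
        print(repr(t), classify(t, CATALOGUE))
```

The second sample title uses Cyrillic а and е in place of Latin a and e and is flagged as a look-alike of “Example Messenger” with the two offending characters listed; the fullwidth Ｓ in the third is folded by NFKC alone and flagged the same way.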

Inappropriate content

We don’t allow apps that contain or promote inappropriate content, such as pornography, extreme violence, hate, and illegal activities. The improved machine learning models sift through massive amounts of incoming app submissions and flag them for potential violations, aiding the human reviewers in effectively detecting and enforcing on the problematic apps. Tens of thousands of apps with inappropriate content were taken down last year as a result of such improved detection methods.

Potentially Harmful Applications (PHAs)

PHAs are a type of malware that can harm people or their devices — e.g., apps that conduct SMS fraud, act as trojans, or phish users’ information. While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store. Finding these bad apps is non-trivial, as malicious developers go the extra mile to make their apps look as legitimate as possible, but with the launch of Google Play Protect in 2017, the annual PHA install rate on Google Play was reduced by 50 percent year over year.

Despite the new and enhanced detection capabilities that led to a record-high number of takedowns of bad apps and malicious developers, we know a few still manage to evade and trick our layers of defense. We take these extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them. We are committed to making Google Play the most trusted and safe app store in the world.


from Android Developers Blog

Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

Software updates remain a sore point for the 86 per cent of smartphone users who run Android. Apple and Microsoft follow significantly different update policies, ones that let each company deliver updates directly to its customers. There is much more to these updates than just the Android (or Windows) version number. With numerous versions, sub-versions and carrier-modified builds of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window of over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely control the design, release and distribution of software updates, it also has full control over which versions of the system a given device is allowed to install. Unlike Android devices, which can install a signed OTA package (or, in some cases, flash a full image) of any version of the software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad, the package must be approved by an Apple server, which issues a cryptographic signature. That signature is produced in real time and is only valid for a particular device.

As a rule, Apple always signs the latest stable version of iOS as well as the current beta version, if one is available. In addition, the company leaves a short window of about two weeks, during which Apple signs the current iOS build as well as the previous build, in order to allow users to roll back if they don’t like the update (rolling back wipes data).

Note: while users may save blobs from the previous version of iOS and then use them to go back at any time, this approach only works for the particular device from which the blobs were captured.
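The signing policy described in the last three paragraphs is easier to reason about as code, so here is an added toy model of it in Python, not Apple’s protocol or implementation. A signing server holds the set of builds it currently signs and issues a ticket bound to one device identifier (ECID) and one build; a device accepts an update only with a valid ticket for its own ECID and that build. Real devices verify an asymmetric signature against a baked-in Apple public key; this model uses an HMAC shared between server and verifier so that it runs with the standard library alone, and the ECIDs, build names and key are constructed.

```python
"""Added example: a toy model of personalised update signing (not Apple's
protocol or code). A server signs (ecid, build) pairs only while the build is
in its signing window; a device accepts a ticket only for its own ECID and the
requested build. HMAC stands in for Apple's asymmetric signature so the model
runs with the standard library; all identifiers are constructed."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

DEMO_KEY = b"constructed-signing-key"


class SigningServer:
    """Signs (ecid, build) pairs, but only for builds in its signing window."""

    def __init__(self, key: bytes, signed_builds: Set[str]):
        self._key = key
        self.signed_builds = set(signed_builds)

    def request_ticket(self, ecid: str, build: str) -> Optional[bytes]:
        """Return a per-device ticket, or None when the build is not being signed."""
        if build not in self.signed_builds:
            return None
        payload = json.dumps({"ecid": ecid, "build": build}, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + tag  # hex tag contains no '.', so the split below is unambiguous

    def close_window(self, build: str) -> None:
        """Stop signing a build, as Apple does with the previous release after about two weeks."""
        self.signed_builds.discard(build)


class Device:
    """Installs a build only if the ticket verifies and names this device and this build."""

    def __init__(self, ecid: str, verify_key: bytes):
        self.ecid = ecid
        self._verify_key = verify_key

    def install(self, build: str, ticket: Optional[bytes]) -> bool:
        if not ticket or b"." not in ticket:
            return False  # server refused to sign, or no ticket supplied
        payload, _, tag = ticket.rpartition(b".")
        expected = hmac.new(self._verify_key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted ticket
        claims = json.loads(payload)
        return claims.get("ecid") == self.ecid and claims.get("build") == build


def demo() -> Dict[str, bool]:
    """Walk through the scenarios in the text and return which installs succeed."""
    server = SigningServer(DEMO_KEY, {"build-100", "build-101"})  # previous and current build
    device_a = Device("ECID-A", DEMO_KEY)
    device_b = Device("ECID-B", DEMO_KEY)

    saved_blob = server.request_ticket(device_a.ecid, "build-100")  # A saves its blobs while still signed
    results = {
        "A installs current build with fresh ticket": device_a.install(
            "build-101", server.request_ticket(device_a.ecid, "build-101")),
        "A installs build that was never signed": device_a.install(
            "build-090", server.request_ticket(device_a.ecid, "build-090")),
        "B replays A's saved blob": device_b.install("build-100", saved_blob),
    }
    server.close_window("build-100")  # the rollback window ends
    results["A rolls back with its own saved blob after window closes"] = device_a.install("build-100", saved_blob)
    results["B requests closed build from server"] = device_b.install(
        "build-100", server.request_ticket(device_b.ecid, "build-100"))
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

The run shows the three properties the text describes: a build the server no longer signs cannot be obtained fresh, a blob saved while the build was signed still works later but only on the device it was issued to, and another device replaying it is rejected because the ECID in the ticket does not match.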

There could be exceptions. For example, on January 11, 2018, Apple accidentally allowed downgrades all the way back to iOS 6. This was a server-side glitch that didn’t last long.

From the user’s perspective, installing an iOS update requires a passcode, meaning that updating from a less vulnerable version of iOS to a more vulnerable one (e.g. updating to iOS 11 for resetting the iTunes backup password) will require the passcode.

This update policy has the following forensic consequences:

  1. Most Apple devices will be running an up to date version of iOS (which may not have a jailbreak available).
  2. If updating a device is needed during the investigation, you can only update to the allowable version of iOS, which is the latest version (sometimes updating to the build before the last version is possible).
  3. If the device is passcode-protected, the passcode will be required to update from iOS 10 to iOS 11 (for the purpose of resetting the iTunes backup password).

Android: a Bizarre Mess

While Apple is in charge of designing and manufacturing its devices as well as the operating system, things are different on the Android side. Smartphones and tablets powered by Android come with a wide range of chipsets, models and carrier variants, all requiring different versions of software.

Updates are a sore point of most Android smartphones and tablets, with the only exception being unlocked Google Pixel devices and the few phones participating in the Android One program.

It is also interesting to mention that Android OEMs may distribute updates through different channels depending on carrier branding, geographical designation of the model and the user’s current location. As an example, a Chinese or Brazilian Moto Z could be running Android 8.0 Oreo with December 2017 security patch, while Moto Z’s for the rest of the world would still be running Android 7.1.1 with the same December 2017 security patch, except for Verizon (USA) models that would receive the Oreo update. Weird? It’s just the beginning.

In Android land, the same phone may have several different models designed for different markets and carriers. Even if using identical hardware, those models may differ in supported radio bands. Manufacturers may have different policies regarding bootloader unlock for the different versions. No wonder the different versions of the same model will also have differences in software, making physical acquisition a gamble.

For a typical Android smartphone (or tablet), the following parties are involved in making a software update happen.

  1. Google releases the Android sources for everyone to use. By this time, Google’s own Pixel smartphones will already be running the latest version of Android.
  2. Chipset manufacturer. The chipset manufacturer (Qualcomm, MediaTek, NVIDIA, Rockchip etc.) must make chipset drivers for the new version of Android and distribute them to its customers (OEMs). The chipset manufacturer may refuse to make drivers for the new version of Android, meaning that all devices powered by that particular chipset will not be updated. This can happen to flagship chipsets, too, as with Qualcomm refusing to make Snapdragon 800/801 drivers for Android 7.
  3. Once the OEM receives the drivers from the chipset manufacturer, it may start adapting Android for its devices. This is further slowed down by the fact that many manufacturers use their own “skins” on top of pure Android that must be adapted to the new version of the OS. Obviously, this takes time.
  4. After the OEM makes a working build of Android for a particular model, the update must be certified by one of the Google-approved labs. This takes more time. For unlocked smartphones, this is it: the update can be distributed by the OEM. For carrier-branded devices, one more step remains.
  5. For carrier-branded smartphones, the update must be reviewed and certified by the carrier, who may then push the update to its customers. Needless to say, this extra step may not only introduce additional delays (sometimes as long as 6-9 months), but may prevent the update entirely if the carrier does not feel it sold enough of those phones.

Android’s scattered update policy may have the following forensic implications:

  1. Many users will run outdated versions of Android, which makes them vulnerable to exploits leading to root access, making physical acquisition trivial. In addition, they may run versions of Android that do not force full-disk encryption, making chip-off acquisition possible.
  2. Due to the sheer number of models and software versions, including carrier versions, a certain model (e.g. Moto G5) is never guaranteed to run a given version of software. Even worse: even if you have a certain model (say, a Moto G5) that runs a certain build of Android (e.g. Android 7.0, September 2017 security patch level), there will still be differences if the two Moto G5’s are branded by different carriers. For the expert, this means different offsets for bootloader-level exploits, making physical acquisition via bootloader-level exploits work on one phone and fail on its sibling. This is never the case with the iPhone: all iPhone devices (of the same model) running the same version of iOS are susceptible to the same exploits.
  3. Since full-disk encryption was introduced in Android 5 and enforced since Android 6 (but only on devices shipped with Android 6 out of the box), low-level acquisition is a hit or miss. However, some versions of Android are vulnerable to exploits. Since most manufacturers ignore or severely delay Google’s monthly security patches, the chance of successfully exploiting a vulnerability on a given device is much higher compared to iOS or Windows 10 Mobile.
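The variation described above (release, patch level, carrier branding and whether full-disk encryption was mandatory for the device) can be read straight from an Android device's build properties. The following triage helper is an added example, not code from the original post: it parses `adb shell getprop` output and reports patch lag and encryption posture. The property names are standard Android properties; the two sample outputs are constructed, and the two-month staleness threshold is an assumption.

```python
"""Triage Android build properties for patch lag and encryption posture (added example)."""
import re
from datetime import date

# Constructed `getprop` excerpts: same model, two brandings, different releases.
SAMPLE_GETPROP = {
    "retail": """\
[ro.product.model]: [Moto Z]
[ro.build.version.release]: [7.1.1]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2017-12-01]
[ro.product.first_api_level]: [24]
[ro.crypto.state]: [encrypted]
[ro.carrier]: [retail]
""",
    "carrier": """\
[ro.product.model]: [Moto Z]
[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2017-12-01]
[ro.product.first_api_level]: [24]
[ro.crypto.state]: [encrypted]
[ro.carrier]: [verizon]
""",
}

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.M)

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict."""
    return dict(PROP_RE.findall(text))

def patch_age_months(patch_level, today):
    """Whole months between a YYYY-MM-DD security patch level and `today`."""
    year, month, _ = (int(x) for x in patch_level.split("-"))
    return (today.year - year) * 12 + (today.month - month)

def triage(getprop_text, today):
    props = parse_getprop(getprop_text)
    patch = props.get("ro.build.version.security_patch", "")
    # API level the device shipped with; fall back to the current SDK if absent.
    first_api = int(props.get("ro.product.first_api_level", props.get("ro.build.version.sdk", "0")))
    age = patch_age_months(patch, today) if patch else None
    return {
        "model": props.get("ro.product.model"),
        "carrier": props.get("ro.carrier"),
        "release": props.get("ro.build.version.release"),
        "patch_age_months": age,
        "patch_stale": age is None or age > 2,   # assumed threshold: monthly patches, 2 months slack
        "fde_enforced_at_ship": first_api >= 23,  # FDE mandatory only if shipped with Android 6+ (API 23)
        "encrypted_now": props.get("ro.crypto.state") == "encrypted",
    }
```

Run `triage(open("getprop.txt").read(), date.today())` against a real dump to compare two devices of the same model side by side.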

Microsoft Windows 10 Mobile: It’s Interesting

We have already covered two different approaches: Apple’s (which distributes updates directly and simultaneously for all models) and Android OEMs’ (which are all over the place). While those policies are very different by all accounts, there is one thing in common between Apple and Android OEMs. iOS 11.2.2 is always newer than iOS 11.2.1, and once there is an Android 8 update for a given smartphone, ROMs based on Android 7.x are no longer maintained.

Microsoft, on the other hand, has a complex (and complicated) update structure for Microsoft-branded and third-party smartphones running Windows 10 Mobile.

For W10M devices, there are different branches of Windows. There are the first Windows 10 Mobile, the November Update, the Anniversary Update, the Creators Update, and the Fall Creators Update. According to Microsoft, each branch is set to receive extended support updates and security patches for a minimum of 24 months after the lifecycle start date.

Interestingly, Microsoft delivers security patches and minor updates directly to handset users, while major updates may still have to go through the carrier for approval. However, users can bypass carriers completely by opting into the Windows Insider program, in which case Microsoft will deliver all updates directly to users.

What does it mean in practical terms? Even if the phone (e.g. Lumia 930) is not officially receiving the Fall Creators Update and is still running the previous Windows branch, it will still see bug fixes and security patches for two years after the initial release of the Windows 10 branch that was last available to that device. However, users may opt in to the Windows Insider program and receive insider builds of Windows 10 Fall Creators Update on their device, even if they are not “officially” supported. The insider branch will also receive bug fixes and security patches in parallel with the older branch (Creators Update).

This update policy means that two identical phones may be both running the latest version of Windows 10 Mobile, yet one will be the Creators Update with up to date security patches, while the other could be Fall Creators Update (again, with up to date security patches).

Forensic consequences:

  1. You may never know for sure which Windows branch the phone is running. However, in most cases, the phone will have the latest security patches installed regardless of the Windows branch.
  2. Microsoft has a solid track record supporting and updating its phones. Even if Windows 10 Mobile is discontinued, existing devices will receive updates for at least two more years (yes, even the Lumia 950/950 XL released back in 2015).


The three mobile operating systems have vast differences in how they are updated and maintained. Ranging from Apple’s tight grip over iOS and the company’s full control over its updates to Android’s bizarre mess, software updates affect mobile forensics. While in most cases the newer builds are more secure compared to the older ones, iOS 11 proved to be a major exception, so updating iPhones to the latest version of iOS may be worth it.


from Advanced Password Cracking – Insight

Malware Displaying Porn Ads Discovered in Game Apps on Google Play

In the past, cyber-criminals have targeted businesses, hospitals, and governments; today, we’ve seen them begin to focus on games and apps intended for children.


Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside roughly 60 game apps, several of which are intended for use by children. According to Google Play’s data, the apps have been downloaded between 3 million and 7 million times.


Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:

  1. Displaying ads from the web that are often highly inappropriate and pornographic.
  2. Attempting to trick users into installing fake ‘security apps’.
  3. Inducing users to register to premium services at the user’s expense.


In addition, the malicious code can be used to open the door for other attacks such as user credential theft.


How It Works

Once the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock their screen in order to initiate the attack. The attacker then selects which of the above three actions to take and then displays it on the device owner’s screen.

Figure 1: ‘AdultSwine’ Operation Flow
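The trigger described above (waiting for a boot or a screen unlock) corresponds to an app registering a broadcast receiver for the standard Android `BOOT_COMPLETED` and `USER_PRESENT` actions. The following static check is an added example, not Check Point's detection logic or code from the post: it parses an AndroidManifest.xml and flags a game that combines both wake-up triggers with the draw-over-apps permission. Treating `SYSTEM_ALERT_WINDOW` as the overlay indicator is an assumption, and the sample manifest is constructed, not taken from any real sample.

```python
"""Static manifest triage for boot/unlock wake-up triggers plus overlay rights (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: a "kids game" that also wakes on boot and unlock and can draw over apps.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.kidsgame">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".GameActivity"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Standard Android broadcasts for "device booted" and "user unlocked the screen".
TRIGGER_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.USER_PRESENT"}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"  # assumed overlay indicator

def manifest_indicators(manifest_xml):
    """Return the wake-up triggers and overlay permission declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    triggers = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in TRIGGER_ACTIONS:
                triggers.add(name)
    return {
        "package": root.get("package"),
        "wake_triggers": sorted(triggers),
        "overlay_permission": OVERLAY_PERMISSION in perms,
        # Flag only the combination; either indicator alone is common in benign apps.
        "suspicious": triggers == TRIGGER_ACTIONS and OVERLAY_PERMISSION in perms,
    }
```

Point it at a manifest decoded from an APK (e.g. with apktool) to get a quick yes/no before deeper analysis.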


Inappropriate and Pornographic Ads

The most shocking element of this malicious app is its ability to cause pornographic ads (from the attacker’s 3rd party library) to pop up without warning on the screen over the legitimate game app being displayed.


Figure 2: A mild example of the ads presented and a comment from a parent of a four-year old victim.


Scareware – Deceptive App Install Tactics

Another course of action the malicious app pursues is scaring users into installing unnecessary and possibly harmful “security” apps.

First, the malicious app displays a misleading ad claiming a virus has infected the user’s device.

Upon selecting the ‘Remove Virus Now’ call to action, the user is directed to another app in the Google Play Store posing as a virus removal solution.

The “virus removal solution” is anything but – it’s another fake app.


Figure 3: Notifications shown to redirect users to download fake anti-virus apps.


Registering To Premium Services

Another technique used by the malicious app is registering to premium services and charging the victim’s account for fraudulent premium services they did not request. In a similar way to the scareware tactic presented above, the malicious app initially displays a pop-up ad, which attempts to persuade the user to register for this service.

This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the page informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the ad itself then uses this number to register to premium services.


Decisive Corrective Action

Upon being advised of our findings, Google collaborated with Check Point Research, took prompt action to remove affected apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to any users that still have the apps installed.

The scareware “virus removal solution” was suspended from Google Play for using inappropriate marketing tactics to drive installs.



Apps infected with the nasty ‘AdultSwine’ malicious code are able to cause emotional and financial distress.

Due to the pervasive use of mobile apps, ‘AdultSwine’ and other similar malicious apps will likely be continually repeated and imitated by hackers. Users should be extra vigilant when installing apps, particularly those intended for use by children. We advise parents to verify that apps used by their children are categorized as “Designed for Families” on Google Play.

Effective protection from attack by these malicious apps requires users to install advanced mobile threat defense solutions such as Check Point ZoneAlarm on all mobile devices.

For full details of the research, please visit our Research Blog.

The post Malware Displaying Porn Ads Discovered in Game Apps on Google Play appeared first on Check Point Blog.

from Check Point Blog