Malware Is Still Spying On Android After Your Mobile Is Off

As posted on the AVG blog, a new piece of Android Malware has been found.

After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on.

While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.

How does this happen?

First, we have to analyze the shutdown process in detail.

On Android devices, pressing the power button invokes the interceptKeyBeforeQueueing function. interceptKeyBeforeQueueing checks whether the power button was pressed and hands off to the corresponding shutdown path.

via Malware Is Still Spying On You After Your Mobile Is Off.

Investigating Malware Pawn Storm for iPhone

As posted on the Fortinet Blog!

What does the malware do?

To summarize the malware’s goals, it fetches commands via HTTP GET from a remote C&C, and uploads information via HTTP POST. The commands it recognizes are listed in the table below.

0: Get Info Device
1: Start Record
2: Get Audio File
3: Get Contact List
4: Current Location
5: Get Installed Apps
6: Wifi Status
7: Get all Pictures from Photo Library
8: List a given directory
9: Get a given file
10: Get process list
11: Get SMS

The code shows a few interesting things:

via Investigating on Pawn Storm for iPhone | Fortinet Blog.

Bank Hackers Steal Millions via Malware

PALO ALTO, Calif. — In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.


But when a Russian cybersecurity firm, Kaspersky Lab, was called to Ukraine to investigate, it discovered that the errant machine was the least of the bank’s problems.

via Bank Hackers Steal Millions via Malware – NYTimes.com.

WhatsApp security still broken…

“WhatsSpy Public” a tool for spying on WhatsApp users bypassing security settings


Social media is growing at a fast pace nowadays, but with growing socialization the safety measures and privacy options should also be developed, so that one’s information cannot be leaked at any endpoint. Social apps such as Facebook, WhatsApp, Hike, Instagram etc. are used by many people without knowing how safe they really are, or whether their messages or personal information are being leaked.

The standalone smartphone instant-messaging app WhatsApp is once again in the news because of a tool that can break its security features. The recently released WhatsSpy Public tool can give you status updates of any WhatsApp user, even if privacy options have been enabled.

WhatsSpy Public uses a web-based utility to trace the activity of a WhatsApp user and shows it in a dashboard, with events displayed in a timeline. The tool can also compare the activity of one user against that of another.

via WhatsSpy Public : WhatsApp status tool lets stalkers track you bypassing privacy settings.

Dark Clouds above the Netatmo Weather Station After Sending WPA Passphrase in the Clear

I have the bad habit of playing with home automation and various data acquisition tools. I could quit any time if I wanted to, but so far, I decided not to. My latest toy to add to the collection was a “Netatmo” weather station. It fits in nicely with the aluminum design of my MacBook, so who cares if the manufacturer considered security in its design, as long as it looks cool and is easy to set up.

Setting up the device was pretty straightforward, and looked “secure”. It requires connecting to the device via USB, and a custom application is used to configure the device with your username, password and WiFi settings including the WiFi password. After the initial setup, the station needs USB for power only, and communicates via WiFi to the “Cloud”.


But after the simple setup, a nice “surprise” waited for me in my snort logs:

[**] [1:1000284:0] WPA PSK Passphrase Leak [**] [Priority: 0] {TCP} a.b.c.d:21908 -> 195.154.176.41:25050

I do have a custom rule in my snort rule set, alerting me of the passphrase being sent in the clear. Let's just say that it happened before. The rule is very simple:

alert ip any any -> any any ( sid: 1000284; msg: "WPA PSK Passphrase Leak"; content: "[Iamnotgoingtotellyou]"; )

So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to “the cloud”, along with some other data. The data include the weather station's MAC address, the SSID of the WiFi network, and some hex encoded snippets.

Not only should data like this not be transmitted “in the clear”, but in addition, there is no need for Netatmo to know the WPA password for my network.

I reported the problem to Netatmo, and got the following reply:

Hi,


Indeed at first startup we dump weather station memory for debug purposes, we will not dump it anymore.

We will remove this debug memory very soon (coming weeks).


So far I haven’t seen any additional transmissions from the weather station containing the password, even after restarting it. I didn’t do a full factory reset yet. But in general, the data appears to be unencrypted. The MAC address of the station and the outdoor sensor are easily found in the payload. So far, I couldn’t find documentation for the protocol, so it will take a bit more time to reverse it.

According to the weather station map provided by Netatmo, these devices are already quite popular. Here is a snapshot of the map in my “Neighborhood”:

via InfoSec Handlers Diary Blog – Did You Remove That Debug Code? Netatmo Weather Station Sending WPA Passphrase in the Clear.

Alcatel-Lucent report on malware in 2014 sees rise in device and network attacks that place personal and workplace privacy at risk | Alcatel-Lucent

The Motive Security Labs report – which looked at all popular mobile device platforms – found that such malware infections in mobile devices increased 25% in 2014, compared to a 20% increase in 2013. Android™ devices have now caught up with Windows™ laptops, which had been the primary workhorse of cybercrime, with infection rates between Android and Windows devices split 50/50 in 2014. While less than 1% of infections come from iPhone® and Blackberry® smartphones, new vulnerabilities emerged last year to show they are not immune to malware threats.

Malware growth continues to be aided by the fact that a vast majority of mobile device owners do not take proper device security precautions. A recent Motive Security Labs survey found that 65% of subscribers instead expect their service provider to protect both their mobile and home devices. Motive’s malware report concluded that infection rates in residential networks also rose significantly in 2014, with malware found in 13.6% of residences, an increase of 5% over the previous year.

“With malware attacks on devices steadily rising with consumer ultra-broadband usage, the impact on customer experience becomes a primary concern for service providers,” said Patrick Tan, General Manager of Network Intelligence at Alcatel-Lucent. “As a result, we’re seeing more operators take a proactive approach to this problem by providing services that alert subscribers to malware on their devices along with self-help instructions for removing it.”

Other Motive Security Lab report highlights include:

The mobile infection rate in 2014 is 0.68%. Based on this Alcatel-Lucent estimates that worldwide, about 16 million mobile devices are infected by malware.

Mobile malware is increasing in sophistication, with more robust command and control protocols.

Mobile spyware, used to spy on a phone’s owner, is also on the increase. It tracks the phone’s location, monitors ingoing and outgoing calls, text messages, e-mail and tracks web browsing.

The overall monthly infection rate in residential fixed broadband networks is just under 14%. This is up substantially from the 9% seen in 2013. This is mostly attributable to an increase in infections by moderate threat level adware.

High-level threats such as ‘bots’, ‘rootkits’, and ‘banking trojans’ remain steady at around 5%.

via Alcatel-Lucent report on malware in 2014 sees rise in device and network attacks that place personal and workplace privacy at risk | Alcatel-Lucent.

Need for Security grows Again after Anthem Breach


Mobile devices are a potential entry point for hackers and their malware. If you’re considering solutions to plug your mobile security gaps, our cross-platform solution is well-positioned to help deliver those security gains and satisfy the needs of both enterprises and government agencies. BES12 supports iOS, Android and Windows Phone devices and provides the confidentiality, integrity and authenticity to help protect your organization from data loss and theft.

Furthermore, as the leading EMM provider, BlackBerry counts all G7 governments and 16 of the G20 governments among its customers.

For even more proven security, consider devices running the BlackBerry 10 platform, which is the first to obtain a coveted approval from the U.S. Defence Information Systems Agency (DISA) for Full Operational Capability on U.S. Department of Defense networks.

via U.S. Gov Cybersecurity Budget, Anthem Breach, Need for Security | Inside BlackBerry for Business Blog.

Remotely install and launch Android apps from the Play Store Vulnerability

Lucky for me… I am using a BlackBerry Passport!

Vulnerability Summary


Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google’s Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).


Affected Platforms

Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the ones most at risk. Other browsers may also be affected.


Simplified Demonstration of the XFO Gap

The following Javascript is sufficient to elicit a response from the play.google.com domain without an appropriate XFO header:

via Metasploit: R7-2015-02: Google Play Store X-Fra… | SecurityStreet.
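The root cause in the advisory above is a page that can be framed because no X-Frame-Options (or CSP frame-ancestors) header covers it. The following checker is an added example, not code from Rapid7 or Google: given a response's headers, it decides whether a chosen origin could frame the page, applying frame-ancestors first and X-Frame-Options as the fallback. The header sets and hostnames are constructed for illustration, not captured from the Play Store.

```python
from typing import Dict, List
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_allows(sources: List[str], page_url: str, framer: str) -> bool:
    """Match a CSP frame-ancestors source list against the framing origin."""
    f = urlsplit(framer.lower())
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*" or (s == "self" and _origin(page_url) == _origin(framer)):
            return True
        if s.endswith(":"):                      # scheme-source such as https:
            if f.scheme == s[:-1]:
                return True
            continue
        scheme, _, host = s.rpartition("://")    # scheme is "" when absent
        if scheme and scheme != f.scheme:
            continue
        if host.startswith("*.") and f.netloc.endswith(host[1:]):
            return True
        if f.netloc == host:
            return True
    return False


def framing_allowed(headers: Dict[str, str], page_url: str, framer: str) -> bool:
    """True if a page served with `headers` could be framed from `framer`.
    frame-ancestors wins when present; else X-Frame-Options; else anyone can frame."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return _csp_allows(parts[1:], page_url, framer)
    token = h.get("x-frame-options", "").split(None, 1)
    kind = token[0].upper() if token else ""
    if kind == "DENY":
        return False
    if kind == "SAMEORIGIN":
        return _origin(page_url) == _origin(framer)
    if kind == "ALLOW-FROM" and len(token) == 2:
        return _origin(token[1]) == _origin(framer)
    return True                                  # header absent or unrecognised: the XFO gap


# Constructed sample header sets and hostnames (not from any real site)
PAGE = "https://store.example/apps"
NO_XFO = {"Content-Type": "text/html"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://*.trusted.example"}
```

Run it against a response captured from a proxy or curl -I, and treat a True result for an untrusted origin as a finding.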

Web Security Analysis of 12 BlackBerry 10 Applications | FileArchiveHaven

There are many things that tie BlackBerry users together, and one of those has always been the importance of security. Some people forget that being secure means more than just ensuring an application is virus free! Nefarious (what a great word) applications can access private data, sneak that data out to private websites, and even monitor your device traffic to keep tabs on what you’re doing, all without the user knowing. Really dangerous applications can go even farther, allowing a developer to remotely execute code on a user’s device without the user’s permission! Imagine applications that can decide what you can and can’t do, search the internet for things without you knowing, or perform actions on your phone without your knowledge.


Not only are these security concerns very real, but they go unnoticed by all major platforms during testing and validation cycles. No major device manufacturer at this time is monitoring applications submitted to their platforms for what data is being sent and received. Although, to give them credit, BlackBerry has done a fantastic job of limiting what applications with back-doors can do.

via Web Security Analysis of 12 BlackBerry 10 Applications | FileArchiveHaven.