

Kaspersky raises alarm over security breaches through apps



Cybersecurity firm Kaspersky has raised an alarm over security breaches that originate in app downloads.

According to the firm, mobile devices have become the primary target. Kaspersky noted that in 2019 the number of mobile phone users worldwide was expected to reach 4.68 billion, of whom 2.7 billion are smartphone users.

It noted that the growth in smartphone users widens the pool of potential victims. With unsecured Wi-Fi connections, network spoofing, phishing attacks, ransomware, spyware and improper session handling all in play, Kaspersky said, mobile devices make an easy target. According to Kaspersky, mobile apps are often the cause of unintentional data leakage.

General Manager for Kaspersky in Africa, Riaan Badenhorst, said: “Apps pose a real problem for mobile users, who give them sweeping permissions, but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers or even cybercriminals.

“Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread valuable data across corporate networks without raising red flags.”

In fact, according to recent reports, six Android apps that were downloaded 90 million times from the Google Play Store were found to have been loaded with the PreAMo malware, while another recent threat saw 50 malware-filled apps on the Google Play Store infect over 30 million Android devices. Surveillance malware was also loaded onto fake versions of Android apps such as Evernote, Google Play and Skype.

Kaspersky said that, considering that as of 2019 Android users could choose between 2.46 million apps while Apple users had almost 1.96 million, and that the average person has 60 to 90 apps installed on their phone, uses around 30 of them each month and launches nine per day, it is easy to see how viral apps take social media channels by storm.

Enterprise Sales Manager at Kaspersky in Africa, Bethwel Opil, said: “In this age where users jump onto a bandwagon because it’s fun or trendy, the Fear of Missing Out (FOMO) can overshadow basic security habits – like being vigilant on granting app permissions.

In fact, according to a previous Kaspersky study, the majority (63 per cent) of consumers do not read license agreements and 43 per cent just tick all privacy permissions when they are installing new apps on their phone. And this is exactly where the danger lies – as there is certainly ‘no harm’ in joining online challenges or installing new apps.”

However, it is dangerous when users grant these apps limitless permissions over their contacts, photos, private messages and more. “Doing so allows the app makers possible, and even legal, access to what should remain confidential data. When this sensitive data is hacked or misused, a viral app can turn a source into a loophole which hackers can exploit to spread malicious viruses or ransomware,” Badenhorst added.

Kaspersky advised online users to be mindful of their Internet and app habits, including:

  • Only download apps from trusted sources, and read the apps’ reviews and ratings.
  • Select the apps you install on your devices wisely.
  • Read the license agreement carefully.
  • Pay attention to the list of permissions an app requests. Grant only the permissions it absolutely needs, and forgo any programme that asks for more than necessary.
  • Avoid simply clicking “next” during an app installation.
  • For an additional security layer, have a security solution installed on your device.
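The advice to watch permissions can be turned into a check rather than a habit. The block below is an added example, not Kaspersky’s code: it parses a constructed excerpt in the layout of `adb shell dumpsys package <pkg>` output, lists which permissions the package actually holds, flags those that Android classifies as “dangerous” and that reach the contacts, messages, camera, microphone and location data the article names, and emits the `adb shell pm revoke` commands that take them back without uninstalling the app. The package name, hash and permission set are constructed for the example; on a real device, feed the function the actual dumpsys output.

```python
import re

# Constructed excerpt in the layout of `adb shell dumpsys package com.example.viralcam`.
# Package name, hash and permissions are made up for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.viralcam] (3f2a1b):
    userId=10231
    versionName=2.4.1
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_DENIED]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
"""

# Runtime permissions Android classifies as "dangerous" and that reach the data the
# article names (contacts, messages, photos, microphone, camera, location).
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES",
}

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_permissions(dump: str) -> dict:
    """Return the package name, the permissions it requested and those actually granted."""
    package, requested, granted, section = None, [], set(), None
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            package = m.group(1)
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped[:-1]  # "requested permissions", "install permissions", "runtime permissions"
            continue
        if section == "requested permissions" and stripped.startswith("android.permission."):
            requested.append(stripped)
            continue
        m = GRANT_RE.match(line)
        if m and section in ("install permissions", "runtime permissions") and m.group(2) == "true":
            granted.add(m.group(1))
    return {"package": package, "requested": requested, "granted": granted}


def audit(dump: str) -> list:
    """Sorted list of dangerous permissions the package currently holds."""
    info = parse_permissions(dump)
    return sorted(p for p in info["granted"] if p in DANGEROUS)


def revoke_commands(dump: str) -> list:
    """`pm revoke` takes a runtime permission back without uninstalling the app."""
    info = parse_permissions(dump)
    return [f"adb shell pm revoke {info['package']} {p}" for p in audit(dump)]


if __name__ == "__main__":
    for cmd in revoke_commands(SAMPLE_DUMPSYS):
        print(cmd)
```

Requested permissions are kept separately from granted ones on purpose: a camera app that merely declares READ_SMS is worth a second look, but only a granted permission is something the app can use today. Location shows up as requested but denied in the sample, so it is not flagged.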

“While the app market shows no signs of slowing down, it is changing. Consumers download the apps they love on their devices which in turn gives them access to content that is relevant and useful. The future of apps will be in real-world attribution, influenced by local content and this type of tailored in-app experience will lead consumers to share their data more willing in a trusted, premium app environment in exchange for more personalised experiences. But until then, proceed with caution,” Opil said.




Malicious Android apps containing Joker malware set up shop on Google Play




A new malware campaign has managed to infiltrate the official Google Play store to deploy the Joker Trojan to Android devices in a bid to conduct ad fraud. 

Last week, security researcher Aleksejs Kuprins from cybersecurity threat intelligence firm CSIS Security Group said the surge of malicious activity has been tracked in recent weeks, leading to the discovery of 24 Android applications containing the malware. 

In total, the applications — made available through Google Play — have been installed over 472,000 times by unwitting Android handset owners. 

The malicious applications contained a Trojan dubbed Joker by the cybersecurity firm, a name that references one of the domain names connected to the operator’s command-and-control (C2) server. 

Joker attempts to remain silent and undetected on infected devices by shipping as little Java code as possible and obfuscating the code it does carry. In many cases, the malware has been integrated into advertising frameworks bundled with its malicious apps.

The malicious code contains the usual list of Trojan functions including the theft of SMS messages, contact information, and device data, and constantly pings its C2 for commands. However, Joker goes further by attempting to generate profit for its operator through fraudulent advertising activity. 

Joker is able to interact with ad networks and websites by simulating clicks and silently signing up victims for premium services. In one example, Joker signed up users in Denmark for a premium website service costing roughly 7 euros a week by simulating clicks on the website, automatically entering the operator’s offer codes, and extracting confirmation codes from SMS messages sent to the target device. These codes are then submitted to the ad website to complete the process. 

In other cases, the malware may simply send SMS messages to premium numbers. 

Each fraudulent ‘job’ is received from the C2 and once premium service signups are complete, Joker informs the C2 and awaits further instructions. 

Joker’s operators focus on 37 specific countries as targets, including China, the UK, Germany, France, Singapore, and Australia. Many of the infected apps found by the researchers contain a list of Mobile Country Codes (MCC), and the SIM card in an infected device must report one of the listed MCCs for Joker to execute.

Most of these applications will not deploy the malware if users are in the United States or Canada; however, a handful of them do not contain any country restrictions. 

When it comes to Joker’s attribution, nothing has been set in stone, but the interface of the C2’s administration panel and some of the bot’s coding indicate that the developers of the malware could be Chinese. 

While the number of installs is relatively high, Google had already detected and removed all of the malicious apps from Google Play on its own, without needing a disclosure from the researchers. Malware creeping into official app repositories is a constant challenge, but in this case CSIS Security Group says the tech giant “seems to be on top of this threat as much as it is possible.”




How Safari and iMessage Have Made iPhones Less Secure




The security reputation of iOS, once considered the world’s most hardened mainstream operating system, has taken a beating over the past month: Half a dozen interactionless attacks that could take over iPhones without a click were revealed at the Black Hat security conference. Another five iOS exploit chains were exposed in malicious websites that took over scores of victim devices. Zero-day exploit brokers are complaining that hackers are glutting the market with iOS attacks, reducing the prices they command.

As Apple prepares for its iPhone 11 launch on Tuesday, the recent stumbles suggest it’s time for the company to go beyond fixing the individual security flaws that have made those iPhone attacks possible, and to instead examine the deeper issues in iOS that have produced those abundant bugs. According to iOS-focused security researchers, that means taking a hard look at two key inroads into an iPhone’s internals: Safari and iMessage.

While vulnerabilities in those apps offer only an initial foothold into an iOS device—a hacker still has to find other bugs that allow them to penetrate deeper into the phone’s operating system—those surface-level flaws have nonetheless helped to make the recent spate of iOS attacks possible. Apple declined to comment on the record.

“If you want to compromise an iPhone, these are the best ways to do it,” says independent security researcher Linus Henze of the two apps. Henze gained notoriety as an Apple hacker after revealing a macOS vulnerability known as KeySteal earlier this year. He and other iOS researchers argue that when it comes to the security of both iMessage and WebKit—the browser engine that serves as the foundation not just of Safari but all iOS browsers—iOS suffers from Apple’s preference for its own code above that of other companies. “Apple trusts their own code way more than the code of others,” says Henze. “They just don’t want to accept the fact that they make bugs in their own code, too.”

Caught in a WebKit

As a prime example, Apple requires that all iOS web browsers, whether Chrome, Firefox, Brave or any other, be built on the same WebKit engine that Safari uses. “Basically it’s just like running Safari with a different user interface,” Henze says. Apple demands browsers use WebKit, Henze says, because running websites’ JavaScript at acceptable speed requires just-in-time (JIT) compilation, which generates machine code while the page runs. Programs that run on an iOS device generally have to be cryptographically signed by Apple or an approved developer, but JIT-generated code cannot be signed ahead of time, so a JIT needs an exemption from that safeguard.

As a result, Apple has insisted that only its own WebKit engine be allowed to handle that unsigned code. “They trust their own stuff more,” Henze says. “And if they make an exception for Chrome, they have to make an exception for everyone.”



The problem with making WebKit mandatory, according to security researchers, is that Apple’s browser engine is in some respects less secure than Chrome’s. Amy Burnett, a founder of security firm Ret2 who leads trainings in both Chrome and WebKit exploitation, says that it’s not clear which of the two browsers has more exploitable bugs. But she argues that Chrome’s bugs are fixed faster, which she credits in part to Google’s internal efforts to find and eliminate security flaws in its own code, often through automated techniques like fuzzing.

Google also offers a bug bounty for Chrome flaws, which incentivizes hackers to find and report them, whereas Apple offers no such bounty for WebKit unless a WebKit bug is integrated into an attack technique that penetrates deeper into iOS. “You’re going to find similar bug classes in both browsers,” says Burnett. “The question is whether they can get rid of enough of the low hanging fruit, and it seems like Google is doing a better job there.” Burnett adds that Chrome’s sandbox, which isolates the browser from the rest of the operating system, is also “notoriously” difficult to bypass—more so than WebKit’s—making any Chrome bugs that do persist less useful for gaining further access to a device.

Shady References

Another specific element of WebKit’s architecture that can result in hackable flaws, says Luca Todesco, an independent security researcher who has released WebKit and full iOS hacking techniques, is WebCore, the component of WebKit that implements the document object model and renders websites. WebCore requires that a browser developer keep careful track of which data “object”—anything from a string of text to an array of data—references another object, a finicky process known as “reference counting.” Make a mistake, and one of those references might be left pointing at an object that has already been freed. A hacker can fill that freed memory with an object of their choosing, like a spy who picks up someone else’s name tag at a conference registration table.

By contrast, Chrome’s rendering engine, Blink, which was forked from WebCore, manages its DOM objects with a “garbage collector” that frees an object only once nothing refers to it any more, so a reference cannot be left pointing at freed memory. WebKit instead relies on an automated reference counting system, “smart pointers,” that Todesco argues still leaves room for error. “There’s just so many things that can potentially happen, and in WebCore the browser developer has to keep track of all these possibilities,” Todesco says. “It’s impossible not to screw up.”

To Apple’s credit, iOS has for more than a year implemented a security mitigation called isolated heaps, or “isoheaps,” designed to make errors in reference counting impossible to exploit, as well as newer mitigations in the hardware of the iPhone XS, XS Max, and XR. But both Todesco and Burnett note that while isolated heaps significantly improved WebCore’s security and pushed many hackers towards attacking different parts of WebKit, they didn’t entirely prevent attacks on WebCore. Todesco says there have been multiple exploits of reference-counting errors since isoheaps were introduced in 2018. “You can’t say they’re eliminated,” Ret2’s Burnett agrees.

Despite all those issues, and even as WebKit’s flaws have served as the entry point for one iOS attack after another, it’s debatable whether WebKit is measurably less secure than Chrome. In fact, a price chart from Zerodium, a firm which sells zero-day hacking techniques, values Chrome and Safari attacks equally. But another zero-day broker, Maor Shwartz, told WIRED by contrast that WebKit’s insecurity relative to Chrome contributed directly to top prices for an Android exploit surpassing those for iOS. “Chrome is the most secure browser today,” Shwartz says. “The prices are aligned with that.”

Getting the Message

Hackable flaws in iMessage are far rarer than those in WebKit. But they’re also far more powerful, given that they can be used as the first step in a hacking technique that takes over a target phone with no user interaction. So it was all the more surprising last month to see Natalie Silvanovich, a researcher with Google’s Project Zero team, expose an entire collection of previously unknown flaws in iMessage that could be used to enable remote, zero-click takeovers of iPhones.

More disturbing than the existence of those individual bugs was that they all stemmed from the same security issue: iMessage exposes to attackers its “unserializer,” a component that essentially unpacks different types of data sent to the device via iMessage. Patrick Wardle, a security researcher at Apple-focused security firm Jamf, describes the mistake as something like blindly opening a box sent to you full of disassembled components, and reassembling them without an initial check that they won’t add up to something dangerous. “I could put the parts of a bomb in that box,” says Wardle. “If Apple is allowing you to unserialize all these objects, that exposes a big attack surface.”
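Wardle’s “box of parts” is the same problem any deserializer of attacker-controlled data has, and the fix has the same shape everywhere: decide which types the receiver is prepared to reconstruct before resolving anything the bytes name. The block below is an added illustration in Python; it is not iMessage’s code and is not from the WIRED piece. It builds a constructed payload that makes the standard unpickler call a function of the sender’s choosing (`os.getcwd` stands in for whatever an attacker would rather run), then shows the allowlist check a restricted unpickler applies in `find_class`, the hook the unpickler consults before it resolves any class or callable.

```python
import builtins
import io
import os
import pickle

# Constructed payload: a pickle whose REDUCE opcode tells the unpickler to call
# os.getcwd() with no arguments. Any importable callable could take its place.
class _CallGetcwd:
    def __reduce__(self):
        return (os.getcwd, ())

PAYLOAD = pickle.dumps(_CallGetcwd())
BENIGN = pickle.dumps({"sender": "alice", "attachments": [1, 2, 3]})


def naive_unpack(data: bytes):
    """The 'open the box blindly' path: resolves and calls whatever the bytes name."""
    return pickle.loads(data)


# Types the receiver is prepared to reconstruct. Everything else is refused by name
# before it is resolved, so the unpickler never reaches a callable of the sender's choosing.
ALLOWED_BUILTINS = {"dict", "list", "tuple", "set", "frozenset", "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_unpack(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def outcomes(data: bytes) -> dict:
    """Type the naive path produced, and whether the restricted path refused the payload."""
    naive_type = type(naive_unpack(data)).__name__
    try:
        restricted_unpack(data)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return {"naive_result_type": naive_type, "restricted_refused": refused}


if __name__ == "__main__":
    print(outcomes(PAYLOAD))   # naive path ran os.getcwd(); restricted path refused
    print(outcomes(BENIGN))    # plain dict passes both
```

The allowlist is the point, not the specific names in it: the restricted path refuses the payload before any attacker-named code runs, while the benign message still round-trips. An unserializer that accepts every type it knows how to build, as the article describes iMessage doing, is the naive path.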



More fundamentally, iMessage has innate privileges in iOS that other messaging apps are denied. In fact, non-Apple apps are cordoned off from the rest of the operating system by rigorous sandboxes. That means that if a third-party app like WhatsApp is compromised, for instance, a hacker still has to break through its sandbox with another, distinct technique to gain deeper control of the device. But Project Zero’s Silvanovich noted in her writeup of the iMessage flaws that some of iMessage’s vulnerable components are integrated with SpringBoard, iOS’s program for managing a device’s home screen, which Silvanovich writes has no sandbox at all.

“What I personally can’t understand is why they don’t sandbox it more,” Linus Henze says of iMessage. “They should assume their own code has bugs, and make sure their code is sandboxed in the same way they sandbox the code of other developers, just as they do with WhatsApp or Signal or any other app.”

Apple, after all, built the iPhone’s sterling reputation in part by carefully restricting what apps it allowed into its App Store, and even then carefully isolating those apps within the phone’s software. But to head off these high-profile incidents, it may need to reexamine that security caste system—and ultimately, to treat its own software’s code with the same suspicion it has always cast on everyone else’s.




Security hole opens a billion Android users to advanced SMS phishing attacks




Check Point Research has revealed a security flaw in Samsung, Huawei, LG, Sony and other Android-based phones that leaves users vulnerable to advanced phishing attacks.

The affected Android phones use over-the-air (OTA) provisioning, which allows mobile network operators to deploy network-specific settings to a new phone joining their network. However, researchers found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), includes limited authentication methods. This can be exploited, enabling hackers to pose as network operators and send deceptive OMA CP messages to users.

(Image: An unauthenticated CP message as it appears to a Samsung user)

The message tricks users into accepting malicious settings that can, for example, route all their Internet traffic through a proxy server owned by the attacker and enable the attacker to read emails.

Samsung phones are the most vulnerable

Researchers found that certain Samsung phones are the most vulnerable to this form of phishing attack because they perform no authenticity check on the sender of OMA CP messages. The user only needs to accept the CP, and the malicious settings are applied without the sender having to prove its identity.

“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, Security Researcher at Check Point Software Technologies. “Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”

Huawei, LG, and Sony phones do have a form of authentication checking, but hackers only need the International Mobile Subscriber Identity (IMSI) of the recipient to ‘confirm’ their identity.

Attackers can obtain a victim’s IMSI in a variety of ways, including creating a rogue Android app that reads the phone’s IMSI once it is installed. The attacker can also bypass the need for an IMSI by sending the user a text message posing as the network operator and asking them to accept a PIN-protected OMA CP message. If the user enters the PIN and accepts the OMA CP message, the CP is installed without the attacker needing the IMSI.

(Image: A USERPIN-authenticated CP message as it appears to a Huawei user)
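Writing the MAC check out makes clear why it does not authenticate the operator. The block below is an added model in Python, not Check Point’s code and not a WBXML implementation: it keys HMAC-SHA1 with either the IMSI (NETWPIN) or a PIN (USERPIN) over a constructed provisioning body, the two secrets the article says an attacker can respectively harvest or simply choose. The IMSI-to-key step is simplified to the raw digits (an assumption stated in the code; the OMA specification uses a semi-octet encoding), the body is plaintext rather than WBXML, and the IMSI and proxy address are constructed.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the provisioning body. A real OMA CP message carries this
# as WBXML inside a WAP Push SMS, with SEC (the method) and MAC (the hex digest)
# alongside it. 203.0.113.7 is a documentation address playing the attacker's proxy.
CP_BODY = (
    b'<wap-provisioningdoc><characteristic type="PXLOGICAL">'
    b'<parm name="PROXY-ID" value="operator-proxy"/>'
    b'<characteristic type="PXPHYSICAL"><parm name="PXADDR" value="203.0.113.7"/>'
    b'</characteristic></characteristic></wap-provisioningdoc>'
)


def cp_mac(key: bytes, body: bytes) -> str:
    """HMAC-SHA1 over the body, hex-encoded, as the MAC parameter carries it."""
    return hmac.new(key, body, hashlib.sha1).hexdigest().upper()


def netwpin_key(imsi: str) -> bytes:
    # Assumption: the IMSI digits are used as the key directly. The specification derives
    # the key from the IMSI's semi-octet encoding; either way it is computable from the
    # IMSI alone, which is the whole problem.
    return imsi.encode("ascii")


def userpin_key(pin: str) -> bytes:
    return pin.encode("ascii")


def device_accepts(sec: str, mac: str, body: bytes, *, imsi: str, pin: Optional[str] = None) -> bool:
    """Model of the check a handset runs before offering to apply the settings."""
    if sec == "NONE":
        return True  # no MAC at all: the Samsung case in the article
    if sec == "NETWPIN":
        expected = cp_mac(netwpin_key(imsi), body)
    elif sec == "USERPIN":
        if pin is None:
            return False
        expected = cp_mac(userpin_key(pin), body)
    else:
        return False
    return hmac.compare_digest(expected, mac)


def forge_netwpin(imsi: str, body: bytes) -> Tuple[str, str]:
    """Attacker who learned the victim's IMSI (e.g. from a rogue app) mints a valid MAC."""
    return "NETWPIN", cp_mac(netwpin_key(imsi), body)


def forge_userpin(body: bytes, chosen_pin: str = "1234") -> Tuple[str, str, str]:
    """Attacker picks the PIN and texts it to the victim as if from the operator."""
    return "USERPIN", cp_mac(userpin_key(chosen_pin), body), chosen_pin


def demo() -> dict:
    victim_imsi = "310260123456789"  # constructed
    sec, mac = forge_netwpin(victim_imsi, CP_BODY)
    sec2, mac2, pin = forge_userpin(CP_BODY)
    return {
        "netwpin_forged_accepted": device_accepts(sec, mac, CP_BODY, imsi=victim_imsi),
        "netwpin_wrong_imsi_accepted": device_accepts(sec, mac, CP_BODY, imsi="310260000000000"),
        "userpin_forged_accepted": device_accepts(sec2, mac2, CP_BODY, imsi=victim_imsi, pin=pin),
    }


if __name__ == "__main__":
    print(demo())
```

Both MAC modes prove only that the sender knew the IMSI or the PIN, neither of which the operator alone possesses: the IMSI is readable by any app that obtains it, and the PIN is chosen by whoever sends the message. That is why the message still reaches the “accept” prompt and why the article’s advice falls back on the user declining it.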

Some fixes are available

The researchers disclosed their findings to the affected vendors in March 2019:

  • Samsung included a fix addressing this in their Security Maintenance Release for May (SVE-2019-14073)
  • LG released their fix in July (LVE-SMP-190006)
  • Huawei is planning to include UI fixes for OMA CP in the next generation of Mate-series or P-series smartphones
  • Sony stated that its devices follow the OMA CP specification.



