Last week news of the Heartbleed bug broke. Initial concern concentrated on the big service providers and whether they were bleeding their users’ credentials, but attention soon turned to client devices, and in particular Android. Google said only one version of Android was vulnerable (4.11 Jelly Bean); but it’s the one that is used on more than one-third of all Android devices.
The problem is, Android simply won’t be patched as fast as the big providers. Google itself is good at patching; but Android is fragmented across multiple manufacturers who are themselves responsible for patching their users – and historically, they are not so good. It prompted ZDNet to write yesterday,
The Heartbleed scenario does raise the question of the speed of patching and upgrading on Android. Take, for instance, the example of the Samsung Galaxy S4, released this time last year: it has taken nine months from the July 2013 release of Jelly Bean 4.3 for devices on Australia’s Vodafone network to receive the update; it took a week for Nexus devices to receive the update.
Heartboned: Why Google needs to reclaim Android updates
Today we get further evidence of the need for Google to take control of Android updating – information from FireEye on a new and very dangerous Android flaw. In a nutshell, a malicious app can manipulate other apps’ icons.
FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.
Occupy Your Icons Silently on Android
The danger, however, is that this can be done without any warning. Android only notifies users when an app requires ‘dangerous’ permissions. This flaw makes use of normal permissions, and Android does not warn on normal permissions. The effect is that an apparently benign app can have dangerous consequences.
As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)
Google has already released a patch for Android, and Nexus users will soon be safe. But others? “Many android vendors were slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” urges FireEye.
Experts have been warning for some time about the increasing sophistication of mobile malware. Now FireEye has discovered a new variant of Android.MisoSMS — which was already an advanced information-stealing Android Trojan.
Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.
FireEye — Android.MisoSMS : Its back! Now with XTEA
The latest variant seeks to communicate with its C&C server — still located in China — via a selection of hardcoded public DNS servers. This helps defeat sandbox detection and analysis since sandboxes “typically use internal DNS servers and cut off access to outside networks,” explains FireEye. “If the malware cannot access the hard-coded DNS servers, it does nothing and is therefore not detected.”
A further new sophistication is the use of encryption — a variant of the XTEA encryption algorithm — in communication with the C&C server. It is clear that it is malware designed to infiltrate and persist.
It suggests, warns FireEye, “that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment.”
Last week Bluebox Security published details of an Android vulnerability that affects up to 99% of all Android devices. I wrote about it on Infosecurity Magazine here. It’s a code signing flaw that allows attackers to trick the device into accepting an update as an official update even when it isn’t. The fractured nature of the Android market makes it difficult to fix – different manufacturers use different versions of the operating system, and it is likely that some manufacturers won’t bother fixing it at all.
The immediate workaround is to avoid side loading. It will be difficult for attackers to use the flaw to push a maliciously modified app through the Play store. But not impossible – nothing ever is.
Now Bluebox has come to the rescue with a new free app. It doesn’t negate the flaw, but will help you know if you’ve been done. Firstly, it allows you to check to see if your device has been patched. But, “It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability,” writes Jeff Forristal, Bluebox CTO, in a blog posting today.
Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.
Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself with new and expanded permissions secretly (silent updates); that is, without telling the user what was happening, or what new permissions were being enacted.
But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.
Sarah A. Downey, a lawyer and privacy strategist with Abine, did a simple blog: eighteen words and a graphic compilation of three screenshots:
Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”
Says it all really. If Google hadn’t insisted on updates via Play, you might never have known about this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.
So, two lessons: get your apps from Play; and dump Facebook anyway.
Years ago, when broadband first arrived, security experts warned of the dangers inherent in ‘always on’. That danger has increased exponentially with the rise of smartphones and their always-on sensors and cameras. Now a new proof of concept demonstrates the potential of 3D mobile spyware.
‘Proofs of concept’ (POCs) are developed by researchers to demonstrate what could be done in the future, in order to aid legitimate new development and to help anti-malware vendors produce defenses against less legitimate developments. What a new paper from researchers at the US Naval Surface Warfare Center in Crane, Indiana, and scientists from the University of Indiana demonstrates is spyware science fiction come true: a 3D visual map of the victim’s environment.
“We introduce,” say the researchers, “a proof-of-concept Trojan called ‘PlaceRaider’ to demonstrate the invasive potential of visual malware beyond simple photo or video uploads.” The paper describes an Android app (but suggests the concept will work equally well on iOS and Windows Phone), which it calls PlaceRaider, and “which we assume is embedded within a Trojan Horse application (such as one of the many enhanced camera applications already available on mobile app market places).” This app can then secretly and silently take photographs via the Android phone, and send them back to a C&C server for 3D processing.
PlaceRaider does three things. It collects orientation data from the Android’s sensors (“related to the accelerometers, gyroscopes, or magnetometers that a phone possesses”) in order to easily relate different photographs. It then surreptitiously takes photographs – in this case, one every 2 seconds. To remain unnoticed, it uses low resolution (so as to not use too much of the phone’s power), and temporarily mutes the shutter sound while the photo is taken. Finally, it uses a special algorithm to judge the quality of the photographs, discarding poor ones and transmitting the good ones.
Back at the main server, the received photos are compiled and used to construct a 3D map of the target’s location. Subsequent tests with volunteers showed that recognition of ‘points of interest’ is much higher from the 3D map than from static photos. However, since the original photos are of low resolution, further capabilities allow the attacker to use the orientation data to instruct the phone to take and transmit a high-resolution photo on demand – perhaps an open cheque book, or exposed documents.
The attraction of such spyware for both intelligence agencies and criminals is obvious – but the report also shows that there are easy defenses that the OS and hardware manufacturers could implement: making it impossible to mute the shutter sound, introducing permissions for collecting data from the sensors, and ensuring that photos can only be taken by physical interaction with the user. Furthermore, “There is no logical motivation for users to intentionally take poor-quality photos that have any combination of improper focus, motion blur, improper exposure, or unusual orientations/twist” – making heuristic detection of PlaceRaider by the anti-malware vendors a distinct probability.
Hat tip to Daniel Gyenesse for pointing me to the story
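Added example, not from the PlaceRaider paper: a heuristic that flags the capture pattern described above (regularly spaced low-resolution photos from an app that is not on screen, with the shutter sound muted). The camera-usage event record and the "low resolution" threshold are assumptions for illustration, not an Android API, and the event log is constructed.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class CaptureEvent:
    ts: float             # seconds since boot (constructed audit record)
    package: str
    foreground: bool      # was the app on screen when it captured?
    shutter_muted: bool
    width: int
    height: int

LOW_RES_PIXELS = 640 * 480   # assumed cut-off for a "low resolution" capture

def flag_covert_capture(events, min_captures=5, max_jitter=0.5):
    """Return {package: [reasons]} for packages whose background captures look
    like PlaceRaider-style collection rather than user-initiated photography."""
    by_pkg = {}
    for e in events:
        by_pkg.setdefault(e.package, []).append(e)
    flagged = {}
    for pkg, evs in by_pkg.items():
        background = sorted((e for e in evs if not e.foreground), key=lambda e: e.ts)
        if len(background) < min_captures:
            continue
        reasons = []
        gaps = [b.ts - a.ts for a, b in zip(background, background[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= max_jitter for g in gaps):
            reasons.append(f"{len(background)} background captures every ~{mid:.1f}s")
        if all(e.shutter_muted for e in background):
            reasons.append("shutter muted on every background capture")
        if all(e.width * e.height <= LOW_RES_PIXELS for e in background):
            reasons.append("all background captures are low resolution")
        if reasons:
            flagged[pkg] = reasons
    return flagged

# Constructed log: a camera app used normally, and an app capturing unseen every 2 s.
SAMPLE_EVENTS = [CaptureEvent(10.0, "com.example.camera", True, False, 4032, 3024),
                 CaptureEvent(47.5, "com.example.camera", True, False, 4032, 3024)]
SAMPLE_EVENTS += [CaptureEvent(100.0 + 2.0 * i, "com.example.fancycam", False, True, 320, 240)
                  for i in range(6)]

if __name__ == "__main__":
    for pkg, why in flag_covert_capture(SAMPLE_EVENTS).items():
        print(pkg, "->", "; ".join(why))
```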
Microsoft once ruled a roost that is now dominated by that great cock, Apple. Apple dwarfs all other technology – in fact, all – companies. And Microsoft is jealous.
Apple’s secret is that it owns both the hardware and the software; and is a must-have brand. Microsoft owns only the software; and for many is a must-not-have brand. None of this is written in stone.
But Microsoft’s solution is just plain wrong. It is planning to build its own tablet, to compete with the iPad and Android.
This would be a mistake. Microsoft should remember its roots (software) and its history (it destroyed IBM’s PC-DOS, and the IBM PC, by making MS-DOS available to any and all hardware manufacturers; but made none itself). Google has learnt this lesson. Android is the antithesis – and possibly the ultimate nemesis – of iOS. It is open, cheap, and available to all hardware manufacturers.
Microsoft’s latest plan for its own tablet will merely hasten its own demise. Already, MS-fanboy Acer has said, “If Microsoft is going to do hardware business, what should we do? Should we still rely on Microsoft, or should we find other alternatives?” There’s some sort of advice here: if you want to rule the roost, don’t shit in your own hen-house.