January 16, 2019

Proof Published that Carrier IQ is Recording Key Presses and Location Data

(LiveHacking.Com) – Trevor Eckhart has posted a YouTube video showing what could be conclusive proof that Carrier IQ are monitoring the key presses and location information of millions of smartphones.

Using a stock HTC EVO handset reset to its factory settings, Eckhart shows how each numeric tap and every received text message is logged by the Carrier IQ software.

“We can see that Carrier IQ is querying these strings over my wireless network [with] no 3G connectivity and it is reading HTTPS,” said Trevor in the video.

This is the latest revelation in a series of discoveries which Eckhart has been posting about the Carrier IQ “app” that resides in a number of HTC Android smartphones. In his original findings, which were published on November 14th, Eckhart analysed in great detail what Carrier IQ does, how it does it, and why it is a bad thing.

In response, Carrier IQ threatened legal action, sent a cease-and-desist letter, and asked Eckhart to issue a press release admitting “inaccuracies” and to “apologize to Carrier IQ, Inc. for misrepresenting the capabilities of their products and for distributing copyrighted content without permission.”

The Electronic Frontier Foundation (EFF) then got involved. Finally Carrier IQ posted a PDF to clarify how their product is used and the information that is gathered from smartphones and mobile devices. They also apologized to Eckhart and the EFF saying “Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”

The question now is how Carrier IQ will respond to this latest video. Trevor’s video ends with some important questions: “Why does SMSNotify get called and show to be dispatching text messages to [Carrier IQ]?” and “Why is my browser data being read, especially HTTPS on my Wi-Fi?”

Trevor and the rest of the information security fraternity are awaiting their reply.

Whisper Systems Bought by Twitter

(LiveHacking.Com) – Whisper Systems, a mobile device security and privacy company, has been bought by Twitter. The company, which specialises in security for Android devices, announced that during the transition it is taking all of its products and services offline.

However, they assure their fans that the products will live on (under a Twitter brand?) and that they have some surprises in store once the transition is complete.

The question is, what do Twitter want with an Android security company? Twitter is available on a multitude of platforms, not just Android.

One interesting clue is that Whisper Systems developed a product called RedPhone, which provides end-to-end encryption for phone calls. Could it be that Twitter wants to join the likes of Skype, Google and Yahoo in providing a VoIP service?

Android Now Most “Popular” Platform for New Malware

(LiveHacking.Com) – McAfee have released their Third Quarter 2011 Threats Report and it shows that Android is now the most “popular” platform for new malware. Android-targeted malware grew by nearly 37 percent since last quarter and, stunningly, nearly all new mobile malware in Q3 was targeted at Android.

The most common method for spreading Android malware continues to be maliciously modified apps. One of the most lucrative (for the malware author) forms of malware is the premium-rate SMS-sending Trojan. According to McAfee the Android/Wapaxy, Android/LoveTrp, and Android/HippoSMS families are new versions of premium-rate SMS Trojans that sign up victims to subscription services. These Trojans are also getting smarter: they delete all the subscription confirmation messages received, which means that the victim remains unaware of what the malware is doing.

The Symbian OS (used on Nokia handsets) still remains the platform with the largest all-time number of malware samples, but Android is gaining fast.

Apart from the increase in Android malware, McAfee also noted the following trends:

  • Fake Anti-Virus (AV), AutoRun and password-stealing Trojans have bounced back strongly from previous quarters.
  • Mac malware also continues to grow, following a sharp increase in Q2.
  • Web sites are still a common way for attackers to spread malware; however, the number of dangerous sites dropped slightly, from an average of 7,300 new bad sites in Q2 to 6,500 new bad sites in Q3. The vast majority of new malicious sites are located in the United States.

With regards to the increase in OS X threats, McAfee point out that as OS X grows in popularity, malware authors will increasingly make use of it to target victims.

From a global point of view the top 5 malware threats are:

  1. Malicious Iframes
  2. Malicious Windows Shortcut Files
  3. Parasitic File Infector
  4. USB-Based AutoRun Parasitic Malware
  5. Web-Based File Infectors

“This has been a very steady quarter in terms of threats, as both general and mobile malware are more prevalent than ever,” said Vincent Weafer, senior vice president of McAfee Labs. “So far this year, we’ve seen many interesting yet challenging trends that are affecting the threat landscape, including heightened levels of sophistication and high-profile hacktivist attacks.”

WiMAX / 4G Information Leak Discovered on HTC Phones

(LiveHacking.Com) – It was just under a month ago that Trevor Eckhart (AKA TrevE) discovered that HTC preinstalled an application known as HtcLoggers on its phones. This logging program collected all kinds of data and then acted as a server to anything that connected to the right port.

TrevE hasn’t been resting on his laurels and has now discovered that HTC preinstalls a WiMAX monitoring system on its 4G-enabled phones. An attacker who gains control over this can potentially manipulate data connectivity and even go as far as completely reprogramming a device’s CDMA parameters remotely.

The WiMAX monitoring system exposes two open ports (7773/7774) to the outside world with no authentication. The only thing a malicious app needs in order to talk to it is the INTERNET permission, which most Android apps request as a matter of course.

It is also possible to send commands to the WiMAX chipset via these ports, but sending a single comma crashes the phone with an “out of bounds range exception.”

TrevE has posted a proof of concept app and a list of commands that can be sent to this monitoring system here.
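A defender-side check for the kind of unauthenticated listener described here (the WiMAX monitor on 7773/7774, and the earlier HtcLoggers service that also answered on an open port). This is an added example, not TrevE’s proof of concept or any code from the article; it parses the `/proc/net/tcp` format that `adb shell cat /proc/net/tcp` prints, and the sample rows are constructed rather than a real capture.

```python
"""Find services listening on all interfaces on an Android device.

Added example, not from the original article or from TrevE's proof of
concept. It parses the /proc/net/tcp format (as dumped with
`adb shell cat /proc/net/tcp`) and flags LISTEN sockets bound to
0.0.0.0, calling out the WiMAX monitor ports (7773/7774) named in the
article. The SAMPLE text below is constructed, not a real capture.
"""
from typing import List, Tuple

# Ports the article names for the HTC WiMAX monitoring service.
KNOWN_RISKY_PORTS = {7773: "HTC WiMAX monitor", 7774: "HTC WiMAX monitor"}
LISTEN_STATE = "0A"  # TCP_LISTEN as shown in /proc/net/tcp

def parse_proc_net_tcp(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (local_ip, local_port, state, uid) for every socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 is little-endian hex: 0100007F is 127.0.0.1
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        rows.append((".".join(map(str, octets)), int(port_hex, 16),
                     fields[3], int(fields[7])))
    return rows

def exposed_listeners(text: str) -> List[dict]:
    """Listeners bound to every interface: reachable by any app holding the
    INTERNET permission and, on Wi-Fi, by other hosts on the network."""
    findings = []
    for ip, port, state, uid in parse_proc_net_tcp(text):
        if state == LISTEN_STATE and ip == "0.0.0.0":
            findings.append({"port": port, "uid": uid,
                             "note": KNOWN_RISKY_PORTS.get(port, "unknown service")})
    return findings

# Constructed sample: two WiMAX-monitor listeners on all interfaces and
# one loopback-only listener (adb, port 5037) that is not flagged.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1E5D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 00000000 100 0 0 10 -1
   1: 00000000:1E5E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 00000000 100 0 0 10 -1
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12347 1 00000000 100 0 0 10 -1
"""

if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE):
        print(f"port {f['port']} (uid {f['uid']}): {f['note']}")
```

Run against a real dump, any 0.0.0.0 listener that is not a service you recognise is worth tracing back to its owning uid with `adb shell ps`.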

QR Code Used to Spread Android Malware

(LiveHacking.Com) – Quick Response (QR) codes are a convenient and fast way to convey information using a rectangular bar code that smartphones can scan and read. QR codes can hold lots of different types of information including phone numbers, text and, importantly, URLs.

According to Kaspersky the world’s first QR code which installs malware has been found. If the QR code is scanned on an Android phone it will redirect the phone’s browser to a site where the app jimm.apk, a Trojanized version of the Jimm application (a mobile ICQ client), is downloaded. The malware sends several SMS messages to the premium-rate number 2476 (6 USD each).

The use of QR codes for spreading malware was predictable, and as long as this technology is popular cybercriminals will use it. These two examples illustrate the very beginning of such usage, and in the near future we will likely see more mobile malware spread via QR codes.

Security Problems with HTC’s Android Phones

(LiveHacking.Com) – HTC recently updated the software on some of its Android-based phones, introducing a suite of logging tools that collect information from the device including location data and SMS usage. This software has been rolling out for popular phones like the EVO 4G, the EVO 3D and the Thunderbolt. According to a new report this log data is available to any application installed on the phone that is granted ‘Internet’ permission (which is just about every app).

Once an app with ‘Internet’ permission is installed it can access HTC’s logging data and read:

  • the list of user accounts
  • the last known network and GPS locations, along with a short history of previous locations
  • phone numbers from the phone log
  • SMS data

The problem is with a preinstalled app called HtcLoggers.apk that collects all kinds of data and then acts as a server to any connection that opens the right port. Once connected the app serves up data via a command line interface that even has a handy ‘help’ command.

The vulnerability was found by Trevor Eckhart (AKA TrevE) who has created a proof of concept app and has released a YouTube video walkthrough.

According to the Android Police report:

After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public.

Two-thirds of All New Mobile Malware Targets Android

(LiveHacking.Com) – McAfee has published its Threats Report for the second quarter 2011 and has found that two-thirds of all new malware is targeting the Android smartphone platform.

In the last three months the number of new Android-specific malware has risen sharply. In comparison, J2ME (Java Micro Edition) suffered only a third as much malware.

According to the report, “This quarter Android OS-based malware became the most popular target for mobile malware developers. That’s a rapid rise for Android, which outpaces second place Java Micro Edition threefold.”

Intentionally modifying popular apps to carry malware is still a popular way of infecting devices. By trojanizing a legitimate app or game, an attacker gets unsuspecting users to download and install the malware on their smartphones themselves, without the attacker needing to find an exploit in the underlying OS.

“This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry’s preparedness to combat this growth,” says the report.

The “open” aspects of the Android ecosystem, with its multiple app stores, are the main reason this type of malware infection can happen. Although Apple’s app store admission policies are often seen as restrictive and draconian, its closed and moderated nature means that it is very hard for malware writers to get infected applications into the app store.

Researchers Spot Security Flaws in Google’s ClientLogin Protocol

Researchers from Ulm University have discovered potential security vulnerabilities in Google’s ClientLogin protocol. The problem primarily affects Android, but it also exists for any app or desktop application that uses Google’s ClientLogin protocol over HTTP rather than HTTPS.

Recent research has found that using Android on open WiFi networks is dangerous as some Android applications, including the Google Calendar app and Google contacts, transmit data in the clear, allowing an attacker to eavesdrop any transmitted information.

Researchers Bastian Könings, Jens Nickels, and Florian Schaub wanted to know if it is possible to launch an impersonation attack against Google services and so started their own analysis. According to their research it is possible and such attacks are not just limited to Google Calendar and Contacts, but are theoretically possible with all Google services using the ClientLogin authentication protocol.

Google’s ClientLogin protocol works by using an authentication token (authToken) which is requested by an application via HTTPS. If the supplied username and password are correct the token is sent to the application. The token is then used in all other requests to the Google services, but not necessarily over HTTPS, making it easy to capture. Since the authToken is not bound to any session or specific device, an attacker can use a captured authToken to access any personal data which is made available through the service API.

It is clear that Google is aware of this problem, because as of Android 2.3.4 the Calendar and Contacts apps transmit requests over HTTPS. However, Android 2.1, 2.2.1 and 2.3.3 are all vulnerable. Interestingly, the new Picasa Web Albums synchronization found in Android 2.3 uses HTTP, not HTTPS, and as such is vulnerable.
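The weakness above is visible in traffic: the token is fetched over HTTPS but then reused as a header on plain HTTP. The following is an added example (not from the article or the Ulm University study) that reads captured requests and reports any ClientLogin header, which has the form `Authorization: GoogleLogin auth=<token>`, sent on an unencrypted port. The captures, hosts and token value are constructed for the demonstration.

```python
"""Flag ClientLogin authTokens sent over plaintext HTTP.

Added example, not from the article or the Ulm University study. Input is
a list of captured requests as (destination port, raw HTTP request), the
form a proxy or pcap extractor would give; the samples below are
constructed. A ClientLogin header has the documented form
``Authorization: GoogleLogin auth=<token>``; any such header on port 80
is an authToken an eavesdropper on the same Wi-Fi could reuse.
"""
import re
from typing import Dict, List, Tuple

CLIENTLOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)
PLAINTEXT_PORTS = {80, 8080}

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def leaked_tokens(captures: List[Tuple[int, str]]) -> List[dict]:
    """One finding per request that exposes an authToken in the clear."""
    findings = []
    for port, raw in captures:
        _method, path, headers = parse_request(raw)
        m = CLIENTLOGIN_RE.match(headers.get("authorization", ""))
        if m and port in PLAINTEXT_PORTS:
            # Keep only a short prefix: the finding itself must not leak the token.
            findings.append({"host": headers.get("host", "?"), "path": path,
                             "port": port, "token_prefix": m.group(1)[:6] + "..."})
    return findings

SAMPLE_CAPTURES = [  # constructed, not real traffic
    # The token request itself goes over TLS, as the protocol requires.
    (443, "POST /accounts/ClientLogin HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
          "Email=user%40example.com&Passwd=REDACTED&service=cl"),
    # Calendar sync reusing that token over plain HTTP: this is the leak.
    (80, "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
         "Host: www.google.com\r\nAuthorization: GoogleLogin auth=DQAAAexampleTOKEN\r\n\r\n"),
    # The same token over HTTPS is not observable and is not flagged.
    (443, "GET /m8/feeds/contacts/default/full HTTP/1.1\r\nHost: www.google.com\r\n"
          "Authorization: GoogleLogin auth=DQAAAexampleTOKEN\r\n\r\n"),
]
```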

Skype for Android Updated – Fixes Privacy Vulnerability

A few days ago Justin Case of the Android Police web site discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs, but that the permissions of the database were badly set, exposing this private information to any other app on the device that cared to take a look.

Now Skype have updated the app to version 1.0.0.983 and in doing so have corrected the permissions on the database files. According to a post on the Skype Security blog Skype “have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices” but they “will continue to monitor closely.”

Skype recommends that users update to this new version as soon as possible, from the Get Skype section on skype.com or from the Android Market links on skype.com, in order to help protect their information.

According to the Android Police web site Justin Case, who originally found the issue, has taken a look at the updated version and confirmed that the proof-of-concept app he developed to demonstrate the vulnerability no longer functions.

As well as fixing the database permissions Skype have also added 3G calling in the U.S. Previously, calling in the States was only available via Wi-Fi (except for Verizon users who needed to download a special version of the app).

Skype for Android Stores Private Data in Unencrypted DB Accessible by Other Apps

Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set permissions, this private information is accessible to any other app on the device which cares to take a look.

The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.

Justin has created a proof-of-concept app that once installed on the device can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.
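The underlying defect is a file-permission one, and it can be checked without any proof-of-concept app. This is an added example, not Justin Case’s code or Skype’s: it audits an app’s data directory for files that carry group or other permission bits (on Android every app runs under its own uid, so its private files should be mode 0600). The Skype-style tree it inspects, with a username directory holding main.db, is constructed in a temporary directory.

```python
"""Audit an app's private data directory for files other apps can read.

Added example, not Justin Case's proof of concept or Skype's code. Each
Android app runs under its own uid, so files in its data directory should
carry no group/other permission bits; this lists the ones that do. The
sample tree (a Skype-style username directory holding main.db) is
constructed in a temporary directory purely for demonstration.
"""
import os
import stat
import tempfile
from typing import List, Tuple

OTHERS_MASK = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH

def world_accessible_files(root: str) -> List[Tuple[str, str]]:
    """Return (path relative to root, octal mode) for every file under root
    that group or others may read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            if mode & OTHERS_MASK:
                findings.append((os.path.relpath(full, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)

def make_sample_tree() -> str:
    """Build a constructed Skype-like data directory with one leaky database."""
    root = tempfile.mkdtemp(prefix="skype-audit-")
    user_dir = os.path.join(root, "exampleuser")  # Skype names it after the username
    os.makedirs(user_dir, mode=0o700)
    files = {
        "main.db": 0o666,      # as reported before the fix: readable by any app
        "config.xml": 0o600,   # constructed control file with correct permissions
    }
    for name, mode in files.items():
        path = os.path.join(user_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder contents\n")  # not real Skype data
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, mode in world_accessible_files(make_sample_tree()):
        print(f"{rel}: mode {mode} is accessible to other apps")
```

On a rooted test device the same function can be pointed at the app’s data directory after pulling it with `adb pull`, since the pulled copy keeps the file modes.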

Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”