June 13, 2021

WebKit Vulnerability Allows Attackers to Take Control of Android Devices

(LiveHacking.Com) – CrowdStrike, a new security technology company formed by key cyber security executives from McAfee, will demonstrate a new WebKit based attack against Google Android which results in the attacker gaining access to critical system processes and taking complete control of the victim’s device. The firm plans the demo as part of its debut at the RSA Conference 2012.

To launch the attack a hacker sends an email or text message that tricks the recipient (via social engineering) to click on a link, which in turn infects the device. At this point, the hacker gains complete control of the phone, enabling him to eavesdrop on phone calls and monitor the location of the device.

Since WebKit is also used in Google Chrome, Research in Motion’s BlackBerry, Apple’s Safari web browser and Apple’s iOS devices, this could open up exploits across multiple platforms.

“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.

The CrowdStrike exploit only works on Android 2.2 (Froyo) but Alperovitch said he expects to have a second version of the hack soon that can attack phones running Android 2.3 (Gingerbread, which runs on about 59% of all Android devices).

The consequences of such a vulnerability are enormous as once the hole is patched in the WebKit project it can take months for the fix to trickle down to actual devices. Worse still many handset manufacturers never update the firmware on older phones meaning that some Android 2.2 users will be left with a vulnerable phone with no possibility of a fix other than resorting to custom ROM images.

WiMAX / 4G Information Leak Discovered on HTC Phones

(LiveHacking.Com) – It was just under a month ago that Trevor Eckhart (AKA TrevE) discovered that HTC preinstalled an application known as HtcLoggers on its phones. This logging program collected all kinds of data and then acted as a server to any connection that opens the right port.

TrevE hasn’t been sitting on his laurels and has now discovered that HTC preinstall a WiMAX monitoring system on its 4G enabled phones. An attacker who gains control over this can potentially manipulate data connectivity and to go even as far as being able to completely reprogram a device’s CDMA parameters remotely.

The WiMAX monitoring system exposes two open ports (7773/7774) to the outside world with no authentication. The only thing required for a malicious app to do anything is the INTERNET permission, which most Android apps request as a matter of course.

It is also possible to send commands to the WiMAX chipset via these ports, but sending a single comma can create an crashes the phone with an “out of bounds range exception.”

TrevE has posted a proof of concept app and a list of commands that can be sent to this monitoring system here.

Security Problems with HTC’s Android Phones

(LiveHacking.Com) – HTC recently updated the software on some of its Android based phones which introduced a suite of logging tools that collect information from the device including locations data and SMS usage. This software has been rolling out for popular phones like the EVO 4G, the EVO 3D and the Thunderbolt. According to a new report this log data is available to any application installed on the phone that is granted ‘Internet’ permission (which is just about every app).

Once an app with ‘Internet’ permission is installed it can access HTC’s logging data and read:

  • the list of user accounts.
  • the last known network and GPS locations along with a short history of previous locations.
  • phone numbers from the phone log
  • SMS data

The problem is with a preinstalled app called HtcLoggers.apk that collects all kinds of data and then acts as a server to any connection that opens the right port. Once connected the app serves up data via a command line interface that even has a handy ‘help’ command.

The vulnerability was found by Trevor Eckhart (AKA TrevE) who has created a proof of concept app and has released a YouTube video walkthrough.

According to the Android Police report:

After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public.

Researchers Spot Security Flaws in Google’s ClientLogin Protocol

Researchers from Ulm University have discovered potential security vulnerabilities in Google’s ClientLogin Protocol primarily on Android but which also exists for any apps and desktop applications that use Google’s ClientLogin protocol over HTTP rather than HTTPS.

Recent research has found that using Android on open WiFi networks is dangerous as some Android applications, including the Google Calendar app and Google contacts, transmit data in the clear, allowing an attacker to eavesdrop any transmitted information.

Researchers Bastian Könings, Jens Nickels, and Florian Schaub wanted to know if it is possible to launch an impersonation attack against Google services and so started their own analysis. According to their research it is possible and such attacks are not just limited to Google Calendar and Contacts, but are theoretically possible with all Google services using the ClientLogin authentication protocol.

Google’s ClientLogin protocol works by using an authentication token (authToken) which is requested by an application via HTTPS. If the supplied username and password are correct the token is sent to the application. The token is then used in all other requests to the Google services but not necessarily over HTTPS (making it easy to capture) and since the authToken is not bound to any session or specific device an attacker can use a captured authToken to access any personal data which is made available through the service API.

It is clear that Google are aware of this problem because as from Android 2.3.4 the Calendar and Contacts apps now transmit requests over HTTPS. However Android 2.1, 2.2.1 and 2.3.3 are all vulnerable. Interestingly the new Picasa Web Albums synchronization found in Android 2.3 uses HTTP, not HTTPS, and as such is vulnerable.

Skype for Android Stores Private Data in Unencrypted DB Accessible by Other Apps

Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set permissions, this private information is accessible to any other app on the device which cares to take a look.

The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.

Justin has created a proof-of-concept app that once installed on the device can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.

Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”

Trend Micro’s Chairman Says iOS is More Secure Than Android. But Is He Right?

Trend MicroThe chairman and one of the founders of Trend Micro, the Japanese Security and Anti-Virus company, has revealed in a recent interview that he believes that the Android platform is more susceptible to attacks than Apple’s iOS.

Speaking to Bloomberg Chang said “Android is open-source, which means the hacker can also understand the underlying architecture and source code”. Which seems to be the exact opposite of what Google have found with its Chrome web browser and its reward program.

In contrast Chang says that Apple’s sandbox in iOS “isolates the platform, which prevents certain viruses that want to replicate themselves or decompose and recompose to avoid virus scanners”.

His comments come just after the launch of Trend Micro’s Mobile Security for Android. The $3.99 app can block viruses, malicious programs and unwanted calls. Are Chang’s comments just good marketing or does he have a point? Leave your comments below.

Android Browser Data Stealing Vulnerability

Information security expert Thomas Cannon has discovered a security vulnerability in the Android browser. This vulnerubility can be exploited by attackers to access to the the local files when a smartphone user visits a crafted web page.

Cannon has explined about the vulnerability in his blog and here is its highlights:

  • The Android browser doesn’t prompt the user when downloading a file, for example "payload.html", it automatically downloads to /sdcard/download/payload.html
  • It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.
  • When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.
  • While in this local context, the JavaScript is able to read the contents of files (and other data).

One limiting factor of this exploit is that you have to know the name and path of the file you want to steal. However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention too. It is also not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system, only those on the SD card and a limited number of others.

The vulnerability appears to affect all versions of Android, including the current version 2.2. The Android security team has been informed about this vulnerability on November 20, 2010 with reference to Cannon’s blog.

Android holes allow secret installation of apps

Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user’s permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.

Read the full story here.


Back door exploit for Android phones

A security expert working at Alert Logic has published a demonstration back door exploit for smartphones running Android. Criminals could use the principles of this exploit to gain control of a phone and install trojans. A potential victim need only call a malicious web site for infection to occur.

Read the full story here.


Study: Many free iPhone apps pass device ID to the app vendor

It’s not just Android apps that transmit users’ personal data to vendors – iPhone app developers also appear to gather user data. According to a study by pskl.us blogger Eric Smith, a number of free iOS apps send private user data back to their application developers.

Read the full story here.