November 26, 2014

Google expands its patch reward program

In early October Google launched its patch reward program, which rewards members of the open source community for making security improvements to open source projects. The program was designed to be more than just an open source bug hunting exhibition; rather, it is a way to provide financial incentives for proactive security enhancements that go beyond fixing a known security vulnerability.

The project started out quite small in scope, with Google only considering patches for projects like OpenSSH, BIND, ISC DHCP, libjpeg, libjpeg-turbo, libpng, giflib and OpenSSL. To qualify, patches need to be submitted to the maintainers of the individual projects and then Google needs to be notified about the improvements. If Google considers that the submission has a positive impact on security then the coder qualifies for a reward ranging from $500 to $3,133.7.

Now, after almost six weeks of running the initial program, Google has announced that it is ready to expand the program to include more open source projects, including Android. The full list of new projects now eligible for rewards is:

  • All the open-source components of Android: Android Open Source Project
  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
  • Virtual private networking: OpenVPN
  • Network time: University of Delaware NTPD
  • Additional core libraries: Mozilla NSS, libxml2
  • Toolchain security improvements for GCC, binutils, and llvm

The inclusion of Android is interesting as it shows that Google is keen to continue making security improvements to its very popular mobile operating system. Recently Google has added SELinux and nosuid protection to Android as well as creating a free built-in service called Verify Apps. Available for all versions of Android from 2.3 onwards, Verify Apps behaves very much like an antivirus scanner and blocks the installation of malicious software, regardless of the source.

In the past Android has been seen as less secure than Apple’s iOS, primarily because Android allows users to install apps from anywhere, not just from Google’s Play Store. Since Apple maintains a walled garden and only allows apps into its store after rigorous testing, malware scares have been less prominent on iOS. Vendors of Android security software suites seem to constantly write sensational headlines about how many new variants of Android malware are being created each month. Although technically they are right, users who stick to Google’s Play Store shouldn’t be in any danger.

Many Android apps open to man-in-the-middle attacks due to weak SSL usage

After injecting a virus signature database via a MITM attack over broken SSL, the AntiVirus app recognized itself as a virus and recommended to delete the detected malware.

Security researchers from the Leibniz University of Hanover and the computer science department at the Philipps University of Marburg have tested 13,500 popular free Android apps and found that 8.0% of these apps contain SSL/TLS implementations that are vulnerable to Man-in-the-Middle (MITM) attacks.

The researchers created a tool called MalloDroid which is designed to detect potential vulnerabilities to MITM attacks. The tool performs static code analysis to analyze the networking API calls and extract valid HTTP(S) URLs, check the validity of the SSL certificates of all the extracted HTTPS hosts, and identify apps that contain non-default trust managers. Running the tool on the 13,500 samples showed that 1,074 of the apps exhibited some kind of potential vulnerability.

From these 1,074 apps, a further 100 were picked for manual audit to investigate different SSL problems, including the acceptance of all SSL certificates regardless of their validity. This manual audit revealed that 41 of the apps were vulnerable to MITM attacks due to SSL misuse.
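The kind of static check described above can be sketched as follows. This is an added example, not MalloDroid's code: it works on decompiled source text with regular expressions rather than on bytecode, skips the online certificate check of extracted hosts, and the sample app, its class names and its URLs are constructed.

```python
import re

# Constructed sample: decompiled source of a hypothetical app, not taken from the study.
SAMPLE_SOURCE = '''
public class Net {
    static final String UPDATE = "https://updates.example.com/sigs.db";
    static final String STATS = "http://stats.example.com/ping";
    static class TrustAll implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }
    void setup(SSLSocketFactory sf) {
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# A class implementing X509TrustManager is a non-default trust manager.
TRUST_MANAGER_RE = re.compile(
    r'class\s+(\w+)[^{]*\bimplements\b[^{]*\bX509TrustManager\b')
# checkServerTrusted with an empty body never rejects a certificate.
EMPTY_SERVER_CHECK_RE = re.compile(
    r'checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{\s*\}')
# Hostname verification switched off, by constant, class or a verify() that returns true.
ALLOW_ALL_HOSTS_RE = re.compile(
    r'ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier'
    r'|boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}')


def audit(source):
    """Return extracted URLs, custom trust managers and SSL misuse findings."""
    urls = URL_RE.findall(source)
    report = {
        "https_urls": [u for u in urls if u.startswith("https://")],
        "cleartext_urls": [u for u in urls if u.startswith("http://")],
        "custom_trust_managers": TRUST_MANAGER_RE.findall(source),
        "findings": [],
    }
    if EMPTY_SERVER_CHECK_RE.search(source):
        report["findings"].append("trust manager accepts any server certificate")
    if ALLOW_ALL_HOSTS_RE.search(source):
        report["findings"].append("hostname verification disabled")
    if report["cleartext_urls"]:
        report["findings"].append("cleartext HTTP endpoint")
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SOURCE).items():
        print(key, value)
```

A custom trust manager on its own is only a flag for manual review, which is why the report lists it separately from the findings.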

In a particularly embarrassing case, the researchers found that the Zoner AntiVirus app updated its virus signatures via a broken SSL connection. As the developers considered the connection to be secure and tamper-proof, there is no built-in verification or validation of the signature files downloaded. This meant that the team was able to insert its own signature files. In one test they added the signature for the anti-virus app itself. The app then proceeded to recognize itself as malware and recommended that it be deleted. The Zoner AntiVirus app has been downloaded more than 500,000 times!

By the end of their research the team had managed to capture credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts.

The total cumulative number of installs of all the MITM vulnerable apps is between 39.5 and 185 million users, according to the download numbers from Google’s Play Store.

WebKit Vulnerability Allows Attackers to Take Control of Android Devices

(LiveHacking.Com) – CrowdStrike, a new security technology company formed by key cyber security executives from McAfee, will demonstrate a new WebKit based attack against Google Android which results in the attacker gaining access to critical system processes and taking complete control of the victim’s device. The firm plans the demo as part of its debut at the RSA Conference 2012.

To launch the attack a hacker sends an email or text message that tricks the recipient (via social engineering) into clicking on a link, which in turn infects the device. At this point, the hacker gains complete control of the phone, enabling him to eavesdrop on phone calls and monitor the location of the device.

Since WebKit is also used in Google Chrome, Research in Motion’s BlackBerry, Apple’s Safari web browser and Apple’s iOS devices, this could open up exploits across multiple platforms.

“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.

The CrowdStrike exploit only works on Android 2.2 (Froyo) but Alperovitch said he expects to have a second version of the hack soon that can attack phones running Android 2.3 (Gingerbread, which runs on about 59% of all Android devices).

The consequences of such a vulnerability are enormous: once the hole is patched in the WebKit project, it can take months for the fix to trickle down to actual devices. Worse still, many handset manufacturers never update the firmware on older phones, meaning that some Android 2.2 users will be left with a vulnerable phone with no possibility of a fix other than resorting to custom ROM images.

McAfee Says Malware Surpassed 75 Million Samples in 2011

(LiveHacking.Com) – McAfee has released its Q4 2011 Threat Report (a PDF) and it shows that last year McAfee collected over 75 million unique malware samples! It also shows that 2011 was by far the busiest period for mobile malware, with Android the number one target for writers of mobile malware.

The most common type of Android malware is the for-profit SMS-sending Trojan, which earns cyber-criminals significant amounts of money by sending messages to premium services. Rooting Android devices is getting easier and easier, and there are now apps which combine vulnerability exploits to root phones with the click of a button. However, the downside of this is that malware writers can repackage the very same root exploit apps with malware.

There is a sliver of good news in that the overall growth of PC malware is on the decline and is much lower than this time last year. The report also noted a continued decline in Fake AV malware, with AutoRun and password-stealing Trojan malware showing only slight declines. However, the context of this is that McAfee’s cumulative number of unique malware samples exceeded 75 million.

In Q4 2011, the most common type of remote attack was via vulnerabilities in Microsoft Windows remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. The result is that the number of reported data breaches has more than doubled since 2009 with more than 40 breaches publicly reported in Q4 alone.

“Although the release of new malware slowed a bit in Q4, mobile malware continued to increase and recorded its busiest year to date,” Dave Marcus, Director, Security Research at McAfee said in a blog post.

DDoS Attack Tool Comes to Android

(LiveHacking.Com) – McAfee has reported that the common Low Orbit Ion Cannon (LOIC) denial of service (DoS) tool has been ported to Android. ‘Ported’ might be too strong a word, as this mobile device version is in fact a wrapper around the JavaScript version. Nonetheless, this is an interesting advancement in the ubiquity of hacking tools.

Hacktivism (hacking as political or social protest) is becoming increasingly popular with groups like Anonymous using hacking tools to launch distributed denial of service attacks on organizations all over the world. LOIC, one such tool used by the hackers, was originally developed to stress-test websites, however it has now been effectively used by hackers to take websites offline by sending a flood of TCP/UDP packets which overwhelms the server and makes it inaccessible.

Originally written in C#, LOIC inspired the creation of an independent JavaScript version. This version allowed a DoS attack to be launched from a web browser. In conjunction with PasteHTML, which allows anyone to post HTML onto the web anonymously (no pun intended), and the free AppsGeyser service, which converts web pages into an app, an Android app has been created which encapsulates the JavaScript version of LOIC. Specifically, the version spotted by McAfee targets the Argentinian government, but theoretically an Android app can be created to attack any web site. When the app is launched a WebView component is used to run the JavaScript that sends 1,000 HTTP requests with the message “We are LEGION!” as one of the parameters.

“Creating Android applications that perform DoS attacks is now easy: It requires only the URL of an active web LOIC–and zero programming skills–thanks to automated online tools,” wrote Carlos Castillo for McAfee.

Google’s Bouncer to Try and Keep Malware Out of the Android Market

(LiveHacking.Com) – One of the weakest aspects of Google’s Android ecosystem is that it is far too easy for hackers to submit apps which contain malware. Until now Google seemed to largely ignore the issue and only removed malicious apps if someone complained. However, that could all be changing. Google has announced a new service codenamed Bouncer, which scans the Android Market for potentially malicious apps without requiring developers to go through an Apple-like application approval process.

The Bouncer does two things. First it performs a set of analyses on newly submitted apps (as well as on applications already in Android Market), and secondly it keeps an eye on developer accounts to help prevent malicious and repeat-offending developers from coming back.

Once an application is uploaded, the Bouncer starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. To do this Google runs every application in a simulator to see how it will run on an Android device and to look for hidden, malicious behavior.

It seems that the Bouncer has been running for at least the last six months, as Google reports that between the first and second halves of 2011, it saw a 40% decrease in the number of potentially-malicious downloads from Android Market.

“No security approach is foolproof, and added scrutiny can often lead to important improvements. Our systems are getting better at detecting and eliminating malware every day, and we continue to invite the community to work with us to keep Android safe.” said Google.

Google Removes 22 Dangerous Apps from Android Market

(LiveHacking.Com) – Over the past week Google has removed 22 malicious apps from its official Android Marketplace, again highlighting the weakness of Google’s (almost non-existent) approval process. The malicious apps were spotted by the mobile security company Lookout, who then notified Google. In response Google removed the apps.

The apps all used the RuFraud malware to send SMS messages to premium rate numbers. The apps didn’t affect users in the USA, but they did target users in Great Britain, Italy, Israel, France, and Germany as well as Russia, Azerbaijan, Armenia, Georgia, Czech Republic, Poland, Kazakhstan, Belarus, Latvia, Kyrgyzstan, Tajikistan, Ukraine and Estonia.

The initial batch of apps that Google posted in the Android Marketplace appeared as horoscope apps with an unclear ToS pointing out the charges. Once the app started, tapping on “Continue” meant the user accepted the terms.

Next came apps designed to capture a wider audience: 3 wallpaper apps for popular movies (including Twilight), and 3 apps claiming to be downloaders for popular games such as Angry Birds and Cut the Rope.

The final wave of apps again masqueraded as free versions of popular games. In total 22 apps appeared in the Android Market and were downloaded over 14,000 times. Do the maths. That is a very quick way to make some money and Google helped by not having a decent app review process.

Bitdefender Releases Carrier IQ Finder for Android

(LiveHacking.Com) – Carrier IQ has been very much in the headlines this week with accusations, rebuttals and counter accusations over privacy deficiencies in Carrier IQ’s mobile phone diagnostic system. The system is shipped by default on a number of Android based mobile devices.

Although designed “just” to help carriers improve their networks there are concerns that the software is tracking and recording more than it should.

As a result Bitdefender have created a new tool that identifies the presence of the controversial mobile network diagnostic tool.

“Bitdefender values users’ privacy and their right to take informed decisions when entering a deal with a mobile carrier,” said Alexandru Balan, senior Product Manager of the Bitdefender Mobile Unit. “Although the manufacturer claims that only some of the information provided through the Carrier IQ application is used by the carrier, the amount of personal data the app has access to raises serious privacy concerns.”

Unfortunately the Bitdefender tool isn’t able to disable or uninstall the Carrier IQ app as it is deeply buried in the device firmware.

The application can be freely downloaded via the Android Market here.

Carrier IQ Fights Back – Says it isn’t Snooping

(LiveHacking.Com) – Carrier IQ hit back at allegations made by security researcher Trevor Eckhart that their Android app is recording and forwarding all kinds of personal information. The company has issued another press release to “clarify” what its app does and one of the company’s VPs has been speaking to AllThingsD.

In the press release Carrier IQ states that its app:

  • Measures and summarizes performance of a device to assist Operators in delivering better service.
  • Does not record, store or transmit the contents of SMS messages, email, photographs, audio or video.
  • Operates exclusively within that framework and under the laws of the applicable jurisdiction. Any data gathered is transmitted over an encrypted channel.

In the interview with AllThingsD, Andrew Coward, Carrier IQ’s VP of marketing, says that the app receives a huge amount of information from the operating system. But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or is passed along to the carrier:

  • “What the Eckhart video demonstrates is that there’s a great deal of information available on a handset,” says Coward. “What it doesn’t show is that all information is processed, stored, or forwarded out of the device.”
  • “If there’s a dropped call, the carriers want to know about it,” says Coward. “So we record where you were when the call dropped, and the location of the tower being used. … Similarly, if you send an SMS to me and it doesn’t go through, the carriers want to know that, too. And they want to know why — if it’s a problem with your handset or the network.”
  • “We don’t read SMS messages. We see them come in. We see the phone numbers attached to them. But we are not storing, analyzing or otherwise processing the contents of those messages.”
  • “It’s the operator that determines what data is collected,” says Carrier IQ CEO Larry Lenhart. “They make that decision based on their privacy standards and their agreement with their users, and we implement it.”
  • “What’s actually gathered, stored and transmitted to the carrier is determined by its end-user agreement,” he says. “And, as I’m sure you’re aware, the carriers are highly sensitive about what data they’re allowed to capture and what they’re not allowed to capture.”

Android Flaw Allows Apps to Send SMS Messages and Record Calls Without Permission

(LiveHacking.Com) – A group of researchers from North Carolina State University have discovered [PDF] flaws in non-vanilla versions of Android which leak permissions or capabilities to other applications. By exploiting these leaked capabilities a 3rd party app can send SMS messages, record calls and even reboot the phone without asking for any permission.

Unlike Apple who strictly control their App Store and offer only one source for downloads, Android has multiple app stores and none of them, including the official Google Market, perform any kind of security checks on the apps made available for download. This means that when vulnerabilities are discovered in Android, hackers are free to upload apps to the Android Market which exploit the weaknesses.

To combat this, Android uses a permissions model where any app wanting to do something extra (including connecting to the Internet) needs to ask permission from the user. The model is severely flawed as most non-technical people have no idea what these permissions mean and normally just accept them anyway.

Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang have discovered that non-vanilla versions of Android come with extra pre-loaded apps and that these bundled apps have access to some permissions that are too privileged to be granted to third-party apps.

The team built an app called Woodpecker which scans the pre-loaded apps to see which apps offer a public interface exposing a capability that would normally require permission. They also use another technique to find “implicit capabilities” among apps signed with the same user identifier.
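A first-pass manifest triage for the exposure described above, as an added example. It is not Woodpecker's algorithm, which goes further and checks whether a public entry point actually reaches the privileged call; this sketch only lists exported components of an app that holds sensitive permissions and leave them unguarded. The manifest, package and component names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = {"activity", "service", "receiver", "provider"}
# Permissions matching the capabilities the article names (SMS, audio, reboot, location).
SENSITIVE = {
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.REBOOT",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest of a hypothetical pre-loaded vendor app.
SAMPLE_MANIFEST = '''
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.vendor.example.tools"
          android:sharedUserId="com.vendor.example.shared">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REBOOT"/>
  <application>
    <service android:name=".SmsRelayService" android:exported="true"/>
    <receiver android:name=".RebootReceiver">
      <intent-filter><action android:name="com.vendor.example.REBOOT"/></intent-filter>
    </receiver>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="android.permission.SEND_SMS"/>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>
'''


def is_exported(comp):
    """Explicit android:exported wins; otherwise apply the platform default."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    if comp.tag == "provider":
        return True  # default on the Android 2.x releases the study covers
    return comp.find("intent-filter") is not None


def leak_candidates(manifest_xml):
    """List exported, unguarded components of an app holding sensitive permissions."""
    root = ET.fromstring(manifest_xml)
    held = sorted(p.get(A + "name") for p in root.findall("uses-permission")
                  if p.get(A + "name") in SENSITIVE)
    app = root.find("application")
    open_components = []
    if held and app is not None:
        app_guard = app.get(A + "permission")  # applies to every component
        for comp in app:
            if comp.tag not in COMPONENT_TAGS:
                continue
            if is_exported(comp) and not (comp.get(A + "permission") or app_guard):
                open_components.append((comp.tag, comp.get(A + "name")))
    return {"held": held, "open_components": open_components,
            "shared_user_id": root.get(A + "sharedUserId")}


if __name__ == "__main__":
    print(leak_candidates(SAMPLE_MANIFEST))
```

The `shared_user_id` field marks apps that share a user identifier with others, which is where the implicit capabilities mentioned above would need a closer look.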

The researchers analyzed eight popular Android (2.2 and 2.3 based) smartphones (HTC Legend, HTC EVO 4G, HTC Wildfire S, Motorola Droid and Droid X, Samsung Epic 4G and the Google Nexus One & Nexus S) and discovered 11 privileged permissions that are “leaked”. One phone, the HTC EVO 4G, leaks eight permissions.

In a video posted on YouTube Michael Grace demonstrates the installation of the Woodpecker app (which required no special permissions) and then how the app was able to record sounds (including phone calls), send an SMS message (which could have been to a premium phone number) and reboot the device without asking.

“The results are worrisome: among the 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission” say the report authors.