May 17, 2020

Proof Published that Carrier IQ is Recording Key Presses and Location Data

(LiveHacking.Com) – Trevor Eckhart has posted a YouTube video showing what could be conclusive proof that Carrier IQ are monitoring the key presses and location information of millions of smartphones.

Using a stock HTC EVO handset reset to its factory settings, Eckhart shows how each numeric tap and every received text message is logged by the Carrier IQ software.

“We can see that Carrier IQ is querying these strings over my wireless network [with] no 3G connectivity and it is reading HTTPS,” said Trevor in the video.

This is the latest revelation in a series of discoveries which Eckhart has been posting about the Carrier IQ “app” that resides in a number of HTC Android smartphones. In his original findings, which were published on November 14th, Eckhart analysed in great detail what Carrier IQ does, how it does it, and why it is a bad thing.

In response, Carrier IQ threatened legal action, sent a cease-and-desist letter, and asked Eckhart to issue a press release admitting “inaccuracies” and to “apologize to Carrier IQ, Inc. for misrepresenting the capabilities of their products and for distributing copyrighted content without permission.”

The Electronic Frontier Foundation (EFF) then got involved. Finally Carrier IQ posted a PDF to clarify how their product is used and the information that is gathered from smartphones and mobile devices. They also apologized to Eckhart and the EFF saying “Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”

The question now is what Carrier IQ’s response to this latest video will be. Trevor’s video ends with some important questions, “Why does SMSNotify get called and show to be dispatching text messages to [Carrier IQ]?” and “Why is my browser data being read, especially HTTPS on my Wi-Fi?”

Trevor and the rest of the information security fraternity are awaiting their reply.

Android Now Most “Popular” Platform for New Malware

(LiveHacking.Com) – McAfee have released their Third Quarter 2011 Threats Report and it shows that Android is now the most “popular” platform for new malware. Android-targeted malware grew by nearly 37 percent since last quarter and, stunningly, nearly all new mobile malware in Q3 was targeted at Android.

The most common method for spreading Android malware continues to be maliciously modified apps. One of the most lucrative (for the malware author) forms of malware is the premium-rate SMS-sending Trojan. According to McAfee, the Android/Wapaxy, Android/LoveTrp, and Android/HippoSMS families are new versions of premium-rate SMS Trojans that sign up victims to subscription services. These Trojans are also getting smarter, as they delete all the subscription confirmation messages received. This means that the victim remains unaware of what the malware is doing.

Symbian OS (for Nokia handsets) still remains the platform with the greatest all-time amount of malware, but Android is gaining fast.

Apart from the increase in Android malware, McAfee also noted the following trends:

  • Fake Anti-Virus (AV), AutoRun and password-stealing Trojans have bounced back strongly from previous quarters.
  • Mac malware also continues to grow, following a sharp increase in Q2.
  • Web sites are still a common way for attackers to spread malware; however, the number of dangerous sites dropped slightly, from an average of 7,300 new bad sites in Q2 to 6,500 new bad sites in Q3. The vast majority of new malicious sites are located in the United States.

With regard to the increase in OS X threats, McAfee point out that as OS X grows in popularity, malware authors will increasingly make use of it to target victims.

From a global point of view the top 5 malware threats are:

  1. Malicious Iframes
  2. Malicious Windows Shortcut Files
  3. Parasitic File Infector
  4. USB-Based AutoRun Parasitic Malware
  5. Web-Based File Infectors

“This has been a very steady quarter in terms of threats, as both general and mobile malware are more prevalent than ever,” said Vincent Weafer, senior vice president of McAfee Labs. “So far this year, we’ve seen many interesting yet challenging trends that are affecting the threat landscape, including heightened levels of sophistication and high-profile hacktivist attacks.”

QR Code Used to Spread Android Malware

(LiveHacking.Com) – Quick Response (QR) codes are a convenient and fast way to convey information using a rectangular bar code that smart phones can scan and read. QR codes can hold lots of different types of information including phone numbers, text and, importantly, URLs.

According to Kaspersky, the world’s first QR code which installs malware has been found. If the QR code is scanned on an Android phone it will redirect the phone’s browser to a site where the app jimm.apk, a Trojanized version of the Jimm application (a mobile ICQ client), is downloaded. The malware sends several SMS messages to premium rate number 2476 (6 USD each).

The use of QR codes to spread malware was predictable, and as long as this technology is popular cybercriminals will use it. These two examples illustrate the very beginning of such usage, and in the near future we will likely see more mobile malware spread via QR codes.

Two-thirds of All New Mobile Malware Targets Android

(LiveHacking.Com) – McAfee has published its Threats Report for the second quarter of 2011 and has found that two-thirds of all new mobile malware is targeting the Android smartphone platform.

In the last three months the amount of new Android-specific malware has risen sharply. In comparison, J2ME (Java Micro Edition) suffered only a third as much malware.

According to the report, “This quarter Android OS-based malware became the most popular target for mobile malware developers. That’s a rapid rise for Android, which outpaces second place Java Micro Edition threefold.”

Intentionally modifying popular apps to carry malware is still a popular way of infecting devices. When a legitimate app or game has been corrupted, unsuspecting users download and install the malware on their smart phones themselves, without the attacker needing to find an exploit in the underlying OS.

“This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry’s preparedness to combat this growth,” says the report.

The “open” nature of the Android ecosystem, with its multiple app stores, is the main reason this type of malware infection can happen. Although Apple’s app store admission policies are often seen as restrictive and draconian, its closed and moderated nature means that it is very hard for malware writers to get infected applications into the app store.

Researchers Spot Security Flaws in Google’s ClientLogin Protocol

Researchers from Ulm University have discovered potential security vulnerabilities in Google’s ClientLogin protocol. The problem appears primarily on Android, but it also exists for any apps and desktop applications that use the ClientLogin protocol over HTTP rather than HTTPS.

Recent research has found that using Android on open WiFi networks is dangerous as some Android applications, including the Google Calendar app and Google contacts, transmit data in the clear, allowing an attacker to eavesdrop on any transmitted information.

Researchers Bastian Könings, Jens Nickels, and Florian Schaub wanted to know if it is possible to launch an impersonation attack against Google services and so started their own analysis. According to their research it is possible and such attacks are not just limited to Google Calendar and Contacts, but are theoretically possible with all Google services using the ClientLogin authentication protocol.

Google’s ClientLogin protocol works by using an authentication token (authToken), which an application requests via HTTPS. If the supplied username and password are correct, the token is sent to the application. The token is then used in all other requests to the Google services, but not necessarily over HTTPS, which makes it easy to capture. Since the authToken is not bound to any session or specific device, an attacker can use a captured authToken to access any personal data which is made available through the service API.

It is clear that Google are aware of this problem because, as of Android 2.3.4, the Calendar and Contacts apps transmit requests over HTTPS. However, Android 2.1, 2.2.1 and 2.3.3 are all vulnerable. Interestingly, the new Picasa Web Albums synchronization found in Android 2.3 uses HTTP, not HTTPS, and as such is vulnerable.
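To check whether clients on a network you operate still leak the token this way, the following added example (not code from the researchers or from Google) scans proxy-style request records for the ClientLogin header sent over plain HTTP and groups the hits by token. It assumes the token travels in an `Authorization: GoogleLogin auth=...` request header; the URLs, tokens and the function names `fingerprint` and `cleartext_token_uses` are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Assumed header format used by ClientLogin clients to present the authToken.
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)",
                     re.IGNORECASE | re.MULTILINE)

# Constructed sample: (URL, raw header block) pairs as a proxy might log them.
SAMPLE_REQUESTS = [
    ("https://www.google.com/accounts/ClientLogin",
     "Content-Type: application/x-www-form-urlencoded\r\n"),
    ("http://www.google.com/calendar/feeds/default/private/full",
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=EXAMPLE-TOKEN-A\r\n"),
    ("http://www.google.com/m8/feeds/contacts/default/full",
     "Host: www.google.com\r\nauthorization: GoogleLogin auth=EXAMPLE-TOKEN-A\r\n"),
    ("https://www.google.com/calendar/feeds/default/private/full",
     "Host: www.google.com\r\nAuthorization: GoogleLogin auth=EXAMPLE-TOKEN-B\r\n"),
    ("http://example.test/index.html", "Host: example.test\r\n"),
]


def fingerprint(token):
    """Short hash so the report never stores the bearer token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def cleartext_token_uses(requests):
    """Map token fingerprint -> sorted URLs where it was sent over HTTP."""
    exposed = {}
    for url, headers in requests:
        match = AUTH_RE.search(headers)
        if match is None:
            continue  # request carries no ClientLogin token
        if urlsplit(url).scheme.lower() != "http":
            continue  # HTTPS keeps the header confidential in transit
        exposed.setdefault(fingerprint(match.group(1)), set()).add(url)
    return {fp: sorted(urls) for fp, urls in exposed.items()}


if __name__ == "__main__":
    for fp, urls in cleartext_token_uses(SAMPLE_REQUESTS).items():
        print(f"token {fp} sent in cleartext to {len(urls)} endpoint(s):")
        for url in urls:
            print("  ", url)
```

One fingerprint appearing against several services is the unbound-token property in practice: the same value is accepted by each of them.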

Skype for Android Updated – Fixes Privacy Vulnerability

A few days ago Justin Case of the Android Police web site discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs, but that the permissions of the database were badly set, exposing this private information to any other app on the device which cared to take a look.

Now Skype have updated the app to version 1.0.0.983 and in doing so have corrected the permissions on the database files. According to a post on the Skype Security blog Skype “have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices” but they “will continue to monitor closely.”

Skype is recommending that users update to this new version as soon as possible, from the Get Skype section on skype.com or from the Android Market links on skype.com, in order to help protect their information.

According to the Android Police web site Justin Case, who originally found the issue, has taken a look at the updated version and confirmed that the proof-of-concept app he developed to demonstrate the vulnerability no longer functions.

As well as fixing the database permissions Skype have also added 3G calling in the U.S. Previously, calling in the States was only available via Wi-Fi (except for Verizon users who needed to download a special version of the app).

Skype for Android Stores Private Data in Unencrypted DB Accessible by Other Apps

Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set permissions, this private information is accessible to any other app on the device which cares to take a look.

The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.

Justin has created a proof-of-concept app that once installed on the device can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.

Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”
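The permission problem described in this article can be audited on any app data directory. The following added example (not Justin Case's proof-of-concept and not Skype's code) walks a directory tree and reports SQLite files that other user IDs can read or write; the directory names, the file `keys.db` and all function names are constructed for illustration, with only `main.db` and the per-username directory taken from the article.

```python
import os
import stat
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
OTHER_RW = stat.S_IROTH | stat.S_IWOTH


def is_sqlite(path):
    """Identify databases by header, so renamed files are still caught."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def exposed_databases(data_dir):
    """List SQLite files under data_dir that other UIDs can read or write."""
    findings = []
    for root, dirs, files in os.walk(data_dir):
        # A file is only reachable if every parent directory is o+x.
        dirs[:] = [d for d in dirs
                   if os.stat(os.path.join(root, d)).st_mode & stat.S_IXOTH]
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode  # symlinks and FIFOs are skipped
            if stat.S_ISREG(mode) and mode & OTHER_RW and is_sqlite(path):
                findings.append((os.path.relpath(path, data_dir),
                                 stat.filemode(mode)))
    return sorted(findings)


def build_sample(data_dir):
    """Constructed layout: a per-username directory holding main.db."""
    layout = [("alice_example", 0o755, "main.db", 0o666, SQLITE_MAGIC),
              ("alice_example", 0o755, "keys.db", 0o600, SQLITE_MAGIC),
              ("alice_example", 0o755, "notes.txt", 0o644, b"plain text"),
              ("locked", 0o700, "main.db", 0o644, SQLITE_MAGIC)]
    for sub, dmode, name, fmode, body in layout:
        os.makedirs(os.path.join(data_dir, sub), exist_ok=True)
        os.chmod(os.path.join(data_dir, sub), dmode)
        path = os.path.join(data_dir, sub, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, fmode)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return exposed_databases(tmp)
```

The `locked` directory shows the second half of the fix: a permissive file mode is not reachable by other apps when a parent directory denies traversal.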

Adobe Fixes Critical Vulnerabilities in Flash Across the Desktop and on Android

Last week Google released a new version of Chrome with an updated version of Flash to address new zero-day vulnerabilities. Now, as anticipated, Adobe has released the official Flash Player update for Windows, OS X and Linux. Simultaneously it has also released Flash Player 10.2 for Android which also addresses the same vulnerabilities as well as adding new features to the mobile version of the player.

According to the Adobe security bulletins (APSB11-02 and APSA11-01) there are critical vulnerabilities in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Affected versions are: Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. Also affected is Adobe Flash Player 10.1.106.16 and earlier versions for Android.

On the Android mobile platform, Flash Player 10.2 is now available for download for Android 2.2 (Froyo) and 2.3 (Gingerbread) devices and an initial beta release for Android 3.x (Honeycomb) tablets.

Flash support for Android 3.x devices has been keenly awaited and “brings a full web browsing experience, including video, games and other interactive content.”

Improvements included in Flash Player 10.2 for Android are:

  • Performance enhancements to take advantage of new hardware in both Android 3.x tablets, as well as existing hardware in many Android 2.2 and 2.3 devices
  • Tight integration with the new Android 3.x browser to treat Flash content as part of the web page instead of as a separate “overlay.” This results in improved scrolling of web pages and the ability to display pages in the way intended by the page designer, including new support for compositing HTML and other web content over Flash Player rendered content.
  • Automatic soft keyboard support to simplify text entry for rich mobile and multi-screen experiences

As mentioned above, this new version of Flash for Android also incorporates the security fixes as described in Security Bulletins APSB11-02 and APSA11-01.

Google Pulls 50 Apps from Android Market Due to Malware Infection

Apple’s App Store has lots of detractors who don’t like the restrictions Apple places on developers, and Apple has been forced to withdraw GPL-licensed applications due to claims that the App Store limits the freedom of users. However, one great thing about Apple’s control structure is that it is harder for malware-infected apps to find their way into the store. This is not so with Google’s Android Market (which has fewer controls) or with the dozens of unregulated Android application stores that exist today.

According to Symantec, Android malware is on the increase. Symantec use the Android trojan Android.Pjapps as an example. This low-risk trojan is able to open a back door on a compromised device.

But the Android malware scene isn’t just about low-risk trojans. androidpolice.com have discovered an Android Market publisher who took 21 popular free apps, injected them with root exploits and then republished them. Between them these infected apps had over 50,000 downloads over four days.

Once alerted to this situation, Google removed some 50 applications from the official Android Market and suspended the three accounts being used by the developer behind the apps.

When installing Android apps, always check what permissions the application requires, and if you spot extra permissions like “allow application to read (but not write) the user’s browsing history and bookmarks” or “allow application to read SMS messages” then proceed with caution.

Trend Micro’s Chairman Says iOS is More Secure Than Android. But Is He Right?

The chairman and one of the founders of Trend Micro, the Japanese security and anti-virus company, has revealed in a recent interview that he believes that the Android platform is more susceptible to attacks than Apple’s iOS.

Speaking to Bloomberg, Chang said “Android is open-source, which means the hacker can also understand the underlying architecture and source code”. This seems to be the exact opposite of what Google has found with its Chrome web browser and its reward program.

In contrast Chang says that Apple’s sandbox in iOS “isolates the platform, which prevents certain viruses that want to replicate themselves or decompose and recompose to avoid virus scanners”.

His comments come just after the launch of Trend Micro’s Mobile Security for Android. The $3.99 app can block viruses, malicious programs and unwanted calls. Are Chang’s comments just good marketing or does he have a point?