October 22, 2016

European Security Agency Publishes Report About the Security Risks of Smartphones

With smartphones becoming more and more a part of our daily lives, the European Network and Information Security Agency (ENISA) has published a new report detailing the top security risks of smartphone use and giving practical security advice for businesses, consumers and governments.

According to Gartner, worldwide smartphone sales doubled last year and 80 million were sold worldwide in Q3 2010 alone. Any prevalent technology can pose security risks, and the 61-page ENISA report lists several key risks, including:

  • Data leakage: a stolen or lost phone with unprotected memory allows an attacker to access the data on it.
  • Unintentional data disclosure: most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
  • Phishing: an attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or SMS/Email messages that seem genuine.

The report goes on to highlight the risks of spyware, network spoofing attacks and diallerware (where an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers).

For consumers, ENISA makes the following recommendations:

  • Always configure your smartphone in such a way that it locks automatically after some minutes.
  • Before installing or using new smartphone apps or services, check their reputation. Never install any software onto the device unless it is from a trusted source and you were expecting to receive it.
  • Scrutinize permission requests when using or installing smartphone apps or services.

For consumers and businesses the report underlines the importance of properly decommissioning a phone before it is disposed of or transferred to another user. In such cases it is essential to wipe all the data and settings from the smartphone.

For government officials, ENISA recommends that sensitive data is not stored locally, that encryption software is used and that the smartphones should be periodically wiped (using secure deletion) and reloaded with a specially prepared and tested image.

Hacker Creates Modified Symbian S60 Firmware with Hidden Back Door

Professional security researcher, hacker and MalCon speaker Atul Alex has analyzed the firmware for the Symbian S60 smartphone (which also runs on the Nokia 5800, Nokia X6, Nokia 5530XM, Sony Ericsson Satio and Sony Ericsson Vivaz) and created a modified firmware with a back door which allows a third party to record telephone calls and download emails, telephone lists and text messages from the phone’s memory.

To use the back door, the new firmware must be downloaded onto the target phone in a manoeuvre reminiscent of the best Hollywood spy films. The compromised firmware, which is created by modifying version 5 of the original software, allows all of the smartphone’s functions to be remotely controlled, including the camera.

Once installed, the hack contacts the attacker via a wireless connection and transmits the device’s current IP address. The attacker can then connect to the phone remotely and any stolen data can be transmitted via 3G or WLAN to the attacker’s file server.

The H are reporting that the back door uses a technique to hide the extra process from the system’s TaskManager. The only way to remove the back door is to overwrite the firmware with Symbian’s original software.

Web-injection Vulnerabilities in WebOS

Researchers at SecTheory have discovered multiple flaws in the WebOS smartphone platform that could be used to build a mobile botnet or carry out other remote attacks.

The most dangerous of the vulnerabilities is an injection flaw on the WebOS version 1.4.X that allows remote command and control, including access to a phone’s files or injecting a remote JavaScript backdoor into the phone’s Contacts Application to build a botnet.

Read the full story here.


Android app secretly uploads GPS data, warns Symantec

Researchers from anti-virus provider Symantec have outed a gaming application in Google’s Android Market that tracks users’ whereabouts so they can be secretly monitored in real time.

The free app is known as Tapsnake, which bills itself as an Android variation of a video game that has been around for three decades. What the description doesn’t say is that every 15 minutes, the app uploads the user’s GPS coordinates to a server that can be monitored by people running a separate $4.99 app known as GPS Spy, which is made by the same developer shop.

Read the full story here.
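The fixed 15-minute upload interval Symantec describes is exactly the kind of regularity a defender can look for in per-app network logs. The following is an added example, not code from Symantec, the app or the original article; it parses constructed log lines in an assumed format (timestamp, app package, destination host, bytes sent) and flags flows whose inter-arrival times are nearly constant:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of per-app outbound connection records (not real data).
# Assumed format: "<ISO timestamp> <app package> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2010-08-16T10:00:02 com.example.tapsnake tracker.example.net 412
2010-08-16T10:03:11 com.example.browser news.example.org 9031
2010-08-16T10:15:01 com.example.tapsnake tracker.example.net 410
2010-08-16T10:22:45 com.example.browser news.example.org 12099
2010-08-16T10:30:03 com.example.tapsnake tracker.example.net 411
2010-08-16T10:45:02 com.example.tapsnake tracker.example.net 413
2010-08-16T10:51:30 com.example.browser cdn.example.org 55012
2010-08-16T11:00:01 com.example.tapsnake tracker.example.net 410
"""


def parse_log(text):
    """Group connection timestamps by (app, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, host, _size = line.split()
        flows[(app, host)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_events=4, max_jitter=0.1):
    """Return (app, host, period_seconds) for every flow whose gaps between
    connections are nearly constant, i.e. stdev/mean of the gaps <= max_jitter.
    A human-driven app produces irregular gaps; a timer-driven upload does not."""
    hits = []
    for (app, host), times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((app, host, round(avg)))
    return hits


if __name__ == "__main__":
    for app, host, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{app} -> {host} beacons every ~{period}s")
```

The sample flags only the tracker flow, with a period of about 900 seconds; the browser traffic is both too sparse and too irregular to match.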

Source: [TheRegister]