Exploits use Apple's enterprise app distribution model and 'private APIs' to seed adware on iPhones, sidestepping App Store inspections
A group of university researchers has created a new method for detecting malicious apps running on Android devices, called MassVet. Instead of the old approach of signature scanning, MassVet compares a submitted app against apps already on the market to establish which components are malicious.
The architecture behind MassVet can be seen below:
The authors argue that MassVet is able to identify a malicious app in less than 10 seconds and with a low probability of false positives:
"Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated. Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious. This analysis is made scalable by its simple, static nature and the feature projection techniques that enable a cloud-based, fast search for view/code differences and similarities," wrote the researchers in the paper they published.
The researchers argue that this new method can help find zero-day malware, but they criticized Google for only banning the developer who releases a malicious payload rather than blocking the payload itself, which lets other people reuse the malicious payload:
"Another interesting finding is that we saw that some of these developers uploaded the same or similar malicious apps again after they were removed. Actually, among the 2125 reappeared apps, 604 confirmed malware (28.4 percent) showed up in the Play Store unchanged, with the same MD5 and same names. Further, those developers also published 829 apps with the same malicious code (as that of the malware) but under different names. The fact that the apps with known malicious payloads still got slipped in suggests that Google might not pay adequate attention to even known malware."
MassVet implements a comparison algorithm and, on top of that, a mechanism that analyses both the differences and the commonalities between apps, which makes it more efficient and "smart."
MassVet analyzed around 1.2 million apps deployed in 33 Android app stores, discovering 127,429 malicious apps, 30,552 of which are hosted on Google Play.
The disconcerting aspect of the story is that many of these apps weren't recognized by common antivirus solutions available in the market.
"We observed that most scanners react slowly to the emergence of new malware. For all 91,648 malicious apps confirmed by VirusTotal, only 4.1% were alarmed by at least 25 out of 54 scanners it hosts. The results are present in Figure 7. This finding also demonstrates the capability of MassVet to capture new malicious content missed by most commercial scanners."
Projects like this one are important: they help the security community quickly discover the malicious apps that are deployed in app stores.
Antoine Vincent Jebara and Raja Rahbani, co-founder and lead engineer of MyKi, an identity management company in Beirut, have discovered a vulnerability in Apple's password management system (Keychain) which, if exploited, enables an attacker to compromise stored credentials at will.
While working with Apple's password manager for their own product, Jebara and Rahbani noticed that if specially crafted terminal commands were issued, they could make Keychain disclose passwords with little to no user interaction.
The command creates a situation where, instead of asking for a user's Keychain password, Keychain will prompt them to click an allow button instead. The two researchers then took their theory further and developed a proof-of-concept exploit that triggers the command and simulates a user mouse click in the exact location where the allow button would appear.
This process happens in milliseconds (less than 200ms to be exact), right in front of the user, who wouldn't notice a thing.
"The 'allow' button appears 10% to the right of the centre of the screen and 7% below it," Jebara said in an email.
"We noticed that the only issue that could affect the location of this 'allow' button is the size of the dock, so we also issue a command that hides the dock for 500ms in order for us to successfully press the 'allow' button."
After the allow button is pressed, the password is intercepted and sent via SMS to the attacker's phone. However, SMS could be replaced by any delivery system, including exfiltration to a C&C server, or it could be stored locally for later retrieval.
The code needed to trigger this attack could be wrapped around anything. In a video, the researchers used an image as the trigger.
Once the image is displayed, the user wouldn't notice the rest of the attack, which is over almost as soon as it started. Because the code is wrapped around a harmless file, and the code itself is a legitimate command followed by an expected user response (even if it is simulated), security products would likely ignore this attack, because there really isn't anything bad happening from their point of view.
Jebara said that the fix for this flaw would be to alter the way the Keychain responds to the commands they've discovered and prompt the user for a password the way it is supposed to. Another alternative would be to stop using the Keychain, he added, but that is difficult to accomplish knowing that OS X relies heavily on it. Naturally, Jebara has a horse in this race too, as his own product would address this flaw.
The vulnerability was disclosed to Apple, but they haven't responded to Jebara or Rahbani.
When asked for comment, Apple didn't respond before this story went live.
"We disclosed, because we feel that it is the right thing to do, knowing that a vulnerability of this magnitude would have disastrous consequences (you wouldn't be able to open any third-party file on your computer without the risk of losing all of your sensitive information until Apple issues a patch). But this doesn't prevent us from going public either," Jebara explained in a follow-up email.
"The vulnerability is extremely critical. It allows anyone to steal all of your passwords remotely by simply downloading a file that doesn't look malicious, and can't be detected by malware detectors - as it doesn't behave the way malware usually does," Jebara said.
More than 70 percent of Android phones from LG have a plugin installed that exposes them to the Certifi-gate remote support app vulnerability, where a rogue application -- or even a text message -- can completely take over a device.
Check Point Software Technologies reported the vulnerability in April to Google, device manufacturers, and the remote support app vendors but, so far, none of the device manufacturers have pushed out updates to their customers.
Although LG devices are most exposed, 18 percent of Samsung devices also have the vulnerable plugin, as well as 9 percent of HTC devices, according to a Check Point scan of around 100,000 smartphones.
But even devices that don't currently have the vulnerable plugin installed are at risk, if an app either maliciously or accidentally installs the plugin. Of Samsung smartphones, an additional 67 percent are at risk of this, as are 19 percent of LG phones, and 86 percent of HTC phones.
Check Point publicly disclosed the problem at Black Hat in Las Vegas earlier this month, and released a vulnerability scanner app that has been installed around 100,000 times.
Overall, 58 percent of all the devices scanned are potentially vulnerable to this exploit, the company said.
How it works
In order to make it easier for customers to get technical support, some smartphone manufacturers bundle remote support apps that allow techs to take over the handset.
"Most of the new LG devices come with pre-installed support software," said Michael Shaulov, Check Point's head of mobility product management. "And in order to actually operate, you can understand that this software requires very high privileges."
The problem is two-fold. First, the apps have authentication issues that allow unauthorized access. So far, two of the three vendors have fixed the access problems, but the old, insecure versions of the software are still around.
"In the cases where the support tool was pre-installed on the device, if the device manufacturer or carrier is not pushing the update to the users, the users can't update it by themselves," said Shaulov. "And none of the carriers have done the push so far."
Second, while the remote access software is signed with the manufacturer's digital certificates, there is no easy way to revoke those certificates, said Shaulov.
That means that even if the manufacturers and carriers do push out an update of the remote support software -- or the software was never installed on the device in the first place -- a third-party application can install the older, vulnerable version.
That is exactly what an app called "Recordable Activator" did. In order to allow users to record their screens without rooting the devices -- a feature not normally available on Android phones -- the app downloaded one of these remote support tools, and then leveraged the access provided to make screen recordings.
Google has since removed the Recordable Activator app from the Google Play store.
According to Check Point, device manufacturers need to push out a patch to their smartphones that revokes the certificates that the old vulnerable remote support tools were signed with.
Until then, users are warned to only download apps from the official stores, and to run the vulnerability scanner after installing any apps that might be questionable.
Experts discovered that the sandbox vulnerability affects all apps that use the managed app configuration setting on devices running older iOS versions.
Kevin Watkins, a security researcher from Appthority, argues that users without iOS 8.4.1 are affected by the sandbox vulnerability, CVE-2015-3269. The flaw affects all apps that use managed app configuration settings, meaning that Apple is storing enterprise credentials in a directory that can be read by everyone.
"IT will commonly send the credential and authentication information along with the managed app binary for installation on corporate mobile devices [which] often included access to the corporate data security jewels, including server URLs, and credentials with plaintext passwords."
"The underlying issue with our critical sandbox violation discovery is that ... anyone can also see the credential information on the mobile device as it is stored world readable," said Watkins.
"An attacker could target as many enterprises it can get into (using the iTunes store to spread an app designed to read and share the configuration files), or a specific target (traditional spear-phishing attack, through targeted e-mail, etc). In either case, they would develop an app that has a high chance of being installed in the enterprise, such as a productivity app. Once the app gets downloaded and installed on the devices, it would continuously monitor the directory for configuration settings being written to the world readable directory, harvesting and sending them to the attacker. Because all apps have access to the directory, it could hide in plain sight and operate as one of the many legitimate apps that have access to the directory in question."
"An attacker (or a malicious app) with access to an MDM managed device can read all managed configuration settings for an unpatched device. Managed configuration is used to make the provisioning of apps easier and enterprise apps may use this mechanism to provision credentials or details about internal infrastructure this way. Those can be used by the attacker to gain access to those services."
Corporate app data is more exposed than assumed: the expert highlighted the risk of an attack in which hackers steal information stored in that open directory, including mobile device management (MDM) settings.
The tests conducted by Watkins revealed that medical apps used by doctors were leaking patient data, user names, passwords and authentication tokens.
"We also found apps used in the healthcare industry, giving doctors access to patient data and records (a likely HIPAA violation)," Watkins continues.
The analysis of the managed settings used by these apps revealed:
Close to half (47%) referenced credentials, including username, password and authentication tokens.
67% referenced server identification information.
The good news is that Apple patched the CVE-2015-3269 sandbox vulnerability with the release of iOS 8.4.1, but many people are still running older iOS versions. It has been estimated that around 70% of users still have older iOS versions, and it will take some months until iOS 8.4.1 is fully deployed.
Please keep in mind the following recommendations to avoid this type of problem:
Do not use this mechanism to provision secret or confidential data.
Credentials and other secrets should always be stored in the device keychain.
A possible way to provision this data would be to use URL schemes.
Use iOS single sign-on profiles if possible.
Researchers identified a vulnerability in the Google Admin application for Android that could have been exploited to read arbitrary files from the app's sandbox. Google says it has released an update to patch the flaw.
The Google Admin application for Android is designed to allow administrators to manage their Google for Work accounts from their mobile devices. Admins of Google Apps for Work, Education, Google Coordinate, and Government can use the app to add and manage users, contact support, and view their organization's audit logs.
Researchers at security firm MWR InfoSecurity discovered a medium severity vulnerability that allows malicious applications installed on the same device as Google Admin to bypass the Android sandbox and read data from any file within Admin's sandbox.
"An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox," MWR InfoSecurity wrote in an advisory published last week.
According to MWR, the flaw was reported to Google in mid-March. MWR noted in its advisory that the search giant had not yet released an update to patch the vulnerability.
However, Google says it has released an update for Google Admin to address the flaw reported by MWR. The company is not aware of any attacks leveraging this security hole.
"We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected," a Google spokesperson told SecurityWeek.
Technical details on the vulnerability are available in MWR's advisory.
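The vulnerable pattern MWR describes (a URL received over IPC loaded straight into the app's own WebView) beside a hardened form, as an added Java example that is not MWR's or Google's code; the intent extra name and the allowed host are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class UrlLoadingExample {
    // Hypothetical intent extra name; the advisory does not name the real one.
    static final String EXTRA_URL = "url";
    // Hypothetical allow-list; a real app lists only its own backend hosts.
    static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList("admin.example.com"));

    // The pattern the advisory describes: a URL received over IPC is loaded as-is, so a
    // file:// URL to an attacker-controlled file (possibly a symlink into this app's
    // private directory) is rendered with this app's privileges.
    static void loadUrlUnsafe(WebView webView, Intent intent) {
        webView.loadUrl(intent.getStringExtra(EXTRA_URL));
    }

    // Accept only https URLs to an allow-listed host; file://, content://, javascript:
    // and unknown hosts are rejected before they reach the WebView.
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme(), host = uri.getHost();
        return scheme != null && host != null && scheme.equalsIgnoreCase("https")
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Hardened: validate the URL and disable file/content access in the WebView, so
    // even a local file URL cannot be loaded or read by page scripts.
    static boolean loadUrlSafe(WebView webView, Intent intent) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);      // deprecated, still honoured
        settings.setAllowUniversalAccessFromFileURLs(false);
        String url = intent.getStringExtra(EXTRA_URL);
        if (!isAllowedUrl(url)) {
            return false; // drop the request rather than render untrusted content
        }
        webView.loadUrl(url);
        return true;
    }
}
```

The receiving activity should also not be exported to other apps unless it genuinely needs to be, which removes the IPC path entirely.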
Google announced in February that it has expanded its vulnerability reward program to mobile applications developed by the company.
As far as Android is concerned, numerous vulnerabilities have been uncovered in the mobile platform over the past months. The list includes several denial-of-service (DoS) bugs, and some critical issues such as the Stagefright vulnerabilities.