Google Play apps with 470k installs can log in to your Facebook and Google accounts

Researchers on Thursday documented two new malware campaigns targeting Android users.

The first involved nine apps that had been downloaded from Google Play more than 470,000 times. With names such as Speed Clean and Super Clean, the apps masqueraded as utilities for optimizing device performance. Behind the scenes, they connected to servers that could download as many as 3,000 different malware variants onto compromised devices. Once installed, the apps could log in to users’ Facebook and Google accounts to perform ad fraud. A second, unrelated campaign used cleverly crafted phishing emails to trick users into installing one of the nastiest pieces of malware targeting the Android OS (more about that later).

Not the Play Protect you’re looking for

Once installed, the apps posing as optimizer utilities connected to an attacker-controlled server that’s capable of downloading other malicious apps that perform a variety of fraudulent tasks, including:

  • Displaying ads from legitimate advertising platforms such as Google AdMob and Facebook Audience Network and then simulating users clicking on the ads
  • Installing reward apps from the ad networks and running them in a virtual environment to make them more covert
  • Tricking users into enabling Android accessibility permissions and disabling Play Protect, the malware scanner built into Android. This capability allows malicious payloads to download and install apps without being detected
  • Using the accessibility function to post fake reviews and log in to users’ Google and Facebook accounts

The campaign—reported by Trend Micro—was most active in Japan, Taiwan, the United States, India, and Thailand. One place the campaign was not active was in China. When Trend Micro researchers modified geographic parameters to China, the apps didn’t do any malicious downloads. (Often, malware campaigns exclude the attackers’ countries of origin to prevent crackdowns by local authorities.)

The apps participating in the campaign included:

App name                                              Package                              No. of installs
Shoot Clean-Junk Cleaner,Phone Booster,CPU Cooler     com.boost.cpu.shootcleaner           10,000+
Super Clean Lite- Booster, Clean&CPU Cooler           com.boost.superclean.cpucool.lite    50,000+
Super Clean-Phone Booster,Junk Cleaner&CPU Cooler     com.booster.supercleaner             100,000+
Quick Games-H5 Game Center                            com.h5games.center.quickgames        100,000+
Rocket Cleaner                                        com.party.rocketcleaner              100,000+
Rocket Cleaner Lite                                   com.party.rocketcleaner.lite         10,000+
Speed Clean-Phone Booster,Junk Cleaner&App Manager    com.party.speedclean                 100,000+
LinkWorldVPN                                          com.linkworld.fast.free.vpn          1,000+
H5 gamebox                                            com.games.h5gamebox                  1,000+

Google has removed the apps from Play.
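Two checks a defender can run against device state pulled with adb, as an added example that is not part of the Ars or Trend Micro reporting: one matches installed packages against the package names in the table above, the other flags accessibility services enabled for packages outside a reviewed allowlist (the capability the campaign abused). The adb output formats it parses (`pm list packages` printing one `package:<name>` line per app; the `enabled_accessibility_services` secure setting as colon-separated `package/ServiceClass` entries, or `null`) are the standard ones; the sample outputs, the service class names and the allowlist entries are constructed for the example.

```python
# Added example (not the article's or Trend Micro's code). Both inputs below
# are constructed sample strings, not output captured from a real device.
#
# Format assumptions:
#   adb shell pm list packages
#       -> one "package:<name>" line per installed app
#   adb shell settings get secure enabled_accessibility_services
#       -> "pkg/ServiceClass:pkg2/ServiceClass2" or "null"

# Package names from the Trend Micro table reproduced in the article.
TREND_MICRO_PACKAGES = {
    "com.boost.cpu.shootcleaner",
    "com.boost.superclean.cpucool.lite",
    "com.booster.supercleaner",
    "com.h5games.center.quickgames",
    "com.party.rocketcleaner",
    "com.party.rocketcleaner.lite",
    "com.party.speedclean",
    "com.linkworld.fast.free.vpn",
    "com.games.h5gamebox",
}

# Accessibility services an organisation has reviewed and accepts. The entry
# is hypothetical; a real allowlist comes from the fleet's own policy.
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback",
}


def parse_package_list(pm_output: str) -> set[str]:
    """Parse `pm list packages` output into a set of package names."""
    packages = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, service_class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" in entry:
            pkg, cls = entry.split("/", 1)
            pairs.append((pkg, cls))
    return pairs


def find_known_bad(installed: set[str]) -> set[str]:
    """Installed packages that appear in the reported campaign list."""
    return installed & TREND_MICRO_PACKAGES


def find_unexpected_accessibility(raw: str, allowlist=ACCESSIBILITY_ALLOWLIST) -> list[str]:
    """Packages holding an enabled accessibility service without being allowlisted."""
    return sorted({pkg for pkg, _ in parse_accessibility_services(raw) if pkg not in allowlist})


# Constructed sample of `pm list packages` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.google.android.marvin.talkback
package:com.party.speedclean
package:com.example.notes
"""

# Constructed sample of the accessibility setting; the second service class is invented.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.party.speedclean/com.party.speedclean.AccService"
)


def audit(pm_output: str = SAMPLE_PM_OUTPUT, accessibility_raw: str = SAMPLE_ACCESSIBILITY) -> dict:
    """Run both checks and return the findings."""
    installed = parse_package_list(pm_output)
    return {
        "known_bad": sorted(find_known_bad(installed)),
        "unexpected_accessibility": find_unexpected_accessibility(accessibility_raw),
    }


if __name__ == "__main__":
    print(audit())
```

On a real device the two strings would come from `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`; the package match is only as good as the list it is fed, while the accessibility check catches the behaviour itself regardless of package name.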

Anubis returns

The second campaign disclosed on Thursday uses cleverly crafted phishing emails to infect Android devices with Anubis, arguably one of the nastiest and most resourceful pieces of malware written for the mobile OS, and one known for its ingenuity. In mid-2018, researchers with IBM’s X-Force group documented a variety of Google Play apps that surreptitiously installed the banking and financial-fraud malware. Not long after that, researchers found an updated version of Anubis that used devices’ motion sensors to detect when it was running on researchers’ emulators rather than on real hardware.

The campaign disclosed on Thursday uses emails that present targets with an attachment that’s ostensibly a billing invoice. In fact, it’s an APK file, the format used to install Android apps. On devices configured to allow app installs from sources other than Google Play, the file displays a fake Google Protect message that asks for two seemingly innocuous privileges.

When users click OK, the app disables Play Protect and gains 19 permissions, many of them highly sensitive. Researchers from Cofense—the security firm that documented the campaign—suspect the ruse is the result of the fake message overlaying and blocking the authentic Android dialog.

Anubis then checks infected devices to see if 263 different banking and shopping apps are installed. Once a user opens any of those apps, the malware uses an overlay screen to phish the account password for the app. Other capabilities include:

  • Capturing screenshots
  • Enabling or changing administration settings
  • Opening and visiting any URL
  • Disabling Play Protect
  • Recording audio
  • Making phone calls
  • Stealing the contact list
  • Controlling the device via VNC
  • Sending, receiving and deleting SMS
  • Locking the device
  • Encrypting files on the device and external drives
  • Searching for files
  • Retrieving the GPS location
  • Capturing remote control commands from Twitter and Telegram
  • Pushing overlays
  • Reading the device ID

The malware also includes a ransomware component that encrypts files in both internal and external storage and adds the file extension .AnubisCrypt. It then sends each encrypted file to an attacker-controlled server.

“The ransomware module is an extra or secondary ‘feature’ that can be enabled remotely once the attacker has no other use for the phone,” a Cofense researcher wrote in an email. “For example, once the attacker has harvested and exploited all the credentials, contacts, emails, messages, sensitive photos, etc., they might choose to encrypt the phone for a ransom or simply destroy the phone out of malice.”

Taken together, Thursday’s disclosures underscore two pieces of age-old advice for keeping Android devices free of malware. The first is to be suspicious of apps available in Play. People should steer clear of apps that have relatively few users, come from obscure developers, or have user reviews that report dubious behaviors. Apps that provide minimal benefit or haven’t been used recently should always be uninstalled.

As problematic as Google Play can be, it’s almost always even more risky to obtain apps from third-party sources (unless they’re from Amazon or a developer known to the user or the user’s employer). Under no circumstances should people install apps sent in emails.

Chrome “Feed” is tantalizing, but it’s not the return of Google Reader

Digging into bleeding-edge Chrome code has made some bloggers hopeful, but Google has been focused on its own feeds for a while now. (credit: Getty Images)

Does Google enjoy teasing and sometimes outright torturing some of its products’ most devoted fans? It can seem that way.

Tucked away inside a recent bleeding-edge Chrome build is a “Following feed” that has some bloggers dreaming of the return of Google Reader. It’s unlikely, but never say never when it comes to Google product decisions.

Chrome added a sidebar for browsing bookmarks and Reading List articles back in March. Over the weekend, the Chrome Story blog noticed a new flag in Gerrit, the unstable testing build of Chrome’s open source counterpart Chromium. Enabling that #following-feed-sidepanel flag (now also available in Chrome’s testing build, Canary) adds another option to the sidebar: Feed.

1,900 Signal users’ phone numbers exposed by Twilio phishing

Signal’s security-minded messaging app is dealing with a third-party phishing attempt that exposed a small number of users’ phone numbers. (credit: Getty Images)

A successful phishing attack at SMS services company Twilio may have exposed the phone numbers of roughly 1,900 users of the secure messaging app Signal—but that’s about the extent of the breach, says Signal, noting that no further user data could be accessed.

In a Twitter thread and support document, Signal states that a recent successful (and deeply resourced) phishing attack on Twilio allowed access to the phone numbers linked with 1,900 users. That’s “a very small percentage of Signal’s total users,” Signal writes, and all 1,900 affected users will be notified (via SMS) to re-register their devices. Signal, like many app companies, uses Twilio to send SMS verification codes to users registering their Signal app.

With momentary access to Twilio’s customer support console, attackers could have potentially used the verification codes sent by Twilio to activate Signal on another device and thereby send or receive new Signal messages. Or an attacker could confirm that these 1,900 phone numbers were actually registered to Signal devices.

No other data could be accessed, in large part because of Signal’s design. Message history is stored entirely on user devices. Contact and block lists, profile details, and other user data require a Signal PIN to access. And Signal is asking users to enable registration lock, which prevents Signal access on new devices until the user’s PIN is correctly entered.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against,” Signal’s support document reads. The messaging app notes that while Signal doesn’t “have the ability to directly fix the issues affecting the telecom ecosystem,” it will work with Twilio and other providers “to tighten up their security where it matters for our users.”

Signal PINs were introduced in May 2020, in part to de-emphasize the reliance on phone numbers as a primary user ID. This latest incident may provide another nudge to de-couple Signal’s strong security from the SMS ecosystem, where cheap, effective spoofing and broad network hacks remain all too common.

Update Zoom for Mac now to avoid root-access vulnerability

A critical vulnerability in Zoom for Mac OS allowed unauthorized users to downgrade Zoom or even gain root access. It has been fixed, and users should update now. (credit: Getty Images)

If you’re using Zoom on a Mac, it’s time for a manual update. The video conferencing software’s latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.

The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom’s installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn’t need one. Wardle found that Zoom’s updater is owned and runs as the root user.

The gist of how Zoom’s auto-update utility allows for privilege escalation exploits, from Patrick Wardle’s Def Con talk.

It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that by simply passing the verification checker the name of the package it was looking for (“Zoom Video ... Certification Authority Apple Root CA.pkg“), this check could be bypassed. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
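The class of bug described above, as an added example that is not Zoom’s updater code: a package is accepted because the expected signer string occurs somewhere in a signature checker’s report, so a package whose file name carries that string passes, versus a check that parses the certificate chain and also refuses downgrades. The report layout is loosely modelled on a CLI signature check that prints the package path, a status line and a numbered certificate chain; the signer name, team ID, file paths and both reports are constructed placeholders.

```python
import re

# Added example (not Zoom's code). Demonstrates a substring-based signature
# check versus a parsed-chain check, plus a version floor against downgrades.
# EXPECTED_LEAF, the team ID and the report texts are constructed placeholders.

EXPECTED_LEAF = "Developer ID Installer: Example Corp (TEAMID1234)"
EXPECTED_ROOT = "Apple Root CA"


def naive_is_trusted(report: str) -> bool:
    """The flawed check: a substring search over the whole report text."""
    return EXPECTED_LEAF in report


def parse_report(report: str) -> dict:
    """Extract the status line and the numbered certificate chain from the report."""
    status = ""
    chain = []
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.startswith("Status:"):
            status = stripped[len("Status:"):].strip()
            continue
        m = re.match(r"^\d+\.\s+(.*)$", stripped)
        if m:
            chain.append(m.group(1).strip())
    return {"status": status, "chain": chain}


def strict_is_trusted(report: str) -> bool:
    """The hardened check: only the parsed status and chain decide, never the path."""
    parsed = parse_report(report)
    chain = parsed["chain"]
    return (
        parsed["status"].startswith("signed by a developer certificate")
        and len(chain) >= 2
        and chain[0] == EXPECTED_LEAF
        and chain[-1] == EXPECTED_ROOT
    )


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def update_allowed(report: str, installed_version: str, candidate_version: str) -> bool:
    """Accept only a properly signed package that does not downgrade the client."""
    return strict_is_trusted(report) and parse_version(candidate_version) >= parse_version(installed_version)


# Constructed report for a genuine package.
GOOD_REPORT = """\
Package "/tmp/update.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID1234)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

# Constructed report for an attacker-supplied package whose file name carries
# the expected signer string; only the path line contains it.
BAD_REPORT = """\
Package "/tmp/Developer ID Installer: Example Corp (TEAMID1234).pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Not Example Corp
    2. Some Other CA
"""


if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        print(name, "naive:", naive_is_trusted(report), "strict:", strict_is_trusted(report))
```

The naive check returns true for both reports; the strict check accepts only the genuine chain. Pinning the leaf and root identities and requiring a monotonic version are the two controls that close the downgrade and substitution paths the article describes.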

Some of Wardle’s findings had been patched in a prior update, but the root-access path was still available as of Wardle’s talk on Saturday. Zoom issued a security bulletin the same day, and a patch, version 5.11.5 (9788), followed soon after. You can download the update directly from Zoom or use the menu-bar option “Check for updates.” We wouldn’t suggest waiting for an automatic update, for multiple reasons.

Zoom’s software security record is spotty—and at times, downright scary. The company settled with the FTC in 2020 after admitting that it lied for years about offering end-to-end encryption. Wardle previously revealed a Zoom vulnerability that let attackers steal Windows credentials by sending a string of text. Prior to that, Zoom was caught running an entire undocumented web server on Macs, causing Apple to issue its own silent update to kill the server.

Last May, a Zoom vulnerability that enabled a zero-click remote code execution used a similar downgrade and signature-check bypass. Ars’ Dan Goodin noted that his Zoom client didn’t actually update when the fix for that issue arrived, requiring a manual download of an intermediate version first. Hackers can take advantage of exposed Zoom vulnerabilities quickly, Goodin noted, if Zoom users aren’t updated right away. Minus the root access, of course.
