Categories
Mobile Syrup

Samsung, LG, other Android devices vulnerable to malware after security leak

Google publicly disclosed a major security leak impacting devices from Samsung, LG, Xiaomi and more. The leak enabled the creation of ‘trusted’ malware apps that can gain access to the entire Android operating system.

Shared by Googler Łukasz Siewierski (via 9to5Google), Google’s Android Partner Vulnerability Initiative (APVI) revealed the details, which you can view here. The main issue is that multiple Android manufacturers had their platform signing keys leaked. Those keys ensure that the version of Android running on your device is legitimate and created by the manufacturer. However, those keys can also be used to sign individual apps, which Android trusts by design.

However, a malicious actor with those signing keys could abuse that trust to give malware full, system-level permissions on an affected device since that device would see the official, signed key and, by default, trust the app. Since some manufacturers use these keys to sign relatively common apps — for example, 9to5 points to Samsung’s Bixby, which is signed with the company’s key on at least some phones — attackers could add malware to a trusted app, sign it with the same key, and then Android would trust it. Worse, this malicious version of the app could come from various sources — the Play Store, Samsung’s Galaxy Store, or be sideloaded.

Google didn’t say which devices or manufacturers were affected in its disclosure. However, the company did include hashes of example malware files, which were uploaded to VirusTotal. 9to5 notes that VirusTotal reveals the names of some of the affected companies, which include Samsung, LG, MediaTek, Szroco (which makes ‘Onn’ tablets for Walmart), and Revoview. There are more keys as well, but they have not been identified.

In the disclosure, Google recommends that manufacturers change their platform signing keys from the ones that leaked. It also urged all manufacturers to reduce how often they use those keys to avoid potential security issues. Moreover, Google said that Samsung and other affected companies took “remediation measures to minimize the user impact” of the security leaks after the issue was first reported in May 2022.

However, 9to5Google notes that Samsung used its vulnerable platform signing key in several Android app updates within just the last few days, based on details from APKMirror. It also remains unclear which Android devices, if any, are still vulnerable.

Moreover, while Google notes the exploit was first reported in May 2022, VirusTotal first scanned some of the malware examples as early as 2016. It remains unclear whether the leak and associated exploits were actively used against anyone in that time.

Google said in a statement to 9to5 that there are several systems in place to protect people from these kinds of security vulnerabilities, such as Play Protect. The company also said that “there is no indication that this malware is or was on the Google Play Store.”

To protect themselves, Android users should make sure their devices are up-to-date and avoid sideloading apps.

Source: Google, Łukasz Siewierski Via: 9to5Google


Android 13 brought new security measures, but malware can bypass it

Google rolled out new security measures in Android 13 to protect users from malware, and attackers have already come up with a way to work around the new protections.

ThreatFabric, which seeks to prevent fraud and cybercrime via threat intelligence, detailed a new exploit that builds on top of existing malware (via Android Police). The new exploit effectively disguises itself as an app store to bypass new security measures. However, to fully understand what’s going on here, you first need to look at what Google added in Android 13 to protect users.

According to Android Police, Google added a new security measure that prevents sideloaded apps (apps installed from outside of an app store) from requesting access to accessibility services. Accessibility services are an important part of Android, offering various tools to make smartphones easier to use for people with disabilities (for example, screen readers for people with visual impairments).

However, the nature of accessibility services means they’re vulnerable to abuse, making it easy for malware to snoop on private data, like passwords. ThreatFabric detailed some existing malware, such as the ‘Xenomorph’ banking malware, which uses accessibility services to view what’s on screen and capture personal information like log-in credentials.

Hence Google’s new security measures, which block sideloaded apps from requesting accessibility services (there is, however, a convoluted way to enable accessibility services for sideloaded apps if you need to do so). Given how important accessibility services can be, Google doesn’t want to outright ban apps from using them either. As such, Android 13 doesn’t block accessibility services for apps downloaded from the Play Store or other app stores — this exemption relies on the ‘session-based package installation API.’

Attackers working on malware that acts like an app store to bypass security

The reasoning here seems to be that app store operators vet their store platforms for malicious apps, and so apps installed from these stores are likely safe. However, the session-based package installation API is also the main avenue for bypassing the new accessibility services security measures.

ThreatFabric notes that developers with the ‘Hadoken group’ are developing a two-part malware exploit. The first part involves installing a ‘dropper’ app that acts like an app store. It then uses the session-based package installation API to install another app, which contains the malware. Because of this approach, the second app is able to bypass the security measures and request accessibility services.

Before you panic, ThreatFabric said the malware is still very buggy and likely still early in development. However, it expects the Hadoken group to keep working on it, and it sounds like this style of getting malware onto Android devices could become more common.

Users should be extra careful when granting accessibility services to an app. Android Police describes accessibility services as the “weak link” for a variety of malware. As such, users should only grant access to accessibility services to trusted apps.

Those interested can read all the details in ThreatFabric’s report here.

Source: ThreatFabric Via: Android Police


Chinese hackers use VLC to launch malware on Windows: report

Chinese hacking group ‘Cicada’ is reportedly using popular media player VLC to launch malware on Windows machines.

As reported by cybersecurity researchers at Symantec (via Android Police), the hacking group targeted governments and related organizations, legal and non-profit businesses, and organizations with religious connections. The group hit targets in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

Symantec explained that Cicada — which also goes by Stone Panda or APT10 — exploits legitimate versions of VLC by launching a “custom loader” via the software’s ‘Exports’ function. Then, it uses the ‘WinVNC’ tool to gain remote control of the victim’s machine.

Once Cicada has remote control, it can deploy a hacking tool called ‘Sodamaster’ to evade detection and scan systems, download more malicious packages, and conceal communications between compromised systems and the hackers’ command-and-control servers.

Symantec believes the VLC attacks may be ongoing, and that they began in 2021 after hackers exploited a known vulnerability with Microsoft Exchange.

The best thing for users to do to protect themselves is to keep software up-to-date, use strong passwords, and back up important data.

Source: Symantec Via: Android Police


Android spyware linked to Russian hackers tracks location, records audio

Researchers uncovered a previously unknown, Russian-linked Android malware that masquerades as a system app called ‘Process Manager’ while collecting a wealth of user data.

According to Lab52 (via Bleeping Computer), the malware is linked to Turla, a Russian state-sponsored hacking group. Turla is known for using custom malware to target European and American systems, typically for espionage. Moreover, Turla was recently linked to the ‘Sunburst’ backdoor used in the 2020 SolarWinds attack.

Lab52 identified a malicious APK — the file type used for Android applications — called ‘Process Manager.’ It’s not clear how threat actors distribute the APK to users. Based on the connection to Turla, it’s possible threat actors use phishing schemes or social engineering to get the app installed on devices.

Once installed, however, the app disguises itself with a gear-shaped icon to look like a system component. Coupled with the ‘Process Manager’ name, it could be easily mistaken for part of the Android system.

On first launch, Lab52 says the app prompts the user to grant it 18 permissions, including access to location, camera, call logs, SMS, the ability to read and write to storage, and more. With these permissions, Process Manager can effectively gather a huge amount of data about the device’s owner.

Lab52 noted it’s not clear if the app uses the Android Accessibility service to grant itself permissions, or if it tricks users into granting permission.

Further, once the malware gets the permissions, it removes its icon and runs in the background. Interestingly, the app shows a notification saying that it’s running, which seems counterintuitive for a spyware app that would want to remain hidden.

Lab52 also found that the malware installed additional apps on victims’ devices, including one called ‘Roz Dhan: Earn Wallet cash,’ a popular money earning app. The malware appears to install the app using its referral system, likely earning a commission for the creators.

All this seems relatively strange for spyware — Bleeping Computer suggests the unsophisticated nature may indicate the spyware is part of a larger system.

The publication also suggests some ways Android users can protect themselves. For one, check the ‘Permission manager’ feature in the Settings app (on my phone, it’s available in the ‘Privacy’ menu). It’s a good idea to revoke permissions for any apps you don’t trust, or that appear risky. Users should also pay attention to the new camera and microphone use indicators that appear on devices running Android 12. If these indicators show up when you’re not using the camera or microphone, it could indicate the presence of spyware on your device.

Source: Lab52 Via: Bleeping Computer


Fake ShowBox apps found on Samsung Galaxy Store could infect phones with malware

Samsung’s Galaxy Store, an alternative to the Google Play Store for Samsung phones, has several clones of an app called ‘ShowBox’ that could potentially allow for the installation of malware on people’s phones.

Spotted initially by Max Weinbach, Android Police expanded on the findings with a more in-depth investigation. Weinbach tweeted about finding at least five of these sketchy apps, which trigger Google’s ‘Play Protect’ warning when users attempt to install them. Android Police analyzed one of the ShowBox APK files through VirusTotal and found over a dozen alerts from security vendors. Moreover, several of the ShowBox clone apps request extra permissions like access to contacts, call logs and the telephone.

Android Police also connected with security analyst ‘linuxct,’ who revealed more vulnerabilities in the ShowBox app. In particular, the investigation found that code in the app’s ad tech was capable of executing dynamic code. In other words, the app doesn’t itself include malware, but it could download and execute other code, which could include malware. Android Police says similar issues were demonstrated in at least two ShowBox apps from the Galaxy Store.

The other issue here is that the apps clone ShowBox, a platform with a reputation for enabling piracy and access to copyrighted content, such as movies and TV shows. It’s not clear if the cloned apps enable piracy.

Interestingly, a post on the ShowBox subreddit from two years ago warns that ShowBox is “down” with a promise that if the service does return, an announcement will be made on the subreddit. The post goes on to say that there are “no legitimate alternatives bearing the ‘ShowBox’ name” and even warns of some fakes that attempt to steal users’ personal information.

Samsung did not respond to Android Police’s request for comment, although that’s understandable given the holidays.

It’s worth noting that the Play Store didn’t have the ShowBox apps listed, although it has had its share of malware issues in the past. As usual, you should be careful when downloading any app — always make sure to check reviews and pay attention to warnings when downloading an app, regardless of the source.

Source: Android Police