Android

Google fixes Android flaws that allow code execution with high system rights

Google fixes Android flaws that allow code execution with high system rights

Google has shipped security patches for dozens of vulnerabilities in its Android mobile operating system, two of which could allow hackers to remotely execute malicious code with extremely high system rights.

In some cases, the malware could run with highly elevated privileges, a possibility that raises the severity of the bugs. That’s because the bugs, located in the Android System component, could enable a specially crafted transmission to execute arbitrary code within the context of a privileged process. In all, Google released patches for at least 34 security flaws, although some of the vulnerabilities were present only in devices available from manufacturer Qualcomm.

Anyone with a mobile device should check to see if fixes are available for their device. Methods differ by device model, but one common method involves either checking the notification screen or clicking Settings > Security > Security update. Unfortunately, patches aren’t available for many devices.

Two vulnerabilities ranked as critical in Google’s June security bulletin are indexed as CVE-2020-0117 and CVE-2020-8597. They’re among four System flaws located in the Android system (the other two are ranked with a severity of high). The critical vulnerabilities reside in Android versions 8 through the most recent release of 11.

“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files,” an advisory from the Department of Homeland Security-funded Multi-State-Information Sharing and Analysis Center said. “Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Vulnerabilities with a severity rating of high affected the Android media framework, the Android framework, and the Android kernel. Other vulnerabilities were contained in components shipped in devices from Qualcomm. The two Qualcomm-specific critical flaws reside in closed source components. The severity of other Qualcomm flaws were rated as high.

Vulnerability in fully patched Android phones under active attack by bank thieves

Vulnerability in fully patched Android phones under active attack by bank thieves

A vulnerability in millions of fully patched Android phones is being actively exploited by malware that’s designed to drain the bank accounts of infected users, researchers said on Monday.

The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.

Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market.

The vulnerability is most serious in versions 6 through 10, which (according to Statista) account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There’s no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user’s only defense is to click “no” to the requests.

An affinity for multitasking

The vulnerability is found in a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment. Malicious apps can exploit this functionality by setting the TaskAffinity for one or more of its activities to match a package name of a trusted third-party app. By either combining the spoofed activity with an additional allowTaskReparenting activity or launching the malicious activity with an Intent.FLAG_ACTIVITY_NEW_TASK, the malicious apps will be placed inside and on top of the targeted task.

“Thus the malicious activity hijacks the target’s task,” Promon researchers wrote. “The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed.”

Promon said Google has removed malicious apps from its Play Market, but, so far, the vulnerability appears to be unfixed in all versions of Android. Promon is calling the vulnerability “StrandHogg,” an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom. Neither Promon nor Lookout identified the names of the malicious apps. That omission makes it hard for people to know if they are or were infected.

Google representatives didn’t respond to questions about when the flaw will be patched, how many Google Play apps were caught exploiting it, or how many end users were affected. The representatives wrote only:

“We appreciate the researchers[‘] work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”

StrandHogg represents the biggest threat to less-experienced users or those who have cognitive or other types of impairments that make it hard to pay close attention to subtle behaviors of apps. Still, there are several things alert users can do to detect malicious apps that attempt to exploit the vulnerability. Suspicious signs include:

  • An app or service that you’re already logged into is asking for a login.
  • Permission popups that don’t contain an app name.
  • Permissions asked from an app that shouldn’t require or need the permissions it asks for. For example, a calculator app asking for GPS permission.
  • Typos and mistakes in the user interface.
  • Buttons and links in the user interface that do nothing when clicked on.
  • Back button does not work as expected.

Tip-off from a Czech bank

Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company for financial institutions that several banks in the Czech Republic reported money disappearing from customer accounts. The partner gave Promon a sample of suspected malware. Promon eventually found that the malware was exploiting the vulnerability. Promon partner Lookout later identified the 36 apps exploiting the vulnerability, including BankBot variants.

Monday’s post didn’t say how many financial institutions were targeted in total.

The malware sample Promon analyzed was installed through several droppers apps and downloaders distributed on Google Play. While Google has removed them, it’s not uncommon for new malicious apps to make their way into the Google-operated service. Update: In an email sent after this post went live, a Lookout representative said none of the 36 apps it found was available in Google Play.

Readers are once again reminded to be highly suspicious of Android apps available both in and outside of Google Play. People should also pay close attention to permissions requested by any app.

Google Play app with 100 million downloads executed secret payloads

Google Play app with 100 million downloads executed secret payloads

The perils of Google Play are once again on display with the discovery of an app with 100 million downloads that contained a malicious component that downloaded secret payloads onto infected Android devices.

Throughout most of its life, CamScanner was a legitimate app that provided useful functions for scanning and managing documents, researchers from antivirus provider Kaspersky Lab said on Tuesday. To make money, the developers displayed ads and offered in-app purchases.

Then, at some point things changed. The app was updated to add an advertising library that contained a malicious module. This component was what’s known as a “Trojan dropper,” meaning it regularly downloaded encrypted code from a developer-designated server at https://abc.abcdserver[.]com and then decrypted and executed it on infected devices. The module, which Kaspersky Lab researchers named Trojan-Dropper.AndroidOS.Necro.n, could download and execute whatever the developers wanted at any time. The researchers said that they have previously found Trojan-Dropper.AndroidOS.Necro.n lurking inside apps that are preinstalled on some phones sold in China.

“The above-described Trojan-Dropper.AndroidOS.Necro.n functions carry out the main task of the malware: to download and launch a payload from malicious servers,” a separate post from Kaspersky Lab explained. “As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”

The incident underscores the challenge Android users face when looking for useful apps. Google scanners are unable to catch everything, particularly when developers sneak malicious or unethical code into apps that have already passed initial inspections. The result: there’s no easy way to be sure an app is safe. This reality is disappointing, because Google has made real strides in securing more recent versions of Android.

One way to vet apps is to read reviews left by other users. Kaspersky Lab researchers said that negative feedback left over the past month “indicated the presence of unwanted features” in CamScanner. And of course, people should always scrutinize the permissions an app requires. Access to the microphone, camera, contacts, location data, or the phone app can often be telltale signs something is wrong, but not always. Often apps need this access for legitimate reasons. CamScanner, for instance, would obviously need access to the camera to work as advertised. Seeking out apps from known developers, when possible, can often be helpful.

Ultimately, the best strategy is to install only the apps that are truly useful and to uninstall apps that haven’t been used in a while. The practicality and effectiveness of this guidance is by no means ideal, but that’s unfortunately the current state of security for Android apps.