The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.


The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, up 5.4% year-over-year, while on-premises applications account for 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple (iOS) and Google (Android) both issued software updates patching critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, which the report associates with better security hygiene overall, as Chrome users tend to be on current browser versions.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

Avatier simplifies and secures IAM with release of iOS and Android mobile app platform

Avatier announced the release of Avatier for iOS and Android, a new mobile app platform that creates a collaborative, self-service approach to enterprise access without compromising security.

Avatier promises to simplify identity access management (IAM) by empowering organizations with greater control over enterprise access requests, compliance access certifications, single sign-on (SSO) to reduce SaaS license cost and self-service password management, all for a better value than buying individual point solutions.

Avatier’s new mobile experience is designed for the modern workforce, giving employees, customers, contractors and vendors a single mobile app that enables self-service business agility for time-sensitive security requests.

Now anyone in the company can be alerted on their mobile device to approve business requests to access data and assets. Change management for the entire business can run through Avatier’s new mobile workflow experience, reducing overhead for IGA, streamlining provisioning and ensuring security compliance.

The new mobile platform is secure and frictionless because Avatier’s password-less authentication automatically integrates with third-party multifactor authentication (MFA) solutions already deployed in most enterprises.

Avatier has MFA support for Duo Security, Google Authenticator, Okta Verify, Ping Identity, RADIUS, RSA SecurID, Symantec VIP and any FIDO2-compliant solution. Additionally, Avatier provides one-time passcode (OTP) support for SMS and email as well as biometric MFA solutions.

“IT staffs spend an inordinate amount of time managing user access requests and conducting access audits,” said Nelson Cicchitto, founder and CEO of Avatier.

“Research from HDI shows that 30 percent of help desk calls are for access requests at an average cost of 17 dollars per call. Avatier’s user experience changes the game with push notifications and a touch interface that can save companies millions of dollars by streamlining security controls and authorization while enabling their entire workforce to approve access immediately when needed.

“With Avatier’s mobile application support, CSOs, IT personnel, security and compliance teams save time and resources by simplifying identity management and truly enabling enterprise-wide self-service.”

Avatier’s mobile platform includes a complete set of self-service identity management solutions, including:

  • Universal workflow: For the first time, the workflow interface used for all business requests and change control is now also the same interface used to conduct certification campaigns and verify access. Push notifications call attention to urgent business requests that need to be approved or denied. All role, access, asset, change control and user management is controlled through Avatier’s Universal Workflow Platform. Access governance is part of workflow support, streamlining verification of granular access/assets, roles, direct reports, self-certification and native system security controls, including empowering attestors to allow, deny, allow exceptions, reassign the attestor, or return the item to the certification campaign owner.
  • Self-service group management: Enable self-service group membership requests with push notification for workflow approvals, including group creation, deletion, renaming and modifying group ownership.
  • User management: User access can be granted, disabled, or deleted either in real-time or as a scheduled task. As part of user management, Avatier Mobile makes it easy to manage data assets and software licenses to reallocate seats as needed.
  • Single sign-on: Onboard mobile and remote workers faster with Just-in-Time (JIT) cloud app user provisioning and de-provisioning, providing secure remote access to assets by simply adding users to your Active Directory groups. Avatier SSO supports leading industry standards such as SAML, OAuth, OpenID and SCIM for JIT provisioning.
  • Self-service password management: Eliminate help desk calls by giving users secure control over password reset and synchronization using leading MFA providers to verify identity. Avatier’s Password Policy Manager enforces enterprise password policy to maintain strong passwords across all systems.

Chrome 86 delivers more security features for mobile users

Google has released Chrome 86 for desktop and mobile, which comes with several new and improved security features for mobile users, including:

  • New password protections
  • Enhanced Safe Browsing
  • Easier password filling
  • Mixed form warnings and mixed downloads warnings/blocks

New password security features in Chrome 86

The Password Checkup feature started life as a Chrome extension, was then built into the Google Account password manager and into Chrome itself, and has now been enhanced with support for the “.well-known/change-password” URL, a specification from the W3C’s Web Incubator Community Group (WICG) that defines a well-known URL sites can use to make their change-password forms discoverable by tools (e.g., Chrome, or the latest version of Safari).


This change means that, after users have been alerted that one of their passwords has been compromised, Chrome can take them directly to the right “change password” form on the affected site. Hopefully, this will spur more users to act on the alert.
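The well-known URL mechanism described above, as an added example (this is not Chrome’s, Safari’s or Google’s code, and only approximates what a browser does with Python’s standard library). The block stands up two tiny local servers: one that implements the spec by redirecting /.well-known/change-password to its real form, and one whose router answers 200 to every path, the case the spec’s sanity probe exists to catch. The client side probes, follows only same-origin redirects, and returns the discovered path or None. The real form’s location (/account/security/password) is an assumption for the demo; the probe path is the one named in the specification.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin, urlparse

# Paths from the "A Well-Known URL for Changing Passwords" specification.
CHANGE_PASSWORD_PATH = "/.well-known/change-password"
# Sanity probe: a path that must NOT answer 200. Catch-all routers (e.g. single-page
# apps) answer 200 to anything and would otherwise look as if they support the URL.
PROBE_PATH = "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"

# Hypothetical location of the real form on the demo site (an assumption for this example).
REAL_FORM_PATH = "/account/security/password"


class GoodSiteHandler(BaseHTTPRequestHandler):
    """Site that implements the spec: redirect the well-known path, 404 elsewhere."""

    def do_GET(self):
        if self.path == CHANGE_PASSWORD_PATH:
            self.send_response(302)
            self.send_header("Location", REAL_FORM_PATH)
            self.end_headers()
        elif self.path == REAL_FORM_PATH:
            body = b"<form method=post><input name=pw autocomplete=new-password></form>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


class CatchAllHandler(GoodSiteHandler):
    """Site whose router answers 200 to every path, including the well-known one."""

    def do_GET(self):
        body = b"<html>generic landing page</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler_cls):
    """Start a local demo server on a free port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _get(host, port, path):
    """One GET without following redirects; returns (status, Location header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def discover_change_password(host, port, max_hops=5):
    """Client-side discovery, roughly as a browser would do it.

    Returns the same-origin path of the change-password page, or None when the
    site does not (reliably) support the well-known URL.
    """
    status, _ = _get(host, port, PROBE_PATH)
    if 200 <= status < 300:
        return None  # the site says 200 to anything, so its 200 for the well-known path means nothing

    origin = f"http://{host}:{port}"
    path = CHANGE_PASSWORD_PATH
    for _ in range(max_hops):
        status, location = _get(host, port, path)
        if status in (301, 302, 303, 307, 308) and location:
            target = urlparse(urljoin(origin + path, location))
            if target.netloc != f"{host}:{port}":
                return None  # refuse to send the user to another origin
            path = target.path
            continue
        return path if 200 <= status < 300 else None
    return None  # redirect loop


if __name__ == "__main__":
    for name, handler in (("spec-compliant site", GoodSiteHandler),
                          ("catch-all site", CatchAllHandler)):
        server, port = start_server(handler)
        print(f"{name}: {discover_change_password('127.0.0.1', port)}")
        server.shutdown()
        server.server_close()
```

For a site operator the whole integration is the first branch of GoodSiteHandler: a single redirect from the well-known path to wherever the real form lives. The same-origin check in the client matters because a compromised or misconfigured redirect would otherwise let the well-known URL steer a user who has just been told their password leaked onto an attacker-controlled page.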

Enhanced Safe Browsing is added to Chrome for Android

Enhanced Safe Browsing mode, which was first introduced in Chrome 83 (for desktop versions), allows users to get a more personalized protection against malicious sites.

“When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware, and other dangerous sites by sharing real-time data with Google’s Safe Browsing service. Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites,” noted AbdelKarim Mardini, Senior Product Manager, Chrome.

In addition to this, Safety Check – an option that allows users to scan their Chrome installation to check whether the browser is up to date, whether the Safe Browsing service is enabled, and whether any of the passwords the user uses have been compromised in a known breach – is now available to Chrome for Android and iOS.

Biometric authentication for autofilling of passwords on iOS

iOS users can finally take advantage of the convenient password autofill option that was made available a few months ago to Android users.

The option allows iOS users to authenticate using Face ID, Touch ID, or their phone passcode before their saved passwords are automatically filled into sites and iOS apps (the Chrome autofill option must be turned on in Settings).


Mixed form/download warnings

Mixed content, i.e., plain-HTTP resources loaded by an otherwise secure (HTTPS) page, is a danger to users: the HTTP parts can be read and tampered with on the network, and a form on an HTTPS page that submits to an HTTP endpoint sends whatever the user typed in cleartext.

Chrome 86 will warn users when they are about to submit information through a non-secure form embedded in an HTTPS page and when they are about to initiate insecure downloads over non-secure links.

For the moment, Chrome blocks downloads of executables and archive files initiated over non-secure links, but only shows a warning if the user tries to download document files, PDFs and multimedia files. The next few Chrome versions will block those as well.

Last but not least, Google has fixed 35 security issues in Chrome 86, including a critical use-after-free vulnerability in the payments component (CVE-2020-15967).

Google aims to improve security of browser engines, third-party Android devices and apps on Google Play

Google has announced two new security initiatives: one is aimed at helping bug hunters improve the security of various browsers’ JavaScript engines, the other at helping Android OEMs improve the security of the mobile devices they ship.


Fuzzing JavaScript engines

“JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome. Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input,” noted Project Zero’s Samuel Groß.

Researchers must also bear the cost of fuzzing up front, with no guarantee that their approach will discover any bugs or, if it does, that they will be rewarded for finding them. This deters many of them and, consequently, bugs stay unfixed and exploitable for longer.

That’s why Google is offering $5,000 research grants in the form of Google Compute Engine credits.

Interested researchers must submit a proposal with details about their intended approach and the awarded credits must be used for fuzzing JavaScript engines with the approach described in the proposal.

They can fuzz JavaScriptCore (Safari), V8 (Chrome, Edge) or SpiderMonkey (Firefox), and must report any vulnerabilities found to the affected vendor. They must also publicly report on their findings within six months of the grant being awarded.

Helping third parties in the Android ecosystem

The company is also set on improving the security of the Android ecosystem, and to that point it’s launching the Android Partner Vulnerability Initiative (APVI).

“Until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP (Android Open Source Project) code that are unique to a much smaller set of specific Android OEMs,” the company explained.

“The APVI […] covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins).”

Issues Google has already discovered, and those it finds in future, are disclosed through a dedicated bug tracker.

Simultaneously, the company is looking for a Security Engineering Manager in Android Security who will, among other things, lead a team that “will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers.”

85% of COVID-19 tracking apps leak data

71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data, according to Intertrust.


The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.

Cryptographic issues pose one of the most pervasive and serious threats, with 91% of the apps in the study failing one or more cryptographic tests. This means the encryption used in these medical apps can be easily broken by cybercriminals, potentially exposing confidential patient data, and enabling attackers to tamper with reported data, send illegitimate commands to connected medical devices, or otherwise use the application for malicious purposes.

Bringing medical apps security up to speed

The study’s overall findings suggest that the push to reshape care delivery under COVID-19 has often come at the expense of mobile application security.

“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do.” said Bill Horne, General Manager of the Secure Systems product group and CTO at Intertrust.

“The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.”

The report on healthcare and medical mobile apps is based on an audit of 100 iOS and Android applications from healthcare organizations worldwide. All 100 apps were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on the OWASP mobile app security guidelines.


Report highlights

  • 71% of tested medical apps have at least one high level security vulnerability. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
  • The vast majority of medical apps (91%) have mishandled and/or weak encryption that puts them at risk for data exposure and IP (intellectual property) theft.
  • 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
  • The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
  • When looking specifically at COVID-tracking apps, 85% leak data.
  • 83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.

Popular Android apps are rife with cryptographic vulnerabilities

Columbia University researchers have released Crylogger, an open source dynamic analysis tool that shows which Android apps feature cryptographic vulnerabilities.

They also used it to test 1,780 popular Android apps from the Google Play Store, and the results were abysmal:

  • All apps break at least one of the 26 crypto rules
  • 1,775 apps use an unsafe pseudorandom number generator (PRNG)
  • 1,764 apps use a broken hash function (SHA1, MD2, MD5, etc.)
  • 1,076 apps use the CBC operation mode (which is vulnerable to padding oracle attacks in client-server scenarios)
  • 820 apps use a static (hardcoded) symmetric encryption key


About Crylogger

Each tested app was run with an instrumented crypto library; Crylogger logs the parameters passed to the crypto APIs during execution and then checks them offline against a list of crypto rules.
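The offline rule check described above, as an added example that is not Crylogger’s code and does not use its log format or its full set of 26 rules. It parses a constructed key=value log of crypto API calls (one call per line, two runs of the same hypothetical app) and applies a handful of rules matching the findings the article lists: broken digests, ECB/CBC modes, java.util.Random as a randomness source, PBKDF2 iteration counts, short RSA keys, and static keys, IVs and salts. Staticness is detected here by comparing values across independent runs; the thresholds (1000 PBKDF2 iterations, 2048-bit RSA) are this example’s choices.

```python
import re
from collections import defaultdict

# Rule parameters. These are this example's choices, not Crylogger's rules.
BROKEN_DIGESTS = {"MD2", "MD4", "MD5", "SHA1", "SHA-1"}
MIN_PBKDF2_ITERATIONS = 1000   # floor recommended by NIST SP 800-132
MIN_RSA_BITS = 2048

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse 'key=value' records, one crypto-API call per line (constructed format)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = {k: v.strip('"') for k, v in _KV.findall(line)}
        if "api" in rec:
            records.append(rec)
    return records


def check_crypto_log(text):
    """Return a sorted, de-duplicated list of (rule, detail) violations."""
    findings = set()
    # (kind, value) -> run ids it was seen in. A key, IV or salt that is identical
    # across independent runs is static (hardcoded or derived from a constant).
    runs_by_value = defaultdict(set)

    for rec in parse_log(text):
        api, run = rec["api"], rec.get("run", "?")
        if api == "MessageDigest.getInstance":
            if rec.get("alg", "").upper() in BROKEN_DIGESTS:
                findings.add(("broken_hash", rec["alg"]))
        elif api == "Cipher.getInstance":
            transformation = rec.get("transformation", "")
            parts = transformation.upper().split("/")
            # Java providers treat a bare "AES" as AES/ECB/PKCS5Padding.
            mode = parts[1] if len(parts) > 1 else "ECB"
            if mode == "ECB":
                findings.add(("ecb_mode", transformation))
            elif mode == "CBC":
                findings.add(("cbc_mode", transformation))
        elif api.startswith("Random.") and rec.get("source") == "java.util.Random":
            findings.add(("unsafe_prng", api))
        elif api == "SecretKeySpec":
            runs_by_value[("key", rec.get("key", ""))].add(run)
        elif api == "IvParameterSpec":
            iv = rec.get("iv", "")
            if iv and set(iv) == {"0"}:
                findings.add(("zero_iv", iv))
            runs_by_value[("iv", iv)].add(run)
        elif api == "PBEKeySpec":
            if int(rec.get("iterations", "0")) < MIN_PBKDF2_ITERATIONS:
                findings.add(("few_iterations", rec.get("iterations", "0")))
            runs_by_value[("salt", rec.get("salt", ""))].add(run)
        elif api == "KeyPairGenerator.initialize":
            if rec.get("alg") == "RSA" and int(rec.get("bits", "0")) < MIN_RSA_BITS:
                findings.add(("short_rsa_key", rec.get("bits", "0")))

    for (kind, value), runs in runs_by_value.items():
        if len(runs) > 1:
            shown = value[:16] + "..." if len(value) > 16 else value
            findings.add((f"static_{kind}", shown))
    return sorted(findings)


# Constructed sample logs: two executions of the same hypothetical app each.
VULNERABLE_LOG = """
run=1 api=MessageDigest.getInstance alg=MD5
run=1 api=Cipher.getInstance transformation=AES/CBC/PKCS5Padding
run=1 api=SecretKeySpec alg=AES key=6c6f6e67737461746963686172646b6579
run=1 api=IvParameterSpec iv=00000000000000000000000000000000
run=1 api=Random.nextBytes source=java.util.Random
run=1 api=PBEKeySpec iterations=100 salt=73616c74
run=1 api=KeyPairGenerator.initialize alg=RSA bits=1024
run=2 api=MessageDigest.getInstance alg=MD5
run=2 api=Cipher.getInstance transformation=AES/CBC/PKCS5Padding
run=2 api=SecretKeySpec alg=AES key=6c6f6e67737461746963686172646b6579
run=2 api=IvParameterSpec iv=00000000000000000000000000000000
run=2 api=Random.nextBytes source=java.util.Random
run=2 api=PBEKeySpec iterations=100 salt=73616c74
"""

CLEAN_LOG = """
run=1 api=MessageDigest.getInstance alg=SHA-256
run=1 api=Cipher.getInstance transformation=AES/GCM/NoPadding
run=1 api=SecretKeySpec alg=AES key=3f9a0c77e2b14d8866a1c0de5b7f2e91
run=1 api=Random.nextBytes source=java.security.SecureRandom
run=1 api=KeyPairGenerator.initialize alg=RSA bits=3072
run=2 api=Cipher.getInstance transformation=AES/GCM/NoPadding
run=2 api=SecretKeySpec alg=AES key=a05e4c1d9b3e7f20c6d4a8e15f7b9c03
run=2 api=Random.nextBytes source=java.security.SecureRandom
"""

if __name__ == "__main__":
    for rule, detail in check_crypto_log(VULNERABLE_LOG):
        print(f"{rule:16} {detail}")
    print("clean log:", check_crypto_log(CLEAN_LOG))
```

The cross-run comparison is what makes a dynamic check worthwhile here: a static analyzer sees a key argument but often cannot tell whether it is a constant, while two executions that pass byte-identical key, IV or salt values give the answer directly. The same comparison produces no finding for the clean log, where keys differ per run and GCM replaces CBC.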


“Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality,” the researchers explained.

“A crypto misuse is an invocation to a crypto API that does not respect common security guidelines, such as those suggested by cryptographers or organizations like NIST and IETF.”

To confirm that the cryptographic vulnerabilities flagged by Crylogger can actually be exploited, the researchers manually reverse-engineered 28 of the tested apps and found that 14 of them are vulnerable to attacks (even though some issues may be considered out-of-scope by developers because they require privilege escalation for effective exploitation).

Recommended use

Comparing the results of Crylogger (a dynamic analysis tool) with those of CryptoGuard (an open source static analysis tool for detecting crypto misuses in Java-based applications) when testing 150 apps, the researchers found that the former flags some issues that the latter misses, and vice versa.

The best thing for developers would be to test their applications with both before they offer them for download, the researchers noted. Also, Crylogger can be used to check apps submitted to app stores.

“Using a dynamic tool on a large number of apps is hard, but Crylogger can refine the misuses identified with static analysis because, typically, many of them are false positives that cannot be discarded manually on such a large number of apps,” they concluded.

Worrying findings

As noted at the beginning of this piece, too many apps break too many cryptographic rules. What’s more, too many app and library developers are choosing to effectively ignore these problems.

The researchers emailed 306 developers of Android apps that violate 9 or more of the crypto rules: only 18 developers answered back, and only 8 of them continued to communicate after that first email and provided useful feedback on their findings. They also contacted 6 developers of popular Android libraries and received answers from 2 of them.

The researchers chose not to reveal the names of the vulnerable apps and libraries because they fear that information would benefit attackers, but they shared enough to show that these issues affect all types of apps: from media streaming and newspaper apps, to file and password managers, authentication apps, messaging apps, and so on.

20,000+ new vulnerability reports predicted for 2020, shattering previous records

Over 9,000 new vulnerabilities have been reported in the first six months of 2020, and we are on track to see more than 20,000 new vulnerability reports this year — a new record, Skybox Security reveals.


Reshaping the way that people work

  • 50% increase in mobile vulnerabilities highlights dangers of blurring line between corporate and personal networks
  • Ransomware thrives during COVID-19 pandemic, with new samples increasing by 72%
  • Attacks on critical infrastructure, including healthcare companies and research labs, have added to chaos

“The global COVID-19 pandemic has completely reshaped the way that organizations and their employees work,” said Ron Davidson, VP of R&D and CTO for Skybox Security.

“With the majority of the workforce now working remotely, the network perimeter has significantly widened – securing this perimeter now needs to be a top strategic priority. Organizations need to be able to identify the flaws that sit within both personal and professional devices.

“They also need to be able to model their expanded network so that they can understand all potential attack vectors. If they do not have these capabilities, then they will not be able to manage the mass of 20,000 new vulnerabilities, leaving them vulnerable to attack; something that they cannot afford at a time of global financial uncertainty.”

Increase of ransomware’s popularity

Also notable in the report is the increase of ransomware’s popularity, with the number of new samples rising by 72% over the first half of the year.

Sivan Nir, Threat Intelligence Team Leader for Skybox Security, commented on this rise. “We observed 77 ransomware campaigns during the first few months of the pandemic – including several on mission-critical research labs and healthcare companies.

“The focus and the capability of attackers is clear: they have the means to impart serious financial and reputational harm on organizations. The need for focused remediation strategies that are informed by full network visibility and contextual, data-rich intelligence has never been more pressing.”


Increase in mobile vulnerabilities

The report further reveals that the volume of mobile vulnerabilities increased by 50 percent. The increase is driven entirely by new Android vulnerabilities (up 110 percent, from 230 last year to 484 this year), while the number of new iOS vulnerabilities dropped by 23 percent, from 152 to 117.

In previous years such an increase might not have concerned security leaders, but now that the COVID-19 pandemic has blurred the line between corporate and domestic spaces, it underlines the importance of securing all possible access points.

In order to weather the pandemic and the resulting new threat landscape, organizations need to incorporate accurate, up-to-date threat intelligence into their vulnerability management strategy.

Microsoft releases Defender ATP for Android and Linux

Microsoft has added support for Linux and Android to Microsoft Defender ATP, its unified enterprise endpoint security platform.

Microsoft Defender Advanced Threat Protection is designed to help enterprises prevent, detect, investigate, and respond to advanced cyber threats on company endpoints from one central point.

Microsoft Defender ATP for Linux

Microsoft Defender ATP initially protected only Windows devices (it was called Windows Defender ATP at the time); protection was extended to macOS devices in mid-2019.


“Adding Linux into the existing selection of natively supported platforms by Microsoft Defender ATP marks an important moment for all our customers. It makes Microsoft Defender Security Center a truly unified surface for monitoring and managing security of the full spectrum of desktop and server platforms that are common across enterprise environments (Windows, Windows Server, macOS, and Linux),” noted Helen Allas, a principal program manager at Microsoft.

Microsoft Defender ATP for Linux supports the most recent versions of CentOS Linux, Debian, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES) and Ubuntu.

“This initial release delivers strong preventive capabilities, a full command line experience on the client to configure and manage the agent, initiate scans, manage threats, and a familiar integrated experience for machines and alert monitoring in the Microsoft Defender Security Center,” Allas explained.

Microsoft Defender ATP for Linux requires the Microsoft Defender ATP for Servers license and can be deployed and configured using the Puppet or Ansible configuration management tool or the organization’s existing Linux configuration management tool.

Further requirements and details about deployment and use are available in Microsoft’s documentation for Defender ATP for Linux.

Microsoft Defender ATP for Android

Microsoft has also announced on Tuesday the public preview of Defender ATP for Android.

Microsoft Defender ATP for Android will automatically block access to unsafe/phishing websites from SMS/text, WhatsApp, email, browsers, and other apps, as well as block unsafe network connections that apps might make on the user’s behalf.


Users will be informed about it and asked if they want to proceed, report the block, or dismiss the notification.

Microsoft Defender ATP for Android is also capable of detecting malicious apps, potentially unwanted applications and malicious files on the protected device.

“Additional layers of protection against malicious access to sensitive corporate information is offered by integrating with Microsoft Endpoint Manager, which includes both Microsoft Intune and Configuration Manager,” explained Kanishka Srivastava, a senior program manager at Microsoft.

“For example, a compromised device would be blocked from accessing Outlook email. When Microsoft Defender ATP for Android finds that a device has malicious apps installed, it will classify the device as ‘high risk’ and will flag it in the Microsoft Defender Security Center. Microsoft Intune uses the device’s risk level in conjunction with pre-defined compliance policies to activate Conditional Access rules that block access to corporate assets from the high risk device. (…) Once the malicious app is uninstalled, access to corporate assets is restored automatically for the mobile device.”

Enterprise admins will be able to see the alerts, threats and activities in the Microsoft Defender Security Center and make appropriate decisions.

Srivastava added that more capabilities for Android will be rolled out in the coming months and that Microsoft Defender ATP for iOS will be released later this year.

Most COVID-19 contact-tracing apps are not adequately secured

Security researchers have analyzed contact-tracing mobile apps from around the globe and found that their developers have generally failed to implement suitable security and privacy protections.

The results of the analysis

In an effort to stem the spread of COVID-19, governments are aiming to provide their citizenry with contact-tracing mobile apps. But, whether they are built by a government entity or by third-party developers contracted to do the job, security has largely taken a backseat to speed.

Guardsquare researchers have unpacked and decompiled 17 Android contact-tracing apps from 17 countries to see whether developers implement name obfuscation, string, asset/resource and class encryption. They’ve also checked to see whether the apps will run on rooted devices or emulators (virtual devices).

The results?

  • Only 41% of the apps have root detection
  • Only 41% include some level of name obfuscation
  • Only 29% include string encryption
  • Only 18% include emulator detection
  • Only 6% include asset / resource encryption
  • Only 6% include class encryption.


The percentages vary by region. Grant Goodes, Chief Scientist at Guardsquare, noted that they have not checked every existing contact-tracing app, but that the sample they did test “provides a window into the security flaws most contact tracing apps contain.”

Security promotes trust

The looked-for protections should make it difficult for malicious actors to tamper with and “trojanize” the legitimate apps.

Name obfuscation, for example, replaces meaningful identifiers in the application’s code to make reverse engineering and analysis harder. String encryption makes it harder to extract API keys and cryptographic keys embedded in the app, which attackers could use to decrypt sensitive data (for identity theft, blackmail and other purposes) or to spoof communications to the server (to disrupt the contact-tracing service). Both are hardening measures that raise the cost of extraction rather than prevent it: a secret that ships inside the app can still be recovered by a determined attacker with a debugger, so keys should not be embedded in the client where the design allows an alternative.

Asset/resource encryption should prevent hackers from accessing/reusing files that the Android OS uses to render the look and feel of the application (e.g., screen-layouts, internationalized messages, etc.) and custom/low-level files that the application may need for its own purposes.

These security and privacy protections are important for every mobile app, not just contact-tracing apps, Goodes noted, but they are particularly salient for the latter, since some of them are mandatory for citizens to use and since their efficacy hinges on widespread adoption.

“When security flaws are publicized, the whole app is suddenly distrusted and its utility wanes as users drop off. In the case of countries who build their own apps, this can erode citizen trust in the government as well, which further increases public health risks,” he added.

Google fixes Android flaws that allow code execution with high system rights


Google has shipped security patches for dozens of vulnerabilities in its Android mobile operating system, two of which could allow hackers to remotely execute malicious code with extremely high system rights.

In some cases, the malware could run with highly elevated privileges, a possibility that raises the severity of the bugs. That’s because the bugs, located in the Android System component, could enable a specially crafted transmission to execute arbitrary code within the context of a privileged process. In all, Google released patches for at least 34 security flaws, although some of the vulnerabilities affect only devices built on Qualcomm components.

Anyone with a mobile device should check to see if fixes are available for their device. Methods differ by device model, but one common method involves either checking the notification screen or clicking Settings > Security > Security update. Unfortunately, patches aren’t available for many devices.

Two vulnerabilities ranked as critical in Google’s June security bulletin are indexed as CVE-2020-0117 and CVE-2020-8597. They’re among four flaws in the Android System component (the other two are rated high). The critical vulnerabilities affect Android versions 8.0 through 10, the current release at the time of the bulletin.

“These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files,” an advisory from the Department of Homeland Security-funded Multi-State-Information Sharing and Analysis Center said. “Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Vulnerabilities with a severity rating of high affected the Android media framework, the Android framework, and the Android kernel. Other vulnerabilities were contained in components shipped in devices from Qualcomm. The two Qualcomm-specific critical flaws reside in closed-source components; the remaining Qualcomm flaws were rated high.

StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft

Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data.


Dubbed StrandHogg 2.0 because it’s similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news, though, is that there is no indication it is being actively used by attackers.

About StrandHogg 2.0 (CVE-2020-0096)

Like StrandHogg before it, CVE-2020-0096:

  • Doesn’t need the target device to be rooted and doesn’t require any specific permissions
  • Allows hackers to hijack nearly any app, i.e., to insert an overlay when the app is opened. The overlay takes the form of a login screen, a request for permissions, etc.

Unlike StrandHogg, StrandHogg 2.0:

  • Can attack nearly any app on a given device simultaneously at the touch of a button (and not just one app at a time)
  • Is more difficult to detect because of its code-based execution.

“The key difference between StrandHogg (1.0), and StrandHogg 2.0 is that the former uses an attribute called taskAffinity to achieve the task hijacking,” Promon researchers explained.

“For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext. While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”

StrandHogg 2.0 uses a different method for task hijacking that leaves no markers. Also, hackers can use obfuscation and reflection to make static analysis of the malicious app difficult.

Promon researcher John Høegh-Omdal says that malware that exploits StrandHogg 2.0 will be harder for anti-virus and security scanners to detect.

Who’s affected and what to do?

According to Promon’s research, the vulnerability affects all Android versions below Android 10 (with the caveat that early versions, below 4.0.1, have not been tested). Google released a patch to Android ecosystem partners in April 2020 and a public fix for Android versions 8.0, 8.1, and 9 in May 2020.

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” says Tom Lysemose Hansen, CTO and founder of Promon.

As with StrandHogg, users are advised to be wary of permission pop-ups that don’t contain an app name and apps that they have already logged into asking for login credentials.

“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild,” Hansen advises.

These measures include setting all of the app’s public activities to launchMode="singleTask" or launchMode="singleInstance" in AndroidManifest.xml.

APT attacks targeting Linux, Windows and Android remained undetected for nearly a decade

Five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and mobile devices running Android while remaining undetected for nearly a decade, according to BlackBerry.

The report provides further insight into pervasive economic espionage operations targeting intellectual property, a subject that the Department of Justice recently said is the focus of more than 1000 open investigations in all of the 56 FBI field offices.

Most large organizations rely on Linux

The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks.

While the majority of the workforce has left the office as part of containment efforts in response to the COVID-19 outbreak, intellectual property remains in enterprise data centers, most of which run on Linux.

Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).

Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. The report examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.

“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry.

“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”

APT groups: Other key findings

The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.

The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.

The research identifies two new examples of Android malware, continuing a trend seen in a previous report which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.

One of the Android malware samples very closely resembles the code in a commercially available penetration testing tool, yet the malware is shown to have been created nearly two years before the commercial tool was first made available for purchase.

The report examines several new variants of well-known malware that are getting past network defenders through the use of code-signing certificates for adware, a tactic that the attackers hope will increase infection rates as AV red flags are dismissed as just another blip in a constant stream of adware alerts.

The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control and data exfiltration communications which appear to be trusted network traffic.

Avast Secure Browser for Android released, includes a built-in VPN

Avast has released an Android version of Avast Secure Browser to extend its platform support beyond Windows and Mac on desktop to mobile.

Avast Secure Browser for Android

Avast Secure Browser for Android was developed following Avast’s 2019 acquisition of Tenta, a private browser backed by Blockchain pioneers ConsenSys, and has been built from the ground up by privacy and cybersecurity engineers focused on total encryption.

At its core is strong encryption including AES-256, ChaCha 256-bit, and the latest TLS/SSL cryptographic protocols for the data transport layer. To ensure that user DNS requests are kept private and secure, Avast Secure Browser for Android supports multiple DNS options straight out of the box, such as DNS over TLS, DNSSEC and decentralized DNS support.

Security and privacy features

Additional built-in security and privacy features available with Avast Secure Browser for Android include:

  • A VPN that encrypts all inbound and outbound connections to the VPN location
  • A user PIN code for device access that is never stored on any server nor on the device itself
  • Anti-tracking technologies used to prevent websites, advertisers and other web services from tracking online activity
  • Adblock integration to improve website load time
  • An encrypted media vault.

“Our goal is to be the first all-in-one browser to secure our users’ privacy along with a frictionless secure browsing experience. Adding support for mobile is another milestone in our journey towards this long-term goal,” said Scott Curtiss, VP and General Manager of Avast Secure Browser.

Mobile threats increase

In early March, Avast Threat Lab researchers found that the increasing use of mobile devices around the globe is fueling the growth of mobile-related malware. To date, 131 COVID-19 related apps have been detected as malicious through Avast’s platform as cybercriminals look to exploit the pandemic using social engineering tactics.

According to statistics gathered by the Avast researchers between October and December 2019, adware (software that hijacks user devices to spam them with malicious ads) is responsible for 72% of mobile malware, with the remaining 28% of threats linked to banking trojans, fake apps, lockers and downloaders.

“There is still a perception among many consumers that on mobile, internet and browser-based threats do not exist,” said Curtiss. “This is not the case. Mobile is a lucrative platform for cybercriminals because of its majority market share versus desktop and higher levels of internet traffic. In the past 12 months, we’ve seen adware rise by 38% on Android.”

Later this year, the mobile version of Avast Secure Browser will be made available on iOS. Avast Secure Browser is currently compatible with Windows 10, 8 and 7, Android and macOS.

Google Advanced Protection users get new protections against Android malware

Google has announced the rollout of two new non-negotiable security features for Android users who have also enrolled in the company’s Advanced Protection Program (APP).

What is the Advanced Protection Program?

In late 2017, Google decided to provide additional security for those who are at an elevated risk of targeted attacks – e.g., journalists, human rights and civil society activists, campaign staffers, people in abusive relationships, etc. – and are willing to trade off a bit of convenience for more protection.

Initially offered only for consumer/personal Google accounts, in 2019 the program was made available for G Suite accounts, so that high-risk employees such as IT admins, executives, and employees in regulated or high-risk verticals such as finance or government can better secure their email accounts.

Users who enroll must use a physical security key (or their Android, iPhone or iPad device) to gain access to their account, are not able to use untrusted third-party apps that require access to their email account, must go through a stricter account recovery process, get additional download protections from Google Safe Browsing (when signed into Google Chrome with the same identity), and have enhanced email scanning for threats on their accounts.

The new Google Advanced Protection security features

On Wednesday, Google said that the company is now automatically turning Google Play Protect on for all devices with a Google Account enrolled in Advanced Protection and will require that it remain enabled.

Google Play Protect is a security suite for Android devices that scans and verifies apps users want to download or have downloaded from Google Play and third-party app stores, periodically scans the device for potentially malicious apps, and more.

Google will now also start blocking most apps that come from third-party app stores from being installed on any devices with a Google Account enrolled in Advanced Protection.

“You can still install non-Play apps through app stores that were pre-installed by the device manufacturer and through Android Debug Bridge. Any apps that you’ve already installed from sources outside of Google Play will not be removed and can still be updated,” explained Roman Kirillov, Engineering Manager, Android Security and Privacy.

“G Suite users enrolled in the Advanced Protection Program will not get these new Android protections for now; however, equivalent protections are available as part of endpoint management.”

Fake Covid-19 tracker app delivers ransomware, disinformation abounds

As Covid-19 spreads across the globe and countries do their best to slow down the infection rate, cybercriminals’ onslaught against worried users is getting more intense by the day. The latest scheme involves a malicious Android tracker app that supposedly allows users to keep an eye on the spread of the virus, but locks victims’ phones and demands money to unlock them.

Also, as many have already discovered, the spread of potentially very dangerous disinformation is reaching massive proportions.

Ransomware disguised as Fake Covid-19 tracker app

The DomainTools security research team is warning about a malicious domain it discovered (coronavirusapp[.]site) distributing a fake Coronavirus outbreak tracker app (Covid 19 Tracker), which purportedly provides users with tracking and statistical information about Covid-19 and heatmap visuals.

Once downloaded and run, the app locks the screen of the device and shows a ransom note claiming that the phone has been encrypted and that all the contents (contacts, pictures, videos, etc.) will be erased if the victim does not pay $100 in Bitcoin in the next 48 hours.

“Since Android Nougat has rolled out, there is protection in place against this type of attack. However, it only works if you have set a password. If you haven’t set a password on your phone to unlock the screen, you’re still vulnerable to the CovidLock ransomware,” the researchers noted.

But there is good news for those who fell for the trick: the researchers have reverse engineered the decryption key and will make it public (check the update at the end of this item).

This is not the first time that cybercriminals have taken advantage of the public’s demand for Covid-19 information in the helpful form of a global map: earlier this month Malwarebytes researchers warned about a site that delivers information-stealing malware while purportedly showing users updated coronavirus cases on a global map.

Battling disinformation

Many cybersecurity companies have detected a considerable increase of coronavirus-related domains registered globally, some of which are bound to be used for phishing, malware delivery, snake oil peddling and disinformation.

The latter has become quite a problem, as fake news spreads fast through social networks.

Users are urged to check the source of each piece of information they receive and to get their information directly from official sources like the World Health Organization, which is, by the way, actively fighting the “infodemic” of fake coronavirus-themed news online.

For those who really want to see the spreading of Covid-19 in a map format, Microsoft created a web portal for tracking infections across the globe, which is based on official sources.

UPDATE (March 16, 2020, 8:35 a.m. PT):

DomainTools has published an in-depth analysis of the fake Covid 19 Tracker app (i.e., the CovidLock malware), as well as the decryption key victims can use to unlock their device/decrypt its contents: 4865083501.

“CovidLock’s author did not bother implementing any type of obfuscation of the key in the application’s source code. While it’s easy to write about how this is not sophisticated from a malware development standpoint, it’s important to note that CovidLock is still effective at its lock-screen attack,” they noted.

Mac threats are growing faster than their Windows counterparts

Mac threats are growing faster than their Windows counterparts for the first time ever, with nearly twice as many Mac threats detected per endpoint as Windows threats, according to Malwarebytes.

In addition, cybercriminals continue to focus on business targets with a diversification of threat types and attack strategies in 2019.

Emotet and TrickBot were back in 2019

Trojan-turned-botnets Emotet and TrickBot made a return in 2019 to target organizations alongside new ransomware families, such as Ryuk, Sodinokibi and Phobos.

In addition, a wave of new hack tools and registry key disablers made a splashy debut, reflecting greater sophistication used by today’s business-focused attackers.

Threat actors are becoming more creative

Adware was particularly problematic for consumers and businesses on Windows, Mac and Android devices, deploying aggressive techniques for serving up advertisements, hijacking browsers, redirecting web traffic and proving extremely difficult to uninstall.

“A rise in pre-installed malware, adware and multi-vector attacks signals that threat actors are becoming more creative and increasingly persistent with their campaigns,” said Marcin Kleczynski, CEO of Malwarebytes.

“It is imperative that, as an industry, we continue to raise the bar in defending against these sophisticated attacks, actively protecting both users and businesses by flagging and blocking all programs that may violate their privacy, infect their devices, or even turn the infrastructure they depend on against them.”

Mac threats are growing, other threats in the spotlight

Mac threats significantly ramp up – An average of 11 threats per Mac endpoint were detected in 2019—nearly double the average of 5.8 threats per endpoint on Windows. Overall Mac threats increased by more than 400 percent, year-over-year.

Business detections continued to rise – In 2019, global business threats rose 13 percent to about 9.6 million detections.

HackTools triumph – With consumer detections of HackTools up 42 percent, this is a threat to watch in 2020, bolstered by families such as MimiKatz, which also targeted businesses.

Dynamic duo does damage – TrickBot and Emotet once again reigned globally, targeting businesses heavily in the last year. Emotet was second-most detected threat against businesses in 2019.

Meanwhile, TrickBot saw enormous growth, with business detections on-the-rise by 52 percent, year-over-year.

Ransomware is rampant – Ransomware targeted cities, schools and healthcare organizations with increased vigor in 2019. Newer ransomware families saw the highest growth, with Ryuk business detections up by 543 percent, year-over-year, and Sodinokibi increasing by 820 percent since its introduction in May 2019.

Beware of adware – Adware increased 13 percent, year-over-year, for consumers and 463 percent for businesses. Seven of the 10 top consumer threat families were adware variants, as well as five of the top 10 business threat families.

Pre-installed malware became pervasive – The top-rated mobile threat in 2019 was a group of pre-installed potentially unwanted program (PUP) variants that combined for 321,103 detections.

These auto installers ship with Android devices and are used to update the phone’s firmware—but they also take and sell personal information.

Just keep skimming – Credit card skimmers, or Magecart, were one of the most prevalent web threats in 2019. Magecart activity will continue in 2020 with more e-commerce platforms targeted.

Key targets shift – The services sector leapfrogged over education and retail, snagging the top spot for industries impacted by threats in 2019. Notably this includes managed service providers (MSPs), which are being leveraged to take advantage of their network of clients.

93% of attempted mobile transactions in 2019 were fraudulent

93 percent of total mobile transactions in 20 countries were blocked as fraudulent in 2019 according to a report on the state of malware and mobile ad fraud released by Upstream.

The number of malicious apps discovered in 2019 rose to 98,000, up from 63K in 2018. These 98,000 malicious apps had infected 43 million Android devices.

Android is the most vulnerable OS

With Android devices now accounting for an estimated 75-85% of all smartphone sales worldwide, Android is by far the most dominant mobile OS. At the same time it is the most vulnerable due to its open nature, making it a favorite playground for fraudsters.

While it is always a good rule of thumb for consumers to only download mobile applications from Google’s official storefront, Google Play, thanks to its scale and set up, rogue apps are still getting through its defenses.

Of the top 100 most active malicious apps that were blocked in 2019, 32 percent are reported still available to download on Google Play. A further 19 percent of the worst-offending apps were previously on Google Play but have since been removed, while the remaining 49 percent are available through third-party app stores.

Fraudulent mobile transactions: Most targeted apps

Fraudsters appear to target some app categories more than others. Ironically, apps designed to make a device function better and make everyday life easier are the ones most likely to be harmful with 22.32 percent of malicious apps for 2019 falling under the Tools / Personalization / Productivity category globally.

The next most popular categories cybercriminals target are Games (18.97 percent) and Entertainment/Shopping (15.76 percent).

Indicating scale, in the course of only a few months in 2019, Secure-D reported on the suspicious background activity of five very popular Android apps: 4shared, a popular file-sharing app, Vidmate, a video downloader, Weather Forecast a preinstalled app on Alcatel devices, Snaptube, another video and audio app, and ai.type, an on-screen keyboard app.

With a total of nearly 700 million downloads, these were or had been at some point available on Google Play. In these five cases alone, 353 million suspicious mobile transactions were detected and blocked preventing $430 million in fraudulent charges.

“Mobile ad fraud is a criminal enterprise on a massive scale. Though it may seem that it is only targeted at advertisers, it greatly affects the whole mobile ecosystem. Most importantly it adversely impacts consumers; eating up their data allowance, bringing unwanted charges, messing with the performance of their device, and even targeting and collecting their personal data,” said Dimitris Maniatis, CEO of Upstream.

“It is more than an invisible threat, it is an epidemic, calling for increased mobile security that urgently needs to rise up in the industry’s priority list. Left unchecked, ad fraud will choke mobile advertising, erode trust in operators and lead to higher tariffs for users.”

The effects of mobile ad fraud are particularly damaging in emerging markets, where data costs are significantly higher. As evidenced by detailed data presented from five such markets, including Brazil and South Africa, fraud rates in most cases exceed the 90% mark.

Consumers in emerging markets more vulnerable to digital fraud

As the report highlights, consumers in emerging markets are more vulnerable to digital fraud: they are unaware of the dangers, as they often go online for the first time via their mobile devices, and data depletion caused by malware has a much greater effect on them due to the high cost of data in their countries.

In Africa 1 GB of data costs prepaid mobile subscribers the equivalent of 16 hours of work at minimum wage.

“A key part of successfully tackling mobile fraud is awareness”, explains Maniatis, “something that the whole industry, surprisingly, lacks. With all indicators pointing that its value will grow in the hundreds of billions in the next three years, we cannot afford to remain idle. This is the main reason we steadily and openly share all our findings with the whole community.”

“Mobile ad fraud remains a hidden threat for most consumers. It usually goes undetected and is not high on people’s agendas when choosing apps. However, as the industry delays its response, consumers should take steps to stay safe from mobile ad fraud in 2020.”

App on Google Play exploited Android bug to deliver spyware

Google has pulled three malicious apps from Google Play, one of which exploits a recently patched kernel privilege escalation bug in Android (CVE-2019-2215) to install the app aimed at spying on users.

About CVE-2019-2215

The existence of CVE-2019-2215 was discovered in late 2019 when it was spotted being exploited in the wild.

Researchers with Google’s Threat Analysis Group and other external parties believe that the exploit originated with NSO Group, an Israel-based company that specializes in lawful surveillance software and whose Pegasus mobile spyware is abused by oppressive regimes to spy on “enemies”.

At the time, the Android team considered the bug to be of high severity and pointed out that a malicious application has to be installed on the target device to perform the exploit.

About the newly discovered malicious apps

Trend Micro researchers discovered three malicious apps on Google Play:

  • Camero – disguised as a photo app
  • FileCrypt Manager – disguised as a file manager app
  • callCam – disguised as a camera calling app.

The first two acted as a dropper for the third one, which would perform the actual spying.

The Camero app would download a DEX file from a C&C, which would then download the callCam APK file and use the CVE-2019-2215 exploit to root the device, install the app and launch it without any user interaction or the user’s knowledge.

“This approach (…) only works on Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices,” the researchers noted.

The FileCrypt Manager app would ask users to enable Android Accessibility Services and, if they did, would install and launch the callCam app.

The app callCam hides its icon after being launched, so users wouldn’t notice it.

It collects, encrypts, and sends back to the C&C server information such as:

  • Location
  • Battery status
  • Files on device
  • Installed app list
  • Device information
  • Sensor information
  • Camera information
  • Screenshot
  • Account
  • Wifi information
  • Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

Apps used by state-sponsored APT?

State-sponsored hackers occasionally take advantage of Google Play to deliver malicious apps to their targets.

This latest malicious trio has been tied to SideWinder, a threat actor group that has been known to target Pakistani military targets in the past, as they connect to C&C servers that are suspected to be part of SideWinder’s infrastructure.

A patch for CVE-2019-2215 was provided by Google soon after the flaw was first spotted being exploited, but it’s unlikely that it has been disseminated to all Android users out there.

As always, users are advised to be careful about the apps they install on their devices. Google Play may host a far smaller number of malicious apps than a random third-party app marketplace, but the threat, however small, persists.

Crooks are exploiting unpatched Android flaw to drain users’ bank accounts

Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned.

“Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company [Wultra] for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts. At the time, this was covered (but not explained), in the Czech media. Promon’s partner gave Promon a sample of the suspected malware to investigate,” Promon researchers explained.

All versions of Android are affected and all of the top 500 most popular Android apps are at risk, they found.

“StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted. To carry out attacks, the attacker doesn’t need any special permissions on the device. The vulnerability also allows an attacker to masquerade as nearly any app in a highly believable manner,” they noted.

About the StrandHogg vulnerability

StrandHogg allows attackers to show to users fake login screens and ask for all types of permissions that may ultimately allow them to:

  • Read and send SMS messages (including those delivering second authentication factors)
  • Phish login credentials
  • Make and record phone conversations
  • Listen to the user through the microphone
  • Take photos through the device’s camera
  • Get access to photos, files on the device, location and GPS information, the contacts list, phone logs, etc.

“StrandHogg (…) uses a weakness in the multitasking system of Android to enact powerful attacks that allows malicious apps to masquerade as any other app on the device. This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire,” the researchers explained.

Malware taking advantage of this vulnerability springs into action when the victim clicks the app icon of a legitimate app.

“The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected,” noted Promon CTO Tom Lysemose Hansen.

What can users do?

Mobile security company Lookout has identified 36 malicious apps exploiting the StrandHogg vulnerability, and among them were variants of the BankBot banking trojan.

Malware using the StrandHogg flaw was not found on Google Play but was installed on target devices through several dropper apps/hostile downloaders distributed through Google Play.

These particular apps have been removed by Google, but dropper apps often bypass Google Play’s protections and trick users into downloading them by pretending to have the functionality of popular apps.

Despite Penn State University researchers theoretically describing certain aspects of the StrandHogg vulnerability in 2015 and Promon notifying Google of their discovery this summer, Google has yet to plug the security hole, but they said they are investigating ways to improve Google Play Protect’s ability to protect users against similar issues.

Promon researchers say that it’s difficult for app makers to detect if attackers are exploiting StrandHogg against their own app(s), but that the risk can be partly mitigated by setting the task affinity of all activities to "" (empty string) in the application tag of AndroidManifest.xml.
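The two manifest settings the researchers recommend for StrandHogg (the empty taskAffinity above) and StrandHogg 2.0 (launchMode="singleTask" or "singleInstance" on every public activity, in the earlier item) are easy to miss in a large app, so a check in the build pipeline is useful. The script below is an added example, not Promon’s or Google’s code: it lints an AndroidManifest.xml for both settings and reports what is missing. The two manifests embedded in it are constructed for the example, and it assumes the pre-Android 12 rule that an activity with an intent filter but no explicit android:exported is reachable from other apps.

```python
"""Added example (not Promon's or Google's code): lint an AndroidManifest.xml
for the two StrandHogg mitigations described in the text.

Checks:
  1. <application> declares android:taskAffinity="" (empty string).
  2. Every public activity declares android:launchMode="singleTask" or
     android:launchMode="singleInstance".
The sample manifests below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SAFE_LAUNCH_MODES = {"singleTask", "singleInstance"}

# Constructed sample: a typical default manifest with neither mitigation.
DEFAULT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: the same app with both mitigations applied.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Example Bank" android:taskAffinity="">
    <activity android:name=".LoginActivity" android:launchMode="singleTask">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_public_activity(activity):
    """True if other apps can start this activity: explicitly exported, or
    implicitly exported because it has an intent filter (pre-Android 12 default)."""
    exported = _attr(activity, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return activity.find("intent-filter") is not None


def lint_manifest(xml_text):
    """Return a list of findings; an empty list means both mitigations are present."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    # Mitigation 1: empty task affinity on the application tag.
    if _attr(app, "taskAffinity") != "":
        findings.append('application: android:taskAffinity is not "" (empty string)')
    # Mitigation 2: singleTask/singleInstance on every public activity.
    for activity in app.findall("activity"):
        name = _attr(activity, "name") or "<unnamed>"
        if not is_public_activity(activity):
            continue  # private activities cannot be started from another app's task
        mode = _attr(activity, "launchMode")
        if mode not in SAFE_LAUNCH_MODES:
            findings.append(
                "activity %s: public activity has launchMode=%r, "
                "expected singleTask or singleInstance" % (name, mode))
    return findings


if __name__ == "__main__":
    for label, manifest in (("default", DEFAULT_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        findings = lint_manifest(manifest)
        print("%s manifest: %s" % (label, "OK" if not findings else "findings"))
        for finding in findings:
            print("  -", finding)
```

Run against the merged manifest produced by the build (or one pulled from an APK with a decoding tool) rather than the source manifest, since library manifests and build variants can add exported activities. The default sample yields two findings (missing taskAffinity and an unprotected LoginActivity); the hardened sample yields none.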

As, according to the researchers, there’s no effective block or reliable detection method against StrandHogg on Android devices, users are advised to be on the lookout for things like:

  • An app or service that they have already logged into asking for a login
  • Permission pop-ups that don’t contain an app name
  • Buttons and links in the user interface that do nothing when clicked on
  • Typos and mistakes in the user interface.

Vulnerability in fully patched Android phones under active attack by bank thieves

A vulnerability in millions of fully patched Android phones is being actively exploited by malware that’s designed to drain the bank accounts of infected users, researchers said on Monday.

The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in a post. Running under the guise of trusted apps already installed, the malicious apps can then request permissions to carry out sensitive tasks, such as recording audio or video, taking photos, reading text messages or phishing login credentials. Targets who click yes to the request are then compromised.

Researchers with Lookout, a mobile security provider and a Promon partner, reported last week that they found 36 apps exploiting the spoofing vulnerability. The malicious apps included variants of the BankBot banking trojan. BankBot has been active since 2017, and apps from the malware family have been caught repeatedly infiltrating the Google Play Market.

The vulnerability is most serious in versions 6 through 10, which (according to Statista) account for about 80% of Android phones worldwide. Attacks against those versions allow malicious apps to ask for permissions while posing as legitimate apps. There’s no limit to the permissions these malicious apps can seek. Access to text messages, photos, the microphone, camera, and GPS are some of the permissions that are possible. A user’s only defense is to click “no” to the requests.

An affinity for multitasking

The vulnerability is found in a function known as TaskAffinity, a multitasking feature that allows apps to assume the identity of other apps or tasks running in the multitasking environment. Malicious apps can exploit this functionality by setting the TaskAffinity for one or more of its activities to match a package name of a trusted third-party app. By either combining the spoofed activity with an additional allowTaskReparenting activity or launching the malicious activity with an Intent.FLAG_ACTIVITY_NEW_TASK, the malicious apps will be placed inside and on top of the targeted task.

“Thus the malicious activity hijacks the target’s task,” Promon researchers wrote. “The next time the target app is launched from Launcher, the hijacked task will be brought to the front and the malicious activity will be visible. The malicious app then only needs to appear like the target app to successfully launch sophisticated attacks against the user. It is possible to hijack such a task before the target app has even been installed.”

Promon said Google has removed malicious apps from its Play Market, but, so far, the vulnerability appears to be unfixed in all versions of Android. Promon is calling the vulnerability “StrandHogg,” an old Norse term for the Viking tactic of raiding coastal areas to plunder and hold people for ransom. Neither Promon nor Lookout identified the names of the malicious apps. That omission makes it hard for people to know if they are or were infected.

Google representatives didn’t respond to questions about when the flaw will be patched, how many Google Play apps were caught exploiting it, or how many end users were affected. The representatives wrote only:

“We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified. Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”

StrandHogg represents the biggest threat to less-experienced users or those who have cognitive or other types of impairments that make it hard to pay close attention to subtle behaviors of apps. Still, there are several things alert users can do to detect malicious apps that attempt to exploit the vulnerability. Suspicious signs include:

  • An app or service that you’re already logged into is asking for a login.
  • Permission popups that don’t contain an app name.
  • An app requesting permissions it shouldn’t need for its functionality; for example, a calculator app asking for GPS permission.
  • Typos and mistakes in the user interface.
  • Buttons and links in the user interface that do nothing when clicked on.
  • Back button does not work as expected.

Tip-off from a Czech bank

Promon researchers said they identified StrandHogg after learning from an unnamed Eastern European security company for financial institutions that several banks in the Czech Republic reported money disappearing from customer accounts. The partner gave Promon a sample of suspected malware. Promon eventually found that the malware was exploiting the vulnerability. Promon partner Lookout later identified the 36 apps exploiting the vulnerability, including BankBot variants.

Monday’s post didn’t say how many financial institutions were targeted in total.

The malware sample Promon analyzed was installed through several dropper apps and downloaders distributed on Google Play. While Google has removed them, it’s not uncommon for new malicious apps to make their way into the Google-operated service. Update: In an email sent after this post went live, a Lookout representative said none of the 36 apps it found was available in Google Play.

Readers are once again reminded to be highly suspicious of Android apps available both in and outside of Google Play. People should also pay close attention to permissions requested by any app.

Google ups bug bounties for Android flaws, exploits

Google has expanded the Android Security Rewards (ASR) program and increased the bug bounties it’s willing to award for certain kinds of exploits.

About the Android Security Rewards Program

ASR covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets, which are currently Pixel 4, Pixel 3a and Pixel 3a XL, and Pixel 3 and Pixel 3 XL.

“Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS,” Google clarifies.

As is usual with bug bounty programs, the final amount received by vulnerability reporters depends on many things: the severity of the flaw, the quality of their write-up, the amount of user interaction required for the exploit to work, the reliability of the exploit, and more.

Latest changes and rewards increases

“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million,” Jessica Lin of the Android Security Team announced on Thursday.

The Titan M chip – custom built for Pixel 3 to secure users’ most sensitive on-device data, the operating system, third-party apps and secure sensitive transactions – was launched a year ago.

Achieving arbitrary code execution that results in the compromise of other secure environments, the kernel and privileged processes can also lead to substantial rewards.

“In addition to exploits involving Pixel Titan M, we have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category,” she added.

Rewards for lockscreen bypass exploits (maximum: $100,000) will be given out only for exploits achieved via software that would affect multiple or all devices. Those hoping to bypass the lockscreen via fake masks or fingerprints will be disappointed: spoofing attacks that use synthetic biometric data are not eligible for reward, Google says.

More information about the Android Security Rewards Program is available here.

Google is trying to secure as much of the Android attack surface as it can: it has recently partnered with several mobile security companies to identify potentially harmful and unwanted Android apps before they are listed on Google Play, and has expanded the Google Play Security Reward Program to include all apps in Google Play with 100 million or more installs.