E-Z-2-Use attack code exploits critical bug in majority of Android phones

Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said.

The attack was published last week as a module to the open-source Metasploit exploit framework used by security professionals and hackers alike. The code exploits a critical bug in Android’s WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone’s camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books. Google patched the vulnerability in November with the release of Android 4.2, but according to the company’s figures, the fix is installed on well under half of the handsets it tracks.

“This vulnerability is kind of a huge deal,” Tod Beardsley, a researcher for Metasploit maintainer Rapid7, wrote in a recent blog post. “I’m hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don’t last for 93+ weeks in the wild. Don’t believe me that this thing is that old? Just take a look at the module’s references if you don’t believe me.”

The WebView vulnerability allows attackers to inject malicious JavaScript into the Android browser and, in some cases, other apps. In turn, it helps attackers gain the same level of control as the targeted program. The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone’s file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network. By hijacking the app’s update process, attackers can gain control over the same resources already granted to the app, including permissions such as access to SD cards and geographic data.
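The WebView bug the article describes is in Android's JavaScript-to-Java bridge (addJavascriptInterface). As an added, defender-side example that is not part of the Ars Technica article: the app-side mitigation is to annotate bridge methods with @JavascriptInterface (enforced on Android 4.2+ when the app declares targetSdkVersion 17 or higher in its manifest), to expose no bridge at all on older devices where enforcement does not exist, and to keep the WebView on HTTPS so open Wi-Fi injection has nothing to attach to. HardenedWebView, SafeBridge, TlsOnlyClient and the "AppBridge" name are hypothetical.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class HardenedWebView {
    private HardenedWebView() {}

    // Hypothetical bridge object handed to page JavaScript. On Android 4.2+ with
    // targetSdkVersion >= 17, only methods carrying @JavascriptInterface are
    // callable from JavaScript; without the annotation, or on older devices,
    // every public method of the object is reachable, which is what the exploit
    // described above abuses to act with the host app's permissions.
    public static class SafeBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed sample value
        }
    }

    // Blocks in-page navigation to anything that is not HTTPS, so an attacker on
    // an unsecured Wi-Fi network cannot swap script into the page being shown.
    // The initial loadUrl() call must be HTTPS as well.
    private static final class TlsOnlyClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return !url.startsWith("https://"); // true = refuse this navigation
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView view, boolean needsBridge) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false); // keep page script away from the file system
        if (needsBridge && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Annotation enforcement exists here, so a restricted bridge is acceptable.
            view.addJavascriptInterface(new SafeBridge(), "AppBridge");
        } else {
            // Pre-4.2 devices cannot restrict the bridge: expose none at all.
            view.removeJavascriptInterface("AppBridge");
        }
        view.setWebViewClient(new TlsOnlyClient());
    }
}
```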

Popping a shell

The threat is closely related to one Ars wrote about in September. In addition to making the native Android browser included in vulnerable versions of the mobile operating system susceptible, the weakness can also affect third-party apps developed with older code libraries. Readers can see a video of the newly released Metasploit exploit module in action here. The resulting command shell can do anything the native Android browser can do.

Rapid7’s Beardsley raises a good point about the proliferation of devices still running out-of-date versions of Android with known security vulnerabilities. Indeed, it’s not hard to find big-name sellers offering handsets that are vulnerable right out of the box. Ars has chronicled the checkered, slow history of Android updates before, as well as efforts by civil liberties groups to force US regulators to take action. Until carriers and sellers can be counted on to provide security updates for all their customers, the best bet for Android users is to use a Google-managed device such as the Nexus 4, which provides timely security updates directly from Google.

via E-Z-2-Use attack code exploits critical bug in majority of Android phones | Ars Technica.

Mobile malware reported riding on Google messaging service

Mobile botnets are on the rise and cybercriminals are using the Google Cloud Messaging service as a conduit for sending data from command-and-control servers to malware, a new report says.

In its latest IT Threat Evolution report, Kaspersky Lab said the third quarter was “undoubtedly the quarter of mobile botnets,” as cybercriminals tried to improve the ways they manage their networks of infected Android devices.

The latest weapon in criminals’ arsenal is GCM, which enables them to send short messages in the JSON format to instruct malware on Android devices. JSON, or JavaScript Object Notation, is an open standard format that uses human-readable text to transmit data from a server to Web applications.

GCM is being used to communicate with the most widespread SMS Trojans, Kaspersky said in the report released last week. SMS Trojans are a common form of mobile malware that sends text messages to premium-rate phone services. The charges, which are not easily recovered, show up later on the victim’s wireless phone bill.

“The only way of preventing this channel from being used by malware writers to communicate to their malware is to block the GCM accounts of developers who use them to spread malware,” Kaspersky said.

Very few malicious programs use GCM, but those that can are growing in popularity, the security vendor said.

SMS Trojans, the most common type of mobile malware, are mostly found in Russia and other regions where Android users regularly download software from third-party app stores. Malware is much less likely to hide in Google Play, the official Android store.

Android infection low

Nevertheless, the overall rate of infection on Android devices is very low. A study by the Georgia Institute of Technology found an infection rate of 0.0009 percent, or roughly 3500 out of more than 380 million mobile devices.

Infection hurdles include bypassing defenses Google builds into the operating system and the lack of effective mechanisms for mass distribution. Criminals are turning to botnets to clear the latter, and Kaspersky in mid-July recorded what the vendor said were the first third-party botnets.

Criminals rent such networks to others for malware distribution. Among the malware distributed is the most sophisticated Android Trojan, known as Obad, Kaspersky said.

The malware opens a backdoor in an infected device in order to download additional malicious code for stealing money from victims’ bank accounts. While not common in the U.S., people in other countries often use their smartphone for money transfers.

Kaspersky found Obad being distributed through mobile devices infected with malware called Trojan-SMS.AndroidOS.Opfake.a. Upon receiving instructions from a command-and-control server, Opfake would send text messages to everyone on a victim’s contact list, inviting them to download multimedia content.

Clicking on the link in the text automatically downloaded Obad, Kaspersky said.

Typical for mobile malware reports, Kaspersky recorded an increasing number of samples. The number in the vendor’s collection rose nearly 20 percent from the second quarter to 120,000.

via Mobile malware reported riding on Google messaging service | TechHive.

Windows 8's complexity leaves it vulnerable, Kaspersky says

The complexity of the Windows 8 operating system has increased its vulnerability, according to Kaspersky Lab A/NZ product specialist, Wayne Kirby.
This complexity is the result of three different types of operating systems running Windows 8, namely the legacy Windows desktop, Windows RT, and Windows RT running on ARM-based systems.

Kirby said this approach has increased the vulnerability of the OS, as the multiple OS approach provides hackers with more places to find vulnerabilities to exploit.
“Because it contains three platforms, it leaves the gateway open for a much broader opening for ways into the system,” he said in a recent interview.
Another security risk Kirby identifies in Windows 8 is the introduction of the simple sign-on.
“With one web console, you can now log in and have local administrative rights on a remote computer, go as far as manipulate registry on computers,” he said.
“That leaves it open to a lot of vulnerabilities.”
SkyDrive is the limit
The integration of Microsoft’s Cloud storage service, SkyDrive, into Windows 8 is also highlighted as a worrisome feature.

If adequate security measures are not put in place, Kirby said Cloud data could potentially be accessed by anyone with the right know-how.
“Since SkyDrive is embedded in the operating system, it is one of the biggest threats to the security of personal data in the new operating system,” he said. Access to SkyDrive is already available on Windows 7 and other operating systems, though Kirby said the fact that it is built directly into Windows 8 sets it apart.
The reason why Microsoft adopted a multi-OS approach and SkyDrive integration was to make Windows 8 attractive to developers, though Kirby said this move may have been counterproductive from a security standpoint. Conversely, the developer-friendly aspect of Windows 8 is likely to be “embraced” by cyber criminals who will “heavily exploit” the vulnerabilities of the new OS.
via Windows 8’s complexity leaves it vulnerable, Kaspersky says | PCWorld.