Friday 20 April 2012

No Permissions Android Application Can Harvest, Export Device Data

The term "permissions" may be a relative one for Google's Android operating system, which grants applications with no permissions access to a wide range of user and device data, according to research from the company Leviathan Security Group.

In a blog post Monday, researcher Paul Brodeur showed that Android applications without permissions can still access files used by other applications, including a list of which applications are installed and any readable files belonging to those applications. That capability could be used to identify applications with weak file-permission vulnerabilities and exploit those, Brodeur warned.
Brodeur unveiled a proof-of-concept Android application, dubbed "NoPermissions", that works on Android phones running versions 4.0.3 and 2.3.5 of the operating system.

His work builds on research by other mobile security experts and academics that has uncovered limitations in the Android permissions scheme. For example, even without any permissions, Brodeur's application was able to collect information about the Android device, including the GSM and SIM vendor IDs, a file that lists the installed kernel and ROM version, and the unique Android ID. His no-permission application could also access non-hidden files stored on the phone's SD card. That is as Google intended, but Brodeur points out that applications use local storage in unpredictable ways that are mostly transparent to the phone's owners. Among the data he found on his own Android phone were certificates from his mobile OpenVPN application.

Not only could an attacker take advantage of the lack of strict permissions to collect data, Brodeur wrote, they could also export it from the phone without permissions. The ACTION_VIEW Intent, which opens a URI, is available without any permission, and it opens a browser on the Android device. An attacker could then hand data to the browser as a URI with GET parameters, delivering it to an Internet-accessible server or device over successive browser calls. In fact, Brodeur found that the app can launch a browser in the background, even when it does not have focus (that is, when it is not the active application).
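An added defender-side check (not code from Leviathan or the NoPermissions app): the Python below parses `ls -l -R` output of the kind `adb shell` prints for /data/data, constructed here as sample input, and flags files whose mode bits let any other process read or write them, which is the weak-permission condition that lets a no-permission app harvest other apps' data. The package names, user IDs and filenames in the sample are made up.

```python
"""Audit Android app data directories for files any other app could read.

Added example, not Leviathan's NoPermissions code: it parses `ls -l -R`
output (constructed sample below) and reports regular files whose
"other" mode bits grant read or write access to every process.
"""
import re

# Constructed sample of `adb shell ls -l -R /data/data` output (not real data).
SAMPLE_LS = """\
/data/data/com.example.vpn/files:
-rw-r--r-- u0_a101 u0_a101   2048 2012-04-20 10:00 client.crt
-rw------- u0_a101 u0_a101   1679 2012-04-20 10:00 client.key
/data/data/com.example.chat/shared_prefs:
-rw-rw-rw- u0_a102 u0_a102    512 2012-04-19 09:30 session.xml
-rw-rw---- u0_a102 u0_a102    300 2012-04-19 09:30 prefs.xml
-rw-r--r-- u0_a102 u0_a102   4096 2012-04-19 09:31 cache.db
"""

# Fields: mode, owner, group, size, date, time, name
LINE_RE = re.compile(
    r'^([-dl][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$')

# Filenames that suggest credentials; a world-readable hit here is severe.
SENSITIVE_RE = re.compile(r'(key|cert|crt|pem|token|session|plist)', re.I)


def audit_ls(text):
    """Return a list of findings for world-accessible regular files."""
    findings = []
    cwd = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.endswith(':'):            # directory header from `ls -R`
            cwd = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m or cwd is None:
            continue                      # noise or file outside a known dir
        mode, owner, _group, _size, name = m.groups()
        if mode[0] != '-':
            continue                      # skip directories and symlinks
        other = mode[7:10]                # rwx bits for "everyone else"
        issues = []
        if 'r' in other:
            issues.append('world-readable')
        if 'w' in other:
            issues.append('world-writable')
        if not issues:
            continue
        severity = 'high' if ('w' in other or SENSITIVE_RE.search(name)) else 'medium'
        findings.append({'path': f'{cwd}/{name}', 'owner': owner,
                         'mode': mode, 'issues': issues, 'severity': severity})
    return findings


if __name__ == '__main__':
    for f in audit_ls(SAMPLE_LS):
        print(f"{f['severity']:6} {f['mode']} {f['path']}: {', '.join(f['issues'])}")
```

On a real device, pipe `adb shell ls -l -R /data/data` into `audit_ls` and review every high-severity hit; the world-readable OpenVPN certificates the article mentions would show up exactly this way.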

This isn't the first warning about the problem of loose application permissions on Android. Researchers from North Carolina State University designed a similar application in 2010 to highlight flaws in the Android permissions scheme. And in December 2011, Thomas Cannon, a researcher at security firm viaForensics, demonstrated that an Android application without permissions could still give an attacker access to a remote shell on an Android phone, allowing them to run commands on the device remotely.

Courtesy Paul

Monday 16 April 2012

Apple Developing Fix For Flashback Malware

Apple is planning to release a software fix that will find and remove the Flashback malware that has been haunting Mac users for several months now. The latest version of Flashback has built a botnet that at times has included more than 600,000 infected machines.

Apple said on Tuesday that it was in the process of developing a tool that would detect and remove Flashback, but the company did not specify when the fix would be available. Security researchers and customers have been questioning why Apple hasn't yet provided a fix for the malware even though Flashback has been around in one form or another for more than six months now. The most recent variant of the Trojan is exploiting a Java vulnerability through drive-by download attacks in order to infect users' machines.

Apple, which is typically mum on security issues, has remained so throughout the investigation by security firms into the Flashback botnet and it wasn't until Tuesday that the company made its first public statement about the issue.

"A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs. Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates," the company said in a statement. "Apple is developing software that will detect and remove the Flashback malware."

Apple also said that it is working with ISPs to help take down the sites that are serving the exploits and infecting Mac users. Researchers at Kaspersky Lab and other security companies have taken the step of sinkholing some of the command-and-control domains that the Flashback malware authors use to communicate with infected machines. That tactic has enabled the researchers to keep tabs on the size of the botnet, which was up over the 600,000 mark late last week but had fallen to less than 250,000 by Tuesday.

In a podcast interview Tuesday on the Flashback botnet and the response by Apple, Costin Raiu of Kaspersky said that now that attackers have begun to focus some of their attention on Mac users, he would expect to see more of these kinds of attacks in the coming months.

From what Apple said in its statement, it's not clear whether the fix that the company is developing will be an update for the XProtect anti-malware software that's included with OS X or whether it will be a standalone tool. Some earlier versions of Flashback have had the ability to disable XProtect on infected machines.

Courtesy Dennis

Wednesday 11 April 2012

Facebook Reassures Users, But Hole May Put Mobile Data at Risk

Facebook Security assured users who access their Facebook account via Android or iOS devices on Thursday that mobile sessions on the social networking site aren’t vulnerable to hacking. However, research published this week suggests otherwise.

A blog entry posted by UK-based mobile application developer Gareth Wright suggests that users whose mobile phones are compromised may be subject to account takeover attacks.

Writing on Tuesday, Wright identified an alleged problem in the social network’s plain-text access token file, ‘com.Facebook.plist.’ Wright was able to take the unencrypted token, available in the application’s directory, and copy it to a friend’s device. After his friend removed his own token, the friend was able to see all of Wright’s personal Facebook posts, messages and likes on his own phone without even logging in.

The hole raises concern for anyone who may plug their phone into public computers or modified public charging stations, putting their .plist files in danger of being swiped by malware residing on those machines, Wright said. 

Attack scenarios include a hidden application that runs in the background on shared PCs and copies plists from mobile devices attached to them. Alternatively, attackers could devise a tool for copying plists from mobile devices to which they have physical access.

Wright’s findings prompted Facebook's security group to issue a statement Thursday afternoon claiming that users accessing Facebook.com from an iOS or Android device were only vulnerable if using a jailbroken iOS or modded Android device. The update insists that Facebook’s application is only for use with the manufacturer-provided operating system, and suggests that if a “malicious actor” were granted access to the physical device, it could be vulnerable.

However, Wright’s hack, which used the app iExplore to browse iOS files, doesn’t require a jailbroken iPhone. Further research from writers at TheNextWeb.com on Friday helped verify his findings and also found that the file-syncing app Dropbox, which has been taking security heat of its own lately, has the same vulnerability.

In an interview with ZDNet, Wright claims Facebook “are aware and working on closing the hole,” yet it’s not known whether Dropbox is aware of the similar, purported vulnerability and taking action to fix it.

In a statement, Dropbox said that the company's Android application was not affected because it stores access tokens in a protected location. "We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user's device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices," said the statement from a Dropbox spokeswoman.

Facebook is reportedly working on a fix for the plist problem. 

Courtesy Christopher

Sunday 8 April 2012

Kelihos Returns: Same Botnet or New Version?

The twice-shut-down Kelihos botnet remains active and continues spamming with a new variant, despite yesterday’s efforts by Kaspersky Lab and CrowdStrike that knocked offline and sinkholed the most recent version of the botnet.

According to a Seculert report, the indomitable botnet is using a Facebook worm to continue spreading itself and infecting new machines. Its command and control server is still capable of communicating with other members of the botnet.

Researchers at Seculert are reluctant to classify this as a ‘Kelihos.c’, or third version of the botnet, claiming instead that it is the same botnet. Seculert says that the same criminals are still responsible for the network’s operation and, furthermore, have the capacity to regain control over sinkholed machines by using the Facebook worm mentioned above.

“…the sinkholed machines are also installed with the Facebook worm which downloaded the Kelihos.B botnet in the first place,” Seculert’s Aviv Raff told Threatpost via email. “This means they might get an instruction to re-install the Kelihos botnet again, but with the new configuration set (as with the new infected bots).”

The news that Kelihos is “live and social,” as Seculert put it, is not altogether surprising. In an email interview with Threatpost yesterday, Tillmann Werner of CrowdStrike and Marco Preuss of Kaspersky said they expected Kelihos would emerge again, albeit not so soon.

Preuss today acknowledged the appearance of the new Kelihos, but, contrary to Seculert’s analysis, claims it is a different botnet.

“We confirm that a new Hlux/Kelihos sample exists but it has a different configuration,” Preuss explained via email, “which means it’s coming from a new Hlux botnet (Hlux C). The previous generation (Hlux B) is under control by the sinkhole server. It is not uncommon for new versions of botnets to appear that are operated by the same group.”

Kaspersky identifies the Kelihos botnet as Hlux.

Preuss went on to explain that the criminal group responsible has been operating various versions of this botnet since 2007 (Storm, Waledac, Hlux/Kelihos). It would be naive, he said, to think they wouldn’t create a new botnet.

“Our sinkholing operations for Hlux A and B have shown that our countermeasure efforts are successful,” Preuss went on, “even if it’s just a temporary way to slow the group down.”

It seems that the Kelihos.b vs. Kelihos.c discrepancy is merely a matter of semantics between the researchers. However, Kaspersky Lab claims that the criminals behind the bot are not capable of regaining access to machines in the sinkhole, and that Seculert's claim of such a capability is "not accurate."

Furthermore, Kaspersky Lab's partner in the takedown, CrowdStrike, authored a blog post this morning refuting a point made by Seculert. The bottom line, CrowdStrike claims, is this:
"There is no known means for the attacker to regain control over the sinkholed Kelihos.B machines at this point."

Courtesy Brian

Friday 6 April 2012

Yahoo to Implement Do Not Track

Yahoo has decided that it's now time to start implementing a Do Not Track system across its various Web properties. The company is one of the last large Web content providers to officially commit to using a DNT technology, and Yahoo said that it plans to have the system implemented by early summer.

It's not clear exactly how Yahoo plans to implement a Do Not Track technology, but the company said that the system will be site-wide and will cover the company's Right Media and interclick subsidiaries. 

"Yahoo! has been a leader in the DNT discussion and has a proven history of providing enhanced transparency and heightened control to its users. This implementation continues our leadership in user privacy where Yahoo! was among the first to launch an Ad Interest Manager three years ago and the industry AdChoices Icon program two years ago. With this new feature, Yahoo! continues its leadership in privacy innovation while continuing to create the free online services consumers demand that are made possible through advertising," the company said in a statement.

Yahoo officials said that their Do Not Track implementation has been in development since 2011 and that it will give consumers a simple way to turn on the DNT option. In most DNT implementations, which typically exist in browsers, users simply click an option in the browser's settings to tell sites that they don't want to be tracked. That instructs the browser to send a specific header carrying the user's DNT preference to each site it visits.

Microsoft and Mozilla have had DNT implementations in their browsers for some time now, and Google recently said that it will implement the technology in Chrome sometime soon, as well. The idea behind DNT systems is to enable consumers to stop sites from tracking them across the Web with special cookies and other technologies. Some members of Congress have been pushing for the broad implementation of DNT, including Mary Bono Mack.

"We applaud Chairman Bono Mack for her leadership and thoughtful approach to online privacy issues and her foresight to call a hearing on this issue today. Yahoo! looks forward to continuing the dialogue with policymakers to discuss commonsense solutions that protect user privacy while maintaining the free Internet model," Yahoo said in its statement.

Courtesy Dennis

Wednesday 4 April 2012

Facebook Warns Users About Timeline Adware

Facebook issued a video warning to its hundreds of millions of users on Thursday about the dangers of adware programs that lure users with promises of special features.

In a video message from the Facebook Security group, the company said that a growing number of companies are fooling Facebook users into installing add-on software that can cover their Facebook account with ads, slow down site performance and compromise user security.

The warnings come as online advertisers are looking for ways to capitalize on the Facebook platform and the hours each day that avid users can spend on the giant social network.

In a phenomenon that seems a throwback to the go-go days of the Web, Facebook users are now complaining to the company about their page and Timeline being overrun with noisy, distracting ads that also bog down site performance.

The adware programs may be promoted on the Walls and timelines of Facebook users, but are not part of the site. Instead, most are bundled with browser plugins and toolbars that must be installed on the user's Web browser.

Adware On Facebook (courtesy of Facebook)

In a FAQ (Frequently Asked Questions) post on the adware problem, Facebook Security warned that sanctioned Facebook ads will never appear as banners, in the center, top or left column of the Facebook Web site. "If you're seeing ads in these locations, or ads that flash or play sound automatically, you probably have adware," the company said.

Facebook has posted a list of around a dozen known adware programs that are specific to the site, including applications with names like Facetheme.com, Pagerage.com and Pagemood.com. It also provided written and video instructions for removing adware by disabling the browser plugins, toolbars or add-ons.

Online scammers are gravitating to Facebook because of the relatively high levels of user engagement on the site. As with traditional, Web based attacks, scammers use interest in major news events (like the death of Osama bin Laden) to seed links to phishing, click fraud and malware sites. But they're also using Facebook's real estate to direct users to survey Web sites and other for-profit ventures.

In August 2011, security firm Websense studied two Facebook scams and found that both achieved enormous penetration on the site. According to Websense, a July 2011 scam based on malicious Wall posts took just over a week to hit peak numbers, while a second in August took only two days; upwards of 1700 Facebook users interacted with the scams every few seconds during each campaign’s peak days.

In the August scam documented by Websense, malicious links with suggestive titles posted on users' Facebook Walls pointed users to a scam survey. Using an estimated average of 130 Facebook friends per user, Websense calculated that the survey may have reached over 800,000 people at its peak. A Web site associated with the scam saw roughly 1,267,200 visitors.

Courtesy Paul Roberts

Monday 2 April 2012

New TGLoader Android Malware Found in Alternative Markets

Alternative mobile app markets have become a great place to find new games, utilities and other apps. But mostly they're great if you're looking for the latest stealthy Android malware. The newest example is a piece of malware called TGLoader that is showing up in repackaged legitimate apps and has the ability to get root privileges on victims' phones and also cost them quite a bit of money by sending SMS messages to premium-rate numbers.

The TGLoader malware has appeared in some alternative Android app markets recently, and researchers at North Carolina State University discovered and analyzed it, finding it has a wide range of capabilities. The malware uses the "exploid" root exploit to get root privileges on compromised phones, and from there it starts installing a variety of apps and Android code that are designed to perform a long list of malicious actions.

"After that, it further installed several payloads (including both native binary programs and Android apps) unbeknownst to users. The malware also listens to remote C&C servers for further instructions. Specifically, one particular 'phone-home' function supported in TGLoader is to retrieve a destination number and related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send out SMS messages to premium-rate numbers," Xuxian Jiang, an assistant professor at NC State, wrote in an analysis of the new malware.

The TGLoader malware typically is found in otherwise legitimate apps that have been repackaged to include the malicious code. Once it's on the device, the malware will start a new service inside the compromised app, which will then be started every time the app is executed.

"Upon the execution, it will copy all of its payloads, including native binaries and embedded apks into the current directory. In the meantime, it will also launch the exploid root exploit to elevate its privilege. After getting the root privilege, it will copy enclosed native binary programs into the system partition. One particular native program will connect to the remote C&C servers with information collected in the infected phones and wait for instructions," Jiang wrote.

The researchers have not found the TGLoader malware in the official Android Market at this point. There have been a number of incidents in the last year or so with malware being found in apps in the Android Market and Google has shown a willingness to pull those apps from the market, as well as from users' phones, when they're identified. But this incident has been confined to the alternative markets so far.

Courtesy Dennis Fisher