Android phones vulnerable to Qualcomm bugs

Security researchers from Tencent’s Blade Team are warning Android smartphone and tablet users of flaws in Qualcomm chipsets, called QualPwn. The bugs collectively allow hackers to compromise Android devices remotely simply by sending malicious packets over-the-air – no user interaction required.

Three bugs make up QualPwn (CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538). The prerequisite for the attack is that both the attacker and targeted Android device must be active on the same shared Wi-Fi network.

“One of the vulnerabilities allows attackers to compromise the WLAN and modem, over-the-air. The other allows attackers to compromise the Android kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances,” wrote researchers.

All three vulnerabilities have been reported to Qualcomm and Google’s Android security team and patches are available for handsets. “We have not found this vulnerability to have a public full exploit code,” according to a brief public disclosure of the flaws by the Tencent Blade Team.

Researchers said their focus was on Google Pixel2 and Pixel3 handsets and that its tests indicated that unpatched phones running on Qualcomm Snapdragon 835 and Snapdragon 845 chips may be vulnerable.

A Qualcomm spokesperson told Threatpost in a statement: “Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”

The first critical bug (CVE-2019-10539) is identified by researchers as a “buffer copy without checking size of input in WLAN.” Qualcomm describes it as a “possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length.”

A New Botnet Targeting to Infect Android Devices with Malware that Mines the Monero Cryptocurrency

Another botnet showed up over the weekend on Saturday, February 3 focused entirely on Android gadgets precisely being port 5555, which on gadgets running the Android OS is the port utilized by the operating system's native Android Debug Bridge (ADB), a troubleshooting interface which awards access to a portion of the operating system's most sensitive features.

The reason why being so that by checking for open troubleshoot ports it can infect victims with malware that mines the Monero cryptocurrency.

As per security researchers from Qihoo 360's Network Security Research Lab (Netlab) division, the ones who discovered the botnet, named ADB.miner , just gadgets, for example, cell phones, smart TVs, and television top boxes, running the Android OS have been tainted as of not long ago.

"The number of scan [sources] has doubled every 12 [hours]," said Yiming Gong, Director of the Network Security Research Lab at Qihoo 360. "We will see how big this botnet gets."


The botnet gives off an impression of being aggressive and continues growing every day, with 
infected devices filtering the Web for other victims. As of now, the Botnet seems to have infected around 7,400 devices as detected by Netlab.


Recently scanning for this port 5555, shot to the #4 spot in Netlab's most scanned ports as opposed to the previous account, as it wasn't even in the top 10.


Most IP addresses to checking for different devices (which means they are now infected) are situated in China (~40%) and South Korea (~30%). Yiming informed further that the botnet has generally infected  "television related" devices, instead of smartphones.
  
Netlab says ADB.miner utilized some of Mirai's port scanning code also marks the first time an Android malware strain has obtained code from Mirai, a strain of Linux-based malware that was previously focused on just systems administration i.e. Networking and IoT devices.

All the same, the researchers still haven't given any insights with respect to the ADB vulnerability  the attackers are using to take control over devices however cleared up that they don't think the bug is particular to a specific seller (vendor). This in all probability implies that the bug influences the centre of the Android ADB segment itself.


Security flaw detected in popular Dolphin and Mercury browsers

Rotologix, a cyber-security enthusiast, has found out zero-day flaws, which could allow an attacker to perform remote code execution, in two popular Dolphin and Mercury Android mobile browsers, which have 100 million users.

The remote code execution exploit allows an attacker to replace the browser's theme package with an infected counterpart.

“The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser's data directory,” the researcher posted in a blog post.

It is said that the exploit allows the attackers to modify the downloading and applying new themes functions to the browser. Those who are affected, need to download, and apply a new Dolphin browser theme all again.


And for Dolphin, Rotologix said, "An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser. Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user's device.”

Your Android phones can be hacked with a single MMS message

Image Credits : Zimperium
 Researchers from Zimperium Mobile Security, a security firm, have discovered a bug dubbed Stagefright in Android mobile operating system which they said to be the “worst Android vulnerabilities” to the date.

Though, the Google had patched the problem, millions of devices need to be updated. The flaw has affected nearly a billion devices.

“These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction,” a report posted in its blog.

The flaw can be exploited by sending a photo or video message to a person's smartphone, without any action by the receiver.

“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the researchers wrote.

After Stagefright had been invoked, which required no action from the victim, other data and apps on the handset could be accessed by the malicious code.

Once the researchers had discovered the flaw, they reported it to the Google, which produced a patch to fix the problem.

According to a report published in BBC, the Google said in statement that the vulnerability was identified in a laboratory setting on older Android devices, and as far as they know, no-one has been affected.

"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at Black Hat," the report read.

Android Vulnerability allows hackers to Turn Legitimate Application into Virus

All Android applications contain a signature which helps the Android to determine if the app is legitimate and to make sure the apk hasn't been tampered with or modified.

Security Researchers from BlueBox Labs have uncovered a new security flaw in Android that allows hacker to modify the application's code without breaking the application's cryptographic signature.

It can be exploited by cyber criminals to turn the legitimate applications into Malicious apps.

Exploited HTC Phone. - Image Credits: BlueBox

In a blog post, Jeff Forristal, Bluebox CTO, noted that the security flaw is particularly dangerous if hackers managed to exploit the application developed by the device manufacturers.

He also pointed out that turning the apps from the device manufacturer into Malware will grant the app full access to Android system that allows hackers to gain access to email , Messages, documents, passwords and more sensitive data.

Security Alert: Linux Kernel Privilege escalation exploit affects Android platform


Android Operating System is based on the Linux, means the vulnerabilities affecting Linux kernel have the possibility of being exploited in the Android platform.

It appears the recently discovered Linux local kernel privilege escalation vulnerability (CVE-2013-2094) is affecting the Android operating system.

According to Symantec researchers, the exploit for the kernel vulnerability has now been modified to work on Android platform. The security flaw allows hacker to gain complete control of the infected devices.

The researchers have warned that malware will take advantage of this exploit to access data from other apps, prevent users from uninstalling the malware, and allows them to send premium rate SMS.

We are not sure how much time Google will take to patch the bug. So, users are advised to download the apps only from trusted marketplaces.

Bypassing Android encryption by freezing android phones


German Security Researchers have discovered that freezing an Android phone allows hackers to access the Encrypted data stored in the phone.

The encryption method introduced in the Android version "Ice cream sandwich" by Google. 

The researchers bypassed this encryption system method by freezing the smartphone for an hour.

"Quickly connecting and disconnecting the battery of a frozen phone forced the handset into a vulnerable mode. " According to BBC report.

"This loophole let them start it up with some custom-built software rather than its onboard Android operating system."

The hack allowed the researchers to access the encrypted contact lists, browsing histories and photos.

For more information:
https://www1.informatik.uni-erlangen.de/frost

Samsung Galaxy S3 Lock screen bypass vulnerability


Following the partial bypass vulnerability in Note II, a new security flaw has been discovered that allows hackers to completely bypass lock screen on Samsung Galaxy S3 .

The bug was discovered by Sean McMillan and posted as Full disclosure in the Seclists mailing list.

The instruction provided by McMillan : How to bypass the Lock screen in galaxy S3 
1) On the code entry screen press Emergency Call
2) Then press Emergency Contacts
3) Press the Home button once
4) Just after pressing the Home button press the power button quickly
5) If successful, pressing the power button again will
bring you to the S3's home screen


McMillan said that it can "take quite a few attempts to get this working, sometimes this method works straight away, other times it can
take more than 20 attempts." 

Security Flaw in Samsung allow hackers to bypass Android Lock screen

A Security flaw in the Samsung phones allows hacker to bypass the lock screen and launch apps and dial phone numbers on a locked device. The vulnerability has been discovered by a mobile enthusiast Terence Eden.

To exploit this security flaw, the hacker should activate the screen and press Emergency Call. Then,  Press the "ICE" button on the bottom left and hold down physical home key for a few seconds and then release. Now, you can access the Home screen and launch any app or widget.

Researcher has tested this vulnerability against Galaxy Note II N7100 running 4.1.2.

"This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed." Eden said in his blog post.

The researcher says he tried to contact Samsung regarding this vulnerability but there is no proper response from their side.





Spyware masquerade as greeting-sending app and steals your Mobile info


New Year coming up, there's naturally a lot of well wishes and holiday greetings being messaged around. Looks like somebody's decided to join in (a little late) — and also do a bit of data harvesting at the same time.

F-Secure researchers have spotted a malware application(na masquerade as greeting-sending applicaion that lets you send witty/sweet/funny messages to your contact. On execution, it displays a list of text messages that fall into different categories: new year wishes, friendship, love and jokes

When the user selects one of messages, the app prompts a dialog box asking for the next action: Contact, Edit or Cancel.

If Contact is chosen, the app tries to read the stored contact data. Presumably, it needs to know to whom to send the message.

Researchers tested the application with a test phone that has bogus contacts present, no text message was sent then either — AdBoo only produces a dialog box with the message "Sending fail"

When analyzing the app, researchers noticed that the app did do something else though. On selecting the Contacts options, it silently obtained the following information from the device:

1) Phone Model
2) Android Version
3) Phone number
4) International Mobile Equipment Identity (IMEI) number

The harvested details are then forwarded to remote server.

Incidentally, looking at the certificate for this variant of AdBoo, it appears to be from the same developer as Zsone.A.

Android Malware masquerades as AntiVirus & sends SMS to Premium rate numbers

Malware Application

What you will do ? , if you got these kind of message in your mobile : "Your Android mobile is infected by virus.  Install this antivirus and activate security system".  Will you ignore or follow the link and install the antivirus?

Kaspersky Researchers have spotted a android malware application that masquerade as Antivirus.  When researchers search for some popular applications in smartphone via Opera mini, they found that search results leads to scammer sites . The scam sites claim that the user’s device might be infected and that somebody has access to personal data and then will ask the user to check his or her device for malware. If the user clicks on the button, the web page will result some fake report that claims "Your mobile is infected" and ask you to activated the Security system.

If a user click the link , it will download and install "VirusScanner.apk file which is actually malicious and detected by us as Trojan-SMS.AndroidOS.Scavir. if you have non-Android mobile, it will download "VirusScanner.jar" a file which is detected by us as Trojan-SMS.J2ME.Agent.ij.

After the installation, an application named ‘Установщик’ (‘Installer’) with the Kaspersky icon appears in the menu.

When the application executes , the user is asked to press the ‘Continue’ button if he wants to launch VirusScanner with some options like ‘Turn on multi-level protection’, ‘Disable remote control of a device’ or ‘Turn on web site scanning’. But in fact after pressing ‘Continue’ this app will send SMS messages to expensive premium rate numbers.

"DroidLive" New SMS Android Trojan Being Disguised as a Google Library

A research team at NC State University  in collaboration with  NetQin, have uncovered a new SMS Android Trojan named as "DroidLive" in third-party Android markets. They detected this malware on Nov 5 and published about the trojan on Nov 11.

The Trojan attempts to disguise itself as a Google library, but actually receives commands from a remote Command and Control (C&C) server, which allow it to engage in sending text messages to premium numbers, making phone calls, collecting personal information, and other nefarious activities.

Also, one unusual behavior of this malware is its attempt of installing itself as a device administration app. Though this requires user consent, if such consent is given, DroidLive can obtain privileges closer to those granted only to the device's firmware. To the best of our knowledge, this is the first malware that takes advantage of the device administration API.
 
How It Works

DroidLive is structured as a constellation of services and receivers that communicate using Android's standard inter-app communication layer (i.e., Binder). These relationships are shown in the following diagram:


1. DroidLive's heart is a main control service, MainService, which is invoked via the Android IPC mechanisms by other parts of the Trojan. This service takes action based on a string passed to it when it is invoked; these strings are in plain, human-readable text. MainService is initially invoked by other receivers that listen for a variety of (17) system events.

2.Once the malware has been initially invoked, it uses message queues and Android's alarm functionality to periodically wake up and contact its C&C server (http://xxxxxxxxxxxx/androidService/services/AndroidService). As part of this process, DroidLive sends a large amount of information to the server, including the device's unique hardware identifier (IMEI), current cell tower identifier (CID), subscriber identifier (IMSI) and more. In return, the server sends a list of actions for the bot to perform.

3.DroidLive features several commands, which are handled by dedicated components. It can send text messages, make phone calls, or attempt to install itself as a device administration app. This last feature requires user consent, but if granted allows DroidLive privileges closer to those granted only to the device's firmware. Inside the device admin code, it obtains a list of all the apps running on the device. Note this device admin-level access would allow other priviledged actions, such as wiping out all the data on the device.


Security Researcher recommends to follow the instruction to stay secure from these type of malware:

  • Download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
  • Check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
  • Be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.


Android facial recognition Unlock feature can be hacked using digital photo


Android facial recognition Unlock feature can be hacked using digital photo.  Google Android provide feature "Ice Cream Sandwich" that unlock a phone via Facial recognition.

A blogger showed the facial recognition technology can be fooled if it is presented with a digital picture.

"While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face. I have a few people there watching me do the video and if any one of them is watching this video I hope you can confirm that this test is 100% legit," he said in a YouTube video.

It is going to be work if the attacker has your digital photo.   Thief can't recognize whose phone is ,so he can't be unlock it.

Video Demo: