Thursday, January 18, 2018

Tag: Google Android

Paper lays out how to bypass Google's ASLR

A group of Israeli researchers reckon they've cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year. In a paper [PDF] that's a cookbook on how to build the exploit for yourself, they suggest millions of unpatched Android devices are vulnerable to their design, which bypasses Android's security defenses.
Visiting a hacker's webpage is enough to trigger a system compromise, we're told. Since no hot piece of infosec action exists without a name these days, the paper, written by Hanan Be’er of North-Bit, dubs the implementation of the Stagefright exploit “Metaphor.” Stagefright is the name of a software library used by Android to parse videos and other media; it can be exploited by a booby-trapped message or webpage to execute malicious code on vulnerable devices. The paper describes a three-step process to reliably hijacking an Android device: the victim surfs to a malicious webpage that sends over a video file that crashes the operating system's mediaserver software to reset its internal state.
Some JavaScript on the page waits for mediaserver to restart, and then sends information about the device over the internet to the attacker's private server. This server then generates a custom video file that is sent to the device, which exploits Stagefright to reveal more information about the device's internal state.

This information is beamed back by the JavaScript to the attacker's server, which uses the data to craft another video file that, when processed by Stagefright, starts executing a payload of malware embedded within the file on the victim's handheld.

This code runs with all the privileges it needs to spy on the device's owner. While North-Bit reckons its exploit design is reliable, you'll have to, as described above, do some server-side work to deploy Metaphor. In particular, you need to gather information about where and are loaded in memory, and the jemalloc configuration in the device.

This is why the aforementioned JavaScript phones home data about a victim's device so the exploit can be tailored to attack the memory structures and firmware in that particular handset. The exploit also needs to perform a heap spray to work, and that means the attacker may need to attempt exploitation multiple times on the target. However, North-Bit says that with “further research it may be possible to lay aside all or some of the lookup tables” used to generate custom malicious video files – and that would lay the groundwork for a generic exploit. The exploit specifically attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way that bypasses ASLR – aka address space layout randomization, a mechanism that thwarts a lot of exploit writers. It's also important to note that the victim doesn't have to press play on a rigged MPEG4 video file, because the bug is triggered when the web browser simply fetches and parses the file upon first seeing it. "It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR," the paper states. "The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR)." Google released security patches to kill Stagefright's vulnerabilities, although not every Android phone and tablet can receive and install them: some manufacturers and network carriers were in no rush to update older models, leaving potentially millions of gadgets at the mercy of exploits like the one built by North-Bit. There's a vid demonstrating North-Bit's proof-of-concept exploit below. ®
It was just days ago when the federal judge presiding over the upcoming Oracle v. Google API copyright trial said he was concerned that the tech giants were already preparing for a mistrial—despite the fact that the San Francisco jury hasn't even been picked yet. US District Judge William Alsup said he was suspicious that, during the trial, the two might perform intensive Internet searches on the chosen jurors in hopes of finding some "lie" or "omission" that could be used in a mistrial bid. To placate the judge's fears, Google said (PDF) it won't do Internet research on jurors after a panel is picked for the closely watched trial, set to begin on May 9. "The Court stated that it is considering imposing on both sides a ban on any and all Internet research on the jury members prior to verdict. Provided the ban applies equally to both parties, Google has no objection to imposition of such a ban in this case," Google attorney Robert Van Nest wrote to the judge in a Tuesday filing. Google was referring solely to Internet searches of the jury once jurors were picked. Oracle didn't go so far in its response Tuesday and said the dueling companies should be able to investigate jurors both before and after they are chosen. "...the parties should be permitted to conduct passive Internet searches for public information, including searches for publicly available demographic information, blogs, biographies, articles, announcements, public Twitter and other social media posts, and other such public information," Oracle attorney Peter Bicks wrote (PDF) Alsup on Tuesday. However, Oracle was concerned that Google might tap its vast database of "proprietary" information connected to jurors' Google accounts and said such research should be off-limits.
"Neither party should access any proprietary databases, services, or other such sources of information, including by way of example information related to jurors', prospective jurors', or their acquaintances' use of Google accounts, Google search history information, or any information regarding jurors' or prospective jurors' Gmail accounts, browsing history, or viewing of Google served ads..." Oracle wrote. Google has never suggested it would violate its customers' privacy in such a way. Oracle is seeking $1 billion in damages after successfully suing the search giant for infringing Oracle's Java APIs that were once used in the Android operating system.

A federal appeals court has ruled that the "declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection." The decision reversed the outcome of the first Oracle-Google federal trial before Alsup in 2012.

APIs are essential and allow different programs to work with one another. The new jury will be tasked with deciding solely whether Google has a rightful fair-use defense to that infringement.
CryptoWall most prevalent nasty – survey

File-encrypting ransomware has eclipsed botnets to become the main threat to enterprises, according to Trend Micro. During the fourth quarter of 2015, 83 per cent of all data extortion attacks were made with the use of crypto-ransomware. CryptoWall topped the list of 2015’s most notorious ransomware families, with a 31 per cent share.

According to FBI statistics released last June, CryptoWall managed to generate more than $18m for its creators in a little over a year. These revenues – traced by monitoring BitCoin wallets and similar techniques – provide evidence that a growing percentage of organisations affected by ransomware attacks are paying up. Healthcare is the most affected sector when it comes to cyber-attacks more generally, according to other findings from the 2015 edition of Trend Micro’s Annual Security Roundup Report.

Throughout 2015, almost 30 per cent of all data breaches happened in the healthcare sector, followed by the education and government sectors (17 per cent and 16 per cent, respectively). Elsewhere, businesses are at increased risk from Internet of Things (IoT) attacks, which are no longer something only consumers need to think about as wearables and the like enter the workplace, Trend warns. Given their susceptibility to attacks, IoT devices within the enterprise ecosystem can become liabilities. Unlike Android devices, which already have fragmentation problems of their own, IoT devices run on several different platforms, making device and system updates as well as data protection more complex than ever. More from Trend’s study, published on Tuesday, can be found here. ®
So update your software – now!

Patch Tuesday Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft posted 13 bulletins this month:

MS16-023 A cumulative update for Internet Explorer addressing 13 CVE-listed vulnerabilities, including remote code execution flaws. Visiting a booby-trapped webpage using IE can trigger the execution of malicious code and malware on the system.

MS16-024 A cumulative update for Microsoft Edge that addresses 10 CVE-listed memory corruption vulnerabilities and one information disclosure flaw.

MS16-025 An update for a single remote code execution vulnerability in Windows. This flaw only affects Windows Vista, Server 2008 and Server Core. "A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries," says Redmond. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS16-026 Two CVE-listed vulnerabilities in Windows, one causing denial of service and another allowing remote code execution. If an attacker convinces "a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts," then malicious code will execute on their system.

MS16-027 Two CVE-listed vulnerabilities in Windows Media Parsing, both potentially allowing remote code execution. Visiting a webpage with a booby-trapped video embedded in it can exploit the bug to hijack the PC.

MS16-028 Two flaws in the Windows PDF Library that allow for remote code execution if you open a maliciously crafted document.

MS16-029 An update for Office addressing two memory corruption flaws and one security feature bypass vulnerability. Opening a document laced with bad code will trigger the bugs.

MS16-030 An update for two remote code execution vulnerabilities in Windows OLE. "An attacker must convince a user to open either a specially crafted file or a program from either a webpage or an email message," noted Microsoft. After that, code execution is possible.

MS16-031 An elevation of privilege vulnerability in Windows: applications can abuse handles in memory to gain administrator-level access.

MS16-032 An elevation of privilege vulnerability in the Windows Secondary Logon Service: again, applications can abuse handles in memory to gain administrator-level access.

MS16-033 An update to address a flaw in the Windows USB Mass Storage Class Driver that could allow attackers to gain elevation of privilege with a specially-crafted USB drive.

MS16-034 A collection of four elevation of privilege flaws in the Windows Kernel-Mode Drivers: applications can exploit these to execute malicious code at the kernel level.

MS16-035 A fix for one security feature bypass flaw in the .NET framework.

Adobe, meanwhile, has issued two updates for its products: Digital Editions for Windows, OS X, iOS and Android has been updated to patch a remote code execution vulnerability. Acrobat and Reader for Windows and OS X have been updated to address three CVE-listed remote code execution flaws. Users should also expect an update for unspecified vulnerabilities in Flash Player "in the coming days." ®
Android gets patched for 19 new vulnerabilities in its latest security update.

Google is pushing out its March Android security update, providing users with security fixes for 19 vulnerabilities, of which four are rated critical, eight have high severity and two are rated moderate. Among the high-severity issues is CVE-2016-0824, an information-disclosure vulnerability in the much-maligned Android libstagefright (Stagefright) media library. Flaws in Stagefright were first publicly disclosed in July 2015 by Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake.

The initial Stagefright flaws have been followed in the months since with a near-continuous stream of subsequent Stagefright flaws patched in Google's monthly update for Android.
In fact, Google only began its monthly updates for Android in response to Stagefright in a bid to help bring patches to users faster. Though Google has already patched multiple Stagefright-related flaws to date, Andrew Blaich, lead security analyst at Bluebox Security, expects users to continue to see patches in Stagefright or related libraries. "These libraries are having a lot of eyes looking at them all of a sudden, and what we're experiencing is a security audit being done in the wild at a global scale," Blaich told eWEEK. Among the related libraries is the core Android mediaserver, which Google is patching this month for six different vulnerabilities.

Two of the issues (CVE-2016-0815 and CVE-2016-0816) are identified as critical vulnerabilities in mediaserver that could lead to a potential remote-code execution. Another two issues (CVE-2016-0826 and CVE-2016-0827) are privilege escalation vulnerabilities in Android that Google rates as high-severity issues.

Google has identified two more high-severity issues (CVE-2016-0828 and CVE-2016-0829) in mediaserver as information-disclosure vulnerabilities. Beyond Stagefright and its related Android media libraries, Google is now also finally getting around to updating Android for flaws that were patched in the upstream Linux kernel in 2015.

Google identified the CVE-2016-0823 issue as a high-severity information disclosure vulnerability in the kernel, while CVE-2016-0821 is a high-severity mitigation bypass vulnerability in the kernel. The fact that there are Linux security vulnerabilities that have already been patched in the upstream kernel, but not in Android, isn't surprising, Blaich said. "There are probably many patches like CVE-2016-0823 and CVE-2016-0821 that have not made it into Android yet that may have equal, if not worse, consequences," Blaich said. "This is par for the course with Android." Updating software takes time, especially when bringing patches from one project into another, Blaich said, adding that there is definitely room for improvement to get patches into Android faster, which then takes even longer to make it into the hands of consumers.

Google makes its monthly patches freely available for supported Nexus device users. Google has publicly issued 123 fixes since it started the monthly Android security bulletin in August, Blaich explained. "However, while Nexus devices are receiving these fixes, non-Nexus devices are not getting them in a timely manner, if at all," he said. Of the 123 fixes Google has issued since August, 45 percent have been critical. Blaich commented that this means that all of the unpatched Android devices are at risk of being compromised, exploited and having personal data stolen, sometimes remotely, without the attacker needing access to the device.

Sean Michael Kerner is a senior editor at eWEEK and

Follow him on Twitter @TechJournalist.
Google addressed 19 security vulnerabilities, seven of them rated critical, in its latest Android security update. The updates addressed critical security vulnerabilities in the keyring component, MediaTek Wi-Fi Driver, Conscrypt, the libvpx library, Mediaserver component, and the Qualcomm Performance component.

The most severe vulnerability is the remote code execution flaw in Mediaserver that could be exploited through multiple methods, including email, Web browsing, and MMS, when processing maliciously crafted media files.

Mediaserver still vulnerable

Google has patched more than two dozen Mediaserver flaws since August, when the original Stagefright flaw was disclosed.
Since then, Google's internal security team has been identifying and fixing other security vulnerabilities scattered throughout the rest of the Mediaserver and the libstagefright library code. The steady stream of Mediaserver vulnerabilities has slowed, as this month's update fixed only two critical flaws (CVE-2016-0815, CVE-2016-0816) and three high-priority issues in Mediaserver. "During the media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process," wrote Google in the security bulletin. Google also patched an information disclosure vulnerability in libstagefright (CVE-2016-0824), two elevation of privilege vulnerabilities in Mediaserver (CVE-2016-0826, CVE-2016-0827), and two information disclosure vulnerabilities in Mediaserver (CVE-2016-0828, CVE-2016-0829).

They are all rated as high priority because they cannot be used for remote code execution, but they can be used by attackers to gain elevated capabilities, such as Signature or SignatureOrSystem permissions, which most third-party apps should not have access to.

The information disclosure flaws can be used to bypass security measures, while the elevation of privilege flaw could be used by a malicious app to execute arbitrary code. The critical flaw in libvpx (CVE-2016-1621) is related to previous Mediaserver vulnerabilities, as attackers could exploit this issue to cause memory corruption and remote code execution as the mediaserver process.

The flaw can be triggered with remote content, such as MMS messages or playing media files through the browser.

Multiple elevation of privilege bugs fixed

The remaining critical vulnerabilities are elevation of privilege flaws.

The Conscrypt bug (CVE-2016-0818) could allow a specific type of invalid certificate to be trusted, resulting in a man-in-the-middle attack.

A malicious app could trigger the flaw in the Qualcomm performance component (CVE-2016-0819) to execute arbitrary code in the kernel.

The only way to repair the compromised device would be by re-flashing the operating system.

The Kernel Keyring bug (CVE-2016-0728) will also let a malicious app execute arbitrary code locally, requiring reflashing the operating system. However, the Kernel Keyring component is protected in Android versions 5.0 and above because SELinux rules prevent third-party applications from accessing the vulnerable code, according to the bulletin. The final critical vulnerability in the MediaTek Wi-Fi kernel driver (CVE-2016-0820) could also be abused by a malicious app. While another MediaTek flaw (CVE-2016-0822) could result in arbitrary code execution, it was rated only as high priority because the attacker would first have to compromise the conn_launcher service, "which may not even be possible," Google said. The patches for Qualcomm and MediaTek components are posted on the Google Developer site and not in the Android Open Source Project repository.

High priority and medium priority bugs also addressed

Google fixed a mitigation bypass vulnerability in the kernel (CVE-2016-0821) that could let attackers bypass security measures in place.

The vulnerability is related to a change made to poison pointer values in the Linux kernel back in September.

The updates also addressed an information disclosure vulnerability in the kernel (CVE-2016-0823) that could result in malicious apps locally bypassing exploit mitigation technologies like ASLR in a privileged process.

The bug was also fixed in the Linux upstream back in March 2015. The information disclosure vulnerability in the Widevine Trusted Application component could allow code running in the kernel context to access information in TrustZone secure storage, Google said in its bulletin. Like the high-priority Mediaserver flaws, this bug could be used to gain permissions typically not granted to third-party apps.

The final high-priority bug is a remote denial-of-service flaw in Bluetooth that could allow an attacker within a certain distance of the target device to block access.

The attacker could cause an overflow of identified Bluetooth devices in the component, leading to memory corruption and service stop.

The issue could potentially only be fixed by flashing the device, Google said. The two moderate-priority bugs are in the Telephony component and the Setup Wizard.

The information disclosure vulnerability in the telephony component could allow an app to access sensitive data on the device.

The elevation of privilege vulnerability in Setup Wizard can be exploited by an attacker who has physical access to the device and can perform a manual device reset.

Patch if possible

None of these issues have been exploited in the wild. Builds LMY49H or later and Android M with Security Patch Level of "March 01, 2016" or later contain fixes for these issues.

The Build information is available through the Settings app on Android devices, under the About phone option.

The Security Patch Level is shown in the same location on Android M devices and some Samsung devices running the latest Lollipop versions. Since phone makers and carriers control when the updates are actually pushed to Android devices, for most users, the best ways to stay up-to-date with the security fixes are to buy Nexus devices, upgrade to newer devices frequently, or install custom Android versions themselves. Partners, including handset makers and phone carriers, received the bulletin on Feb. 1.
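A fleet check against the two thresholds quoted above (build LMY49H or later, or Security Patch Level 2016-03-01 or later), written here as an added example and not Google's tooling. It reads `adb shell getprop` when adb is on the path and otherwise a constructed sample; ordering LMY build ids by their number and trailing letter is a heuristic for the Lollipop family the bulletin names, and any other build without a patch level is reported as unknown rather than guessed.

```python
"""Report whether an Android device carries the March 2016 security fixes."""
import re
import shutil
import subprocess
from datetime import date

# Thresholds quoted in the bulletin text: Marshmallow exposes a
# ro.build.version.security_patch date; Nexus Lollipop builds are identified
# by build id, LMY49H being the first one with the fixes.
FIXED_PATCH_LEVEL = date(2016, 3, 1)
FIXED_LOLLIPOP_BUILD = "LMY49H"

# Constructed sample of `adb shell getprop` output for offline use. Lollipop
# devices do not expose ro.build.version.security_patch at all.
SAMPLE_GETPROP = """\
[ro.build.id]: [LMY49G]
[ro.build.version.release]: [5.1.1]
[ro.product.model]: [Nexus 5]
"""


def parse_getprop(output):
    """Turn getprop lines of the form '[key]: [value]' into a dict."""
    output = output.replace("\r", "")  # older adb builds emit CRLF
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.MULTILINE))


def _lollipop_build_key(build_id):
    """Split an LMYnnX build id into (nn, 'X') so it can be ordered; None otherwise."""
    m = re.fullmatch(r"LMY(\d+)([A-Z])", build_id)
    return (int(m.group(1)), m.group(2)) if m else None


def patch_status(props):
    """Return (verdict, reason); verdict is 'patched', 'vulnerable' or 'unknown'.

    The security patch level, when present, is authoritative. Without it the
    build id is ordered against LMY49H for the LMY family only; anything else
    is reported as unknown so nobody mistakes a guess for a verdict.
    """
    level = props.get("ro.build.version.security_patch", "")
    build = props.get("ro.build.id", "")
    if level:
        try:
            have = date.fromisoformat(level)
        except ValueError:
            return "unknown", "unparseable security patch level %r" % level
        if have >= FIXED_PATCH_LEVEL:
            return "patched", "security patch level %s" % level
        return "vulnerable", "security patch level %s predates %s" % (level, FIXED_PATCH_LEVEL)
    key = _lollipop_build_key(build)
    if key is not None:
        if key >= _lollipop_build_key(FIXED_LOLLIPOP_BUILD):
            return "patched", "build %s is %s or later" % (build, FIXED_LOLLIPOP_BUILD)
        return "vulnerable", "build %s predates %s" % (build, FIXED_LOLLIPOP_BUILD)
    return "unknown", "build %r carries no patch level; check Settings > About phone" % build


def device_getprop():
    """Read live properties over adb when it is installed, else the sample."""
    if shutil.which("adb"):
        return subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_GETPROP


if __name__ == "__main__":
    verdict, reason = patch_status(parse_getprop(device_getprop()))
    print("%s: %s" % (verdict.upper(), reason))
```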

The Nexus devices will receive over-the-air updates and the patches are expected to be posted to the Android Open Source Project repository. Non-Nexus devices will follow schedules determined by the manufacturers or the carriers. While Samsung has committed to updates for its latest models, many Android phones remain on older versions. Google's Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which both warn users of potentially harmful applications about to be installed. Introduced in Android 4.2, Verify Apps works by scanning all .apk packages downloaded from Google Play and other sources for potentially harmful applications. "Google's systems use machine learning to see patterns and make connections that humans would not," Elena Kovakina, a senior security analyst at Google, said in February at the Kaspersky Lab Security Analyst Summit. Verify Apps scans for known attack vectors and scenarios such as phishing, rooting operations, ransomware, backdoors, spyware, harmful sites, SMS fraud, WAP fraud, and call fraud.

Because it's enabled by default, most malicious attacks are thwarted, Kovakina said.

An example is the recent Lockdroid malware, which could have affected a large percentage of Android devices, but turned out to have not infected any Android users. Even if users can't update their Android devices to the latest versions, the SafetyNet and Verify Apps features filter out the majority of bad apps which could take advantage of these flaws.
Google has released 16 patches for Android, including one for a critical remote-execution vulnerability in the operating system's media server. The company's own Nexus devices will receive an over-the-air update.

Google's partners have had at least a month to prepare their own versions of the updates.

Android device makers release updates independently of Google, and are often also constrained by their carriers' schedules. The vulnerabilities in the media server could be exploited if malicious content is displayed or played on a device, such as from an MMS message, email, or browser, Google's advisory said. A string of vulnerabilities has been found in Android media playback software since last year, most notably the Stagefright bug. That flaw could have allowed an attacker to compromise a device just by sending a malicious MMS.

A successful compromise required an attacker only to know the victim's phone number. The severity of Stagefright prompted Google to move to a monthly patching schedule to address long-running concerns that Android was not regularly fixed.
Samsung and LG, both major Android manufacturers, also pledged to improve the speed at which security fixes are applied. Mobile devices, particularly those running Android, are a frequent target for cyberattacks. The other patches released by Google include five critical ones, eight rated as high-severity, and two considered moderate. The source code for the fixes will be published on the Android Open Source Project repository this week. Users who don't want to wait for an over-the-air update can download and install the Nexus firmware images directly.
Good news if you've got a Nexus, otherwise you're at risk

Another month, another patching cycle for Android.

Google's mobile OS has picked up seven critical patches, ten classed as high priority, and a pair of moderately important fixes. In short, playing back a booby-trapped video or receiving a message with malware hidden in it could lead to malicious code running on a vulnerable Android device that hasn't been patched. "We have had no reports of active customer exploitation of these newly reported issues," the March advisory states. "Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier.
Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours." Most of the critical flaws were found by Google's internal security team, and nearly half deal with programming blunders in Android's Swiss-cheese-like mediaserver library, some directly and some indirectly via libvpx. Being able to inject malware into mediaserver, via a message or video, is bad because, according to Google, "the mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access." A critical flaw in Qualcomm's implementation on Android would also lead to a permanent root that would require re-flashing the operating system to fix.

The same drastic fix would also be needed if the kernel keyring component flaw isn't fixed. Meanwhile, moves to strengthen Android against the attacks involving libstagefright only get a high severity rating, as do yet more fixes for Mediaserver.

The full list of bugs – some reaching as far back as Android 4.4 as well as versions 5 and 6 – is below:

Issue                                                                       CVE                           Severity
Remote Code Execution Vulnerability in Mediaserver                          CVE-2016-0815, CVE-2016-0816  Critical
Remote Code Execution Vulnerabilities in libvpx                             CVE-2016-1621                 Critical
Elevation of Privilege in Conscrypt                                         CVE-2016-0818                 Critical
Elevation of Privilege Vulnerability in the Qualcomm Performance Component  CVE-2016-0819                 Critical
Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver               CVE-2016-0820                 Critical
Elevation of Privilege Vulnerability in Keyring Component                   CVE-2016-0728                 Critical
Mitigation Bypass Vulnerability in the Kernel                               CVE-2016-0821                 High
Elevation of Privilege in MediaTek Connectivity Driver                      CVE-2016-0822                 High
Information Disclosure Vulnerability in Kernel                              CVE-2016-0823                 High
Information Disclosure Vulnerability in libstagefright                      CVE-2016-0824                 High
Information Disclosure Vulnerability in Widevine                            CVE-2016-0825                 High
Elevation of Privilege Vulnerability in Mediaserver                         CVE-2016-0826, CVE-2016-0827  High
Information Disclosure Vulnerability in Mediaserver                         CVE-2016-0828, CVE-2016-0829  High
Remote Denial of Service Vulnerability in Bluetooth                         CVE-2016-0830                 High
Information Disclosure Vulnerability in Telephony                           CVE-2016-0831                 Moderate
Elevation of Privilege Vulnerability in Setup Wizard                        CVE-2016-0832                 Moderate

The vast majority of Android users aren't going to be getting these updates soon enough, however. Nexus owners will get a push this week, and Samsung's better than most at pushing out fixes, but some other handset owners may carry these flaws until they upgrade their hardware. In the meantime, the malware writers will be getting busy reverse-engineering the Android patches and designing code to exploit the flaws.
In the PC sphere this can take as little as 48 hours, although for mobile it's taking a little longer. ®
SAN FRANCISCO—Most of us aren't stupid enough to click on a window that hands over control of our phones to a stranger.

And most of us definitely wouldn't do it if our phones kicked up numerous warnings in the process.

But researchers at Skycure have demonstrated that they can take control of an Android phone without the victim being any the wiser. At the RSA Conference here, Skycure researchers will share their research with the gathered attendees. PCMag received a private briefing on the research from Skycure CTO Yair Amit prior to the public announcement—after Skycure took control of my iPhone during a phone call to prove a point. The attack uses the Android accessibility framework, which is designed to help users get the most out of their phones, even if they are visually impaired or have difficulty typing, for example.

But under malicious control, Amit explained, the accessibility framework can be used to monitor user activity and take actions without users' knowledge. Normally, activating the accessibility tools requires diving through a series of menus and confirming your choice on several screens.

These are powerful tools, and you are warned repeatedly by the operating system that granting access to the framework can expose your personal data.

But Skycure is able to circumvent these warnings using a technique called clickjacking.

The Attack

In our demonstration, Amit showed off a game based off the popular TV series Rick and Morty.

The goal of the game was to tap a character as he moved around the screen, whack-a-mole style. While he was tapping, the game was actually hijacking the taps in order to grant the game permission to use the Android Accessibility framework.

At no point do the warning messages from the operating system appear.
Instead the victim's taps in the game are translated on to the hidden dialog boxes.
This is clickjacking, where a user's input is invisibly rerouted for another purpose.
It's most commonly seen on malicious webpages, where clicks are used to open other windows, or secretly view sites in order to push malicious software or earn money through affiliate advertising. Once the malicious app can use the accessibility tools, it can see every keystroke the user enters in any app.
In the demonstration PCMag saw, an email typed in the Gmail app was painstakingly captured by the malicious app. But this app can do more. Using the accessibility framework, the app is then able to get Device Administrator access on the device.

This is a special, privileged level of access usually reserved for trusted security apps or Google.

The Android Device Manager, for example, uses Device Admin privileges to remotely lock, wipe, and locate lost Android devices. In the demo we saw, the malicious app simply flashed an image on the screen—again, taken from Rick and Morty.

There was no flicker, or any indication that something was amiss, but in the background the app had granted itself Device Admin. Once it has this level of access, the malicious app and its author now have a lot of control over a victim's device.
Device Admin is different from root access, and in fact the Android phone we saw was never rooted at any point in the demonstration.

But Amit says that's part of the beauty of this attack. Root access can be difficult to get, and it's a dangerous move that will send up red flags.

Device Admin, on the other hand, can go unnoticed unless the victim checks their security settings. "The beauty of it is that it doesn't require rooting, but we still see everything the victim is doing and take actions," Amit told PCMag.

The Bulk of Android at Risk

Google made changes to Android's accessibility framework in version 5.0 of Android, which prevents specific buttons from being hijacked in this manner.
Version 6.0 appears to be immune as well. But because of the fractured nature of Android, Google reports that only a combined 35 percent of Android users that visit the Google Play store are using either of these versions. Using those numbers, Skycure estimates that about 66 percent of Android phones could be susceptible to this attack.

The phone we saw the attack demonstrated on ran Android 4.4 KitKat.

Staying Safe

Thankfully, it's easy to check if an attacker is taking advantage of this vulnerability.
Simply open your accessibility settings and make sure that you recognize and approve of every service on the list. You can do the same for Device Admin. As always, the best way to avoid malware is to stick with the Google Play store. While not infallible, the Play store is an excellent first line of defense against malware. However, when asked if his demonstration app would be accepted to the Play store, Amit said it was entirely possible since it only asked for a single permission: to draw over apps.

Amit pointed out that trusted apps like Facebook also use this permission. The app Skycure used in its demonstration isn't available for download, but Amit pointed out it's more than just a proof of concept. He said that Symantec had previously detected clickjacking malware called Android.Lockdroid.E that used the technique to obtain admin access on Android devices. Given all that, Amit sees a future in this kind of attack. "We expect to see more attacks like this in the wild in the very near future," he said.
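The "Staying Safe" advice above is to open the accessibility settings and make sure you recognise every enabled service. The following is an added example, not code from PCMag or Skycure, that does the same check from a laptop: Android stores the enabled services in the secure setting `enabled_accessibility_services` as a colon-separated list of flattened component names (`package/class`), which is what `adb shell settings get secure enabled_accessibility_services` prints. The allowlist, the sample setting value and the package names in it are constructed for the demonstration; `com.example.corp.mdm` and the game package are placeholders, not real apps or malware.

```python
"""Audit the accessibility services an Android device has enabled.

Constructed example: parses the value of the secure setting
`enabled_accessibility_services` (same format as the adb output) and
flags every service whose package is not on a known-good allowlist.
"""
import subprocess
from typing import List, Optional, Set, Tuple

# Constructed allowlist of packages the device owner recognises.
KNOWN_GOOD_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
    "com.example.corp.mdm",                 # hypothetical corporate MDM agent
}


def unflatten(component: str) -> Tuple[str, str]:
    """Mirror ComponentName.unflattenFromString: 'pkg/.Cls' -> ('pkg', 'pkg.Cls')."""
    pkg, _, cls = component.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """Split the colon-separated setting into (package, class) pairs.

    `settings get` prints the literal string 'null' when the setting is unset.
    """
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    return [unflatten(c) for c in value.split(":") if c]


def audit(setting_value: str,
          allowlist: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return the enabled services whose package is not on the allowlist."""
    allowed = KNOWN_GOOD_PACKAGES if allowlist is None else allowlist
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowed]


def read_from_device() -> str:
    """Fetch the live value over adb (needs a connected, USB-debugging device)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


# Constructed sample: a legitimate screen reader plus a game that should never
# have been granted accessibility access (package name is a placeholder).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.game.rickandmorty/com.example.game.rickandmorty.TapService"
)

if __name__ == "__main__":
    for pkg, cls in audit(SAMPLE_SETTING):
        print(f"UNRECOGNISED accessibility service: {pkg} ({cls})")
```

Run it against `read_from_device()` instead of `SAMPLE_SETTING` to check a real handset; anything it prints is a service that can read every keystroke in every app, so it should be either recognised or disabled. The same audit is worth repeating for device administrators, which the article notes can be granted just as silently.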
Amazon's $50 Fire tablet, which runs Fire OS 5.
Mark Walton

In the wake of Apple's high-profile fight with the FBI, more users and journalists have been paying attention to encryption of local storage in phones and tablets.

Apple strengthened the encryption on all iDevices in iOS 8, making it so that no one could decrypt the storage without knowing the user's passcode. Google made encryption a requirement for all Google-approved Android phones that ship with Marshmallow (after a false start in Lollipop), and it has been available as an optional Android security feature for years. Amazon's Fire OS is a fork of Android, based on the Android Open Source Project (AOSP) code but without Google's apps and services or guaranteed compatibility with apps developed for Google-approved Android.

Amazon has heavily customized the UI and provides its own app store, but it typically leans on AOSP code for under-the-hood, foundational features—in older Fire OS versions, the optional device encryption was handled the same way it was on any Android device. However, according to user David Scovetta and others on Amazon's support forums, that encryption support has been deprecated and removed in recent releases of Fire OS 5, both for new Fire tablets and for older devices that have been upgraded. We contacted Amazon for comment, and the company told us that local device encryption support was removed in FireOS 5 because the feature wasn't being used: "In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using," Amazon told Ars. "All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security including appropriate use of encryption." In short, encrypted connections between the Fire tablets and external servers are safe (or, as safe as the server involved and the method of encryption being used will allow for), but thieves and law enforcement officials will be able to grab user data stored locally without much trouble. Fire tablets aren't as widely used as those running iOS or some Google-approved version of Android, and the tablets Amazon currently sells are slow enough that enabling encryption would significantly impact the user experience. Older devices that haven't gotten the Fire OS 5 update, including the ill-starred Fire Phone, still support encryption.

This decision doesn't have the same impact that it would if Apple or Google removed encryption support from their operating systems, and if Amazon's statement is correct it doesn't look like many people were taking advantage of it anyway.

But given that Amazon gets encryption support for "free" with the Android source code, it's disappointing to see that the company can't leave the option buried in the settings as it has on older Fire devices.
Genkin et al.

Researchers have devised an attack on Android and iOS devices that successfully steals cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other high-value assets. The exploit is what cryptographers call a non-invasive side-channel attack.
It works against the Elliptic Curve Digital Signature Algorithm, a crypto system that's widely used because it's faster than many other crypto systems.

By placing a probe near a mobile device while it performs cryptographic operations, an attacker can measure enough electromagnetic emanations to fully extract the secret key that authenticates the end user's data or financial transactions.

The same can be done using an adapter connected to the USB charging cable. "An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone's USB cable, and a USB sound card," the researchers wrote in a blog post published Wednesday. "Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto."

This version of the attack exploits an iPhone 4 through its charging port. Genkin et al.

While the researchers stopped short of fully extracting the key on a Sony-Ericsson Xperia x10 Phone running Android, they said they believe such an attack is feasible.

They also cited recently published research by a separate team that found a similar side-channel vulnerability in Android's version of the BouncyCastle crypto library.

Older versions of iOS—specifically, 7.1.2 through 8.3—appear to be vulnerable.

The current 9.x version does not appear to be vulnerable because it added defenses against side-channel attacks. However, users of even current versions of iOS are still at risk when using vulnerable apps. One such vulnerable iOS app is CoreBitcoin, which is used to protect Bitcoin wallets on iPhones and iPads.

Because it uses its own cryptographic implementation rather than the iOS CommonCrypto library, it is vulnerable to the key-extraction attack.

CoreBitcoin developers told the researchers they plan to replace their current crypto library with one that's not susceptible to the attack.

The latest version of Bitcoin Core, meanwhile, is not vulnerable. Both the 1.0.x and 1.1.x versions of the OpenSSL code library are also susceptible except when compiled for x86-64 processors with a non-default option selected or when running a special option available for ARM CPUs.

The researchers said they reported the vulnerability to OpenSSL maintainers, and the maintainers said that hardware side-channel attacks aren't a part of their threat model.

The full research paper is here. The researchers—from Tel Aviv University, Technion and The University of Adelaide—recently published a separate paper that showed how to extract secret ECDH keys from a standard laptop even when it was locked in an adjacent room.

The attack is able to obtain the key in seconds.

A separate side-channel attack against RSA secret keys was devised in 2013. Unlike the one against mobile phones, it uses sound emitted by the electronics, rather than electromagnetic emanation or power consumption. At the moment, the attack would require a hacker to have physical possession of—or at least have a cable or probe in close physical proximity to—a vulnerable mobile device while it performed enough operations to measure "a few thousand ECDSA signatures." The length of time required would depend on the specific application being targeted.

The requirements might make the hack impractical in some settings, as long as device owners take care to closely inspect USB cables before plugging them in and look for probes near their phones. Still, averting attacks may sometimes prove difficult, since cables or probes could be disguised to conceal what they're doing.

And as the images in this post demonstrate, probes could be hidden on the underside of a table.
It's also possible that over time, researchers could devise ways to measure the leaks from further distances.

For that reason, while the vulnerabilities probably don't pose an immediate threat to end users, they should nonetheless be a top concern for developers.

The researchers have been working with the vendors of the specific software they analyzed to help them evaluate and mitigate the risk to their users.
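Why ECDSA signing leaks through power or electromagnetic measurements, and what the "defenses against side-channel attacks" mentioned above change, comes down to the scalar multiplication at the heart of every signature. The block below is an added example, not code from Genkin et al. or from any of the libraries named in the article. It simulates the probe by recording the sequence of point doublings (D) and additions (A), which is the operation pattern that a physical measurement exposes, and compares textbook double-and-add against a Montgomery ladder. The curve parameters are secp256k1 (real); the private key is a constructed test value, and the function names are this example's own.

```python
"""Why a textbook ECDSA scalar multiplication leaks its secret scalar through
an operation-sequence side channel, and why a Montgomery ladder does not.

Added example. The curve is secp256k1; the "probe" is simulated by a trace
list of 'D' (doubling) and 'A' (addition) operations.
"""
from typing import List, Optional, Tuple

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
A = 0                                         # curve coefficient a (y^2 = x^3 + 7)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]             # None is the point at infinity


def ec_add(p1: Point, p2: Point, trace: List[str]) -> Point:
    trace.append("A")                         # the probe sees an addition
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_double(p: Point, trace: List[str]) -> Point:
    trace.append("D")                         # the probe sees a doubling
    if p is None:
        return None
    x1, y1 = p
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    x3 = (lam * lam - 2 * x1) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult_naive(k: int, p: Point, trace: List[str]) -> Point:
    """Textbook double-and-add: an addition happens only for 1 bits."""
    r: Point = None
    for bit in bin(k)[2:]:
        r = ec_double(r, trace)
        if bit == "1":
            r = ec_add(r, p, trace)
    return r


def scalar_mult_ladder(k: int, p: Point, trace: List[str]) -> Point:
    """Montgomery ladder: one add and one double per bit, whatever its value.

    Invariant r1 == r0 + p. Only the operation sequence is key-independent
    here; production code must also avoid the data-dependent branches and
    make the field arithmetic itself constant-time.
    """
    r0, r1 = None, p
    for bit in bin(k)[2:]:
        if bit == "1":
            r0 = ec_add(r0, r1, trace)
            r1 = ec_double(r1, trace)
        else:
            r1 = ec_add(r0, r1, trace)
            r0 = ec_double(r0, trace)
    return r0


def scalar_from_trace(trace: List[str]) -> int:
    """Read the scalar straight off a double-and-add trace: D -> 0, DA -> 1."""
    k, i = 0, 0
    while i < len(trace):
        assert trace[i] == "D"
        k <<= 1
        i += 1
        if i < len(trace) and trace[i] == "A":
            k |= 1
            i += 1
    return k


def leak_check(k: int) -> dict:
    """Compare what the two implementations reveal for the same scalar."""
    t_naive: List[str] = []
    t_ladder: List[str] = []
    q_naive = scalar_mult_naive(k, G, t_naive)
    q_ladder = scalar_mult_ladder(k, G, t_ladder)
    return {
        "same_result": q_naive == q_ladder,
        "naive_trace_reveals_scalar": scalar_from_trace(t_naive) == k,
        "ladder_trace_key_independent": "".join(t_ladder) == "AD" * k.bit_length(),
    }


# Constructed private scalar for the demonstration (not a key from the paper).
TEST_SCALAR = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF

if __name__ == "__main__":
    print(leak_check(TEST_SCALAR))
```

Both routines compute the same public point, but the naive trace is a transcript of the key bits, which is why a few thousand partially noisy measurements suffice in the real attack, while the ladder's trace reads `AD AD AD ...` for any key. That is the category of fix CoreBitcoin and OpenSSL's non-default build options apply; note that equalising the operation sequence is necessary but not sufficient, since timing and data-dependent field operations leak too.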
THE CODE PRONGERS at Kaspersky have found another scary trojan to wave under our noses and cause us to consider getting off the internet. This one is called Triada and it targets Android devices with Windows-style malware swagger.

Anyone running Android 4.4.4 and earlier is in trouble, according to Kaspersky, as they face an opponent created by "very professional cyber criminals" that can allow for in-app purchase theft and all the problems that come with privilege escalation. And guess what? Android users dangle themselves in the way of the Triada threat when they download things from untrusted sources.

Does no one listen to anything these days? Does it even matter? Kaspersky said in a blog post that the likely apps can "sometimes" make their way onto the official Android store. There is something different about this attack. Kaspersky reports on a lot of these things, but Triada exploits Zygote, and that is a first. "A distinguishing feature of this malware is the use of Zygote, the parent of the application process on an Android device that contains system libraries and frameworks used by every application installed on the device.
In other words, it's a daemon whose purpose is to launch Android applications," Kaspersky explained. "This is the first time technology like this has been seen in the wild. Prior to this, a trojan using Zygote was known only as a proof-of-concept.

The stealth capabilities of this malware are very advanced. "After getting into the user's device Triada implements in nearly every working process and continues to exist in the short-term memory.

This makes it almost impossible to detect and delete using anti-malware solutions." The security firm added that the complexity of Triada's functionality proves that professional cyber criminals with a deep understanding of the targeted mobile platform are behind the creation of this malware. Kaspersky reckons that it is nigh on impossible to rid a device of the malware, and suggested that you might as well nuke your phone and start again.