Bancontact Payconiq Company

SEPA Rulebooks Scheme Manuals Remote Domain 46D0 – Schedules 1, 2, and 3 – News 65

Android, iOS Newsletter 65

Classification: Internal

Confidential

COPYRIGHT This document is confidential and protected by copyright. Its contents must not be disclosed or reproduced in any form whatsoever without the prior written consent of Bancontact Payconiq Company sa/nv. Except with respect to the limited license to download and print certain material from this document for non-commercial and personal use only, nothing contained in this document shall grant any license or right to use any of Bancontact Payconiq Company sa/nv’s proprietary material.

AUTHORS This monthly newsletter is written by NVISO Labs, experts in , on behalf of Bancontact Company sa/nv.

ABOUT NVISO

NVISO is a consultancy firm exclusively focusing on IT security. NVISO has a very clear sector focus with several references in the financial and governmental sectors. The Research and Development department of NVISO is NVISO Labs, whose goals are to allow our people to increase their skills and knowledge, to come up with innovative service offerings, to contribute to the security community, and to give valuable insights to our clients. The fundamental values of NVISO are client satisfaction, focus, entrepreneurship, innovation, and ability to adapt. Our mission is to be an innovative and respected partner for our clients. For more information, we are happy to refer you to our website: https://www.nviso.be. If you want to stay up to date with our latest research and other activities of NVISO Labs, we refer you to our blog: https://blog.nviso.be

Newsletter 65 Copyright Bancontact Payconiq Company nv/sa Page 2 of 22


Table of Contents

1 Summary of security impacts 4
2 Vulnerabilities & Malware 5
2.1 iOS Malware 5
2.2 Android Malware 6
    Clientor Android malware turns phone to proxy [2.N65.1] 6
3 Case study – Forcing users to update Android OS 8
3.1 Financial sector minimum version 8
3.2 Stagefright & Stagefright 2 8
    Who discovered it? 9
    What does it do? 9
    Mitigations 9
3.3 One class to rule them all 10
    Who discovered it? 10
    What does it do? 10
    Mitigations 10
3.4 Some security additions 11
    ASLR 11
    SELinux 11
3.5 Conclusion 12
4 Security updates 13
4.1 iOS security update 13
4.2 Android security update 13
5 Security news 14
5.1 Mobile security news 14
    Google updates Play Protect to protect users better 14
    Android is now FIDO2 certified 14
    New vulnerabilities in 4G/5G called ToRPEDO put privacy at risk 14
    iOS 12.2 is going to support TLS 1.3 15
    Google warns about 2 zero days being exploited in the wild 15
    Google is going to add 6 extra vulnerability warnings to ASI 16
5.2 General security news 17
    Whatsapp bug in Face ID 17
    Disguised clipper malware discovered on Google Play Store 17
    Severe flaw discovered in SHAREit Android app 17
    Oracle discovered “DrainerBot”, a mobile ad fraud operation 18
    Triout Android spyware makes a comeback 19
    Fake Google reCAPTCHA used to drop banking malware 19
    iOS apps use Glassbox SDK to record user screens without permission 20
6 Statistics 21
6.1 OS market shares 21
6.2 iOS 21
6.3 Android 22


1 Summary of security impacts

February was a relatively quiet month for mobile security. Only one new type of Android malware was discovered, and no new security vulnerabilities were discovered on iOS. The one new malware family does not target banking applications specifically, but it can still have an impact because it opens a proxy server on the victim’s device. An attacker can then use that proxy to reach the local network the infected device is connected to.

Even though no new iOS vulnerabilities were found, Apple did fix some critical-severity vulnerabilities that, according to Google, were actively being exploited in the wild. Apple’s competitor, Android, also fixed some very important vulnerabilities in its monthly security update. The update fixes 41 vulnerabilities spread across several components; the most critical one could have allowed a remote attacker to execute arbitrary code through a specially crafted PNG file.

This month’s case study focuses on the reasons why users should be forced to update to an Android version higher than Android 4.0. It looks at the vulnerabilities that can be exploited on such outdated devices and at the security additions the Android developers made in later versions to improve the security of the OS.

In this month’s mobile security news, both Android and Apple are taking steps to keep their security up to date. Apple is going to support TLS 1.3 in its next update, while Android improved its Google Play Protect feature and announced FIDO2 support.


2 Vulnerabilities & Malware

2.1 iOS Malware

During February, no malware was identified for iOS.


2.2 Android Malware

Clientor Android malware turns phone to proxy [2.N65.1]

Overall risk: Low | Impact: High | Likelihood: Low

Summary Security researchers at Avira have revealed a new Android malware family that appeared in the Google Play Store. Disguised as a “Voice Messages” app, it managed to avoid detection and was not removed from the app store. The malicious app creates a proxy server on the compromised device, which can give an attacker a way into a connected internal network, or allow a collection of infected devices to be used for DDoS attacks. If the victim is on a limited data plan, the app can also run up the phone bill because it generates a lot of traffic. Let’s see how it managed to stay under the radar.

Details When an app is installed, it always displays the permissions it requests. During installation, the “Voice Messages” app does not request any suspicious or out-of-the-ordinary permissions: no SMS permissions that could generate costs, no permission to install packages that could allow the installation of further malware, no GPS location, no lock screen, no camera access, nor anything else suspicious. All four requested permissions are normal for a voice messaging app. After the installation finishes, it does not ask for Device Admin or SuperUser access, and it does not display phishing pages as the usual malicious apps do. It only displays two received voice messages. The malware is deliberately programmed this way to avoid raising suspicion. However, once installed, it is clear that the app is not a real voice messaging app, because most of its functionality does not work.

Figure 1 - Requested permissions (Source)

When the network traffic of the application is inspected with a packet sniffer, it can be seen that the app generates a lot of SSH traffic. Reverse engineering reveals the inner workings of the app: in the AppService class, the application starts an SSH tunnel after the device boots, which is possible because of the “run at startup” permission. The credentials for the SSH server are even hard-coded in a config class.


Next to creating an SSH tunnel, the malicious application also starts a proxy server on the targeted device. The attacker can then remotely connect to this proxy server and use it as an intermediary router to request resources from the local network that the victim’s device is connected to.

Figure 2 - Code that starts proxy server (Source)

Mitigation The infected application has been removed from the Play Store. This application, however, may still be around on third party app stores, so it is recommended to only install apps from the Google Play Store. As a developer, it is not possible to protect the user against this kind of attack, as they have no control over the functionality inside other applications. This attack technique does show that relying on only IP whitelisting is not a valid access control measure, as end-user devices can always be compromised. Source: https://blog.avira.com/clientor-android-malware-makes-proxy/


3 Case study – Forcing users to update Android OS

In order to protect company data, it is important that users update their systems. Older versions usually contain critical bugs that allow attackers to easily gain access to end user devices and the data they contain. One way for developers to motivate end users to update their systems is to stop supporting older versions in the apps they build. In this case study, we zoom in on several bugs found in older versions of Android, as well as some of the mitigations that Android has implemented in more recent versions.

3.1 Financial sector minimum version

After conducting a short market study, we noticed that in the Belgian financial sector there is no trend with regard to the minimum supported Android version. Minimum required versions ranged from Android 2.3 to Android 5.0. This is a very broad range, and all of these Android versions are affected by several vulnerabilities. Two of these bugs really stand out, and we will dive into them a little more below; both fully compromise the security of the user’s device. The fact that there is no official regulation on which minimum version to support, or which versions to stop supporting, typically makes the requirement a battle between the security team and business priorities. A trade-off has to be made between the risk of supporting a compromised device and the number of customers currently using that specific version. Requiring a higher Android version reduces the attack surface and increases the security of your customers’ data.

3.2 Stagefright & Stagefright 2


Who discovered it? The original Stagefright bug was discovered and reported by Joshua Drake, a security researcher at Zimperium, who presented his findings at Black Hat 2015. If you are interested, you can find his talk on YouTube (https://www.youtube.com/watch?v=71YP65UANP0). In August 2015 a newer version of the Stagefright bug was reported and subsequently named Stagefright 2. This bug was reported by Exodus Intelligence.

What does it do? Stagefright gets its name from the library that is vulnerable. The bug allows attackers to send MMS messages to victims that give them full control of the victim’s device. By chaining a remote code execution with a further bug, an attacker can obtain fully privileged access to the device, bypassing any application sandbox protections. Stagefright still requires the victim’s phone number in order to work, but since phone numbers are enumerable, this attack could relatively easily be carried out on a very large scale. As the attacker ends up with full access to the device, it is reasonable to assume that the MMS message itself can be deleted, leaving no obvious trace of malicious behavior. Stagefright 2 no longer requires this information to carry out the attack, as the malicious file can be delivered by any means, not just MMS. Just like Stagefright, the second version uses vulnerabilities in libstagefright to compromise the device. Stagefright affects Android versions 2.2 and greater, meaning that billions of users are vulnerable to exploits abusing this vulnerability. While the bug impacts an incredibly large audience, the reporter maintains that there have not been many exploits abusing this zero day. There have, however, been a number of Proofs of Concept (PoCs), such as Metaphor, that show how this vulnerability can be leveraged.

Mitigations Initially, the ASLR (Address Space Layout Randomization) implemented in Android 5.1 was deemed to be a successful mitigation. However, later in 2016 an exploit named Metaphor was released that was able to bypass ASLR, reintroducing Stagefright as a non-mitigated vulnerability. With Android 7, the media playback framework was rebuilt from the ground up in order to protect devices against the Stagefright attacks. Nougat also strengthened ASLR by adding more entropy to it, making the Metaphor bypass more difficult to achieve. In addition, attacks are now scanned for up front, which effectively mitigates the way Stagefright abuses the buffer overflow weakness.


3.3 One class to rule them all

Who discovered it? This bug was discovered by Or Peles and Roee Hay from IBM Security and was reported in May 2015. The vulnerability was reported privately to the Nexus team, who then published information about it in their August Security Bulletin (https://groups.google.com/forum/message/raw?msg=android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ). Or Peles and Roee Hay presented their findings at WOOT ’15.

What does it do? The vulnerability abuses a well-known flaw, reported by Jann Horn, in the way Android deserializes objects via ObjectInputStream. In Android versions earlier than 5.0 the deserialization code does not verify that the object is in fact serializable. The vulnerable class is OpenSSLX509Certificate, which contains an mContext member that is not transient and is therefore automatically deserialized and used by the finalize method. The fact that the finalize method automatically acts on deserialized, non-transient members is what allows this vulnerability to exist; if the member is marked as transient, the finalize method will not automatically instantiate the object. Depending on the device, this vulnerability allows remote code execution inside the highly privileged system_server process. It also allows a successful bypass of the device’s SELinux policy, which is explained further below. Malware exploiting this vulnerability has enough access to replace legitimate applications on the device and to access the data contained within the different application containers.

Mitigations This vulnerability was privately disclosed to Android, and the Android team patched the vulnerable code by marking the mContext member as transient. The fix was also backported to Android 4.4, but all older versions of Android will remain vulnerable to this bug forever.


3.4 Some security additions

Android has added several features to improve its security. Below we explain a number of these features in detail. They help mitigate the vulnerabilities described previously. More importantly, we highlight these additions because they clearly show the usefulness of keeping your Android version up to date and of forcing your users to keep their systems up to date. These updates limit the attack surface in general, creating a safer environment for your company data.

ASLR Address Space Layout Randomization was introduced in Android 4.0. It is a security technique that hinders the exploitation of memory corruption vulnerabilities. To prevent an attacker from jumping to a known function address in memory, ASLR randomly arranges the address space positions of key data areas of a process. This makes it harder for an attacker to guess where in memory a process or the system libraries are loaded. Android 5.0 dropped support for binaries that are not Position Independent Executables (PIE), forcing all dynamically linked binaries to be position independent. This is an important condition for ASLR, as libraries need to work no matter at which memory location they are loaded. Library load-order randomization was then included in the Android 7.0 release, making full use of all the PIE libraries. ASLR and its later improvements are also used as mitigations for the Stagefright vulnerabilities. This feature drastically improves the security of the Android platform and makes it much harder to exploit identified vulnerabilities.
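As an added example (not from the newsletter and not Android’s own tooling), the Python script below parses the ELF header of a native library or executable and reports whether it is position independent (ELF type ET_DYN), which is the property ASLR needs in order to randomise its base address. The sample headers are constructed inline and stand in for a pre-Android-5.0 non-PIE ARM binary and a modern AArch64 library.

```python
"""Classify ELF binaries as position independent (ASLR-capable) or fixed-address.

Android 5.0 stopped loading non-PIE executables, and ASLR can only randomise
the base of binaries whose ELF type is ET_DYN. Only the ELF header is parsed,
so the check can be run over the native libraries shipped inside an APK.
"""
import struct
from typing import Dict

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2      # fixed load address: the loader cannot randomise its base
ET_DYN = 3       # shared object or PIE executable: loadable at any address
EM_ARM = 40      # e_machine value for 32-bit ARM
EM_AARCH64 = 183 # e_machine value for AArch64


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Return class, byte order, e_type and e_machine of an ELF header.

    Raises ValueError for non-ELF input. Only the first 20 bytes are needed.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # 1/2 = 32/64-bit, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields that follow e_ident[16]
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
    }


def is_position_independent(data: bytes) -> bool:
    """True when the loader can place the binary at a randomised base (ET_DYN).

    ET_DYN covers both shared libraries and PIE executables; telling the two
    apart would need the program headers (PT_INTERP), which is not needed here.
    """
    return parse_elf_header(data)["e_type"] == ET_DYN


def audit_libraries(libraries: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to a verdict a reviewer can act on."""
    verdicts = {}
    for name, blob in libraries.items():
        try:
            if is_position_independent(blob):
                verdict = "ASLR-capable (ET_DYN)"
            else:
                verdict = "fixed address, not ASLR-capable"
        except ValueError:
            verdict = "not ELF"
        verdicts[name] = verdict
    return verdicts


def make_elf_header(bits: int, e_type: int, e_machine: int, little: bool = True) -> bytes:
    """Build a minimal ELF header for the constructed samples (not a real binary)."""
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if little else 2, 1]) + b"\x00" * 9
    endian = "<" if little else ">"
    header = e_ident + struct.pack(endian + "HH", e_type, e_machine)
    return header.ljust(52 if bits == 32 else 64, b"\x00")  # pad to full header size


# Constructed samples: the kind of non-PIE ARM binary Android 5.0 refuses to run,
# a modern AArch64 shared library, and a file that is not ELF at all.
SAMPLES = {
    "libold_nonpie.so": make_elf_header(32, ET_EXEC, EM_ARM),
    "libnew_pie.so": make_elf_header(64, ET_DYN, EM_AARCH64),
    "not_an_elf.bin": b"PK\x03\x04" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, verdict in audit_libraries(SAMPLES).items():
        print(f"{name}: {verdict}")
```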

SELinux SELinux (Security-Enhanced Linux) is a Linux security extension that allows fine-grained access control. It was introduced in Android 4.3 in permissive mode and moved to full enforcement in Android 5.0. SELinux assigns security domains to processes, adding the ability to restrict specific processes from performing certain tasks.

Figure - An overview of the complex internals of SELinux


In Android 6.0 SELinux was further improved, mainly by tightening the policies to provide better isolation between users. In Android 7.0 the monolithic media server stack was decommissioned and replaced by smaller processes, each with a reduced set of permissions; it is this release that mitigates the Stagefright bug. Further improvements are continually being made to Android and to its SELinux implementation, and the only way to profit from them is by updating the system. As a developer it is important to realize that by supporting older versions of Android you take on the risk of exposing your data to known exploits against those versions.

3.5 Conclusion

So, you might ask yourself why it is still important to update to the latest version, or to support a more recent minimum version of Android. The answer is simple: providers typically deliver updates only for flagship phones that are at most 3 years old. This means that older devices are typically left out when critical vulnerabilities are patched. Android continually improves its security in order to keep end users safe, but also to keep app providers’ data safe. The only way to take advantage of Android’s improving security posture is to force end users to update their systems, and one way of doing so as an app developer is to stop supporting older Android versions. There will always be a struggle to balance supporting enough end users against securing company data. It is important to closely follow the Android versions your customers are using, and to stop supporting outdated versions each time a threshold is reached.


4 Security updates

4.1 iOS security update

On February 7th, Apple released the latest update for its mobile devices: iOS 12.1.4. In this update, Apple fixed 4 vulnerabilities, 2 of them found by Google’s Project Zero. The vulnerabilities are listed below:
• FaceTime, CVE-2019-6223: a logic issue existed in the handling of Group FaceTime calls. This could have let the caller cause the recipient to answer the call unwillingly.
• Foundation, CVE-2019-7286: due to a memory corruption issue, an application could have gained elevated privileges. This was addressed with improved input validation.
• IOKit, CVE-2019-7287: an application may be able to execute arbitrary code with kernel privileges, also because of a memory corruption issue.
• Live Photos in FaceTime, CVE-2019-7288: this vulnerability, discovered by Apple themselves, could have allowed a local attacker to bypass security restrictions and launch further attacks on the system.
The full security update can be read on the following webpage: https://support.apple.com/en-us/HT209520

4.2 Android security update

On February 4th, the Android development team released its security update. In this update, Google’s security team patched 3 critical vulnerabilities that impact the Android Framework. The most severe issue is CVE-2019-1987, a critical vulnerability in which a remote attacker could craft a malicious PNG that leads to remote code execution. Besides the critical vulnerabilities, they also found 4 vulnerabilities in the Android Library. The most severe of these could have enabled remote attackers to execute arbitrary code within the context of an unprivileged process through a maliciously crafted file; more details have not been publicly disclosed. The Google security team also identified 4 vulnerabilities each in Android’s kernel components and in the NVIDIA components. 7 of those were rated “high” and one “critical”. To top things off, they fixed 17 vulnerabilities in the Qualcomm components, all of which were found in 2018; 5 of the 17 are rated critical, while the rest are rated high.

Next to the fixes in the Android operating system, the team also released an update of Google Play Protect. This feature was released a few years ago to better protect Android users from unwanted and malicious apps found in the Google Play Store and through third parties. In this update, Google made the following changes:
• Google Play Protect is now enabled by default, so users no longer have to enable it in the settings first.
• When users open a new or rare Android app, Google Play Protect displays a warning. The warning stops appearing once Android has analyzed the app and deemed it safe for use.
To view the full security bulletin, head over to the following address: https://source.android.com/security/bulletin/2019-02-01


5 Security news

5.1 Mobile security news

Google updates Play Protect to protect users better In 2017, Google launched Play Protect to protect Android users from installing malicious apps from the Play Store. When this feature is activated, the following checks are performed:
• Runs safety checks on an app before you download it
• Checks your device for malware installed from other sources
• Warns you about harmful apps it finds and removes them
• Warns you about apps that violate Google’s Unwanted Software Policy
With the new update, Play Protect is enabled by default, and it adds a feature that displays a warning when opening an installed app that it doesn’t recognize. As time progresses and Play Protect becomes more familiar with the app, it stops these warnings if it decides to trust the application. This process probably makes use of a machine learning algorithm, but this has not been confirmed by Google. Source: https://www.bleepingcomputer.com/news/google/google-enhances-google-play-protect-on-android-but-is-it-enough/

Android is now FIDO2 certified The FIDO (Fast IDentity Online) Alliance announced that all compatible devices running Android 7.0+ are now FIDO2 certified, either out of the box or after an automated update. FIDO2 enables users to authenticate to Android apps and websites using their device’s built-in fingerprint sensor, facial recognition camera and/or FIDO security keys. This way people can authenticate themselves without the use of passwords. The FIDO Alliance worked closely with Google and the W3C to standardize the FIDO2 protocols. Last spring, these specifications were also disclosed to the public.

Figure 3 - FIDO Alliance logo (Source)

Source: https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/

New vulnerabilities in 4G/5G called ToRPEDO put privacy at risk A research team from Purdue University and the University of Iowa discovered vulnerabilities in the 4G and 5G mobile protocols that could allow attackers to intercept calls, send fake Amber alerts or other notifications, track location and more. In a paper presented at the Mobile World Congress in Barcelona, the team disclosed issues with the cellular paging protocol. This protocol is used when the mobile device is in an idle, low-power state; to conserve battery life, the device only polls for pending services periodically. The paging protocol notifies the phone only when there is a phone call or SMS message, saving unnecessary requests to the phone. The researchers uncovered three types of attacks that use this paging mechanism. The main attack, dubbed ToRPEDO (TRacking via Paging mEssage DistributiOn), could be used to verify the location of a specific device, to inject fake paging messages and to perform DoS attacks. For ToRPEDO to be successful, an attacker needs a sniffer in the same cellular area as the victim. The two other vulnerabilities build on this attack.


The second vulnerability allows a malicious actor to fully uncover a US victim’s unique International Mobile Subscriber Identity (IMSI) number (if the phone number is known), which opens the door to targeted location tracking of the user. The third attack, dubbed PIERCER (short for Persistent Information ExposuRe by the CorE netwoRk), allows an attacker who knows the victim’s phone number to associate the victim device’s IMSI with that phone number. To perform a ToRPEDO attack, an attacker needs a sniffer in the same cellular area as the victim. If the number of possible locations the victim could be in is large, the expense of installing sniffers (around $200 each) becomes considerable. For a successful PIERCER attack, the malicious actor needs a paging message sniffer as well as a fake base station, which would cost around 400 dollars. Source: https://threatpost.com/torpedo-privacy-4g-5g/142174/

iOS 12.2 is going to support TLS 1.3 The successor of TLS 1.2, TLS 1.3, is going to be available in the iOS 12.2 update. TLS is a protocol that allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering and message forgery. TLS 1.3 replaces the older encryption and hashing algorithms with newer, more secure ones such as ChaCha20, Poly1305, Ed25519, X25519 and X448. In addition, the TLS 1.3 handshake is considerably faster and protects against downgrade attacks, which trick users into using a less secure, older version of the TLS protocol.

Figure 4 - TLS 1.3 (Source)

Desktop users can already use TLS 1.3 if they browse the web with a recent release of a browser such as Mozilla Firefox on Windows, macOS or Linux, provided that the visited website supports TLS 1.3. Source: https://www.bleepingcomputer.com/news/security/tls-13-support-coming-to-ios-122-enabled-system-wide-in-beta-releases/

Google warns about 2 zero days being exploited in the wild Earlier this month, Apple released update 12.1.4, which patched the famous FaceTime bug where the initiator of a Group FaceTime call could cause the recipient to answer. In the same update, Apple fixed 2 other vulnerabilities that, according to Google, had been abused as zero days before the patch. The first is a memory corruption in the iOS Foundation component that a malicious app could exploit to gain elevated privileges. The second impacts I/O Kit, another iOS core framework, which handles I/O data streams between the hardware and the software. An attacker could exploit a memory corruption in this framework via a malicious app to execute arbitrary code with kernel privileges.


Both Apple and Google have yet to respond to a request for comment, but it is unlikely that they will, in order to prevent other threat actors from gaining insight into how the zero-days work. Source: https://www.zdnet.com/article/google-warns-about-two-ios-zero-days-exploited-in-the-wild/

Google is going to add 6 extra vulnerability warnings to ASI Google announced it is going to add 6 additional vulnerability warnings to its ASI program. The ASI (Application Security Improvement) program is a service designed to scan for potential security issues in apps uploaded to the Google Play Store. When a vulnerability is found in an Android app, developers are warned through the Google Play Console and receive a detailed remediation procedure to remove the issue, and sometimes a remediation deadline. The ASI program already covered easy-to-check vulnerabilities such as the use of unsafe library versions or TLS/SSL certificate errors, but it now also checks for the following vulnerabilities:
• SQL Injection
• File-based Cross-Site Scripting
• Cross-App Scripting
• Leaked Third-Party Credentials
• Scheme Hijacking
• JavaScript Interface Injection
Google assures developers that it will continue to improve the ASI program, so we might expect more updates in 2019.

Figure 5 - Tweet by team leader at Google’s Project Zero

Source: https://android-developers.googleblog.com/2019/02/android-security-improvement-update.html


5.2 General security news

Whatsapp bug in Face ID In early February, WhatsApp rolled out an update to its iOS app that introduced a new feature using Face ID and Touch ID. This feature adds another layer of defense for the case where an unauthorized individual gains access to your unlocked device: WhatsApp uses Face ID to check whether it recognizes the person holding the phone, and when Face ID does not recognize the user, he or she is locked out of WhatsApp. Several weeks later a Reddit user discovered that the new protection can easily be bypassed by using the “Share Sheet” functionality in iOS; after doing so, WhatsApp becomes accessible without any authentication. In the iOS app, users can set how quickly the application locks itself when an unauthorized user interacts with an unlocked iOS device. The bypass can be avoided by setting this parameter to “immediately”.

Figure 6 - The Share Sheet used for the bypass (Source)

Source: https://www.securityweek.com/bug-allows-bypass-whatsapp-face-id-touch-id-protection

Disguised clipper malware discovered on Google Play Store In early February, security researcher Lukas Stefanko discovered clipper malware lurking on the Google Play Store, impersonating a legitimate service called MetaMask. The legitimate service is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node; however, there is no official MetaMask application for Android or iOS. This clipper malware can steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds, and it replaces a copied Bitcoin or Ethereum wallet address with the attacker’s address. Once such a transaction is sent, it cannot be changed or canceled. Source: https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/

Figure 7 - Fake MetaMask app on the Play Store (Source)

Severe flaw discovered in SHAREit Android app Security researchers at RedForce have uncovered 2 high-severity vulnerabilities in SHAREit’s Android app. SHAREit is a widely used platform that lets users transfer files between devices. The first vulnerability allows attackers to bypass the authentication mechanism on a device. The bypass is triggered when an unauthenticated user fetches a non-existing page: instead of responding with the classic 404 page, the SHAREit app responds with a status 200 and adds the user to the recognized devices list, thus authenticating the attacker. The second vulnerability is a perfect follow-up to the first and lets an authenticated attacker download arbitrary files from the victim’s device. The researchers informed the SHAREit team about the vulnerabilities back in February 2018, and the issues were patched in March 2018. The researchers gave users enough time to update their devices and only disclosed the vulnerabilities earlier this month. They also released a tool/proof-of-concept called DUMPit, which automates the exploitation of the vulnerability. Source: https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/

Figure 8 - DUMPit proof-of-concept by RedForce (Source)
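The two SHAREit flaws chain together because an authentication decision was made on the error path. The Python model below is an added example written for this newsletter; it is not SHAREit’s code and does not reproduce the real app’s routes, file layout or pairing flow, all of which are constructed here. It shows a minimal file-sharing request handler in the flawed shape described by RedForce (an unmatched route answered with 200 that also marks the caller as recognized, and downloads not confined to the shared folder) next to the hardened behaviour: unknown routes are simply 404, a device is only recognized after a one-time pairing code, and downloads are restricted to the shared directory.

```python
import hmac
import posixpath
from dataclasses import dataclass, field

# Directory whose contents the user has chosen to share (constructed path).
SHARE_ROOT = "/sdcard/shared"

# Constructed stand-in for the device's filesystem, so the example runs offline.
FILES = {
    "/sdcard/shared/photo.jpg": b"\xff\xd8jpeg-bytes",
    "/data/data/com.example.app/databases/secrets.db": b"sqlite-secrets",
}


@dataclass
class Request:
    client_ip: str
    path: str


@dataclass
class Response:
    status: int
    body: bytes = b""


@dataclass
class FileServer:
    # With vulnerable=True the handler behaves like the flaw described in the
    # report: any unmatched path is answered 200 and the caller is added to the
    # recognized-devices list, and downloads are not confined to SHARE_ROOT.
    # With vulnerable=False the hardened behaviour applies.
    vulnerable: bool = False
    recognized: set = field(default_factory=set)        # paired client IPs
    pairing_codes: dict = field(default_factory=dict)   # ip -> one-time code shown on screen

    def handle(self, req: Request) -> Response:
        if req.path.startswith("/pair/"):
            return self._pair(req)
        if req.path.startswith("/file/"):
            return self._download(req)
        return self._unknown(req)

    def _unknown(self, req):
        if self.vulnerable:
            self.recognized.add(req.client_ip)   # authentication bypass on the error path
            return Response(200)
        return Response(404)                      # hardened: an unknown route is just a 404

    def _pair(self, req):
        # A device becomes recognized only by presenting the one-time code the
        # user sees on the sharing device's screen (constructed pairing flow).
        code = req.path[len("/pair/"):]
        expected = self.pairing_codes.get(req.client_ip, "")
        if expected and hmac.compare_digest(expected, code):
            self.pairing_codes.pop(req.client_ip)   # one-time use
            self.recognized.add(req.client_ip)
            return Response(200)
        return Response(403)

    def _download(self, req):
        if req.client_ip not in self.recognized:
            return Response(401)
        name = req.path[len("/file/"):]
        full = posixpath.normpath(posixpath.join(SHARE_ROOT, name))
        # Hardened: the resolved path must stay inside the shared directory,
        # so a recognized device still cannot read arbitrary files.
        if not self.vulnerable and not full.startswith(SHARE_ROOT + "/"):
            return Response(403)
        data = FILES.get(full)
        return Response(200, data) if data is not None else Response(404)
```

The point to take from the model is that the recognized-devices list is only ever written from the pairing handler in the hardened variant; no other code path, and certainly not the fallback for unknown routes, may grant that status.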

Oracle discovered “DrainerBot”, a mobile ad fraud operation On the 20th of February, Oracle announced the discovery of “DrainerBot”, the newest mobile ad fraud operation. DrainerBot relies on an infected SDK embedded in hundreds of popular Android apps that users can install through the Play Store. Oracle estimates that apps containing the DrainerBot code have been downloaded over 10 million times. Infected apps play invisible video ads on the device, which quickly drains the battery and can consume more than 10GB of mobile data per month. DrainerBot keeps running even while the infected device is idle or in sleep mode. The infected SDK was distributed by Tapcore, a company in The Netherlands that is supposed to help app developers monetize stolen or pirated copies of their apps through ads. Users who installed an infected application may notice that their device gets hot and that the battery drains quickly even when the phone is not in active use. A dramatic increase in data usage, sluggish performance and high application crash rates are also indicators of an infection. Oracle Data Cloud’s Moat Analytics lists more detailed information and mitigation measures: http://info.moat.com/drainerbot Source: https://www.oracle.com/corporate/pressrelease/mobilebot-fraud-operation-022019.html


Triout Android spyware makes a comeback Back in August 2018, Bitdefender researchers discovered a spyware framework called Triout, hidden inside a legitimate application. The malware can hide its presence on the device, record phone calls, log incoming text messages, record video, take pictures and collect GPS coordinates. All of this information is sent to a command and control server without alerting the victim. The malicious application was removed from the official app store when it was discovered. A new malicious application has now been found carrying the same spyware framework. This application impersonates the legitimate app “Psiphon3”, a popular Android VPN app with over 50 million installs. Although the official app is distributed on the Google Play Store, the malicious imposter is delivered through third-party app stores. It contains the same malicious code as the previous version but is bundled with three extra components (Google Ads, Inmobi Ads and Mopub Ads) to generate additional revenue for the threat actors. Source: https://labs.bitdefender.com/2019/02/triout-android-spyware-framework-makes-a-comeback-abusing-app-with-50-million-downloads/

Figure 9 - Comparison of the clean vs fake app (Source)

Fake Google reCAPTCHA used to drop banking malware Security researchers of Sucuri have uncovered a phishing attack targeting customers of a Polish bank. The attack starts with an email asking the victim to confirm a recent (non-existent) transaction by clicking a link, which leads to a PHP page. That page first inspects the visitor’s user agent: if it looks like a Google crawler, the web server returns a 404, so the page is neither indexed nor flagged by Google’s scanners. Any other visitor is served a fake Google reCAPTCHA form that tricks them into downloading a malicious APK (or a .zip file if the visitor is on Windows).

Figure 10 - A fake reCAPTCHA page (Source)

Samples of the malware have been uploaded to VirusTotal. The malware family is widely seen in the wild and can read the device’s state, location and contacts, scan and send SMS messages, make phone calls, record audio and steal other sensitive information. On top of that, it can intercept SMS-based 2FA codes. Source: https://blog.sucuri.net/2019/02/hackers-use-fake-google-recaptcha-to-cloak-banking-malware.html
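User-agent cloaking of the kind used on this phishing page can be detected by fetching the same URL under several identities and comparing what comes back. The Python below is an added example written for this newsletter, not Sucuri’s tooling or the attacker’s script: cloaked_handler models the server behaviour described above (404 for crawlers, an APK for mobile visitors, a .zip for Windows), and detect_cloaking is the probe a defender runs against a suspicious URL. The crawler signatures, payload file names and the Android and Windows browser strings are constructed for the example; the Googlebot string is Google’s documented crawler user agent.

```python
import re

# Crawler signatures the cloaking script looks for (constructed list for this
# example; the actual server-side script was not published).
CRAWLER_UA = re.compile(r"googlebot|adsbot-google|google-inspectiontool", re.IGNORECASE)


def cloaked_handler(user_agent):
    """Server behaviour modelled on the described attack: hide the page from
    Google's crawlers, serve an APK to other visitors and a .zip to Windows.
    Returns (HTTP status, payload name)."""
    if CRAWLER_UA.search(user_agent):
        return 404, None
    if "windows" in user_agent.lower():
        return 200, "recaptcha-verify.zip"   # constructed payload name
    return 200, "recaptcha-verify.apk"       # constructed payload name


def honest_handler(user_agent):
    """Control case: a page that does not cloak serves everyone the same thing."""
    return 200, "index.html"


# Probe identities for the cloaking check. The Googlebot string is Google's
# documented crawler UA; the other two are typical browser UAs of the period.
PROBES = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "android": ("Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/72.0.3626.105 Mobile Safari/537.36"),
    "windows": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"),
}


def detect_cloaking(fetch, probes=PROBES):
    """Request the same URL under several user agents and report whether the
    responses differ. `fetch(user_agent)` must return a hashable
    (status, payload) pair; for a live check pass a function that issues the
    request with urllib and sets the User-Agent header from its argument."""
    results = {name: fetch(ua) for name, ua in probes.items()}
    cloaked = len(set(results.values())) > 1
    return cloaked, results
```

A divergent result is not proof of malice on its own (legitimate sites also vary content by platform), but a page that answers 404 to Googlebot and serves an executable to everyone else is exactly the pattern described in the Sucuri report and deserves a closer look.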

iOS apps use Glassbox SDK to record user screens without permission Analytics firm Glassbox lets its customers embed session replay technology into their apps. This allows app developers to capture screenshots and user interactions, including on-screen taps and in some cases keyboard input, which are sent to the app developers or to Glassbox’s servers for user experience analysis. Customers include big-name corporations such as Abercrombie & Fitch and its sister brand Hollister, Hotels.com, Expedia, Air Canada and Singapore Airlines. Air Canada, for example, tries to mask sensitive fields with black boxes before the screenshots are sent. The first screenshot is masked correctly, but subsequent screenshots capture sensitive data such as credit card details in the clear. Air Canada also covers the password field on the login form, but does not mask the password during account creation or when resetting a forgotten password. If these screenshots are stored on an insecure server, those passwords are readable in plain text.

Figure 11 - Screenshots Air Canada collects (Source)

Since several Glassbox customers do not disclose this monitoring to their users, users are largely unaware that their actions are being observed this closely. Source: https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/


6 Statistics

6.1 OS market shares

Figure 12 - OS market share (Source)

Compared to last month’s operating system market shares, there is a small shift away from Android: it lost around one percentage point of market share, which is a relatively large change for a single month, while all other operating systems gained slightly.

6.2 iOS

Figure 13 - Usage of iOS versions (Source)


As in the previous three months, iOS users continue to move to the newest iOS 12 versions, which is good news from a security standpoint. Since the stable release of iOS 12 in mid-September, more than three quarters of all iOS users have installed it; iOS 12.x gained 2,16% this month.

The share of users on iOS 7.x and even older versions decreased by 0,10%. These users probably upgraded to iOS 8.x, whose share rose by 0,21%.

6.3 Android

Version        Codename              Distribution
Android                              2,56%
Android 1.0                          0,05%
Android 1.1    Petit Four            0,02%
Android 1.5    Cupcake               0,12%
Android 1.6    Donut                 0,05%
Android 2.0    Eclair                0,09%
Android 2.1                          0,06%
Android 2.2    Froyo                 1,15%
Android 2.3    Gingerbread           0,06%
Android 4.0    Ice Cream Sandwich    1,14%
Android 4.1    Jelly Bean            0,78%
Android 4.2                          2,37%
Android 4.3                          0,17%
Android 4.4    KitKat                3,16%
Android 5.0    Lollipop              1,75%
Android 5.1                          7,19%
Android 6.0    Marshmallow          13,95%
Android 6.1                          0,05%
Android 7.0    Nougat               11,77%
Android 7.1                          8,58%
Android 8.0    Oreo                 23,63%
Android 8.1                         20,99%
Android 9.0    Pie                   0,32%
Android 9.1                          0,00%
(Source)

As Google has stopped publishing updates to its version distribution dashboard, the data listed above is taken from NetMarketShare. This is an online service that provides web usage share statistics based on real users and is relied upon by many reputable vendors. NetMarketShare collects its data from approximately 100 million valid sessions per month, extracted from over a thousand different websites. The service applies bot and fraud detection and country-level weighting, and removes hidden pages from the data to obtain accurate statistics. Compared with the statistics from the previous dashboard, the adoption of Android Oreo has doubled since Google’s last assessment, and usage of all older versions has decreased, which is good news. The newest version, Android 9 Pie, has also arrived in the statistics, so we can expect a slow rise in its adoption in the upcoming months.
