mobile antivirus - Online Cyber Security News

Remotely Exploitable Bug in Truecaller Puts Over 100 Million Users at Risk

Tuesday, March 29, 2016 Swati Khandelwal

Security researchers have discovered a remotely exploitable vulnerability in Called ID app "Truecaller" that could expose personal details of Millions of its users.

Truecaller is a popular service that claims to "search and identify any phone number," as well as helps users block incoming calls or SMSes from phone numbers categorized as spammers and telemarketers.

The service has mobile apps for Android, iOS, Windows, Symbian devices and BlackBerry phones.

The vulnerability, discovered by Cheetah Mobile Security Research Lab, affects Truecaller Android version of the app that has been downloaded more than 100 Million times.

The actual problem resides in the way Truecaller identify users in its systems.

While installation, Truecaller Android app asks users to enter their phone number, email address, and other personal details, which is verified by phone call or SMS message. After this, whenever users open the app, no login screen is ever shown again.

This is because Truecaller uses the device's IMEI to authenticate users, according to researchers.

"Anyone gaining the IMEI of a device will be able to get Truecaller users' personal information (including the phone number, home address, mail box, gender, etc.) and tamper app settings without users' consent, exposing them to malicious phishers," Cheetah Mobile wrote in a blog post.

Cheetah Mobile researchers told The Hacker News that they were able to retrieve personal data belonged to other users with the help of exploit code just by interacting with Truecaller's servers.

On a successful exploitation of this flaw, the attackers can:

Steal personal information like account name, gender, e-mail, profile pic, home address, and more.
Modify a user's application settings.
Disable spam blockers.
Add to a black list for users.
Delete a user's blacklist.

Cheetah Mobile informed Truecaller of this flaw, and the company updated their servers as well as released an upgraded version of its Android app on March 22 in order to prevent abuse exploiting this flaw.

Truecaller said in its blog post published Monday that the vulnerability did not compromise any of its user information.

If you haven’t, download the latest version of Truecaller for your Android devices from the Google Play Store Now!

New Android Malware 'HijackRAT' Attacks Mobile Banking Users

Wednesday, July 02, 2014 Mohit Kumar

Cybercriminals have rolled out a new malicious Android application that wraps different varieties of banking fraud trick into a single piece of advanced mobile malware.

GOOGLE SERVICE FRAMEWORK - APPLICATION OR MALWARE?

Security researchers at the security firm FireEye have came across a malicious Android application that binds together the latest and older hijacking techniques. The malicious Android app combines private data theft, banking credential theft and spoofing, and remote access into a single unit, where traditional malware has had only one such capability included in it.

Researchers dubbed the malware as HijackRAT, a banking trojan that comes loaded with a malicious Android application which disguises itself as “Google Service Framework,” first and the most advanced Android malware sample of its kind ever discovered, combining all the three malicious activities together.

MALWARE FEATURES

By giving the remote control of the infected device to hackers, the creepy malware application:

steals and sends SMS messages
steals contacts
initiates malicious app updates
scans for legitimate banking apps installed on the victim’s mobile phone and replace them with fakes utilities
attempts to disable any mobile security software or antivirus solution that might be installed on a compromised Android device

IS MOBILE ANTIVIRUS NEEDED? GOOGLE SAYS “NO”

Despite strict warnings from security companies, Google’s head of Android security says the majority of Android device users do not need to install any anti-virus solution and other security applications to protect their devices.

Google’s security researchers say those who used antivirus or security app on their phone would probably never actually receive protection from it, and because every Android app goes through the Google automated system that checked for every issue, and verified those apps that didn’t contain any malware or malicious activities, before they were made available on the app store.

But, the question here is that if every Android app goes through Google Automated System, then why Google Play Store is surrounded by so many malicious apps? Now this really need to answer.

CURRENTLY TARGETING KOREAN BANKS

Coming back to the topic, this malicious Android application cannot be removed from the device unless users deactivate its administrative privileges. The latest version of the malicious app is currently being used to defraud customers of eight popular Korean banks, but could easily be adapted by hackers to target European financial institutions.

"While it is limited to just the 8 Korean banks right now, the hacker could easily add in the functionality for any other bank with about 30 minutes of work," reads the blog post.

WARNING: ROBUST VARIANT COMING SOON

HijackRAT’s incomplete functionality appears to be designed to conduct “bank hijacking” attacks, according to an analysis carried out by FireEye.

The unique nature of this malware app, particularly its ability to steal users’ personal information from the device and impersonate itself as banking apps, indicates it could be a test attack and an even more robust mobile banking threat could be on the horizon, said the researchers.

SOLUTION: WHAT TO DO?

Since, malware is at rise and specially Android users are facing majority of problems. Have a thought, If any malware is stealing your device messages then the app is definitely taking permissions to read messages and if it is stealing your device contacts then it’s taking permission to read your contacts, and likewise for other capabilities.

So, you are advised to read the app permission always before installing it to your phone, and if some application such as messaging app that definitely requires permission to read your contacts, messages, location etc then first check the reviews of that particular app on the Internet and Play Store, and always try to install only the reputed Android app to your device.

Most Sophisticated Android Bootkit Malware ever Detected; Infected Millions of Devices

Wednesday, April 02, 2014 Mohit Kumar

Hardly two month ago we reported about the first widely spread Android Bootkit malware, dubbed as 'Oldboot.A', which infected more than 500,000 Smartphone users worldwide with Android operating system in last eight months, especially in China.

Oldboot is a piece of Android malware that's designed to re-infect Mobile devices even after a thorough cleanup. It resides in the memory of infected devices; It modify the devices’ boot partition and booting script file to launch system service and extract malicious application during the early stage of system’s booting.

Yet another alarming report about Oldboot malware has been released by the Chinese Security Researchers from '360 Mobile Security'. They have discovered a new variant of the Oldboot family, dubbed as 'Oldboot.B', designed exactly as Oldboot.A, but new variant has advance stealth techniques. Especially, the defense against with antivirus software, malware analyzer, and automatic analysis tools. "The Oldboot Trojan family is the most significant demonstration of this trend." researchers said.

Oldboot.B, Android Bootkit malware has following abilities:

It can install malicious apps silently in the background.
It can inject malicious modules into system process.
Prevent malware apps from uninstalling.
Oldboot.B can modify the browser's homepage.
It has ability to uninstall or disable installed Mobile Antivirus softwares.

INFECTION & INSTALLING MORE MALWARE APPS

Once an Android device is infected by Oldboot.B trojan, it will listen to the socket continuously and receive and execute commands received from the attacker's command-and-control server.

Malware has some hidden ELF binaries, that includes steganographically encrypted strings, executable codes and configuration file downloaded from C&C server, located at az.o65.org (IP is 61.160.248.67).

After installation, Oldboot Trojan install lots of other malicious android applications or games in the infected device, which are not manually installed by the user.

MALWARE ARCHITECTURE

Oldboot.B architecture includes four major Components, those automatically executes during the system startup by registering itself as a service in the init.rc script:

1) boot_tst - uses remote injection technique to inject an SO file and a JAR file to the 'system_server' process of the Android system, continuously listen to the socket, and execute commands sent.

2) adb_server - replaces pm script of Android system with itself and used for anti-uninstallation functionality.

3) meta_chk - update the configuration file, download and install Android Apps promoted in the background. The Configuration file is encrypted, that greatly increases the time required to analyze.

To evade detection, meta_chk destroys itself from the file system, and left with only the injected process. Android Antivirus software does not support the process memory scan in the Android platform, so they cannot detect or delete the Oldboot Trojan which resides in the memory.

4) agentsysline - module written in C++ programming language, run as a daemon in the background to receive commands from command-and-control server. This component can uninstall anti-virus software, delete the specific files and enable or disable network connection etc.

PROBLEMS FOR SECURITY RESEARCHERS

To increase the problem of malware analyzers:

It add some meaningless code and trigger some behavior randomly.
Check for SIM card availability in the device, and it will not perform certain behavior if there is no SIM card to fool sandbox or emulators.
Check for the existence of antivirus software, and may uninstall the anti-virus software before doing anything malicious.

Malware uses the steganography techniques to hide its configuration file into images:

"But after some analysis, we found that the configuration of meta_chk is hidden in this picture, which contains the command will be executed by meta_chk and other information." researchers said. The size of this configuration file is 12,508 bytes.

"Depending on the commands sent from the C&C server, it can do many different things, such as sending fake SMS messages or phishing attacks, and so on. Driven by profit, the Oldboot Trojan family changes very fast to react to any situation."

Oldboot.B is one of the most advanced Android malware that is very difficult to remove, but antivirus firm 360 Mobile Security also released Oldboot detection and removing tool for free, you can download it from their website.

To avoid infection, Smartphones users should only install apps from trusted stores; make sure the Android system setting 'Unknown sources' is unchecked to prevent dropped or drive-by-download app installs; don't use untrusted custom ROMs and install a mobile security app.