Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Saturday, April 29, 2017 Mohit Kumar

android-open-port
A team of researchers from the University of Michigan discovered that hundreds of applications in Google Play Store have a security hole that could potentially allow hackers to steal data from and even implant malware on millions of Android smartphones.

The University of Michigan team says that the actual issue lies within apps that create open ports — a known problem with computers — on smartphones.

So, this issue has nothing to do with your device's operating system or the handset; instead, the origin of this so-called backdoor is due to insecure coding practices by various app developers.

The team used its custom tool to scan over 100,000 Android applications and found 410 potentially vulnerable applications — many of which have been downloaded between 10 and 50 Million times and at least one app comes pre-installed on Android smartphones.

Here I need you to stop and first let's understand exactly what ports do and what are the related threats.

Ports can be either physical or electronic in nature. Physical ports are connection points on your smartphones and computers, such as a USB port used to transfer data between devices.

Electronic ports are those invisible doors that an application or a service use to communicate with other devices or services. For example, File Transfer Protocol (FTP) service by default opens port 21 to transfer files, and you need port 80 opened in order to connect to the Internet.

In other words, every application installed on a device opens an unused port (1-to-65535), can be referred as a virtual door, to communicate for the exchange of data between devices, be it a smartphone, server, personal computer, or an Internet-connected smart appliance.

Over the years, more and more applications in the market function over the Internet or network, but at the same time, these applications and ports opened by them can be a weak link in your system, which could allow a hacker to breach or take control of your device without your knowledge.

This is exactly what the University of Michigan team has detailed in its research paper [PDF] titled, "Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications."

According to the researchers, the major issue is with the apps like WiFi File Transfer, which has been installed between 10 million and 50 million times and allows users to connect to a port on their smartphone via Wi-Fi, making it easy to transfer files from a phone to a computer.

But due to insufficient security, this ability of the apps is apparently not limited to merely the smartphone's owner, but also malicious actors.

However, applications like WiFi File Transfer pose fewer threats, as they are designed to work over a local network only, that requires attackers to be connected to the same network as yours.

On the other hand, this issue is extremely dangerous in the scenarios where you connect to a public Wi-Fi network or corporate network more often.

To get an initial estimate on the impact of these vulnerabilities, the team performed a port scanning in its campus network, and within 2 minutes it found a number of mobile devices potentially using these vulnerable apps.
"They manually confirmed the vulnerabilities for 57 applications, including popular mobile apps with 10 to 50 million downloads from official app marketplaces, and also an app that is pre-installed on a series of devices from one manufacturer," the researchers say.

"The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port."
No doubt, an open port is an attack surface, but it should be noted that port opened by an application can not be exploited until a vulnerability exists in the application, like improper authentication, remote code execution or buffer overflow flaws.

Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, where anyone can buy a cheap cloud service to scan the whole Internet within few hours.

However, smartphones connected to the Internet via wireless network behind a router are less impacted by this issue, because in that case, attackers would need to be on the same wireless network as the victim.

To prove its point, the team of researchers has also demonstrated various attacks in a series of videos, posted below:

1. Using an app's open ports to steal photos with on-device malware

2. Stealing photos via a network attack

3. Forcing the device to send an SMS to a premium service

The team says these vulnerabilities can be exploited to cause highly-severe damage to users like remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution.

The easiest solution to this issue is to uninstall such apps that open insecure ports, or putting these applications behind a proper firewall could also solve most of the issues.

Tuesday, May 17, 2016 Swati Khandelwal

banking-app-hack
A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application.

Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.

Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.

While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.

Also Read: Best Password Manager — For Windows, Linux, Mac, Android, iOS and Enterprise

Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim's current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
"So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list," Prakash wrote in his blog post.

"It was a matter of 5 lines of code [exploit] to enumerate the bank's customer records (Current Account Balance, and Deposits)."

Stealing Money from Anyone Else's Account

bank-hacking-news
If this wasn't enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender's account.

This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else's account, reported by Motherboard.
"I tested [the hack] with a bunch of accounts belonging to my family. Few of those accounts don't even have net banking or mobile banking activated," Prakash added. "And it all worked like a charm."
However, instead of taking advantage of these bugs, Prakash responsibly emailed the bank on November 13, 2015, and within few days, bank’s deputy general manager informed him that the security flaws had been fixed, without rewarding him with a bug bounty, that's unfair.

Friday, December 04, 2015 Swati Khandelwal

Serious Security Flaw Exposes 6.1 Million IoT, Mobile Devices to Remote Code Execution
As much as you protect your electronics from being hacked, hackers are clever enough at finding new ways to get into your devices. But, you would hope that once a flaw discovered it would at least be fixed in few days or weeks, but that's not always the case.

A three-year-old security vulnerability within a software component used by more than 6.1 Million smart devices still remains unpatched by many vendors, thereby placing Smart TVs, Routers, Smartphones, and other Internet of Things (IoT) products at risk of exploit.

Security researchers at Trend Micro have brought the flaw to light that has been known since 2012 but has not been patched yet.

Remote Code Execution Vulnerabilities 


Researchers discovered a collection of Remote Code Execution (RCE) vulnerabilities in the Portable SDK for UPnP, or libupnp component – a software library used by mobile devices, routers, smart TVs, and other IoT devices to stream media files over a network.

The flaws occur due to a buffer overflow in Simple Service Discovery Protocol (SSDP), potentially allowing hackers to take full control over the targeted device running the vulnerable version of the software development kit (SDK).

According to the researchers, the vulnerabilities were actually patched in 2012, but many applications still use the outdated versions of the library, allowing remote code execution attacks against devices with flawed apps installed.
"We found 547 apps that used older versions of libupnp, 326 of which are available on the Google Play store," Trend Micro mobile analyst Veo Zhang wrote in a blog post published Thursday.

Vulnerable Apps Downloaded by Millions of People


The biggest app affected by the flaw is QQMusic, which is used by over 100 Million people in China alone and has been downloaded by millions of Android users from the Google Play store. However, the security issue has since been fixed by the developers.

The Netflix application, also downloaded by Millions of people, was also thought to be affected by the flaw though the researchers say:
"Upon further clarification with Netflix, we learned that Netflix uses their own fork of libupnp due to an API that is no longer a part of newer libupnp versions. However, their fork contains the fixes from newer versions of libupnp as well, so we believe they are not affected by potential remote code execution attacks targeting this vulnerability."
Other popular applications using the outdated version of the library include nScreen Mirroring for Samsung, CameraAccess Plus and Smart TV Remote.

List of Vulnerable Apps


Here's the list of some apps, Trend Micro knows, are vulnerable and has actually tested:
Common Name
Package Name
AirSmartPlayer
com.gk.airsmart.main
Big2Small
com.alitech.dvbtoip
CameraAccess plus
jp.co.pixela.cameraaccessplus
G-MScreen
mktvsmart.screen
HexLink Remote (TV client)
hihex.sbrc.services
HexLink-SmartTV remote control
com.hihex.hexlink
Hisense Android TV Remote
com.hisense.commonremote
nScreen Mirroring for Samsung
com.ht.nscreen.mirroring
Ooredoo TV Oman
com.ooredootv.ooredoo
PictPrint – WiFi Print App –
jp.co.tandem.pictprint
qa.MozaicGO.Android
Mozaic GO
QQMusic
com.tencent.qqmusic
QQ音乐HD
com.tencent.qqmusicpad
Smart TV Remote
com.hisense.common
Wifi Entertainment
com.infogo.entertainment.wifi
モバイルTV(StationTV)
jp.pixela.px01.stationtv.localtuner.full.app
에브리온TV (무료 실시간 TV)
com.everyontv
多屏看看
com.letv.smartControl
海信分享
com.hisense.hishare.hall

Though the makers of QQMusic and LinPhone have addressed the issue and released fixes for their apps, users are advised to check their devices for one of these apps and if discovered, simply removed it or check for an update.

The security researchers are continuing to find out more vulnerable app.

Monday, April 06, 2015 Mohit Kumar

Facebook Starts WhatsApp Integration for Android Users
Is Facebook planning to integrate WhatsApp Messenger into its 'Facebook for Android' app?

Yes, this might be possible soon. According to latest rumours, Facebook is reportedly working on it.

The social network giant, Facebook has begun testing a new feature in its Facebook app for Android that includes the first integration of WhatsApp Messenger, according to a blogger.

WHATSAPP INTEGRATION INTO FACEBOOK APP
According to this update, a year after of acquiring WhatsApp Messenger, Facebook has only added a 'Send' button with the WhatsApp icon.

This WhatsApp 'send' will work as part of the status actions options that appear under each status update.

It means that Facebook for Android users soon may have this particular version of Facebook app with a dedicated WhatsApp button that would allow an Android user to share posts, status and anything else directly through WhatsApp by just clicking the Share button.

If rumours are true, the upcoming version 31.0.0.7.13 of Facebook app for Android, which is not yet available publicly, could have this feature.

WILL FACEBOOK MERGE WITH WHATSAPP?
From past one year, we haven’t noticed any Facebook and WhatsApp integration, but this minor change made by the social network giant raised doubt in users’ mind that is Facebook going to merge WhatsApp with Facebook?

When Facebook acquired WhatsApp for over $20 billion in February last year, Facebook founder Mark Zuckerberg confirmed that Whatsapp and Facebook would continue to co-exist as separate platforms.

At that time, WhatsApp team also assured that nothing would change and that WhatsApp would operate independently.

However, this recent move by Facebook considered to be the first step towards merging the two popular platforms in order to take control of the popular messaging market and sustain growth together.

GeekTime blog also claimed that teams from both the companies are working on a deeper integration that will have the ability to send messages between WhatsApp and Facebook Messenger.

'SHARE WITH WHATSAPP USERS' IS A MINOR UPDATE
However, the new feature seems just like a share via WhatsApp app that is very common feature adopted by different websites to make it easier for users to share contents with large number of audiences.

However, how deep this integration will go for users of both services will be known in the near future.

Wednesday, November 26, 2014 Mohit Kumar

Twitter will now Track EVERY App You have Installed on Your Smartphone
Like Facebook and Google, Twitter will soon be collecting your smartphone data in order to provide a "more personal Twitter experience" by serving targeted advertisements.

The popular microblogging service Twitter said Wednesday that it will start collecting information about the other applications its users have installed onto their smartphones or tablet in a bid to better target ads and content, which some users may consider as another threat to their online privacy.
In the Security and Privacy section of its support site, Twitter says that it will be "collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in."
The company has updated its app with this new feature for iOS platform on Wednesday, and Android will integrate this new feature in the next week.

The app update is opt-out, which means Twitter will start collecting information from users automatically unless they explicitly tell it otherwise. So, if you have already opted out of interest-based ads on iOS and Android, "we will not collect your apps unless you adjust your device settings," Twitter said.

The approach is simple, by tracking the apps people are downloading, Twitter is trying to learn more about its user base, so that it can suggest more relevant ads to users and make more money. The company says it will also improve its suggestions for accounts to follow and adding "Tweets, accounts, or other content to your timeline that we think you'll find especially interesting."

Twitter assured its users that it will only track applications users have installed, not any data from within the applications. As it said, "We are only collecting the list of applications you have installed. We are not collecting any data within the applications."

Still if you are not interested, You can turn off this feature through main Twitter app's settings menu. 
  • For iOS device users, disable this through setting -> account -> privacy -> "Tailor Twitter based on my apps."
  • For Android users, settings -> account -> other -> "Tailor Twitter based on my apps."
If you are getting any issue regarding this, you can also go to Twitter’s website which details exactly how to opt-out this feature for both Android and iOS.

For your knowledge, Twitter isn’t the only service to be tracking its users' apps. Facebook, for instance, also checks which apps users have installed that use the Facebook SDK to better surface targeted ads, though it also allows users to opt out.

Friday, October 24, 2014 Swati Khandelwal

There’s a good news for app developers. On Wednesday at Twitter’s first annual developer conference Flight, the company announced a new tool for developers which will allow users to log-in to mobile applications using their phone numbers rather than a traditional username and password combinations.

SAY NO TO PASSWORD
The service will be called Digits, aimed at application developers looking for an easier, password-free login option for their mobile applications – in a similar way to Snapchat, WhatsApp and Viber that rely only on verified users’ mobile numbers for sign-in, rather than the traditional ID and password combination.
"This is an entirely new native mobile sign up service that makes mobile-first sign-up frictionless, and creates an identity relationship entirely between you and your users," said Twitter CEO Dick Costolo, speaking at the Twitter Flight developer conference in San Francisco.

DEVELOPERS DON’T TRUST TWITTER
On one hand, where other social networking companies encouraged third-party developers to develop their own applications and services on top of the platform. Twitter always tried to reassert control over its product and platform and therefore being hated by developer community, but this new move will definitely solve this all.

According to the app developer Marco Arment, Twitter can’t be trusted again. "We’re just innocent bystanders getting hit whenever this fundamentally insecure, jealous, unstable company changes direction, which happens every few years," wrote Arment, who most recently developed Overcast, an app for listening to podcasts. "Twitter will never, and should never, have any credibility with developers again."

HOW DIGITS WORKS
Basically, Digits uses SMS messages to control access to registered accounts. When a developer adds Digits to its application, the user will be able to sign-in to that application using his or her mobile phone number.

Once the user provides the mobile phone number, Twitter will send a verification code on the provided mobile number via an SMS. User then enters that the SMS-based confirmation code to the log-in, and have access to the application. Note that each code Twitter sends you via SMS will expire after it's used. The process is just like a two-step verification one.


INTRODUCING FABRIC
Digits is one of many products announced at the developers conference in San Francisco. The company also introduced Fabric – a free software development kit for apps. Fabric will have three components:
  • MoPub – It is a mobile advertising platform bought by Twitter for $350m last year. It will help developers monetise their products on the Twitter platform.
  • Crashlytics – Crash reporting service, Crashlytics, bought by Twitter for $100m in 2013, will help developers test and build their apps as well as debug them.
  • TwitterKit – It enables apps to integrate into Twitter for streamlining real-time information. For example, the popular transport app Citymapper will now Tweet live updates from San Francisco’s Bart train system to users. TwitterKit allows developers to embed Tweets natively, as well as allows users to log into apps via Twitter.
"Fabric was built with ease of use in mind," Twitter's director of product, Jeff Seibert, wrote in a blog post. "Installation takes just minutes, and most features only require a few lines of code—so you spend less time managing SDKs and more time building the best experience for your users."
You can also go to the Digits website, which looks very basic at this time, in order to know more about it. Digits is launching now in 216 countries and 28 languages, which represents a serious move from Twitter’s end in terms of owning a piece of the mobile landscape.

Saturday, August 23, 2014 Mohit Kumar

Hacking Gmail with 92 Percent Success Rate
A group of security researchers has successfully discovered a method to hack into six out of seven popular Smartphone apps, including Gmail across all the three platforms - Android, Windows, and iOS operating systems - with shockingly high success rate of up to 92 percent.

Computer scientists the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a new weakness they believe to exist in Android, Windows, and iOS platforms that could allow possibly be used by hackers to obtain users’ personal information using malicious apps.

The team of researchers - Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan - will present its paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" (PDF), at the USENIX Security Symposium in San Diego on August 23.

The paper detailed a new type of hack method, which they call a UI [user interface] state interference attack - running the malicious app in the background without users’ knowledge. You can watch some short videos of the attacks in action below.

Although, the researchers demonstrated the hack using an Android device, but they believe that the same method could be used across all three operating system platforms because when a users download multiple number of apps to their smartphone devices, the apps are all running on the same shared platform, or operating system.
"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."
Therefore users leave themselves open to such attacks as an Android phone allows itself to be hijacked or pre-empted. According to the team, the method could allow a hacker to steal a user's password, social security number, peek at a photo of a check on a banking app, or swipe credit card numbers and other sensitive data. The team tested and found some of apps including WebMD, Chase and Gmail vulnerable.

Demonstrating the method of attack on an Android device, an unsigned app such as a wallpaper changer carrying malicious code is first installed on the user's phone. Once installed, an attacker can use it to access an entry point that the researchers call a "shared-memory side channel" - exists in nearly all popular Graphical User Interface (GUI) systems - of any process, which doesn't require any special privileges.

The researchers then monitor the changes in this shared memory and were able to determine specific "activity transition events" like a user logging into Gmail, H&R Block or taking a picture of a cheque to deposit it online via Chase Bank.

In all the team tried to access seven apps, out of which six were easily hacked. Gmail and H&R Block were easiest to the hack with a success rate of 92 percent. On the other hand, Amazon was by far the hardest with just a 48 percent success rate.
"The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature," the researchers write in the paper.
Using a few other side channels, the team was able to accurately detect what a user was doing in real-time on app. Because this security hole is not unique just to Android, so the hack could presumably be used in iOS and Windows as well, the researchers say.

A successful attack requires two things:
  • First, the attack needs to take place at the exact moment that the user is performing the action.
  • Second, the attack needs to be conducted in such a way that the user is unaware of it.
The team managed to pull this off by carefully timing the attacks.
"We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen," said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. "It's seamless because we have this timing."
At USENIX Security Symposium, the researchers would recommend methods to try and eliminate the side channel, and would suggest more secure system designs, the team said in the paper. But even if you're want to keep yourself safe from an attack like this, it's always a good practice to be very careful about the apps you download onto your phone — especially apps from unofficial sources.

Wednesday, June 25, 2014 Swati Khandelwal

BBC News iOS App Not Hacked, Breaking News Push Messages Sent in Error
If you are one of the users of the BBC News iPhone app, then you might have receive a strange message as a breaking news notification earlier this morning.

The message was sent on two separate time durations. First the message reads: "NYPD Twitter campaign 'backfires' after hashtag hijacked," then strangely adds: "Push sucks! Pull blows!"

After a while it goes to: "BREAKING NEWS No nudity in latest episode of Game of Thrones!!! MORE BREAKING NEWS IIIIII like testing."

Beneath the message the text seems to get more serious as it adds: "This is a breaking news story and the BBC News app will bring you updates as soon as they are available."

From various media outlets, it was observed that the most popular BBC News smartphone app has been hijacked by the some attackers who compromised its “Breaking News” feature and sent bogus messages to the users of the BBC News iPhone app.

But BBC developers were actually testing some new push message features for their Apps and a test message was sent in error this morning by mistake.

BBC news has responded to this message and posted on their official Twitter account that this notification was by mistake “sent in error" to their app subscribers and that their account has not been hacked. "We apologise for previous two test push notifications which were sent in error to BBC News app subscribers.” BBC tweeted.

Sunday, April 06, 2014 Swati Khandelwal

Microsoft announces Free Windows OS for Internet of Things and Mobile Devices
Tomorrow, 8th April could be a sad day for all those who are still using Windows XP, as it is an official assassination day of it, but there is also a good news that Microsoft is going to stop charging for its Windows Operating System on on the devices with screens smaller than nine inches.

Yes, Free a Windows OS for the Internet of Things (IoTs)such as Mobile Devices, Smart thermostats, Smart TVs, wearable devices etc., that was announced by Microsoft at Build 2014 conference on Wednesday.

To accelerate the creation of great mobile devices running Windows and grow our number of users, we announced today that Windows will be available for $0 to hardware partners for Windows Phones and tablets smaller than 9” in size,” said Terry Myerson, executive vice president, OS Group at Microsoft and he also added that it will include a one-year subscription to Office 365.

FREE, BUT NOT OPEN SOURCE
Free Windows, means the manufacturers of small tablets, phones and any other small devices won't have to buy a license from Microsoft.

According to Microsoft, Windows for Internet of Things will use the same code base as Windows Phone 8, which will run only the mobile apps, not any desktop software, and also they didn't mention about open sourcing the code base of Windows for IoTs, as Google’s Android.

The reason behind it may be in an effort to make it tough for hackers to exploit the operating system and to ensure the code is sound and secure.

Distributing free Windows could be a prominent step, but it’s one that Microsoft needed to take earlier, because Google’s free mobile operating system - Android is used widespread among the consumer electronics devices. The reason Microsoft required to move on to some strategic approach is to catch up with Google's Android and Apple's iOS operating systems.

Since, Google’s android is an open source, which is freely available to everyone, so anyone can use it without paying a single penny and even Apple is also pushing itself hard to bring its operating system prices towards zero.

But, on the other hand, Microsoft is charging $10 for its Windows Phone operating system on each Smartphone and tablet, which made existence toilful for Microsoft in recent years. So, to boost its monopoly in the world of smart devices, Microsoft took a tremendous move in a right direction.

The new update will definitely help Microsoft to beef up its app marketplace, as it allows developers to build apps for Windows 8.1 tablets, as well as for Windows Phone 8.1 Devices.

WINDOWS PHONE 8.1
In addition, Microsoft has also announced the next version of the Windows Phone operating system, Windows Phone 8.1, which comes with several new features, including the voice controlled Cortana digital assistant.

Cortana is named after a female character in Microsoft's Halo video game, and is aimed as a competitor to Apple's Siri for iOS. Microsoft said Cortana can interact with third-party Windows Phone apps such Skype, Hulu Plus, Facebook and Twitter, all of which can be controlled via voice commands.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!