Android Patch Fixes Two File Vulnerability Attacks

Android Vulnerability

Google has released a security update that patches two separate vulnerabilities that could modify apps without changing their digital signature. Thus malicious apps could be installed without triggering a warning.

The first was discovered in February of this year by BlueBox Security. They found that if you took two application install files, one legitimate and one hacked – but using the exact same file name, you could get Android to install the hacked one.

When the resulting zipped APK file is processed and installed, Android would correctly check the digital signature on the first file to verify it’s legitimacy, but would actually install the second file!

According to BlueBox, 99% of Andoid devices are vulnerable to this attack. Sophos has a great step by step write up on it here, or if you are at Black Hat USA 2013 later this month be sure to check out Jeff Forristal’s talk, “Android: one root to own them all

The second vulnerability was published last week on a Chinese website called the ‘Android Security Squad Blog‘ (Google Translation). According to the site, the signature verification process can be attacked by modifying file headers.

Apparently malicious code can be added into the file headers, which at the time of the post’s writing was not checked by the Android’s signature verification process.

Both vulnerabilities have since been patched by Google. But the problem is how long will it take device manufacturer’s to implement the changes and push them out to end user devices? Of concern too is older devices that are no longer being updated.

According to The Verge, Google has made changes to the Google Play store updating mechanism to help prevent attacks like this from happening, and Sophos recommends using an Android Anti-virus program to protect against the vulnerability.

620,000 Android Phones in China hit by Most Costly Malware in History

Flag of the People's Republic of China

China may be the source for a lot of international cyber attacks and malware, but they get hit by it too. 620,000 Android phones in China were infected with a nasty virus that takes over the phone, collects personal information from it and begins to send costly  text messages to benefit the malware maker.

Yesterday, security research company NQ Mobile created a press release about the discovery of the Android malware they dubbed “Bill Shocker”. Based on their findings they claim, “Bill Shocker is an SDK designed by malware developers that infects several of the most popular apps in China, including Tencent QQ Messenger and Sohu News.”

Bill Shocker then downloads itself in the background and takes over control of the phone, including dialing and texting features. And “Once the malware has turned the phone into a “zombie,” the infection uses the device to send text message to the profit of advertisers. In many cases, the threat will overrun the user’s bundling quota, which subjects the user to additional charges,” the report says.

The malware could affect phones outside China and has the potential to be the most costly malware in history, according to NQ.

So what can you do to keep your phone safe? NQ offers several tips to avoid infection including:

  • Only download apps from trusted sources
  • Never accept application requests from unknown sources
  • Closely monitor permissions requested by any application
  • And be alert for abnormal behavior from your smart device

NQ Mobile also offers a mobile device security solution that is already protects against threats like Bill Shocker.

With mobile malware becoming more prevalent, Bring Your Own Device (BYOD) is really starting to increase the attack surface of corporate networks. Companies really need to take a good look at their Mobile user security policy if they haven’t done so already.

Windows Phone Denial-of-Service Attack Disables Messaging

A specially crafted SMS text or Facebook chat message can disable the Windows Phone Messaging Hub according to Winrumors.com:

“The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts. We have tested the attack on a range of Windows Phone devices, including HTC’s TITAN and Samsung’s Focus Flash. Some devices were running the 7740 version of Windows Phone 7.5, others were on Mango RTM build 7720.

The attack is not device specific and appears to be an issue with the way the Windows Phone messaging hub handles messages. The bug is also triggered if a user sends a Facebook chat message or Windows Live Messenger message to a recipient.”

The malicious text message causes the Windows Phone to reboot, and then when it is back up, the Messaging Hub is no longer accessible. The vulnerability has been reported to Microsoft, but as of now there is no fix for the problem other than hard resetting and wiping the phone.

Fun, fun – Who’s idea was it to make our cell phones into computers? Didn’t they realize that with the benefits of computers also come the pitfalls?

Android Phone “Face Unlock” Feature Fooled by Picture

Looks like the Face Unlock feature on the new Galaxy Nexus is more of a novelty item than a security feature. In the video above you can see the phone being unlocked by a picture from another cell phone.

According to PacketStorm Security this could be a security risk, “With your face literally all over the internet (think Facebook, Twitter, LinkedIn, etc.), this could be a potentially serious flaw in Android 4.0, codenamed Ice Cream Sandwich and unveiled last month in Hong Kong.”

Though facial recognition is cool, with smart phones already being touch sensitive, it would seem like finger print recognition (Like on the Motorola Atrix) would be a much better bet.