Two US universities, the IMDEA Networks Institute, the International Computer Science Institute, and AppCensus tested the behavior of 88,113 Android apps to see whether applications can bypass the permission system and access data they were never granted, typically data that can identify a user, such as the IMEI, the MAC addresses of the device and of the router, and geolocation data. The researchers found 61 applications that actually transmitted such data without authorization, and 12,923 others that contained the code to retrieve it.
The applications obtained unauthorized access to data in two ways:
- through covert channels: for example, if application A is permitted to read the IMEI, it can pass it on to application B, which lacks that permission, usually via shared storage on the memory card;
- through side channels: for example, if an application has not been granted access to geolocation data, a server can still estimate the location from the IP address of the phone or of the router, or the application can read it from the EXIF metadata of recently taken photos.
When the researchers analyzed the offending applications, they found that the Salmonads and Baidu SDKs read the IMEI and store it in a hidden file on the memory card for use by other applications. The Unity game engine, in turn, can determine the MAC address of the phone, and nine other SDKs obtain the router's MAC address and the ARP table; through these they can also derive geolocation data and other information of interest.
The researchers reported their findings to Google, which paid them a reward and promised to fix many of these problems in the upcoming Android Q. Users of earlier Android versions can at least read the research report, 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System, or look up detailed information about all 88,000 examined applications.
Check Point Research has published details of new malware called “Agent Smith”, named after a character from the Matrix films, which has reportedly infected over 25 million Android devices. Once a user has installed a trojanized application carrying it from an unofficial source, Agent Smith uses the Android “Janus” or “Man-in-the-Disk” vulnerabilities to infect any already installed applications on its target list, reinstalls them, and disables their updates from official sources, while it can itself update them with newer malicious code. The user can therefore keep using the applications without knowing they are infected. For now the infection shows itself only in the phone displaying a larger number of fraudulent ads, from which the attackers earn money; in the future, however, Agent Smith could cause other damage, such as exfiltrating banking details or eavesdropping on the user's communications.
You can protect yourself against Agent Smith by following well-known security practices:
- Don’t download software from unofficial sources
- Update the operating system and applications promptly
- If you suspect an application is infected, uninstall it, then download and reinstall it from an official source (Google Play).
Researchers at Anomali and Intezer have described new ransomware named eCh0raix (by Anomali) or QNAPCrypt (by Intezer). It targets network-attached storage (NAS) devices from the Taiwanese company QNAP, which it infects by brute-forcing SSH. From its C&C server it requests an RSA public key, used to encrypt files with the extensions on its list, together with a bitcoin address for the ransom payment. The first version of the malware sent a different bitcoin address to each victim; Intezer's staff took advantage of this to block the malware. The authors therefore created another version that uses a single RSA public key and a single bitcoin address.
Interestingly, the ransomware checks the NAS locale; if it finds that the device is in Belarus, Russia or Ukraine, it stops and causes no damage there.
Against this ransomware, we can once again protect ourselves with familiar principles:
- Use sufficiently strong credentials
- Enable NAS firmware updates
- Connect the NAS to a local network where it is not reachable from the Internet
- Back up NAS data to another location.
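Because the infection vector described above is SSH brute force, the first sign of an attack is a burst of failed logins from one address, possibly followed by a success. The following added example (not code from Anomali, Intezer or QNAP) detects such bursts in OpenSSH-style syslog lines; the log lines are constructed for the example, and the format of a real QNAP log may differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH authentication log lines in syslog format (not real data).
SAMPLE_AUTH_LOG = """\
Jul 10 02:14:01 nas sshd[2201]: Failed password for admin from 198.51.100.23 port 51022 ssh2
Jul 10 02:14:03 nas sshd[2203]: Failed password for admin from 198.51.100.23 port 51030 ssh2
Jul 10 02:14:04 nas sshd[2205]: Failed password for invalid user root from 198.51.100.23 port 51041 ssh2
Jul 10 02:14:06 nas sshd[2207]: Failed password for admin from 198.51.100.23 port 51055 ssh2
Jul 10 02:14:09 nas sshd[2209]: Failed password for admin from 198.51.100.23 port 51060 ssh2
Jul 10 02:14:12 nas sshd[2211]: Accepted password for admin from 198.51.100.23 port 51071 ssh2
Jul 10 02:20:44 nas sshd[2301]: Failed password for alice from 192.0.2.10 port 40100 ssh2
Jul 10 02:31:05 nas sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(text, year=2019):
    """Return (timestamp, result, user, ip) tuples; syslog lines lack a year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> (total failures, compromised) for IPs with at least
    `threshold` failed logins inside `window`; `compromised` is True when a
    successful login from that IP follows the failure burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, ip in parse_events(text):
        (failures if result == "Failed" else successes)[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                flagged[ip] = (len(times), any(t > burst_end for t in successes[ip]))
                break
    return flagged
```

On the sample, the address 198.51.100.23 is flagged with five failures followed by a successful password login, which is exactly the pattern a NAS exposed to the Internet with weak credentials would show before encryption starts.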
At the end of June 2019, two OpenPGP experts found that someone had attacked their public PGP keys on the SKS (Synchronizing Key Servers) network by attaching tens of thousands of additional signatures to them. The attacker abused the well-known fact that the SKS server network is designed so that information can only be added, never deleted; the design was meant to resist censorship and forged information, since the original, correct information can never be removed. This advantage now turns out to be a liability: under OpenPGP a certificate can carry up to 150,000 signatures, but GnuPG, for example, cannot cope with that many and hangs. It can be assumed that other PGP users who have uploaded their keys to SKS servers will be hit by a similar attack.
Anyone who now wants to communicate with Robert J. Hansen or Daniel Kahn Gillmor and downloads their PGP keys from an SKS server risks their GnuPG installation choking and ceasing to work, perhaps irrecoverably. R.J.H.'s public key already carries 150 thousand signatures.
These “poisoned” certificates cannot currently be removed from the SKS server network; that would require changing the entire system, which would be very difficult.
The author of the post, R.J.H., proposes these interim workarounds for GnuPG:
- In the gpg.conf file, comment out all lines beginning with “keyserver”
- At the end of the dirmngr.conf file, add the line “keyserver hkps://keys.openpgp.org”. This line points to a new experimental key server that is not part of the SKS network; its functionality is limited, but it is resistant to the described attack, and “gpg --refresh-keys” can again be run without risk.
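Before importing a key fetched from any keyserver, a cautious user can count the signatures attached to each component and refuse a flooded certificate instead of letting GnuPG hang on it. The following added example (not code from GnuPG or from the post's author) walks the OpenPGP packet structure of a binary key export such as `gpg --export` output; the 1,000-signature limit and the sample key are constructed for the example.

```python
import struct
SIG, PUBKEY, UID, SUBKEY = 2, 6, 13, 14   # OpenPGP packet tags (RFC 4880)
def iter_packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP stream such as `gpg --export` output."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:                       # new-format header (RFC 4880 4.2.2)
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:                  # one-octet length
                length, pos = first, pos + 1
            elif first < 224:                # two-octet length
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:               # five-octet length
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:                            # partial body lengths never occur in exported keys
                raise ValueError("partial body length not supported")
        else:                                # old-format header (RFC 4880 4.2.1)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def signature_counts(data):
    """Return [(tag, signatures)] for each key, subkey and user-ID component in order."""
    counts = []
    for tag, _body in iter_packets(data):
        if tag in (PUBKEY, UID, SUBKEY):
            counts.append([tag, 0])
        elif tag == SIG and counts:         # a signature binds to the preceding component
            counts[-1][1] += 1
    return [tuple(c) for c in counts]

def is_flooded(data, limit=1000):  # `limit` is an assumed threshold, far below the 150,000 seen in the attack
    return any(n > limit for _tag, n in signature_counts(data))

def _packet(tag, body):  # new-format packet builder, used only for the constructed sample below
    n = len(body)
    ln = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + ln + body

# Constructed sample (not a real key): one user ID carrying 1,200 dummy signatures.
SAMPLE_KEY = (_packet(PUBKEY, b"\x04" + bytes(40)) + _packet(UID, b"Test <test@example.invalid>")
              + b"".join(_packet(SIG, b"\x04" + bytes(200)) for _ in range(1200)))
```

Only packet headers are inspected, so the check stays cheap even for a certificate with 150,000 signatures; ASCII-armored keys must be dearmored first.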
Vulnerable Video Conference Software Zoom
Back door in the Ruby library, strong_password
Huge fine for British Airways and Marriott hotels
DNS over HTTPS (DoH) litigation; Critics of DNS over HTTPS withdrew
American mayors commit not to pay if their networks are infected by ransomware