
Monday, 23 November 2015

Chrome for Android Vulnerability Discovered by Researcher

Chinese Researcher Discovered Vulnerabilities in Android Operating System

Over the past few months, Google has been busy fixing security vulnerabilities in its widely used Android mobile operating system, though several tend to remain undiscovered and some could be easily misused. Guang Gong, a Chinese researcher from Qihoo 360, demonstrated at MobilePwn2Own at the PacSec conference in Tokyo how an Android device running the latest version of the operating system could be hijacked by exploiting a JavaScript V8 vulnerability through the Chrome browser.

The JavaScript V8 vulnerability in Chrome for Android enabled Gong to install an arbitrary application on the affected device, a BMX Bike game in this case, without any user interaction, as PacSec organizer Dragos Ruiu explained in a Google+ post. V8 is Google's open source JavaScript engine, written in C++ and used in Google Chrome, the open source browser from Google.

A Google security engineer on site received the bug. Spotpedia reported that a Google engineer got in touch with Gong immediately after his presentation, and rumour had it that the Chrome team had already fixed it. Gong commented on 9to5Google that the exploit was created by someone whose job was to find vulnerabilities and not a hacker with malicious intentions.

Vulnerability in JavaScript Engine in Chrome

As long as Chrome is used to navigate to a malicious site an attacker has set up, the device could be infected. This was demonstrated on a Google Project Fi Nexus 6 running the latest Android 6.0 Marshmallow build with all applications updated. The researcher also demonstrated that the vulnerability could give an attacker total control of the device, and that successful exploitation does not need chaining of multiple vulnerabilities.

Ruiu says that this one-shot exploit came after three months of work, though the exact details of the security flaw had not been made public. The exploit had been tested on other devices too and worked on all of them, according to Ruiu. Since the vulnerability is in the JavaScript engine in Chrome, it is said to affect every Android version on which the new version of the browser is installed. Ruiu announced on Twitter that the details of the vulnerability had been handed over to a Chrome engineer at the conference.

Series of Critical Android Vulnerabilities Observed

Unfortunately for Gong, his presentation at the conference did not gain him an immediate reward for his efforts, though Google would probably reward him for the discovery of the vulnerability, since the company has a bug bounty program set up for Chrome and Chrome OS. According to The Register, Ruiu would fly Gong to the CanSecWest security conference next year.

Google would most probably handle this vulnerability soon, even though the details of the exploit have not been made public so far. A series of critical Android vulnerabilities has been discovered by security researchers this year, including the Stagefright flaw, which has affected almost a billion devices, and a Stagefright 2 issue alleged to have affected devices running all Android versions, beginning with the initial release.

Tuesday, 1 September 2015

Certifi-gate Vulnerability

Certifi-gate Vulnerability – Disclosed at Black Hat Conference

A mobile application exploiting the Certifi-gate vulnerability, which was disclosed at the Black Hat conference in Las Vegas earlier this month, has been removed from the Google Play store. Although the number of downloads of Recordable Activator, a screen recorder app for Android devices, is between 100,000 and half a million, researchers at Check Point Software Technologies, who discovered the vulnerability, stated that it would be successfully exploited on only three devices.

The company mentioned in a blog post that the data seems to come from Check Point's in-house Certifi-gate scanner application. Data from scans using the scanning app show that LG devices are most at risk, together with Samsung and HTC, and 16% of the devices responding to scans indicate that they host vulnerable plugins. Certifi-gate was revealed at Black Hat three weeks ago and, when exploited, enables an attacker to take complete control of the device by using a malicious mobile app or SMS message. The weakness is due to third-party remote support tools which are either pre-installed on Android devices by the developers and/or carriers, or are available for download.

Mobile Remote Support Tools – mRST

Mobile remote support tools (mRSTs) are generally signed with OEM certificates, providing them system-level privileges for the purpose of handling remote support tasks. Check Point revealed at Black Hat that there are authentication problems which could be bypassed by a malicious app using one of these mRST tools.

The issue with Recordable Activator is that it downloads a vulnerable version of TeamViewer and abuses insecure communication between the app and system-level plugins. Apps that are signed with OEM certificates are treated as trusted and evade the native Android restrictions that prevent apps like Recordable Activator from obtaining excessive permissions.

It could then be used to exploit the existing authentication vulnerability and connect with the plugin in order to record whatever is happening on the screen, according to Check Point. Ohad Bobrov, a researcher at Check Point, explained at Black Hat that a malicious app tends to impersonate the original mRST to obtain access to everything on the device.

Tools Pre-installed with No UI

Bobrov stated during a press conference at Black Hat that the reason for this problem was that on several devices these tools are preinstalled, and in many cases, since the tools do not have a UI, the user is not aware of their existence: no icon is shown and nothing visible on the device indicates that they are there.

This makes it easier for an attacker to take control of them. Check Point states that patching this problem is not easy, since the tools are generally preinstalled and may need manufacturers to push updated ROMs to vulnerable devices. Though new versions of remote support tools like TeamViewer tend to be released, the older versions are likely to remain in circulation for a while.

He further adds that it would take a long time until a new version arrives, but the more problematic issue is not the bug but the architecture. The vendors and OEMs have signed this vulnerable mRST with their certificates, and these cannot be revoked or else the plugin will not function.