Hello and welcome back to #MobSec5, your run-down of the week’s mobile security news.
This edition includes:
- Malware inflates ratings on Google Play store
- Botnet victims’ connected devices subject to search?
- Google aims to make open-source more secure
Thanks for reading. Have a great weekend, be good, and stay safe.
More Than 1 Million Google Accounts Breached by Gooligan
(Check Point Blog)
“The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day.”
Gooligan is malware that installs on Android devices via seemingly legitimate carrier apps downloaded from third-party app stores, or as part of a phishing campaign. A variant of the Ghost Push family, Gooligan exploits vulnerabilities in older versions of Android (4 and 5) and harvests e-mail credentials and authorization tokens for a number of Google applications. Google has notified affected users and detailed the actions taken to combat Gooligan in a statement. Director of Android Security Adrian Ludwig wrote, “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.” Researchers claim Gooligan can automatically install apps from Google Play, rate them, and publish reviews. This incident provides additional evidence that mobile operating systems can be compromised, and so apps cannot rely solely on OS protections to remain secure.
When it comes to security, Android is the new Windows
“Android, the world’s leading mobile operating system, keeps improving security, but it suffered several notable issues this month.”
Announcing OSS-Fuzz: Continuous Fuzzing for Open Source Software
(Google Security Blog)
“We are happy to announce OSS-Fuzz, a new Beta program developed over the past years with the Core Infrastructure Initiative community. This program will provide continuous fuzzing for select core open source software.”
In a NowSecure webinar, Security Researcher Jake Van Dyke warned developers against assuming that third-party protocols and libraries (including open-source libraries) are secure. Google’s goal with OSS-Fuzz is to make open-source software more secure and stable by conducting fuzz testing against open-source projects, notifying project owners of vulnerabilities or bugs, and verifying fixes.
A Rowhammer ban-hammer for all, and it’s all in software
“That’s what the authors of this ArXiv paper claim: a software-only defence for x86 and ARM machines that isolates the memory of different system entities – for example, the kernel from the user space.”
“The changes expand the FBI’s ability to search multiple computers, phones and other devices across the country, and even overseas, on a single warrant. In an increasingly connected world, amending the rules is both necessary for law enforcement agencies and deeply concerning for digital privacy advocates.”
The article goes on to explain that with changes to Rule 41, victims of a botnet attack, such as Mirai, may find their Internet-connected devices subject to search. A blog post published in April by the Electronic Frontier Foundation (EFF), a non-profit digital rights group, called the changes “a dangerous expansion of powers.”
New Mirai Worm Knocks 900K Germans Offline
(Krebs on Security)
“More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai.”
The limitations of Android N Encryption
(A Few Thoughts on Cryptographic Engineering)
“Over the past few years we’ve heard more about smartphone encryption than, quite frankly, most of us expected to hear in a lifetime. We learned that proper encryption can slow down even sophisticated decryption attempts if done correctly. We’ve also learned that incorrect implementations can undo most of that security.”
Balancing Employee Privacy with Company Security in Mobile Policies
(Information Management Online)
“With an influx of personal device usage in the enterprise today, it’s vital companies have guidelines in place to help draw the line between securing corporate data and respecting employee privacy.”
Grand Theft Tesla: Android App Hack Unlocks, Starts Car
“Norwegian researchers hacked the Tesla Android app to unlock a Tesla car and drive it away without a keyfob.”
BitUnmap: Attacking Android Ashmem
(Google Project Zero Blog)
“The law of leaky abstractions states that ‘all non-trivial abstractions, to some degree, are leaky.’ In this blog post we’ll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result in security vulnerabilities affecting core system code.”
“AirDroid, the popular Android desktop manager, has some pretty nasty security vulnerabilities according to a recent report.”