Welcome to #MobSec5.
This week’s digest of the mobile security news that matters includes:
- Exploiting Android app permissions
- Russian criminals foiled before launching more mobile banking attacks
- Android anti-WannaCry apps are probably hogwash
Thanks for reading. Have a great weekend, will ya?
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
How a New Breed of Android Malware Could Steal Your Password
“Since these exploits could be used by apps that come out of the official Play Store, it’s hard to offer any air-tight practical advice, or imagine an easy fix on Google’s part.”
We’ve covered problems with the Android app permission SYSTEM_ALERT_WINDOW in recent editions of #MobSec5, and this week researchers released details about exploits that abuse the permission (along with others). In response to the researchers’ work, Google says an update to Google Play Protect will help detect and block malicious apps that use the permission, and stated “we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.” That might not be enough to protect a majority of Android users. Learn why on the NowSecure blog, which offers a plain-language explanation of the Android overlay view, the SYSTEM_ALERT_WINDOW permission, and how attackers can abuse them.
“Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers.”
A forensics and information security company involved in the investigation, Group-IB, explains in a blog post that “the Trojan scanned the victim’s phone for a banking application and displayed a universal window with the icon and name of the bank retrieved from Google Play that prompted the user to enter his personal data.” While authorities thwarted the criminals before they could launch additional attacks, Group-IB said the malware had been updated to target customers of banks in Great Britain, Germany, France, the US, Turkey, Singapore, Australia, and elsewhere. A researcher quoted in the article mentions an increase in attacks targeting mobile and SMS-banking users in “developing nations or in the countryside where access to conventional banking is difficult for people.” Adoption of mobile banking is trending upward in the U.S., meaning more potential targets for criminals. NowSecure VP of Risk and Privacy Ted Eull explained how to deliver secure mobile financial services in a webinar earlier this month.
“Apps claiming to protect Android users against WannaCry ransomware are popping up on Google Play, but all of them are a bunch of hogwash.”
IT threat evolution Q1 2017 Statistics
“In the first quarter of 2017, we registered a dramatic growth in attacks involving mobile ransomware from the Trojan-Ransom.AndroidOS.Egat family: the number of users attacked by this type of malware increased more than 13 times from the previous quarter.”
“In simple terms, yes, exploits save lives. They are not weapons, but they can be powerful tools. I have, and I cannot be more literal than this, seen it with my own eyes.”
Android Encryption Demystified
“With Android Nougat accounting for roughly 7% of the market, the chance of not being adequately protected is still high for an average Android user.”
iPhone 7 and 7 Plus get a stable jailbreak on iOS 10.1.1 with extra_recipe+yaluX
“Developer xerub has just released an updated version of Ian Beer’s mach_portal exploit, entitled extra_recipe. This new iteration should resolve the stability issues which have been plaguing iPhone 7 and iPhone 7 Plus users on the iOS 10.1.1 jailbreak.”
2017 Qualcomm Mobile Security Summit
Slides from the 2017 Qualcomm Mobile Security Summit held last week are now posted on the summit web site.
BART hit with class action privacy lawsuit over personal data collected by its security app
(San Francisco Business Times)
“The San Francisco Bay Area Rapid Transit District and the maker of its BART Watch mobile app were hit with a class-action lawsuit Monday over allegations that the app violates users’ privacy rights by collecting personal data.”
XSS over SMS: Hacking Text Messages in Verizon Messages
“After I installed the Android app and signed up, I logged in to the web app and started using it. After a while, I noticed that messages containing links were being displayed with a preview/summary embedded in both the web and mobile interfaces.”
“In the May 2017 Android Security Bulletin, Google released a patch to a critical and unique vulnerability CVE-2016-10277 in the Nexus 6 bootloader we had found and responsibly disclosed.”
Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8
(Chaos Computer Club)
“The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers of the Chaos Computer Club (CCC).”
“They mean police and MI5 can insist services like WhatsApp and Facebook remove all encryption from suspect messages themselves for the first time.”