Weekly Mobile Security News Roundup

What’s new on the mobile security front? From an uncovered APT campaign that had been running since 2007, to new Android research unveiled platform issues affecting the permissions, and Snapchat hacks.
If you weren’t able to keep up with the news – we did it for you.

• An APT report named “Careto” (Spanish slang for “Mask” or “Ugly Face”) was released by Kaspersky. According to the report, the “Careto” campaign involved cyber espionage and has been running since at least 2007. In January 2014, its C&C (command and control) servers have been down – and now we have the news of the analysis.

  Careto is almost unique in the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS). Careto infects users by way of targeted phishing e-mails with links to a malicious website.

  So far, it looks like there are hundreds of victims in countries from every corner of the world, with most of them fitting into one of the following categories:

  • Government institutions
  • Diplomatic offices and embassies
  • Energy, oil and gas companies
  • Research institutions
  • Private equity firms
  • Activists

  The researches have seen unique identifiers lead them to believe that Careto does have both Android & iOS capabilities, but this is yet to be confirmed.

  http://www.securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_Asked_Questions

  Why is this Significant?
  The fact that Careto might possess capabilities against the trifecta of Desktop, Android & iOS places it at as a major APT campaign. Having been active for the past 7 years, we should expect this trend to continue.

• There are lots of rumors that Nokia is due to unveil low-cost Android phone. Despite the company’s close partnership with Microsoft & Windows OS, the Wall Street Journal has said that Nokia plan to release a new entry level Android phone aimed at emerging markets.

  http://www.reuters.com/article/2014/02/10/us-nokia-android-idUSBREA191Q520140210

  Why is this significant?
  The mobile world is looking more like a two-horse race as the days go by. Recent surveys show that iOS and Android now account for around 75% of enterprise devices. Although Nokia & Google are yet to confirm the story, this is another interesting development that sheds a bit more light on the future playing field of mobile devices and OSs.

• An interesting article was published this week, discussing the fact that Android’s custom permissions system can be misused, allowing malware to hold a custom permission without the user’s awareness or even downgrade another app’s permissions.

  Let’s start from the beginning. Android has always offered both platform permissions (defined by the framework) and custom permissions (defined by apps). Unfortunately, custom permissions have some undocumented limitations that make potentially dangerous. Specifically, custom permissions can be defined by anyone, so if two apps define the same custom permission, it comes down to Android’s “first come first serve” system, which opens up the possibility of unexpected behavior.

  Although this requires the malware to “get there first” there a number of entirely possible scenarios that enable this (apart from the case where its installation process is faster than the genuine app):

  • Somebody could sell a used Android device, and the buyer could neglect to factory-restore it, retaining the malware installed by the seller. This could also be more than an “oversight”, if the buyer intended to buy a device with a preinstalled ROM (like CyanogenMod), enabling the seller to install malware while knowing that it will be safe from a restore.
  • Devices distributed to low-level user who might think that the pre-installed malware is actually a legitimate app.

  https://github.com/commonsguy/cwac-security/blob/master/PERMS.md

  Why is this Significant?
  Without going into too many details, this is obviously a serious issue. It seems to be unknown to most developers and showcases another way to take advantage of Android devices. It goes to show that there are many different parts of Android’s framework that are vulnerable to different kinds of attacks and malware.

• Two entirely different Snapchat security issues have been discovered and exploited by hackers.
  • The more serious of the two enables a Denial of Service (DoS) attack against users’ phones. Due to a bug in how Snapchat handles authentication tokens, attackers are able to aim a DoS attack against both iPhone and Android users.
    According to what initial reports say, the DoS can cause iPhones to freeze while only slowing Android devices down. It also makes it impossible to use the app until the attack ends.
    http://www.theregister.co.uk/2014/02/10/snapchat_token_bug_creates_dos_attack_for_ios_android
  • The second seems to be more of an irritation than anything else, but still highlights several underlying issues. The hack is sending users pictures of smoothies emblazoned with the URL for a weight loss company called Snapfroot.
    http://www.theverge.com/2014/2/12/5404208/snapchat-hack-sends-people-pictures-of-smoothies

  So far, Snapchat have failed to acknowledge the first issue and when addressing the second, said that it’s only possible when the attacker already has a user’s email address and guesses their password/acquires it by other means.

  Why is this Significant?
  This isn’t the first time Snapchat has been in the headlines for the wrong reasons. It’s one of the most popular apps in the US yet its security continues to fail. Additionally, this raises the question as to what security issues have yet to be discovered in other mega-popular apps.