Weekly Mobile Security News Roundup

This week’s summary touches on several major security headlines. We continue to witness security lapses both by major app developers and by the architects of the operating systems themselves – Google, Apple and now Microsoft.

  • GimmeRAT: Windows Attack Tool implements Android Functionality
    Winspy, a Remote Access Trojan (RAT) that until now solely targeted Windows machines, has been given Android attack features. This serves as an additional indication that attackers continue to perceive Android as a major target for collecting confidential user data.

    Researchers discovered the additional mobile functionality in WinSpy while investigating a recent attack on an American financial organization. The Android component of Winspy has been named GimmeRAT.

    The infection of an Android device begins once the device is connected to a Winspy-infected computer. Winspy uses a command line tool called Android Debug Bridge (ADB), which allows it to execute commands on the Android device. The Android Debug Bridge is a legitimate tool included in the Android software development kit (SDK). Once the Android malware has infected the device, it installs an app that will appear as a Google App Store

    By adapting Winspy into a Mobile Remote Access Trojan (mRAT), the attacker is able to control the victim’s device via SMS messages or through a Windows-based controller. Using the Android espionage features, the attackers can take screenshots of target devices and record their GPS location, sending the data to the malicious command and control servers. Text messages can also be monitored by the malware.


    Why is this Significant?
    The mobile industry will continue to attract cyber criminals and state-sponsored hackers who demand advanced mRATs for financially motivated attacks or surveillance. GimmeRAT is a prime example of the blurring of the lines between PC and mobile malware, as well as the idea that PC malware may soon become just a means of accessing the victim’s phone.

  • WhatsApp chat history on Android is liable to theft due to a file system flaw
    The latest WhatsApp publicized vulnerability may be one of its most severe flaws.

    Responsibility for the flaw is shared by both WhatsApp and Google. The issue comes down to Android’s handling of external storage, as well as sub-par security standards in WhatsApp.

    Essentially, the flaw allows any Android application with access to the device’s SD card to read and upload WhatsApp’s database. Since the chat database is saved on the user’s SD card, any Android application given SD permissions can access it (this is due to Android design – any app that can read and write to the external SD card can also read what other applications have stored). Seeing as most users pay little attention to a new app’s permission request – this becomes a severe problem.

    WhatsApp not only stores its database on insecure external storage, but earlier versions of the app did so without any encryption at all. Although later versions encrypt the database, the encryption key can be easily extracted using third-party tools.
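The storage design issue described above, as an added illustration that is not WhatsApp’s code: a hypothetical chat app placing its database under shared external storage (readable by any app holding the external-storage permission) beside the app-private internal location Android already provides, plus a guard that refuses to open a sensitive store from the shared volume. DB_NAME and the class and path names are constructed for the example.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.IOException;

// Hypothetical helper class for the example; not WhatsApp's code.
public final class ChatDbLocation {
    static final String DB_NAME = "chats.db"; // constructed name

    /** Insecure: external storage is one shared area. Any app granted
     *  READ_EXTERNAL_STORAGE (or WRITE_, which implies read) can open it.
     *  Context.getExternalFilesDir() is no better here: it is still on the
     *  shared volume, only namespaced by package name. */
    static File insecureDbFile() {
        File dir = new File(Environment.getExternalStorageDirectory(), "ChatApp/Databases");
        if (!dir.exists() && !dir.mkdirs()) {
            throw new IllegalStateException("cannot create " + dir);
        }
        return new File(dir, DB_NAME);
    }

    /** Hardened: app-private internal storage. The directory is owned by the
     *  app's own Linux UID, so no other unprivileged app can read it. */
    static File hardenedDbFile(Context ctx) {
        return ctx.getDatabasePath(DB_NAME); // e.g. /data/data/<pkg>/databases/chats.db
    }

    /** Review-time / debug-build guard: true if the file resolves to a path
     *  under the shared external storage root. */
    static boolean isOnSharedStorage(File f) throws IOException {
        String ext = Environment.getExternalStorageDirectory().getCanonicalPath();
        return f.getCanonicalPath().startsWith(ext + File.separator);
    }

    /** Open the chat store, failing closed if it was ever pointed at the SD card. */
    static File openChatDb(Context ctx) throws IOException {
        File db = hardenedDbFile(ctx);
        if (isOnSharedStorage(db)) {
            throw new SecurityException("chat database must not live on external storage: " + db);
        }
        return db;
    }
}
```

Moving the file fixes only the location problem; a database encrypted with a key that any third-party tool can recover is still readable once copied, so key handling must be addressed separately.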


    Why is this Significant?
    Following its much-publicised acquisition, WhatsApp has come under increasing scrutiny. However, we should take into account that many other massively popular apps have just as many security issues, yet have not received similar attention.

    Another important aspect is the fact that regardless of WhatsApp’s faults, sometimes it’s the underlying design issues that create the problem. Mobile security is about much more than just dissecting one specific app.

  • Apple seem to have inadvertently downgraded iOS security
    In an attempt to upgrade iOS security, Apple have recently replaced the internal random number generator (between iOS 6 and iOS 7). New research shows that, in doing so, Apple might have accidentally decreased the operating system’s level of security.

    The research shows that the new pseudo-random number generator (PRNG) is “…alarmingly weak, deterministic and trivial to brute-force…”.

    The research goes on to conclude that an unprivileged attacker, even when confined by the most restrictive sandbox permissions system, can recover arbitrary outputs from the generator and consequently bypass all the exploit mitigations that rely on the early random PRNG.

    Why is this Significant?
    Mobile attacks are advancing both in complexity and in perseverance. Apple’s iOS is more vulnerable than it is perceived to be – attackers have multiple platforms and “routes” by which to attack a device. In this case, closing one route just opened up another.

  • Paypal is vulnerable to Remote Code Execution
    A vulnerability has recently been discovered in the PayPal application for Android. It allows an attacker to achieve code execution via a Man-in-the-Middle (MitM) attack.

    PayPal uses a WebView that ignores SSL certificate errors, while the same WebView has a JavaScript interface registered. The combination of the two bugs allows an attacker in a MitM position to execute code on the device. This means that it is dangerous to use the PayPal Android app on public Wi-Fi networks.
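The two-bug combination described above, as an added example that is not PayPal’s code: a hypothetical WebView setup that accepts any certificate and injects a bridge object, beside the hardened form that fails closed on TLS errors and exposes only annotated methods. Class and method names (WebViewSslExample, DeviceBridge, appVersion) are constructed for the example.

```java
import android.annotation.SuppressLint;
import android.net.http.SslError;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical example class; not PayPal's code.
public final class WebViewSslExample {

    /** Vulnerable pattern: trusts any certificate AND exposes a Java object to page script. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    static void configureInsecure(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.proceed(); // accepts invalid or forged certs: an on-path attacker can serve script
            }
        });
        // Script delivered over that unverified connection can now call into this object.
        wv.addJavascriptInterface(new DeviceBridge(), "Android");
    }

    /** Hardened pattern: keep the default fail-closed TLS behaviour and limit the bridge. */
    @SuppressLint("SetJavaScriptEnabled")
    static void configureHardened(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.cancel(); // never proceed() past a certificate error; this is the default
            }
        });
        // Requires minSdkVersion >= 17: from API 17 only @JavascriptInterface methods
        // are reachable from page script. On older releases every public method was.
        wv.addJavascriptInterface(new DeviceBridge(), "Android");
    }

    static final class DeviceBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; } // constructed value

        // Deliberately unannotated: not callable from JS on API 17+.
        public void clearLocalCache() { }
    }
}
```

If the WebView only ever loads the app’s own pages, the safer fix is to drop addJavascriptInterface altogether rather than rely on the annotation.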

    This is an issue that Paypal were made aware of several months ago but haven’t acted on yet.


    Why is this Significant?
    Paypal is one of the most widespread methods of online payment, and even with this status, security falls between the cracks. With free public Wi-Fi becoming almost a requirement in every major city, this sort of security issue is a dangerous one.

  • Malicious 3rd party Windows Phone app causes mass leak of user credentials
    A Windows Phone app has recently been implicated in the leakage of thousands of passwords from the Dutch cell carrier Telfort.

    After several false trails, the leak was eventually traced to a malicious Windows Phone app. The app, Abonnement Status, promised to allow users to review their data and call usage as well as their last three statements, when in fact it was harvesting the users’ passwords.


    Why is this Significant?
    We hear much less about Windows Phone malware than about malware on iOS or Android, yet this doesn’t necessarily mean that its security is superior. This is also a perfect example of social engineering enabling a mobile attack, which is something that we’ll expand on in the coming weeks.