Weekly Mobile Security News Roundup

This week’s summary is a mix of positive and negative signs from the mobile security world. On one hand, we’re finally seeing meaningful penalties for security lapses, as well as service providers trying to take responsibility for their users’ security. On the other hand, major players that are widely presumed to be the safest mobile options are still letting users down.

  • Amazon Web Services has admitted it decompiles Android apps in order to perform security checks
    Amazon Web Services is actively searching a number of sources, including code repositories and application stores, for exposed credentials that could put users’ accounts and services at risk. As part of what it calls “normal operating procedures”, it also decompiles Android apps to look for credentials that developers have mistakenly hard-coded into them.

    Following the discovery that as many as 10,000 secret Amazon Web Services keys could be found on GitHub through a simple search, software developers have reported receiving a notice from Amazon that their credentials had been discovered in an Android application they had built and published on Google Play.

    In essence, Amazon is proactively scanning the common places where account credentials leak and then notifying the affected customers.
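    The kind of scan Amazon describes can be reproduced against an unpacked app. The following is an added example written for this roundup, not Amazon’s tooling and not code from the original post: it matches the documented AWS access key ID format and filters 40-character secret key candidates by context and entropy. It assumes the APK has already been decompiled to text (Java or smali plus decoded resources) under a directory; the sample class, its package name and the 4.0 entropy threshold are this example’s own choices, and the key values are AWS’s published example credentials rather than live ones.

```python
"""Scanner for hard-coded AWS credentials in unpacked app sources.

Added example, not Amazon's tooling and not code from the original post.
It assumes the APK has already been unpacked to text (Java or smali from
a decompiler, plus decoded resources) under a directory; the scanner only
reads text. The key formats it matches are AWS's documented ones; the
sample snippet and the entropy threshold are this example's own choices.
"""
import math
import os
import re
from collections import Counter
from typing import List, Tuple

# Long-term access key IDs begin with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. That alone
# matches hashes and blobs too, so a candidate is only reported when the
# line also mentions something key-like and the string has high entropy.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"(?i)secret|aws|s3|access")

Finding = Tuple[str, int, str, str]  # (source, line number, kind, value)


def shannon_entropy(s: str) -> float:
    """Bits per character; real secret keys score well above 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Scan one text blob line by line and return every credential hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, line_no, "access_key_id", m.group(1)))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_RE.finditer(line):
                candidate = m.group(1)
                if shannon_entropy(candidate) >= 4.0:  # drops placeholders such as all zeros
                    findings.append((source, line_no, "secret_key", candidate))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> List[Finding]:
    """Walk an unpacked app directory and scan every readable text file."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings


# Constructed sample of what a decompiled class might look like. The key
# values are AWS's published example credentials, not live ones; the
# placeholder line shows what the entropy filter discards.
SAMPLE_DECOMPILED = """\
package com.example.uploader;

public class S3Uploader {
    private static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private static final String S3_PLACEHOLDER = "0000000000000000000000000000000000000000";
    private static final String BUCKET = "user-uploads";
}
"""

if __name__ == "__main__":
    for source, line_no, kind, value in scan_text(SAMPLE_DECOMPILED, "S3Uploader.java"):
        print(f"{source}:{line_no}: {kind} {value[:4]}...{value[-4:]}")
```

    Point scan_tree() at the output directory of a decompiler to scan a whole app. The context and entropy filters exist because a bare 40-character pattern also matches commit hashes and base64 blobs; a real scan should still expect to triage a few false positives by hand.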


    Why is this Significant?

    An Amazon official was quoted as saying: “To help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity”. Amazon’s findings show that many developers are still not as aware of security issues as they should be.

    Amazon’s actions are, however, a sign that some of the most relevant players in the mobile domain, in this case a large cloud service provider, are stepping up to the plate on security, albeit with baby steps.

  • Fandango and Credit Karma have settled with the FTC over App Security Flaws
    Following the US Federal Trade Commission’s finding that the mobile apps of credit report provider Credit Karma and movie ticket seller Fandango may have exposed millions of consumers’ sensitive personal information, including credit card details, both companies have agreed to settle.

    The FTC concluded that both companies failed to take “reasonable steps” to secure their mobile apps, leaving them vulnerable to Man-in-the-Middle (MitM) attacks, which could have allowed an attacker to intercept any information customers submitted via the apps.

    In short, the violation was that the companies had disabled SSL certificate validation, the industry-standard check that confirms an app is actually talking to the server it intends to and not to an attacker sitting in between. Basic security testing would have caught or prevented the vulnerabilities. To add insult to injury, both companies assured users that their credit card information was secure.
    The settlements require Fandango and Credit Karma to establish mobile app security programs and to undergo independent security assessments every other year for the next 20 years.
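    To make the failure concrete, here is an added example (not code from Fandango, Credit Karma or the FTC, and not from the original post) that puts the disabled-validation configuration beside its corrected form. The apps in question were Android code; the same two settings are expressed here with Python’s ssl module, together with a small check of the kind a basic security test would run against a client’s TLS configuration. The host name used by open_tls() is a placeholder.

```python
"""Client-side TLS configuration: the mistake beside the correct form.

Added example, not code from Fandango, Credit Karma or the FTC. The apps
in question were Android (Java) code; the same two settings are shown
here with Python's ssl module, together with a check that flags them in
an SSLContext. The host name passed to open_tls() is a placeholder.
"""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """What the FTC faulted: certificate validation switched off.

    On Android this was a TrustManager that accepted every chain plus a
    HostnameVerifier that always returned true. With validation off, an
    attacker on the same network can present any certificate and read
    or modify everything the app sends.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an attacker's, is accepted
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against a trust store and match the host name.

    Passing the app's own bundled CA file as `cafile` instead of relying on
    the system store pins the app to that CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a basic security test should raise for `ctx`."""
    problems: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: the peer certificate is never validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version permits TLS older than 1.2")
    return problems


def open_tls(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with `ctx`; under hardened_context() a MitM certificate raises ssl.SSLCertVerificationError."""
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname is the name that check_hostname compares the certificate against
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or ["ok"])
```

    The test the FTC said was missing is exactly audit_context() plus a live check: connect through an intercepting proxy with its own certificate and confirm the connection is refused. With insecure_context() it is not, and every byte the app sends is readable in the proxy.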


    Why is this Significant?

    This is one of the first major cases of companies being held directly responsible for security lapses in their apps. Although it is a step in the right direction, thousands of apps out there are likely still transferring financial or personal details in a highly insecure manner. It is also worth noting that the “punishment” is aimed at ensuring future users’ security, which demonstrates that mobile security is beginning to hit home.


  • Fake Google apps removed from Windows Phone Store by Microsoft
    While the only Google app that should be available in the Windows Phone Store is the company’s search app, this week others such as Google Voice, Maps, and Hangouts appeared in the marketplace before being exposed as fakes.

    The six fake Google apps were:
    1. Hangouts
    2. Google Voice
    3. Gmail app
    4. Google Search
    5. Google+
    6. Google Maps
    The apps were published under the name “Google, Inc.” (note the comma) and were priced at $1.99 each.


    Why is this Significant?
    This event raises serious questions about Microsoft’s security checks on new apps. Microsoft quickly removed the offending apps, but has not yet addressed the larger issue of how they were approved in the first place. Fake apps carry several security risks and harm user privacy: whether disguising a premium SMS service or a mobile Remote Access Trojan (mRAT), they are one of the most effective ways to get malware onto a victim’s device. This isn’t the first time Microsoft has been criticized for setting a low bar for approving apps into the Windows Phone Store.


  • New Android Botnet targets Middle East banks
    A new botnet, with a crude yet remarkably effective method of attack, comes disguised as one of several online banking apps. So far the malware has mainly targeted customers of several financial institutions in the Middle East. It has now infected more than 2,700 phones and intercepted at least 28,000 text messages.

    In addition, this fake-bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain. The attacker behind the campaign seems to have done little to hide his activities: the same registration information used for the domain associated with this botnet, funnygammi.com, was also used to register the fake bank domains that deliver the malicious payload itself.

    The modus operandi of banking malware is usually to convince the user to download a file that supposedly originates from the bank. The file is actually a malicious app that intercepts the victim’s incoming SMS messages and relays them to the attacker. Since banks often send authentication codes and login details by SMS, the attacker obtains exactly the information needed to impersonate the victim.


    Why is this Significant?

    This attack highlights several relevant issues:

    1. In practice, even though most AVs do in fact recognize this botnet, most users remain AV-less and have yet to realize the risk of doing so.
    2. AV is just one part of the picture. Many mRATs can’t be identified by even the most advanced AV apps. Most of these mRATs are installed once the device has been rooted, a state that AVs are completely oblivious to.
    3. Organizations are, ironically, lowering the bar for attackers, whether by transferring critical details using insecure methods or by omitting important security tests before releasing an app.

  • iOS 7 Bug enables strangers to Disable Find My iPhone and Delete the Victim’s iCloud Account

    With iOS 7, deleting an iCloud account or restoring a device requires Find My iPhone to be disabled first. Disabling Find My iPhone, in turn, requires the password for the Apple ID attached to the iCloud account.

    Unfortunately, there is an easy way to bypass these requirements. Videos circulating on the web show a laughably simple process that, once finished, gives any stranger with physical access to a victim’s phone full access to their iCloud account, as well as the ability to turn Find My iPhone off.


    Why is this Significant?
    Considering the invaluable data on a modern smartphone, this simple bypass shows that security levels and security testing just aren’t good enough yet.


  • Android Trojan Targets Cuba
    Researchers have identified a new mRAT (Mobile Remote Access Trojan) embedded in copies of EstecsaDroyd, a popular underground app in Cuba that is an unauthorized copy of the telephone directory of the Cuban phone company ETECSA.

    Once installed, the mRAT surreptitiously takes over priority handling of incoming SMS messages and waits to be remotely activated. On receiving a message containing the word “cola”, it looks for all MP3 files on the SD card and overwrites them with a sound file.

    Not satisfied with destruction alone, the mRAT also replaces the content of the last remaining audio file with a file containing an encrypted list of contacts retrieved from the infected device.
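    Both the SMS-relaying banking malware described above and this mRAT’s takeover of SMS handling leave the same fingerprint in an app’s manifest: a receiver for the incoming-SMS broadcast registered with an unusually high priority, paired with the permissions needed to read messages and forward them. The following is an added example written for this roundup, not code from the original post or from any AV vendor, that triages a decoded AndroidManifest.xml for that pattern. It assumes the manifest has already been decoded from the APK to plain XML (for instance with apktool); both sample manifests are constructed for the example and their package and class names are invented.

```python
"""Static triage of a decoded Android manifest for SMS interception.

Added example, not code from the original post or from any AV vendor.
It assumes the manifest has been decoded from the APK to plain XML (for
example with apktool). Both sample manifests below are constructed for
this example; the package and class names in them are invented.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Ordinary apps are expected to use priorities up to 999; a receiver set
# above that is trying to run before the messaging app so it can see, and
# on older Android versions swallow, the message before the user does.
MAX_NORMAL_PRIORITY = 999
# Either of these gives the app a way to forward what it captured.
RELAY_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def _android_attr(elem: ET.Element, name: str, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def analyse_manifest(xml_text: str) -> Dict:
    root = ET.fromstring(xml_text)
    permissions = {_android_attr(e, "name") for e in root.iter("uses-permission")}

    sms_receivers: List[Dict] = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            # decoded manifests may carry the value in decimal or hex, so parse with base 0
            priority = int(_android_attr(flt, "priority", "0"), 0)
            sms_receivers.append({
                "receiver": _android_attr(receiver, "name"),
                "priority": priority,
                "above_normal": priority > MAX_NORMAL_PRIORITY,
            })

    can_read = "android.permission.RECEIVE_SMS" in permissions
    can_relay = bool(RELAY_CHANNELS & permissions)
    grabs_priority = any(r["above_normal"] for r in sms_receivers)
    if can_read and can_relay and grabs_priority:
        verdict = "likely SMS interceptor"
    elif can_read and sms_receivers:
        verdict = "handles SMS, no priority grab"
    else:
        verdict = "no SMS handling"
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in permissions if p),
        "sms_receivers": sms_receivers,
        "verdict": verdict,
    }


# Constructed manifest in the shape described above: a fake bank app that
# takes over SMS handling and has a channel to forward what it captures.
SAMPLE_INTERCEPTOR_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank Security Update">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for a legitimate messaging app: similar permissions,
# but its receiver does not try to jump the queue.
SAMPLE_MESSENGER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Messenger">
        <receiver android:name=".IncomingSmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INTERCEPTOR_MANIFEST, SAMPLE_MESSENGER_MANIFEST):
        report = analyse_manifest(sample)
        print(report["package"], "->", report["verdict"], report["sms_receivers"])
```

    A manifest check like this is cheap enough to run on every app before it reaches a store or a corporate device, which is exactly the kind of test the roundup says is being skipped. It is a triage signal, not proof: the messenger sample above is legitimate and still handles SMS, so the priority grab combined with a relay channel is what separates the two.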

    Why is this Significant?

    1. This is another demonstration that mRATs are becoming more advanced. Getting into semi-technical detail: the mRAT cannot itself relay any of the stolen contact information back to a C&C server, which may imply that a second app assists with exfiltrating the data, possibly under the guise of recovering the damaged audio files.
    2. This attack is based in Cuba, one of the most isolated countries in the world. Mobile malware has truly become a global concern.