Weekly Mobile Security News Roundup – Heartbleed Leaves Mobile Users Vulnerable to Attacks

Another week of mobile security news, dominated by the aftereffects of the Heartbleed disclosure. It is becoming apparent that fears about the magnitude of the event were not exaggerated: Heartbleed-based attacks on PCs are already being reported, and the issue is still evolving.

This week also brought new threats: Android home-screen icon hijacking, a Flash SMS flaw in iOS, and a Samsung Galaxy S5 fingerprint-scanner hack that leaves owners’ devices and PayPal accounts at risk.

  1. Lacoon’s Customers are Secure Against Heartbleed
    Lacoon MobileFortress can ensure that your enterprise mobile devices are secure against Heartbleed-related issues.

    We recommend you read our blog posts from the past week where you can download Lacoon’s tool to test your mobile device against Heartbleed, as well as learn more about our product updates. The entries also provide relevant background info on Heartbleed, the mobile impact, insights and recommendations to mobile users.

    Click here to test the security of your device
    Click here to read about the relevant update to Lacoon MobileFortress

    For readers who want a general catch-up on Heartbleed and how it has evolved, this timeline of events makes an interesting read.
  2. Android Flaw Allows Home Screen Icons to be Hijacked
    Android users are susceptible to a new attack in which a malicious app that holds only normal-protection-level permissions can read the shortcuts on the Android home screen and rewrite them to point at malicious websites or malware, without any notification to the user.

    While requests for “dangerous”, high-level permissions require user approval at install time, normal permissions are granted automatically and are never displayed to the victim.

    Google has released an Android patch that fixes this specific issue, but, as with most Android updates, it only reaches a device once the manufacturer and carrier ship it, and the user then has to install it; most devices will stay exposed for a while.


    Why is this Significant?
    This is a new kind of mobile attack that underlines how exposed the Android OS is. We often talk about malware trying to obtain “root” or administrator-level privileges, but here neither is needed: a permission the platform classes as harmless is enough to redirect the user’s taps to attacker-chosen content.

    What can enterprises do?

    • Urge employees to install the released patch as soon as it is available for their device.
    • Educate employees to download apps only from trustworthy marketplaces and to check the reputation of the developer.
    • Gain visibility into app activity, both on the device and on the network, to detect abnormal or malicious behaviour, including the permissions an app actually requests rather than only those the install dialog shows.
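As an added example (not code from the original post or from Lacoon), the following Python script makes the distinction of the paragraphs above concrete: it reads a decoded AndroidManifest.xml, as apktool produces it, and splits the requested permissions into those the install dialog would have shown and those granted silently. The manifest is constructed, and the PROTECTION_LEVEL table and WATCHLIST are assumptions for this illustration: real levels are set by the platform or by the app that declares the permission and have changed between Android releases, and the launcher settings permissions are placed at “normal” level here to mirror the pre-patch situation this item describes.

```python
"""Triage an AndroidManifest.xml: which requested permissions would the
install dialog have shown, and which are granted without a prompt?

Added example, not code from the original post. SAMPLE_MANIFEST is
constructed; PROTECTION_LEVEL and WATCHLIST are assumed for this
illustration (real levels come from the platform or the declaring app
and have changed across Android versions).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed protection levels. Only "dangerous" entries reach the user;
# "normal" ones are granted automatically at install time.
PROTECTION_LEVEL = {
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.VIBRATE": "normal",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.SEND_SMS": "dangerous",
    # Launcher-declared permissions, modelled at "normal" level: a third-party
    # app could then read and rewrite home-screen shortcuts without a prompt.
    "com.android.launcher.permission.READ_SETTINGS": "normal",
    "com.android.launcher.permission.WRITE_SETTINGS": "normal",
}

# Silently granted permissions that still deserve a second look (assumed list).
WATCHLIST = {
    "com.android.launcher.permission.READ_SETTINGS",
    "com.android.launcher.permission.WRITE_SETTINGS",
}


def requested_permissions(manifest_xml: str) -> list:
    """Names of every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml: str) -> dict:
    """Split requested permissions by what the install-time dialog shows."""
    result = {"shown": [], "silent": [], "unknown": [], "review": []}
    for name in requested_permissions(manifest_xml):
        level = PROTECTION_LEVEL.get(name)
        if level == "dangerous":
            result["shown"].append(name)
        elif level == "normal":
            result["silent"].append(name)
            if name in WATCHLIST:
                result["review"].append(name)
        else:
            result["unknown"].append(name)   # not in the table: do not assume harmless
    return result


# Constructed manifest of a "flashlight" app that shows the user nothing at
# install but still asks for launcher settings access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
    <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="com.example.vendor.permission.TELEMETRY"/>
</manifest>
"""

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_MANIFEST).items():
        print(f"{bucket:8}", ", ".join(names) or "-")
```

Run against the constructed manifest, the "shown" bucket is empty, which is the point: the install dialog for this app would display no permissions at all, while the "review" bucket lists the two launcher permissions that were granted without a prompt.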
  3. Flash SMS Flaw in iOS Can Be Exploited to Make the Lock Screen Unresponsive
    Researchers have discovered a Flash SMS flaw in iOS that can be exploited to make the lock screen on iPhones and iPads unresponsive.

    A Flash SMS (an SMS of message class 0) is displayed immediately on the screen without user interaction and is not stored in the inbox by default. It is commonly used for things like delivering one-time passwords.

    The problem is that if a Flash SMS is not dismissed (i.e. acknowledged by the victim) before the device goes to sleep, and a second Flash SMS arrives while the device is asleep, the lock screen becomes unresponsive when the user tries to unlock it. The device recovers after a restart, but this is still a serious issue.

    An attacker could turn this into a ransomware-style scheme: keep freezing the device with repeated Flash SMS messages and demand a payment, or a call to a premium-rate number, to stop.


    Why is this Significant?
    Much like the Android flaw in the previous section, this vulnerability highlights how “simple” mobile attacks are becoming: no malware on the device is needed, only a message the network delivers. Attackers are making an effort to learn these highly specific OS quirks in order to widen their arsenal of methods for attacking a mobile device.

    What can enterprises do?

    • Urge employees to update their iPhone or iPad to the latest iOS version. The flaw has been confirmed on iOS 7.1 and earlier.
    • Gain network visibility to check for indicators of compromise, such as calls to premium-rate numbers or bursts of Flash SMS messages aimed at one device.
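Spotting the second indicator needs a way to tell a Flash SMS from an ordinary one at the message level. As an added example (not code from the original post or from the researchers who reported the flaw), the Python below parses raw SMS-DELIVER PDUs, the form a GSM modem or SMS gateway hands over in PDU mode, decodes the Data Coding Scheme byte to recover the message class, and flags class 0, which is what a Flash SMS is. The layout follows 3GPP TS 23.040 and the DCS rules of TS 23.038; the sample PDUs are constructed, and concatenated messages (user data header) are deliberately rejected rather than handled.

```python
"""Flag class 0 ("flash") messages in raw SMS-DELIVER PDUs.

Added example, not code from the original post: parses the SMS-DELIVER
layout of 3GPP TS 23.040 as a GSM modem returns it in PDU mode, reads the
message class from the Data Coding Scheme byte (TS 23.038) and unpacks
the GSM 7-bit default alphabet. The sample PDUs below are constructed.
"""

# GSM 7-bit default alphabet (TS 23.038 section 6.2.1), code points 0-127.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128


def decode_dcs(dcs: int) -> dict:
    """Alphabet and message class (0-3, or None) carried by a DCS byte.

    Class 0 is the flash class: shown at once, not stored by default.
    """
    group = dcs >> 4
    if group & 0xC == 0:                      # 00xx: general data coding
        alphabet = {0: "gsm7", 1: "8bit", 2: "ucs2"}.get((dcs >> 2) & 3, "reserved")
        msg_class = dcs & 3 if dcs & 0x10 else None   # bit 4: class bits valid
    elif group == 0xF:                        # 1111: data coding / message class
        alphabet = "8bit" if dcs & 4 else "gsm7"
        msg_class = dcs & 3
    elif group in (0xC, 0xD, 0xE):            # message waiting groups: no class
        alphabet, msg_class = ("ucs2" if group == 0xE else "gsm7"), None
    else:
        alphabet, msg_class = "reserved", None
    return {"alphabet": alphabet, "class": msg_class}


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack LSB-first 7-bit septets (no user data header handling)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7_BASIC[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)


def _bcd_number(raw: bytes, ndigits: int, toa: int) -> str:
    """Nibble-swapped BCD digits; trailing F pad dropped, '+' for TON 001."""
    digits = "".join(f"{b & 0xF:x}{b >> 4:x}" for b in raw)[:ndigits].rstrip("f")
    return ("+" if (toa >> 4) & 7 == 1 else "") + digits


def decode_sms_deliver(pdu_hex: str) -> dict:
    """Parse an SMS-DELIVER PDU (with SMSC prefix) into its fields."""
    pdu = bytes.fromhex(pdu_hex)
    smsc_len = pdu[0]
    smsc = _bcd_number(pdu[2:1 + smsc_len], (smsc_len - 1) * 2, pdu[1]) if smsc_len else ""
    pos = 1 + smsc_len
    first = pdu[pos]; pos += 1
    if first & 3 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    if first & 0x40:
        raise ValueError("user data header present; concatenation not handled here")
    oa_digits, oa_toa = pdu[pos], pdu[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _bcd_number(pdu[pos:pos + oa_len], oa_digits, oa_toa); pos += oa_len
    dcs = pdu[pos + 1]; pos += 2                # protocol identifier, DCS
    pos += 7                                    # service centre time stamp, unused
    udl = pdu[pos]; ud = pdu[pos + 1:]
    coding = decode_dcs(dcs)
    if coding["alphabet"] == "gsm7":
        text = unpack_gsm7(ud, udl)
    elif coding["alphabet"] == "ucs2":
        text = ud[:udl].decode("utf-16-be")
    else:
        text = ud[:udl].hex()
    return {"smsc": smsc, "sender": sender, "dcs": dcs, **coding,
            "text": text, "flash": coding["class"] == 0}


def find_flash(pdus) -> list:
    """(sender, text) for every PDU that is a class 0 flash SMS."""
    return [(m["sender"], m["text"]) for m in map(decode_sms_deliver, pdus) if m["flash"]]


def _sample(dcs_hex: str) -> str:
    """Constructed PDU: SMSC +27381000015, sender +27838890001, "hellohello"."""
    return ("07917283010010F5"                  # SMSC address
            "04"                                # first octet: SMS-DELIVER
            "0B917238880900F1"                  # originating address, 11 digits
            "00" + dcs_hex +                    # protocol identifier, DCS
            "99309251619580"                    # SCTS 1999-03-29 15:16:59 +02:00
            "0AE8329BFD4697D9EC37")             # UDL 10 septets, 7-bit "hellohello"


SAMPLE_PDUS = {
    "inbox": _sample("00"),      # no class: stored in the inbox as usual
    "flash": _sample("10"),      # general coding group, class 0
    "flash_alt": _sample("F0"),  # data coding/message class group, class 0
}

if __name__ == "__main__":
    for label, pdu in SAMPLE_PDUS.items():
        m = decode_sms_deliver(pdu)
        print(f"{label:10} dcs=0x{m['dcs']:02X} class={m['class']} flash={m['flash']} {m['text']!r}")
```

The three samples carry the same sender and text and differ only in the DCS byte, which is the whole point: nothing in the body marks a Flash SMS, and a class 0 can be signalled through either coding group, so a detector that only checks for DCS 0x10 misses the 0xF0 form. Counting the output of find_flash per recipient over a short window is the "burst" indicator mentioned above.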
  4. The Samsung Galaxy S5’s Fingerprint Scanner Has Already Been Hacked
    Just weeks after its release, the Samsung Galaxy S5’s new biometric system has been hacked, leaving Galaxy S5 owners’ devices and their PayPal accounts at risk.

    The hack uses a fabricated copy of the fingerprint, very similar to the method used against the iPhone 5s’s Touch ID. However, because of how the Galaxy S5 implements fingerprint security, the consequences are much graver. Why? Apple’s Touch ID requires users to set a passcode before fingerprint authentication can be enabled, and the passcode must be entered again after every reboot. On the Galaxy S5, no password is needed to access the device: even right after a reboot, a swipe of a finger unlocks the phone.

    More worrisome, even after a reboot users need no password to access PayPal and make payments through the PayPal app if fingerprint authentication has been enabled.


    Why is this Significant?
    Biometrics are becoming a big part of modern authentication. While passwords keep proving how weak they can be, it is important to evaluate how secure new biometric systems really are. A victim’s fingerprint can be copied and spoofed with a simple hack, leaving the mobile device and the victim’s financial resources under the attacker’s control, and, unlike a password, a fingerprint cannot be changed once it has been copied.
    What can enterprises do?

    For the time being, ensure employees with a Galaxy S5 use a password or PIN as the lock method rather than relying on the fingerprint sensor alone, and do not enable fingerprint login for payment apps such as PayPal.