Weekly Mobile Security News Roundup – Are your Mobile Apps Exposing Sensitive Data?

For the first time in several weeks, this week’s summary isn’t dominated by the OpenSSL vulnerability, Heartbleed. While Heartbleed may not be breaking news anymore, we still recommend making it a priority to ensure your enterprise is protected. You can find out more here.

This week’s items serve as another reminder of the different ways an app or a device can expose sensitive data.

WhatsApp Location Vulnerability
A vulnerability in WhatsApp can enable an attacker to intercept a victim’s shared locations. Although WhatsApp have acknowledged this, it is yet to be fixed.

When sharing their location on WhatsApp, users first need to locate themselves on Google Maps within the WhatsApp window. Upon selecting a location, WhatsApp fetches the location details and a thumbnail (i.e. an image) from the Google Maps service in order to share the image as the message icon.

Unfortunately, WhatsApp downloads this image from Google through an unencrypted channel that can be exploited by a Man-in-the-Middle (MitM) attack. The captured image alone could be enough to expose a user’s location.
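The cleartext thumbnail fetch described above is a good case for a simple network-side check. The following is an added example (not WhatsApp’s or Google’s code): it scans proxy-style request logs and flags any http:// request whose query string carries a latitude/longitude pair, since on an unencrypted channel the request URL itself, not only the image pixels, reveals the shared location to anyone on the same network. The log lines, host names and path names are constructed for the example.

```python
"""Flag cleartext (http://) image fetches whose URL exposes coordinates.

Added illustration, not code from WhatsApp, Google or the original post.
The log format, hosts and paths below are constructed for the example.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-style log, one request per line: "<client> <method> <url>"
SAMPLE_LOG = """\
10.0.0.12 GET http://maps.example-cdn.test/staticmap?center=51.5074,-0.1278&zoom=15&size=200x200
10.0.0.12 GET https://maps.example-cdn.test/staticmap?center=51.5074,-0.1278&zoom=15&size=200x200
10.0.0.12 GET http://cdn.example.test/assets/logo.png
10.0.0.13 GET http://maps.example-cdn.test/staticmap?markers=40.7128,-74.0060&size=100x100
"""

# Matches a "lat,lon" value such as "51.5074,-0.1278"
COORD_RE = re.compile(r"^-?\d{1,2}(?:\.\d+)?,-?\d{1,3}(?:\.\d+)?$")


def extract_coordinates(url):
    """Return (lat, lon) if any query parameter holds a coordinate pair, else None."""
    parts = urlsplit(url)
    for values in parse_qs(parts.query).values():
        for value in values:
            if COORD_RE.match(value):
                lat, lon = value.split(",")
                return float(lat), float(lon)
    return None


def find_cleartext_location_leaks(log_text):
    """Return one finding per http:// request whose URL exposes coordinates.

    HTTPS requests are skipped: an on-path observer sees at most the host
    name there, not the query string carrying the location.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split()
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        coords = extract_coordinates(url)
        if coords:
            findings.append({"client": client, "host": parts.hostname, "coords": coords})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_location_leaks(SAMPLE_LOG):
        print(f"{finding['client']} leaked {finding['coords']} in cleartext to {finding['host']}")
```

Run against the constructed log, the check reports two leaks (the two http:// map requests) and ignores both the HTTPS request and the cleartext fetch of a plain logo. The app-side fix is to request the thumbnail over HTTPS only and to reject cleartext URLs outright, so that a shared location never crosses the network in a form an on-path observer can read.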


Why is this Significant?
This attack is only possible when the attacker and the victim are connected to the same network (e.g. a communal Wi-Fi hotspot), which is what makes the MitM attack feasible.

The real issue is the underlying design flaw. Though WhatsApp have ensured that the main feature of the app (text messaging) is encrypted, other parts prove to be insecure. This goes to show that, although they mean well, developers might inadvertently be exposing user data. Even developers that have put security as a priority might be missing critical details.

New powerful iOS and Android mRAT?
Over the past few weeks there have been several mentions on Russian forums regarding a new advanced botnet kit. Named iDroidbot, it costs $1,500 and claims to target devices running iOS 7.1 and earlier, as well as Android 2.2 and later.

iDroidbot is apparently spread via two main vectors:

  1. Malicious URLs that direct the user to the malware
  2. Embedded iDroidbot within a legitimate app

The claim is that iDroidbot can perform quite a few advanced methods of theft and espionage, including:

– Drain a victim’s Visa QIWI Wallet (up to Version 2.8.4)
– Drain WebMoney Keeper Mobile (up to Version 3.0.8 on R and Z purses)
– Drain Yandex 2.2 (up to Version 2.8.4)
– Steal credit card numbers
– Record keystrokes
– Record & extract emails
– Send an SMS to a specified number while in stealth mode
– Record conversations
– Intercept SMS messages from a specific number
– Take screenshots

It’s important to note that many of iDroidbot’s methods (like credit card theft) can easily be configured to run only in specific countries, something we haven’t seen implemented in this way before.


Why is this Significant?
Although these claims are yet to be proven, iDroidbot seems to be an advanced mRAT with several ways of stealing from victims. As it enables many very advanced methods of stealing sensitive user data, can be targeted at specific countries and attacks both Android and iOS devices, it may prove to be a force to be reckoned with.

Premium SMS malware targets users worldwide
Malware that aims to subscribe users to premium SMS services is becoming increasingly common worldwide. Until now, we’ve usually seen malware that targets specific countries and area codes. It seems that attackers are finding ways to create malware that can efficiently attack targets around the world.

Two major premium SMS malware families that have evolved to work on a global scale are:

  1. Trojan-SMS.AndroidOS.Stealer.a
    Recently mentioned in Kaspersky’s top 20 malware report, it can send SMS messages to premium-rate numbers in 14 countries.

  2. Trojan-SMS.AndroidOS.FakeInst.ef
    Targets users in 66 countries, including the US. This is the first working SMS Trojan in the United States.

    FakeInst disguises itself as an application for watching porn videos, but once installed on a device it downloads an encrypted configuration file and starts sending SMS messages to predefined premium-rate numbers, chosen according to the user’s mobile country code.


Why is this Significant?
Here we have a case of malware that is evolving. Malware that used to target only specific countries (FakeInst used to work only in Russia, while much other malware targeted vulnerable / less advanced countries) can now attack targets worldwide. This highlights both the fact that mobile security is becoming a concern for all employees, regardless of their location, and the fact that attackers are growing increasingly unsatisfied with small-scale, simple attacks.

We don’t yet know how the malware is being distributed, but since fake apps are being used, it’s likely that third-party marketplaces are the answer. Disabling the option to install apps from unknown sources on employees’ Android devices might be the key in this specific case.

iOS 7.1.1 update was released this week
With this update, Apple have fixed a substantial security issue that was discovered in iOS 7.1. Sadly, a vulnerability that 7.1.1 doesn’t fix has already been identified.

What did Apple fix?
The “Triple Handshake bug” (CVE-2014-1295), which has now been fixed, was present in all devices running iOS 7.1. It allowed attackers to exploit the authentication system that applications use to establish a secure connection.

In a ‘triple handshake’ attack, it was possible for an attacker to create two encrypted connections, or “handshakes,” on an affected device, and then insert their own data into one of the connections, thereby creating a “handshake” between the attacker’s device and the victim, entirely bypassing SSL encryption and proper authentication procedures.

By exploiting this bug, attackers could easily conduct MitM attacks and capture now unprotected data transmitted to and from affected devices.

What are Apple yet to address?
Although they’ve been made aware of an issue with the iOS Mail app, iOS 7.1.1 hasn’t fixed the problem. A bug in iOS 7 makes attachments in the iOS Mail app accessible without encryption or restriction.

By navigating to a specific folder, an attacker with access to the device can simply extract all of the existing attachments, which are stored unencrypted.


Why is this Significant?
Regarding the Triple Handshake: Apple claims that it only affects certain Apple applications that use certificates, and that it is therefore much less dangerous than, say, Heartbleed. This still means that, under certain circumstances, iOS users have been transmitting insecure data for several months.

The underlying issue regarding the Mail app vulnerability is also important. Apple specifically claim to provide protection for email attachments. This adds insult to injury: iOS 7 has been available for quite a while now, and users are not only vulnerable, but Apple are claiming to provide something that isn’t there.