Mobile Security Weekly – Google, Apple & Facebook are causing problems

This week’s summary consists of news from perhaps the three biggest players in the modern world of mobile: Google, Apple and Facebook. All three are in the news for the wrong reasons – either because of an attack that has already occurred or one that’s just waiting to happen.

iOS devices in Oceania are being taken hostage
A large number of users, mostly located in Australia and New Zealand, are reporting they have come under an unexplained attack that holds their iPhones and iPads hostage and demands they pay a $100 ransom.

Users have been receiving a message saying: “Device hacked by Oleg Pliss. For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to email:[email protected] for unlock.”

Interestingly, it turns out that the PayPal account mentioned doesn’t even exist. Users who had set a passcode or had turned on two-factor authentication were able to avoid restoring their device, but the attack affected plenty of users nonetheless.

Apple has since denied that a breach of its iCloud service is the cause of the outbreak. Several other explanations have been offered, ranging from users reusing the same credentials across multiple services, including iCloud, to the more far-fetched DNS poisoning.

Why is this Significant?
Although it is slightly odd that the ransoms couldn’t even be paid, the bottom line is that, seemingly without much effort, an attack managed to paralyze a large number of iOS devices.

Android security hole allows devices to capture photos without alerting the user
New research has revealed that a few lines of simple code can force an Android device to capture pictures in secret. These secret images can then be uploaded to a remote server without the device owner even knowing about it.

It’s possible to create an app that essentially bypasses Android’s requirement that a preview be displayed on the device’s screen while a photo is captured. The app still displays a preview while capturing photos, but the preview occupies only a single pixel. With modern smartphone screens consisting of millions of pixels, a single lit pixel is effectively invisible, so users cannot tell whether the camera is active or not.

Why is this Significant?
This is a massive security hole in Android, with the worst part being that users might never be aware that somebody is secretly spying on them, capturing photos and uploading them to a remote server. It is a perfect example of an OS being neither inherently safe nor unsafe: the OS’s own logic (a preview must be shown) is turned against the protection it was meant to provide.

Facebook to release new feature on iOS and Android apps that turns microphone on permanently

In a release last week, Facebook said the user-optional feature could capture and identify audio, using the phone’s microphone. Facebook would then attempt to identify the song being listened to or the show being watched and incorporate it into a status update.

According to Facebook, this feature can only be turned on via the iOS and Android apps. Users will know that the feature has been activated when blue bars appear on the screen stating that the microphone has been turned on, and while it is in use the app will state that it is “matching” the sounds it picks up.

Why is this Significant?
From a security perspective, this sounds like a loophole just waiting to be exploited. It seems almost obvious that malware will eventually take advantage of this feature, either by recording without the notification or by extracting the recorded audio.

From a privacy perspective, as consumers we’ll have no control over whether the data could be de-anonymized, or over what happens if third parties receive access to it. Another potential privacy violation of this feature is what gets recorded: sounds from anyone and anything in the background may be picked up, including voices of people who haven’t.