Mobile Security Weekly – Cupid is here, but he’s not spreading love.

Only two items this week, but both discuss attacks that may be capable of causing quite a bit of havoc in the near future. One reminds us that the biggest mobile security of 2014 hasn’t yet finished while the other poses questions about things to come.

Just when you thought the Heartbleed Bug threat is over, it rears its ugly head again. Less than two months since the openSSL vulnerability was first exposed, exploiting it just became quite a bit simpler, especially against mobile devices. According to researchers in Portugal, the new attack method, named Cupid, exploits a vulnerability in OpenSSL the same way as Heartbleed – the same exploit can also be used to target any device running an unpatched version of OpenSSL.

It’s also worth noting that seven additional vulnerabilities had been discovered affecting OpenSSL 0.9.8, 1.0.0, 1.0.1, and 1.0.2 (meaning all versions, basically). Researchers aren’t yet sure whether this affects mobile devices, but a mobile MitM attack based on these vulnerabilities seems to be possible.

Back to ‘Cupid’ – The exploit can definitely be successfully turned against Android devices running 4.1.0 or 4.1.1. Researchers are not yet sure whether newer versions are vulnerable or not. Since all versions of Android connect to wireless networks in the same way, it is possible that all devices running on the OS may be vulnerable.

There are two attack scenarios for Cupid. The one relevant to mobile involves using an altered method of accessing a vulnerable client. This allows attackers to set up a network for sending malicious heartbeat requests.!U2mgS

Why is this Significant?
This is the first attack that has “spawned” from Heartbleed. Even though it may not be a technological breakthrough, this is a wakeup call regarding Heartbleed’s staying power.

Android Ransomware takes another step in the wrong direction

A new strain of Android ransomware has begun spreading, mainly through Europe. Called Simplocker, it targets SD cards, electronically scrambling certain types of files on them before demanding cash to decrypt the data.

The message is in Russian and the demand for payment is in Ukrainian hryvnias, equating to somewhere between $20 and $30. As is usually the case, the warning also accuses the victim of looking at rather unsavoury images on their phone. However, while the source of the malware is said to be an app called “Sex xionix”, it isn’t available at the Google Play Store, which generally means that its being distributed from a 3rd party marketplace.

Making these more difficult for authorities to crack down on malware authors and distributors, the remote server controlling the malware is hidden by TOR. Meaning, it’s almost impossible to track the attackers.

Why is this Significant?
While perhaps not yet on par with infamous PC ransomware – Cryptolocker, the mobile versions are definitely on their way. Even over the past few weeks, we’ve witnessed steadily improving methods of social engineering via ransomware. It’s worth paying attention before the attacks become even more advanced.