Mobile Security Weekly – Threats are Everywhere

This week’s issue contains four entirely different but all highly volatile mobile security threats. New vulnerabilities and threat vectors are rapidly appearing. These aren’t small issues either – they potentially place millions of devices and users in danger, and all of them need to receive due attention.


Researchers have discovered a vulnerability present on an estimated 10% of Android phones that may allow threat actors to obtain highly sensitive credentials, including cryptographic keys for some banking services and virtual private networks, as well as PINs or patterns used to unlock vulnerable devices.

The vulnerability resides in the Android KeyStore, a sensitive area of Android OS dedicated to storing cryptographic keys and other credentials. By exploiting the vulnerability, threat actors can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. It looks like the vulnerability only affects Android 4.3, which runs on about 10.3% of handsets.

Why is this Significant?
If a threat actor can compromise the KeyStore, they can log in as the phone’s user to any service where there’s a corresponding app, or at least an app that remembers the user and lets them log back in without typing a password. Although this means that most banking apps are safe, it’s still a severe issue. While nobody seems to have exploited this vulnerability yet, it’s still worrying that it went unknown for so long. It’s also unlikely to be the last of its kind.

Another Android SMS worm is on the rampage
Researchers have found a rare SMS worm targeting Android devices, which is being used to further a pay-per-install scheme. The worm, dubbed “Selfmite” has only been detected on dozens of devices in North America, but sports a rather unique attack method.
Victims receive SMS messages containing a shortened link, which actually leads to the Selfmite worm.

The malware will then immediately text the victim’s contacts, continuing the malicious cycle via the spread of malicious URLs. What makes it interesting is that Selfmite will also invite users to download a legitimate app, Mobogenie (a highly popular Android app with millions of downloads), which allows the attackers to profit on a per-download basis.
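The propagation pattern described above (a lure SMS carrying a shortened link, followed by a burst of outbound texts carrying the same kind of link to many distinct contacts) is something that can be surfaced from device or carrier SMS logs. The following is an added example, not code from the original post or from the researchers who analysed Selfmite; the log format, the list of shortener domains and the burst thresholds are assumptions, and the log entries are constructed.

```python
"""Flag SMS-worm-style propagation in an SMS log (constructed sample data)."""
import re

# Assumption: a handful of common URL-shortener hosts is enough to match the lure.
SHORTENER_RE = re.compile(r"https?://(?:bit\.ly|goo\.gl|tinyurl\.com|t\.co)/\S+", re.I)
WINDOW_SECONDS = 300          # assumed burst window
MIN_DISTINCT_RECIPIENTS = 5   # assumed threshold for "texting the contact list"

# Constructed log: (epoch seconds, direction, peer number, body). The +1555… numbers
# and the bit.ly paths are placeholders, not real indicators.
SAMPLE_LOG = [
    (1000, "in",  "+15550100", "check this out http://bit.ly/xyz001"),   # the lure
    (1005, "out", "+15550201", "check this out http://bit.ly/xyz001"),
    (1010, "out", "+15550202", "check this out http://bit.ly/xyz001"),
    (1012, "out", "+15550202", "see you at 6?"),                         # normal text
    (1015, "out", "+15550203", "check this out http://bit.ly/xyz001"),
    (1020, "out", "+15550204", "check this out http://bit.ly/xyz001"),
    (1025, "out", "+15550201", "check this out http://bit.ly/xyz001"),   # repeat recipient
    (1030, "out", "+15550205", "check this out http://bit.ly/xyz001"),
    (5000, "out", "+15550206", "article: http://bit.ly/news42"),         # lone link, benign
]

def has_shortened_link(body):
    """True if the message body contains a link on one of the shortener hosts."""
    return bool(SHORTENER_RE.search(body))

def inbound_lures(log):
    """Inbound messages with a shortened link: candidate lures worth reviewing."""
    return [entry for entry in log if entry[1] == "in" and has_shortened_link(entry[3])]

def find_worm_bursts(log, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_RECIPIENTS):
    """Return one alert per window in which the device sent shortened links to
    at least `threshold` distinct contacts. Recipients are deduplicated, so a
    worm re-texting the same contact does not inflate the count."""
    events = sorted((ts, peer) for ts, direction, peer, body in log
                    if direction == "out" and has_shortened_link(body))
    alerts, start = [], 0
    while start < len(events):
        t0, recipients, end = events[start][0], set(), start
        while end < len(events) and events[end][0] - t0 <= window:
            recipients.add(events[end][1])
            end += 1
        if len(recipients) >= threshold:
            alerts.append({"start": t0, "end": events[end - 1][0],
                           "recipients": sorted(recipients)})
            start = end           # skip past the burst already reported
        else:
            start += 1
    return alerts
```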

Why is this Significant?
It looks like Selfmite’s sole purpose is to download on the victim’s device a copy of Mobogenie, which is a legitimate app for managing and installing mobile apps, as well as multimedia content. Researchers believe that the attack is part of a software affiliation scheme which brings the threat actors revenue for each successful installation of Mobogenie – something we haven’t seen before.

The discovery of Selfmite also comes two months after researchers discovered “Samsapo,” believed to be the first Android worm in the wild. Android worms seem to have become an increasingly popular method of targeting innocent users.

A significant security vulnerability has been discovered in the Facebook SDK (v3.15.0) for both iOS and Android. Nicknamed Social Login Session Hijacking, when exploited it allows a threat actor to obtain access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).

Many iOS and Android apps build on the Facebook SDK and leverage Facebook for user authentication. Once an app has successfully authenticated with Facebook, a local session token is cached and used to authenticate future sessions. The insecure storage of this session token is what places apps using the Facebook SDK for user authentication at risk of session hijacking.

The Facebook SDK is one of the most popular integrated libraries used by free and fee-based app developers for iOS and Android platforms. Specifically, 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of those apps.

Why is this Significant?
Because the SDK is so widely used, and given the severity of the vulnerability, this issue represents a substantial threat: it could cause substantial damage to the reputations and brands of both individuals and organizations. There are so many vulnerable apps that we’re undoubtedly going to be hearing more about this problem over the coming days.

A new Android mRAT (mobile remote access trojan), HijackRAT, has been discovered.
HijackRAT can steal banking information by disabling anti-virus applications, as well as download more malware.

Once it has finished its initial hiding techniques, HijackRAT immediately contacts a C&C server and begins collecting sensitive information from the device, including the phone number, device ID, and contact lists. Although the C&C server was traced back to Hong Kong, it is likely a victim’s system controlled by the RAT. Evidence in the user interface suggests that the developers are Korean and the victims are Korean, as well.

The malware specifically targets eight Korean banking applications, all of which require a popular anti-virus application, known as V3 Mobile Plus. HijackRAT is designed to disable that anti-virus application, so it can download a malicious fake update to the targeted bank application.

Why is this Significant?
Although only targeting Korean banks now, HijackRAT can easily be updated to target other financial institutions. Initial research also shows that there is room within the framework to enhance its bank targeting features.

It seems the app isn’t easily available in the wild yet and perhaps is more of a POC. Either way, threat actors are catching up to the latest security protocols and have their sights on where the money is in mobile: banking apps.
