Mobile Security Weekly – A Whole New iWorld


This edition of the Mobile Security Weekly couldn’t start with anything but the release of the iPhone 6 and 6 Plus. With it, all the old discussions of Android vs iPhone have risen again, along with a series of new events that may make the decision even harder. The only thing that’s obvious is that whatever Google & Apple say, neither can provide a completely secure experience — something made exceedingly evident by this week’s stories.


iOS 8 has arrived and brought more than 50 security fixes with it

Apple has released a substantial list of iOS 8 security updates and fixes alongside the operating system update delivered to users. While Apple credited many independent security experts, it continued its practice of not differentiating bugs by their severity, and seems to have attempted to hide the fix for a major vulnerability.

The most serious vulnerabilities could allow a threat actor to execute malicious code on the device with root privileges. Others allow execution of code with kernel or system privileges. These vulnerabilities require the ability to execute code on the device, but that could be accomplished with one of the many remote code execution vulnerabilities also disclosed. Many of these could be launched if the user visited a malicious web page.

Other vulnerabilities are serious, though less so than those already described. Some could allow attackers to access sensitive information such as logs or the user’s Apple ID. Others enable a rogue access point to steal iOS Wi-Fi credentials using an old and broken authentication protocol which was on by default in iOS.

It’s critical to note that all of the issues remain in earlier versions of iOS. Apple intentionally doesn’t fix them on earlier versions, so users who remain on iOS 7.x remain vulnerable.

Why is this Significant?
The last paragraph is what really makes this update so important. The fact that Apple has admitted that iOS 7 users are at risk from so many different directions makes installing iOS 8 a must.

Another interesting point is that one of the more serious issues is hidden at the bottom of the list, separated from the other vulnerabilities as a “note” that reads, “iOS 8 contains changes to some diagnostic capabilities.” A few months ago, we mentioned that Apple had denied this was an issue. Now they seem to have closed the “backdoor” that a security researcher had found. Although we’re happy they’ve closed it, the way they went about it raises questions.

Windseeker app spies on Chinese chats using injection & hooking techniques

Our research team recently discovered a new Chinese Android surveillance app that implements a new, unique injection technique.

Named “Windseeker,” it runs on rooted Android devices and enables a cybercriminal to eavesdrop on popular Chinese Instant Messaging (IM) apps (WeChat and QQ).

Without going into too much detail (a full report can be found here), Windseeker can work via two main methods of attack:

  • It can be incorporated into a fake app and uploaded to a third-party marketplace.
  • It can be installed via physical access to a device.

Once installed, it can monitor all incoming and outgoing communications from the apps silently.

Why is this Significant?

This attack clearly demonstrates the ongoing evolution of malware capabilities in mobile operating systems — adopting the same methods from the PC world. Although this attack targets Chinese users, the methodology can be implemented anywhere.

Russian Duo Arrested over Widespread MMS Malware Attack

Russian police have arrested two mobile cybercrime suspects as part of an ongoing investigation that is the first of its kind in Russia. The suspects have allegedly attempted to defraud customers of Sberbank, one of Russia’s leading banks, using Android-based malware.

Towards the end of 2013, Sberbank detected a cyber attack on customers with Android devices. The attackers targeted the phones with malware via the mass mailing of MMS messages from “RomanticVK” or “VK_Gift” with the promise of a “romantic gift”.

Once a victim navigated to the link, the malware was downloaded to their phone. The malware essentially enables a cybercriminal to withdraw funds from accounts connected to the device and extract money by texting premium SMS services.

Assisted by a team of Russian security experts, the police successfully tracked the attackers through two waves of attacks before finally arresting them.

Why is this Significant?
The actual attack isn’t the point here. Even if it had posed a threat to users outside of Russia, it is still a relatively primitive method of attack. The way the Russian authorities handled the case, accompanied by a Russian cyber security firm, shows how severe the problem has become. This is something we expect will become more common throughout the world in the near future.