FREAK (Out!) Attack, Fake Amazon Voucher, Google Doesn’t Encrypt – Mobile Security Weekly

This was a busy week for cybersecurity! Researchers discovered FREAK Attack, a vulnerability that allows attackers to intercept HTTPS connections between vulnerable clients and servers. And Android users haven’t had the best of weeks either, after now learning about Google’s failure to provide promised encryption, as well as a new SMS campaign hitting Android users worldwide.

FREAK Attack Leaves Millions of iOS and Android Users Vulnerable

Researchers have discovered a potentially catastrophic flaw that, for more than a decade, has made it possible for attackers to decrypt SSL-protected traffic passing between Android or Apple devices and millions of websites, including Americanexpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers.

FREAK stands for Factoring RSA Export Keys, and can be used by cybercriminals to force a weaker version of SSL encryption in browsers which they can then crack over the course of just a few hours. Essentially, by implementing a MitM (Man in the Middle) attack, threat actors can steal passwords and other personal information, and can potentially launch a broader attack on the web sites themselves by taking over elements on a page, such as a Facebook “Like” button.

A slightly more technical explanation is that a connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. The RSA Export suite is much more vulnerable to cracking the people have known until now.

https://freakattack.com

Why is this Significant?

This incident illustrates the danger of governments asking technology companies to provide “backdoors” into systems so that law enforcement and intelligence agencies can conduct surveillance. Although we have yet to see FREAK Attack being used in the wild, it may take quite a while for both client and server side patches to be released and installed, leaving millions of people vulnerable.

Fake Amazon Voucher App is Spreading Malware

Fake Amazon vouchers are being used as part of a campaign to target Android devices with malware. The attack is called “Gazon” and sends messages of various kinds to victims’ mobile phone contacts. These messages contain links to offers for non-existent Amazon vouchers that supposedly promise gifts of up to $200. If opened on Android, the messages will actually attempt to install malware that re-initiates the infection cycle and launches a fresh wave of malicious messages to the victim’s contact list.

In just under two weeks, the attack has already generated over 16 thousand clicks via SMS, email and Facebook (with SMS being the dominant platform), infecting thousands of mobile devices in more than 30 countries.

http://www.theregister.co.uk/2015/03/04/fake_amazon_voucher_mobile_malware/

Why is this Significant?

It’s worth differentiating this type attack from others that attempt to actually install malware that collects data. In this case, all the attacker is doing is generating clicks that generate cash – it’s simple but effective. Not every type of modern malware has to end up in a sophisticated mRAT (Mobile Remote Access Trojan).

Google Hasn’t Kept Its Promise to Automatically Encrypt Data on Android

During last year’s release of Android 5.0 (Lollipop), Google claimed the contents of smartphones and tablets would be encrypted by default. This isn’t exactly the case. In practice, Google has left it up to the manufacturers of the various mobile devices that run Android.

Some Android Lollipop handhelds, many of them brand new, have opted against automatically encrypting their files. This includes the second-generation Moto E and the new Samsung Galaxy S6.

Many people have been looking into this issue over the past few days and it seems that Google quietly relaxed their demands due to performance issues. Lollipop’s encryption requirement had a huge impact on performance – due to the automatic encryption, the devices slowed down dramatically.

http://arstechnica.com/gadgets/2015/03/google-quietly-backs-away-from-encrypting-new-lollipop-devices-by-default/

Why is this Significant?

With performance and battery life being possibly the most critical selling points, customer security just isn’t that much of a priority. It is possible for users to turn on the encryption themselves but as we all know, most people will use their phones exactly the way they came out of the box. While Google has been quoted lately as saying that they’re “…firmly committed to encryption,” they seem to be more committed to profit.