Dropbox Ball Drop, Podec Pwns Captcha, Apple (Again) Patches iOS – Mobile Security Weekly

Mobile technology has had a few big weeks. We’ve been given a glimpse into the future at Mobile World Congress in Barcelona (Lacoon was also there) and Apple has raised the stakes again with its upcoming release of iWatch — which is priced from about $350 up to a mind-boggling $17,000.

In mobile security news, threat actors have defeated the Captcha security system, and another substantial vulnerability that can affect millions of Android users has been discovered. We won’t be surprised if this one causes quite a bit of confusion.

Vulnerability Discovered in Dropbox SDK

A software vulnerability in Dropbox’s SDK for Android (versions 1.5.4 through 1.6.1) could allow hackers to connect apps on a mobile device to their own Dropbox account without the user knowing. Although Dropbox has already released a patch, users who don’t install it are still vulnerable.

The flaw exists within the implementation of the authentication mechanism used to give the app access to Dropbox. In theory, while the user is providing their username-password combo to log in, the SDK is generating a large random number (for encryption) to authenticate the device to Dropbox. In practice, researchers have succeeded in finding an exploit that enables attackers to insert “an arbitrary access token into the SDK, thus completely bypassing the encryption.”

This can be used in the following way:

  • An attacker tricks a user (using social engineering) into downloading malware that implements the aforementioned exploit.
  • Once this happens, a highway between the victim’s device and the attacker’s DropBox is opened.
  • This can be used to steal data and/or to install further malware.

The serious catch is this: the entire issue isn’t actually tied to the Dropbox app, which isn’t even vulnerable. 1.4 percent of the top 500 Android apps use the Dropbox SDK, including Microsoft Office Mobile.
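To make the failure concrete, here is an added toy model of the check the flaw defeats; it is constructed for this post and is not the Dropbox SDK’s code. The SDK hands login off to another component and must only accept a delivered access token that is bound to the random nonce the SDK itself generated; the `verify_nonce=False` switch models an SDK that skips that binding, and the `SdkAuthSession` and function names are assumptions.

```python
import secrets
import hmac


class SdkAuthSession:
    """Toy model (constructed here, not the Dropbox SDK) of an SDK that hands
    login off to another app and gets an access token delivered back."""

    def __init__(self, verify_nonce: bool = True):
        self.verify_nonce = verify_nonce   # False models the vulnerable behaviour
        self._pending_nonce = None
        self.access_token = None

    def start_login(self) -> str:
        # Large random value generated locally; the login provider must echo it back.
        self._pending_nonce = secrets.token_hex(32)
        return self._pending_nonce

    def handle_callback(self, token: str, nonce: str) -> bool:
        """Accept a delivered token only if it is bound to a login we started."""
        if self._pending_nonce is None:
            return False                    # nothing in progress: unsolicited delivery
        if self.verify_nonce and not hmac.compare_digest(nonce, self._pending_nonce):
            return False                    # not the nonce this SDK generated
        self.access_token = token
        self._pending_nonce = None          # nonce is single-use
        return True


def legitimate_flow() -> str:
    """Normal case: the real login provider echoes the SDK's own nonce."""
    sdk = SdkAuthSession()
    nonce = sdk.start_login()
    sdk.handle_callback("legit-token", nonce)
    return sdk.access_token


def foreign_token_accepted(verify_nonce: bool) -> bool:
    """A rogue component delivers its own token with a nonce it made up.
    Returns True if the SDK wrongly linked itself to that token."""
    sdk = SdkAuthSession(verify_nonce=verify_nonce)
    sdk.start_login()                       # the victim starts a real login
    accepted = sdk.handle_callback("foreign-token", secrets.token_hex(32))
    return accepted and sdk.access_token == "foreign-token"


def unsolicited_delivery_accepted() -> bool:
    """No login in progress: any delivered token must be refused."""
    sdk = SdkAuthSession()
    return sdk.handle_callback("foreign-token", secrets.token_hex(32))
```

The model shows why the patch matters at the SDK level: the token-linking check lives in the library embedded in each app, so every app that ships the unpatched SDK behaves like the `verify_nonce=False` case regardless of the Dropbox app installed on the device.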


Why is this Significant?

The vulnerability here is owned by Dropbox, but it appears in apps other than the Dropbox app itself, so users can easily misunderstand this problem and remain vulnerable for lengthy periods of time. Also, this is another serious example of a severe failure in attempts to encrypt and protect users’ data, which is something we’ve highlighted before.

Podec – the First Malware that can fool Captcha Checks

Researchers have discovered the first Android malware capable of bypassing Captcha image recognition systems. The malware is believed to have been active since late last year, and has already subscribed “thousands of infected Android users” to premium-rate services. Podec bypasses Captcha by automatically forwarding the challenges in real time to Antigate.com, a human translation service.

Podec also has the ability to bypass the “Advice on Charge” system that notifies users about the price of a service and requests authorization before allowing payments. Effectively, users aren’t alerted to the fact that they have been signed up to a premium-rate service. The group behind Podec is spreading the malware via links to fake ‘cracked’ versions of popular games on social networks. Once clicked, the links install Podec, which in turn requests administrator privileges. If this is granted, Podec is almost impossible to delete.


Why is this Significant?

This is a perfect example of how security is a game of innovation and quid pro quo. Each side reacts and evolves based on what the other side is doing – Captcha was developed to combat automated fraud attacks and has now been beaten. Podec is more than likely to be a work in progress – new functions, versions and copies are almost certainly going to appear in the near future.

Apple’s iOS 8.2 fixes security issues (+ Apple releases iWatch)

Apple released iOS 8.2 this week, alongside its other announcements regarding iWatch and the new MacBook. In its iOS update, Apple addressed two major security issues alongside several other bug fixes:

  • FREAK Attack – a vulnerability that enables attackers to decrypt SSL-protected traffic passing between Android or Apple devices and millions of websites.
  • Jailbreaking – Like iOS 8.1.3, the newest version is also currently immune to jailbreaking. The TaiG iOS 8 jailbreak is still blocked despite their best efforts.


Why is this Significant?

Until the jailbreakers succeed, this version of iOS is temporarily the safest option for iPhone users. We’ll be paying attention to adoption numbers over the coming weeks. On a side note, this is also a good opportunity to start raising questions regarding iWatch and security. Watches go many places that phones don’t, and if history tells us anything, hackers will eventually find vulnerabilities and exploits in all things iOS (whether for jailbreaks or malicious activities). This is the beginning of a whole new chapter in iOS security.