FREAK Lives On, Play Has Adware, iOS Brute-Force Attack – Mobile Security Weekly

This week we highlight several emerging trends within the world of mobile security, including a case of app developers leaving users vulnerable while the others showcase “foolproof” security measures getting duped. Not the best of weeks for mobile users.

Millions of User Still Vulnerable to FREAK Attacks

A few weeks ago, we updated you on FREAK attack – a vulnerability that made it possible for attackers to decrypt SSL-protected traffic passing between Android or Apple devices and millions of websites. Despite causing major headlines, it seems that many developers are yet to act.

Researchers have tested both the iOS and Google app stores and have found hundreds of Android and iOS apps are still vulnerable despite the issue being disclosed over a fortnight ago. The unpatched apps, which were not identified, are in categories including finance, communication, shopping, business, and medicine.

The findings highlight how even some of the most publicized and severe flaws can take quite a bit of time to get fixed. This is a severe security risk to people using apps whose developers don’t react quickly. Furthermore, many people might be under the impression that upgrading their OS will help (iOS 8.2 mentioned protection from FREAK as one of the reasons to upgrade). However, with 771 of the top 14,000 apps in the iOS App Store still vulnerable – this isn’t the case.

Why is this significant?

The paragraph above contains our main bottom line here. Despite being a major security problem, many big app developers (a large percentage of the vulnerable apps have over 1 million downloads) have neglected to act and by doing so are leaving their users vulnerable. These events also highlight just how many components can affect device security – the OS, the app and/or the app’s server can all leave the user in danger.

Researchers Find 13 new Android Adware Apps on Google Play Store

Despite the fact Google has changed the way apps are vetted onto the Play Store (Google now uses in-house experts) aggressive adware is still finding its way to get in amongst the legitimate apps.

Researchers have 13 examples of adware and malware-like apps on Google Play in recent weeks which vary in their severity. 12 of the 13 cases involved a strain of malware named ‘NotFunny’ which poses as a variety of apps including Facebook and other utility widgets to attract interest before hiding its icon from anyone who installs it.

A second and more rare example was ‘HideIcon’ which poses as a card game and then, as its name suggests, hides its icons from the user as a ploy to push more ads. Not only does it have no embedded terms of service (a serious infringement of Google rules) but was apparently removed from Play by Google several times before sneaking back on.

Why is this significant?

We often mention “Sticking to official app sources” as one of our go-to methods of keeping your device safe. We still stand by this recommendation, however, the story above proves that even that can’t guarantee the safety of your mobile device these days. Threat actors are becoming increasingly sophisticated and during this time it might be “mere” adware. Next time it could be an mRAT (Mobile Remote Access Trojan) that makes its way onto the official app store.

Researchers Identify Potential iOS “Bruteforce” Vulnerability

When your iPhone is locked, it’s usually regarded as being relatively secure – in all fairness, if you don’t know the password then after a certain amount of tries, the device practically self-combust. Sadly, it seems there is a way past this.

There is a new piece of hardware that is apparently doing the rounds amongst phone repair people which automates the tedious business of “brute forcing” entry – that is to say, trying every possible PIN combination.

It works by opening up the phone and connecting via USB, thus enabling multiple combinations to be attempted before quickly rebooting the phone, wiping the temporary memory and starting again. This means that if someone has around 111 hours to spare, they will eventually get into the device.

Why is this significant?

While this isn’t an example of a major risk to large enterprises (if someone is stealing your devices then mobile security isn’t your only problem), there are several things to be learned from this. Here we have a theoretically foolproof security solution that has just been essentially made redundant. This is happening increasingly more often throughout the mobile security ecosphere, and we’d recommend keeping that in mind.