21 Percent of Trustlook Users Are Victims of Identity Theft

Identity Theft continues to be a hot topic on consumers’ minds, according to a recent study from Trustlook Mobile Security, an innovator in next-generation mobile security solutions. The study, based on 438 responses to a survey sent to Trustlook’s user base in March 2016, revealed that a whopping 21 percent of the company’s user base has been victimized by identity theft.

Trustlook’s free identity check feature, named ID Check, was built in response to the increasing number of data breaches across the corporate world. These data breaches typically lead to full-fledged identity theft. According to the Privacy Rights Clearinghouse, over 900 individual data breaches by US companies and government agencies have occurred since January 2005, which together have involved over 200 million total records containing sensitive personal information.

With ID Check, Trustlook users know whether they have been a victim of any past data breaches, and are alerted if they are involved in future breaches. The feature is easily accessible from within the Trustlook Mobile Security application. Once one runs the ID Check feature, our secure servers constantly monitor the data breaches happening here at home and all over the globe to keep any vulnerabilities at bay. By referencing both international and local threats, Trustlook offers industry leading coverage with detection in mere minutes.

Trustlook’s ID Check feature comes at a perfect time and fills a growing need in the market. According to its study, 73 percent of users have never used a tool to monitor their identity, and 49 percent are not even aware that such identity-monitoring tools exist. With more retail and consumer-based companies becoming victims of hackers and phishing software, using Trustlook’s app as the frontrunner in mobile security could save a lot of heartache and headaches.

Download the Trustlook Mobile Security app.

Trustlook Protects 400M AirDroid and Solo Launcher Users

Trustlook has announced partnerships with leading mobile apps AirDroid and Solo Launcher. The Trustlook Mobile Security engine will be embedded within both apps, giving users the opportunity to benefit from Trustlook’s easy-to-use protection from malware and privacy threats.

AirDroid is one of the top apps in the Tools category. The app enables users to access and manage their Android phone or tablet from a computer or on the Web, wirelessly and for free. It lets users transfer files, sideload apps, and even send text messages without picking up their phone.

Solo Launcher is one of the top apps in the Personalization category. The app enables users to customize the interface on a device. It can also improve device performance by restoring memory, boosting speed and clearing storage. Its in-app-search and recommendation features are well recognized by users.

The demand for mobile threat protection has never been stronger. In the third quarter alone, 574,706 different malware strains were found, which is a 50 percent increase compared to the same period last year, according to global security firm G Data. The numbers are expected to grow significantly in 2016.

The partnerships with these leading apps emphasize Trustlook’s intention of making its award-winning security solutions available to enterprises. Trustlook will announce OEM offerings and additional partnerships with top applications throughout 2016.


A Collection of Ads Behind Your Favorite Game App With More Than 6 Million Downloads

– By Trustlook Research Team

A popular Chinese game with more than 6 million downloads secretly promotes other apps using a well-protected and widely used advertisement library.

Package name: com.xyz.ddz

Chinese App name: 欢乐逗地主

Download count: 6,000,000+


Trustlook has discovered a serious adware intrusion within one of the most popular game apps in China. Immediately after installation, the app behaves normally: the user can play the game without restrictions or advertisements. After approximately 4 hours, various types of large full-screen pop-up advertisements (i.e. adware) are displayed, even when the app is not in use.

The app is able to display this adware by importing two ad libraries. These libraries are implemented using native methods, including communicating with the Host App when prompted by the ad. These two ad libraries are widely used, but many anti-virus vendors are not able to detect them. All of the strings in these ad libraries are encrypted, and together these ad libraries adopt at least 8 methods to display ads, including:

  • To display the ad in the middle of the launcher
  • To display the installation notification (which can not be closed) in the middle of the launcher
  • To display the ad in the middle of the browser
  • To display the ad banner at the top of the browser
  • To display the ad banner at the bottom of the browser
  • To display the ad banner at the top of the input method
  • To display a floating ad banner with the Angry Bird icon
  • To create a promoted app icon in the launcher

One of the most popular implementations of this adware is an ad in the middle of the launcher. If you click the ad, then one of the following three APKs will be downloaded:

  • Qihoo mobile assistant APK (when you click the first Ad screen)
  • Qihoo browser APK (when you click the second Ad screen)
  • Jiuyou APK (when you click the third Ad screen)


After you have downloaded the APK file, a pop-up window will notify you to install the downloaded APK file. If you click the Cancel button, the same pop-up window will be displayed every 30 minutes, or whenever you attempt to unlock your phone, asking if you would like to install the APK. This pop-up doesn’t have a “close” button or feature. It’s a never-ending loop that creates a trap for the user.


If you click the “Enter” button (which the app forces, because there is no other way to bypass the action), it pops up another window.


When you open a browser, such as Google Chrome, the ads will be displayed at the top, bottom, or middle of the page. A message also shows up in the notification bar of your device.


The ad is also displayed in the notification bar and inside the browser page.

If you click the banner ad that is displayed on the bottom of a browser window, the following window containing three app icons will appear.


In addition to the pop-up ad displaying the three app icons, a floating banner icon, which looks the same as the Angry Birds icon, will appear on your home screen.


If you click the Angry Birds icon, it pops up a window with a list of apps.


After the app has been installed for 5 hours, it will create a shortcut to the Qihoo mobile assistant on the launcher screen, whether or not you close the ad. Sometimes the ad will pop up suddenly and erratically.


Unfortunately, this shortcut is not a real shortcut that points to the Qihoo mobile assistant app. Instead it points to the Qihoo mobile assistant APK file, which is located on the SD card at the path:

/sdcard/Download/oO_zziS7cMk=/uLRFttrgta+JdOk+ycQ/0Mdf4fxaQpU1MNb+F6O3YquZI+c=

The game did not install the Qihoo 360 app itself, but if you click this icon, it will begin to install the Qihoo mobile assistant app.


After further analysis of this app, we discovered that the advertisement function is implemented in this module: com.xyz.ddz.gauxsw.


Most strings are encrypted, and they are decoded by the function com.xyz.ddz.gauxsw.d.a.a.a():


The routine first base64-decodes the string (the first parameter of this function), then XORs the decoded bytes with the bytes of the second parameter, the key “7b120431-5374-40d1-84d6-624980271ac8”:


Trustlook created a tool to decrypt these strings.


From the analysis we know that the ads are displayed by the com.yt.uulib and youtou.ad.api SDKs, which are two popular adware libraries.
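A re-implementation of the string decoding scheme described above (base64 decode, then XOR with the key), written here as an added example and not Trustlook’s own tool. It assumes the key bytes are cycled over the decoded data, which the post does not spell out, and the ciphertexts it decrypts are constructed for the demo rather than taken from the APK.

```python
import base64
import binascii
from typing import Dict, Iterable, Optional

# The key quoted in the post: the second parameter of com.xyz.ddz.gauxsw.d.a.a.a().
KEY = "7b120431-5374-40d1-84d6-624980271ac8"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key over the data.

    Assumption: the post says the decoded bytes are XORed with the key bytes but
    does not show the loop; a repeating key is the usual form of this scheme."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(b64_text: str, key: str = KEY) -> Optional[str]:
    """Mirror of the routine described in the post: base64-decode, then XOR.

    Returns None for input that is not valid base64 or does not decrypt to
    UTF-8 text, so a bulk run over every string in a dex file does not abort
    on the many strings that are not encrypted at all."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return xor_with_key(raw, key.encode("utf-8")).decode("utf-8")
    except UnicodeDecodeError:
        return None


def encrypt_string(plain: str, key: str = KEY) -> str:
    """The forward direction (XOR is its own inverse); used only to build samples."""
    cipher = xor_with_key(plain.encode("utf-8"), key.encode("utf-8"))
    return base64.b64encode(cipher).decode("ascii")


def decrypt_all(candidates: Iterable[str], key: str = KEY) -> Dict[str, str]:
    """Decrypt every candidate that decodes cleanly; skip the rest."""
    found: Dict[str, str] = {}
    for text in candidates:
        plain = decrypt_string(text, key)
        if plain is not None:
            found[text] = plain
    return found


# Constructed samples: the plaintexts are names taken from the post, the
# ciphertexts are generated here and are not strings from the real APK.
SAMPLE_PLAINTEXTS = ("com.yt.uulib", "youtou.ad.api", "com.uu.action.wakeup")
SAMPLE_CIPHERTEXTS = [encrypt_string(p) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    # The last candidate is not base64 at all and is silently skipped.
    for cipher, plain in decrypt_all(SAMPLE_CIPHERTEXTS + ["plain text, not base64"]).items():
        print(f"{cipher}  ->  {plain}")
```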

These two ad libraries are able to display ads in two ways:

  • Floating banner
  • Fixed banner

We found that the app uses a self-protect function to protect itself and to evade anti-virus vendors. It runs 3 processes (it runs one first, which then forks two more). When you kill any of them, it restarts and runs the 3 processes again.


We also found that this app uses a native library to notify the main app, which then activates the native library file. The file is named daemon_exe, is a .so file, and is placed in:

/data/data/com.xyz.ddz/files/jklm/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/IL2msjinFbNh3jOA/RwR-jYJzNcY=/vR48I2IAv5GNfwRrMoe0zA==/daemon_exe

The main app checks whether the user’s phone is rooted. If it is, the main app loads daemon_exe into the system as the root user.


After analyzing this native library file, we found that its main function is to communicate with the main app over a local TCP connection (127.0.0.1:5037, i.e. port 0x13AD) and then send a broadcast to it to wake it up and display the ad.


Once executed, the native library runs this command as the root user:

/system/bin/am broadcast -a com.uu.action.wakeup --es start_bc_send_id $ro.build.version.sdk(var)$ --include-stopped-packages --user 0

This command sends a broadcast with the action com.uu.action.wakeup. It carries the string extra start_bc_send_id, set to the phone’s SDK version number ($ro.build.version.sdk), together with the --include-stopped-packages flag so that the broadcast also reaches packages in the stopped state, and it is delivered as user 0.

From the manifest, we know that this broadcast could be received by com.xyz.ddz.gauxsw.a.e.a:


At the time of this release, the Trustlook Mobile Security and Blue Frog Mobile Security apps detect the malicious behaviors of the sample studied here.

Trustlook Integrates Adware Detection Feature

Just like malware, adware is becoming a significant problem for mobile users. Have you ever wondered how that mysterious icon ended up on your Android phone’s start screen? Or what about the annoying ads clogging your notification bar? You aren’t alone. Thousands of Android apps now include software that shoves marketing icons onto your phone’s start screen or pushes advertising into your notification bar, and many of the apps give you no warning about the ad invasion.

Android remains an adware magnet with tens of thousands of apps that collect information without the user’s knowledge. Such adware aggressively collects personal information from the mobile device it’s installed on, including things such as name, birth date, location, serial number, contacts, and browser bookmarks. Like malware, this data is often collected without users’ consent.

But fear not! Trustlook has just released an Adware detection feature in version 3.1.8. If Trustlook detects adware within any of your apps, you will be notified and will be able to uninstall the app if you choose.


Trustlook Featured in eMarketer Report

Like adults, children are increasingly connected to the digital world. And while parents are granting them use of these devices, they also want features on the devices that they can control.

According to December 2015 research from Trustlook, nearly two-thirds of parents in Canada, the UK and the US said they wanted a feature on their child’s mobile phone that would block websites, such as those about gambling and pornography. And 43% of respondents said that limiting time spent on applications such as social media was something they would like to control.

Knowing their child’s location, and monitoring their child’s incoming and outgoing calls and texts were other features that more than a third of parents wanted to control on their kid’s mobile phone. Just 14.1% of respondents said they didn’t want any features on their child’s mobile phone that they would control.

A majority of devices, like mobile, are gifted to children. A June 2015 study by the Harris Poll asked US parent internet users about the age at which their children first received consumer electronics or mobile devices. The survey found that the 8-to-11 age range was the most common for the majority of options.

eMarketer estimates that 11.0 million children under 12 in the US will own a mobile phone and use it at least monthly this year, as will 22.1 million 12- to 17-year-olds.


4 Top Data Breach Trends

In 2015, the U.S. identity fraud victim count increased by 3% to 13.1 million, but the dollars stolen decreased by 6% to $15 billion, according to Javelin Strategy & Research’s 2016 Identity Fraud Study.

Javelin, based in Pleasanton, Calif., also found that the rise of EMV made a significant impact on fraudsters’ behavior, doubling the instances of new account fraud. In addition, many consumers who do not trust their financial institutions engaged in behavior that lowered their chances of discovering fraud.

The 2016 Identity Fraud Study pinpointed these four significant trends:

1. There were more identity fraud victims, but less money was stolen.

2. EMV led new account fraud incidents to double.

3. Consumer choices negatively impacted fraud detection.

4. U.S. consumer data was used in international fraud.

Read the complete report here.


The Lie of “thunderous” speed – an Analysis of the Leidian OS and its Apps

– By Trustlook Research Team

You thought you installed an accelerating tool, when in fact a backdoor has sneaked into your mobile phone.

Leidian OS was recently promoted by the Qihoo 360 security tool. It claimed that if you flash Leidian OS into your mobile phone, the phone will run 30% faster and will save more battery life.

We analyzed Leidian OS and its installation process, and found that the Leidian OS actually contains a backdoor function which flashes a customized recovery image into the mobile phone using the fastboot tool. It also uninstalls system updates from other security apps (most of which are pre-installed apps by mobile phone vendors) according to a predefined blacklist and whitelist. The uninstallation of these apps will expose the mobile phone to security vulnerabilities.

Leidian OS also installs the Leidian App market, Leidian browser, Leidian assistance, Leidian acceleration and the 360 security tool without the user’s consent. Moreover, it modifies the system’s certificate to install apps in the /system directory and to obtain the SYSTEM privilege. As a consequence, it can execute critical operations and hook important functions to monitor system activities. It also leverages Qihoo360’s root tool to obtain root access. Last but not least, the Qihoo360 security tool does not give a clear notification to users when Leidian OS is being flashed. Instead, it just tells the user to “experience a much faster mobile phone” with a single click, as shown in Fig. 1, and does not describe the risk to the user after the process. All of these actions leave the user more exposed in an insecure environment.

After our analysis, we found that Leidian OS is developed by two companies called “KuRuiMeng” and “CHIMA”, which are subsidiaries of Qihoo360. Leidian OS has embedded several modules of the Qihoo360 mobile security tool as well.

Below is the detailed analysis, along with the steps to install the Leidian OS.

As shown in Fig. 1 and 2, by installing the latest Qihoo360 security tool in the Windows version and clicking “more” in the lower right corner to get more tools, you will find “Leidian OS” to open the installation window.

Fig.1 – The entrance to the Leidian OS in Qihoo360 security tool – Step 1. 

Fig.2 – The entrance to the Leidian OS in Qihoo360 security tool – Step 2. 


Fig.3 – The installation window of the Leidian OS in Qihoo360 security tool

When clicking the green “experience instantly” button in Fig. 3 above, the Qihoo360 security tool begins to download the related files and applications, which are saved in C:\Documents and Settings\Administrator\Application Data\CleanAndroid.

Fig.4 – Begin to install the Leidian OS to the mobile phone

By monitoring the downloading process, we found that these files were downloaded by the 360CleanHelper.exe process.

We also found the related JSON file containing the download information, as shown in Fig. 5; the contents of the JSON file are in Table 1.


Fig.5 – 360CleanHelper.exe drops the Leidian OS installation files


Table.1 – The JSON file containing the downloading information.


Fig.6 – Downloading information of the Flash tool


Fig.7 – The flash tool package


Fig.8 – The flash tool package in the Cleandroid directory


Fig.9 – Files in “tools” directory of the “Cleandroid” directory

From the tools package info we see that the Leidian OS is installed by flashing the recovery.img into the phone with the fastboot tool. Then it uses the “adb” tool to install APKs into the phone. According to the JSON file in Table 1, the download address is dl.so.keniub.com. By monitoring the IP (101.199.109.90) and querying its DNS info, we find that the download server is hosted by Qihoo360. From the Leidian OS customer service webpage (http://leidianos.com/privacy.html) we find that the company’s address is the same as that of Qihoo360, which further reveals the development and operational relationship between Leidian OS and Qihoo360.


Fig.10 – The download address of the Leidian OS


Fig.11 – The DNS query info of the download address

As shown in Fig. 9, the details of the files in the CleanAndroid directory are explained as follows:

  • ChiMaster.zip contains an apk file, which is used for auto-starting after the boot process and to start some important services.
  • com.chima.customizationassist contains a file called Hurricane.apk.
    • It’s used for uninstalling or disabling some apps according to a blacklist and a whitelist.
  • com.leidianos.osspecial.zip contains an App which realizes a custom App loader.
    • It uses this tool to automatically capture the WeChat bonus in WeChat chat groups.
    • This feature is popular and is used to attract more users to install Leidian OS.
    • But it will make the WeChat App unsecure, resulting in the possible disclosure of the WeChat username and password.
  • leidianLauncher.zip displays the UI of the Leidian OS and starts some apps.
  • leidianProvider.zip uninstalls some system apps according to a blacklist and a whitelist.
  • donghua.zip displays animation after the mobile phone is booted.
  • netd.zip is for network management and the firewall function.
  • update.zip contains a dexdump tool to parse the dex files.
  • UpdateCentre.zip is for rooting the mobile phone and hooking some important functions.

The certificates of the attached files are explained below.

leidianLauncher.apk file’s certificate is shown in Fig. 12:


Fig.12 Certificate of the leidianLauncher.apk file

chima.apk file’s certificate is shown in Fig. 13:


Fig.13 Certificate of the chima.apk file

As shown in Fig. 12 and Fig. 13, they are developed by KuRuiMeng and CHIMA, which are subsidiaries of Qihoo360.

Below is the analysis of three important apps (ChiMa.apk, updateCenter.apk and Hurricane.apk).

1. ChiMa.apk

The package name is com.chima.vulcan. It is installed in the /system directory on the user’s phone and has the same certificate as the OS, so it can obtain the system privilege, as shown in Fig. 14. Therefore, it starts after the mobile phone boots. It collects the user’s information, including IMEI, serial number, operator, gender, location, CPU info, the list of running processes, etc.


Fig.14 – The SYSTEM uid owned by the Chima.apk

This App drops a file called libchimahelper.so from its assets directory, and it hooks three important functions in the Dalvik layer: bindService, startService and getContentProvider (as shown in Fig. 15). This allows it to monitor and control some of the communications between the components in the system.


Fig.15 – The hooking to bindService function in chima.apk

The App also implements many sensitive remote execution commands, such as installing apps remotely, disabling components remotely, etc. The command list is shown in Fig. 16.


Fig.16 – Some remote execution commands in the Chima.apk

As shown in Fig. 17, we found that multiple function calls in this app are implemented via reflection. This method is often used by malware to evade anti-virus detection.


Fig. 17 – Reflection calling to some functions used in Chima.apk

2. updateCenter.apk

The app is for rooting and hooking the system (as shown in Fig. 18). It allows for full control of the mobile phone.


Fig. 18 – The hooking of many functions in the updateCenter.apk file

The app also hooks the native functions, as shown in Fig. 19.


Fig.19 – The hooking to the native functions

The root module RootMan is located in the com.qihoo.permmgr.RootMan package. After our verification we found that this module is the same as the one in Qihoo360’s root tool (named “360 Root By One Click”). By concatenating the strings of different mobile phone models and related info and sending them to Qihoo360’s server, as shown in Fig. 20, we obtained different root exploits to execute, as shown in Fig. 21.


Fig.20 – Concatenation of a special URL for downloading respective root exploits using specific phone models


Fig.21 – Execution of the root exploit in updateCentre

3. Hurricane.apk

The app uninstalls the apps on a user’s mobile phone according to a list, which includes most of the mobile phone vendors’ update and security applications. After this uninstallation process, the user’s mobile phone will be less secure. The list of uninstalled apps is as follows:

com.aliyun.fota
com.tencent.nanji.updater
com.yulong.android.ota.client
com.facebook.katana
com.bbk.updater
com.android.guanli
com.lenovo.safecenter
com.dxkj.xsb
com.smartisanos.updater
com.android.ota
com.nokia.update
com.adups.fota
gn.com.android.update
com.lge.update
cn.nubia.systemupdate
com.android.update
com.android.GioneeSysUpdate
com.lenovo.safecenterpad
com.huawei.systemmanager
com.htc.UpgradeSetup
com.lenovo.ota
com.meizu.flyme.update
com.yulong.android.seccenter
com.icoolme.android.upgrade
com.zte.zdm
com.zxly.assist
com.mediatek.GoogleOta
com.tianqi2345
com.oppo.trafficmonitor
com.huawei.android.hwouc
com.android.jrdfota
com.yunos.securityagent
com.htc.updater
com.aurora.netmanage
com.hmct.updater
com.qualcomm.update
com.browser2345
com.android.activate
com.mgyun.shua.su
com.android.provision.system
com.newbee.datausage
com.oppo.safe
com.oppo.virusdetect
com.iqoo.secure
com.sec.android.fwupgrade
com.romjd.android
com.hisense.updater
com.oppo.ota
com.yulong.android.ota
com.wsdm
com.ahong.update
com.sec.android.fotaclient
com.policydm
com.lenovo.safecenter.plugin
com.wssyncmldm

Suggestions: Go to your mobile phone vendor’s official website to find the correct recovery image file and reflash your mobile phone if Leidian OS has been installed.

“Wormhole” Round 3: Analysis of the 360 Browser “Anywhere Door” Remote Code Execution Vulnerability

“It’s not a bug, it’s a feature.” – as developers often say

“It’s not a vulnerability, it’s a backdoor.” – as hackers often say


Trustlook demonstrated the new “Wormhole” vulnerability in the 360 Browser in a previous blog post; this time we are publishing some of the details.

The Android version of the 360 Browser needs little introduction: its downloads on the 360, Tencent and Wandoujia markets add up to more than 460 million. This “Anywhere Door” vulnerability is more powerful than Baidu’s “Wormhole” and the 360 Mobile Assistant’s “DimensionDoor”: the attacker is not limited to a handful of remote-control functions, but can execute arbitrary commands. On a rooted phone, apps can be silently installed and uninstalled remotely without any trouble. If this were turned into a worm that scanned 3G/4G networks in bulk and propagated automatically, the consequences would be hard to imagine.

The demo video of the vulnerability is below:

The affected versions of the Android 360 Browser are 6.9.9.70 beta and below. On November 23, a white-hat researcher posted the vulnerability to Wooyun (http://www.wooyun.org/bugs/wooyun-2015-0155003), and within 24 hours Trustlook published a demo of the vulnerability (http://blog.trustlook.com/2015/11/24/a-glance-at-the-wormhole-on-360-browser/). On the same day, 360 released 6.9.9.71 beta, which fixes the vulnerability. Given the enormous damage this vulnerability could cause, we did not publish the exploitation details immediately, to give users more time to patch.

When the 360 Browser is uninstalled, it pops up a “user survey” asking why the user is uninstalling. This feature is implemented in a .so file called um.3 (short for UninstallManager). This library starts a separate process; when it receives the uninstall message, it uses the “am start” command to launch the browser and display the “uninstall survey” web page.

um.3 is released from the assets folder.

um.3 occupies a separate process.

The inter-process communication mechanism of um.3 is implemented with a custom HTTP server, which, just like in every Wormhole vulnerability, became the root of all evil. This server listens on port 6587 of the phone and accepts connections from any address. The functions it supports are very simple: 1. query the version; 2. launch the browser.

um.3 listens on port 6587 after its first launch.

For example, when the “uninstall survey” is popped up, the command executed is as follows:

/data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser --execute am start -n com.android.browser/.BrowserActivity -a android.intent.action.VIEW -d http://serv.mse.360.cn/whyuninstall?Mid=95767669835b2b90bc459ee68d1ea6a7\\&Wid=81e188a23869a898d1343eaa20c11495\\&Verc=6.9.9.14\\&Mdl=iPhone\\&Osver=4.2.1\\&Net=WIFI\\&Chl=h986596 --user 0

But the developers made a fatal mistake here.

1. The command is executed with the system() function, with no filtering of the command at all.

2. The URL of the page to be opened is passed in as part of the command, and this URL is remotely controllable: it comes directly from a GET parameter of the remote request.

As long as the attacker uses a semicolon to terminate the preceding command, every malicious instruction written after it will be faithfully executed by the 360 Browser...

To understand the logic of this HTTP server, we reverse engineered um.3 into C code with IDA Pro/Hex-Rays and added comments. There are two key functions: sub_9018 and sub_9078, which parse the URL parameters and implement the HTTP server logic respectively. Interested readers can click to view the enlarged image.

In short, the problematic command looks like this:

am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s

The value of the GET parameter “u” is substituted into the first %s, and the GET parameter “t” must be “1”.

With just one line, sending a single request, arbitrary code can be executed remotely on a phone that has the 360 Browser installed:

curl -X http://[target IP]:6587/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;

Run it, and you will find a new lol.txt on the target phone’s SD card. More complex attack functionality is up to your imagination ;-)

When the command executes successfully you will see this response.

On a non-rooted phone, the attacker has the same permissions as the 360 Browser, including sending and reading SMS messages, reading call logs, accessing browsing history, and monitoring the camera and microphone...

On a rooted phone, the attacker is as free as a bird: silent uninstallation and silent installation, for example. Even if the user has installed a root management tool such as “SuperSU”, the process requesting root privileges shows up as “360 Browser”; users of the “number company” (Qihoo 360) are surely used to that by now, so gaining their trust is easy.

Finally, Trustlook recommends that all users make sure they have upgraded to version 6.9.9.71 or later.

Analysis of the “Anywhere Door” Vulnerability on the 360 Browser

“It’s not a bug. It’s a feature.” – A developer’s quote

“It’s not a vulnerability. It’s a backdoor.” – A hacker’s quote


We first introduced “Anywhere Door” (in Chinese: “任意门”) in this previous article. “Anywhere Door” is a new Wormhole vulnerability that affects versions of the 360 Browser prior to 6.9.9.70 beta. By sending a certain crafted HTTP request, a remote attacker can execute an arbitrary shell command on the target phone, with the privilege of the 360 Browser app. If the phone is rooted, the attacker can do anything on the root user’s device, such as install and remove apps.

In this article, we will disclose more details of this vulnerability.

Like all the Wormhole vulnerabilities that have come before it, “Anywhere Door” is triggered on a customized HTTP server, on the port 6587. The server is used for cross-process communications, and contains a few APIs, such as popping-up a browser window. The purpose of this API is to display an “uninstall survey” when the main app is being removed. And the server logic is implemented by a native library (.so file) called um.3 (UninstallManager we guess?)

Port 6587 will be opened upon the first launch of the 360 browser.

The HTTP server in um.3 is running in an independent process.

The um.3 will be copied from the assets folder to the so_libs folder.

When handling the “launch browser” request, we found that um.3 directly executes a shell command to launch the browser process. For example, when popping up the “uninstall survey”, the command goes like this:

/data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser --execute am start -n com.android.browser/.BrowserActivity -a android.intent.action.VIEW -d http://serv.mse.360.cn/whyuninstall?Mid=95767669835b2b90bc459ee68d1ea6a7\\&Wid=81e188a23869a898d1343eaa20c11495\\&Verc=6.9.9.14\\&Mdl=iPhone\\&Osver=4.2.1\\&Net=WIFI\\&Chl=h986596 --user 0

There is a critical vulnerability in this design: the URL, which is part of the shell command, is controllable by an HTTP GET parameter, and the entire command is executed via system() without any filtering, causing a remote command injection vulnerability. A remote attacker could use “;” to close the original “am start” command, add any malicious commands after the “;”, and have those commands executed by the 360 browser on the target phone.

We reverse engineered um.3 using IDA Pro/Hex-Rays. The critical code is mainly in two functions, sub_9018 and sub_9078, which are used for handling the HTTP server logic and GET parameter parsing. The code logic is explained in the comments in the following figure (click for enlarged image):


From the reversed C code, we can see that the raw command to be executed is:

am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s

And the value of GET parameter “u” will be filled in the first “%s” (while the “t” value must be set to “1”). To exploit it, all an attacker needs to do is simply send the following request:

curl -X http://[target IP]:6587/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;

After that, the attacker will find a lol.txt generated in the sdcard folder.
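To make the root cause concrete, here is an added example (not code from this post, the Chinese version above, or um.3 itself) that models the handler in Python: the vulnerable string construction beside a hardened version that validates the u parameter and builds an argv list for a shell-free spawn, plus a detection helper that reports the shell metacharacters an injected value carries. The from_value and the benign survey request are assumptions; the malicious request is the one shown in the post.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# The command template recovered from um.3 in the post; the GET parameter "u"
# is substituted into the first %s. The origin of the second %s is not stated
# in the post, so the caller supplies it here (hypothetical "from" value).
AM_START_TEMPLATE = ("am start -n com.qihoo.browser/.BrowserActivity "
                     "-a android.intent.action.VIEW -d %s -e from %s")

# Characters that let a value spliced into a system() string start new commands.
SHELL_METACHARS = frozenset(";|&$`<>\n")

# Constructed requests: the first is the request shape shown in the post, the
# second is a benign request with a percent-encoded survey URL (made up here).
MALICIOUS_REQUEST = "/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;"
BENIGN_REQUEST = "/t=1&u=http%3A%2F%2Fserv.mse.360.cn%2Fwhyuninstall%3FMid%3Dabc%26Wid%3Ddef"


def parse_request_params(request_path: str) -> Dict[str, str]:
    """Split '/t=1&u=...' into GET parameters, the way the um.3 server sees them."""
    params: Dict[str, str] = {}
    for pair in request_path.lstrip("/?").split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def command_as_um3_builds_it(params: Dict[str, str], from_value: str) -> str:
    """The vulnerable construction: the raw 'u' value is dropped into one shell
    string, which um.3 then hands to system(). Returned here, never executed."""
    return AM_START_TEMPLATE % (params.get("u", ""), from_value)


def shell_metachars_in(value: str) -> set:
    """Detection helper: the shell metacharacters present in a parameter value."""
    return {c for c in value if c in SHELL_METACHARS}


def build_am_start_argv(params: Dict[str, str], from_value: str) -> Optional[List[str]]:
    """Hardened construction. Validates 'u' as an http(s) URL with a host and no
    whitespace or control characters, then returns an argv list for an
    execv()-style spawn with no shell, so nothing in 'u' can become a command.
    Returns None to refuse the request."""
    if params.get("t") != "1":
        return None
    url = params.get("u", "")
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return None
    return ["am", "start", "-n", "com.qihoo.browser/.BrowserActivity",
            "-a", "android.intent.action.VIEW", "-d", url, "-e", "from", from_value]


def handle_launch_request(request_path: str,
                          from_value: str = "uninstall_survey") -> Tuple[Optional[List[str]], str]:
    """Returns (argv, note): argv is None when the request is refused, and the
    note is what a log line should record about the refused value."""
    params = parse_request_params(request_path)
    argv = build_am_start_argv(params, from_value)
    if argv is not None:
        return argv, "ok"
    bad = shell_metachars_in(params.get("u", ""))
    if bad:
        return None, "refused: shell metacharacters in u: " + "".join(sorted(bad))
    return None, "refused: t is not 1 or u is not an http(s) URL"


if __name__ == "__main__":
    print(command_as_um3_builds_it(parse_request_params(MALICIOUS_REQUEST), "x"))
    print(handle_launch_request(MALICIOUS_REQUEST))
    print(handle_launch_request(BENIGN_REQUEST))
```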

By default, the attacker could share the privileges of the 360 browser, such as sending and accessing SMS messages, reading the call logs, accessing browser history, and monitoring the camera and microphone.

If you are targeting a rooted phone, you can do almost anything. For instance, silently replacing the user’s banking app with a phishing app (as shown in the following video). Even if the user has installed a root management tool like SuperSU, the confirmation dialog will appear in the name of the 360 browser, which is likely to be trusted by the user.

Reference:
[1] http://www.wooyun.org/bugs/wooyun-2015-0155003

A Glance at the “Anywhere Door”, Another Wormhole on the 360 Browser


The 360 browser is a popular browser on both the PC and mobile platforms in the Chinese market. It is known for its security, and has a total download number of more than 460 million on the 360 market, Tencent market and Wandoujia.com combined.

24 hours ago, a new vulnerability of the 360 browser was posted on Wooyun.org [1] (a popular vulnerability disclosure platform in China). After careful analysis of the 360 safe browser (com.qihoo.expressbrowser), another critical vulnerability “Anywhere Door” was found.

Like the “Wormhole” and “DimensionDoor”, the Anywhere Door is triggered on a customized HTTP service. We noticed that the HTTP service will not be shut down even after the app is patched. To stop this service, users need to manually disable it in the system settings, or reboot the phone.

Qihoo pushed the update 6.9.9.71 beta on Nov 23 to address this bug. According to our tests, the previous versions before Nov 23, such as 6.9.9.70 beta, are vulnerable. If you are using the 360 browser, and haven’t updated it after Nov 23, please make sure to update it to 6.9.9.71 beta or newer, then restart your phone.

What can this vulnerability do?

This vulnerability could lead to remote code execution on any Android phone with the 360 browser installed. Keywords: remote, silent, flexible.

For rooted phones: the attacker can do pretty much everything, such as install APKs from the Internet in the background, access emails & SMS, monitor the camera and microphone. It is more flexible than the “DimensionDoor”. If the user has installed a root management tool such as SuperSU, the confirmation dialog will be popped up in the name of the 360 browser, which is likely to be trusted by users.


For unrooted phones: the attacker could share the permissions of the 360 browser, such as sending and accessing SMS, reading the call logs, accessing browser history, and monitoring the camera and microphone.


As of today, Nov 23, most of the users have not upgraded their 360 browser to the latest version. The detailed analysis and exploitation code will be released in a later blog, after users have had a chance to protect themselves.

We made a PoC video for this vulnerability. In this demo, we triggered it remotely on a rooted phone, and replaced the genuine banking app with an arbitrary app.

This blog will be updated soon with more details and exploitation simulations. Stay tuned!

Reference:
[1] http://www.wooyun.org/bugs/wooyun-2015-0155003