Critical Vulnerability: AWS Credential Disclosure


This is NOT an April Fools joke 

The Trustlook security team has discovered a critical AWS credential leak in many mobile applications. Through bad security practice, some developers, including a few large vendors, have embedded their AWS access keys directly in their mobile applications, and anyone who extracts those keys from the app package gains access to the developer’s Amazon cloud infrastructure.

In an initial scan of apps cached on Trustlook’s cloud platform, we found more than 50 Android applications, including some very popular ones, affected by this vulnerability. Our research team is still working with the vendors to fix it, and more detailed information will be published once we are sure nobody will be harmed by the disclosure.

As for the impact, an attacker holding the key can do almost anything the key’s owner can in that AWS account, including:

1) Start or shut down existing Amazon EC2 virtual machines
2) Read, add or delete data in existing Amazon S3 buckets
3) Add or modify Amazon SNS topics and SQS queues
4) Use any other Amazon service the key is allowed to call

How far that reaches depends on the key itself: a root account key has no limits at all, and an IAM user key is bounded only by the IAM policy attached to it.

A victim’s true story: http://goo.gl/fu0NPB An attacker compromised his AWS account and launched extra-large instances to mine bitcoin.

We have reason to believe that some of the vendors’ backend data has already been leaked.

Some of the scanning results:

Cloud Storage App, 10M – 50M installations: [screenshot]

Reading and Music app, 10M – 50M installations. They tried to hide the access key pair in a library file and load it dynamically, but it can still be reversed: [screenshot]

Popular Social App that everyone knows: the key is encoded, but can easily be decoded: [screenshot]

A glance at the list: [screenshot]

PS:

To developers: it is always a bad idea to hardcode AWS credentials into your app, because anything you put into the code or resources can easily be recovered from the compiled APK; moving the key into a native library or encoding it only delays the reverser. If the app really needs to talk to AWS directly, use Temporary Security Credentials issued through STS (web identity federation), so the app only ever holds a short-lived, scoped token and the long-term key never leaves your backend. (http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html)

Dendroid: Android Trojan Being Commercialized

Today we talk about Dendroid, a remote access tool (RAT) first reported by researchers at Symantec (http://www.symantec.com/connect/blogs/android-rats-branch-out-dendroid).


As an Android trojan, Dendroid raised the bar on malware commercialization: $300 for lifetime updates; 24/7 customer support; Bitcoin and Litecoin accepted, so buyers need not worry about revealing their identity; and an app-repacking service, so you can customize your trojan and bind it to a normal app as a disguise. This trojan even sneaked past Google’s automatic malware scanner into the Google Play Store, and was later removed by Google.

f9faab60a3f1680dcd0b2f98ae1215cb

If you are unlucky enough to download and open it, your phone becomes part of the attacker’s botnet. Dendroid continuously listens for commands from its C&C (command and control) server and executes whatever the attacker sends. It supports a large set of commands, including spying through the camera, recording phone calls and SMS, and even launching a DDoS attack as part of the botnet:

  • mediavolumeup
  • mediavolumedown
  • ringervolumeup
  • ringervolumedown
  • screenon
  • recordcalls
  • intercept
  • blocksms
  • recordaudio
  • takevideo
  • takephoto
  • settimeout
  • sendtext
  • sendcontacts
  • callnumber
  • deletecalllognumber
  • openwebpage
  • updateapp
  • promptupdate
  • promptuninstall
  • uploadfiles
  • changedirectory
  • deletefiles
  • getbrowserhistory
  • getbrowserbookmarks
  • getcallhistory
  • getcontacts
  • getinboxsms
  • getsentsms
  • deletesms
  • getuseraccounts
  • getinstalledapps
  • httpflood
  • openapp
  • opendialog
  • uploadpictures
  • setbackupurl
  • transferbot

Dendroid’s poorly written command-receiving code: [screenshot]

Camera recording: [screenshot]

For self-protection, Dendroid loops to check whether its service is still alive. It can also detect whether it is running in a sandbox and, if so, terminates itself, which delays analysis and lets it survive longer on app markets that rely on simple sandbox-based detection. That trick does not help it against Trustlook: we do not build our sandbox on an emulator, we use real phones, and Trustlook Antivirus now detects Dendroid.
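As an added example, not Trustlook’s engine and not Dendroid’s own code: a string-based check in Python that extracts printable strings from a dex-like blob and matches whole entries against the command list above, requiring several matches and at least two of the rarer names before flagging a sample. Both sample blobs and the class names in them are constructed for this example, and the thresholds are this example’s own choice. A repacked or obfuscated build would not carry these strings unchanged, which is the limit of this kind of signature.

```python
"""Flag a sample by Dendroid's command vocabulary, the way a string signature would.

Added example for this post, not Trustlook's detection engine. The two dex-like
blobs at the bottom are constructed here and the class names in them are placeholders.
"""
import re

# The 38 command names from the list in the post, as the dispatcher compares them.
DENDROID_COMMANDS = frozenset("""
mediavolumeup mediavolumedown ringervolumeup ringervolumedown screenon
recordcalls intercept blocksms recordaudio takevideo takephoto settimeout
sendtext sendcontacts callnumber deletecalllognumber openwebpage updateapp
promptupdate promptuninstall uploadfiles changedirectory deletefiles
getbrowserhistory getbrowserbookmarks getcallhistory getcontacts getinboxsms
getsentsms deletesms getuseraccounts getinstalledapps httpflood openapp
opendialog uploadpictures setbackupurl transferbot
""".split())

# Names a legitimate app has no reason to carry; a couple of these together
# outweigh any number of generic ones such as openapp or takephoto.
HIGH_SIGNAL = frozenset({"httpflood", "transferbot", "setbackupurl", "blocksms",
                         "getinboxsms", "getsentsms", "recordcalls", "promptuninstall"})

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob):
    """Runs of four or more printable ASCII bytes, like strings(1)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def classify(blob, min_total=8, min_high=2):
    """Match whole string-table entries against the command set.

    Whole-entry matching keeps 'intercept' from firing on 'Interceptor' and
    'openapp' from firing on arbitrary method names. The thresholds are this
    example's own choice, not a published signature.
    """
    found = DENDROID_COMMANDS & set(extract_strings(blob))
    high = found & HIGH_SIGNAL
    return {
        "verdict": len(found) >= min_total and len(high) >= min_high,
        "hits": sorted(found),
        "high_signal": sorted(high),
    }


def dex_like(strings):
    """Constructed stand-in for a dex string table: NUL-separated entries."""
    return b"dex\n035\x00" + b"\x00" * 8 + b"".join(s.encode() + b"\x00" for s in strings)


# Constructed samples: a RAT-style build carrying the full command set, and a
# benign camera app that happens to share a few of the generic names.
RAT_SAMPLE = dex_like(["Lcom/example/rat/CommandService;", "onStartCommand",
                       *sorted(DENDROID_COMMANDS), "Landroid/hardware/Camera;"])
BENIGN_CAMERA = dex_like(["Lcom/example/camera/MainActivity;", "takephoto",
                          "takevideo", "uploadpictures", "openwebpage",
                          "mediavolumeup", "Interceptor", "intercept"])

if __name__ == "__main__":
    for name, blob in (("rat", RAT_SAMPLE), ("camera", BENIGN_CAMERA)):
        r = classify(blob)
        print(f"{name}: verdict={r['verdict']} hits={len(r['hits'])} high={r['high_signal']}")
```

The benign sample shares six names with the list and still scores clean, because none of them is in the high-signal set; that split is what keeps a vocabulary match from flagging every camera or SMS app.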


Dendroid might not have the best remote-control capability, but it is so far the most popular and most commercialized one, a sign that the underground Android malware market is growing. Driven by the huge number of potential targets and the profit involved, we believe this kind of malware will appear more often in the near future. Trustlook will keep an eye on these new threats and share our latest updates with you.


Backdoor Found In Android Samsung Galaxy Devices


Developers on the Replicant OS project claim to have uncovered a backdoor in several Samsung Galaxy devices running the stock Android image. The proprietary software that handles communication with the modem implements a set of requests in the modem IPC protocol, called RFS (remote file system) commands, which let the modem ask the application processor to read and write files. By sending crafted RFS commands, the phone’s storage (/sdcard) could be accessed remotely, leaking sensitive data.

A number of Samsung devices, including the Galaxy S 3 and Galaxy Note 2, are affected.

The original write-up can be found here: http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor

Vulnerability Alert: Indeed app remote code execution vulnerability

The Trustlook security research team has discovered a WebView remote code execution vulnerability in the Indeed Job Search app, one of the most popular job-seeking apps with 10 million – 50 million installations.

Here is a proof-of-concept video:

This vulnerability affects the latest version of the Indeed Job Search app. When a user opens the app on a compromised network, an attacker who can tamper with the app’s plaintext HTTP traffic can inject a small piece of JavaScript and execute arbitrary code on the phone. On a rooted phone the attacker can do almost anything remotely, such as installing an APK from the internet; even on an unrooted phone, a successful exploit gives the attacker access to the SD card and sensitive information.

Until the vendor officially releases a patch, we strongly recommend that users only open this app on a trusted network.

————-
Jan 16: Vulnerability discovered during routine scanning of Google Play
Jan 16: Marked as “risky app” in Trustlook Antivirus
Feb 12: Contacted vendor
Mar 6: No response from vendor. Disclosed.