Taking Photos Without Notifications: Bug or Feature?

Openness often brings security risks. Several days ago, Szymon Sidor published a blog post showing that it is possible to take a photo or video on Android without displaying any notification. Malware could send the photos over the internet to a C&C server and spy on the victim. This is shown in the proof-of-concept below:

Taking photos without showing the preview UI is not recommended by Android, but it is doable. It seems like a feature rather than a bug. In fact, many existing Android apps already implement this feature; take the “Find my Phone” app as an example. It can take photos with the front camera without showing any notification, intended to snap the thief’s face once your phone is stolen.

According to our tests, there are at least three ways to hide the preview UI:

  • Set the preview UI size small enough (e.g. 1×1 pixel)
  • Set the preview UI margin large enough that it exceeds the visible screen area
  • Create the preview UI with new() and never set its position/size
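A layout-level check for the first two hiding tricks, as an added example that is not code from the original post or the linked PoC. It assumes a decompiled Android layout XML and the thresholds noted in the comments; a preview created with new() in code (trick 3) never appears in layout XML and needs dynamic analysis instead.

```python
"""Flag camera preview views that would be invisible to the user.

Added example (not from the post or the PoC): scans a decompiled Android layout
XML for SurfaceView/TextureView elements that are tiny or pushed off-screen.
"""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
PREVIEW_VIEWS = {"SurfaceView", "TextureView"}
TINY_PX = 2          # assumed threshold: 2 px or smaller is not a usable preview
OFFSCREEN_PX = 4096  # assumed threshold: larger than any phone screen edge

def dimension_px(value):
    """Parse '1px', '1dp', '-10000dip' into an int; dp is treated as px here."""
    m = re.fullmatch(r"(-?\d+(?:\.\d+)?)(px|dp|dip|sp)", (value or "").strip())
    return int(float(m.group(1))) if m else None  # match_parent, @dimen refs -> None

def find_hidden_previews(layout_xml):
    """Return [(tag, reason)] for preview views that a user could not see."""
    findings = []
    for elem in ET.fromstring(layout_xml).iter():
        if elem.tag.rsplit(".", 1)[-1] not in PREVIEW_VIEWS:
            continue
        w = dimension_px(elem.get(A + "layout_width"))
        h = dimension_px(elem.get(A + "layout_height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            findings.append((elem.tag, f"tiny preview {w}x{h}"))
            continue
        for side in ("layout_marginLeft", "layout_marginTop", "layout_marginStart"):
            margin = dimension_px(elem.get(A + side))
            if margin is not None and abs(margin) >= OFFSCREEN_PX:
                findings.append((elem.tag, f"{side}={margin} puts the view off-screen"))
                break
    return findings

# Constructed sample layout: one 1x1 preview, one pushed off-screen, one normal.
SAMPLE_LAYOUT = """<FrameLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent" android:layout_height="match_parent">
  <SurfaceView android:layout_width="1px" android:layout_height="1px"/>
  <TextureView android:layout_width="200dp" android:layout_height="200dp"
      android:layout_marginLeft="10000dp"/>
  <SurfaceView android:layout_width="match_parent" android:layout_height="300dp"/>
</FrameLayout>"""

if __name__ == "__main__":
    for tag, reason in find_hidden_previews(SAMPLE_LAYOUT):
        print(tag, "->", reason)
```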

We also built a proof-of-concept app that turns a phone into a spy camera, to demonstrate how easy it is to turn this feature into malware.

Although not every background snapshot is malicious, it is suspicious behavior, so the Trustlook Platform logs all background camera activity.


The PoC code can be found at: https://github.com/hex1337/spycamera.

Android Ransomwares – A True Threat or Bluffing?

What is a Ransomware?

When talking about the cybercrime industry, the “business model” is often more important than the technology itself. Ransomware is a kind of malware that restricts access to the user’s system or data and blackmails the victim into paying money to get the restriction removed. One of the most well-known (and profitable) ransomware families on PC was Cryptolocker. It emerged in Eastern Europe and spread internationally at the end of 2013; Cryptolocker encrypted the victim’s hard drive and demanded 400 USD, or the equivalent in euros or BTC, for the private key needed to decrypt it. ZDNet traced the four Bitcoin wallets used to receive ransom payments and found an income of 41,928 BTC between October 15 and December 18, worth US$27 million at the time.[1]


Ransomwares on Android

While initially popular on PC, ransomware scams have begun to cross over to Android. In this article we discuss two Android ransomwares our platform intercepted: “Fakedefender” and “BaDoink”. Compared to their PC counterparts, both their technical sophistication and their threat level are significantly lower, and they rely mostly on social engineering to extort money.


  • Name: Fakedefender (Trojan.FakeAV.D)
  • Package: com.avastmenow
  • MD5: E790C4295B8ADB23D090BAE5D6EB786A

Fakedefender is a very simple app that contains only a basic UI and is technically harmless to your phone. It pretends to be a pornography app, and then an “antivirus” window (disguised as Avast) suddenly pops up. Afterwards a screen is displayed telling you that your phone has been locked and that you need to pay $300 via MoneyPak to get it “unlocked”.


  • Name: BaDoink (Trojan.Koler.A)
  • Package: com.android
  • MD5: FB14553DE1F41E3FCDC8F68FD9EED831 / 67bde6039310b4bb9ccd9fcf2a721a45

Have you ever watched child porn? The FBI is coming for you! Trojan.Koler.A blackmails the user in a more professional way: it shows your IP address and location and threatens you with 5 to 11 years in prison for downloading child porn, unless you pay a $300 fine. Moreover, it keeps popping up the warning screen every minute, and it hooks receivers to pop up the warning screen every time you unlock the phone.


Threat or Bluffing?

Strictly speaking, these two examples are not “ransomware” but scam apps, because they cannot do actual damage to the user’s data or phone; they extort money purely through social engineering. This is due not only to the malware developers’ technical skills, but also to the design of Android. On Windows, every application has full access to the entire storage by default, including the user’s personal data and system files. Android apps’ permissions are much more restricted: their storage access is limited to the app’s own folder by default.

Let’s think from the attacker’s perspective: is it possible to make an Android ransomware like Cryptolocker on PC? The answer is yes. It is still doable for an Android developer to make ransomware that can actually damage your phone or data to force you to pay a ransom.

First, any app can access the SD card by requesting the permission android.permission.WRITE_EXTERNAL_STORAGE. An attacker could write an app that encrypts the victim’s SD card, which may contain important data, and blackmail the user just as Cryptolocker does.

Second, there is an Android feature that grants developers higher privileges: the Device Admin APIs. This is a powerful tool used by enterprise applications; it can change the phone’s passcode, encrypt the storage and even wipe all data from the phone. To enable the device admin APIs, all a malware developer needs to do is lure the user into clicking “allow” on the permission screen.

[Image: device admin activation prompt]

Think about it: most users don’t know what device admin is, what it can do or how to disable it. Some users are used to clicking “allow” on every permission screen, especially when the ransomware is disguised as another trusted app. After the user has clicked “allow”, the question becomes: would you pay a few hundred bucks to save your phone’s data from being wiped (or to get the passcode to access your phone again)?

Third, on rooted phones the ransomware would have enough privilege to do serious damage. The ransomware might also exploit vulnerabilities such as the “master key vulnerability” to escalate its privileges to those of a system app.
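A manifest triage check for the capabilities described in the three points above, as an added example that is not Trustlook’s tooling or code from the samples analysed. It assumes a decoded AndroidManifest.xml plus the device-admin policy XML it references, and reports SD-card write access, device-admin policies that can lock, wipe or encrypt the device, and a receiver that fires on every unlock (the behaviour described for Trojan.Koler.A).

```python
"""Triage heuristic: which ransomware capabilities does an app declare?

Added example (not from the post or the analysed samples). Inspects a decoded
AndroidManifest.xml and its device-admin policy XML for the capabilities a
"real" Android ransomware would need.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
# Device-admin policies that can lock, wipe or encrypt the device.
RISKY_POLICIES = {"wipe-data", "reset-password", "encrypted-storage", "force-lock"}

def triage_manifest(manifest_xml, device_admin_xml):
    """Return a sorted list of capability findings for the given XML strings."""
    findings = set()
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        findings.add("sdcard-write")          # can reach the user's SD card data
    for r in root.iter("receiver"):
        if r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.add("device-admin")      # asks the user to activate device admin
        for act in r.iter("action"):
            if act.get(A + "name") == "android.intent.action.USER_PRESENT":
                findings.add("unlock-hook")   # runs every time the phone is unlocked
    if "device-admin" in findings:
        policies = {e.tag for e in ET.fromstring(device_admin_xml).iter()}
        for p in policies & RISKY_POLICIES:
            findings.add("policy:" + p)
    return sorted(findings)

# Constructed sample mimicking the capabilities described in the post.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.test">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".Nag">
      <intent-filter><action android:name="android.intent.action.USER_PRESENT"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
DEVICE_ADMIN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><reset-password/><wipe-data/><encrypted-storage/></uses-policies>
</device-admin>"""

if __name__ == "__main__":
    print(triage_manifest(MANIFEST, DEVICE_ADMIN))
```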

In conclusion, although the existing Android “ransomwares” are better described as bluffing, the possibility of a real “Android Cryptolocker” still exists despite Android’s sandbox architecture. Trustlook Antivirus can now perfectly detect the ransomwares mentioned in this article.

———-

[1] CryptoLocker’s crimewave: A trail of millions in laundered Bitcoin. ZDNet. http://www.zdnet.com/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin-7000024579/

Security Vulnerability on Audible Android App

The Trustlook security team has decided to disclose a vulnerability we discovered in Audible, an Amazon app.


Audible is a popular audiobook app with 10M-50M installs. When accessing its backend servers on AWS, Audible handles access improperly: AWS credentials with root privileges are hardcoded inside the binary code of a library file. An attacker could extract the keys by reverse engineering and gain access to Audible’s cloud infrastructure, doing anything on behalf of the developer’s AWS account, including:

  • Create or shut down Amazon EC2 hosts
  • Add or delete Amazon S3 storage servers
  • Manipulate SNS and SQS services
  • Other features supported by the AWS API: access backup volumes/snapshots, change security groups, etc.
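A build-time scan for credentials of this kind, as an added example that is not Trustlook’s tooling or Audible code. It assumes the raw bytes of a native library or DEX file and uses the well-known AWS access key ID format (AKIA followed by 16 uppercase alphanumerics) with a 40-character secret candidate within an assumed window after it; the sample uses the placeholder credentials from AWS documentation.

```python
"""Scan a binary blob for hardcoded AWS credentials before shipping a release.

Added example (not Trustlook's or Audible's code). Any key found this way must
be rotated on the AWS side; removing it from the next build is not enough.
"""
import re

ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 256  # assumed: the secret usually sits within a few hundred bytes of the key ID

def find_aws_credentials(blob):
    """Return [(offset, access_key_id, secret_or_None)] for each candidate key ID."""
    results = []
    for m in ACCESS_KEY_RE.finditer(blob):
        window = blob[m.end():m.end() + WINDOW]
        secret = SECRET_RE.search(window)
        results.append((m.start(), m.group().decode(),
                        secret.group().decode() if secret else None))
    return results

def redact(blob):
    """Replace each key ID with a same-length marker so scan logs never carry it."""
    return ACCESS_KEY_RE.sub(lambda m: b"AKIA" + b"X" * 16, blob)

# Constructed sample: the placeholder credentials from AWS documentation, laid
# out among unrelated strings the way they appear in a strings dump of a library.
SAMPLE_BLOB = (b"\x00libexample.so\x00s3.amazonaws.com\x00"
               b"AKIAIOSFODNN7EXAMPLE\x00wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
               b"AKIAIOSFODNN7EXAMPLE\x00/path/with/no/secret/after\x00")

if __name__ == "__main__":
    for offset, key_id, secret in find_aws_credentials(SAMPLE_BLOB):
        print(f"offset {offset}: key id {key_id}, secret {'found' if secret else 'not found'}")
```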


The possibility that unauthorized access and data leaks have already happened on Audible’s cloud servers cannot be excluded.

After the initial report, Trustlook actively contacted Audible to get this issue fixed. On April 22, Audible patched this vulnerability in a new release.

———

Timeline:

  • Mar 29: Vulnerability discovered
  • Apr 4: Vulnerability reported to Audible
  • Apr 17: Contact established
  • Apr 17: Audible claims a fix is in place, pending release
  • Apr 22: Fixed version released on Google Play
  • May 5: Disclosure
