A Glance at the "Anywhere Door", Another Wormhole on the 360 Browser


The 360 browser is a popular browser on both the PC and mobile platforms in the Chinese market. It is known for its security and has more than 460 million downloads in total across the 360 market, the Tencent market and Wandoujia.com combined.

24 hours ago, a new vulnerability in the 360 browser was posted on Wooyun.org [1] (a popular vulnerability disclosure platform in China). After careful analysis of the 360 safe browser (com.qihoo.expressbrowser), we found another critical vulnerability, "Anywhere Door".

Like "Wormhole" and "DimensionDoor", Anywhere Door is triggered through a customized HTTP service. We noticed that this HTTP service is not shut down even after the app is patched. To stop the service, users need to manually disable it in the system settings, or reboot the phone.

Qihoo pushed the update 6.9.9.71 beta on Nov 23 to address this bug. According to our tests, versions released before Nov 23, such as 6.9.9.70 beta, are vulnerable. If you are using the 360 browser and haven't updated it since Nov 23, please make sure to update it to 6.9.9.71 beta or newer, then restart your phone.

What can this vulnerability do?

This vulnerability could lead to remote code execution on any Android phone with the 360 browser installed. In three words: remote, silent, flexible.

For rooted phones: the attacker can do pretty much everything, such as install APKs from the Internet in the background, access emails and SMS, and monitor the camera and microphone. It is more flexible than "DimensionDoor". If the user has installed a root management tool such as SuperSU, the confirmation dialog pops up in the name of the 360 browser, which users are likely to trust.


For unrooted phones: the attacker can use the permissions already granted to the 360 browser, such as sending and reading SMS, reading the call logs, accessing the browser history, and monitoring the camera and microphone.


As of today, Nov 23, most users have not upgraded their 360 browser to the latest version. The detailed analysis and exploitation code will be released in a later blog post, after users have had a chance to protect themselves.

We made a PoC video for this vulnerability. In this demo, we triggered it remotely on a rooted phone, and replaced the genuine banking app with an arbitrary app.

http://v.qq.com/iframe/player.html?vid=i0174pddb38&tiny=0&auto=0

This blog will be updated soon with more details and exploitation simulations. Stay tuned!

Reference:
[1] http://www.wooyun.org/bugs/wooyun-2015-0155003

Please Stop Playing Dumb: A Reply to 360 Mobile Assistant's Response to the "Dimension Door" Wormhole Vulnerability

A few days ago, 360 Mobile Assistant was removed from Google Play:


This means that Google Play judged 360 Mobile Assistant to be in violation of its rules, for example because of security problems, or because of irregular behaviour such as updating or loading code outside the normal channels. It also means that, outside mainland China, Android phones essentially cannot download 360 Mobile Assistant from an official channel.

We analyzed the version that was on Google Play before the removal, together with the corresponding mainland China version, and discovered "DimensionDoor", a vulnerability whose impact is comparable to Wormhole.

The vulnerability affects 360 Mobile Assistant 3.4.70 (released Oct 15) and all earlier versions. On the day it was discovered (the evening of Nov 18, US Pacific time), the 3.5.0 beta, in which we have so far found no sign of the vulnerability, could only be downloaded from the official website. And even now (8 PM, Nov 20, US Pacific time), on some phones 360 Mobile Assistant can still only auto-update to 3.4.70. (See the video at the end of this post.)

What is the "Dimension Door" vulnerability?

    1. To implement cross-app communication, 360 Mobile Assistant starts a custom HTTP service that listens on port 38517 of the phone and accepts connections from remote IP addresses.
    2. This HTTP service accepts commands sent via HTTP GET and parses and executes them, but it does not verify the sender's identity, so it is in effect a backdoor. The two commands most likely to pose a security risk are:
      a. download a remote APK and install it automatically, with no user interaction required (the app's interface pops up)
      b. check, by package name, whether a given app is installed


  1. Function (a) checks the download domain against a whitelist, but we found that this restriction can be bypassed by using 360's own CDN domain shouji.360tpcdn.com as the download URL. Because the 360 app market (including Leidian phone search) uses this CDN as its distribution server, an attacker can first upload an app to the 360 app market, obtain its download URL, and then remotely install it on the victim's phone.
  2. Possible security threats:

    a. an attacker can disguise an arbitrary app as a popular app, an app update or other deceptive content, scan large numbers of IP addresses on the same 3G/4G network segment, and install it remotely and automatically
    b. an attacker can remotely enumerate which apps are installed on a user's phone, leaking private information.

A purely technical discussion should have ended there. Within 8 hours of discovering the problem (the evening of Nov 17, US Pacific time), we published an analysis report (https://blog.trustlook.com/2015/11/18/yet-another-wormhole-vulnerability-meet-the-dimensiondoor/) that explained the root cause of the vulnerability and included a PoC video. Trustlook is not targeting any software vendor; we simply did what a security company should do and addressed the matter on its merits.
——————————————————————————————————
Unexpectedly, the situation then changed dramatically.

Nov 19, Beijing time

The E-Security team translated the Trustlook blog post above and submitted it to Freebuf. Freebuf then published 360's official response to the analysis (http://www.freebuf.com/vuls/86222.html):

  1. The version 3.1.55 analyzed in the article is an old 2014 version of 360 Mobile Assistant; neither the current official release nor the current beta has any remote-port security risk.
  2. APK downloads in 360 Mobile Assistant pop up the Assistant's download page; this is a normal feature with UI interaction, and the user is clearly aware of the whole process. It is fundamentally different from the Wormhole vulnerability in Baidu products, which is exploited to silently install arbitrary apps without any prompt. The demo video in the article proves this as well, so the "DimensionDoor" label is inappropriate.
  3. The issue of opening arbitrary web pages mentioned in the article does not actually exist. 360 Mobile Assistant strictly restricts the URLs it opens; only pages on 360 domains can be opened. The article's guesses, based on reverse engineering, are far from the real product logic.

Our response is as follows (Freebuf published only 360's response, not Trustlook's):

    1. 3.1.55 was the first sample we handled and was mentioned in the first version of the analysis report. But it is by no means only the so-called "2014 version" that is vulnerable: 3.4.70 and every earlier version are affected. The exact number of affected users is unknown, but given download counts of 250 million on the 360 app store, 110 million on Yingyongbao (Tencent's app store) and 160 million on Wandoujia, the number of affected users in China could well reach the hundreds of millions, exceeding the Wormhole vulnerability in total.
    2. "APK downloads in 360 Mobile Assistant pop up the Assistant's download page; this is a normal feature with UI interaction, and the user is clearly aware of the whole process." For a major security vendor facing hundreds of millions of users and a factual product vulnerability, a statement like this is irresponsible. I am sure 360 knows that this HTTP server (simpleHttpServer) runs as a background service: even when the user's phone is idle, once the remote install command is executed the phone downloads and installs the app (see the video), and a user whose phone is idle will not notice the process at all. Moreover, an attacker can disguise the malicious APK as a software update or other deceptive content and have it pop up and auto-install. More interestingly, the name shown for the app in the download bar can be changed freely by the attacker.

See the demo video below:

http://static.video.qq.com/TPout.swf?vid=b0173kaeam9&auto=0

    3. The URLs the browser can open and the URLs allowed for download-and-install are both filtered; we analyzed all of that, it is not guesswork. And as our analysis already mentioned, 360's own CDN domain shouji.360tpcdn.com is on the whitelist, and every app in the 360 app market is distributed through that domain. So any app, once uploaded to the 360 app market, can be remotely installed on a phone through this vulnerability.
    4. The version of 360 Mobile Assistant on Google Play before it was removed was 2.2.012 (two separate version numbering schemes are used in China and abroad); it too is a vulnerable version, not an innocent bystander as 360 and Freebuf claim.

——————————————————————————————————

Immediately afterwards, the vulnerability demo video on Freebuf was deleted (not by the Freebuf team). Due to some form of force majeure, Freebuf also stopped publishing Trustlook's responses and replies. Next, PR pieces began to circulate with the central message that "Trustlook, a small overseas company, is trying to grab attention by rehashing old news about 360".

Trustlook has no interest whatsoever in "rehashing" 360's "old news": it is not tasty at all, we are not hungry, and we do not need your handouts. On the contrary, for 360, sitting in the "number one seat of China's security industry", to go through various channels to smear a small company like us, playing dumb while knowing better, really does not look good.

Finally, we advise users of 360 Mobile Assistant to make sure they have upgraded to version 3.5.0 or later. Your security is the ultimate goal of our small team.

Hackers don’t need root exploits

Authors: Mengmeng Li, Tianfang Guo, Jinjian Zhai


“Root as a Service”

RaaS, Root as a Service, is a phrase used to describe the methodology of malware launching a root exploit with server-side support, in which the client dynamically requests from the server the exploits specific to its hardware and OS version. This implementation gives the exploits more confidentiality and more flexibility to upgrade.

In recent months, an increasing number of RaaS malware families have been observed, such as "GhostPush" and "Kemoge". This malware is capable of downloading root exploits from its command and control server and rooting the victim's phone. It then takes advantage of the root privilege to install third-party apps and to remove antivirus apps, so that it cannot be uninstalled.

[Figure: RaaS, the attack procedure]

Using similar root exploits, root tools (PC- or Android-based), on the other hand, have become a necessity for Android users who want total control of their phones. Driven by user demand, even the largest players in the industry have published their own root tools, designed to be as easy to use as one-click ordering. Those vendors have certainly considered the safety of their root exploits and have used protection mechanisms such as anti-debugging and data encryption to protect their exploit binaries.

At the ACM CCS conference, researchers from the University of California, Riverside published a paper, "Android Root and its Providers: A Double-Edged Sword", analyzing popular root tools. According to the paper, most of the exploits from rooting tools can be extracted and reverse engineered. Those tools are double-edged swords: once the exploits are leaked, no one can guarantee they will not be used for evil purposes.

After reading this paper, we decided to further explore a possibility: with the root vendors exposing their backend APIs, is it doable to forge the client side requests, abuse the vendors’ service, and root someone’s phone in the background (say, make a “root SDK” that can be integrated into malwares) without preparing a single root exploit?

Case study

We started with a popular root tool A. Because this tool has utilized strong code obfuscation, we did our analysis by dynamic execution in our sandbox, and analyzed the events after the large “Root” button was clicked.

Its RaaS implementation is quite clear:

  • Upload the user's device info to the server, such as phone type, OS build info, and kernel version.
  • The server responds with a JSON document containing the download link of a "root solution", usually a native library.
  • The app then downloads the library file, loads it, and lets the root exploit do its job.
  • Remove all the downloaded config files and exploits.

Initial request to the root server with the device info:

[Figure: initial request to the root server]

The returned JSON file is encrypted by the AES algorithm. However, the decryption algorithm and key are all implemented locally. It cannot hide from our dynamic analysis:

[Figure: local AES decryption routine and key observed during dynamic analysis]

The decrypted JSON looks like this:

[Figure: decrypted JSON response containing the download link of the "root solution"]

Using the download link from the JSON file, the real exploit will be downloaded and renamed with an unpredictable number, and stored in the app’s private folder.

[Figure: downloaded exploit library, renamed with a random number, in the app's private folder]

The last step is to load the library and trigger the exploit:

[Figure: loading the library and triggering the exploit]

The exploit library file has been modified with some anti-debugging measures, such as corrupting its section header table and adding overlapping instructions. However, those measures only make static and dynamic analysis harder; they do not affect loading and execution. We can launch the exploit by loading this library, calling its entry function and rooting the target phone.
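The section header table corruption described above is something an analyst can detect mechanically before handing a binary to a disassembler. The following Python is an added example, not code from the original post or from either root tool: it validates the Elf64 section header table fields against the file size, applies the minimal repair of detaching the table, and runs on a constructed ELF64 image (header and section headers only, no code).

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SHT_NOBITS = 8                              # .bss-style sections occupy no file bytes


def check_section_table(data):
    """Return a list of problems with the section header table; [] means it looks sane."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        return ["not an ELF file"]
    if data[4] != 2 or data[5] != 1:
        return ["only little-endian ELF64 is handled by this check"]
    fields = EHDR.unpack_from(data)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = fields[6], fields[11], fields[12], fields[13]
    if e_shoff == 0 and e_shnum == 0:
        return ["section header table absent (stripped)"]
    if e_shentsize != SHDR.size:
        return ["e_shentsize %d != %d" % (e_shentsize, SHDR.size)]
    table_end = e_shoff + e_shnum * e_shentsize
    if e_shoff >= len(data) or table_end > len(data):
        return ["section header table 0x%x-0x%x lies outside the %d-byte file"
                % (e_shoff, table_end, len(data))]
    problems = []
    if e_shstrndx >= e_shnum:
        problems.append("e_shstrndx %d >= e_shnum %d" % (e_shstrndx, e_shnum))
    for i in range(e_shnum):
        sh = SHDR.unpack_from(data, e_shoff + i * SHDR.size)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            problems.append("section %d (0x%x+0x%x) extends past end of file" % (i, sh_offset, sh_size))
    return problems


def detach_section_table(data):
    """Minimal repair: zero e_shoff/e_shentsize/e_shnum/e_shstrndx so analysis tools treat the
    file as section-less. The dynamic loader uses only program headers, so execution is unaffected."""
    buf = bytearray(data)
    struct.pack_into("<Q", buf, 40, 0)           # e_shoff
    struct.pack_into("<HHH", buf, 58, 0, 0, 0)   # e_shentsize, e_shnum, e_shstrndx
    return bytes(buf)


def build_sample(e_shoff, e_shstrndx, sections):
    """Constructed ELF64 image (header + section headers, no code) for this example."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9        # ELFCLASS64, little-endian, version 1
    hdr = EHDR.pack(ident, 3, 0xB7, 1, 0, 0, e_shoff, 0, EHDR.size, 0, 0,
                    SHDR.size, len(sections), e_shstrndx)  # ET_DYN, EM_AARCH64
    shdrs = b"".join(SHDR.pack(0, t, 0, 0, off, size, 0, 0, 1, 0) for t, off, size in sections)
    return hdr + shdrs


SECTIONS = [(0, 0, 0), (1, 0, 64), (3, 0, 16)]     # SHT_NULL, SHT_PROGBITS, SHT_STRTAB
SANE = build_sample(EHDR.size, 2, SECTIONS)         # table placed right after the header
CORRUPT = build_sample(0x100000, 2, SECTIONS)       # e_shoff points far outside the file

if __name__ == "__main__":
    for name, img in (("sane", SANE), ("corrupt", CORRUPT), ("repaired", detach_section_table(CORRUPT))):
        print(name, check_section_table(img) or "ok")
```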

[Figure: the corrupted ELF section header table prevents static analysis but can easily be repaired]

Another rooting tool, B, uses a similar architecture to A, and also proved vulnerable to forged requests. The configuration file it downloads from the server is not encrypted:

[Figure: unencrypted configuration file downloaded by tool B from its server]

The jar file in the figure (…1111.jar) is an archive containing several rooting tools, shown in the figure below:

[Figure: contents of the …1111.jar archive]

Root tool B drops the corresponding root exploit and the related tools in a directory named by a three-digit number. It is possible for an attacker to enumerate all possible device info combinations and collect every exploit that vendor serves.

The dropped exploit is not protected and can be decompiled easily. We learned the way it works, how it exploits the Android system, and the corresponding CVE or non-CVE vulnerabilities involved. More detailed analysis will be included in a later blog post.

Conclusion

The root tool is a double-edged sword. Although the vendors have tried their best to prevent their exploits from being abused, the nature of RaaS makes it difficult to detect whether a client request is forged, and the vendors cannot prevent their exploits from being reused by someone else. As long as their "root service" is enabled, the possibility that their backend is abused by hackers exists.

We have more research on rooting tools coming up. Stay tuned!

How apps track your location without asking for permission


It's common sense for Android users to check the permission list before installing an app. If the app asks for access to SMS, your contacts list or your location, you know it may disclose private information. What if a game app only asked for the wifi_status permission? You might install it without a second thought, and unknowingly enable third parties to track your location!

The Android LocationManager was considered to be the only way to acquire the location data, and required a user’s approval on the ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. However, researchers at the Technical University of Denmark have discovered a covert channel to locate and track a user without permission by using the latent location signal disclosed by wifi scanning.

Android exposes wifi status data to developers. The only permission needed is ACCESS_WIFI_STATE, which is common and considered low risk (compared with the privacy-sensitive ACCESS_COARSE_LOCATION). The information accessible to an Android developer with that permission includes:

  • Scanned SSID list
  • Scanned BSSID list
  • Signal strength for the scanned list
  • IP address of the connected AP

Note that these metrics are accessible even with the system wifi and location settings disabled! The code can be found here.

A phone can be easily tracked with the BSSID and signal strength data.

What is BSSID?

BSSID is short for basic service set identifier, which is the "MAC address" of the wireless access point [2]. It is formed by combining the manufacturer's 24-bit Organizationally Unique Identifier (OUI) with a 24-bit identifier assigned by the manufacturer. In short, the BSSID is a unique fingerprint of a wifi access point, unlike the SSID, which is human readable and can be duplicated.

If we can acquire a list of nearby BSSIDs, and we know the locations of those wifi access points (APs), we can locate the user within a small area, since most wifi APs are stationary and cannot broadcast further than 100 m (research shows only 5% of them are mobile APs such as personal devices). Also, by using the real-time signal strength data, we can estimate the user's track of movement.
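To make the privacy exposure concrete, the following Python is an added example, not code from the original post or from the cited paper: it takes a constructed scan result of the kind ACCESS_WIFI_STATE exposes (BSSID plus signal strength) and a constructed table of known access-point locations standing in for a lookup service such as wigle.net, and computes an RSSI-weighted centroid, the simplest form of the localization described above. The path-loss exponent and all coordinates are assumptions.

```python
import math

# Constructed AP location table, standing in for a lookup service such as wigle.net:
# BSSID -> (latitude, longitude). All values are made up for this example.
KNOWN_APS = {
    "00:11:22:33:44:01": (37.77490, -122.41940),
    "00:11:22:33:44:02": (37.77520, -122.41880),
    "00:11:22:33:44:03": (37.77450, -122.42000),
}

# Constructed scan result in the shape an app gets from WifiManager.getScanResults()
# with only ACCESS_WIFI_STATE: (BSSID, RSSI in dBm). The last entry is an unknown AP,
# e.g. a personal hotspot, which the lookup simply ignores.
SCAN = [
    ("00:11:22:33:44:01", -45),
    ("00:11:22:33:44:02", -60),
    ("00:11:22:33:44:03", -75),
    ("AA:BB:CC:DD:EE:FF", -40),
]


def rssi_weight(rssi_dbm, path_loss_exponent=2.0):
    """Log-distance path-loss model: received power scales as 1/d^n, so 10^(rssi/(10 n))
    is proportional to 1/d and gives closer (stronger) access points more weight."""
    return 10 ** (rssi_dbm / (10.0 * path_loss_exponent))


def estimate_position(scan, ap_db):
    """RSSI-weighted centroid of the APs with known locations.
    Returns (lat, lon, matched_count), or None if no BSSID in the scan is known."""
    lat_sum = lon_sum = weight_sum = 0.0
    matched = 0
    for bssid, rssi in scan:
        loc = ap_db.get(bssid.lower())
        if loc is None:
            continue                      # AP not in the database: contributes nothing
        w = rssi_weight(rssi)
        lat_sum += w * loc[0]
        lon_sum += w * loc[1]
        weight_sum += w
        matched += 1
    if matched == 0:
        return None
    return lat_sum / weight_sum, lon_sum / weight_sum, matched


def distance_m(a, b):
    """Haversine great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    lat1, lat2 = math.radians(a[0]), math.radians(b[0])
    dlat, dlon = lat2 - lat1, math.radians(b[1] - a[1])
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def exposure_report(scan, ap_db):
    """Privacy-audit view: how many scanned BSSIDs resolve, and how tightly they fix the user
    (radius = distance from the estimate to the farthest resolved AP)."""
    est = estimate_position(scan, ap_db)
    if est is None:
        return {"resolved": 0, "scanned": len(scan), "fix_radius_m": None}
    radius = max(distance_m(est[:2], ap_db[b.lower()]) for b, _ in scan if b.lower() in ap_db)
    return {"resolved": est[2], "scanned": len(scan), "fix_radius_m": round(radius, 1)}


if __name__ == "__main__":
    print(estimate_position(SCAN, KNOWN_APS))
    print(exposure_report(SCAN, KNOWN_APS))
```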

Next question: how many BSSIDs have known locations? Many, if not most, are available through a variety of services via API queries. The website wigle.net claims to have location data for 195,741,189 wifi hotspots:


Living in the civilized world, could you escape such a web?

In the original paper, "Tracking Human Mobility using WiFi signals" [1], the authors highlight an example of following a user's movements between home, two offices and a market, using the data from only 8 wifi access points:


They also published a PoC app, "WiFi Watchdog", on Google Play. I tried it, and it was surprisingly accurate even though the app was granted no location permissions!


The same method also applies to iOS, which has stronger protection of user location data. Nonetheless, iOS still allows an app to read the BSSID of the currently connected wifi network.


A user can deny location requests on an iOS device at will. However, an app using the wifi BSSID can still obtain the user's static location without asking.

Our research team is working on coverage of this covert channel privacy violation. Stay tuned for our update!

Reference:

[1] http://arxiv.org/pdf/1505.06311v1.pdf

[2] http://en.wikipedia.org/wiki/Service_set_(802.11_network)#Basic_service_set_identification_.28BSSID.29

Visual Identity Change Announcement

Dear Customers,

We are delighted to announce this month's launch of Trustlook's new Visual Identity Program, marking the next stage of our corporate growth. The Visual Identity program will focus on providing a higher level of integration of our vision, product and company culture. It will serve to unify and promote Trustlook's distinct brand in the mobile security industry as well as present an image of trust and reliability to customers worldwide. The new identity includes fresh designs for the company logo, app icon, customer website (my.trustlook.com) and official website (www.trustlook.com). The implementation of these visual identity changes will be phased in during the month of May and will be in full effect by June 1st, 2015.


  • Company Logo

  1. The new Trustlook logo design is simple, yet bold. It abandons the previously used "shield" figure and uses a modern red color with a refreshing shape to represent the magnitude of the Trustlook brand.
  2. The spiral figure mimics the sharp “lightning” shape that represents the app’s ease of use and our quick response to 0 day malware – we are the only mobile security vendor that provides real-time malware detection.
  3. The spiral figure also mimics the image of DNA. It brings a fresh and unique feeling, which represents Trustlook as new blood in the mobile security industry.
  4. The new spiral logo also relates to the trilateral effort required to meet the three qualifications of trust: ability, integrity and benevolence, as well as the 360-degree approach we embrace as a company.
  5. * The interim app icon is used temporarily and will be replaced by the new icon after we release our latest version.

  • App Icon

  1. Consistent with Trustlook's brand image, the new app icon design is based on the new company logo, placed to visually balance composition and size. It is vivid and easily recognized in the Google Play store as well as on mobile device screens.
  2. The outer circle of the icon, evocative of a scanning process gauge, highlights our app’s main feature – Scanning Malware for Detection on your devices.
  3. The color blue expresses a feeling of trust, reliability, safety, stabilization, and peace. The icon is also a symbol of these promises and just one of many exciting new developments to come.


  • Customer Website & Official Website

Based on the new company logo, we have redesigned the firm's websites, www.trustlook.com and my.trustlook.com. Customers seeking Trustlook Antivirus & Mobile Security for their security needs, and business partners who want to find out more about our organization, will continue to find our technology platform, news and blogs there. The same values and messages we share as a new, innovative company are now presented in a crisp, clear and elegant format. Listening carefully to your input has helped us make my.trustlook.com a more organized and informative interface, helping customers manage their mobile devices online better and more easily.

This new VI program marks a new era in Trustlook's evolution. It gives us the opportunity to remind our users, partners and investors of the value and impact of our mission: to become "your mobile security guardian for a Zero Day World". We believe the new brand design will strengthen our unique identity around the world.

Let us know what you think!

Best regards,

Trustlook Team

Privacy Defense Battle from Google Play Apps


Author: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, more than 400 apps have been detected as containing potentially risky behaviors that compromise a user's privacy. The Trustlook Mobile Security & Antivirus database includes this latest list for your protection. The detailed analysis will appear in a separate blog post to be released. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps exhibit risky behavior: sending sensitive information, including phone numbers, contacts, SMS, the photo gallery and geolocation, without the user's specific knowledge. Once the apps' vendors have collected this data, it could be used for ad-network identification or sold to other firms. [1]

Are they malware?

Not exactly, as most of them are not built for malicious purposes per se. Yet they do exploit a corner case of Google Play's policy (the GP developer policy). Furthermore, some of the apps have a user base of more than 10M, which creates a privacy risk greater than that of most viruses.

What can you do to protect your phone?

When you open one of the apps on the list, you should be aware that some of your personal information may be collected. Try to find an alternative app, or do not open them unless absolutely necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system that efficiently mines data and collects APKs from various app markets in multiple countries. Once collected, apps are analyzed by a behavioral analysis engine to expose the questionable behavior.

Unlike most antivirus software, Trustlook does not only analyze the apps statically, but runs them in a native environment to best monitor their dynamic behavior. A detailed analysis is generated with the highlighted behavior and the potential security risks of each use case.

In this sample, the contact list is captured by the app, and sent to a remote server:

[Figure: the contact list captured by the app and sent to a remote server]

What's more, Trustlook's analytics platform implements cutting-edge "taint analysis", which tracks all sensitive data flows in memory and detects the risky behavior as soon as the sensitive data appears in outbound traffic. Such techniques can detect new malware and 0-day attacks as soon as possible, protecting Trustlook users' privacy in a timely manner.

The next risky apps report will be released soon, so stay tuned!

Reference
[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html

Trustlook Antivirus & Mobile Security Ranked Top In AV-TEST With Best Score

Achieving 99.9% Malware Detection Rate, Zero False Alerts and Usability & Protection Score of 6.0/6.0 in March 2015 Benchmark Testing


Trustlook earned a top score in AV-TEST benchmark testing in March 2015 with its popular Android security application Trustlook Antivirus & Mobile Security (http://bit.ly/1xeqTz2). After analyzing a comprehensive set of 3077 malicious apps and 2784 legitimate apps and software, Trustlook joined the winners' circle again with a 99.9% detection rate, zero false alerts and full marks of 6.0/6.0 in all categories.

AV-TEST benchmark testing continues to demonstrate the need for mobile security on smartphones, evaluating products for protection, performance and usability. Trustlook Antivirus & Mobile Security demonstrated the strength of its malware detection engine with full scores in all categories, without impacting the performance of the mobile device or its battery.

"Accurate, real time malware detection is key to protecting every mobile device user," commented Allan Zhang, Trustlook CEO. "We make every effort to discover potential risks in phones as well as improve the user's experience. Thanks to our automated malware analysis platform, Trustlook quickly delivers more accurate and comprehensive app analysis reports."

Trustlook provides a quick security response to data breaches and malware exploits through comprehensive behavioral analysis, closing the vulnerability gap between the time of malware detection and the time a device is compromised. Recently, Trustlook recognized the "Fake Amazon Giftcard" malware in 2 minutes, while 81% of antivirus programs missed it even after 24 hours.

About AV-TEST

AV-TEST GmbH is an independent supplier of services in the fields of IT security and antivirus research, focusing on the detection and analysis of the latest malicious software and its use in comprehensive comparative testing of security products. Please visit http://www.av-test.org/