Budget Android devices have been found harboring another security risk, this time an Android backdoor that could allow an attacker to gain root access.

Researchers at AnubisNetworks said the flaw, located in the firmware from Chinese company Ragentek Group, could affect as many as three million devices and allow for man-in-the-middle attacks. Although the issue affects a similar set of low-cost hardware, including smartphones from BLU, and the vulnerability is related to the over-the-air (OTA) update mechanism in firmware built by a Chinese company, AnubisNetworks said this Android backdoor is unrelated to the spyware found last week. According to AnubisNetworks, this flaw "appears to be an insecure implementation of an OTA mechanism for device updates associated to the software company, Ragentek Group, in China."

"All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol," researchers wrote in a blog post. "One of these commands allows for the execution of system commands. This issue affected devices out of the box."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity the Android backdoor should not be underestimated.

"Considering that a man-in-the-middle attack could potentially alter the firmware of an Android device, potentially enabling him to gain unfettered root access, this is a pretty bad hiccup," Arsene said. "Not relying on code-signing to authenticate legitimate apps, not encrypting over-the-air communication, and hardcoding unregistered domains are a full recipe for security failure."

AnubisNetworks said it "observed over 2.8 million distinct devices, across roughly 55 reported device models" but there could be more smartphone models affected. One device, the BLU Studio G, could be purchased in retail stores in the U.S., but most other vulnerable devices came from manufacturers targeting developing regions outside of the U.S.

Arsene said recent events should make enterprises that are considering budget devices weigh the security implications.

"While most enterprises usually opt for mid-range or high-end devices for employees, recent findings regarding budget phones should probably have companies on their toes," Arsene said. "Not because they could also be using some of these devices, but because of the nature of the vulnerability and the lack of control when it comes to fully managing Android devices. In light of recent events regarding budget phones, it seems that users worried about security should probably think twice when going for really low budget devices."


SearchSecurity: Security Wire Daily News


If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.


A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.

This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.

Among these mobile devices are also some BLU smartphones.

The origin of the vulnerability (CVE-2016-6564)

Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.

This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.

For one, the update requests and supplied updates are sent over an unencrypted channel. Secondly, until a few days ago, two Internet domains that the firmware is instructed to contact for updates (the addresses are hardwired into it) were unregistered – meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.

Luckily, it was researchers from Anubis Networks who did so, and the move allowed them to count over 2.8 million devices that contacted the domains in search of updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.

But even though the domains are now in the researchers' hands, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and exchange them for malicious ones (the firmware does not check for any signatures to assure the updates' legitimacy).

MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.

Is this a deliberate backdoor/rootkit?

It does seem so. According to the researchers, the binary that performs OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, but its presence and the process it starts are being actively hidden by the firmware.

“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” the researchers noted.

But they told Ars Technica that they believe the backdoor capabilities were unintentional, and Ragentek has yet to comment on the discovery.

How to protect yourself?

If you’re using one of the affected devices, the right solution is to install the update with the fix, when it becomes available. But make sure to download the update only over trusted networks and/or use a VPN to encrypt and protect the traffic from tampering. Note that a VPN only moves the exposure: the hop from the VPN exit to the update server is still unencrypted and unauthenticated.

So far, only BLU has released such an update, but the fix has not yet been verified.

A workaround that should keep you safe until a security update arrives is to use your device only on trusted networks (e.g. your home network, as opposed to open or public Wi-Fi).

Help Net Security

Fortinet researcher Kai Lu warns of a fake email app that is capable of stealing login credentials from 15 different mobile banking apps for German banks.


“Once this malicious app is installed and device administrator rights are granted, when the user first launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to get the payload. The C2 server then responds with a fake customized login webpage, and the malicious app displays this fake customized login screen overlay on top of the legitimate banking app to collect entered banking credentials,” he explains.

“There is a different customized login screen for each bank targeted by this malware.”

The malware hides the icon from the launcher once the malware is up and running, and victims might be tricked into believing that they have somehow failed to install the app.

But, in the background, the malware tries to prevent some 30 different anti-virus mobile apps from launching, collects information about the device (as well as the “installed app” list) and sends it to the C&C server, and waits for further instructions.

It can be made to intercept incoming SMS messages, send out mass text messages, update the targeted app list, set a new password for the device, and more.

At the moment, it does not pop overlays to steal credit card info (e.g. when the Google Play or PayPal app is started), but that can soon change.

The researcher says that to remove the app, victims must first disable the malware’s device administrator rights in Settings > Security > Device administrators > Device Admin > Deactivate, then uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’. Tech-unsavvy users might want to ask for help with that last step from friends and family who know how to do that.

Lu also recently analyzed another piece of malware that masquerades as an unnamed German mobile banking app. This one also targets five banks in Austria, as well as Google Play (asks users to input credit card info when they start the app).

This particular malware also comes in the form of a fake Flash Player app, and is after credit card info of users of several popular social media apps (Instagram, Skype, WhatsApp, Facebook, etc.).

Help Net Security

The insecure implementation of the OTA (Over-the-air) update mechanism used by numerous Android phone models exposes nearly 3 million phones to Man-in-the-Middle (MitM) attacks and allows adversaries to execute arbitrary commands with root privileges.

The vulnerable OTA update mechanism is associated with Chinese software company Ragentek Group, which didn’t use an encrypted channel for transactions from the binary to the third-party endpoint. According to security researchers at AnubisNetworks, this bug not only exposes user-specific information to attackers, but also creates a rootkit, allowing an adversary to issue commands that could be executed on affected systems.

The code from Ragentek contains a privileged binary for OTA update checks as well as multiple techniques to hide its execution. Located at /system/bin/debugs, the binary runs with root privileges and communicates over unencrypted channels with three hosts. Responses from the remote server include functionalities to execute arbitrary commands as root, install apps, or update configurations.

The issue, tracked as CVE-2016-6564, is that a remote, unauthenticated attacker capable of performing a MitM attack could replace the server responses with their own and execute arbitrary commands as root on the affected devices.
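The two halves of the problem (no transport protection, and no signature on the response the device acts on) are easiest to see side by side. The Go program below is an added example serving both the Help Net Security description of the flawed mechanism above and the summary here; it is not Ragentek's code or AnubisNetworks' tooling. The `Response` wire format, the command names and the fixed demo key seed are assumptions made for illustration. The insecure path acts on whatever the endpoint returns, which is also whatever a MitM or whoever registers the hard-coded domain returns. The hardened path pins a vendor Ed25519 public key, verifies the signature over every field it acts on, rejects replayed sequence numbers, and refuses commands outside the update policy, so a hijacked domain or a MitM position yields nothing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Response models one reply from an OTA endpoint. The fields and their
// encoding are an assumption for this example, not Ragentek's real protocol.
type Response struct {
	Seq     uint64 // monotonically increasing, stops replay of old replies
	Command string // "exec", "install" or "config"
	Arg     string
	Sig     []byte // Ed25519 signature over canonical(); empty in the flawed protocol
}

// canonical is the exact byte string that is signed: every field the device
// acts on, so a MitM cannot swap one out without invalidating the signature.
func canonical(r Response) []byte {
	return []byte(fmt.Sprintf("%d\x00%s\x00%s", r.Seq, r.Command, r.Arg))
}

// dispatch returns the root command line the device would run for a response.
// It returns the string instead of executing it so the example is safe to run.
func dispatch(r Response) (string, error) {
	switch r.Command {
	case "exec":
		return "sh -c '" + r.Arg + "'", nil
	case "install":
		return "pm install " + r.Arg, nil
	case "config":
		return "setprop " + r.Arg, nil
	}
	return "", errors.New("unknown command " + r.Command)
}

// applyInsecure mirrors the flaw described on the page: whatever arrives over
// the unencrypted channel is acted on as root, no questions asked.
func applyInsecure(r Response) (string, error) { return dispatch(r) }

// Verifier holds the pinned vendor public key and the last accepted sequence
// number. Pinning the key means ownership of the update domain buys nothing.
type Verifier struct {
	Pub     ed25519.PublicKey
	LastSeq uint64
}

// allowed is the OTA policy: an update agent may install packages and set
// configuration, but never run arbitrary shell commands, signed or not.
var allowed = map[string]bool{"install": true, "config": true}

func (v *Verifier) applySigned(r Response) (string, error) {
	if len(r.Sig) != ed25519.SignatureSize || !ed25519.Verify(v.Pub, canonical(r), r.Sig) {
		return "", errors.New("rejected: bad or missing signature")
	}
	if r.Seq <= v.LastSeq {
		return "", errors.New("rejected: replayed or stale sequence number")
	}
	if !allowed[r.Command] {
		return "", errors.New("rejected: command outside OTA policy: " + r.Command)
	}
	v.LastSeq = r.Seq
	return dispatch(r)
}

// demoKeys derives a fixed vendor key pair from a constant seed so the example
// is reproducible; a real vendor key lives in an HSM, not in source.
func demoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

// signResponse is the vendor side: sign the canonical form of a response.
func signResponse(priv ed25519.PrivateKey, r Response) Response {
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r
}

func main() {
	priv, pub := demoKeys()
	v := &Verifier{Pub: pub}
	mitm := Response{Seq: 99, Command: "exec", Arg: "id > /sdcard/pwned"}
	fmt.Println(applyInsecure(mitm)) // flawed agent runs the attacker's command as root
	fmt.Println(v.applySigned(mitm)) // hardened agent: bad or missing signature
	good := signResponse(priv, Response{Seq: 1, Command: "install", Arg: "/cache/update.apk"})
	fmt.Println(v.applySigned(good)) // genuine signed update is applied
	fmt.Println(v.applySigned(good)) // the same reply captured and replayed is refused
}
```

Signing the response does not replace TLS (the page notes that user data is exposed in transit as well); it is the check that makes a spoofed or replayed update useless even when the transport or the domain is compromised. Keeping "exec" out of the policy matters independently of the crypto: a signed update mechanism that can still run arbitrary shell commands is one leaked vendor key away from being the backdoor it was meant to prevent.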

Similar to the issue found in Android devices running firmware coming from Shanghai ADUPS Technology Co. Ltd., the bug in Ragentek’s Android OTA update mechanism is included out of the box. The two issues aren’t related, but they are similar to a certain point, as both allow for code execution on smartphones. The ADUPS firmware was found to siphon user and device information in addition to allowing the remote installation of apps.

The CERT advisory associated with this vulnerability reveals that multiple smartphones from BLU Products are affected, along with over a dozen devices from other vendors, namely Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. BLU is said to have already issued a software update to resolve the issue, but the remaining devices might still be affected.

While analyzing the bug, AnubisNetworks discovered that the unencrypted data transmission starts soon after starting the first-use setup process, and that the inspected device, a BLU Studio G, attempted to contact three pre-configured domains. Two of them were unregistered and the researchers acquired them, which provided them with visibility into the population of affected devices.

This also provided security researchers with the ability to check the type of commands that are supported in the vulnerable setup. One of the interesting findings was that an explicit check was created to mask the fact that “/system/bin/debugsrun” and “/system/bin/debugs” were running. Their presence would be hidden or skipped in the user output, the researchers also say.

Deeper analysis revealed that the Java framework too had been modified to hide references to this process. The researchers found a modified next() method in the core java.util.Scanner class that excludes references to the aforementioned binary names, and say that the nextInt() method was modified to always return a PID of 10008 for those processes. What’s more, the local SQLite database in which the binary logged events and stored system and user information, and from which it fetched data, was located at /system/bin/unint8int, the researchers reveal.
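A rootkit that filters the framework’s view of the process table leaves the kernel’s view intact, which is what makes the hiding detectable: compare the two and report the differences. The Go program below is an added example, not the researchers’ own tooling, covering both this paragraph and the Help Net Security description of the hidden debugs process above. It runs the cross-view check over two constructed listings: the /proc view a privileged native reader sees, and the framework view after a tampered java.util.Scanner has dropped the debugs and debugsrun entries. The sample PIDs and process names are made up for the example; only the binary names and the 10008 PID come from the page.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Process is one row of a process listing: PID and command name.
type Process struct {
	Pid  int
	Name string
}

// sampleProc is a constructed kernel view, as a native reader of
// /proc/<pid>/comm would see it. Only debugs/debugsrun and 10008 are from the page.
const sampleProc = `1 init
212 adbd
1530 com.android.phone
10008 debugsrun
10009 debugs`

// sampleFramework is the constructed framework view of the same moment: the
// tampered Scanner has dropped every line that mentions the hidden binaries.
const sampleFramework = `1 init
212 adbd
1530 com.android.phone`

// parseListing reads "<pid> <name>" lines. A malformed line is an error rather
// than silently skipped, because a filtered or mangled listing is the signal here.
func parseListing(text string) ([]Process, error) {
	var out []Process
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			return nil, fmt.Errorf("line %d: expected \"<pid> <name>\", got %q", i+1, line)
		}
		pid, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad pid %q", i+1, f[0])
		}
		out = append(out, Process{Pid: pid, Name: strings.Join(f[1:], " ")})
	}
	return out, nil
}

// crossView reports every way the framework view disagrees with the kernel
// view: PIDs the kernel knows but the framework hides, PIDs the framework
// reports more than once (a rewritten nextInt()), and PIDs the framework
// reports that do not exist at all. Findings come back sorted.
func crossView(kernel, framework []Process) []string {
	kernelByPid := map[int]Process{}
	for _, p := range kernel {
		kernelByPid[p.Pid] = p
	}
	fwCount := map[int]int{}
	for _, p := range framework {
		fwCount[p.Pid]++
	}
	var findings []string
	for _, p := range kernel {
		if fwCount[p.Pid] == 0 {
			findings = append(findings, fmt.Sprintf("pid %d (%s) present in /proc but hidden from framework listing", p.Pid, p.Name))
		}
	}
	for pid, n := range fwCount {
		if n > 1 {
			findings = append(findings, fmt.Sprintf("pid %d reported %d times by framework: pid values are being rewritten", pid, n))
		}
		if _, ok := kernelByPid[pid]; !ok {
			findings = append(findings, fmt.Sprintf("pid %d reported by framework does not exist in /proc", pid))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	kernel, err := parseListing(sampleProc)
	if err != nil {
		panic(err)
	}
	framework, err := parseListing(sampleFramework)
	if err != nil {
		panic(err)
	}
	for _, f := range crossView(kernel, framework) {
		fmt.Println(f)
	}
}
```

On a real device the kernel view must come from a native binary enumerating /proc/<pid>/comm directly, not from anything that passes through the modified framework classes, or both views are filtered by the same hook. The duplicate-PID check catches the second trick described above, where nextInt() reports the same PID for every hidden process.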

Although the researchers have no explanation on why the author of the process attempted to purposely hide the presence of both the process and local database on the device, they do say that the attempt wasn’t a comprehensive one.

Overall, over 2.8 million distinct devices, across around 55 reported device models, were observed connecting to the researchers’ sinkholes. Interestingly enough, some of the provided device models couldn’t be linked to real world devices, and the security researchers included all of them in an “Others” category.


Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

Android spyware that secretly collects user data was found preinstalled on a budget smartphone sold through various retailers. Although the company responsible claimed it was standard data collection, one expert said the software went overboard.

Researchers at Kryptowire, a mobile security firm jumpstarted by the Defense Advanced Research Projects Agency and the Department of Homeland Security, based in Fairfax, Va., said they first came across the mobile spyware on a $59 BLU R1 HD smartphone bought from Amazon. The Android spyware "collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent" under the guise of offering better spam filtering.

"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. The firmware could target specific users and text messages matching remotely defined keywords," Kryptowire wrote in a blog post. "The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity there are less invasive ways to provide spam filtering.

"Filtering out spam messages and calls is a nice to have feature, but there are other technical approaches towards doing it besides forwarding full text messages and contact details, infringing on users privacy," Arsene said. "That's why metadata and message fingerprinting technologies exist, so that users' personal data is never sent as-it-is, protecting their privacy."

The company behind this firmware and to whom the user data was sent was Shanghai ADUPS Technology Co. Ltd., commonly known as ADUPS, which provides professional firmware over-the-air (FOTA) update services for smartphones. According to the ADUPS website, the company has 700 million active users worldwide.

ADUPS said BLU objected to the Android spyware collecting data without user consent in June 2016 and "ADUPS took immediate measures to disable that functionality on BLU phones." There was no comment on the use of this firmware on other Android devices, but ADUPS assured customers that "no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a BLU phone during that short period was deleted."

Arsene said the speed of the fix was commendable.

"From a technical perspective, declaring to have disabled the feature and removed all collected data in such a short time is commendable," Arsene said. "This means they knew what the problem was and how to quickly fix it."

ADUPS said in a statement that it takes "user privacy very seriously" and claimed the software in question was designed to help eliminate spam.

"In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution for ADUPS FOTA application," ADUPS wrote in a blog post. "The customized version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience. ADUPS FOTA application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."

Arsene said data collection in general is not uncommon and can help to accurately deliver updates to specific devices in case security issues arise.

"However, users should always be notified when such information is being collected, as some might want to opt out and dismiss such features," Arsene said. "It's mandatory for any software provider to inform its customers in regards to what type of information they're collecting -- whether for marketing, commercial or for offering various functionalities. The fact that such a disclaimer was missing is a big deal as it borders [on] espionage malware practices."


SearchSecurity: Security Wire Daily News

Acting on a piece of malware provided by a victim, researchers discovered a new type of Android spyware capable of recording audio and video, turning GPS on or off, and stealing or modifying data on the phone.

While the researchers at first believed the malware originated from the notorious Italian surveillance software vendor Hacking Team, the source of the new Android spyware software may be another Italian company that provides spyware to government agencies.

"There really isn't much going on outside of the run-of-the-mill, boring, commercial spyware junk," according to researchers at the Oakland, Calif. based security firm Red Naga, LLC. They found the suspicious software appeared to be "an app requesting almost every permission possible, claims to be an Android update, and purports to have something to do with Vodaphone APNs [access point names]."

Red Naga's researcher Tim Strazzere wrote he suspected Hacking Team was the source for the spyware, citing two IP addresses that had previously been linked to Hacking Team as well as the use of Italian language in the malware code. However, Motherboard reported the source was more likely Raxir srl, a Naples, Italy-based intelligence software startup, in large part because "Raxir" is listed as the organization linked to the certificate.

Red Naga wrote the Android spyware "has the normal abilities of most spyware," including code to automatically remove itself from the launcher after it runs once, persistence on the victim device, ability to go silent when the victim uses the device, surreptitiously record audio and video and execute further exploits downloaded through the command and control network. The spyware also turns on virtually all permissions, giving the attacker access to call logs, contacts, network connections, messaging and more.

While the Red Naga researchers were provided the malware sample by a targeted victim employed by an unnamed government, who asked to remain anonymous, they did find evidence that the Android spyware software has been used elsewhere. "While we cannot release these files due to an agreement with our contact and an ongoing criminal investigation, we have been able to find several similar files in the wild through other public feeds which closely resemble the sample we were provided. The functionality hardly changes between versions and the obfuscation is the same. Since these other samples are already publicly available, we feel comfortable talking about this threat."

Hacking Team last year suffered a major data breach in which attackers released a 400 GB trove of data that included internal documents, source code and zero-day vulnerabilities that the company used to spread its surveillance software. The breach shed light on how government agencies from numerous countries, including the United States, had purchased spyware and digital surveillance tools from Hacking Team. 


SearchSecurity: Security Wire Daily News

A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Researcher Tim Strazzere, with help of his colleagues, analyzed the sample received practically directly from the target (who wished to remain anonymous), and discovered that the spyware:

  • Asks for practically every permission
  • Can hide itself from the launcher, ensure persistence, mute all audio on the device, turn the GPS on and off, take screenshots or record what can be seen on the screen, record video and audio, reply to or forward messages, lay low while the user is using the device, execute code, exfiltrate data, and so on.
  • Likely masquerades as an update for a Google service, as the target is shown phrases such as “Servizi Google” (Google Service) and “Aggiornamento effettuato con successo” (Successful Update).

What made him think that this might be the work of Hacking Team is the fact that the spyware contacts two IP addresses located in an address space used by previously known HackingTeam families.

The use of Italian in encrypted strings and SSL certificates is another circumstantial piece of evidence that seemed to point in that direction.

But two former Hacking Team employees and Citizen Lab researcher Bill Marczak believe that particular company was not involved in the creation of this malware.

The former analyzed the code and found it nothing like spyware samples developed by Hacking Team. The latter told Motherboard that the spyware’s infrastructure isn’t linked to Hacking Team’s – and he should know, as he’s been tracking it for a while.

But a mention in the SSL certificate used by one of the servers contains a string that might point to the right source: “Raxir”.


Raxir is the name of an Italian company, started in 2013 and housed at tech incubator “Citta’ Della Scienza” in Naples, Italy.

According to this description, the company develops software for investigations and intelligence gathering, and its software can only be used by government and law enforcement agencies.

Currently, it is only being used by those entities in Italy, as well as by the Second University of Naples (“Seconda Università degli Studi di Napoli”), but the “company has ties with Germany, and would like to reach foreign markets, and especially emerging economies/countries.”

According to Marczak’s findings – a server whose digital certificate contains the string “ProcuraNapoliRaxirSrv” – it seems that Raxir’s products are being used by the Naples’ office of the prosecutor.

Neither Hacking Team nor Raxir answered Motherboard’s request for comment on the matter.

Help Net Security

Android malware is becoming more resilient courtesy of newly adopted techniques that also allow malicious programs to avoid detection, Symantec reveals.

The mobile ecosystem is constantly expanding and becoming more feature-rich, and so is the mobile threat landscape. Most recently, a large number of malware families targeting the Android operating system were observed incorporating new techniques that allow them to both evade detection and maintain their presence on infected device even after being discovered.

One of these techniques is packing, which Android malware has been leveraging more frequently in recent months, Symantec’s security researchers explain. According to the security firm, the share of packed Android malware increased from 10% to 25% in the nine months between December 2015 and August 2016.

Another trending technique among Android malware authors is the use of MultiDex malicious applications, which are programs that use two Dalvik Executable (DEX) files to deliver the final payload. Android apps usually contain executable code within DEX files, but typical Android programs have a single DEX file. Detection focuses on a single DEX file as well, and splitting the payload between two DEX files allows malware authors to evade detection in one simple move.

According to Symantec, malware authors are also creating Instant Run-based malware, or malicious programs that leverage the Instant Run feature released with Android Studio 2.0. The feature was designed to help developers quickly deploy updates to a debug application, all through simply pushing these updates in the form of .zip files.

To leverage this technique, malware authors are packing the malware payload portion of their app in code fragments that are hidden in the .zip file. The good news is that this technique can be used only on Android Lollipop and later SDK levels, and that it applies only to debug-version apps installed via sideloading. Applications distributed via Google Play are safe from it.

Recently, Android malware families also began using “strange” values in the application manifest file (AndroidManifest.xml) and in the compiled resources file (resources.arsc), yet another attempt to hide the malicious code from scanners. The use of inaccurate size values and magic values in headers can fool detection tools. Malware authors might also insert junk data into the string pool and at the end of files, or mismatch XML namespaces to hinder detection.
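Header tricks work because scanners trust fields they could verify against the file itself. The Go program below is an added example, not Symantec’s detection logic; it covers both the DEX discussion above and the inaccurate-size point here. It builds a minimal DEX image (a 112-byte header plus a constructed data section, no real code), then cross-validates the fields a scanner can check: magic and version, header_size, endian_tag, the Adler-32 checksum, the SHA-1 signature, and whether file_size and the data section agree with the bytes actually present. The tampered variant writes a bogus file_size; refresh then recomputes checksum and signature the way an evasion author would, which shows that a valid checksum alone proves nothing.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"hash/adler32"
)

const dexHeaderSize = 0x70 // every DEX header is exactly 112 bytes

// buildDex constructs a minimal, internally consistent DEX image for this
// example: header followed by a short constructed data section, no code.
func buildDex() []byte {
	data := []byte("constructed data section")
	img := make([]byte, dexHeaderSize, dexHeaderSize+len(data))
	copy(img[0:8], "dex\n035\x00")
	le := binary.LittleEndian
	le.PutUint32(img[0x20:], uint32(dexHeaderSize+len(data))) // file_size
	le.PutUint32(img[0x24:], dexHeaderSize)                    // header_size
	le.PutUint32(img[0x28:], 0x12345678)                       // endian_tag
	le.PutUint32(img[0x68:], uint32(len(data)))                // data_size
	le.PutUint32(img[0x6C:], dexHeaderSize)                    // data_off
	img = append(img, data...)
	return refresh(img)
}

// refresh recomputes signature (SHA-1 of everything after it) and checksum
// (Adler-32 of everything after it), as the format defines them. This is
// exactly what an evasion author does after editing other header fields.
func refresh(img []byte) []byte {
	out := append([]byte(nil), img...)
	sig := sha1.Sum(out[0x20:])
	copy(out[0x0C:0x20], sig[:])
	binary.LittleEndian.PutUint32(out[0x08:], adler32.Checksum(out[0x0C:]))
	return out
}

// tamperFileSize copies img and writes an inaccurate file_size, leaving
// checksum and signature stale.
func tamperFileSize(img []byte) []byte {
	out := append([]byte(nil), img...)
	binary.LittleEndian.PutUint32(out[0x20:], 0x7fffffff)
	return out
}

// checkDex cross-validates the header against the bytes actually present and
// returns one finding per inconsistency; an empty result means they agree.
func checkDex(img []byte) []string {
	var f []string
	if len(img) < dexHeaderSize {
		return []string{"file shorter than a DEX header"}
	}
	if !bytes.HasPrefix(img, []byte("dex\n")) || img[7] != 0 {
		f = append(f, fmt.Sprintf("bad magic %q", img[0:8]))
	}
	le := binary.LittleEndian
	if got := le.Uint32(img[0x20:]); int(got) != len(img) {
		f = append(f, fmt.Sprintf("file_size %d but file is %d bytes", got, len(img)))
	}
	if got := le.Uint32(img[0x24:]); got != dexHeaderSize {
		f = append(f, fmt.Sprintf("header_size 0x%x, expected 0x70", got))
	}
	if got := le.Uint32(img[0x28:]); got != 0x12345678 {
		f = append(f, fmt.Sprintf("unexpected endian_tag 0x%08x", got))
	}
	if got, want := le.Uint32(img[0x08:]), adler32.Checksum(img[0x0C:]); got != want {
		f = append(f, fmt.Sprintf("checksum 0x%08x, computed 0x%08x", got, want))
	}
	if sig := sha1.Sum(img[0x20:]); !bytes.Equal(img[0x0C:0x20], sig[:]) {
		f = append(f, "signature does not match file contents")
	}
	dataSize, dataOff := le.Uint32(img[0x68:]), le.Uint32(img[0x6C:])
	if uint64(dataOff)+uint64(dataSize) > uint64(len(img)) {
		f = append(f, fmt.Sprintf("data section at %d with size %d runs past end of file", dataOff, dataSize))
	}
	return f
}

func main() {
	good := buildDex()
	bad := tamperFileSize(good)
	fmt.Println("clean:", checkDex(good))
	fmt.Println("tampered:", checkDex(bad))
	fmt.Println("tampered, checksum and signature refreshed:", checkDex(refresh(bad)))
}
```

The same approach applies to AndroidManifest.xml and resources.arsc: walk the binary XML and resource chunk headers and compare each chunk’s declared size with the bytes actually present, rather than trusting the declared value, and treat junk after the last chunk as a finding in its own right.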

Symantec’s researchers also explain that, while malware that gains root privileges on the infected device is typically difficult to remove, a newly employed technique is being used to further lock the malware installation. The method leverages Android’s Linux roots in the process, in particular the chattr Linux command, which makes files immutable.

Basically, when the immutable attribute is set on a file, the file cannot be deleted, renamed or modified, even with root privileges, until the attribute is cleared again (for instance with chattr -i from a root shell). Now, malware authors have included the chattr utility, encrypted, in their malicious application, and are leveraging it “to copy and lock the payload APK into the system folder, further confusing attempts at removal,” Symantec explains.

To stay protected from these types of threats, users are advised to keep their apps and operating system updated at all times and to install programs only from trusted sources, such as Google Play. Moreover, users should install a mobile security application and should back up important data frequently, to ensure they don’t lose valuable information in the event of malware compromise.


Ionut Arghire is an international correspondent for SecurityWeek.

SecurityWeek RSS Feed

Google this week launched the Project Zero Prize, a hacking competition with a $200,000 first prize to tighten Android security.

The goal for participants is to come up with an exploit that allows remote code execution on multiple Android devices, knowing only the phone number and email address associated with the device. The motivation for the contest, according to the announcement post by Google Project Zero security researcher Natalie Silvanovich, is to learn more about how attacks against Android devices are discovered and carried out.

"So why are we doing yet another hacking contest? Our main motivation is to gain information about how these bugs and exploits work," wrote Silvanovich on the Project Zero blog. "There are often rumors of remote Android exploits, but it's fairly rare to see one in action. We're hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs."

In the contest announcement, Google Project Zero stated the contest would be different from other hacking contests, where participants save up bugs and exploits to build an exploit chain and then submit their finished work. Instead, competitors are expected to file all their bugs in the Android issue tracker as they find them; a full submission can then be made by the participant at any time during the six-month contest.

The catch, Silvanovich wrote, is that "[o]nly the first person to file a bug can use it as a part of their submission, so file early and file often. Of course, any bugs that don't end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended."

In addition, Silvanovich said Project Zero will publicly share all of the vulnerabilities and exploits submitted for the competition. "Participants will submit a full description of how their exploit works with their submission, which will eventually be published on the Project Zero blog," she wrote. "Every vulnerability and exploit technique used in each winning submission will be made public."

In addition to the top prize of $200,000 for the first winning entry, the second winning entry will garner $100,000, and at least $50,000 will be awarded by Android Security Rewards to additional winning entries.

In other news

  • The White House appointed Brigadier General (retired) Gregory Touhill as the first Federal CISO. Touhill is currently deputy assistant secretary of cybersecurity and communications in the Office of Cybersecurity and Communications at the Department of Homeland Security. "In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies." The appointment was made as part of the Cybersecurity National Action Plan, introduced in February by President Obama, a plan "that takes a series of short-term and long-term actions to improve our cybersecurity posture within the federal government and across the country." The announcement of the appointment was posted by Tony Scott, the federal chief technology officer, and J. Michael Daniel, special assistant to the president and White House cybersecurity coordinator. Touhill's appointment comes on the heels of several high-profile government hacks, such as the OPM breach, and unflattering oversight reports on inadequate cybersecurity practices in agencies such as the FDIC.
  • Two Israeli citizens, Itay Huri and Yarden Bidani, have been arrested by Israeli police and charged with running a massive DDoS operation, investigative reporter Brian Krebs reported. The two young men, both age 18, had been running the vDOS booter service until this summer, when the service was hacked, revealing that it netted at least $600,000 over the past two years -- and possibly much more, as vDOS began operations in September 2012. Krebs broke the story at approximately the same time the two were arrested in Israel in connection with an investigation by the FBI. Krebs reported that the two earned the money by helping their customers execute more than 150,000 DDoS attacks, and Krebs speculated that the vDOS operation may have been responsible for a majority of DDoS attacks over the past few years.
  • As CIA director John Brennan warned on CBS's Face the Nation Sunday that the U.S. should be wary of Russia's hacking capabilities and activities, Politico reported that Democratic Party state officials and parties had been warned hackers were targeting them. The website obtained a copy of the email, titled "Security Alert: Please Do Not Search Wikileaks!", sent by the Association of State Democratic Chairs to its members. Recipients were warned against visiting the Wikileaks site because of concerns over the potential for being infected by malware transmitted through content on the website. Meanwhile, Brennan warned that "Russia has exceptionally capable and sophisticated cyber capabilities in terms of collection, as well as whatever else it might want to do in that cybersphere." Brennan continued: "Their intelligence services are quite active around the world, and this is something we have to make sure we're on guard for, not just for our national security purposes but also for making sure that our system of government here is going to be preserved."


SearchSecurity: Security Wire Daily News