Information Security News|Cyber Security|Hacking Tutorial https://www.securitynewspaper.com/

Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips
https://www.securitynewspaper.com/2022/06/02/millions-of-android-smartphones-exposed-to-remote-hacking-due-to-vulnerability-in-unisoc-baseband-chips/
Thu, 02 Jun 2022 17:28:20 +0000

It may not sound familiar to millions of mobile phone users, but Chinese chipmaker UNISOC has been a major member of the industry for just over 20 years. Founded as Spreadtrum Communications in 2001, the company grew rapidly to be present on more than half of Chinese phones by 2011. Currently, the firm produces budget chipsets for Android devices compatible with 2G, 3G, 4G and 5G technology, in addition to smart TVs and more, with a predominant presence in Asia and some regions of Africa and only behind giants such as Qualcomm and MediaTek.

While UNISOC is a major chip producer, its technology has been little analyzed by mobile security specialists, so it is difficult to know what security risks are present in devices with these chips, and there are not even references to any vulnerability detected in their firmware.

A recent research effort led by Check Point Research focuses on the modem of smartphones with UNISOC chips, which could be a very attractive attack target for cybercriminals, as this component can be accessed remotely and relatively easily, with the potential to deploy denial of service (DoS) attacks and block the communications of the affected devices.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and you need to understand it to understand how the UNISOC modem works. The 3GPP Group introduced the Evolved Packet System (EPS), an LTE technology architecture consisting of three key interconnected components:

  • User equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved Packet Core (EPC)

E-UTRAN has only one stack, the eNodeB station, which controls radio communications between the UE and the EPC. A UE can be connected to one eNodeB at a time.

The EPC component consists of four stacks, one of which is the Mobility Management Entity (MME). The MME controls the high-level operations of mobile devices on the LTE network. This component sends signaling messages related to security control, management of tracking areas, and mobility maintenance.

Check Point Research’s tests, conducted on a smartphone with a UNISOC modem, focus on communications between MME and UE stacks, which occur via EPS session management (ESM) and mobility management (EMM) protocols. The following screenshot shows the protocol stack of the modem. The non-access stratum (NAS) level hosts EPS and EMM signaling messages.

The NAS protocol operates with high-level structures, which would allow threat actors to create specially crafted EMM packets and send them to a vulnerable device, whose modem will parse them and create internal objects based on the information received.

A bug in the parsing code would allow hackers to lock the modem and even perform remote code execution (RCE) attacks.

Security flaws in NAS handlers

Most NAS message parsers take three arguments: an output buffer, which is an object of the appropriate message structure, the NAS message data blob for decoding, and the current offset in the message blob.

The unified function format makes it easy to implement a harness to fuzz the NAS parsing functions. Check Point experts used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the modem binary to redirect malloc calls to the libc equivalent. The fuzzer mutated the NAS message data and passed it as an input buffer to the parsing function.

One of the optional fields of the ATTACH_ACCEPT message is the mobile identity. The modem firmware implements an unpacking function similar to liblte_mme_unpack_mobile_id_ie of srsRAN to extract the mobile identity from the NAS message. The identity data block begins with the length of the identity; if the device is represented by an International Mobile Subscriber Identity (IMSI), length minus 2 bytes of the message data are copied to the output buffer as the IMSI number.

The code skips the check that would ensure the provided length value is greater than one. Therefore, if the value of the length field is zero, 0-2 = 0xFFFFFFFE bytes of the NAS message are copied to the heap memory, leading to a DoS condition.
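The missing check, written out as a bounds-checked parser in the three-argument style described above. This is an added example, not UNISOC firmware or srsRAN code: the struct, the function names, the extra message-length argument, the 8-octet output capacity and the two-octet header layout are assumptions, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEI_MOBILE_ID 0x23u /* identity block tag, as quoted in the article */
#define ID_HDR_OCTETS 2u    /* octets subtracted from the length ("length - 2") */
#define ID_MAX_OCTETS 8u    /* output capacity; value assumed for this sketch */

enum mid_status { MID_OK, MID_TRUNCATED, MID_BAD_LENGTH, MID_TOO_LONG };

typedef struct {
    uint8_t type;                   /* low 3 bits of the type octet (1 = IMSI) */
    uint8_t octets[ID_MAX_OCTETS];  /* identity payload */
    size_t  n_octets;
} mobile_id_t;

/* Copy size the unchecked code computes: "length - 2" in 32-bit unsigned
 * arithmetic. Nothing is copied here; the function only shows the wrap. */
uint32_t unchecked_copy_len(uint8_t length)
{
    return (uint32_t)length - ID_HDR_OCTETS;
}

/* Hardened parser. *offset must point at the length octet; it is advanced
 * past the identity block only when parsing succeeds. */
int parse_mobile_id(const uint8_t *msg, size_t msg_len, size_t *offset,
                    mobile_id_t *out)
{
    size_t off = *offset;
    if (off >= msg_len)
        return MID_TRUNCATED;                 /* no length octet present */

    uint8_t length = msg[off];
    size_t remaining = msg_len - off - 1;     /* octets after the length octet */

    if (length < ID_HDR_OCTETS)
        return MID_BAD_LENGTH;                /* the check the firmware lacked */
    if (length > remaining)
        return MID_TRUNCATED;                 /* claims more data than exists */

    size_t payload = (size_t)length - ID_HDR_OCTETS;
    if (payload > sizeof out->octets)
        return MID_TOO_LONG;                  /* would overrun the output */

    out->type = msg[off + 1] & 0x07u;
    memcpy(out->octets, msg + off + 1 + ID_HDR_OCTETS, payload);
    out->n_octets = payload;
    *offset = off + 1 + length;
    return MID_OK;
}

/* Constructed samples: each starts at the identity tag, so parsing starts
 * at offset 1. */
static const uint8_t SAMPLE_ARTICLE[] = { 0x23, 0x01, 0x01 }; /* bytes quoted in the article */
static const uint8_t SAMPLE_ZERO[]    = { 0x23, 0x00 };
static const uint8_t SAMPLE_SHORT[]   = { 0x23, 0x08, 0x01, 0x00, 0x11 };
static const uint8_t SAMPLE_VALID[]   = { 0x23, 0x05, 0x01, 0x00, 0x11, 0x22, 0x33 };

/* Parse one sample and return the status code. */
int parse_sample(const uint8_t *msg, size_t len, mobile_id_t *out)
{
    size_t off = 1;
    if (len == 0 || msg[0] != IEI_MOBILE_ID)
        return MID_TRUNCATED;
    return parse_mobile_id(msg, len, &off, out);
}

int main(void)
{
    mobile_id_t id;
    printf("unchecked copy size, length 0: 0x%08X\n",
           (unsigned)unchecked_copy_len(0));
    printf("unchecked copy size, length 1: 0x%08X\n",
           (unsigned)unchecked_copy_len(1));
    printf("article bytes -> status %d\n",
           parse_sample(SAMPLE_ARTICLE, sizeof SAMPLE_ARTICLE, &id));
    printf("zero length   -> status %d\n",
           parse_sample(SAMPLE_ZERO, sizeof SAMPLE_ZERO, &id));
    printf("short message -> status %d\n",
           parse_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &id));
    printf("valid message -> status %d\n",
           parse_sample(SAMPLE_VALID, sizeof SAMPLE_VALID, &id));
    return 0;
}
```

Rejecting the length before subtracting is what prevents the wrap; checking it against the bytes left in the message and against the output capacity covers the two other ways the same copy can go out of bounds.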

In the following screenshot, you can see the message ATTACH_ACCEPT, which causes the overflow.

The highlighted 0x23 value indicates that the following data is the identity block of the message, where the first 0x01 is the length and the second 0x01 is the IMSI type.

Conclusions

UNISOC is aware of this condition, and the flaw has already been assigned the identifier CVE-2022-20210. While the hacking variants described by Check Point are not easy to exploit and require great resources and planning, the possibility of exploitation is real and should not be dismissed.

Errors will be properly addressed, protecting millions of smart device users. Google is also aware of the report and will issue some additional protections for the Android system. 

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

More than 200 apps on Play Store with millions of downloads are stealing users’ passwords and sensitive information
https://www.securitynewspaper.com/2022/05/17/more-than-200-apps-on-play-store-with-millions-of-downloads-are-stealing-users-passwords-and-sensitive-information/
Tue, 17 May 2022 19:28:16 +0000

Researchers at Trend Micro identified a set of mobile apps available on the Google Play Store performing malicious tasks in the background, including stealing user credentials and banking details from Android users. Some of these apps have nearly 100,000 downloads, so the scope of the problem is considerable.

In total, the analysis revealed 200 malicious applications that hide code belonging to dangerous malware variants, capable of putting users of the affected devices in serious trouble.

Simple tools, complex issues

One of the main threats identified is Facestealer, a spyware variant capable of stealing Facebook access credentials, allowing subsequent phishing campaigns, social engineering, and invasive advertising. Facestealer is constantly updated and there are multiple versions, making it easy for them to get into the Play Store.

Daily Fitness OL is described as a fitness tool, offering exercise routines and demonstration videos. Although there doesn’t seem to be anything wrong with this app, an in-depth analysis shows that the app’s code hides a Facestealer spyware payload.

When a user opens this app, a request is sent to hxxps://sufen168.space/config to download its encrypted configuration. This configuration prompts the user with a message requesting to log in to Facebook, after which the app launches a WebView to load a malicious URL. Subsequently, a snippet of JavaScript code is injected into the loaded website, allowing the theft of the user’s credentials.

Once the user logs into their Facebook account, the app collects the cookies and the spyware encrypts the collected information to send it to a remote server.

Other malicious apps, such as Enjoy Photo Editor or Panorama Camera, also hide Facestealer payloads and have a very similar attack process, although they may vary in some stages or methods.

Risk for crypto investors

Experts have also identified more than 40 fraudulent cryptocurrency apps disguised as legitimate tools, even taking their image or using similar names. The developers of these tools seek to get affected users to buy supposed Premium versions at high costs with fake ads.

Tools like “Cryptomining Farm Your Own Coin” do not demonstrate invasive behaviors even in test environments, so they effectively evade security mechanisms in the Play Store. However, when trying to connect a Bitcoin wallet to this application, a message appears asking the user to enter their private keys, a clear red flag alerting that something’s wrong.

The analyzed sample was developed using Kodular, a free online suite for mobile app development. Trend Micro notes that most fake cryptocurrency apps use the same framework.

The analyzed app only loads a website and does not even have capabilities to simulate mining processes or cryptocurrency transactions.

The loaded website tells users that they can participate in a cloud mining project in order to lure them to the true start of the attack. Next, threat actors ask users to link a digital wallet to this website, in an attempt to collect private keys, which are further processed with no encryption at all.

Although the malicious applications were reported to Google and have already been removed from the official store, the researchers believe that the company must considerably improve security measures in the Play Store, as many developers of malicious applications continue to find methods to evade the security of the app repository, putting millions of users at risk.

GO Keyboard, an app with over 100 million downloads, has full access to the phone and contains tracking code from 20 companies, including Google, Facebook, Amazon and the Russian government
https://www.securitynewspaper.com/2022/05/06/go-keyboard-an-app-with-over-100-million-downloads-has-full-access-to-the-phone-and-contains-tracking-code-from-20-companies-including-google-facebook-amazon-and-the-russian-government/
Fri, 06 May 2022 16:39:37 +0000

Security researcher Wolfie Christl has detailed how a seemingly harmless custom keyboard mobile app with millions of downloads has almost complete access to the devices where it is installed, in addition to hiding tracking code from 20 companies, including Google, Facebook, Amazon, and other data brokers, some linked to the Russian government.

GO Keyboard – Emojis & Themes is described as an app for keyboard customization, with more than 1,000 themes, emojis and fonts for the user to add to their devices. In its Google Play Store profile, it can be seen that the app has more than 100 million downloads and even assures its users that their confidential information will never be collected, something that we could already doubt.

Since the app is still on the Play Store, any Android user might assume that this is a reliable tool. Unfortunately, sometimes unscrupulous developers manage to evade the security mechanisms of the application repository, either by hiding dangerous variants or, as in this case, by requesting highly invasive permissions on the affected systems.

According to Christl, the GO Keyboard code contains a total of 27 trackers, which allow the collection of data about certain characteristics of a smartphone or user activities, mainly for marketing purposes. Among the trackers used by GO Keyboard are Amazon Advertisement, Facebook Ads, Facebook Analytics and Google AdMob.

The app also contains code signed by myTarget, an advertising platform provided by Mail.Ru Group and including all major Russian-speaking social networks.

As if that were not enough, at the time of its installation GO Keyboard requests 27 permissions on the system, including access to the precise location of the device, running a service in the foreground, access to network connections, full access to the network, use of the device’s camera, audio recording, reading, modifying and deleting the contents of the SD card, and preventing the device from sleeping. Specialists at Exodus, which detects whether mobile apps contain third-party tracking code, find it worrisome that a simple tool to customize a smartphone’s keyboard requests so many permissions on the affected systems.

These findings have already been shared with Google, although the app is still available on the Play Store and its developers don’t seem to have made any changes. In addition, there are hundreds of applications that maintain similar practices, accumulating millions of downloads and exposing users to all kinds of risks. As usual, the recommendation for Android users is to uninstall this app from their devices.

You can earn 1.5 million dollar by finding vulnerabilities in Android 13 Beta
https://www.securitynewspaper.com/2022/05/02/you-can-earn-1-5-million-dollar-by-finding-vulnerabilities-in-android-13-beta/
Mon, 02 May 2022 21:28:57 +0000

Google has decided to temporarily increase payments in its vulnerability bounty program for those researchers who submit reports of flaws in Android 13 Beta, in a bid to significantly improve the security of the new iteration of its operating system for mobile devices. Until May 26, researchers who find security flaws in this operating system will be able to receive a bonus of 50% of the original bounty amount.

The maximum bounty for successful reports through Google’s program is $1 million USD, applicable for remote code execution issues on the Titan M chip, used in Pixel devices. Via Twitter, Google detailed: “Vulnerabilities in Android 13 Beta discovered between 04/26/22 and 05/26/22 are eligible for a reward payment of up to $1.5 million USD for a full chain of remote code execution exploits on Titan M.”

On the other hand, reports of data mining errors in Titan M could be rewarded with up to $750,000 USD during this special period, as opposed to the $500,000 usually paid to researchers.

Finally, code execution errors in Android components such as the secure element, the trusted execution environment and the kernel could receive up to $375,000 USD. Just a month ago, Google announced that the rewards offered for eligible vulnerability reports from Google Nest and Fitbit would be doubled, with the tech giant still looking to incentivize ongoing collaboration with independent security specialists.

Easy way to hack Samsung Galaxy phones with Android 9, 10, 11 or 12 via preinstalled application
https://www.securitynewspaper.com/2022/04/12/easy-way-to-hack-samsung-galaxy-phones-with-android-9-10-11-or-12-via-preinstalled-application/
Tue, 12 Apr 2022 23:03:41 +0000

Cybersecurity specialists from the firm Kryptowire report the detection of CVE-2022-22292, a severe vulnerability in some Samsung devices with versions 9, 10, 11 and 12 of the Android operating system. According to the report, exploiting the flaw would allow the delivery of arbitrary Intent objects to be executed by a pre-installed application with high privileges.

In addition to this issue, an underlying vulnerability would allow a third-party application to be used to send data to arbitrary activity application components in the context of a pre-installed application. This opens up a large attack surface for third-party applications, allowing arbitrary Intent objects with embedded data to be sent to activities that appear to originate from the affected system itself. In other words, an unprivileged application can use an unprotected interface to send Intent objects and perform actions on its behalf.

What is this flaw?

Mobile apps are limited to their own context when you launch an activity app component through an Intent object. This flaw would allow local applications to indirectly use the context of a pre-installed application with the system’s User ID (UID) when initiating activities through a malicious Intent object.

The concept of an attacker-controlled Intent object refers to the pre-installed application affected by this vulnerability using the system UID to obtain an Intent object embedded within another Intent object sent from a malicious application, and then starting an application activity component using the embedded Intent object. This can be conceptualized as “intent forwarding,” where the attacker controls the Intent object that a privileged process sends, which would allow the start of non-exported application activity components (android:exported="false").

This condition allows third-party applications to control the contents of Intent objects sent by a pre-installed application running with the system UID. The affected pre-installed application that forwards the Intent objects it receives is a tool with the package name com.android.server.telecom, and apparently the problem in the application exists due to incorrect access control on a dynamically registered broadcast receiver in com.android.server.telecom.

This does not seem to be a problem originating in the Android Open Source Project (AOSP), because at the moment it only seems to affect some Samsung devices managing com.android.server.telecom files. A local application capable of exploiting the vulnerability can run in the background to initiate specific activities without the user noticing.

By exploiting the vulnerability, the local application can use specific activities to gain additional capabilities programmatically through privilege escalation, including factory reset, arbitrary application installation and uninstallation, and access to sensitive information.

Compromised devices

The following table contains a list of the affected Samsung Android devices. This table is not intended to be exhaustive, and has been put together only to show that researchers have verified that a variety of Android versions, models, and builds are vulnerable:

Ukrainian police shut down bot farms dedicated to spreading pro-Russian fake news
https://www.securitynewspaper.com/2022/03/28/ukrainian-police-shut-down-bot-farms-dedicated-to-spreading-pro-russian-fake-news/
Tue, 29 Mar 2022 00:33:23 +0000

Ukrainian authorities announced the dismantling of five huge bot farms from which more than 100,000 social media accounts dedicated to the spread of fake news were controlled as part of the disinformation campaigns orchestrated by Russia. Through this infrastructure, misleading or directly false news was distributed on social networks such as Facebook, Twitter and Instagram.

According to the Ukrainian Security Service (SSU), the objective of the network was to destabilize the socio-political situation in several regions, thus curbing the resistance of the Ukrainian militia and facilitating the eventual Russian military occupation.

After a thorough investigation, the SSU conducted five raids and confiscated all manner of electronic devices, including:

  • 100 sets of GSM gateways
  • Around 10,000 SIM cards from various mobile operators
  • Laptops and desktops used to monitor and coordinate bot activity 

Containing cyberattacks against Ukrainian technological infrastructure has not been easy. Over the past month, the SSU’s official platforms have been disconnected multiple times and for periods of up to three days, in a sign that Ukraine’s government faces increasingly complex problems keeping its critical systems online.

In a report issued this weekend, Ukrainian cyber police confirmed the arrest of a man accused of compromising social media accounts using malicious websites in order to prey on well-meaning citizens for alleged fundraising.

Soon after, the SSU announced the detection of a phishing campaign allegedly operated by Kremlin-sponsored threat actors. In this campaign, social media users were tricked into visiting malicious websites from where they would be infected with the dangerous PseudoSteel malware, which allowed hackers to search for and extract potentially sensitive files remotely.

The maintenance of its computer systems is essential for Ukraine, as activities such as the mobilization of refugees and the reception of food depend heavily on this technology. This is a sign of how devastating a cyberwarfare campaign can be today, especially in a country already facing military conflict.

Do not use Google Dialer and Messages; these apps send your call logs, contacts, and call timing data to Google
https://www.securitynewspaper.com/2022/03/22/do-not-use-google-dialer-and-messages-these-apps-send-your-call-logs-contacts-and-call-timing-data-to-google/
Tue, 22 Mar 2022 18:40:29 +0000

A recent report notes that Google Messages and Google Dialer apps for Android devices have been collecting information without users’ consent to send to Google servers, in a breach of data protection laws in Europe and other regions.

Trinity College Dublin researcher Douglas Leith published a paper titled “What Data Do the Google Dialer and Messages Apps on Android Send to Google?” in which he discusses how these phone call and messaging apps communicate with Google Play Services and the Google Firebase Analytics service.

According to Leith, the data sent by Google Messages includes a hash of the text in the message, which allows linking the sender and receiver in an exchange of messages. In addition, the data sent by Google Dialer includes the time and duration of users’ calls, data that also allows linking the two numbers involved in a call.

“Google collects other records such as the timing and duration of interactions between its users without offering a way to decide that their information is not sent to the company’s servers,” the researcher adds.

Google Messages (com.google.android.apps.messaging) is installed on more than a billion Android phones and is included with devices from phone operators such as AT&T and T-Mobile, as well as being pre-installed on Huawei, Samsung and Xiaomi devices. Google Dialer or Phone by Google, (com.google.android.dialer), has a similar scope.

Pre-installed versions of these apps don’t have a privacy policy section to specify what user information will be collected, a requirement Google imposes on all third-party developers. In addition, when asked about the data collected, Google did not confirm that the metrics identified by the researcher are being collected.

While Google Play Services explains that these apps collect user data, it simply points out that it is done for security reasons and for the improvement of some Google services. These arguments do not explain the collection of metadata from messages and phone calls.

The researcher concluded his report by listing some of the measures that Google has committed to implement to change this situation, including:

  • Review the app’s onboarding flow to notify users that they are using a Google app
  • Stop the collection of the sender’s phone number by the CARRIER_SERVICES log source, the 5 SIM ICCID and a message text hash sent/received by Google Messages
  • Stop logging call-related events in Firebase Analytics from Google Dialer and Messages

Don’t use any Samsung smartphone launched from 2017 till 2021 (including S21): Flawed encryption could expose your confidential data
https://www.securitynewspaper.com/2022/02/25/dont-use-any-samsung-smartphone-launched-from-2017-till-2021-including-s21-flawed-encryption-could-expose-your-confidential-data/
Fri, 25 Feb 2022 17:15:00 +0000

Cybersecurity specialists report the detection of what they defined as “a critical cryptographic design flaw” affecting more than 100 million Samsung Galaxy smartphones sold from 2017 to date. According to the report, the successful exploitation of these flaws would have allowed threat actors to extract hardware-based keys from the devices and access all the information stored on them.

Threat actors could also exploit flaws to degrade security protocols on affected devices in order to make them vulnerable to other hacking variants, impacting models from Galaxy S8 to the recently released Galaxy S21.

Experts begin by explaining that today’s smartphones control all kinds of confidential messages, cryptographic keys, authentication methods, mobile payments and other functions based on various technological implementations. The reported flaws mainly affect devices that use ARM’s TrustZone technology, the hardware support for Android smartphones that allows creating a trusted execution environment for the implementation of advanced security features.

TrustZone divides a phone into two parts: 

  • Normal World: Running regular tasks, such as Android OS
  • Secure World: Management of the security subsystem and space for sensitive device resources. This segment is only accessible to trusted applications with sensitive security features, including encryption

Samsung made some serious mistakes in designing the way its smartphones encrypt material stored in TrustZone, employing a single key and allowing IV reuse, a design that the researchers say allows a trivial decryption process for some potential attackers. The report also specifies that Samsung employs AES-GCM on its devices, a reliable encryption algorithm that is implemented incorrectly: the algorithm requires fresh random data (the IV) for each new encryption operation, something that does not happen on Galaxy devices.
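Why a single key with a repeated IV undoes a counter-mode cipher such as AES-GCM, together with the duplicate-IV check a key-blob audit would run. This is an added example, not Samsung's Keymaster code or the researchers' tooling: a toy keystream generator stands in for the AES-CTR core of GCM (it is not a secure cipher), and the key, IVs and plaintexts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOB_LEN 16

/* Toy keystream byte derived from (key, iv, position). Stand-in for the
 * AES-CTR keystream inside GCM; NOT a secure cipher. */
static uint8_t ks_byte(uint64_t key, uint64_t iv, size_t i)
{
    uint64_t z = key ^ (iv * 0x9E3779B97F4A7C15ULL) ^ (uint64_t)(i / 8);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    z ^= z >> 31;
    return (uint8_t)(z >> (8 * (i % 8)));
}

/* Counter-mode encryption and decryption are the same XOR. */
void stream_xor(uint64_t key, uint64_t iv, const uint8_t *in, uint8_t *out,
                size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ ks_byte(key, iv, i);
}

/* Constructed plaintexts standing in for two wrapped blobs. */
static const uint8_t P1[BLOB_LEN + 1] = "blob-A: key=1111";
static const uint8_t P2[BLOB_LEN + 1] = "blob-B: key=2222";

/* Encrypt P1 under iv1 and P2 under iv2 with ONE key, then combine both
 * ciphertexts with the known plaintext P1. Returns 1 when that yields P2,
 * which happens exactly when the keystreams cancel (same key, same IV). */
int second_blob_exposed(uint64_t key, uint64_t iv1, uint64_t iv2)
{
    uint8_t c1[BLOB_LEN], c2[BLOB_LEN], guess[BLOB_LEN];
    stream_xor(key, iv1, P1, c1, BLOB_LEN);
    stream_xor(key, iv2, P2, c2, BLOB_LEN);
    for (size_t i = 0; i < BLOB_LEN; i++)
        guess[i] = c1[i] ^ P1[i] ^ c2[i];   /* keystream cancels if reused */
    return memcmp(guess, P2, BLOB_LEN) == 0;
}

/* Audit check: does any IV repeat among blobs wrapped under one key? */
int iv_reused(const uint64_t *ivs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (ivs[i] == ivs[j])
                return 1;
    return 0;
}

int main(void)
{
    const uint64_t key = 0x0123456789ABCDEFULL;   /* constructed key */
    const uint64_t repeated[] = { 7, 9, 7 };
    const uint64_t unique[]   = { 1, 2, 3 };

    printf("same IV:     second blob exposed = %d\n",
           second_blob_exposed(key, 7, 7));
    printf("distinct IV: second blob exposed = %d\n",
           second_blob_exposed(key, 7, 8));
    printf("audit {7,9,7}: reuse = %d\n", iv_reused(repeated, 3));
    printf("audit {1,2,3}: reuse = %d\n", iv_reused(unique, 3));
    return 0;
}
```

The fix on the encrypting side is the one the paragraph names: a fresh IV per operation, generated inside the component that holds the key rather than accepted from its caller.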

During testing, exploiting these bugs made it possible to extract information from the Secure World in TrustZone, which Samsung devices should identify as confidential and which should be protected with a reliable encryption algorithm.

This attack not only allows information to be extracted from TrustZone, but also allowed researchers to evade security standards such as FIDO2, exposing hundreds to hundreds of millions of people who have used these smartphones over the past five years. The researchers tried to contact Samsung to come up with a more accurate estimate.

In this regard, the company issued a patch for this security issue, tracked as CVE-2021-25444. The problem lies with the Keymaster Trusted Application, which performs cryptographic operations in the Secure World through some hardware components. Subsequently, the company issued a patch to address CVE-2021-25490, whose exploitation would allow a degradation attack to be deployed on the affected devices.

Critical remote code execution vulnerability in Android 12 affects millions of smartphones https://www.securitynewspaper.com/2022/02/09/critical-remote-code-execution-vulnerability-in-android-12-affects-millions-of-smartphones/ Wed, 09 Feb 2022 20:22:27 +0000
The latest Android operating system update includes a patch for a critical vulnerability tracked as CVE-2021-39675 that resides in the System component and could be exploited to gain remote access or perform privilege escalation attacks on affected devices.

Although the company has not revealed extensive details about this flaw, it is mentioned that the error relates to Android's wireless NFC code, which now contains an additional check to make sure that a size parameter is not too large. Google may be withholding further information about the flaw because of its potential for exploitation.

In addition to this flaw, Google addressed five high-severity vulnerabilities in Android's System component, including privilege escalation bugs in Android 11 and 12, and a denial of service (DoS) flaw in Android 10 and 11.

The System component isn't the only part of Android affected by the vulnerabilities. The report also points to five severe errors in the Android Framework component whose exploitation would allow high privileges to be obtained on vulnerable systems; these flaws could be chained with other bugs for additional attacks.

These flaws were addressed in update package 2022-02-01. An additional set of patches, issued this week, addresses a high-severity bug in System, one flaw in Amlogic's Fastboot component, five bugs in MediaTek's code, three in Unisoc code, and 10 high-severity flaws in Qualcomm's code. Users should only apply these updates if their devices have these chipsets.

Users of Google Pixel devices will be the first to be able to download and install these updates, although the rest of the manufacturers will not have to wait too long to access the patches. Users should stay on top of each new update, as the company doesn't usually send notifications for installation, a practice for which Android has been criticized.

“Geofence warrant” allows police to obtain location data from Google users near crime scenes and arrest them https://www.securitynewspaper.com/2022/02/08/geofence-warrant-allows-police-to-obtain-location-data-from-google-users-near-crime-scenes-and-arrest-them/ Tue, 08 Feb 2022 17:13:40 +0000
In a tech application that looks like something out of a sci-fi movie, the Federal Bureau of Investigation (FBI) resorted to a court order to gain access to all Android devices located near the Seattle police union building on the afternoon of August 24, 2020, when representatives of the Black Lives Matter (BLM) social movement tried to start a fire in the building, forcing the evacuation of all personnel.

According to the report, the investigative agency resorted to the so-called “geofence warrant” to force Google to hand over information about devices using its popular mobile operating system, located in the area at the time of the attack.

During the investigation of the incident, an officer stated that it all began at almost midnight, when two unidentified suspects caused intentional damage to the building using homemade explosives: “Based on this information, we believe there is probable cause to seek information in Google’s possession and related to devices located near the scene of the incident.”

In the order, Google is required to hand over location history data, including GPS data and information related to visible WiFi points and Bluetooth packets transmitted from these devices to Google, determining the devices within reach of the investigation using the coordinates, date and times provided by the FBI.

For obvious reasons, privacy activists expressed concern, believing that Google should not be able to hand over these confidential records to law enforcement without a clear case, merely as an attempt to locate potential suspects.

These kinds of measures can cause anyone located around a crime scene to be considered a suspect; if your mobile device shows any indication of this, the authorities can send you a subpoena and even request full access to the information stored on your smartphone.

A Google spokesperson said, “As with any other legal request, we have a rigorous process that is designed to protect the privacy of our users while supporting the important work of law enforcement,” though it has not been confirmed whether the FBI will have access to the desired information.

This android malware deletes all phone data after stealing your money or information https://www.securitynewspaper.com/2022/01/25/this-android-malware-deletes-all-phone-data-after-stealing-your-money-or-information/ Tue, 25 Jan 2022 17:28:15 +0000
It is no secret to anyone that the most dangerous groups of threat actors in the world are always trying to evolve, making significant investments for the development of complex malware variants and the deployment of social engineering campaigns, so it is difficult to always stay protected from cyberattacks against computer systems, including smartphones.

A recent McAfee report points to the detection of a malicious campaign identified as Brazilian Remote Access Tool Android (BRATA), which combines an advanced malware variant and social engineering to infect thousands of devices, in addition to receiving constant maintenance from its developers.

As the name suggests, this malware variant specifically targeted Android users in Brazil using malicious apps available on Google Play, although in recent times it has been detected attacking users in the United States and Spain. The malicious payload is hidden in a supposed security scanner app that, once installed, asks users to install critical updates for other applications on the system, such as WhatsApp, Chrome or PDF readers that do not exist on the target system.

If the target user falls into the trap, the infection is completed and the malware begins to collect information from the target system, taking screenshots, intercepting passwords, patterns and keyboard logs, and even recording the screen of the affected device, performing detailed monitoring of the compromised user. Among the main features of BRATA are:

  • Hide and show incoming calls, reducing the volume of the device to zero and darkening the screen to the maximum
  • Granting permissions on the system without the user’s knowledge
  • Disabling the Google Play Store and Google Play Protect
  • Self-destruction

As if this were not enough, the latest update of this campaign contains new features, such as phishing capabilities, malware and banking Trojans that make BRATA one of the most dangerous security threats today. In a recently detected case, the malware was able to show the affected user fake URLs of financial institutions, making it easier to steal the victim’s sensitive banking information.

McAfee notes that social engineering methods continue to work as they take advantage of the fact that people trust banking institutions. In successful phishing attacks, people hand over the keys to the cybercriminals instead of the cybercriminals having to steal them themselves.

To prevent these kinds of infections, experts recommend that Android users never install applications from unofficial sources, as this is the main method employed by cybercriminals to deliver malware to mobile devices. As for malicious apps that manage to sneak into Google Play, specialists recommend checking the developer's information before installing the tool in question.

Thousands of hack-proof secure cell phones confiscated from Scotland prisons https://www.securitynewspaper.com/2021/12/28/thousands-of-hack-proof-secure-cell-phones-confiscated-from-scotland-prisons/ Tue, 28 Dec 2021 18:30:33 +0000
In its latest report, the Scottish Prison Service revealed that a total of 1889 cell phones were confiscated due to misuse within local jails. These devices were delivered to thousands of prisoners in early 2020 as part of the coronavirus isolation measures, since the prisons could not receive visitors and contact with the outside was practically cancelled.

In announcing this move, former Justice Secretary Humza Yousaf mentioned that £2.7 million was authorized for the purchase of 7,500 allegedly hacking-proof phones. However, some prisoners discovered an effective method to unlock the restricted functions of these devices a few hours after they were handed over. At the moment it is unknown what method the prisoners used to hack these devices.

A source in Scotland’s prison service says hundreds of prisoners used this hacked equipment to operate illicit activities, including drug sales and extortion, in complicity with individuals outside the prisons. It was also reported that some gangs inside the prisons managed to steal the devices that were given to other inmates, as the program did not include prisoners considered dangerous.

To make the problem more serious, prison officials say it's impossible to detect with the naked eye which devices have been tampered with. Prisons must therefore invest considerable resources to find the phones capable of making unauthorized calls abroad, and the problem can't be addressed in a matter of a few days.

For now, it has been decided that access to these phones will be revoked for inmates who misuse the devices, in addition to stricter measures to prevent the smuggling of new devices into prisons. These permits may be revoked for one month, two months or permanently.

Despite these measures, some congressmen have requested that the use of these devices be eliminated completely, as they believe that they only cause more problems than they solve and there is no way that the prison administration can guarantee their correct use.
