Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Android Security. Show all posts

Threat Actors Distribute Around 400K Malicious Files Every-day to Attack Users


According to one of the latest reports, nearly 4,00,000 new malicious files were apparently distributed every day by threat actors in the year 2022, in order to deceive and attack online users. The report shows a significant 5 percent growth compared to the 2021 data of the same. 

An estimate shared by cybersecurity company Kaspersky reports that almost 3,80,000 of these malicious files were detected daily in 2021, and 122 million harmful files were detected in 2022, an increase of six million from the year before. 

“Considering how quickly the threat landscape is expanding its boundaries and the number of new devices appearing in users' daily lives, it's quite possible that next year we'll be detecting not 4,00,000 malicious files per day, but half a million,” says Vladimir Kuskov, head of anti-malware research, Kaspersky. 

"Even more dangerous is that, with the development of Malware-as-a-Service, any novice fraudster can now attack devices without any technical knowledge in programming," Kuskov continues. 

The research conducted by Kaspersky indicates that the estimated number of ransomwares detected every day grew by 181%, encrypting 9,500 files every day. This is in comparison to the year 2021.  

Kaspersky as well detected a 142 percent hike in the number of Downloaders, which are malware programs designed in order to install malicious and unwanted applications in a device. Windows, among all platforms, remained the most common platform used by threat actors that are affected by the threat families. 

Experts at Kaspersky, on the other hand, have detected 3,20,000 new malicious files that are responsible for attacks on Windows devices, in 2022, the report added.

Moreover, the Kaspersky experts have witnessed a 10 percent hike in the distribution of malicious files, attacking Android platforms and devices each day in the year 2022.  

Google: Two Major Pixel Vulnerabilities Patched

 

Google has published updates for Android 10, 11, 12, and 12L which include Pixel security patches. The Android Security Bulletin for May offers information about security flaws could affect Android devices. 
 
The Pixel Update Bulletin offers information about security flaws and functional enhancements for concerned Pixel devices. Google Pixel phones are "pure Android" devices. The two bulletins identify significant vulnerabilities as follows : 

  • CVE-2022-20120—Bootloader [Critical] The bootloader has a remote code execution (RCE) flaw. The bootloader on Android is a software program that loads the operating system every time users turn on the phone. It can only load software which has been signed by Google by default. If users unlock the bootloader, though, it will run whatever software you specify. The precise problem hasn't been revealed yet, but based on the scale of access required to exploit it, it may be very serious.
  • CVE-2022-20117— Titan-M[Critical] Titan M has an information disclosure (ID) flaw. Titan M is a security management chip designed specifically for Pixel phones to protect the most sensitive data and os version on the device. Titan M aids the bootloader in ensuring users running the correct Android version. . However, being able to steal data from the portion which is supposed to protect the most sensitive information does not look well. 
  • CVE-2021-35090: Qualcomm[Moderate] Qualcomm chips are the most extensively used in Android smartphones. 9.3 out of 10 for CVSS. Qualcomm has recognized this race condition in Kernel as a Time-of-check Time-of-use (TOC TOU). A potential hypervisor memory corruption owing to a TOC TOU race scenario when changing address mappings was also mentioned. A TOC TOU occurs whenever a resource is tested for a specific value, such as whether or not a file exists, and then the value alters before the asset is utilized, invalidating the check's results. When multiple threads have access to shared data and attempt to update it at the same time, a race condition occurs.
  • CVE-2022-20119 Display/Graphics[High] 
  • CVE-2022-20121 USCCDMService[High] 

The most serious of these issues, according to Google, is a highly secure vulnerability in the Framework component which might lead to local elevation of privilege (EoP) with user execution rights required, although the company does not specify which of the four candidates it is. 

All problems in these bulletins are addressed in security patch versions 2022-05-05 or later for Google and other Android devices. Check and update one Android version to discover how to check a device's security patch level. Experts advise all Android users to update to the most recent version. 

This week, the Pixel 3a and Pixel 3a XL series will acquire its final security updates. When it comes to support, they then reach the End-of-Life (EOL)

 'Dirty Pipe' Kernel Bug Enables Root Patched via Linux Distros

 

Dirty Pipe is a Linux local privilege escalation problem that has been found and publicly released, together with proof-of-concept vulnerability. The 'Dirty Pipe' vulnerability was responsibly disclosed by security researcher Max Kellermann, who indicated it impacts Linux Kernel 5.8 and later versions, as well as Android devices. 

CVE-2022-0847 is a weakness in the Linux kernel which was introduced in version 5.8 and resolved in versions 5.16.11, 5.15.25, and 5.10.102.

Kellerman discovered the flaw while investigating a bug that was causing one of his customer's web server access records to be corrupted. The vulnerability, according to Kellerman, is similar to the Dirty COW vulnerability (CVE-2016-5195), which was addressed in 2016.

A bug in the kernel's pipe handling code allows a user program to rewrite the information of the page cache, which ultimately makes its way into the file system, thanks to a refactoring error. It is identical to Dirty COW, but it is relatively easier to use. 

While using Linux, check for and install security updates from the distro. Wait for Google (and maybe your maker and/or carrier) to send you an update if you're using Android; because it runs a kernel older than 5.8, the current version of Android for the Google Pixel 6 and the Samsung Galaxy S22 is currently in jeopardy. 

Kellerman revealed a proof-of-concept (PoC) vulnerability as part of the Dirty Pipe disclosure which essentially allows users to inject their own content into sensitive read-only files, removing limitations or modifying settings to provide wider access than they would normally have. 

However, security researcher BLASTY disclosed an improved vulnerability today which makes gaining root privileges easier by altering the /usr/bin/su command to dump a root shell at /tmp/sh and then invoking the script. 

Starting on February 20th, 2022, the vulnerability was responsibly revealed to several Linux maintainers, including the Linux kernel security team and the Android Security Team. Despite the fact that the defect has been resolved in Linux kernels 5.16.11, 5.15.25, and 5.10.102, numerous servers continue to use outdated kernels, making the release of this vulnerability a major concern for server admins. 

Furthermore, due to the ease with which these vulnerabilities may be used to acquire root access, it will only be a matter of time before threat actors start exploiting the vulnerability in upcoming attacks. The malware had previously used the comparable Dirty COW vulnerability, which was more difficult to attack.  

This flaw is particularly concerning for web hosting companies that provide Linux shell access, as well as colleges that frequently provide shell access to multi-user Linux systems. It has been a difficult year for Linux, with a slew of high-profile privilege-escalation flaws exposed.

Thousands of University Wi-Fi Networks Dislcose Log-In Credentials

 

Multiple configuration vulnerabilities in a free Wi-Fi network used by several colleges can enable access to the usernames and passwords of students and teachers who connect to the system using Android and Windows devices, according to the findings by researchers. 

WizCase researchers lead by researcher Ata Hakçl evaluated 3,100 Eduroam setups at universities throughout Europe and discovered that more than half of them have vulnerabilities that threat actors might exploit. 

They noted that the risk of misconfiguration might spread to other companies throughout the world. Eduroam offers free Wi-Fi access at participating institutions. It provides log-in credentials to students, researchers, and faculty members, allowing them to access the internet across many universities by utilizing credentials from their own university. 

Researchers found vulnerabilities in the execution of the Extensible Authentication Protocol (EAP) used by Eduroam, which offers numerous levels of authentication when individuals connect to the network. Some of these authentication steps are not implemented properly in some colleges, causing security flaws.

Researchers wrote in a report posted Wednesday, “Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk.” 

“If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in the range of you.” 

WizCase evaluated several configuration guidelines and built a test environment with multiple attack scenarios for the study. Overall, their analysis indicated that in the majority of institutions with misconfigured networks, threat actors may establish an “evil twin”, Eduroam network that a user would mistake for the actual network, especially on Android devices. 

Referring to Eduroam's catalogue application that performs certificate checks, researchers stated, “This could result in these devices automatically sending their stored credentials in order to connect to the evil twin Wi-Fi network for users not using eduroamCAT.” 

Researchers emphasized that the issue is not due to any technical flaw in Eduroam's services or technology, but rather due to improper setup instructions provided by the institutions' own network administrators to those setting up access. 

Moreover, while each institution supplies resources and personnel to assist Eduroam functioning, researchers discovered that there is no centralized management for the network – either as a whole or at each university where the system is in place. This signifies that a minor misconfiguration may make it a target for hackers. 

Researchers narrowed down the issue further by dissecting the numerous consecutive steps of EAP authentication, discovering that inadequate implementation of the last level of this authentication, known as "Inner Authentication," is at the foundation of the problem. Inner Authentication is accomplished in one of two methods in EAP. 

One method is to utilize the Plain Authentication Protocol (PAP), which sends users' credentials to the authentication server in plaintext and relies on Outer Authentication to completely encrypt the traffic with a server certificate. 

The alternative method utilizes Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), which understands that there may be errors in the “Outer Authentication stage, and transfers the password in a hashed, non-plaintext form. 

Mismanaged Certificate Checks 
“When a network with the same Wi-Fi name appears, Android devices will not check whether this certificate is trustworthy or not, and will not even notify the user about the certificate before connecting,” they explained. 

Even an operating system that properly performs certificate checks can disclose data since many users do not understand what a certificate check implies and will permit the connection to proceed even if they get an alert concerning the certificate. 

According to the researchers, this indicates that the problem can arise on Windows as well if a system is misconfigured. iOS devices are not vulnerable to the vulnerability since they do not enable connections to EAP networks without first installing the EAP configuration file, which ensures the validity of the server-side certificate. 

As per the researchers, 2,100 of the 3,100 Eduroam participating university setups examined by WizCase are possibly impacted by the issue. 

According to the firm, it may be prevented by returning to the second technique of Inner Authentication. WizCase contacted Eduroam in December to share their results and received a response the same day. 

In accordance with WizCase, Eduroam officials stated that they are aware of “Eduroam identity providers who do not follow the requirements of the Eduroam policy and leave their own users unprotected,” agreeing with researchers that this conduct is “unacceptable.” It is unknown whether Eduroam contacted its customers to alert them about the issue.

Smishing Campaign: Roaming Mantis Attacks OS Android Systems With Malware

A smishing campaign which goes by the name Roaming Mantis is imitating a logistics firm to hack SMS messages and contact list of Android users from Asia since 2018. Last year, Roaming Mantis advanced its campaign impact by sending phishing URL messages and dynamic DNS services that attacked targets with duplicate Chrome extension "MoqHao." From the start of 2021, Mcafee Mobile Research Team has confirmed that the group is attacking users from Japan with the latest malware named SmsSpy. 

The corrupted code infects Android users that use either one of the two versions that depend upon variants of operating systems used by attacked systems. The phishing technique incorporated here shares similarities with earlier campaigns, still, the Roaming Mantis URL has the title "post" in composition. A different phishing message impersonates to be a Bitcoin handler and then takes the target to a malicious site (phishing) where the victim is requested to allow an unauthorized login attempt. 

McAfee reports, "During our investigation, we observed the phishing website hxxps://bitfiye[.]com redirect to hxxps://post.hygvv[.]com. The redirected URL contains the word “post” as well and follows the same format as the first screenshot. In this way, the actors behind the attack attempt to expand the variation of the SMS phishing campaign by redirecting from a domain that resembles a target company and service." Different malware, as a characteristic of the Malware distribution program, is sent which depends upon the Android OS variant that gained login to the phishing site. In Android OS 10 and later variants, malicious Google Play applications will get downloaded. In Android OS 9 and earlier variants, malicious Chrome applications will get downloaded. 

Because the infected code needs to be updated with each Android OS update, the malware actor targets more systems by spreading the malware that finds OS, instead of just trying to gain a small set with a single malware type. "The main purpose of this malware is to steal phone numbers and SMS messages from infected devices. After it runs, the malware pretends to be a Chrome or Google Play app that then requests the default messaging application to read the victim’s contacts and SMS messages," said McAfee.

Over 600 Million Users Download 25 'Fleeceware' Apps from the Play Store


Researchers at security firm Sophos has discovered a new set of Android apps present on the Google Play Store that contain fleeceware. Notably, these apps have been downloaded and installed by over 600 million unsuspecting Android users.

The term 'Fleeceware' was first coined in September 2019 by cybersecurity firm Sophos in aftermath of an investigation that led to a new kind of financial fraud on the authentic Google Play Store.

Fleeceware is a new addition to the cybersecurity ecosystem, referring to the exploitation of the trial period mechanism in Android apps which generally is provided before one is charged for the full version from his signed up account.

Normally, users who register for an Android app's trial period are required to cancel the same manually in order to avoid being charged. However, it's common among users to simply stop using the app by uninstalling it in case they don't like it. The action of uninstalling is read by the developers as trial period being canceled and hence it doesn't result in the due amount being charged from the user account.

The UK based, a cybersecurity company, Sophos told that it identified over two-dozen android apps containing fleeceware, these apps were charging somewhere around $100 and $240 per year for apps as basic and mainstream as barcode readers, calculators, and QR scanners.

Suspecting the unusually high number of downloads on these apps, analyst Jagadeesh Chandraiah says, it's likely that these apps have resorted to third-party pay-per-install services to raise up the download counts. He also suspects the five-star reviews being fake and bought in order to better the apps ranking on the Play store and hence lure a large number of users.

Warning the users in their report, Sophos told, "If you have an Android device and use the Google Play Store for apps, you should rigorously avoid installing these types of “free trial” apps that offer subscription-based charges after a short trial."

"If you do happen to have a free trial, make sure you understand that merely uninstalling the app does not cancel the trial period. Some publishers require you to send a specific email or follow other complicated instructions to end the free trial before you are charged, though you might just need to log into your Google Pay to cancel. Keep copies of all correspondence with the publisher, and be prepared to share that with Google if you end up disputing the charges." the report further read.

Researchers Found Android Apps on Google Play that Steal Personal Data of Victims and Pose Other Threats



Security researchers identified seven new malicious apps present on Google Play Store that infect devices with adware and malware while laying open the system's backdoor access which ensures a smooth installation of any new functionality that comes along with the application. Other threats include battery drainage and excessive consumption of mobile data.

In recent times, with the mobile malware penetrating its roots in the cyber world, there have been a number of new discoveries from security researchers where they warn of malicious android apps that request sketchy permissions and contain malware. Android platform's openness, flexibility, and excess control are the key factors which make it all the more attractive to the users and likewise, cybercriminals. As a downside, it also provides a more vulnerable space for criminals to exploit by posting adware infected apps to serve marketing interests and steal sensitive user data. These apps can take different forms and mostly, share a similar code structure which indicates a direct link between the developers.

These malicious apps are configured to download and consequently install APKs from a GitHub repository, hence attackers are handling the GitHub communication very sophisticatedly, as a part of which they effectively wait to bypass detection by security officers and malware detection agencies.

Attackers have embedded a GitHub URL within the malicious app code which sets the basis for evading Google Play protect scan. However, while security researchers somehow managed to unearth the configuration data of the malicious apps and related URLs, they were directed to Adware APK which is triggered right after the installation of the infected app. The APK halts for a timeframe of 10 minutes after being triggered to execute the malicious motives.

Here, the aforementioned malicious apps have been posted by three different developers as listed below:

iSoft LLC (Developer) – Alarm Clock, Calculator, Free Magnifying Glass
PumpApp (Developer) – Magnifying Glass, Super Bright LED Flashlight
LizotMitis (Developer) – Magnifier, Magnifying Glass with Flashlight, Super-bright Flashlight

As a security measure for the continuously expanding mobile malware, Google tied up with various mobile security companies that would assist them in detecting bad apps before they hit a download mark over million. Users who have already installed these dropper apps are recommended to uninstall them manually.

All it takes a WhatsApp call for the spyware to enter your phone


It’s been a day of high-profile security incidents. First there was news the popular WhatsApp messenger app was hacked. Updated versions of WhatsApp have been released, which you should install if you’re one of the more than one billion people who use the app.

WhatsApp has confirmed that a security flaw in the app let attackers install spy software on their targets' smartphones. The spyware install on a host phone via a WhatsApp call. The spyware deletes all WhatsApp call logs to become untraceable.

On Wednesday, chip-maker Intel confirmed that new problems discovered with some of its processors could reveal secret information to attacks.

What's scary about this spyware is that it can slip on any WhatsApp users' smartphone without giving the slightest clue that their devices have been infected. All it takes is a WhatsApp call.

The WhatsApp news was revealed first by the Financial Times, which says the bug was used in an attempt to access content on the phone of a UK-based human rights lawyer.

That has left many of its 1.5 billion users wondering how safe the "simple and secure" messaging app really is. How trustworthy are apps and devices?

No. Messages on WhatsApp are end-to-end encrypted, meaning they are scrambled when they leave the sender's device. The messages can be decrypted by the recipient's device only.

WhatsApp is arguably one of the most popular social messaging apps in the world. In the recent times, the Facebook-owned social messaging app has been under fire owing to the rampant spread of misinformation on its platform. But never has the app been under seige by a malware. That is until now.

WhatsApp has rolled out an update to its servers. It has also rolled out a security patch on to its Android and iOS apps to safeguard your phone data. Software patches have been released by several vendors, including Microsoft. You should install security updates from vendors promptly, including these.

Qualcomm Chip Security Flaw Poses Risk to App Account Security



Qualcomm technology which was manufactured to safely store private cryptographic keys has been found to be plagued with a security bug. The bug has been found in Qualcomm chipsets and is said to be paving way for Android malware which can potentially steal access to victims' online accounts.

The implemention of the technology should be such that even if the Android's OS has been exploited, the Qualcomm Secure Execution Environment, also known as QSEE should be beyond the reach of exploit and hence, unassailable. However, due to some imperfections in the implementation, such is not the case.

One can go about manipulating the system and leaking the private stored keys into the QSEE, as per a researcher with cybersecurity firm NCC Group, Keegan Ryan.

Ryan documented the vulnerability and came out with a conclusion that the flaw could bave been used by a hacker to exploit the way mobile apps let users sign in on smartphones. After entering the password, a cryptographic key pair would be generated by the app, which can be employed to make sure that all login attempts in the future are from the same device.

Referenced from the statements given by Ryan to PCMag,
"However, if an attacker uses this vulnerability to steal the key pair, the attacker can impersonate the user's device from anywhere in the world, and the user cannot stop it by powering down or destroying their device,"

"The attacker can run the malware one time, and extract the key. They now have permanent and unrestricted ability to create (authentication) signatures," he further added.

The patch is expected to roll out in April itself along with Android's security update.






Google’s security program has caught issues in 1 million apps in 5 years

Security is a common concern when it comes to smartphones and it has always been especially important for Android. Google has done a lot over the years to change Android’s reputation and improve security. Monthly Android security patches are just one part of the puzzle. Five years ago, the company launched the Application Security Improvement Program. Recently, they shared some of the success they’ve had.

First, a little information on the program. When an app is submitted to the Play Store, it gets scanned to detect a variety of vulnerabilities. If something is found, the app gets flagged and the developer is notified (above). Diagnosis is provided to help get the app back in good standing. Google doesn’t distribute those apps to Android users until the issues are resolved.

Google likens the process to a doctor performing a routine physical.

Google recently offered an update on its Application Security Improvement Program. First launched five years ago, the program has now helped more than 300,000 developers fix more than 1 million apps on Google Play. In 2018 alone, it resulted in over 30,000 developers fixing over 75,000 apps.

In the same year, Google says it deployed the following six additional security vulnerability classes:

▬ SQL Injection

▬ File-based Cross-Site Scripting

▬ Cross-App Scripting

▬ Leaked Third-Party Credentials

▬ Scheme Hijacking

▬ JavaScript Interface Injection

The list is always growing as Google continues to monitor and improve the capabilities of the program.

Google originally created the Application Security Improvement Program to harden Android apps. The goal was simple: help Android developers build apps without known vulnerabilities, thus improving the overall ecosystem.

Google understands that developers can make mistakes sometimes and they hope to help catch those issues for years to come. Security will continue to be a big talking point as technology evolves. It’s important for users to be able to trust the apps on their phones.

Threatening Frailty in the Indian Mobile Security



Compromising your phones has become quite an easy task for the hackers these days as it is convenient for them to do so without much hard work .There are numerous ways already available like the hackers can change passwords and get access to confidential corporate and private data on your phone or better yet they can either install malicious code on your phone that allows them to read your messages, access your photos or could even turn on your microphone.

In other words, once hackers access your device, they can easily use your microphone or camera to record you, and thanks to GPS, they’ll even get to know your location.

In case of companies that make operating systems (OS) for mobile phones, they are used to plugging known vulnerabilities and loopholes by periodically updating their operating systems and release newer versions of it by even issuing security patches.

But in the case of Android, there exists a unique problem. Android being a foundational OS releases an update or a security patch and it’s unclear who is responsible for updating the OS that’s actually running on the device.

There are hundreds of companies that are currently making Android based devices and selling more than 60,000 models worldwide. It’s a complex ecosystem, with no one quite tracking the updates and vulnerabilities.

A third of the Android phones in India are running a version of the OS released in March 2015 or before. This leaves now some 300 million smart phone users in India potentially vulnerable.
Nobody presently knows how they are utilizing the internet and what applications are being installed on these devices. They are additionally liable to be less attentive about imparting information to application developers. Most terms and conditions that users consent to have a tendency to be in English. And that in itself is reasonable enough for assuming that numerous Indian mobile users are consenting to things without quite understanding what they are consenting to.

Saket Modi, the CEO of Lucideus Tech as well as a well-known ethical hacker says,
“It is relatively harder to install malware on Apple’s iPhones as to install a hacking app on an iPhone, you need the unique device identifier — a sequence of 40 letters and numbers, which can only be accessed by connecting the phone to a computer via Apple’s iTunes software. It is far easier however to install an app from an unknown source on an Android phone than on an iPhone,”

According to data aggregated by Lucideus, Android (all versions combined) has 1,855 known vulnerabilities, compared with 1,495 for iOS.

The Outdated privacy laws in India add to the troubles of mobile phone users. Shiv Putcha, founder of telecom consultancy Mandala Insights says..

 “In India, the regulations are weak at best, you don’t have a privacy law, no regulations around data storage or access to private data. If they (mobile phone makers and service providers) aren’t storing data here, how can we be sure how secure our data is?”

Nevertheless the government though did respond to this issue by highlighting the need for a strong data protection law, along the lines of the General Data Protection Regulation (GDPR) in the EU, and has even set up a committee to look into it.


Although according to Google, in 2017, India still ranks third in the highest percentage of phones with potentially harmful applications (PHAs) among the major Android markets, with 1% of the total Android phones in the country affected, though the figure had dropped by a third from 2016 but Google still says that devices that install apps from outside the Google Play app store are nine times more likely to have PHAs.





BlackBerry to launch Android phones



Isn’t it too late to launch an Android smartphone now, for a company like BlackBerry?

BlackBerry, a global leader in mobile communication which was introduced in 1999, is all set to launch an Android smartphone. Many people had already assumed few months ago that the company was planning to build the smartphones when the keyboard of the new Android phone was leaked.

During that time, it was said that the new phone would be named the BlackBerry Venice, and would come with a BlackBerry-esque sliding keyboard (H/T evleaks).

If the initials leaks were true, then the new BlackBerry Android phone would be a slider and would be touchscreen with a slide-out keyboard.

Now, it would be a great challenge for the BlackBerry to stand out among other giant Android phone companies. It seems the company has to do a lot of struggle to be the favorite.

It is said that people might love BlackBerry hardware but many people do not like its software. Hope the new phone will meet people expectations.

According to the second quarter financial results of the company, it plans to launch a flagship handheld device that will run on the Android operating system with BlackBerry security.

As per a news report published in Venturebeat, it is “focused on making faster progress to achieve profitability in our handset business,” before finally confirming the launch of “Priv,” a name that was first rumored earlier this week.

“I am confirming our plans to launch Priv, an Android device named after BlackBerry’s heritage and core mission of protecting our customers’ privacy,” John Chen, CEO of the BlackBerry told Venturebeat. “Priv combines the best of BlackBerry security and productivity with the expansive mobile application ecosystem available on the Android platform.”

The report suggested that the new Android phone would launch in November.


At the meantime, the company has also confirmed that it would continue working on BlackBerry 10, and said platform updates would be made available next March.

Beware of setting fingerprints screen lock on your Smartphone as it can easy hack



When we have to set lock screen feature on our Smartphone, we usually go with a fingerprint scanner in our Smartphone. We think that the fingerprint scanner is very safe and sound.


However, researchers from FireEye, a security firm, have found a way to break the fingerprints from Android phones such as Samsung Galaxy S5 and HTC One Max.

“Fingerprints last for a life, once leaked; they are leaked for the rest of your life. Moreover, fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if the attacker can remotely harvest fingerprints in a large scale,” the researchers said in the PDF report.

The research team, which includes Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei, has found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open "world readable" folder.

The researchers have provided detail information about the problems of existing designs, including the confused authorization attack that enables malware to bypass pay authorizations protected by fingerprints, insecure fingerprint data storage, fingerprint sensor, and pre embedded fingerprint backdoor.

However, the team reported the flaw to the companies concerned and was patched.

As per the news reports, the research team had also identified another attack that affects other Android phones where malware can circumvent protections in the operating system to access the fingerprint hardware directly.

The researchers have suggested, “To avoid being attacked by malware or being exploited for remote code execution, we suggest normal users to choose mobile device vendors with timely patching/upgrading to the latest version (e.g.'Android'Lollipop), and always keep your device up to date.”



Google offers Refunds to users scammed by fake "Virus Shield" app

Google is trying to maintain its reputation by offering refunds to those android users who were scammed by a fake antivirus app "Virus Shield".

Earlier this month, Android Police uncovered a fake virus scanner which was hosted in Google's Play Store that did nothing other than changing the icon and led the users into believing their devices are safe.

This fake paid app($3.99) was downloaded by more than 10,000 users before Google and others became aware of the true nature of this app.  In fact, this app reached number one position in the Top Paid apps list.

However, the developer of this app told the Guardian that one of their developers mistakenly uploaded the wrong version of "Virus Shield" application.  At the time, he also promised to refund users who bought their app.

But, Google seems to have decided not to lose thousands of users who are unhappy about the lax security mechanism which allowed such fake apps to be published.

According to Android Police report, Google is not only issuing refunds to purchasers but also offering them $5 promotional credit using which you can buy apps, books and music in Google Play store.

Android Vulnerability allows hackers to Turn Legitimate Application into Virus

All Android applications contain a signature which helps the Android to determine if the app is legitimate and to make sure the apk hasn't been tampered with or modified.

Security Researchers from BlueBox Labs have uncovered a new security flaw in Android that allows hacker to modify the application's code without breaking the application's cryptographic signature.

It can be exploited by cyber criminals to turn the legitimate applications into Malicious apps.

Exploited HTC Phone. - Image Credits: BlueBox

In a blog post, Jeff Forristal, Bluebox CTO, noted that the security flaw is particularly dangerous if hackers managed to exploit the application developed by the device manufacturers.

He also pointed out that turning the apps from the device manufacturer into Malware will grant the app full access to Android system that allows hackers to gain access to email , Messages, documents, passwords and more sensitive data.

Security Alert: Linux Kernel Privilege escalation exploit affects Android platform


Android Operating System is based on the Linux, means the vulnerabilities affecting Linux kernel have the possibility of being exploited in the Android platform.

It appears the recently discovered Linux local kernel privilege escalation vulnerability (CVE-2013-2094) is affecting the Android operating system.

According to Symantec researchers, the exploit for the kernel vulnerability has now been modified to work on Android platform. The security flaw allows hacker to gain complete control of the infected devices.

The researchers have warned that malware will take advantage of this exploit to access data from other apps, prevent users from uninstalling the malware, and allows them to send premium rate SMS.

We are not sure how much time Google will take to patch the bug. So, users are advised to download the apps only from trusted marketplaces.

Inbuilt Malware Scanner for Android 4.2 Jelly bean



The number of malware attacks on Android smartphones is increasing day in day out.  Google has been taking some steps to protect their users in recent months.  Now they are implementing a powerful new security features to android OS - an inbuilt malware scanner that scans app for malicious code.

Whenever you install an app from a source other than the Play Store -- including a third-party app market like Amazon's app store, Android pops up a box asking if you want such applications to be checked for "harmful behavior."

If user don't want to display a pop-up whenever installing new app, there is "checkbox" in the security section of the 4.2 system settings that lets you turn the service on or off at any point.

"We have a catalog of 700,000 applications in the Play Store, and beyond that, we're always scanning stuff on the Web in terms of APKs that are appearing," Lockheimer says. "We have a pretty good understanding of the app ecosystem now, whether something's in the Play Store or not."