Insecure UC Browser 'Feature' Lets Hackers Hijack Android Phones Remotely


Beware! If you are using UC Browser on your smartphones, you should consider uninstalling it immediately.

Why? Because the China-made UC Browser contains a “questionable” ability that could be exploited by remote attackers to automatically download and execute code on your Android devices.

Developed by Alibaba-owned UCWeb, UC Browser is one of the most popular mobile browsers, specifically in China and India, with a massive user base of more than 500 million users worldwide.

According to a new report published today by security firm Dr. Web, since at least 2016 UC Browser for Android has had a “hidden” feature that allows the company to download new libraries and modules from its servers at any time and install them on users’ mobile devices.

Pushing Malicious UC Browser Plug-ins Using MiTM Attack

What’s worrisome? It turns out that the reported feature downloads new plugins from the company server over insecure HTTP protocol instead of encrypted HTTPS protocol, thus allowing remote attackers to perform man-in-the-middle (MiTM) attacks and push malicious modules to targeted devices.

uc browser hack

“Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification,” the researchers say.

“Thus, to perform an MITM attack, cybercriminals will only need to hook the server response from http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb, replace the link to the downloadable plug-in and the values of attributes to be verified, i.e., MD5 of the archive, its size, and the plug-in size. As a result, the browser will access a malicious server to download and launch a Trojan module.”
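The quoted attack works because every value the browser checks (the download link, the MD5 and the size) arrives over the same unauthenticated HTTP response the attacker rewrites, so a self-consistent forgery passes. The following Go program is an added illustration, not code from the article, Dr. Web or UCWeb: it models the MD5-plus-size check beside a manifest that is signed under a key pinned in the client (Ed25519 here, chosen for this example), replays the rewrite the researchers describe, and shows which check still accepts the swapped archive. The Manifest field names and the archive bytes are constructed for the example and say nothing about UC Browser's real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest carries the three values the article says the updater compares:
// the download link, the MD5 of the archive and its size. The field names are
// an assumption for this example, not UC Browser's real update format.
type Manifest struct {
	URL  string `json:"url"`
	MD5  string `json:"md5"`
	Size int    `json:"size"`
}

// md5Matches is the weak check: it only proves the archive is the one the
// manifest describes. Whoever can rewrite the manifest can rewrite both.
func md5Matches(m Manifest, archive []byte) bool {
	sum := md5.Sum(archive)
	return hex.EncodeToString(sum[:]) == m.MD5 && len(archive) == m.Size
}

// manifestBytes is the canonical encoding that gets signed; encoding/json
// emits struct fields in declaration order, so it is stable.
func manifestBytes(m Manifest) []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return b
}

// signManifest runs on the vendor's release infrastructure, never on the client.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, manifestBytes(m))
}

// verifyUpdate is the hardened check: the manifest must verify under a public
// key pinned in the client before its MD5 and size are trusted at all.
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, archive []byte) bool {
	if !ed25519.Verify(pub, manifestBytes(m), sig) {
		return false
	}
	return md5Matches(m, archive)
}

// Outcome reports what each check decides for the genuine and the tampered update.
type Outcome struct {
	GenuineAccepted       bool // signed manifest accepts the real archive
	WeakAcceptsTampered   bool // MD5+size alone accepts the attacker's archive
	StrongAcceptsTampered bool // signed manifest accepts the attacker's archive
}

// scenario replays the MiTM the researchers describe: the link, MD5 and size
// in the manifest are all rewritten to match a replacement archive.
func scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed genuine plug-in archive") // constructed sample
	gsum := md5.Sum(genuine)
	m := Manifest{URL: "http://vendor.invalid/plugin.zip", MD5: hex.EncodeToString(gsum[:]), Size: len(genuine)}
	sig := signManifest(priv, m)

	evil := []byte("constructed replacement archive") // constructed sample
	esum := md5.Sum(evil)
	tampered := Manifest{URL: "http://attacker.invalid/plugin.zip", MD5: hex.EncodeToString(esum[:]), Size: len(evil)}

	return Outcome{
		GenuineAccepted:       verifyUpdate(pub, m, sig, genuine),
		WeakAcceptsTampered:   md5Matches(tampered, evil),
		StrongAcceptsTampered: verifyUpdate(pub, tampered, sig, evil),
	}
}

func main() {
	o := scenario()
	fmt.Printf("genuine update accepted: %v\n", o.GenuineAccepted)
	fmt.Printf("MD5+size only, tampered accepted: %v\n", o.WeakAcceptsTampered)
	fmt.Printf("signed manifest, tampered accepted: %v\n", o.StrongAcceptsTampered)
}
```

The point the run makes is that the hash check is not wrong, it is simply checking the wrong thing: it binds the archive to the manifest, not the manifest to the vendor. Transport encryption (HTTPS with a properly validated certificate) would have stopped the on-path rewrite; a signed manifest additionally survives a compromised or spoofed update server, which is the supply-chain scenario discussed further down.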


In a PoC video shared by Dr. Web, the researchers demonstrated how they were able to replace the plug-in used to view PDF documents with malicious code via a MiTM attack, forcing UC Browser to open a new text message for composition instead of opening the file.

“Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions,” researchers explain.

“For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.”

UC Browser Violates Google Play Store Policies

Since the ability allows UCWeb to download and execute arbitrary code on users’ devices without shipping a full new version of the UC Browser app, it also violates Play Store policy by bypassing Google’s servers.

“This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources,” the researchers say.

“These rules were applied to prevent the distribution of modular trojans that download and launch malicious plugins.”

This dangerous feature has been found in both UC Browser and UC Browser Mini, with all versions affected, including the latest versions of the browsers released to date.

Dr. Web responsibly reported their findings to the developer of both UC Browser and UC Browser Mini, but they refused even to provide a comment on the matter. It then reported the issue to Google.

At the time of writing, UC Browser and UC Browser Mini are “still available and can download new components, bypassing Google Play servers,” researchers say.

Such a feature can also be abused in supply chain attack scenarios where the company’s servers get compromised, allowing attackers to push malicious updates to a large number of users at once—just like we recently saw in the ASUS supply chain attack that compromised over 1 million computers.

So, users are left with just one choice to make… get rid of it until the company patches the issue.


Severe Flaws in SHAREit Android App Let Hackers Steal Your Files


Security researchers have discovered two high-severity vulnerabilities in the SHAREit Android app that could allow attackers to bypass the device authentication mechanism and steal files containing sensitive data from a victim’s device.

With over 1.5 billion users worldwide, SHAREit is a popular file sharing application for Android, iOS, Windows and Mac that has been designed to help people share video, music, files, and apps across various devices.

With more than 500 million users, the SHAREit Android app was found vulnerable to an authentication bypass flaw in its file transfer service and an arbitrary file download vulnerability, according to a blog post RedForce researchers shared with The Hacker News.

The vulnerabilities were initially discovered more than a year ago, in December 2017, and fixed in March 2018, but the researchers decided not to disclose the details until Monday “given the impact of the vulnerability, its big attack surface and ease of exploitation.”

“We wanted to give as many people as we can the time to update and patch their devices before disclosing such critical vulnerability,” said Abdulrahman Nour, a security engineer at RedForce.

How Does SHAREit Transfer Files?

A SHAREit instance hosts multiple services on different ports of a device; the researchers analyzed two of them: the Command Channel (port 55283) and the Download Channel (port 2999).

The Command Channel is a regular TCP channel over which the app exchanges messages with SHAREit instances running on other devices using raw socket connections, covering device identification, file transmission requests, and connection health checks.

Download Channel is the SHAREit application’s own HTTP server implementation which is mainly used by other clients to download shared files.

According to the researchers, when you use the SHAREit Android app to send a file to the other device, a regular file transfer session starts with a regular device identification, then the ‘sender’ sends a control message to the ‘receiver,’ indicating that you have a file to share.

Once the ‘receiver’ verifies that the file is not duplicate, it goes to Download Channel and fetches the sent file using information from the previous control message.

Hackers Can Access Your Files Using SHAREit Flaws

However, the researchers discovered that when a user with no valid session tries to fetch a non-existent page, instead of a regular 404 page the SHAREit app responds with an empty page and a 200 status code, and adds the user to its recognized devices, effectively authenticating an unauthorized user.

According to the researchers, a fully functional proof-of-concept exploit for this SHAREit flaw would be as simple as curl http://shareit_sender_ip:2999/DontExist, making it the weirdest and simplest authentication bypass ever.


Researchers also found that when a download request is initiated, SHAREit client sends a GET request to the sender’s HTTP server, which looks like the following URL:

http://shareit_sender_ip:2999/download?metadatatype=photo&metadataid=1337&filetype=thumbnail&msgid=c60088c13d6

Since the SHAREit app fails to validate the ‘msgid’ parameter—a unique identifier generated for each request when the sender initiates a download—this enables a malicious client with a valid session to download any resource by directly referencing its identifier.
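The two flaws are a pair of classic server-side mistakes: a catch-all route that has a side effect (the unknown path both returns 200 and creates a session) and a download endpoint that trusts a client-supplied identifier without checking that it was ever issued to that client (an insecure direct object reference). The Go program below is an added example, not SHAREit's code or RedForce's PoC: it models the Download Channel's per-sender state as the article describes it, with the reported behaviour beside a hardened handler in which unknown paths are a side-effect-free 404 and a download is served only for a msgid the sender actually announced to that client, for that file, once. The type layout, file keys and client addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// response is the minimal HTTP result the handler produces.
type response struct {
	Status int
	Body   []byte
}

// downloadChannel models the per-sender state of SHAREit's HTTP download
// service as the article describes it. The layout is an assumption made for
// this example, not SHAREit's real implementation.
type downloadChannel struct {
	recognized map[string]bool   // client address -> authenticated via Command Channel
	pending    map[string]string // msgid announced to a client -> "client:fileKey" it may fetch
	files      map[string][]byte // file key (metadataid) -> content
}

func newChannel() *downloadChannel {
	return &downloadChannel{
		recognized: map[string]bool{},
		pending:    map[string]string{},
		files: map[string][]byte{ // constructed sample files
			"1337":    []byte("shared photo thumbnail"),
			"history": []byte("SHAREit history database"),
		},
	}
}

// offer records that the sender announced file `key` to `client` under a
// fresh msgid on the Command Channel; the receiver may then fetch exactly that.
func (c *downloadChannel) offer(client, msgid, key string) {
	c.recognized[client] = true
	c.pending[msgid] = client + ":" + key
}

// handleVulnerable reproduces the two behaviours the researchers reported.
func (c *downloadChannel) handleVulnerable(client, rawURL string) response {
	u, err := url.Parse(rawURL)
	if err != nil {
		return response{Status: 400}
	}
	if u.Path != "/download" {
		// Flaw 1: an unknown path yields an empty 200 and the caller is
		// added to the recognized devices, i.e. authenticated.
		c.recognized[client] = true
		return response{Status: 200}
	}
	if !c.recognized[client] {
		return response{Status: 403}
	}
	// Flaw 2: msgid is never checked, so any file key the client names is served.
	body, ok := c.files[u.Query().Get("metadataid")]
	if !ok {
		return response{Status: 404}
	}
	return response{Status: 200, Body: body}
}

// handleHardened: unknown paths are a plain 404 with no side effects, and a
// download is served only for a msgid the sender issued to this client, for
// the file it was issued for, and only once.
func (c *downloadChannel) handleHardened(client, rawURL string) response {
	u, err := url.Parse(rawURL)
	if err != nil {
		return response{Status: 400}
	}
	if u.Path != "/download" {
		return response{Status: 404}
	}
	if !c.recognized[client] {
		return response{Status: 403}
	}
	q := u.Query()
	msgid, key := q.Get("msgid"), q.Get("metadataid")
	if c.pending[msgid] != client+":"+key {
		return response{Status: 403} // msgid unknown, for another client, or for another file
	}
	delete(c.pending, msgid) // single use
	body, ok := c.files[key]
	if !ok {
		return response{Status: 404}
	}
	return response{Status: 200, Body: body}
}

func main() {
	const stranger = "192.0.2.10" // constructed address with no session
	v := newChannel()
	r1 := v.handleVulnerable(stranger, "http://sender:2999/DontExist")
	r2 := v.handleVulnerable(stranger, "http://sender:2999/download?metadatatype=db&metadataid=history&filetype=file&msgid=bogus")
	fmt.Printf("vulnerable: probe=%d, then arbitrary file=%d (%q)\n", r1.Status, r2.Status, r2.Body)

	h := newChannel()
	r3 := h.handleHardened(stranger, "http://sender:2999/DontExist")
	r4 := h.handleHardened(stranger, "http://sender:2999/download?metadataid=history&msgid=bogus")
	fmt.Printf("hardened: probe=%d, then arbitrary file=%d\n", r3.Status, r4.Status)
}
```

Two design points carry the fix: authentication state must only ever be created by the Command Channel handshake, never as a by-product of serving a request, and the msgid has to be treated as a capability bound to one client and one resource rather than as an opaque correlation id. Neither change alters the happy path the article describes (identify, announce, fetch).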

The flaws could be exploited by an attacker on a shared Wi-Fi network, and unfortunately vulnerable SHAREit versions create an easily recognizable open Wi-Fi hotspot, which can be used not only to intercept traffic between the two devices (since it uses HTTP) but also to exploit the discovered vulnerabilities and gain unrestricted access to the vulnerable device’s storage.

Since exploitation simply involves sending a curl command referencing the path of the target file, one should know the exact location of the file one would like to retrieve.

To overcome this, researchers started looking for files with known paths that are already publicly available, including SHAREit History and SHAREit MediaStore Database, which may contain interesting information.

“There are other files that contain juicy information such as user’s Facebook token, Amazon Web Service user’s key, auto-fill data and cookies of websites visited using SHAREit webview and even the plaintext of user’s original hotspot (the application stores it to reset the hotspot settings to original values) and much more,” researchers said.

Using their proof-of-concept exploit, dubbed DUMBit!, the researchers managed to download nearly 3,000 unique files totalling around 2 GB in less than 8 minutes of a file transfer session.

The team contacted the SHAREit Team multiple times over multiple platforms in early January 2018 but got no response until early February, when the researchers warned the company that they would release the vulnerability details to the public after 30 days.

The SHAREit team silently patched the vulnerabilities in March 2018, without providing researchers with exact patched versions of the Android app, vulnerability CVE IDs or any comments for the public disclosure.

“Communication with SHAREit team was not a good experience at all; not only did they take too long to respond to our messages, they also were not cooperative by any means, and we did not feel that our work or efforts were appreciated at all,” researchers said.

After giving enough time to users to update their SHAREit app, researchers have now released technical details of the vulnerabilities, along with the PoC exploit, DUMBit!, which can be downloaded from the GitHub website.

The vulnerabilities affect the SHAREit for Android application <= version 4.0.38. If you haven't yet, you should update your SHAREit app from Google Play Store as soon as possible.


First Android Clipboard Hijacking Crypto Malware Found On Google Play Store


A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users.

The malware, described as a “Clipper,” masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post.

Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out.

The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users’ cryptocurrency.

To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node.

Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and is not yet launched on any mobile app stores.

However, Stefanko spotted the malicious MetaMask app on Play Store targeting users who want to use the mobile version of the service by changing their legitimate cryptocurrency wallet address to the hacker’s own address via the clipboard.


As a result, users who intended to transfer funds into a cryptocurrency wallet of their choice would instead make a deposit into the attacker’s wallet address pasted by the malicious app.

“Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” Stefanko said.

“Android Clipper targeted Bitcoin and Ethereum cryptocurrency addresses when being copied into the clipboard and replaced them with the attacker’s wallet address. Once this transaction is sent, it cannot be canceled.”

Stefanko spotted the malicious MetaMask app, which he believes was the first Android Trojan Clipper to be discovered on Play Store, shortly after its introduction to the app store on February 1.

Google took down the malicious app almost immediately after being notified by the researcher.

While the bitcoin price has dropped steadily since hitting its all-time high in December 2017, there is no reduction (in fact, a rise) in the cryptocurrency scandals, thefts, and scams that continue to plague the industry.

Just last week, The Hacker News reported how customers of the largest Canadian bitcoin exchange QuadrigaCX lost $145 million in cryptocurrency after the sudden death of its owner who was the only one with access to the company’s cold (offline) storage wallets. However, some users and researchers are suggesting the incident could be an exit scam.


Android Phones Can Get Hacked Just by Looking at a PNG Image


Using an Android device?

Beware! You have to be more cautious when opening an image file on your smartphone—whether downloaded from anywhere on the Internet or received through messaging or email apps.

Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three newly-discovered critical vulnerabilities that affect millions of devices running recent versions of Google’s mobile operating system, ranging from Android 7.0 Nougat to its current Android 9.0 Pie.

The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have been patched in Android Open Source Project (AOSP) by Google as part of its February Android Security Updates.

However, since not every handset manufacturer rolls out security patches every month, it’s difficult to determine whether your Android device will get these security patches anytime soon.

Although Google engineers have not yet revealed any technical details explaining the vulnerabilities, the updates mention fixing “heap buffer overflow flaw,” “errors in SkPngCodec,” and bugs in some components that render PNG images.

According to the advisory, one of the three vulnerabilities, which Google considered to be the most severe one, could allow a maliciously crafted Portable Network Graphics (.PNG) image file to execute arbitrary code on the vulnerable Android devices.

As Google says, “the most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.”

A remote attacker can exploit this vulnerability just by tricking users into opening a maliciously crafted PNG image file (which is impossible to spot with the naked eye) on their Android devices sent through a mobile message service or an email app.

Including these three flaws, Google has patched a total of 42 security vulnerabilities in its mobile operating system, 11 of which are rated critical, 30 high and one moderate in severity.

The technology giant stressed that it has no reports of active exploitation or in the wild abuse of any of the vulnerabilities listed in its February security bulletin.

Google said it has notified its Android partners of all vulnerabilities a month before publication, adding that “source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours.”


Google Makes 2 Years of Android Security Updates Mandatory for Device Makers


When it comes to security updates, Android is a real mess.

Even after Google timely rolls out security patches for its Android platform, a major part of the Android ecosystem remains exposed to hackers because device manufacturers do not deliver patches regularly and on a timely basis to their customers.

To deal with this issue, Google at its I/O Developer Conference in May 2018 revealed the company’s plan to update its OEM agreements to require Android device manufacturers to roll out security updates regularly.

Now, a leaked, unverified copy of a new contract between Google and OEMs obtained by The Verge reveals some terms of the agreement that device manufacturers have to comply with, or otherwise lose their Google certification for upcoming Android devices.

Google’s New Terms for Android Security Updates

According to the leaked contract, Android OEMs will now be required to regularly roll out security updates for popular devices—launched after January 31st, 2018 and activated by more than 100,000 users—for at least two years.

The Android device makers are mandated to release “at least four security updates” in the first year following a smartphone’s launch, but for the second year, the number of updates is unspecified.

Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days.

In other words, the minimum requirement of the contract is a security patch update every quarter.

A Google spokesperson says that the 90-day requirement is “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”

As of now, the authenticity of the new Android partner contract is not verified, but the new changes made by Google will definitely have a massive impact on the overall state of Android security and benefit millions of Android users.

In separate news, Google last week announced its plans to charge a licensing fee to European Android phone manufacturers who want to include the Play Store, Gmail, YouTube, Maps, and Chrome on their Android handsets, apps that otherwise come free with the Android OS.

You can read more about it in our previous article published here.
