now browsing by tag


Track Your Teen’s Online Activities by Installing Android Spyware | #predators | #childpredators | #kids | #parenting | #parenting | #kids

Explore how to track your child’s online activities using android spyware. We have come up with potential cyber dangers and an ultimate solution to survive in the internet world, which […] View full post on National Cyber Security

#mobilesecurity | #android | #iphone | Trusted Platform Module (TPM) Market Growth Insight Analysis 2020-2026 – Cole Reports | #cybersecurity | #informationsecurity

Source: National Cyber Security – Produced By Gregory Evans

The “Trusted Platform Module (TPM) Market” research report enhanced worldwide Coronavirus COVID19 impact analysis on the market size (Value, Production and Consumption), splits the breakdown (Data Status 2014-2020 and 6 Year Forecast From 2020 to 2026), by region, manufacturers, type and End User/application. This Trusted Platform Module (TPM) market report…

The post #mobilesecurity | #android | #iphone | Trusted Platform Module (TPM) Market Growth Insight Analysis 2020-2026 – Cole Reports appeared first on .

Source link
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The post #mobilesecurity | #android | #iphone | Trusted Platform Module (TPM) Market Growth Insight Analysis 2020-2026 – Cole Reports | #cybersecurity | #informationsecurity appeared first on National Cyber Security.

View full post on National Cyber Security

#mobilesecurity | #android | #iphone | Israel to cease using mobile phone tracking to monitor Covid-19 patients | #cybersecurity | #informationsecurity

Source: National Cyber Security – Produced By Gregory Evans


The ministerial committee in charge of combating Covid-19 decided on Monday not to submit to a parliamentary vote a bill authorizing the continued use of phone surveillance technologies by the Israel Security Agency, also known as Shin Bet, to track suspected Covid-19 cases.   The bill is still…

The post #mobilesecurity | #android | #iphone | Israel to cease using mobile phone tracking to monitor Covid-19 patients appeared first on .


Source link
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The post #mobilesecurity | #android | #iphone | Israel to cease using mobile phone tracking to monitor Covid-19 patients | #cybersecurity | #informationsecurity appeared first on National Cyber Security.

View full post on National Cyber Security

You Can Now Run Android on an iPhone With ‘Project Sandcastle’

Source: National Cyber Security – Produced By Gregory Evans

Not happy with your expensive iPhone and wondered if it’s possible to run any other operating system on your iPhone, maybe, how to install Android on an iPhone or Linux for iPhones?

Android phones can be rooted, and iPhones can be jailbroken to unlock new features, but so far, it’s been close to impossible to get Android running on iPhones, given the mobile device hardware constraints and software limitations.

However, it’s now possible to smoothly run Android on an iPhone—thanks to a new initiative, dubbed Project Sandcastle.

Undertaken by cybersecurity startup Corellium, Project Sandcastle is the consequence of a 13-year-long developmental effort to port Android to iOS and as well as demonstrate that Apple’s much-vaunted security barriers can indeed be compromised.

“Where sandboxes set limits and boundaries, sandcastles provide an opportunity to create something new from the limitless bounds of your imagination,” the project website says. “The iPhone restricts users to operate inside a sandbox. But when you buy an iPhone, you own the iPhone hardware.”

“Android for the iPhone gives you the freedom to run a different operating system on that hardware. Android for the iPhone has many exciting practical applications, from forensics research to dual-booting ephemeral devices to combatting e-waste.”

For now, only a handful of devices, the iPhone 7, the iPhone 7 Plus, and the iPod Touch, are capable of running a customized version of Android, which comes installed with OpenLauncher and the secure Signal messaging app.

Even then, there’re a lot of restrictions, including no support for audio output, cellular modem, Bluetooth, and camera, to name a few, as shown in the chart below.

All of this is only to say that Project Sandcastle is very much a work in progress.

The hack makes use of semi-tethered Checkra1n jailbreak to bypass restrictions, which is based on the checkm8 unpatchable bootrom exploit that makes it possible to gain deeper access to iOS.

It was initially released last November and works on the iPhone 5s to iPhone X, running iOS 12.3 and newer versions.

install android on iphone

Jailbreaking — similar to rooting on Google’s Android — is a process to escalate privileges that allows iOS users to remove software restrictions imposed by Apple, thereby making it possible to bypass the company’s walled garden to add apps and other functions, including those from unofficial app stores.

The practice, it is to be noted, also voids your device’s warranty, as it’s a violation of Apple’s End User License Agreement that you agree to every time you purchase a new iPhone.

Furthermore, due to the inherent security risks involved, Apple has steadily imposed a hardware and software lockdown of its ecosystem and made it deliberately difficult to jailbreak devices.

Furthermore, jailbreaks tend to be very specific, and very much dependent on the phone and iOS version, in order for them to be successfully replicated.

The only problem is that Checkra1n is just a temporary jailbreak, and will get wiped out once the phone reboots.

While the jailbreak at first was only possible through macOS, it gained Linux support last month, opening up the possibility of performing a jailbreak via non-Apple devices.

Thus, using the checkra1n jailbreak exploit, the Correlium team found that it’s even possible to install a semi-working version of Android on an iPhone. The result is almost equivalent to running a temporary OS on your iPhone.

Correlium’s Project Sandcastle comes as Apple sued the company last year for alleged copyright infringement by selling iOS and device virtualization software, including virtual versions of iOS devices running what Apple calls unauthorized copies of iOS.

The development also follows Apple’s announcement last year that it will distribute special iPhones with root access that are less restrictive than their consumer counterparts for security research as part of a new iOS Security Research Device program.

While Project Sandcastle is a huge achievement, it goes without saying that jailbreaking and rooting devices come with their own risks.

The efforts are on to expand the project to the other iPhones included in the jailbreak. You can give the beta a shot by following the instructions here.

The Original Source Of This Story: Source link

The post You Can Now Run Android on an iPhone With ‘Project Sandcastle’ appeared first on National Cyber Security.

View full post on National Cyber Security

Data Encryption on Android with Jetpack Security

Source: National Cyber Security – Produced By Gregory Evans

Posted by Jon Markoff, Staff Developer Advocate, Android Security

Illustration by Virginia Poltrack

Have you ever tried to encrypt data in your app? As a developer, you want to keep data safe, and in the hands of the party intended to use. But if you’re like most Android developers, you don’t have a dedicated security team to help encrypt your app’s data properly. By searching the web to learn how to encrypt data, you might get answers that are several years out of date and provide incorrect examples.

The Jetpack Security (JetSec) crypto library provides abstractions for encrypting Files and SharedPreferences objects. The library promotes the use of the AndroidKeyStore while using safe and well-known cryptographic primitives. Using EncryptedFile and EncryptedSharedPreferences allows you to locally protect files that may contain sensitive data, API keys, OAuth tokens, and other types of secrets.

Why would you want to encrypt data in your app? Doesn’t Android, since 5.0, encrypt the contents of the user’s data partition by default? It certainly does, but there are some use cases where you may want an extra level of protection. If your app uses shared storage, you should encrypt the data. In the app home directory, your app should encrypt data if your app handles sensitive information including but not limited to personally identifiable information (PII), health records, financial details, or enterprise data. When possible, we recommend that you tie this information to biometrics for an extra level of protection.

Jetpack Security is based on Tink, an open-source, cross-platform security project from Google. Tink might be appropriate if you need general encryption, hybrid encryption, or something similar. Jetpack Security data structures are fully compatible with Tink.

Key Generation

Before we jump into encrypting your data, it’s important to understand how your encryption keys will be kept safe. Jetpack Security uses a master key, which encrypts all subkeys that are used for each cryptographic operation. JetSec provides a recommended default master key in the MasterKeys class. This class uses a basic AES256-GCM key which is generated and stored in the AndroidKeyStore. The AndroidKeyStore is a container which stores cryptographic keys in the TEE or StrongBox, making them hard to extract. Subkeys are stored in a configurable SharedPreferences object.

Primarily, we use the AES256_GCM_SPEC specification in Jetpack Security, which is recommended for general use cases. AES256-GCM is symmetric and generally fast on modern devices.

val keyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

For apps that require more configuration, or handle very sensitive data, it’s recommended to build your KeyGenParameterSpec, choosing options that make sense for your use. Time-bound keys with BiometricPrompt can provide an extra level of protection against rooted or compromised devices.

Important options:

  • userAuthenticationRequired() and userAuthenticationValiditySeconds() can be used to create a time-bound key. Time-bound keys require authorization using BiometricPrompt for both encryption and decryption of symmetric keys.
  • unlockedDeviceRequired() sets a flag that helps ensure key access cannot happen if the device is not unlocked. This flag is available on Android Pie and higher.
  • Use setIsStrongBoxBacked(), to run crypto operations on a stronger separate chip. This has a slight performance impact, but is more secure. It’s available on some devices that run Android Pie or higher.

Note: If your app needs to encrypt data in the background, you should not use time-bound keys or require that the device is unlocked, as you will not be able to accomplish this without a user present.

// Custom Advanced Master Key
val advancedSpec = KeyGenParameterSpec.Builder(
    KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
).apply {
    setUserAuthenticationValidityDurationSeconds(15) // must be larger than 0
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {

val advancedKeyAlias = MasterKeys.getOrCreate(advancedSpec)

Unlocking time-bound keys

You must use BiometricPrompt to authorize the device if your key was created with the following options:

  • userAuthenticationRequired is true
  • userAuthenticationValiditySeconds > 0

After the user authenticates, the keys are unlocked for the amount of time set in the validity seconds field. The AndroidKeystore does not have an API to query key settings, so your app must keep track of these settings. You should build your BiometricPrompt instance in the onCreate() method of the activity where you present the dialog to the user.

BiometricPrompt code to unlock time-bound keys

// Activity.onCreate

val promptInfo = PromptInfo.Builder()
    .setDescription("Would you like to unlock this key?")

val biometricPrompt = BiometricPrompt(
    this, // Activity

private val authenticationCallback = object : AuthenticationCallback() {
        override fun onAuthenticationSucceeded(
            result: AuthenticationResult
        ) {
            // Unlocked -- do work here.
        override fun onAuthenticationError(
            errorCode: Int, errString: CharSequence
        ) {
            super.onAuthenticationError(errorCode, errString)
            // Handle error.

To use:

Encrypt Files

Jetpack Security includes an EncryptedFile class, which removes the challenges of encrypting file data. Similar to File, EncryptedFile provides a FileInputStream object for reading and a FileOutputStream object for writing. Files are encrypted using Streaming AEAD, which follows the OAE2 definition. The data is divided into chunks and encrypted using AES256-GCM in such a way that it’s not possible to reorder.

val secretFile = File(filesDir, "super_secret")
val encryptedFile = EncryptedFile.Builder(
    .setKeysetAlias("file_key") // optional
    .setKeysetPrefName("secret_shared_prefs") // optional

encryptedFile.openFileOutput().use { outputStream ->
    // Write data to your encrypted file

encryptedFile.openFileInput().use { inputStream ->
    // Read data from your encrypted file

Encrypt SharedPreferences

If your application needs to save Key-value pairs – such as API keys – JetSec provides the EncryptedSharedPreferences class, which uses the same SharedPreferences interface that you’re used to.

Both keys and values are encrypted. Keys are encrypted using AES256-SIV-CMAC, which provides a deterministic cipher text; values are encrypted with AES256-GCM and are bound to the encrypted key. This scheme allows the key data to be encrypted safely, while still allowing lookups.

).edit {
    // Update secret values

More Resources

FileLocker is a sample app on the Android Security GitHub samples page. It’s a great example of how to use File encryption using Jetpack Security.

Happy Encrypting!

Source link

The post Data Encryption on Android with Jetpack Security appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | The ProtonVPN Android app is now available on GitHub

Source: National Cyber Security – Produced By Gregory Evans

The ProtonVPN APK is now available to download on GitHub. This makes it easy to download and install ProtonVPN on your Android device even in authoritarian countries where our website is blocked. 

Download ProtonVPN APK on GitHub

Countries including China, Russia, and Iran often block the Google Play Store and our website. However, they rarely block GitHub, a well-known and trusted open source repository. Going forward, all our Android updates will also be shared on GitHub. Making our app open source and placing it on GitHub helps ensure you will be able to access ProtonVPN no matter where you are.

If the Play Store is available in your country, it remains the easiest way to download the ProtonVPN app. You can find links to all our apps on the ProtonVPN download page.

What is an APK?

APK stands for Android Package file. As the name suggests, it contains the code of an app that was designed to run on the Android operating system. Most people never come into contact with APKs because they install all their apps via the Google Play Store, which handles the app installation process automatically.

How to install an APK

When you download an APK, your Android will automatically recognize it, which means you should be able to open it simply by tapping on the icon. However, just like running an unknown .EXE file can put your computer at risk, installing an unknown APK file can compromise your Android device. You should only install APK files from verified, trusted sources. 

For this reason, most Android devices will not let you install downloaded APKs by default. 

Here’s how to bypass this default setting. Note: The titles of these menus and options may vary slightly, depending on your device.

  1. Go to Settings and tap on Security
  2. In the Android Security Settings menu, you will see an option that says Unknown Sources with a checkbox next to it. If it is empty, that means your device will not execute an APK that did not come from the Play Store. Tap the empty box to allow unknown APKs. 
  3. Your device will then show you a disclaimer that you alone are responsible for any damage an APK does to your device. Tap OK

Once this is done, you are ready to install the ProtonVPN APK. Once you download it on your device, you can find the APK file in your Download folder. Once you find the ProtonVPN APK, simply tap it to begin the installation process.

More transparent, more resistant to censorship

Maintaining our apps as open source software is a priority for us. By conducting an independent audit and sharing our code, we are shining a light on how our apps work so that users can verify it for themselves. 

Serving people who live under repressive regimes is a crucial aspect of our mission. In the coming year, we plan to add new features that will help users sign in and use our app even if their government is blocking our services. We also plan to add more of our apps to GitHub, as well as to other app repositories (including F-Droid), to make our service even more widely available — and harder to block.

Thank you for supporting our mission.

Best Regards,
The ProtonVPN Team

You can follow us on social media to stay up to date on the latest ProtonVPN releases:

Twitter | Facebook | Reddit | Instagram
To get a free ProtonMail encrypted email account, visit:

The post The ProtonVPN Android app is now available on GitHub appeared first on ProtonVPN Blog.

*** This is a Security Bloggers Network syndicated blog from ProtonVPN Blog authored by Richie Koch. Read the original post at:

Source link

The post #cybersecurity | #hackerspace |<p> The ProtonVPN Android app is now available on GitHub <p> appeared first on National Cyber Security.

View full post on National Cyber Security

Android Malware for Mobile Ad Fraud Spiked Sharply …

Source: National Cyber Security – Produced By Gregory Evans

Some 93% of all mobile transactions across 20 countries were blocked as fraudulent, Upstream says.

Criminal groups are increasingly targeting users of Android mobile devices with malware for conducting ad fraud on a massive scale.

Mobile security vendor Upstream this week said that in 2019 it identified as many as 98,000 malicious Android apps and 43 million infected Android devices across the 20 countries where mobile operators currently use its technology. The numbers are up sharply from 2018 when Upstream recorded some 63,000 apps and 30 million infected devices.

A startling 32% of the top 100 most active malicious Android apps that Upstream blocked in 2019 were available for download on Google’s Google Play mobile app stores. Many of them still are, according to Upstream. Another 19% of the most worst-offending malicious Android apps were also on Google Play but have been removed, the vendor noted.

More than nine out of 10 — or 1.6 billion of the 1.71 billion mobile transactions that Upstream’s security platform processed last year — were blocked for being fraudulent. If those transactions had been allowed, the total cost to end users in fraudulent charges would have topped $2.1 billion, Upstream said in a report. In Egypt, 99% of the mobile transactions that Upstream’s platform handled were fraudulent.

Android is the most targeted mobile OS because of how widely it is used and also because the operating system is open and therefore more vulnerable, says Dimitris Maniatis, CEO at Upstream. 

Android is a favorite playground for bad actors, especially in the case of low-end devices, he says. “Users should have a heightened awareness of any preinstalled apps that come bundled with their device and pay attention to the mobile data usage by each,” Maniatis says. “Organizations should have measures in place to check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.”

Upstream’s analysis of 2019 data shows that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Some 23% of the malicious Android ads that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment/lifestyle and shopping apps, communications and social apps, and music and audio and video players.

The top most downloaded malicious Android apps in 2019, according to Upstream, were Ai.type (an emoji keyboard), video downloader Snaptube, file-sharing app 4shared, video streaming and downloading app VidMate, and weather app The top five apps alone have been downloaded some 700 million times. The top 100 malicious Android apps combined have been downloaded more than 8 billion times, Maniatis says.

In the US, the worst offenders, according to Upstream, were Free Messages, Video, Chat,Text for Messenger Plus; GPS Speedometer; QVideo, EasyScanner; and WhoUnfriendedMe.

A Stealthy Menace
In many cases, malicious apps do the function they are purportedly designed to do. For example, a weather app might forecast weather but in the background also carry out a variety of malicious activity without the user knowing a thing.

Malware for mobile ad fraud can visit websites and view and click on banner ads, make purchases, mimic a real user going through a subscription process, or deliver bogus ads to the device without the user being aware of the activity. The goal is to generate revenue for the malware author in different ways, including via payouts for fraudulent traffic and ad clicks.

Often such rogue apps can remain on a device for a long time because the malicious activity is only happening in the background. In some cases, the apps change their name after being downloaded or don’t have an icon to locate them easily.

“Losses from online, mobile, and in-app advertising reached $42 billion in 2019 and are expected to reach $100 billion by 2023, according to Juniper research published last May,” Maniatis says. “Considering that fraudsters operate at scale and can simultaneously target millions, tens of millions, or even hundreds of millions of devices in one hit, the means to stop them in their tracks need to likewise operate at scale.”

A vast majority of the victims are users of Android phones, especially in countries including Brazil, Egypt, Indonesia, South Africa, and Ethiopia.

While detecting malicious mobile apps can be difficult, there are often some indicators — like a constantly drained battery, an overheated device, or high data charges. User ratings and reviews are also sometimes a good indicator of an apps quality, though not always.

The most downloaded malicious Android apps, for instance, all had good reviews and high rating, but only because of a carpet bombing of fake reviews, says Maniatis. “The only way to get around this currently is to scroll enough and see genuine negative reviews from real users,” he says.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights

Source link

The post Android Malware for Mobile Ad Fraud Spiked Sharply … appeared first on National Cyber Security.

View full post on National Cyber Security

#nationalcybersecuritymonth | Security lifeline: WhatsApp to pull support for older Android and iOS devices next month

Source: National Cyber Security – Produced By Gregory Evans

Upgrade or be left behind

ANALYSIS Millions of smartphone users may have a little less mobile security next month, after WhatsApp withdraws its support for older versions of Android and iPhone operating systems.

Devices running on iOS 8 and earlier, or Android versions 2.3.7 and earlier, will no longer receive updates from the free messaging service, with app features expected to deprecate on these systems from February 1.

“WhatsApp for iPhone requires iOS 9 or later,” WhatsApp said in a recent statement on its website.

“On iOS 8, you can no longer create new accounts or reverify existing accounts.

“If WhatsApp is currently active on your iOS 8 device, you’ll be able to use it until February 1, 2020.”

According to the UK’s National Cyber Security Centre, a security vulnerability is much more likely to be exploited on end-of-life devices that run unsupported software.

The damage that these issues can cause also increases, with attackers finding an easy target in technology where the only fix available is to upgrade to patch supported hardware or operating system.

The general functionality of the retired product tends to break, as well.

“We don’t explicitly restrict the use of jailbroken or unlocked devices,” WhatsApp said.

“However, because these modifications might affect the functionality of your device, we can’t provide support for devices using modified versions of the iPhone’s operating system.”

There is no industry standard as to when to end support for dated versions of an app or software. The decision is largely decided in the boardrooms of tech conglomerates, and generally viewed as a balancing act between consumer market share, cost, and security.

In order to keep on top of the software lifecycle, consumers are often required to upgrade their hardware. In the case of Apple, iOS 13 – the latest version of its mobile OS – is only compatible with the iPhone 6S and above.

At the other end of the spectrum, iOS 8, Apple’s eighth major operating system released in 2014, receives only minimal third-party application support.

“Of course Apple wants us to upgrade to their latest and greatest iPhones and MacBooks,” Patrick Wardle, Mac security expert and creator of the infosec blog and security toolkit site Objective-See, told The Daily Swig last year.

“But from a security point of view (versus just a consumer/marketing point of view), there is no denying that the latest version of their software and hardware (for example devices) are often far more secure than their predecessors,” Wardle said.

“Users should really upgrade to newer versions,” he added.

Read the latest mobile security news and breaches

This is an ongoing game for consumers, and indeed businesses, to have a healthy level of security and rid themselves of, what is known in the industry, as technical debt – the migration away from Windows 7 is one example.

Affordability can outweigh the guarantee of vendor support, however, which illustrates the reality of many individuals who lose the security guarantee that comes alongside regular patches on compatible hardware.

While there are no official statistics related to the version types of mobile ownership, Angela Siefer, executive director of the US non-profit National Digital Inclusion Alliance (NDIA), says it’s safe to assume that those in low income brackets are less likely to be using the latest devices.

The most vulnerable populations are put at even more risk, she says.

“The situation with WhatsApp is definitely alarming, but it’s also not surprising,” Siefer told The Daily Swig.

“As technology keeps innovating there is going to continue to be people left behind, and society needs to figure out how to support those folks as technology moves forward.”

The NDIA works to address affordability issues related to internet access and ownership of digital devices. Part of that mandate is education, where security, in particular, needs to move outside the tech industry bubble in order to reach individuals who may not realize that their software needs fixes.

“They’re [consumers] not reading tech blogs, they’re probably not reading anything about WhatsApp, they’re just frustrated because now it [WhatsApp] doesn’t work anymore,” Siefer said.

There are certain cases where tech companies or software vendors provide extended support for their products, whether in full due to their popularity or through open sourcing specific applications, as the case with the iPhone.

But these third-party applications fall few and far between, and some, including Paul Roberts, founder of the right to repair infosec group Securepairs, believing legislation should compel companies to release unsuppoprted software into the public domain.

“So, in the context of WhatsApp, open source discontinued versions of the app and put it on GitHub,” Roberts told The Daily Swig.

“That way, technically minded users can pick up where the company left off: making a ‘public’ version of the app that will continue to work on older phones and tablets.”

WhatsApp deciding to make versions of iOS and Android obsolete follows a move to end its support for all Windows phones at the beginning of the year, similar to one taken by parent company Facebook in April 2019, which sunset Facebook, Messenger, and Instagram apps for users of the limited Microsoft smartphone.

WhatsApp is currently one of the most popular chat apps for smartphones operated in 2017 by an approximate 1.5 billion consumers across the globe.

The company did not reply to The Daily Swig’s request for comment about how many people use its service on the soon-to-be out-of-date operating system, but as Facebook, and other tech giants, continue to gain a foothold in emerging markets, consumer desire to hold onto older devices may drive the industry to rethink the end-of-life ecosystem.

RELATED Apple pulls U-turn on right to repair

Source link

The post #nationalcybersecuritymonth | Security lifeline: WhatsApp to pull support for older Android and iOS devices next month appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | hacker | Two information-disclosing bugs found in Twitter Android

Source: National Cyber Security – Produced By Gregory Evans In the span of five days, reports of two Twitter Android app vulnerabilities have surfaced: one that could cause attackers to view nonpublic account information or control accounts, and another that reportedly allowed a researcher to look up details on 17 million accounts. In a Dec. […] View full post on

New Flaw Lets Rogue Android Apps Access Camera Without Permission

Source: National Cyber Security – Produced By Gregory Evans

hacking android camera apps

An alarming security vulnerability has been discovered in several models of Android smartphones manufactured by Google, Samsung, and others that could allow malicious apps to secretly take pictures and record videos — even when they don’t have specific device permissions to do so.

You must already know that the security model of the Android mobile operating system is primarily based on device permissions where each app needs to explicitly define which services, device capabilities, or user information it wants to access.

However, researchers at Checkmarx discovered that a vulnerability, tracked as CVE-2019-2234, in pre-installed camera apps on millions of devices could be leveraged by attackers to bypass such restrictions and access device camera and microphone without any permissions to do so.

How Can Attackers Exploit the Camera App Vulnerability?

The attack scenario involves a rogue app that only needs access to device storage (i.e., SD card), which is one of the most common requested permissions and does not raise any suspicion.

According to researchers, by merely manipulating specific “actions and intents,” a malicious app can trick vulnerable camera apps into performing actions on behalf of the attacker, who can then steal photos and videos from the device storage after being taken.

Since smartphone camera apps already have access to required permissions, the flaw could allow attackers to indirectly and surreptitiously take photos, record videos, eavesdrop on conversations, and track location — even if the phone is locked, the screen is off, or the app is closed.

“After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so,” Checkmarx wrote in a blog post published today.

“Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.”

To demonstrate the risk of the vulnerability for Android users, the researchers created a proof-of-concept rogue app masqueraded as an innocent weather app that only asks for the basic storage permission.

The PoC app came in two parts — the client app running on an Android device and an attacker’s controlled command-and-control (C&C) server that the app creates a persistent connection to so that closing the app did not terminate the server connection.

The malicious app designed by the researchers was able to perform a long list of malicious tasks, including:

  • Making the camera app on the victim’s phone to take photos and record videos and then upload (retrieve) it to the C&C server.
  • Pulling GPS metadata embedded into photos and videos stored on the phone to locate the user.
  • Waiting for a voice call and automatically recording audio from both sides of the conversation and video from the victim’s side.
  • Operating in stealth mode while taking photos and recording videos, so no camera shutter sounds for alerting the user.

The malicious app implemented the wait for a voice call option via the phone’s proximity sensor that can sense when the phone is held to the victim’s ear.

Web Application Firewall

Researchers have also published a video of successfully exploiting the vulnerabilities on Google Pixel 2 XL and Pixel 3 and confirmed that the vulnerabilities were relevant to all Google phone models.

Vulnerability Disclosure and Patch Availability

The Checkmarx research team responsibly reported their findings to Google in early July with the PoC app and a video demonstrating an attack scenario.

Google confirmed and addressed the vulnerability in its Pixel line of devices with a camera update that became available in July, and contacted other Android-based smartphone OEMs in late August to inform them about the issue, which the company rated as “High” in severity.

However, Google did not disclose the names of the affected manufacturers and models.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” Google said.

“The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

Also Read: Over 1,300 Android Apps Caught Collecting Data Even If You Deny Permissions

Checkmarx also reported the vulnerability to Samsung that affected its Camera app. Samsung confirmed and fixed the issue in late August, although it wasn’t revealed when the company patched the flaw.

“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly,” Samsung said.

To protect yourself from attacks surrounding this vulnerability, ensure you are running the latest version of the camera app on your Android smartphone.

Besides this, you are also recommended to run the latest version of the Android operating system and regularly update apps installed on your phone.

The Original Source Of This Story: Source link

The post New Flaw Lets Rogue Android Apps Access Camera Without Permission appeared first on National Cyber Security.

View full post on National Cyber Security