AMSTERDAM – BLACK HAT EUROPE – Researchers have found a way to trick Android users into executing potentially malicious applications by hiding them inside innocent-looking image files.

Axelle Apvrille, mobile/IoT malware analyst and researcher at Fortinet, and Ange Albertini, reverse engineer and author of Corkami.com, have created an application that can be used to encrypt an APK to make it look like a PNG image file.

 In a real attack leveraging this method, the attacker sends an application containing an image to the potential victim. When the app is launched, the victim only sees the harmless-looking image. In the background however, a malicious payload is installed onto the victim’s Android device.

 In order to hide the installation of the malicious payload, the attacker can leverage the DexClassLoader constructor, the experts said.

According to the researchers, the method works on Android 4.4.2 and prior versions of the operating system. Google developed a fix for the flaw back in June, but Apvrille told SecurityWeek in an interview that the fix is incomplete. The researchers have informed Google of this and the company is now working on a more efficient fix.

How does it work?

The attacker writes his malicious payload and encrypts it to make it look like a valid PNG image file. The encryption is done with AngeCryption, an application developed by the researchers.

Controlling AES encryption can be a difficult task, but AngeCryption is designed to encrypt the APK so that Android doesn’t see any difference. Furthermore, the resulting image looks normal to users, except for the fact that it’s 500Kb in size, which is a bit much for a small resolution image.

The final step is to create a wrapping APK in which the malicious PNG is inserted, and then decrypted and installed.

When Android APKs are written, they must end with an End of Central Directory (EOCD) marker. The researchers managed to add their specially crafted PNG file to the APK by appending it after the first EOCD and adding a second EOCD at the end.

Tags:

• Mobile Security
• NEWS & INDUSTRY
• Malware

Researchers at Rapid7 have uncovered information disclosure issues in SNMP [Simple Network Management Protocol] on embedded devices that could cause them to leak authentication data.

The issues were reported last week as part of a talk at CarolinaCon. According to Rapid7‘s Deral Heiland, the problems were discovered in consumer-grade modems and a load balancer. The situation allows authentication data to be swiped by attackers via the read-only public SNMP community string. The problem was uncovered in the following devices: the Brocade ServerIron ADX 1016-2 PREM TrafficWork Version 12.500T40203 application load balancer; the Ambit U10C019 and Ubee DDW3611 series of cable modems; and the Netopia 3347 series of DSL modems.

“While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, the fact remains that these issues can be exploited to gain access to sensitive information,” blogged Heiland, senior security consultant at Rapid7. “In practice, the low-hanging fruit are often picked first. And with that, we have three new disclosures to discuss.”

“The first involves a Brocade load balancer (you might have one of these in your rack),” he noted. “The second and third involve some consumer-grade modems from Ambit (now Ubee) and Netopia (now Motorola). For the modem/routers, you might have one of these at a remote office, warehouse, guest wi-fi network, water treatment plant, etc. They are quite common in office and industrial environments where IT doesn’t have a strong presence. Shodan identifies 229,409 Ambit devices exposed to the internet, and 224,544 of the Netopia devices.”

Heiland uncovered the vulnerabilities with independent security researcher Matthew Kienow.

According to Heiland, the Brocade device stores username and passwords hashes within the SNMP MIB [Management Information Base] tables at the following OID Indexes:

• Username:            1.3.6.1.4.1.1991.1.1.2.9.2.1.1         
• Password hash:    1.3.6.1.4.1.1991.1.1.2.9.2.1.2

“The Brocade ServerIron load balancer has SNMP enabled by default,” he explained. “The community string “public” is configured by default. Unless SNMP is disabled, or the public community string is changed, an attacker can easily extract the passwords hashes for an offline brute force attack.”

The Ambit U10C019 and Ubee DDW3611 series of cable modems store the following information within the SNMP MIB tables at these OID [Object Identifier] Indexes:

 U10c019

• Username:             1.3.6.1.4.1.4684.2.17.1.2.1.1.97.100.109.105.110
• Password:              1.3.6.1.4.1.4684.2.17.1.1.1.2.97.100.109.105.110
• WEP Keys Index:   1.3.6.1.4.1.4684.2.14.2.5.1.2
• WPA PSK:             1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.6
• SSID:                     1.3.6.1.4.1.4684.2.14.1.2.0

DDW3611

• Username:            1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
• Password:            1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
• WEP Key Index:   1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12
• WPA PSK:           1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12
• SSID:                  1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12

SNMP is not enabled by default on these devices, blogged Heiland. However, a number of cable providers that utilize Ubee devices enable SNMP with the community string of “public” on the uplink side of the cable modem for remote management purposes, which makes it possible in those cases to enumerate this data over the Internet, he explained. 

In the case of the Netopia 3347 series of DSL modems, SNMP is enabled by default with the community string of ‘public’ on the internal interface. These devices store the following information with the SNMP MIB tables at the following OID indexes:

• WEP Keys Index:  1.3.6.1.4.1.304.1.3.1.26.1.15.1.3
• WPA PSK:             1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1
• SSID:                     1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1

“The DSL side is not enabled by default, but currently a number of DSL providers that still utilize the Netopia 3347 series devices enable SNMP with community string of public on the uplink side of the DSL for remote management purposes,” he blogged. 

This makes it possible to enumerate this data over the Internet, he explained. The modems that were tested are end-of-life, so it is unlikely that firmware updates will be released to address the defaults, he added.

“Of course, just because something is end-of-life doesn’t mean it disappears from the Internet — causal Shodan browsing attests to that,” he blogged. “Further, we cannot know if these configurations persist in current, supported offerings from the vendors, but you might want to check yours when you get a chance to download Metasploit.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

Researchers have reportedly found a vulnerability in a security system embedded in Samsung’s Galaxy S4 smartphone that could allow an attacker to steal data.

Security researchers at Ben-Gurion University of the Negev in Israel uncovered vulnerabilities in Samsung’s KNOX security solution. The findings were first reported by the Wall Street Journal, which noted that KNOX is currently being reviewed by the U.S. Department of Defense and other government agencies for potential use. Aimed at Google Android devices, KNOX includes the ability to enforce the separation of information through containerization as well as a secure boot and kernel monitoring capabilities.

According to researchers at BGU’s Cyber Security Labs, the issue makes interception of data communications between the secure container and the external world – including file transfers and emails – relatively easy.

“To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big ‘hole’ exists and was left untouched,” Ph.D. student Mordechai Guri said in a statement. “The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands. We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately.”  

Guri, who is part of a team of BGU researchers that focus on mobile security and other cyber-issues, uncovered the vulnerability while performing an unrelated research task. According to BGU, KNOX’s secure container is supposed to ensure that all data and communications that take place within the secure container are protected. Even a malicious application should attack an area outside the secure container all the protected data should be inaccessible under all circumstances.

However, researchers found that that is not the case.

“To solve this weakness, Samsung may need to recall their devices or at least publish an over the air software fix immediately,” said Dudu Mimran, chief technology officer of the BGU labs, in the statement. “The weakness found may require Samsung to re-think a few aspects of their secure architecture in future models.”

Samsung did not respond to a request for comment from SecurityWeek. However, the company told the Wall Street Journal that it was investigating the matter, and that preliminary investigation has found that the researchers’ work seems to be based on a device that was not equipped with features that a corporate client would use alongside Knox.

“Rest assured, the core Knox architecture cannot be compromised or infiltrated by such malware,” the Samsung spokesperson told the Wall Street Journal.

Tags:

• NEWS & INDUSTRY
• Vulnerabilities