Technology

A Malware Can Bypass ‘2FA’ In ‘Android’ Phones, Researchers Found

It runs through an app impersonating a Turkish crypto exchange app.

Researchers found the first ever malware to bypass Google's new 2FA policy.
The malware is impersonating a Turkish crypto exchange. Photo: Eduardo Woo | Flickr | CC BY 2.0

A few weeks after Google confirmed that malware had been pre-installed on some low-end Android devices, a team of researchers found malware that can be downloaded from the Google Play Store and can bypass sophisticated security firewalls.

The cybersecurity researchers from We Live Security by ESET found that specific applications downloadable from the Google Play Store can circumvent Google’s new restriction and bypass two-factor authentication to access one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions. Evidence also revealed that the malware could even access OTPs from some emails.

In March 2019, Google restricted SMS and Call Log permissions in Android apps, a move that helps prevent credential-stealing apps from having the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.

Two-factor authentication adds a layer of security for users: the system does not allow access to a service just because the correct login credentials were entered. The 2FA sends a one-time password via email or SMS to the owner of the device to validate whether the login is authentic and legitimate.

First malware to sidestep Google’s SMS restrictions

Now, malware has found a way to circumvent Google’s security features. According to the researchers, the app impersonates a cryptocurrency exchange from Turkey, BtcTurk, and phishes for login credentials to the service.

“Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device’s display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening,” wrote the researchers in a security warning post.

They also added that this is the first documented malware to circumvent the new SMS restrictions.
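On Android, an app can only read and dismiss other apps' notifications after the user grants it notification access, so that grant is the thing to audit on a device. The following is an added example, not code from the researchers or from the original article: it parses the `enabled_notification_listeners` secure setting and reports packages that hold the grant unexpectedly or gained it between two snapshots. The sample value, the package names and the `EXPECTED` allowlist are constructed assumptions.

```python
"""Audit notification access from the enabled_notification_listeners setting."""

# Constructed sample of the value printed by:
#   adb shell settings get secure enabled_notification_listeners
# (':'-separated "package/class" components; all names here are made up).
SAMPLE_SETTING = (
    "com.example.wearcompanion/.NotificationBridge:"
    "com.example.exchange.beta/com.example.exchange.beta.NotifyService"
)

# Assumption: packages this device's owner expects to hold notification access.
EXPECTED = {"com.example.wearcompanion"}


def parse_listeners(setting_value):
    """Return [(package, full_class_name)] parsed from the raw setting value."""
    value = (setting_value or "").strip()
    if value in ("", "null"):  # `settings get` prints "null" when unset
        return []
    listeners = []
    for component in value.split(":"):
        component = component.strip()
        if not component:
            continue
        package, sep, cls = component.partition("/")
        if not (sep and package and cls):
            raise ValueError(f"malformed component: {component!r}")
        if cls.startswith("."):  # short form: class is relative to the package
            cls = package + cls
        listeners.append((package, cls))
    return listeners


def unexpected_listeners(setting_value, expected):
    """Packages holding notification access that are not on the expected list."""
    return sorted({pkg for pkg, _ in parse_listeners(setting_value)
                   if pkg not in expected})


def new_grants(before_value, after_value):
    """Packages that gained notification access between two snapshots."""
    before = {pkg for pkg, _ in parse_listeners(before_value)}
    after = {pkg for pkg, _ in parse_listeners(after_value)}
    return sorted(after - before)


if __name__ == "__main__":
    for pkg in unexpected_listeners(SAMPLE_SETTING, EXPECTED):
        print("review notification access for:", pkg)
```
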

There are different apps available in the Google Play Store that house this malware. The first is “BTCTurk Pro Beta” under the developer name “BTCTurk Pro Beta,” which already had 50 downloads before the team reported the security threat to Google.

Photo: We Live Security by ESET

The second app was uploaded on June 11, 2019, as “BtcTurk Pro Beta” under the developer name “BtSoft.” While the first two apps analyzed by the researchers appear to have the same guise, the team believes that they came from two different attackers.

The malware is evolving

However, amidst the reports made by the team, the attackers seemed to be very persistent in their operations. “After this second app was removed, the same attackers uploaded another app with identical functionality, this time named “BTCTURK PRO” and using the same developer name, icon and screenshots. We reported the app on June 13, 2019,” said the researchers.

The team suspects that the attacks have been evolving as similar apps were observed and reported a few weeks back.

“Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but cannot dismiss and silence notifications.”

Photo: We Live Security by ESET

Analysis reveals that the fake Koineks app was developed by the same attackers behind the “BTCTurk Pro Beta” app, and shows that the cybercriminals are perfecting their malware.

“This shows that attackers are currently working on tuning this technique to achieve the “next best” results to stealing SMS messages,” they added.

Google confirmed malware was pre-installed in some devices

The announcement of this exploit came a few days after Google confirmed that some low-end Android devices come with pre-installed malware. In a press release, Google discussed in detail, for the first time, the malware called Triada, which the company confirmed has been pre-installed on several low-end Android devices, including Cherry Mobile, Leagoo, and Doogee. The malware, which was first discovered and published by Kaspersky Lab back in 2016, was already present on the affected devices before anyone bought them.

It was believed previously that the malware was added and installed to the affected devices at some point in the supply chain process. Now, Google has revealed that cybercriminals indeed managed to compromise Android smartphones and installed a backdoor while the supply chain process of the phones was underway.

A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama.

Google Hits Back: ‘We Do Not Work With The Chinese Military’

Google denies all allegations made by Peter Thiel.

Photo: Travis Wise | Flickr | CC BY 2.0

When White House Adviser and Facebook Board Member Peter Thiel suggested that Google should be investigated for its “treasonous” behavior, and for working with the Chinese military, President Donald Trump agreed.

But now, Google is hitting back at the allegations that the San Francisco-based tech superpower is working with China and its army. “As we have said before, we do not work with the Chinese military,” Google said in a statement shared with The Independent.

Earlier today, President Trump affirmatively responded to Thiel’s suggestion that the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA) should investigate Google for its refusal to work with the US Department of Defense, and over the accusation that the company has a relationship with its Asian counterpart.

In a Twitter storm, President Trump praised Peter Thiel, saying that he is a “great and brilliant guy who knows this subject better than anyone.” The American chief-of-staff also echoed the sentiments of Thiel and pronounced that the “Trump Administration will investigate.”

The allegations made by Thiel stem from a previous deal that Google backed out of. In 2018, Google decided to withdraw from a contract between the tech superpower and the U.S. Department of Defense for the development of artificial intelligence (AI) technology, citing specific ethical issues in the projects that it could not be involved in.

Thiel questions “how many foreign intelligence agencies have infiltrated your Manhattan Project for AI.” Furthermore, he also asked whether or not Google’s senior executives consider the possibility that the company has been infiltrated by foreign intelligence.

The “billionaire and tech businessman,” Thiel further questions if Google chose to work with the Chinese military instead of the US Department of Defense since “they are making the sort of bad, short-term rationalistic [decision] that if the technology doesn’t go out the front door, it gets stolen out the backdoor anyway?”

According to Axios’ report, there are no public documents that stipulate any infiltration by foreign intelligence of Google. However, they said that Thiel owns a company called Palantir, which works with the Trump Administration, and has access to millions worth of government data, including American private information. Nonetheless, it is still unclear if Thiel’s assertions are motivated by any personal and classified knowledge he drew from his relationship with the White House.

Trump vs. Google

Google and the White House having a beef against each other is not new. In fact, only recently, an exposé by the independent investigative journalist group, Project Veritas, alleges that several Google executives and senior employees have a political bias against President Trump and his administration.

A video released by Project Veritas, which has since been removed from the platform by YouTube, shows a senior employee at the company appearing to admit that the company plans to interfere in the next presidential election to stop Donald Trump.

The video is still available on the Project Veritas website and features undercover footage of a top Google employee, Jen Gennai, who argues that Google should not be broken up, since it still needs to stop the re-election of the President and only it can prevent the “next Trump situation.”

“Elizabeth Warren is saying we should break up Google. And like, I love her but she’s very misguided, like that will not make it better it will make it worse, because all these smaller companies who don’t have the same resources that we do will be charged with preventing the next Trump situation, it’s like a small company cannot do that,” Gennai appears to say in the video.

In the same video, Gennai also appears to declare that Trump’s victory in the 2016 elections “screwed us (Google).”

“We all got screwed over in 2016; again it wasn’t just us, it was, the people got screwed over, the news media got screwed over, like, everybody got screwed over, so we’re rapidly like, happened there and how do we prevent it from happening again,” she added.

“We’re also training our algorithms, like, if 2016 happened again, would we have, would the outcome be different?”

FCC Comm Geoffrey Starks Is Disappointed With How Carriers Move To Block Robocall By Default

Photo: FCC Website

A month after the Federal Communications Commission voted to allow telecom carriers and service providers to block spam calls and other forms of robocalls by default, the regulating body seems to be very disappointed with how telecom companies responded to the regulation.

In June, FCC Commissioner Geoffrey Starks sent letters to major telecom providers in the US to expedite their implementation of the new ruling and to come up with policies and features that would, once and for all, address the growing problem of robocalls in the U.S.

Today, the disappointed Commissioner published the responses of major telecom carriers to his letter, along with his public reply on how slowly the companies are implementing necessary improvements in their systems.

“I appreciate the timely responses to my letters. Transparency is critical to good policymaking, so I am publicly releasing the complete responses of the carriers – so that everyone can read their responses in their own words. Despite historically clamoring for new tools, it does not appear that all providers have acted with haste to deploy opt-out robocall blocking services,” said Commissioner Geoffrey Starks.

“The Commission spoke clearly: we expect opt-out call blocking services to be offered to consumers for free. Reviewing the substance of these responses, by and large, carriers’ plans for these services are far from clear,” he lamented.

In June 2019, Commissioner Starks voted on a Declaratory Ruling and Third Further Notice of Proposed Rulemaking that clarified that voice service providers could, without violating Commission rules, deploy call blocking offered to consumers by default on an informed opt-out basis. The action expressed the Commission’s expectation that these services would be offered to consumers for free and, at Commissioner Starks’ request, directed Commission staff to prepare reports on the state of deployment of robocall blocking tools, including whether fees are being charged for the services.

“The reports will be submitted to the Commission no later than 12 months, for the first report, and 24 months, for the second report, after the publication of the item in the Federal Register. Following the delivery of the first report, the Commission will assess whether consumers are being charged and if so, will seek comment on rules requiring providers that offer these services to do so for free,” says the statement from Commissioner Starks.

Furthermore, the Further Notice of Proposed Rulemaking would propose a safe harbor for providers that implement network-wide blocking of calls that fail caller authentication under the SHAKEN/STIR framework once it is implemented.

“Allowing call blocking by default could be a big benefit for consumers who are sick and tired of robocalls. By making it clear that such call blocking is allowed, the FCC will give voice service providers the legal certainty they need to block unwanted calls from the outset so that consumers never have to get them,” said Chairman Pai. “And, if this decision is adopted, I strongly encourage carriers to begin providing these services by default—for free—to their current and future customers. I hope my colleagues will join me in supporting this latest attack on unwanted robocalls and spoofing.”

In response to that order, Commissioner Starks asked 14 telecoms to inform the Commission of their plans to offer free robocall-blocking services by default.

Unwanted calls, including illegal robocalls, are the top consumer complaint at the FCC, with more than 200,000 received annually. Some private analyses estimate that U.S. consumers received approximately 2.4 billion robocalls per month in 2016. Advancements in technology make it cheap and easy to make robocalls and to “spoof” Caller ID information to hide the caller’s true identity.

Last week, telecom giant AT&T announced that it is blocking fraud robocalls by default at no extra charge. However, subsequent and more accurate blocking features come with a $4 monthly price tag.

The new anti-robocalling feature is an expansion of the existing AT&T program called Call Protect. New AT&T Mobility consumer lines will come with the anti-robocall service, and millions of existing AT&T customers will have it automatically added to their accounts over the coming months.

Other telecom companies also said they have made progress in relation to the FCC order, but Commissioner Starks’ message tells us that they are not doing the best that they can.

Meet ‘Agent Smith’: The New Wave Of Android Malware

It has already affected 25 million Android users globally.

Photo: rick | Flickr | CC BY 2.0

Android OS is known to be one of the most vulnerable operating systems. With its customization features and its wide array of compatible apps, malware and other malicious code can spread through Android devices with relative ease. This is highlighted by reports that a new wave of Android malware is creeping onto Android devices through malicious apps.

The malware, known as Agent Smith, has already affected more than 25 million Android users around the world. The sneaky malware, as explained by IT security company Check Point, “disguised as a Google-related application, and exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without users’ knowledge or interaction.”

While the researchers said that there is no evidence found that Agent Smith collects unauthorized data, the persistence of malware in a device is enough for some threat actors to exploit the Android vulnerability it creates.

According to the researchers, Android users will be unaware that Agent Smith malware has already infected their devices because there is no direct download for it. Instead, the malware code arrives after downloading games and other apps from a third-party marketplace.

The comprehensive research on the Agent Smith malware was conducted by Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, and Andrey Polkovnichenko from Check Point. According to the researchers, the malware strain works in three different phases.

Agent Smith attack flow. Photo: Check Point

The first phase involves a dropper app that lures victims to install itself voluntarily. The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files. Dropper variants are usually barely functioning photo utilities, games, or sex-related apps. “The dropper automatically decrypts and installs its core malware APK, which later conducts malicious patching and app updates. The core malware is usually disguised as Google Updater, Google Update for U, or “com.google.vending.” The core malware’s icon is hidden,” they said.

“The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update,” they added.

The “core” module contacts the C&C server, trying to get a fresh list of applications to search for, or if that fails, use a default app list:

  • WhatsApp
  • lenovo.anyshare.gps
  • mxtech.videoplayer.ad
  • jio.jioplay.tv
  • jio.media.jiobeats
  • jiochat.jiochatapp
  • jio.join
  • good.gamecollection
  • opera.mini.native
  • startv.hotstar
  • meitu.beautyplusme
  • domobile.applock
  • touchtype.swiftkey
  • flipkart.android
  • cn.xender
  • eterno
  • truecaller
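A device's package list can be triaged against the two indicators the article gives: the `com.google.vending` disguise and the default prey list. The following is an added example, not code from Check Point or from the original article. The prey-list entries are copied as the article prints them (partial names, so matching is by dotted segment), the `pm list packages` sample is constructed, and `com.android.vending` is the genuine Play Store package. A prey-list match only means the app is in scope for replacement and should have its signing certificate checked; the C&C server can also supply a different list.

```python
"""Triage `adb shell pm list packages` output against the article's indicators."""

# Default prey list exactly as printed in the article (entries are partial names).
PREY_LIST = [
    "WhatsApp", "lenovo.anyshare.gps", "mxtech.videoplayer.ad", "jio.jioplay.tv",
    "jio.media.jiobeats", "jiochat.jiochatapp", "jio.join", "good.gamecollection",
    "opera.mini.native", "startv.hotstar", "meitu.beautyplusme", "domobile.applock",
    "touchtype.swiftkey", "flipkart.android", "cn.xender", "eterno", "truecaller",
]

# Disguise named in the article for the core malware.
IMPOSTOR_PACKAGES = {"com.google.vending"}

# Constructed sample input, not taken from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending
package:com.google.vending
package:com.whatsapp
package:com.lenovo.anyshare.gps
package:com.example.notes
package:com.truecaller
"""


def parse_packages(pm_output):
    """Extract package names from 'package:<name>' lines, ignoring anything else."""
    names = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and len(line) > len("package:"):
            names.append(line[len("package:"):].split()[0])
    return names


def matches_prey(package, entry):
    """True if the entry's dotted segments appear contiguously in the package name."""
    p = package.lower().split(".")
    e = entry.lower().split(".")
    return any(p[i:i + len(e)] == e for i in range(len(p) - len(e) + 1))


def triage(pm_output):
    """Return impostor packages and installed apps whose signatures need checking."""
    packages = parse_packages(pm_output)
    impostors = sorted(p for p in packages if p in IMPOSTOR_PACKAGES)
    in_scope = sorted(p for p in packages
                      if any(matches_prey(p, e) for e in PREY_LIST))
    return {"impostors": impostors, "verify_signature": in_scope}


if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT))
```
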

According to researchers, the dropper app is distributed through a third-party app marketplace called “9Apps”, a UC team backed store, targeted mostly at Indian (Hindi), Arabic, and Indonesian users.

They also revealed that the malware seems to target mainly Indian users. However, reports from the US, Australia, and other regions show that the persistence of the malware is rather global.

“Agent Smith” droppers show a very greedy infection tactic. It’s not enough for this malware family to swap just one innocent application with an infected double. It does so for every app on the device as long as the package names are on its prey list,” the researchers explained.

“Over time, this campaign will also infect the same device, repeatedly, with the latest malicious patches. This leads us to estimate there to be over 2.8 billion infections in total, on around 25 Million unique devices, meaning that on average, each victim would have suffered roughly 112 swaps of innocent applications.”

The researchers said that while Agent Smith primarily exploits users by using financial ads, it has a plethora of implications, especially on how users are not usually aware that their devices are already infected. In the end, they said that fighting malicious actors in the Android ecosystem is a community effort.

“The “Agent Smith” campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time,” the researchers concluded.
