Android Security


Mobile Phone (iOS / Android) Attacks
Mobile phones are by far the most widely used computing devices today, yet their users are generally unaware of the cyber threats they face and rarely run any effective security tooling. That makes it comparatively easy for an attacker to compromise a large number of phones at once. A number of attacks against both Android and iOS devices have been reported in the recent past; a few of them are listed below:

Exodus
This spyware was a wake-up call for many mobile phone users. It was initially effective against Android only, but an iOS variant soon followed. It had been a concern on the Google Play Store for years, where several malicious apps carrying the spyware were listed, and security researchers faulted the ineffectiveness of Google Play's security screening of new apps. In April 2019 an iPhone version was found. Apple's App Store review is more stringent and can catch malware-carrying apps before they are published, but Exodus reached iPhone users through a less strict distribution channel: instead of listing the apps on the App Store, the operators distributed them outside it, signed with Apple Developer Enterprise Program certificates intended for in-house distribution, which Apple does not review or approve; users only had to follow a link and accept the installation prompt. The lure was apps that impersonated cellular carriers and promised quick and easy customer service. The spyware could collect user information, location, photos and chat messages, enough for the operators to open accounts in other people's names, an offence known as identity theft.

The malware was planted inside a promotion and marketing app purporting to come from local Italian mobile carriers, which was posted on the Google Play Store, as the screenshot below shows:

Figure 49: The malware in Google Play Store

Once installed, the app displayed the promised gift box with one small request, a "Device Check", supposedly needed to pick the right promotion for the victim:

Figure 50: Malware offering a promotion to the mobile phone owner

The spyware then collected basic identifiers such as the IMEI and phone number and sent them to its command-and-control (C2) server to validate the target and confirm the infection. After that it exfiltrated usage details, phone calls, photos and location, recorded the surroundings through the microphone (saved as 3gp audio files), took screenshots and sent GPS coordinates to the C2 server.

SensorID
In May 2019, researchers at the University of Cambridge disclosed an unconventional device-fingerprinting attack, SensorID, that works against both iOS and Android devices and could let a website track a device's browsing for prolonged periods. The researchers said that neither platform could be defended against it without changes by the device manufacturers. The fingerprint comes from the way manufacturers correct sensor error: most phones carry accelerometers and gyroscopes, which are not accurate straight off the assembly line, so the manufacturer measures each unit's error, calibrates the sensors and writes the per-device calibration data into the firmware. Because the calibration is unique to each device, it serves as a unique identifier. The calibration data is not protected: any website visited in the browser or any app installed on the phone can recover it from the sensor readings, without any permission prompt. All an attacker needs to do is read the data and derive an ID for the target's phone. Unlike browser-specific fingerprinting, SensorID survives factory resets, clearing cookies and switching browsers, which is what makes it so effective. There are concerns that the weakness may already have been exploited by state actors, hacking groups and advertising companies: at least 2,000 of the most-visited websites in the Alexa ranking were found to contain code that reads motion sensor data. Apple, whose devices were the most susceptible, fixed the flaw in iOS 12.2. Android phones were generally less susceptible because manufacturers expose the sensor data to apps and websites in different ways, but some, such as the Pixel 2 and 3, were as susceptible as iPhones, and no patch had been announced by the manufacturer. Owners of those phones cannot do anything themselves to protect their devices.

iPhone hack by Cellebrite
In 2016, an outside firm helped the FBI unlock the iPhone used by one of the San Bernardino shooters, after Apple refused to build a workaround that would let the agency make unlimited passcode attempts. In July 2019, the Israeli company Cellebrite took to Twitter to unveil solutions it said would let law enforcement agencies unlock and extract data from iOS and Android devices during investigations. The company said it had found an exploitable weakness that let it defeat the passcode protecting an iPhone's encrypted data and extract the contents of any iPhone, including app data such as chats, emails and attachments, and previously deleted data. Cellebrite stated that the services were only meant to help law enforcement agencies find incriminating evidence on suspects' phones by unconventional means; bear in mind, though, that Cellebrite cannot control how its customers use the product, however it would like it to be used.

The credibility of the flaw the company is said to be exploiting, and how long it will survive, have not been independently reported. Another company, Grayshift, had made similar claims in late 2018, but Apple quickly identified the flaw it was exploiting and blocked the technique entirely.

Man-in-the-disk
In August 2018, researchers reported a new class of attack, named man-in-the-disk, that could crash apps or even the phone. It exploits the insecure way app developers use external storage together with how the Android OS treats it. External storage (an SD card or, on most modern phones, the emulated /sdcard partition) is regarded as a shared resource, so Android does not give it the sandbox protection that internal storage enjoys. Data an app keeps in internal storage is accessible only to that app; data on external storage is readable and writable by any app holding the storage permission. Apps nevertheless use external storage regularly, for example to stage downloads and updates.

The Android documentation states that an app reading data from external storage should treat it as it would input from any untrusted source and validate it. However, when researchers analyzed a number of apps, including some built by Google itself, they found that these guidelines were not being followed, exposing a very large number of Android users to the attack. A malicious app with the storage permission can eavesdrop on and manipulate sensitive data on external storage before the intended app reads it, watch how data moves between an app and external storage, and tamper with it to make the app misbehave. Exploitation ranges from denial of service, where the attacker crashes the target app or the phone, to code execution in the privileged context of the attacked app (by replacing a library or other code file the app loads from external storage), to covert installation of apps. For instance, the Xiaomi browser was observed downloading its new versions to the user's SD card before updating, so an attacker could simply swap the genuine APK for a malicious one and the browser would install it. Xiaomi confirmed that it would fix the flaw in its app. The broader lesson is that OS vendors must provide better protection for external storage; Android 10 introduced and Android 11 enforces scoped storage, which removes the blanket read/write access, but app-level validation of anything read from shared storage remains necessary.
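The update flow just described is the clearest way to see the bug, so here is an added example, written for this page and not code from the book, from Xiaomi or from the researchers, of a hypothetical self-updater in both forms. The class name UpdateInstaller, the FileProvider authority "<applicationId>.fileprovider", the assumption of minSdk 28 and the REQUEST_INSTALL_PACKAGES permission are all assumptions of this example. The hardened version moves the staging file into app-private internal storage (so no other app can swap it after the check), verifies a pinned SHA-256 over the bytes on disk and insists that the APK carries the running app's own signing certificate before the system installer is invoked.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.net.Uri;
import android.os.Environment;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical self-updater (example code, not from any real app). Assumes minSdk 28,
// the REQUEST_INSTALL_PACKAGES permission, and an androidx FileProvider declared in the
// manifest with authority "<applicationId>.fileprovider" whose <paths> cover both
// the Downloads directory and the app's files directory.
public final class UpdateInstaller {
    private static final String APK_MIME = "application/vnd.android.package-archive";

    // VULNERABLE: the update is staged on shared external storage and installed as-is.
    // Any app with the storage permission can overwrite update.apk between the download
    // and the install, and the package installer will install whatever is there.
    public static void installUpdateUnsafe(Context ctx, String updateUrl) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        File staged = new File(dir, "update.apk");
        download(updateUrl, staged);
        launchInstaller(ctx, staged);          // no integrity or origin check at all
    }

    // HARDENED: stage in internal storage (sandboxed, so no other app can swap the file
    // after we check it), verify a digest pinned in the app or fetched over an
    // authenticated channel, and require our own signing certificate on the APK.
    public static void installUpdateSafe(Context ctx, String updateUrl, byte[] pinnedSha256)
            throws IOException, NoSuchAlgorithmException {
        File staged = new File(ctx.getFilesDir(), "update.apk");   // app-private storage
        download(updateUrl, staged);
        if (!sha256Matches(staged, pinnedSha256)) {
            staged.delete();
            throw new SecurityException("update rejected: digest mismatch");
        }
        if (!signedWithOurCertificate(ctx, staged)) {
            staged.delete();
            throw new SecurityException("update rejected: unexpected signing certificate");
        }
        launchInstaller(ctx, staged);
    }

    // Streams the file through SHA-256 and compares in constant time.
    static boolean sha256Matches(File f, byte[] expected)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return MessageDigest.isEqual(md.digest(), expected);
    }

    // True only if the staged APK has our package name and exactly the signing
    // certificates of the currently installed app.
    static boolean signedWithOurCertificate(Context ctx, File apk) {
        PackageManager pm = ctx.getPackageManager();
        try {
            PackageInfo ours = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNING_CERTIFICATES);
            PackageInfo theirs = pm.getPackageArchiveInfo(apk.getAbsolutePath(),
                    PackageManager.GET_SIGNING_CERTIFICATES);
            if (theirs == null || theirs.signingInfo == null
                    || !ctx.getPackageName().equals(theirs.packageName)) {
                return false;
            }
            Signature[] a = ours.signingInfo.getApkContentsSigners();
            Signature[] b = theirs.signingInfo.getApkContentsSigners();
            return Arrays.equals(a, b);    // Signature.equals compares the certificate bytes
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    static void download(String url, File dest) throws IOException {
        try (InputStream in = new URL(url).openStream();
             FileOutputStream out = new FileOutputStream(dest)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }

    // Hands the file to the system installer through a content:// URI.
    static void launchInstaller(Context ctx, File apk) {
        Uri uri = FileProvider.getUriForFile(ctx, ctx.getPackageName() + ".fileprovider", apk);
        Intent install = new Intent(Intent.ACTION_INSTALL_PACKAGE)
                .setDataAndType(uri, APK_MIME)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(install);
    }
}
```

The order of the checks matters: the digest is verified over the same file the installer later reads, and that file lives in a directory only this app can write to, so there is no window in which another app can swap it. Running the same checks on a file left on external storage would still lose the race, because the installer re-reads the path after the check.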

Spearphone (loudspeaker data capture on Android)
In July 2019, a new Android attack was disclosed that lets an attacker eavesdrop on voice calls, specifically when the phone is in loudspeaker mode. The attack is ingenious in that it needs no permission from the user: it uses the phone's accelerometer, a motion sensor that any installed app can read without asking. The accelerometer detects slight movements such as a tilt or a shake, and when a call is played through the loudspeaker the phone's reverberations are reliably captured by it. That data can be sent to a remote server and processed with machine learning to reconstruct the incoming audio stream from the caller. Besides voice calls, Spearphone can spy on voice notes and multimedia content played without headphones. The researchers confirmed that it was possible to reconstruct speech played through a phone's speaker, in particular from voice assistants such as Google Assistant or Bixby. This shows the lengths attackers are willing to go to for sensitive data. There could be many malicious apps using this technique, and they would be hard to detect, since accelerometer access requires no permission and is common among legitimate apps.

Tap n Ghost
In June 2019, security researchers presented a concerning attack against NFC-enabled Android phones. It starts by booby-trapping surfaces on which people regularly put their phones down, such as restaurant tables and public charging stations, with tiny embedded NFC readers/writers and a touchscreen disruptor. In the first phase, a phone placed on the rigged surface comes within range of the NFC tags. A feature of NFC is that a tag can make the phone open a specific website in its browser without the user's intervention, so the researchers pointed it at a malicious JavaScript page that profiled the phone, again without the user's knowledge. Having learned properties such as the model and OS version, the attacker triggers a specially crafted NFC pop-up asking the user for permission to connect to a Wi-Fi access point or pair with a Bluetooth device. Many users will try to cancel such a request, which is where the second phase comes in: the touchscreen disruptor generates an electric field over the screen that scatters touch events, so that a touch on one part of the screen is registered elsewhere, turning the Cancel button into Connect. The user believes they have refused the connection, but has in fact allowed the device to join the attacker's Wi-Fi access point, from which further attacks to steal sensitive data or plant malware can follow. The researchers who demonstrated the attack called on device manufacturers to provide better security for NFC and to shield touchscreens against signal manipulation.

iOS Implant Teardown
Google's Project Zero team discovered that a number of websites popular with iOS users had been compromised and were serving iOS zero-day exploit chains to every visitor, a watering hole attack of the kind discussed earlier. Simply visiting one of those sites was enough to get hacked. The implant installed by the exploit chains focuses on stealing files and uploading them to a server under the attackers' control. It can steal WhatsApp, Telegram, Apple iMessage and Google Hangouts conversations, e-mails sent from the device, contacts and photos, and can track the victim via real-time GPS; in short, it sees everything the victim does. Below is a screenshot of how the implant steals WhatsApp data. You can read more about the implant in the Further Reading section.

Figure 55: Displays how the chat from WhatsApp can be sent out

Red and Blue Team Tools for Mobile Devices
In this section we will cover some tools that can be used by security teams regardless of their colour (Red, Blue or Purple). Let's start:

Snoopdroid
Snoopdroid is a Python utility that extracts all the Android applications installed on a device connected to your computer over USB debugging (adb), so that you can look them up in VirusTotal and Koodous to identify potentially malicious applications.

Figure 51: Snoopdroid

You can download it from https://github.com/botherder/snoopdigg/blob/master/README.md

Androguard
Androguard is a reverse-engineering framework for Android, also written in Python, that performs static analysis of APKs (DEX code, manifest and permissions) and can be used to check installed applications for malware. It includes other useful features such as "diff", which compares two versions of an application and has been used to measure the effectiveness of obfuscators such as ProGuard and DexGuard.

The Androguard diff lets you compare two builds of the same application to see whether it has been modified.

Figure 52: Androguard checking if the application has any modifications

You can download the tool here: https://github.com/androguard/androguard

Frida
Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers. It lets you hook into a running application, inject JavaScript, and view or modify requests and responses at run time. Frida also supports jailbroken iOS devices, although, like most iOS red/blue team tools, it did not support the very latest iOS release at the time of writing. With a Frida script you can hook an app's jailbreak-detection routines and make them report a clean device. Below is a screenshot from a jailbroken device on which the jailbreak detector was fooled this way.

Figure 53: Frida jailbreak check result

You can download Frida and learn more about it on its website: https://www.frida.re/docs/ios/

Cycript
Cycript allows developers to explore and modify running applications on iOS or macOS; it also runs standalone on Android and Linux, where it provides access to Java, but without injection. It uses a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.

Figure 54: Cycript options in macOS

To get Cycript: http://www.cycript.org

In this section we covered some mobile attack and defence tools, which brings us also to the end of this chapter.

Summary
Armed with enough information from the reconnaissance phase, hackers have an easier time finding the right attacks to compromise systems. This chapter has looked at several methods hackers use to attack computing devices. In many instances, vulnerabilities have been the primary means of breaching otherwise secured systems, and zero-day vulnerabilities have been particularly effective: they have no existing patch, which makes it significantly harder to secure a targeted system. An alarming number of zero-day vulnerabilities have been discovered thanks to the efforts of security researchers, hackers and state agencies to find exploitable flaws in systems. This chapter looked at the WhatsApp vulnerability of May 2019, which let attackers install spyware on a device with a simple voice call; all they had to do was manipulate data packets to carry the spyware to the recipient's device. Another zero-day was observed in Google Chrome, where a buffer overflow let attackers escape the sandbox and execute arbitrary code on the device. The chapter also highlighted a Windows 10 privilege-escalation zero-day that abused the Windows Task Scheduler to give attackers admin-level privileges, and a related vulnerability that exploited a null pointer dereference to the same end.

A lot more focus has been paid to mobile phones. While they are the most widespread computing devices, they are also the least secured, which gives hackers a large number of easily exploitable targets. Malicious actors had previously focused mainly on computers, but the most recently discovered attacks and attack tools show that they now target iOS and Android phones just as much. In 2019, the Exodus spyware reached iPhone devices for the first time after its operators pushed it through unconventional channels, getting users to install infected apps distributed outside the App Store. In May the same year, an unconventional device-fingerprinting attack called SensorID was discovered; it reads sensor calibration data from a device and uses it as a unique identifier. In July the same year, an Israeli company advertised its iPhone hacking services, promising law enforcement agencies access to any locked iPhone. In August, a man-in-the-disk attack was discovered that allows malicious apps to read and manipulate data on external storage intended for other apps, capitalizing on the weak protection of data stored there. Other attacks featured for 2019 are Spearphone, Tap n Ghost and the common WordPress backdoor problem, which requires continuous monitoring of all assets and awareness of attackers' phishing tactics. Spearphone lets malicious actors eavesdrop on calls, while Tap n Ghost lets attackers forcibly join NFC-enabled devices to rogue wireless networks.

As observed in this chapter, there has been an increase in the number of attack techniques that hackers can use. Unconventional techniques are being observed such as the spying of calls using reverberations recorded by accelerometers and reading calibration data to uniquely identify devices. The number of zero day vulnerabilities is also high. This shows that cyber attackers are making rather fast advancements at a pace that the cyber security industry is finding hard to keep up with.

The next chapter will be on lateral movement and will discuss the ways hackers move around a system once they have compromised it. The chapter will talk about how the attackers find their way to other parts of the system, how they avoid detection, and will then focus on the ways hackers perform lateral movement.

Further reading
Exodus: New Android Spyware Made in Italy https://securitywithoutborders.org/blog/2019/03/29/exodus.html

FireEye blog post about Commando VM https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html

Mobile and IoT threat report by SophosLabs https://nakedsecurity.sophos.com/2018/11/23/mobile-and-iot-attacks-sophoslabs-2019-threat-report/

MITRE ATT&CK framework https://attack.mitre.org/

Cross-site Scripting (XSS) https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Google Project Zero: iOS zero-days in the wild https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1

Hackers hid malware in CCleaner software https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security

Fair Use Source: Cybersecurity – Attack and Defense Strategies - Third Edition by Yuri Diogenes, Dr. Erdal Ozkaya, Packt Publishing, September 2022, 689 pages, https://learning.oreilly.com/library/view/cybersecurity-attack/9781803248776/text/ch007.xhtml#further-reading-2



© 2005 - 2024 Losang Jinpa or Fair Use.



android_security.txt · Last modified: 2022/08/01 16:37 by 127.0.0.1