Tag Archives: Security

Android Malware Alert

A report was just released regarding malware that targets Android, called Joker. This malware has been around since 2016, but it continues to be one of the major threats to Android devices. It can steal SMS messages, Contact lists, and device information. It can also sign up users for pricey subscription services such as Wireless Application Protocol (WAP) services. This malware gets added to applications that can be downloaded from the Google Play Store, and though Google has removed many of those apps, the malware keeps coming back. So how does it do what it does?

How it works

The apps that get the Joker malware are essentially “knock-offs” of legitimate apps that can fool people into downloading them. They do not directly contain the malware; instead, they contain what is called a “dropper”: code which, at some future time (days or weeks later), will contact a remote site and download the actual malware. This dropper code is heavily obfuscated in a variety of ways. Sometimes the code is AES encrypted; other times it masquerades as legitimate files that are common in other applications, such as JSON files and CSS. The download is frequently a *.dex file (Dalvik Executable), which is the native format now for Android applications. Joker can also use code injection to hide inside of legitimate third-party packages that reside on an Android phone, such as org.junit.internal, com.google.android.gms.dynamite, or com.unity3d.player.UnityProvider. The security research firm Zscaler issued the most recent report on this, and they explained some of the methods Joker uses to download the malware.
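
One defensive check that follows from the masquerading described above, as an added example that is not from the Zscaler report or any analysis tool: an APK is a zip, so a scanner can open it offline and flag an asset whose extension says JSON or CSS but whose bytes carry the DEX header, or whose entropy is far too high for text (a candidate for an AES-encrypted stager). The entropy threshold and the sample APK are constructed assumptions.

```python
import hashlib
import io
import math
import zipfile

DEX_MAGIC = b"dex\n"     # a DEX file starts with "dex\n" + version + NUL, e.g. b"dex\n035\x00"
HIGH_ENTROPY = 7.5       # assumed bits/byte threshold for "looks encrypted, not JSON/CSS"
ALREADY_DENSE = (".dex", ".so", ".png", ".jpg", ".webp", ".ttf")  # legitimately high entropy

def shannon_entropy(data):
    """Bits per byte; plain text is roughly 4-5, AES ciphertext or random data is near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(name, data):
    """Verdict for one archive entry."""
    if data.startswith(DEX_MAGIC) and not name.endswith(".dex"):
        return "dex-disguised"          # executable code under a non-code extension
    if (not name.endswith(ALREADY_DENSE) and len(data) >= 256
            and shannon_entropy(data) > HIGH_ENTROPY):
        return "high-entropy"           # candidate encrypted stager or payload
    return "ok"

def scan_apk(apk_bytes):
    """Return [(entry name, verdict)] for every entry that is not 'ok'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify(info.filename, zf.read(info.filename))
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings

def build_sample_apk():
    """Constructed in-memory APK: one benign asset, two suspicious ones, and a
    classes.dex in its normal place, which must not be flagged."""
    dex = b"dex\n035\x00" + b"\x00" * 100
    # Deterministic high-entropy bytes standing in for an AES-encrypted blob.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json", b'{"theme": "dark"}')
        zf.writestr("assets/theme.css", dex)      # DEX hiding behind a .css name
        zf.writestr("assets/data.json", blob)     # "JSON" that is really opaque bytes
        zf.writestr("classes.dex", dex)           # legitimate location, stays quiet
    return buf.getvalue()
```

Real apps ship legitimately compressed or binary assets, so treat a hit as a reason to look closer, not as a verdict on its own.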

Direct Download

In this scenario, a URL is hidden in the code via string obfuscation. This is a technique for hiding executable code by making it hard for the code to be detected. The Sucuri site gives the example of calling PHP to execute the commands where the functions are broken up into 2-3 character chunks, each chunk inside single quotes, and separated by periods. PHP will then join the chunks, remove the single quotes, and execute the function just created.
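
The chunked-string trick just described can be spotted mechanically. As an added example that is not from the Sucuri site or from any scanner product, this small Python checker reassembles every chain of single-quoted PHP chunks joined with periods and flags the ones that spell a function an analyst would want to see; the PHP sample and the watch list are constructed.

```python
import re

# Constructed PHP in the style described above: function names split into
# 2-3 character quoted chunks joined with '.'; the base64 string is a placeholder.
SAMPLE_PHP = """<?php
$x = 'ba'.'se6'.'4_'.'dec'.'ode';
$f = 'ev'.'al';
$f($x('cGxhY2Vob2xkZXI='));
echo 'hel'.'lo';
"""

# Names whose appearance as a reassembled chunk chain merits review.
SUSPICIOUS = {"eval", "base64_decode", "system", "exec", "shell_exec",
              "passthru", "assert", "create_function", "gzinflate", "str_rot13"}

# Two or more single-quoted chunks joined by '.', e.g. 'ev'.'al'
CHAIN_RE = re.compile(r"'([^'\\]*)'(?:\s*\.\s*'([^'\\]*)')+")
CHUNK_RE = re.compile(r"'([^'\\]*)'")

def find_chunked_strings(src):
    """Return (line_no, joined_string, is_suspicious) for each chunk chain found."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in CHAIN_RE.finditer(line):
            # The repeated group only keeps its last chunk, so re-extract them all.
            joined = "".join(CHUNK_RE.findall(m.group(0)))
            hits.append((lineno, joined, joined.lower() in SUSPICIOUS))
    return hits

def suspicious_names(src):
    """Sorted, de-duplicated list of watch-list names reassembled from chunk chains."""
    return sorted({name for _, name, flagged in find_chunked_strings(src) if flagged})
```

A benign chain such as 'hel'.'lo' is reported but not flagged, which keeps the output useful on code that concatenates strings for ordinary reasons.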

Once the URL has been “decoded”, the app contacts a Command and Control (C&C) server to get another URL, which points to the final download of the malware payload. The C&C server also supplies a JSON file that holds the configuration information for the final download. Once the JSON file is downloaded and processed, the final download takes place.

One-Stage Download

This variant downloads a stager payload first, which then leads to the final download. The URL for the stager payload is encoded using AES encryption. There are two varieties of stager payload that Zscaler has noted: either an APK file or a *.dex file. This stager is responsible for obtaining the URL for the final payload download. The stager is also responsible for executing the final payload.

Two-Stage Download

In this variant, the infected app executes code to contact the C&C server, which replies with a message carrying the URL for the first stager payload, hidden in the HTTP Location header. The first stager payload is downloaded and executed, which then downloads the second stager payload, which in turn contains the hard-coded URL for the final payload. That is then downloaded.

Final Payload

Regardless of the download method, the final payload of malware is the same. To begin with, it uses DES encryption for its C&C communications. And it uses string obfuscation techniques to hide all important strings.

If you want a more detailed description of all the things the final payload does, you can check this site using a browser that can translate from Chinese to English.

What can you do?

Given that this malware has been infecting apps in the Google Play Store for 5 years now, it does not seem like someone else is going to fix the problem. The Zscaler report says that Google has removed these apps, but cannot remove them from your phone if you had the misfortune to download one of them. Using an anti-malware app on your phone may help, but the techniques Joker uses to hide make it challenging to detect and remove.

Step one is to check if you have one of these apps and remove it manually from your phone. You can see the latest batch of 17 apps Zscaler found at this Web page. Once that is done, there are some common sense precautions you can take.

  • Be careful to only download and install apps that serve a genuine need. Downloading lots of apps willy-nilly will only increase your attack surface.
  • Carefully check the history of the app. If it is fairly new and has relatively few downloads, you should probably steer clear. Remember that Google does remove these apps from the Play Store as soon as they are aware of them, so they don’t tend to last long.
  • Stick with developers that have a good reputation and track record.
  • For apps you rarely use or haven’t used recently, consider uninstalling them. Remember it is about the size of the attack surface.
  • Pay attention to permissions. Every time you install an app, it asks you for permissions to do things. Most people just click OK without paying attention, and that is what malware authors rely on. If a solitaire app asks for permission to access your Contacts list and your SMS, you probably shouldn’t allow it.
  • Manage your existing permissions. A good thing Android 11 does is to allow you to remove permissions for apps you haven’t used in a while. You can read more about this and how to manage permissions in this TechRepublic article.


Hacked?

On Thursday evening, as I was having my dinner, my wife came in to tell me that my Facebook account was hacked and I should change my password. The evidence for this was that some other people that I was already friends with were getting friend requests that appeared to come from me. Now I have been on the other end of this many times, and didn’t give it a lot of thought. Other people getting hacked is not exactly news as far as I am concerned. It sucks for them, but nothing I need to get worked up about. But having it happen to me made me think a little harder.

The first thing that puzzled me is that I have enabled Two-Factor Authentication on my account. I have to enter a code from my phone to log in to Facebook, and I didn’t see any way that someone could get in without me knowing about it. And at the time I was in fact logged in, and how could there be two different logins at the same time?

And the answer is that my account was not hacked at all. What happened was a Facebook Clone scam, something increasingly common. What the scammers do is clone your account by using all of the information Facebook makes public about you. This is not difficult at all. I decided to go through the steps of cloning (without actually doing it, of course) just to illustrate how it is done.

  • First, type in a first name into the Facebook search box, and a list of possible account names pops up. Pick one at random. I used my own account for this exercise.
  • Second, click the link under the Profile photo that says “Photos”.
  • Try Photos by this person, or Profile Photos if that is there, as places where you can download their Profile photo. My Profile photo was the very first one I saw there.
  • Then, go back and next to the link to Photos you will see a link to Friends. Click that, and you will see all of this person’s friends listed.
  • You now have everything you need to create a fake account and send out scam Friend requests.

This approach is the well-known security technique of thinking like an attacker, which is very helpful in making yourself safer.

Public Information

The key to this attack is that Facebook makes public all kinds of information about you. This particular attack is pretty obvious, but there are more insidious ones. If you go to the About link, take a look at what is there. Places you have worked? Places you have lived? Where you went to school? Family relationships? Your birthday? Suppose you found out someone’s spouse? If they also have a Facebook account, you can get the spouse’s birthday. The point is that these are all the kinds of things that are used for “second question” authentication on other accounts. When you are setting this up for your bank account, you might think no one would know this. But in fact it is all publicly available. We had this exact thing happen in 2012 in the U.S. to a Vice-Presidential Candidate, Sarah Palin, who had her e-mail account hacked because her “second questions” were all things easily discoverable, and some kid looked up the information and got into her account. Of course, you can sometimes pwn yourself. I set up a PIN for an account many years ago and it required 4 digits. I thought I would be clever and picked a date from history (my first degree). It took me a few months to realize that my wife’s birthday matched this date, and change it.

As to it being a “duplicate” request, that is not even possible even if someone managed to hack into your account. Once someone is your friend you cannot send another Friend request, period. The software won’t allow it.

Now, if this happens, what can the scammers get out of it? If they can get other people to accept this fake account as being you, maybe they can send them Malware, Russian election misinformation, promote illegal activities, or whatever. The good thing is that these days we have seen this so often that almost no one pays them any attention. But it is all a numbers game, and even a very small percentage of successful scams can be profitable when pursued on a large scale.

What you can do

As to what you can do, not a whole lot. Changing your password won’t do anything here because your account is not hacked in the first place. And I tend to be a little leery of changing passwords willy-nilly, because human nature being what it is, it usually results in passwords that get simpler and more guessable over time, which is why NIST recently came out against the requirement in many places that passwords be changed frequently on a schedule. What you can do is pretty simple. If someone you are already friends with sends you a friend request, do them a favor and click on the profile. (You can always do this before accepting a Friend request. I regularly get friend requests from suspiciously attractive females whom I have never met and who seem to have a serious lack of history.) Click the Timeline, and there is a menu on the right with three dots. Click that to report the profile as a fake profile. Of course, it may already be closed when you try to do this, because Facebook has gotten pretty good at finding and shutting down these clone accounts. And you can always check to see if anyone has cloned your account simply by searching on your name. My name is not unusual, but if I see two accounts with my same profile picture, I know one of them is bogus.

The other thing you can do if you have not done so yet is set up Two-Factor Authentication.

  • Go to your Home Page in Facebook
  • Click the drop-down arrow on the Top Right
  • Select Settings and Privacy
  • Select Settings
  • Select Security and Login
  • Go to the Two-Factor Authentication, and turn it on
  • Set up how you want to do it. I have a Facebook App on my Android phone, and that gives me a code, but you have a few options here.

The LastPass Security Dashboard

I just got an e-mail from LastPass regarding a new feature that I wanted to share. It is called the Security Dashboard, and it offers a couple of useful features.

As I have mentioned previously, I am a big believer in using a password manager, whether that be 1Password, Dashlane, LastPass, Keepass, or whatever. I actually use both LastPass and Keepass for two reasons:

  • LastPass is designed for online use, which is great for Web sites, but problematic for some offline uses.
  • Keepass works much better on my Android phone while LastPass is awkward there and tends to get in the way instead of help me.

So, I tend to think most of them are good, the question becoming one of what works for you. The benefit, though, comes from actually using it. If you want to get some opinions on which program may be best for your needs, there are reviews available that can help you make a choice.

I could have listed many more reviews, so there is no lack of information out there. I went with LastPass years ago because Steve Gibson looked at the technical details and said they were doing it right. And Keepass is a stand-alone desktop program that has a Linux client and is licensed under the GPL. Also I can use it on multiple machines by putting the database in Dropbox where any changes I make on one machine get pushed out to all other machines.

Of course, the main reason you want to use a password manager, whichever one you choose, is so that you can put secure passwords on important web sites. And secure passwords mean long ones with a lot of entropy, as I covered in Passwords, Entropy, and Good Password Practices. Your pet’s name won’t cut it, neither does “leet speak” like substituting the @ sign for the letter “a”. If it isn’t long gibberish, it is not secure, and of course long gibberish is precisely what humans cannot remember. And that is the reason for password managers.

The big problem is that nearly every web site out there is now demanding passwords before you can do anything. And if you reuse passwords, you are at risk. I just checked in LastPass and I appear to have 478 passwords stored there. That is way more than anyone could possibly memorize; you simply have to use a password manager for that. Which brings us to the latest news from LastPass, the Security Dashboard.

Security Dashboard

This feature is available to all LastPass users, including those on free accounts. But note that some features are only available to Premium users. To see your Security Dashboard in LastPass, you need to “open the vault”. Since LastPass is normally up and running on my browser (that is the first thing I do after rebooting my computer), all I have to do is click the LastPass icon to open the vault. Then on the lower left I can see the Security Dashboard. Clicking that opens the Dashboard, which has three sections: Security Score, Dark Web Monitoring, and Alerts.

Security Score

The Security Score is a calculated number based on several factors. First, of course, is how long and complex your passwords are. Then adding multifactor authentication to your LastPass account adds another 10 points to your score. A perfect score would be 100 points, but you have to have at least 50 passwords stored in LastPass to get this. That said, I am looking at the section for Security Score, and I don’t see a score anywhere. But the useful part is that I can see the “at risk” passwords, both as an overall percentage (OK, but not the most useful), and also a list of my passwords when I click the View passwords link on the right side of this box. There I can see all of my accounts and what LastPass thinks of my passwords. The information here is useful. The list has these columns in order:

  1. The Website
  2. The User Name for that website
  3. The password strength. The password is obscured, but you can click the eye icon to have it revealed.
  4. The risk if any. Red boxes have risks, green check marks are OK. The risks I see include Reused, Old, and Weak. Old is a matter of debate. I think the best research now says that making people change passwords just because they are old is more likely to reduce security than enhance it. For more on this, see SANS Security Time for Password Expiration to Die. Reused is a problem if you used the same password for anything that needs security. I don’t care if I reused a password because some blog demanded I create a password before reading an article, but I definitely care if I did so for my bank account.
  5. Action to take – This is not all that informative. If you have a green check mark, it will be blank; otherwise it tells you to change your password. But if you click this button, it will open the web site so you can do that, so it is helpful.
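
To make the Reused, Old, and Weak flags and the at-risk percentage concrete, here is an added example of how such a review can be computed over a vault export. It is not LastPass code and LastPass’s actual scoring formula is not public to me; the vault rows, the three-year “Old” cutoff, the 60-bit “Weak” cutoff, and the score formula are all constructed assumptions, while the 10-point MFA bonus and the 50-entry requirement for a perfect 100 come from the post.

```python
import math
from collections import Counter
from datetime import date

# Constructed vault rows (site, username, password, last changed);
# the reused and weak passwords are deliberate.
VAULT = [
    ("bank.example", "alice", "Tr0ub4dor&3", date(2017, 3, 1)),
    ("someblog.example", "alice", "Tr0ub4dor&3", date(2021, 5, 2)),
    ("shop.example", "alice@example.com", "password", date(2020, 1, 15)),
    ("mail.example", "alice", "kX9#vLq2!pRw8$nT4zB", date(2021, 6, 1)),
]
TODAY = date(2021, 7, 1)       # fixed "today" so the results are reproducible
OLD_AFTER_DAYS = 3 * 365       # assumed: "Old" means unchanged for 3+ years
WEAK_BELOW_BITS = 60           # assumed: "Weak" means under 60 estimated bits
MFA_BONUS = 10                 # from the post: MFA on the account adds 10 points
MIN_ENTRIES_FOR_100 = 50       # from the post: a perfect 100 needs 50+ entries

def entropy_bits(pw):
    """Rough length * log2(charset) estimate, like a strength meter, not a crack cost."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    pool = sum(size for test, size in classes if any(test(c) for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def review(vault, today=TODAY):
    """One row per entry: (site, username, [risk flags], action text)."""
    uses = Counter(pw for _, _, pw, _ in vault)   # reuse = same password on 2+ sites
    rows = []
    for site, user, pw, changed in vault:
        flags = []
        if uses[pw] > 1:
            flags.append("Reused")
        if (today - changed).days > OLD_AFTER_DAYS:
            flags.append("Old")
        if entropy_bits(pw) < WEAK_BELOW_BITS:
            flags.append("Weak")
        rows.append((site, user, flags, "Change password" if flags else ""))
    return rows

def at_risk_percent(vault, today=TODAY):
    """Share of entries carrying at least one flag, as an integer percentage."""
    rows = review(vault, today)
    return 100 * sum(1 for r in rows if r[2]) // len(rows)

def security_score(vault, mfa_enabled, today=TODAY):
    """Assumed formula: up to 90 points for the healthy fraction, plus the MFA
    bonus, and no 100 until the vault holds MIN_ENTRIES_FOR_100 entries."""
    healthy = 1 - at_risk_percent(vault, today) / 100
    score = int(90 * healthy) + (MFA_BONUS if mfa_enabled else 0)
    if len(vault) < MIN_ENTRIES_FOR_100:
        score = min(score, 99)
    return score
```

Whether a Reused flag matters depends on the site, exactly as the post says, so the row output is the part to read; the score is only a summary.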

After reviewing my list, I noticed I have a lot of stored passwords for places I don’t go to any longer and for accounts I have closed, so no doubt a little pruning of the list is in the cards.

Dark web monitoring

This is all about whether your credentials have been found on the web sites where such things get traded around. Kind of similar to Have I been pwned in my view, but it does make things easy for you. This feature is only available to Premium users (of which I am one). For this, LastPass partnered with Enzoic to use Enzoic’s database of breached credentials. One useful feature here is that you can simultaneously monitor all of your e-mail accounts, or you can decide that some do not need to be monitored. I noticed that one “e-mail” was actually a typo I must have made at one time, and another was a work e-mail from before I retired, so I cut the monitoring there. Honestly, I don’t know that I would pay for a Premium account just to get this feature, but I like that I get it as part of the package. I could do all of this by just going to Have I been pwned and not spend money, but this is very convenient.

Alerts

This is tied to the Dark web monitoring. Right now it says I don’t have any alerts, but if one of my e-mail addresses/user names was compromised I would get an alert, and a button to click to take me through the process of changing my password.

Bottom Line

I am very happy to be a Premium user of LastPass. We have a family account for my wife and me and it works well. This update basically makes maintenance we should be doing anyway more convenient to do. And now if you will excuse me, I need to go clean up a few passwords.

Listen to the audio version of this post on Hacker Public Radio!

Review of Beyond Fear: Thinking Sensibly About Security In An Uncertain World

Beyond Fear: Thinking Sensibly about Security in an Uncertain World by Bruce Schneier
My rating: 5 of 5 stars

Bruce wrote this book in 2003 as a response to 9/11 and how it led to changes in security practices in the U.S. He criticizes many of the security measures taken as “security theater” that makes it look like something is being done without actually accomplishing anything useful. His criticisms probably are nothing terribly new to people in 2013, when many people have come to similar conclusions, but what I think is more important in this book is that he attempts to lay out a way of thinking about security that is rational. Security can never be 100% in a world of human beings, and security always entails trade-offs that make it a cost-benefit decision. As an example, you would never hire an armed guard to protect your empty bottles for getting the 10 cent deposit back. That just doesn’t make sense. Bruce lays out a 5-point analysis you can do with any security plan that asks questions about what you are trying to protect, what the costs of the protection are, whether the proposed solution will actually work, etc. It is a good analysis and worth a read if you want to learn how to think intelligently about security.


Review of The Code Book

The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography by Simon Singh
My rating: 5 of 5 stars

This book is a very good review of the history of encryption and explains the basic principles involved. It is a lot like David Kahn’s The Codebreakers, but is available for a good deal less. Beginning with Herodotus and some secrecy measures from the Persian Wars, it then moves forward with Arab scholars, medieval developments, and right up to the asymmetric public key encryption used today. Highly recommended for anyone who wants to get an overview of what the issues are, but is not looking to dive into the mathematics.
