Category Archives: Cell Phone (iPhone, Android, windows mobile)

Firebase Analytics – To be compliance or not to be compliance on personal privacy

Perhaps the scandal of Facebook and awaken people in the world concerning their personal privacy. Meanwhile web surfing behavior is a major element to do the behaviour analytic.  Now we fully understand the influence power of social media platform. However the analytic function not only valid today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I do a survey on popular mobile application software tonight. The reason I chosen this mobile apps software for evaluation is that it contains a series of new claims services includes insurance claim. It  allow insurance claims pay-out at 7-Eleven (Hong Kong). The result is that the mobile apps pass the compliance requirement. The firebase analytics service disabled for legal reasons. For more details, please refer above diagram for reference.

CVE-2018-3561 – Is this a hiccups or it will maintain longer?

Retrospectively, the annual revenue growth of smartphone chips vendor on 2017 Q3. Samsung is the winner.Qualcomm growth only 23% but apple only growth of 12%. From my personal point of view, even though operating system or vulnerability on iPhone looks mystery. Perhaps it is a business strategy in order to avoid competitor know the details. By the way, Qualcomm techincal design limitation lure my interest. Regarding to the CVE 2017-15834 it proof that there is a vulnerability occur in kernel let it encountered potential heap overflow. But this bug found last year, however I believe that it will continous expose something bad until MDM9615 and MDM9x07 end of life.The MDM9615 appears to be a Qualcomm chip. But apple iPad deployed it. Android phone is the biggest comsumer of MDM9615 and MDM9x07 so far. A new vulnerability identify by US-CERT on Mar 2018 with vulnerability record reference no. CVE-2018-3561.The issue is that Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition in diag_ioctl_lsm_deinit() leads to a Use After Free condition. Stay alert and update your Android phone once patch for security update available.

Do you concerns of your e-wallet?

Electronic wallets play an important role in our daily lives. Perhaps the demand of e-wallet market in Hong Kong cannot compare with Greater China market. However mobile phone itself like computer device will encounter Zero – day. This week I keen my personal interest review the TNG wallet design. I am concerning the vulnerability (CVE-2016-5195) on android OS in past. TNG wallet is able to working with armeabi-v7a and armeabi.

From cyber security perspective, it is highly recommend TNG e-wallet user follow the security advice of mobile phone vendor. It is better to update OS once it is available. For more details, please refer to below diagram for reference.

Undetected malware on android

Preface:

Till 2018-02-01, the official announcement provides the following details.

Security patch level—Vulnerability details

Start discussion:

ART (Android RunTime) is the next version of Dalvik. Unlike Dalvik, ART introduces the use of ahead-of-time (AOT) compilation by compiling entire applications into native machine code upon their installation. Regarding to Android security bulletin on February 2018, the official announcement did not had cyber incident reports of active customer exploitation or abuse of reported issues. But why do security expert said Andorid smartphone system is under cyber attack.

Basic understanding of ART boot sequence (see below diagram for reference)

Zygote is running as UID=0 (root). After forking child process, its UID is changed by setuid system call.

A closer look on above diagram step 4 to step 6 operation flow (see below)

Software/application installation workflow

We heard that Google App store sometimes contains malicious code APK. And such a way compromise the Android OS. Below diagram can explicitly provide an idea how Android download and install a application program in normal way.

Lock down

Refer to above information (3 items of diagrams), we lock down 2 items of components for our investigation.

Zygote – When the application start, the Zygote will be forked, target into 2 units of VM. Since all the core library interconnect with zygote. And therefore both zygote and application sharing the library. The memory will only be copied if the new process tries to modify it.

Even thought the core library is read only. However the copy of memory procedure lure threat actors modifies Zygote system process in the memory to achieve their goal.

How does it works? – The injection code works is that their payload is part of any new process spawned, whereas if you use Frida to inject into Zygote it will stay behind when it calls fork() to become the app to be spawned. (Though technically Frida’s code Frida 9.x) will be part of the newly forked child, but no threads survive the fork except the thread that called fork(), so any hooked functions will call into Frida code (Frida 9.x) in an undefined state.

Summarize of the concept

  1. spawn([“com.android.xxx”]) with the package name.
  2. enable_spawn_gating() and listen to the spawned signal in order to do early compromise of memory address. For more details, please see below information for reference.

Reference: Frida (Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers).

APK – We notice that Google scan the apps on their play store to avoid malicious APK place on their store. However the security expert aware that it is hard to scan the APK which contained the malicious script embedded in APK file. Below example may a old style technique. However we only provides awareness and therefore I quote this example for reference.

The Android ZIP APIs do not prevent directory traversals by default, allowing for a file with a directory traversal in the name to be injected into the ZIP. This allows us to gain an arbitrary write in the context of the app. The zip was injected with a directory traversal that writes inside of the app directory. As a result, the malicious zip files were written in the application’s data directory. You can gain an arbitrary file write primitive. But the Arbitrary File contains risk causes remote code execution. For instance, Mercury Browser for Android is prone to directory traversal vulnerability and a security bypass vulnerability. Exploiting these issues will allow an attacker to bypass security restrictions, perform unauthorized actions and access, read and execute files. Information harvested may aid in launching further attacks.

Recommendation

In order to avoid unforeseen cyber incident encounter. Below details is the recommendation provided by federal government.

Federal Mobile Device Security Recommendations

  1. Create a mobile device security framework based on existing standards and best practices.
  2. Bolster Federal Information Security Modernization Act (FISMA) metrics to focus on protecting mobile devices, applications and network infrastructure.
  3. Incorporate mobility into the Continuous Diagnostics and Mitigation program to address the security of mobile devices and applications with capabilities that are similar to those of workstations, servers and other network devices.
  4. Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities.
  5. Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include security and defense against mobile threats.
  6. Develop cooperative arrangements and capabilities with mobile network operators to detect and respond to threats.
  7. Create a new defensive security research program to address vulnerabilities in mobile network infrastructure.
  8. Increase active participation by the federal government in mobile-related standards bodies and industry associations.
  9. Develop policies and procedures regarding U.S. government use of mobile devices overseas.

— End of discussion —

 

Special Edition – HIDDEN COBRA – Malicious Cyber Activity

Special Edition: Information security focus

US Homeland security (DHS) urge the world to staying alert with HIDDEN COBRA Malicious Cyber Activity. It looks that the cyber attack wreak havoc to the world. And therefore DHS suggest to add below Yara rule into your IDS or malware detector (For instance RSA ECAT).

The following YARA rule may be used to detect the proxy tools:

rule NK_SSL_PROXY{
meta:
Author = "US-CERT Code Analysis Team"
Date = "2018/01/09"
MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
Info= "Detects NK SSL PROXY"
strings:
$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
$s2 = {4775401F713435747975366867766869375E2524736466}
$s3 = {67686667686A75797566676467667472}
$s4 = {6D2A5E265E676866676534776572}
$s5 = {3171617A5853444332337765}
$s6 = "ghfghjuyufgdgftr"
$s7 = "q45tyu6hgvhi7^%$sdf"
$s8 = "m*^&^ghfge4wer"
condition:
($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

There are total 2 items of malware would like to draw your considerations.

  • Trojan: HARDRAIN (Backdoor – Remote Access Tool)
  • Trojan: BADCALL (data thief and surveillance)

In order to avoid unforeseen data breach happens to enterprise firm and personal data privacy protection. We better to consider the suggestion by DHS.

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to run unwanted software applications
  • Enforce a strong password policy and
  • implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g.,
  • USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

Threat actor transform Vehicle GSM GPRS GPS Tracker Car Vehicle Tracking Locator technology

Since the mobile phone usage volume bigger than personal computer today. Perhaps digital e-wallet function and BYOD concept let people keep their confidential data on mobile phone. And therefore it lure the hacker focusing the mobile phone device especially Android. This round hacker relies on GRPS TCP/UDP connection (see below diagram for reference) create Trojan (BADCALL) to listen for incoming connections to a compromised Android device, on port 60000. Meanwhile it awaken the security concern on GPRS gateway.

Since this is a special edition of article so we summarize the technical details as below:

Trojan: HARDRAIN

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

3dae0dc356c2b217a452b477c4b1db06 (3DAE0DC356C2B217A452B477C4B1DB06)

746cfecfd348b0751ce36c8f504d2c76 (746CFECFD348B0751CE36C8F504D2C76)

  • Executable Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

9ce9a0b3876aacbf0e8023c97fd0a21d (9CE9A0B3876AACBF0E8023C97FD0A21D)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Trojan: BADCALL (data thief and surveillance)

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

c01dc42f65acaf1c917c0cc29ba63adc (C01DC42F65ACAF1C917C0CC29BA63ADC)

c6f78ad187c365d117cacbee140f6230 (C6F78AD187C365D117CACBEE140F6230)

  • run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

d93b6a5c04d392fc8ed30375be17beb4 (D93B6A5C04D392FC8ED30375BE17BEB4)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

End discussion, thak you for your attention.

Happy valentines day.

Renaissance – Cyber attack transformation

Preface:

Renaissance – The period of this revival, roughly the 14th through the 16th century, marking the transition from medieval to modern times.

Background:

The virus and malware wreak havoc in information technology environment in past decade especially on Microsoft windows operating system platform. It looks that a transformation was happened since smartphone leading the IT technology trend today. The percentage of usage for smartphones are bigger than traditional computer devices (desktop, notebook and server).

Transformation of cyber attack scenario

The major of cyber attacks in information technology environment are given by tradition virus since early 90’s. A quick and simplified explanation below diagram is able to awaken your memories in this regard.

The Evolution diagram of virus, worm, malware and ransomware

Remark: Perhaps we shown the generations of the virus and malware past three decades. The diagram looks simple. However it represents the virus and malware in the specific period of time.

The attack surface targets to Microsoft products till SmartPhone appears.

We all known the design goal of virus and malware targeted Microsoft products fundamentally. We feel that Linux base operating system will be provided a secure environment. But the question is that which element change the atmosphere in silent way?

We understand that the infection of malware divided into four phase (see below diagram). Since the malicious file (so called dropper – file) relies on the PE (portable executable) to execute the infiltation. The way is that the malicious code will try to infiltrate for executables, object code, DLLs, FON Font files, and others used in 32-bit and 64-bit versions of Windows operating systems.

However the specifics mechanism does not work in Linux environment till ELF malware invented.

Stages of a Malware Infection and technology evolution overview

Where it began? Code Injection to Linux world.

Linux Operating system looks like a well protected castle but a beast live inside. Whether are you familiar with ptrace() command on Linux? With reference to tutorial (execute man command in Linux). The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

Docker, an open-source technology. Meanwhile Docker is the company driving the container movement and the only container platform provider to address every application across the hybrid cloud. Microsoft cloud product family also embraced Docker. Below informatics diagram can bring an idea to you on how the docker works.

No matter Fedora workstation or Cloud computing platform (Docker). The command (ptrace()) can do the magic. Even though attach to system process!

Reference: you can disable this behavior by the following:

If you are using Fedora (see below for reference)

echo 0 > /proc/sys/kernel/yama/ptrace_scope

or modify (with root privileges)

/etc/sysctl.d/10-ptrace.conf

If you are using Docker, you will probably need below options:

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined

Above detail information intends to proof of comment which described earlier. Linux Operating system looks like a well protected castle but a beast live inside. Why? If there is a zero day vulnerability occurred in Linux. A ELF format of file embedded malicious code relies on zero day vulnerability execute the attack. That is to awake the beast with privileges escalation. This assumption not rare. Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel found last year. Such incident not only harm to workstation. It also includes cloud infrastructure. From technical point of view, it do not have difference in between Microsoft Product and Linux product.

ELF malware space

Above example highlight the ELF format file. ELF is flexible, extensible, and cross-platform, not bound to any given central processing unit (CPU) or instruction set architecture. This has allowed it to be adopted by many different operating systems on many different hardware platforms. Since smartphone especially Android phone fully utilize Linux OS platform. Perhaps the vendor announcement told this is not a standard Linux OS. But the truth is that they are using Linux base kernel.

According to the IDC Quarterly Mobile Phone Tracker, phone companies shipped a total of 344.3 million smartphones worldwide in the first quarter of 2017 (1Q17). And such away the cyber attack includes BYOD botnet or IoT botnet wreak havoc.

In order to cope with IT technology and smartphone trend. The attackers will build ELF malware using a customized builder. And therefore the malware of target to Linux system includes smartphone rapidly growth. For instance, Gyrfalcon implant, which targets OpenSSH clients on a wider variety of Linux platforms. Should you have interest, please refer below url for reference.

https://wikileaks.org/vault7/#OutlawCountry

Summary:

Information security expert found Stagefright exploit puts millions of Android devices at risk on early 2016. The attack is effective against devices running Android versions 2.2 through 4.0 and 5.0 and 5.1. Another way round of malware attack to android devices is copyCat. CopyCat Malware Infected 14M Android Devices, Rooted 8M, in 2016. Since this is a history but the malware attacks to Linux world are on the way!

SS7 flaw make two factor authentication insecure – Reveal the veil

Preface:

Two factor authentications claimed itself that it is a prefect security solution. No matter online banking transaction, Bitcoin wallet, e-trading business system and application system which concern the data privacy are willing to apply two factors authentication.

The overall comments for two factor authentication on the market

Let’s take a review in below cyber security incident records

  1. Cyber Criminals stolen Bitcoin in electronic Wallets by counterfeit two factor authentication SMS messages.A investment trader so called night owl. He was notified the passwords had been reset on two of his email addresses on 11th Aug 2016. He losses among the largest in his bitcoin investment. The venture capitalists (Bo Shen) he had value of US$300,000 electronic money (Augur REP tokens) stolen by hacker, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (US base world biggest bitcoin exchange) observed that a double growth of cyber heist among it customers during November to December 2016.
  2. Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January 2017. Meanwhile the attackers use SS7 vulnerability to intercept and redirect mTANs ( mobile transaction authentication numbers) sent by banks in Germany to authorize transfers payment out of victim accounts.

The clarification of two factor authentication criteria

Two factor authentication (2FA) definition is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a pin, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA is effectively extending security beyond the password. The final step of the authentication process is send one-time authorization code to a device via an SMS, which you then enter to prove your identity.

My doubt on above matter?

What if my situation in regards to key terms “something you are” function replace by a hardware token. In this scenario, my hardware authentication token will be synchronized in the 1st round of registration to RSA ACE server. Thereafter the dependence of the hardware token depends on a element (timing). This setup compliance to 2FA definition. In the sense that it did not involve SMS message. So the 2FA still trustworthy, right?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

SS7 design fundamental is going to trust any request.  We known that JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. And therefore counterfeit SMS message will more easier (see below information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. It looks that such remediation step not effective to avoid insider threats.

Nokia safeguard network operation effectiveness

The fundamental of SS7 signal system is operate in a private network, meaning that cyber criminals have to hack it to gain entry—or find a telecom insider willing to offer illicit access.However there is another vulnerability on ASN.1. That is ASN.1 Compiler flaw leads to Network vulnerability. As such , hacker explore the back door on SS7 not only targeting to their internal staff. It might have possibility allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile java language fully compatible with SS7 protocol stack and platform. Oops! Do you think a design weakness will be happen in this place?

Hacker might reading shared memory data using Java . Program source that is written by C++.

Hacker can create a method in Java to read or write on shared memory. Hacker might have way relies on Java SS7 benefits hook to sharing memory process. As a result, it compromise the machine. It can send SMS to anyone or anywhere includes communicate with other Telco vendor. It is the most concern and dangerous way.

Conclusion:

From technical point of view, 2FA (Two factor authentication) still a secure method for authentication. It looks that the flaw given by SS7 signaling system instead of 2FA itself. Since 2FA not limit to SS7 to conduct authentication. You are allow to use other alternative. Guys do not worry too much.

Information supplement 1: Open Source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. Below javascript sample is the pass along message implementation programming syntax for reference.

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * Start time:xx<br>
 * Project: xx<br>
 *
 * @author <a href="mailto:xx@xx.com">xx </a>
 */

public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {
 public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

static final int _INDEX_F_MessageType = 0;
 private ISUPMessage embedded;
 /**
 *
 * @param source
 * @throws ParameterException
 */
 public PassAlongMessageImpl() {
 super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
 }



public MessageType getMessageType() {
 return _MESSAGE_TYPE;
 }

@Override
 public void setEmbeddedMessage(ISUPMessage msg) {
 this.embedded = msg;
 }

@Override
 public ISUPMessage getEmbeddedMessage() {
 return embedded;
 }

public boolean hasAllMandatoryParameters() {
 return this.embedded == null ? false: this.embedded.hasAllMandatoryParameters();
 }

@Override
 public int encode(ByteArrayOutputStream bos) throws ParameterException {
 if(this.embedded!=null){
 throw new ParameterException("No embedded message");
 }

//encode CIC and message type
 this.encodeMandatoryParameters(f_Parameters, bos);
 final byte[] embeddedBody = ((AbstractISUPMessage)this.embedded).encode();
 // 2 - for CIC
 bos.write(embeddedBody, 2, embeddedBody.length - 2);
 return bos.size();
 }

@Override
 public int decode(byte[] b, ISUPMessageFactory messageFactory,ISUPParameterFactory parameterFactory) throws ParameterException {
 int index = 0;
 //decode CIC and PAM message type.
 index += this.decodeMandatoryParameters(parameterFactory, b, index);
 byte targetMessageType = b[index];
 this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
 //create fake msg body
 byte[] fakeBody = new byte[b.length-1];
 System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
 index+=((AbstractISUPMessage)this.embedded).decode(fakeBody, messageFactory, parameterFactory)-2;
 return index;
 }



// Not used, PAM contains body of another message. Since it overrides decode, those methods are not called.
 protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, int parameterIndex)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, byte parameterCode)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected int getNumberOfMandatoryVariableLengthParameters() {
 // TODO Auto-generated method stub
 return 0;
 }

protected boolean optionalPartIsPossible() {

throw new UnsupportedOperationException();
 }

}

Information supplement 2: How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design! For more detail, please refer below:  

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

 

The enemy of ASLR (Address space layout randomization) – memory leak

Preface

Address space layout randomization (ASLR) is a computer security technique which popular in cyber world today. Since it reduce the ratio of incident hit rate of malware infection. Do you agree that there is not required to worries about malware infection once ASLR implemented?

Start discussion

We discuss ASLR topics in our earlier discussion (see below).  Our discussion last time focus on virtual machine (VM) especially VMware.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

We move our focus on mobile phone this time especially Android system. As far as we know, chip-set vendors (Qualcomm and Intel) going to reduce the attack surface with division of duty of design.

Highlight of division of duty of design on mobile chip set

Baseband processor: Manages all the radio functions except Wi-Fi and Bluetooth radios. A baseband processor typically uses its own RAM and firmware.

WiFi chip-sets:  responsible for handling the PHY, MAC and MLME on its own, and hands the kernel driver data packets that are ready to be sent up.

Reference point:  We noticed that research found that hacker can implant malicious code relies on WiFi chip-set design weakness to compromised Baseband processor. Since WiFi chip-set did not protect by ASLR technique. But this time we are not going to focus on chipset design weakness from mobile phone topic. As such we move on to the following items of discussion.

ASLR implementation status on Android

Early Android versions only had stack randomization due to lack of kernel support for ASLR on ARM. The address space layout randomization (ASLR) has been adopted in their design since 2015. Android version  4.1 introduced support for full ASLR by enabling heap randomization and  position Independent Executables (PIE). But we frequently heard that Android OS encountered malware infection. But what is the root causes?

  1. Non traditional spawning model

On Android system (from my personal view point it is a tailor made Linux), but the memory management design have different. A process so called Zygote.
However the zygote process have design limitation. It might have possibilities let malware to do the infiltration (see below detail for reference).

 

Mobile apps like your wife or girlfriend. They are tracing you!

2. Memory leak

Android system needs to manage memory allocation resources. A programmatically initiate that Garbage initiation when memory runs short. Garbage collection base on the following criteria.

a. Verify all object references in memory , non reachable object will go to Garbage collection. Everything else are wiped out from memory to free up resources

b. Everything serving the user should be kept in memory

Garbage collection design weakness Highlight

a. The drawback is that when code are written in negligence form result that unused objects are referenced somehow from reachable objects, garbage collection would mark unused objects as useful object. As a result it would not be able to remove. This is called a memory leak. From technical point of view, memory leak will be few kilo bytes to mega bytes. However mobile phone application relies on  java engine and Java script. Java dynamic language use garbage collect to management memory. To enhance CPU performance, a caching technology will be in use. A design weakness was found is that component shares some of its cache with untrusted applications. Hacker could send malicious JavaScript that specifically targeted this shared memory space.  A known bug (see below CVE details) confirm that JavaScript Attack Breaks ASLR on CPU Micro-Architectures  (vulnerable CPU displayed as below:)

CVE – vulnerabilities on CPU

CVE-2017-5925 is assigned to track the developments for Intel processors
CVE-2017-5926 is assigned to track the developments for AMD processors
CVE-2017-5927 is assigned to track the developments for ARM processors
CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

Vulnerable CPU (mobile phone devices)

Allwinner A64 ARM – Cortex A53 (2016)
Intel Xeon E3-1240 v5 – Skylake (2015)
Intel Core i7-6700K – Skylake (2015)
Intel Celeron N2840 – Silvermont (2014)
Samsung Exynos 5800 – ARM Cortex A15 (2014)
Samsung Exynos 5800 – ARM Cortex A7 (2014)
Nvidia Tegra K1 CD580M-A1 – ARM Cortex A15 (2014)
Nvidia Tegra K1 CD570M-A1 – ARM Cortex A15; LPAE (2014)

b. The side-channel attack capable to bypass ASLR algorithm and assists malware implant to the system. The modern CPU require work with internal or external cache. Therefore this is the other alternative way may potentially bypass ASLR memory protection.

i. Evict + time

The attacker measures the time it takes to execute a piece of victim code. Then attacker flushes part of the cache, executes and times the victim code again. The difference in timing tells something about whether the victim uses that part of the cache.

ii. Prime + probe

The attacker now accesses memory to fill part of the cache with his own memory and waits for the victim code to execute. (Prime) Then the attacker measures the time it takes to access the memory that he would carefully placed in cache before. If it’s slow it is because the victim needed the cache and this gives us knowledge about what victim did. (Probe)

iii. Flush + reload

The flush and reload attack utilizes that processes often share memory. By flushing a shared address, then wait for the victim and finally measuring the time it takes to access the address an attacker can tell if the victim placed the address in question in the cache by accessing it.

Summary:

It looks that new technologies claimed that it avoid malware infection. For instance 64-bit OS and ASLR. As a matter of fact, these technology are valid and required. However we can’t say we are now secure! Refer to above discussion. Any mis-use operation or negligence form of programming technique, hacker might find vulnerability to compromise your mobile system even though ASLR is running on your mobile.

Tips to detect Android memory leak

LeakCanary is an Open Source Java library to detect memory leaks in your debug builds.

You create a RefWatcher instance and give it an object to watch:

// We expect java-id-session to be gone soon (or not), let's watch it.
refWatcher.watch(java-id-session);

When the leak is detected, you automatically get a nice leak trace:

* GC ROOT static ..............
* references .............
* leaks ....... instance

Have  a nice weekend!

 

 

 

 

 

 

Price of your privacy – mobile phone

Preface:

Google Pinyin,QQ,TouchPal,Sogou IME apps has high volume download volume in Google Play store. However user may also be vulnerable to component-hijacking attacks. Do you think whether there are more apps monitor your mobile phone silently!

Start discussion:

We heard technical terms so called predictive search and auto-correction. Google browser (Chrome) keyboard input feature apply similar technologies.

What is predictive search?

Google’s search feature uses a predictive search algorithm based on popular searches to predict a user’s search query. It requires interconnect with Google system.

What is auto-correction?

Auto correction is a feature in which an application predicts the rest of a word a user is typing. It requires interconnect with Google system.

Reality – existing situation in the market 2017

It looks that above criteria make sense, user are allow to disable this function. If mobile owner forgot to enforce the access permission setting. Seems their personal information will be forward to google during web site visiting. Their goal is going to do the web behavior analytic. As far as I know, the applications like google app, Google Zhuyin input, Google  Pinyin input  are maintain the following spy able permissions.

Google App – Reads Browser Bookmarks, Knows location by Cell-ID and WiFi, Knows location by GPS signal, Runs on device startup, Reads all SMS messages and records audio on voice calls

Google Zhuyin Input – Records Audio on Voice Calls, Runs on device startup

Google Pinyin Input – Records Audio on Voice Calls, Runs on device startup

MiTalk (China users) – knows location by GPS signal, Received all SMS messages, Records Audio on Voice calls, Knows location by Cell-ID and WiFi, Handles Outgoing calls and Runs on device startup

Attention –  critical loophole

In 2015, a group of researcher in Chinese university of Hong Kong (Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, Zhou Li) found a vulnerability on Pinyin input. A vulnerability so called cross-app KeyEvent injection (CAKI) attack will be encountered on Google Pinyin input method. The flaw is that it allow 3rd party to harvest entries from the personalized user dictionary of IME through an ostensibly innocuous app only asking for common permissions.

Android CAKI vulnerability

Speculation:

We keep track of android vulnerabilities so far. I note with concerns of CVE-2016-9651.  This vulnerability is allow to collect the Invisible Private Property on your android phone. Details is shown as below:

Get all properties of an special object by d8 shell command

d8> var specialObject = new Error("test");
d8> var ownNames = Object.getOwnPropertyNames(specialObject);
d8> var ownSymbols = Object.getOwnPropertySymbols(specialObject);
d8> var ownKeys = ownNames.concat(ownSymbols)
d8> ownKeys
["stack", "message"] ---------> all public properties got by normal JavaScript
d8> %DebugPrint(specialObject)
DebugPrint: 0x3058e8cd: [JS_ERROR_TYPE]
- map = 0x53d0945d [FastProperties]
- prototype = 0x2560b9e1
- elements = 0x45384125 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
- properties = { ---------> all properties got by DebugPrint
#stack: 0x453d012d <AccessorInfo> (accessor constant)
#message: 0x453bb18d <String[4]: test> (data field at offset 0)
0x453859f1 <Symbol: stack_trace_symbol>: 0x3058e9c1 <JS Array[6]> (data field at offset 1) ---------> private property
}

If above flaw co-exists with this vulnerability. Sounds like a prefect surveillance backdoor allow 3rd to collect the information of your android phone. As a matter of fact, the surveillance program or cyber espionage keep track of our mobile activities daily. If such action is collected by your government for crime prevention purpose or big data foundation framework. From certain point of view, we have no doubt to say no. However, who can say how much is the value your personal privacy on your mobile phone?

Reference:

Mobile phone applications – access permission component

Application must have an AndroidManifest.xml file in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app’s code. Manifest file capable declares the permissions (see below) that the application must have in order to access protected parts of the API and interact with other applications. It also declared the permissions that others are required to have in order to interact with the application components.

Sample – Manifest file capable declares the permissions

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.photoeffect"
android:versionCode="1"
android:versionName="1.0" >

<uses-sdk
    android:minSdkVersion="8"
    android:targetSdkVersion="18" />

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="com.example.towntour.permission.MAPS_RECEIVE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />

Mobile apps like your wife or girlfriend. They are tracing you!

 

 

 

 

 

Mobile apps like your wife or girlfriend. They are tracing you!

 

Preface

Power is always dangerous…..Android rule the world

 

About mobile phone security

Independently conducted by antihackingonline

The attack hit rate on personal mobile devices rate high. Mobile phone user enjoy to play the game apps. In order to fulfill the application requirement, their web browser require enable the plugins like Flash and Java in order to display some interactive content.

Culprit – Android OS (Zygote)

Zygote is a software component of the Android operating system uses to start apps.  The mechanism of the Zygote process will create a process (System call fork() is used to create processes), and the child process continues where it left off, loading the app itself into the VM.

ActivityThread,main() – see below

public static void main(String[] args) {
    ...
    Environment.initForCurrentUser();
    ...
    Process.setArgV0("<pre-initialized>");
    //Create the main thread looper
    Looper.prepareMainLooper();

    ActivityThread thread = new ActivityThread();
    //attach To the system process
    thread.attach(false);

    if (sMainThreadHandler == null) {
        sMainThreadHandler = thread.getHandler();
    }

    //The main thread enters the loop state
    Looper.loop();

    throw new RuntimeException("Main thread loop unexpectedly exited");
}

Zygote require root permissions on Android OS but it is an inherit right. And therefore Process ID is 1.

Remark: ID 1: init process, invoked by the kernel at the end of the bootstrap procedure.

Android zygote security weaknesses caused by performance design

An evaluation program found that the Address Space Layout Randomization (ASLR) not effectively implement in Android OS. As a result , it leaving software components vulnerable to attacks that bypass the protection. Zygote process creation model causes two types of  memory  layout  sharing  on  Android,  which  undermine  the effectiveness of ASLR. Firstly, the code of an application is always loaded at the exact same memory location across different runs even when  ASLR  is  present;  and  secondly,  all  running apps  inherit  the  commonly  used  libraries  from  the  Zygote process (including the libc library). For more details about the weakness of ASLR on VM. Please refer to below URL for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

 

Remark: Android 7.0 or above, library load order randomization and ASLR improved. The major improvement goal increase randomness feature. As a result it makes some code-reuse attacks decrease successful rate.

Inline hooking – Inline hooking is a method of intercepting calls to target functions. For instance, prepares hooks for the following system properties.

  • java.lang.System.getProperty()
  • android.app.Instrumentation.newApplication()
  • com.android.internal.telephony.SMSDispatcher.dispatchPdus()
  • android.app.ActivityManager.getRunningServices()
  • android.app.ActivityManager.getRunningAppProcesses()
  • android.app.ApplicationPackageManager.getInstalledPackages()
  • android.app.ApplicationPackageManager.getInstalledApplications()

If the software developer would like to obtains SMS data on your mobile phone (Android), he can do the following steps.

  1. Manages SMS operations such as sending data

    void sendDataMessage (String destinationAddress, 
                    String scAddress, 
                    short destinationPort, 
                    byte[] data, 
                    PendingIntent sentIntent, 
                    PendingIntent deliveryIntent)

    2. The null pointer exception is directly linked to name. i.e. isms or isms2.

    3. The transact() method is redefined in the customized program “isms” (or isms2) binder realization, replacing the original.

    4. When the parent application of the customized program sends an SMS it leads to the call of the customized program transact() method.

    5. As a result, the customized program can obtains SMS data (destination number, message text, service center number) from raw PDU.

Current status

It is hard to draw into conclusion on this discussion topics this moment. We keep our eye open see whether a new vulnerability find on Zygote in 3rd quarter in 2017 . Ok, have a good sleep.  Zzzzzzz……