Rogue mobile apps are either counterfeit apps designed to mimic trusted brands, or apps with undisclosed malicious features. In both cases, the goal is to get unaware users to install the app so that sensitive information such as credit card data or login credentials can be stolen from them.
The usual way to install apps is through the official app store. By default, neither Android nor Apple’s iPhone allow users to install apps from unknown sources. However, this does not mean the official app store can simply be trusted. SWITCH-CERT has been monitoring Apple’s App Store and Google Play for some time and has noticed that many rogue apps manage to sneak in, especially into Google Play.
Attackers abuse Google’s weak app vetting procedure to get their rogue apps into Google Play. Counterfeit apps of Swiss brands can be found on a regular basis. Typically, such an app stays on Google Play for some time until it is removed following take-down requests from security researchers. Until that happens, unaware users are likely to install it and put their data at risk.
The screenshot below shows the apps found when searching for Bluewin. In recent months, Bluewin has been a common target of rogue counterfeit apps. The red circle marks the rogue app.
Smartphones have become inseparable companions in our everyday life. They are so cheap nowadays that you can buy commodity devices running Android for less than a hundred Swiss francs. Smartphones are not mere wireless telephony devices. They are modern computer systems equipped with a variety of sensors: cameras, microphone, GPS receiver, gyroscopes, accelerometers, etc. They also feature multiple wireless communication interfaces such as multi-generation mobile networking, 2.4 and 5 GHz Wi-Fi, Bluetooth, NFC, etc., which make them a versatile communication platform with a near-permanent Internet connection. Put another way: with all the components a typical smartphone carries, it can be turned into a perfect bugging device.
On November 15th 2016, Kryptowire published a blog post revealing that "several models of Android mobile devices contained a firmware that collected sensitive personal data about their users and transmitted the data to third-party servers without disclosure or the users’ consent". The sensitive data includes unique device and user identifiers, but also contact lists, call history, installed applications and, under some circumstances, text messages as well as fine-grained location data. The firmware in question originates from Adups, a Shanghai-based company specializing in mobile and IoT technologies. It is part of their FOTA product (Firmware Over The Air), a commercial replacement for Google’s over-the-air upgrade system that is used to deploy firmware upgrades to devices. The FOTA component is pre-installed on various brands and models of Android devices manufactured in China. Because it is installed as a system APK, the software has unrestricted access to all data on the device and cannot be uninstalled.
Switzerland is one of the safest countries in the world. To make the Internet in Switzerland a secure place as well, the Swiss online economy has founded the Swiss Internet Security Alliance (SISA). The goal of the alliance is to make Switzerland the “cleanest” Internet country in the world! The organization launched an online security check today that allows Internet users to clean and protect their systems.
Offering more security
The founding of the Swiss Internet Security Alliance is a sign of its members’ commitment to making the Internet a secure place in Switzerland. The association brings together expert knowledge from representatives of various sectors and promotes information-sharing amongst competitors.
Overcoming challenges together
The Swiss Internet Security Alliance focuses on its main assets – the knowledge, experience and technical expertise of its members. Its members asut, Centralway, Credit Suisse, cyscon Schweiz, Lucerne University of Applied Sciences and Arts, Hostpoint, Migros Bank, PostFinance, Raiffeisen, Sunrise, Swisscard, Swisscom, SWITCH, UBS, upc cablecom and Viseca have long-standing experience in dealing with online security. The association is open to other interested parties. More information can be found in the press release:
After all, new research shows that ‘123456’ can be a perfectly good password: websites that would pose no threat if hacked should get throwaway credentials.
World Cup & Threat Intelligence: According to the Imperva Data Security Blog, hackers like soccer so much that they put their weapons down during the World Cup Finals. During the rest of the matches, however, attacks actually increased.
This week the IT security world was busy with three important things: Heartbleed, Heartbleed and Heartbleed. It is a serious vulnerability in the very widespread OpenSSL cryptographic library. The bug was introduced when the Heartbeat extension was implemented in December 2011. When exploited, it leaks memory contents, which may include secret keys or credentials.
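A simplified model of the length check behind Heartbleed, added here as an illustration and not code from the original post or from OpenSSL: `heartbeat_vulnerable` trusts the peer’s claimed payload length, while `heartbeat_fixed` drops any record whose claimed payload plus padding exceeds what was actually received, which is the shape of the upstream fix. All function names and the test fixture are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record layout: 1-byte type, 2-byte big-endian payload
   length, payload, then at least 16 bytes of padding.
   Constructed model of the bug, not OpenSSL's own code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

static size_t claimed_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];     /* length the peer claims */
}

/* Vulnerable pattern: the claimed length is never compared with rec_len, so
   memcpy reads past the real record into whatever memory follows it. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out) {
    (void)rec_len;                             /* ignored: this is the bug */
    size_t plen = claimed_len(rec);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, plen);  /* over-read on a lying peer */
    memset(out + HB_HDR + plen, 0, HB_PADDING);
    return HB_HDR + plen + HB_PADDING;         /* out holds 3+65535+16 bytes */
}

/* Hardened form: claimed payload plus mandatory padding must fit inside the
   bytes actually received; otherwise the record is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    size_t plen = claimed_len(rec);
    if (HB_HDR + plen + HB_PADDING > rec_len) return 0;  /* reject */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, plen);
    memset(out + HB_HDR + plen, 0, HB_PADDING);
    return HB_HDR + plen + HB_PADDING;
}

/* Constructed fixture: a 21-byte request ("hi" + padding) claiming a 40-byte
   payload, with a marker placed right after the record in the same buffer.
   Returns 1 if the handler's response echoes the marker, i.e. leaks memory. */
int leaks_beyond_record(size_t (*handler)(const unsigned char *, size_t,
                                          unsigned char *)) {
    unsigned char arena[64] = {0}, out[HB_HDR + 65535 + HB_PADDING];
    const size_t rec_len = HB_HDR + 2 + HB_PADDING;          /* 21 */
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;      /* claims 40 */
    memcpy(arena + HB_HDR, "hi", 2);
    memcpy(arena + rec_len, "SECRET", 6);   /* adjacent memory, not the record */
    size_t n = handler(arena, rec_len, out);  /* marker echoes at offset rec_len */
    return n >= rec_len + 6 && memcmp(out + rec_len, "SECRET", 6) == 0;
}
```

The fixture keeps the over-read inside its own 64-byte arena, so the demonstration itself is well-defined; on a real server the bytes copied past the record would be whatever the heap held next.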
NSA Today: Recently published NSA slides describe some more projects. For example, the Tailored Access Operations (TAO) hacking unit runs a system called TURBINE, which can spam out millions of pieces of sophisticated malware at a time. HAMMERCHANT and HAMMERSTEIN are malware implants designed to sit on routers and grab encryption keys in order to decrypt supposedly secure VPN connections in real time. QUANTUMCOPPER automatically corrupts any data downloaded by a user. In the meantime, Facebook founder and CEO Mark Zuckerberg said he had called President Obama to voice his concerns about government surveillance.
The ICC Belgium published a 72-page Cyber Security Guide including a Security Self Assessment Questionnaire.
Have you heard about the Security Bloggers Network? It is the largest collection of information-security-focused blogs and podcasts in the world, with almost 300 different blogs and podcasts included. They offer a single feed aggregating all the sites. (Sub-feeds for specific categories are in the works.)