Mobile-Security – SWITCH Security-Blog

The Mai/June 2020 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

The coronavirus: a blessing for some, a curse for others – where is IT security at with contactless payment?
You’ve got mail (and malware too) – serious security gap in Apple’s Mail app on iPads and iPhones now closed
Everything must go – ‘Shade’ hackers ‘shut down’ and publish hundreds of thousands of decryption keys
Swiss users targeted by cybercriminals
Elite targets – ETH supercomputers Euler and Leonhard (and more) hacked

The Security Report is available in both English and German.

»» Download the English report. »» Download the German report.

The January/February 2019 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

Company networks at serious risk: recent waves of malspam have been spreading the multifunctional trojan Emotet, targeting Windows devices in particular
Phishing, porn, data theft: rogue apps appearing as a new and harmful type of ‘non-sellers’ on Google Play and other app stores
Spy Time now also available for Apple devices – Serious security vulnerabilities allow outsiders to eavesdrop on FaceTime conversations and steal passwords from Keychain in MacOS
Alexa home alone, nuclear attack via Nest and a new password law in California – what happens when IoT gadgets run amok?

The Security Report is available in both English and German.

»» Download the english report . »» Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

Rogue Mobile App

Rogue mobile apps are counterfeit apps designed to mimic trusted brands or apps with non-advertised malicious features. In both cases, the goal is that unaware users install the app in order to steal sensitive information such as credit card data or login credentials.

The common way to install apps is to use the official app store. By default, neither Android nor Apple’s iPhone allow users to install apps from unknown sources. However, this does not mean we can just trust the official app store. SWITCH-CERT has been monitoring Apple’s App Store and Google Play for some time and noticed that many rogue apps are able to sneak into Google Play especially.

Google Play

Attackers are abusing the weak app testing procedure of Google to sneak their rogue apps into Google Play. One can find counterfeit apps of Swiss brands on a regular basis. Typically, the apps reside on Google Play for some time until it is removed because of take down requests from security researchers. Until that happens, unaware users are likely to install such apps and put their data at risk.

The screenshot below shows apps found when searching for Bluewin. During the last months, Bluewin has been a common target for rogue counterfeit apps. The red circle indicates the rogue app.

Play Store result for the search key word “Bluewin”

Continue reading “Rogue Mobile App”

A new issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

An own goal and serious foul: Spanish football league’s app turns 10 million users into involuntarily spies
Amazon Rekognition – useful security and convenience tool or total surveillance for pennies?
An underestimated risk: the number of malware attacks on smartphones and tablets is exploding
Phishing with the stars: scammers take advantage of our celebrity obsession and the crypto craze to cause harm to users

The Security Report is available in both English and German.

»» Download the english report. »» Download the german report.

A new issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

Meltdown and Spectre: security meltdown directly from the processor
Leaks, fakes and cryptocurrency hacks: business models of a different kind
Italianitá in the smartphone – state trojan monitors smartphone users
Kaspersky shut out of Lithuania as well
Strava leaks – fitness secrets of a different kind

The Security Report is available in both English and German.

»» Download the english report. »» Download the german report.

Adups — The Spy in your Pocket

written by Antoine Neuenschwander

Smartphones have become inseparable companions of our everyday life. They are so cheap nowadays, you can buy commodity devices running Android OS for less than a hundred Swiss francs. Smartphones aren’t mere wireless telephony devices. They are modern computer systems equipped with a variety of sensors: cameras, microphone, GPS receiver, gyroscopes and accelerometers, etc. They also feature multiple wireless communication interfaces such as multi-generation mobile networking, 2.4 and 5 GHz Wi-Fi, Bluetooth, NFC, etc, which make them a polyvalent communication platform with a quasi permanent Internet connection. Another way of looking at it: using all the components typical smartphones are equipped with, they can be fitted as perfect bugging devices.

On November 15th 2016, Kryptowire published a blog post revealing that „several models of Android mobile devices contained a firmware that collected sensitive personal data about their users and transmitted the data to third-party servers without disclosure or the users’ consent“. The sensitive data includes unique device and user identifiers, but also contact lists, call history, installed applications, and under circumstances text messages as well as fine grained location data. The said firmware originates from Adups, a Shanghai-based company specialized in mobile and IoT technologies. It is part of their FOTA product, a commercial replacement of Google’s Over-The-Air upgrade system, which is used to deploy firmware upgrades to the devices (hence the acronym: Firmware Over The Air). The FOTA component is pre-installed on various brands and models of Android devices manufactured in China. Being installed as a system APK, the software has unrestricted access to all data on the device and cannot be uninstalled.

HTTP request originating from a device affected by the Adups backdoor

Continue reading “Adups — The Spy in your Pocket”

Swiss economy makes online security its priority

Switzerland is one of the safest countries in the world. To make also the Internet a secure place in Switzerland, the Swiss online economy has started the Swiss Internet Security Alliance (SISA). The goal of the alliance is to make Switzerland the “cleanest” Internet country in the world! The organization launched an online security check today which allows internet users to clean and protect their systems.

Offering more security
The founding of the Swiss Internet Security Alliance is a sign of its members’ commitment to making the Internet a secure place in Switzerland. The association brings together expert knowledge from representatives of various sectors and promotes information-sharing amongst competitors.

Overcoming challenges together
The Swiss Internet Security Alliance focuses on its main assets – the knowledge, experience and technical expertise of its members. Its members asut, Centralway, credit suisse, cyscon Schweiz, Lucerne University of Applied Sciences and Arts, Hostpoint, Migros Bank, PostFinance, Raiffeisen, Sunrise, Swisscard, Swisscom, SWITCH, UBS, upc cablecom and Viseca have longstanding experience in dealing with online security. The association is open to other interested parties. More information can be found in the press release:

https://www.switch.ch/about/news/2014/sisa.html

Comprehensive security check
Upon founding the association, the Swiss Internet Security Alliance is launching a security check. The Swiss Security Check provides protection on three levels.

Users with outdated or incorrectly configured software who are therefore subject to a security risk, will find this out within seconds.
If there is suspicion of malware, the malware cleaner helps with the diagnosis and resolution of the problems.
A cyber vaccine completes the protection and keeps electronic pests at bay.

The Swiss Security Check is free and can be accessed here:
http://www.swiss-isa.ch

Please follow @swiss_isa on Twitter!

IT-Security-Links #60

Mobile Security: FireEye researchers have discovered a new software which takes Android malware to a new level by combining multiple malicious activities into one app.
According to a new blog post from Glenn Greenwald, the GCHQ has developed tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites or censor video content.
After all, new research shows that ‘123456’ is a great password: Websites that would not present a threat if hacked should get throwaway credentials.
World Cup & Threat Intelligence: According to the Imperva Data Security Blog, Hackers like soccer so much, that they put their weapons down during the World Cup Finals. But during the rest of the matches, attacks actually increased.
‘Bill Gates’ is the name of a versatile DDoS trojan for Linux.
Countersurveillance: Germany’s government is seriously considering manual typewriters as a means to avoid spying – not electronic models of course.
Cloud Security: Everybody is talking about it, but how secure is cloud computing really? SWITCH’s Rüdiger Rissmann wrote an interesting article about the technical and non-technical aspects of Cloud security.

IT-Security-Links #58

Troopers14: 27 talks from this years Security Conference Troopers are available online….
HITB2014: …as well as a choice of presentation slides from Hack-in-the-box…
IPv6 Security: …and the recently held IPv6 Business Conference.
Kasperky has uncovered the Luuuk banking fraud campaign which stolen half a million euros in a single week from a single bank.
Phishing goes Mobile: Hackers have trojanized a legitimate Mobile Banking App and redistributed it on Google Play.
Update on the “legal” spyware tool “Remote Control System”: Kaspersky discovered a number of related mobile malware modules and 326 Command & Control Server.
Security experts reproduce NSA’s Advanced Network Technology catalog using off-the-shelf components.
A Swiss Google alternative: Swisscows.ch is a new search engine which promises “No tracking“.
A 20-year-old integer overflow vulnerability in the LZO compression algorithm – used by many scientific and open source projects – has finally been patched.

IT-Security-Links #56

“No Place to Hide” is the new book on the NSA’s sweeping efforts to “Know it All” written by Glenn Greenwald. A comprehensive review has been published on washingtonpost.com.
According to this book the NSA has been covertly implanting interception tools in US network equipment heading overseas…
Cisco is not amused: “Governments should not interfere with the ability of companies to lawfully deliver internet infrastructure as ordered by their customers.”
Crimeware has steadily transferred Windows-based technology to Android. Now “Police Ransomware” expands to the Android ecosystem.
DNS DDoS: Incapsula reported in their blog on a DNS flood of 1.5 Billion requests per minute, fueled by different DDoS protection services.
How to characterize a target device through its wireless traffic? French researchers published a study on passive 802.11 device fingerprinting.

German:

Der deutsche E-Mail-Anbieter Posteo setzt künftig auf DNS-based Authentification of Name Entries (DANE), um Kunden die Möglichkeit zu bieten, Zertifikate für TLS-Verbindungen zu prüfen. DANE basiert auf DNSSEC.

Unser SWITCH Security-Report für Mai 2014 ist verfügbar

Die aktuelle Ausgabe unseres monatlich erscheinenden ‘SWITCHcert Reports zu aktuellen Trends im Bereich IT-Security und Privacy‘ ist soeben erschienen.

Themen diesen Monat:

Android prüft zukünftig kontinuierlich installierte Apps – Fake-Virenscanner ist Shooting Star in Googles App-Store
US-Behörde schafft vollendete Tatsachen in Sachen Netzneutralität
«Heartbleed» setzt Frust und Hoffnung der Open-Source-Entwickler frei
Dropbox will mit Hilfe von Condoleezza Rice weltweit expandieren
Und wie immer Links zu spannenden Präsentationen, Artikeln und Videos rund um die Themen IT-Security und -Privacy.

Zum Download (PDF):

Haben Sie unseren vorigen Security-Report verpasst? Hier kommen Sie zum Archiv.

IT-Security-Links #53

This week the IT-Security world was busy with 3 important things: Heartbleed, Heartbleed and Heartbleed. It’s a serious vulnerability in the very widespread OpenSSL cryptographic software library. The bug has been introduced while implementing the Heartbeat extension in December 2011. When exploited it leads to the leak of memory contents, which might be secret keys or credentials.
Next week the IT-Security world will probably be busy with “the other side of Heartbleed”: Client Vulnerabilities or Reverse Heartbleed. And the question, which services and products are also affected.
2nd major data theft in Germany this year: 18 Million email addresses and passwords have been stolen. Among them also 38.000 which are registered in Switzerland.
WinXP in SCADA systems: Never change a running system? This computer wisdom of the 80th is still reality in critical infrastructure environments.
Android Security: Collin Mulliner compiled a list of Android Hardening Tools.
Security Researcher have to think out-of-the-box: A five-year-old boy worked out a security vulnerability on Microsoft’s Xbox Live service. And has been officially thanked by the company.

IT-Security-Links #51

“SOHO-Farming”: Hackers have compromised 300.000 SOHO routers and changed DNS settings to redirect to the attacker site. Team Cymru has published a report about recent Pharming attacks (PDF) targeting Small office and Home office (SOHO) routers.
WordPress DDoS: securi.net reported that more than 162.000 WordPress sites have been used for a DDoS Attack using the pingback feature. Here you can check, if your WordPress domain participated in the DDoS. Meanwhile Brian Krebs described different ways how to disable the pingback functionality.
We don’t know who Justin Bieber is. But his official twitter account which has more than 50 million followers has been hijacked by attackers to spread spam links from the account. Subsequently more than 13.000 users have favorited the tweets and over 7.000 users have re-tweeted them…
NSA Today: Recently published NSA slides explain some more projects. For example the Tailored Access Operations (TAO) hacking unit run a system called TURBINE, which can spam out millions of pieces of sophisticated malware at a time. HAMMERCHANT and HAMMERSTEIN is malware designed to sit on routers and grab encryption keys to decrypt supposedly secure VPN connections in real time. QUANTUMCOPPER automatically corrupts any data downloaded by a user. In the meantime, Facebook founder and CEO Mark Zuckerberg said he had called President Obama to voice his concerns about government surveillance.
CrowdResponse is a new, free incident response toolkit designed to help enterprises collect the data they need to analyze sophisticated attacks.
Dendroid: Symantec researchers have come to know another android malware toolkit called “Dendroid” which is being sold in the underground forums. And an example already made its way into Google’s official app store.

IT-Security-Links #50

The ICC Belgium published a 72-page Cyber Security Guide including a Security Self Assessment Questionnaire.
Have you heard about the Security Bloggers Network? It’s the largest collection of information security focused blogs and podcasts in the world with almost 300 different blogs and podcasts included. They offer one feed of all the sites. (Sub-feeds for specified categories are in the works.)
Mobile Malware: Ten Years of Mobile Malware – From Symbian Worm to Tor-Based Android Backdoor, an overview by Softpedia with a nice graph from Symantec. Also Kaspersky published an article on Mobile Malware Evolution.
On 20th February 2014 the Niklaus Wirth Birthday Symposium took place in Zurich. Slides and video recordings of the talks are freely available. We recommend Software Defenses Using Compiler Techniques, a talk about compiler-generated software diversity as a defense mechanism against cyber attacks.
Anatomy of a “goto fail” – Apple’s SSL bug explained, by Sophos.

IT-Security-Links #39

FBI warns of bank-robbing Beta Bot malware that disables antivirus.
Biometrics are not safe: iPhone 5S fingerprint sensor hacked by Germany’s Chaos Computer Club
ENISA presents in a 5-page paper a first “taste” of current developments related to the Threat Landscape 2013.
F-Secure released their 50-page Threat Report for H1/2013. It’s about the latest trends, incidents and developments in malware.

German:

Bund bricht Überwachungsprojekt ab: Grössere Probleme bei der Ablösung des Lawful Interception Systems (LIS) des Bundes.
Paypal-Sicherheit: Erfahrungen mit dem “Paypal Bug Bounty Programm” und der Behebung von Sicherheitslücken beim Zahlungsdienstleister.