Mobile Phone Application
HTTP Request Hijacking attack said to be simple to do against Apple IOS apps
Network World - Many Apple iOS applications are vulnerable to a man-in-the-middle attack that can result in permanent manipulation by the attacker, according to start-up Skycure, which released its research findings on this today during the RSA Europe conference.
Skycure CTO Yair Amit says many mobile iOS apps are vulnerable to a “very simple attack that relies on the 301 HTTP Response, a permanent re-direction.” If an Apple iOS app can cache these so-called 301 HTTP Re-Direct Response requests — and many popular iOS apps do, according to Skycure — then the app is vulnerable to being repeatedly hijacked via re-direction to the attacker’s server.
While this general type of man-in-the-middle attack has been known on the Web for many years, for mobile applications the result is worse in that it “persistently changes the URL” of the server and lets the attacker take dynamic control over the app, says Amit. In the information that Skycure is publishing today, the company notes the impact of the attack is basically that instead of loading data from the real site that the user wants to visit, the attacker can make the app permanently load the data from the attacker’s site.
Skycure isn’t releasing the names of the vulnerable iOS apps because this issue hasn’t necessarily been fixed. Amit says according to Skycure’s research, a significant portion of apps available through the official Apple App Store could be attacked this way. The problem is not a vulnerability in iOS itself but a coding weakness on the part of the developer.
Skycure says “HTTP Request Hijacking” of Apple iOS mobile devices such as iPhones and iPads starts with a man-in-the-middle attack, which would typically commence in a public WiFi zone, such as in a coffee shop. While a type of attack like this has been known to happen on the Web between computer-based Web browsers and Web servers for quite some time, the way a similar attack works on mobile devices hasn’t yet been subject to much scrutiny, says Amit.
He adds the implication of such an attack on news or financial information received through iOS devices is troubling.
“In a mobile application, it changes the application,” he says, adding “there’s no easy way to remove the problem.” But Skycure believes there are a number of steps that app developers can take to remediate or mitigate against it.
Among them are making sure the app doesn’t cache a 301 HTTP Re-Direct Response for re-direction. Another is to make sure the mobile device interacts with a designated server via an encrypted protocol, such as HTTPS, instead of HTTP. “If you want your application to behave differently with a server, just release an update,” he suggests. Making changes to apps to correct for this may be somewhat disruptive to the end-user, he adds.
The HTTP Request Hijacking attack on iOS that Skycure has identified may also exist in Android or other mobile-device platforms, but Skycure currently puts its focus primarily on Apple iOS. Skycure believes one danger in this type of man-in-the-middle attack on mobile devices is that it is much less visible to the victimized end-user than the more traditional computer-based form of the attack.
Source: Network World
Android users are probably familiar with the Swype keyboard which basically allows users to type on their phones just by swiping (or “swyping”) between characters versus pecking at individual letters one at a time. In fact one iOS developer has event attempted to port Swype onto iOS devices although it didn’t exactly take off. However it seems that Apple did think about keyboard alternatives back in the day, and thanks to a recent patent that was published, it looks like Apple’s idea was pretty similar to Swype. According to the patent filing, it was filed for back in 2007 which is the same year that the first iPhone debuted, suggesting that Apple was already looking for keyboard alternatives for touchscreen devices back in the day.
However given that it’s 6 years later and the only revision to the Apple keyboard on iOS would be its design, it’s safe to say that Apple decided not to pursue this idea, or other keyboard ideas the Cupertino company and its team might have cooked up then. In any case Apple’s keyboard is more than functional and is pretty accurate as far as onscreen keyboards are concerned.
A new piece of Android malware has been discovered that can intercept your incoming text messages and forward them on to criminals. Once installed, the trojan can be used to steal sensitive messages for blackmailing purposes or more directly, codes which are used to confirm online banking transactions.
The malware in question, detected as “Android.Pincer.2.origin” by Russian security firm Doctor Web, is the second iteration of the Android.Pincer family according to the company. Both threats spread as security certificates, meaning they must be deliberately installed onto an Android device by a careless user.
Upon launching Android.Pincer.2.origin, the user will see a fake notification about the certificate’s successful installation but after that, the trojan will not perform any noticeable activities for a while. Here are a few screenshots:
The malware is loaded at startup via CheckCommandServices, a service that runs silently in the background (right-most screenshot above). It will then connect to a remote server and send over the following information about the mobile device to those behind the attack: handset model, device’s serial number, IMEI, carrier, cell phone number, default system language, operating system, and availability of the root account.
The threat then awaits instructions that contain commands in the following format: command:[command]. Doctor Web has found criminals can send the following instructions to the trojan:
• start_sms_forwarding [telephone number]— begin intercepting communications from a specified number
• stop_sms_forwarding — stop intercepting messages
• send_sms [phone number and text] — send a short message using the specified parameters
• simple_execute_ussd — send a USSD message
• stop_program—stop working
• show_message—display a message on the screen of the mobile device
• set_urls – change the address of the control server
• ping – send an SMS containing the text ‘pong’ to a previously specified number
• set_sms_number—change the number to which messages containing the text string ‘pong’ are sent.
The first one allows attackers to indicate the number from which the trojan should intercept messages, meaning this can be used for targeted attacks to steal specific messages. The third one from the bottom shows the criminals have planned for changing servers in case they believe the current one will be shut down.
Although Doctor Web doesn’t say so, the good news here is that Pincer2 is not likely to be very prevalent. It has not been found on Google Play, where most Android users should be getting their apps, and appears to be meant for precise attacks, as opposed to being aimed at as many users as possible.
In short, this malware threat isn’t one that you will likely be hit with, but it is an interesting example of how Android malware is evolving. Our advice is the same as always: only install apps that you know are safe.
Malware that avoided detection and made its way onto the official Google Play store has been downloaded at least 2 million times, a security firm warned today.
Google was notified of the outbreak by Lookout and all affected rogue apps have been removed from the Android store. As many as 9 million could have downloaded the dirty code.
Lookout found 32 applications contained code from the “BadNews” software development kit, which masqueraded as a standard advertising network SDK.
But it was particularly aggressive, sending phone number and device IDs to their command and control servers, and prompting users to install applications, including AlphaSMS, a “well-known premium rate SMS fraud malware”, which can cost users plenty of money.
“It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network,” the company wrote in a blog post.
“However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetisation SDK.”
“Further, it is clear that a substantial amount of code in BadNews has previously appeared in other families associated with Eastern European toll fraud.”
Lookout identified three C&C servers, in Russia, Ukraine and Germany.
It’s another big outbreak of Android malware, which has been spreading rapidly in recent years. NQ Mobile reported earlier this week that mobile malware jumped 163 percent in 2012, with almost all threats aimed at Android.
Governments appear to be using mobile Trojans too. China was this month implicated in attacks on Tibetan activists, which sought to get malicious kit on Android devices.
Source: Tech Week Europe