Security Week 31: Fifty Shades of Insecurity on Android
We have not written anything about Android security for a long time. Overall, the situation there looks fairly good: we have not yet seen problems as serious as the three-year-old Stagefright bug. Since 2016 the Android One program has been developing, under which mid-range devices receive a single version of the OS and, accordingly, the fastest possible delivery of security updates. According to Google, traditional vendors have also sped up their delivery of updates.
Not that things have become really good, though. We recently wrote about an unusual Android smartphone posing as the iPhone X, in which any protection of user data is completely absent. But that is exotic. Kryptowire, on the other hand, analyzed (news) the firmware of many common smartphones sold around the world and found serious security holes in 25 different models.
This is an obvious but still fairly fresh angle on Android security. It is one thing when a vulnerability is found in the Android source code: as a rule, every device is exposed to it, but for the same reason it gets closed quickly. It is another thing when a problem is introduced while a specific manufacturer modifies stock Android: it can sit in the firmware for years.
What did they find in the end? Most of the vulnerabilities fit the scenario "a malicious application gets access where it should not." For example, on the LG G6 an application without special privileges can lock the device so that only a factory reset will help (unless the ADB debugging interface was enabled in advance, in which case unlocking is possible). The same phone allowed access to the system logs and sending them over the Internet. On the Essential Phone, any application can erase absolutely all information from the device. On the Asus ZenFone 3 Max, any application can execute commands with system privileges.
And so on. In the company's DEF CON presentation it was noted that this weakening of application isolation is caused precisely by the specifics of a particular Android build; the standard stock version of the OS has no such problems. This is, of course, not as epic as 100+ smartphones with an active backdoor, but it seems to be the first time security research has gone further down the development chain instead of stopping at the code of Android itself. Even if that code were invulnerable a hundred times over, it will still be modified to run on specific hardware, for a specific carrier, with specific software. People do that work, and people can make mistakes.
Speaking of the chain: Check Point, also at DEF CON, talked (news, research) about an attack called Man in the Disk. That is a fashionable name for a generally trivial situation: one application writes data to external storage and another application modifies it. As examples, the researchers took the Google Translate, Yandex.Translator, and Xiaomi Browser applications.
Regarding this seemingly harmless action, Google's own app-security recommendations for Android say that data read from external storage should be validated, and that executable files preferably should not be stored there at all. The reason is that external storage (roughly speaking, the microSD card) is accessible from any other application.
In the Google and Yandex translators, the researchers managed to crash the application by replacing service data stored in shared storage. That in itself is not so scary, but in other programs both control hijacking and data theft are theoretically possible. In Xiaomi Browser, for example, it was possible to replace the application itself with a malicious copy, all because the browser keeps temporary files in external storage.
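The defensive half of this story, i.e. Google's advice to validate anything read back from external storage, is easy to get wrong: if the checksum sits next to the file in the same shared directory, whoever can rewrite the file can rewrite the checksum. The example below is added here and is not code from Check Point or from any of the apps mentioned. It is a plain-JDK model in which an app-private directory stands in for Android's `getFilesDir()` and a shared directory stands in for external storage that any other application can write to; the file names, the HMAC-SHA256 tagging scheme and the `SharedStorageGuard` class are assumptions of this example. The app keeps the HMAC key and each file's tag in private storage, so a modified file in shared storage fails verification and is simply not used.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Model of a Man-in-the-Disk defence (example code, not from the page):
 * a file in shared storage is trusted only if its HMAC-SHA256 tag, kept in
 * app-private storage, still matches. On Android, privateDir would be
 * Context.getFilesDir() and sharedDir the external storage directory.
 */
public final class SharedStorageGuard {
    private final Path privateDir;   // app-private: other apps cannot write here
    private final Path sharedDir;    // external storage: any app can write here
    private final byte[] key;        // HMAC key, stored only in privateDir

    public SharedStorageGuard(Path privateDir, Path sharedDir) throws IOException {
        this.privateDir = privateDir;
        this.sharedDir = sharedDir;
        Path keyFile = privateDir.resolve("cache.key");  // hypothetical file name
        if (Files.exists(keyFile)) {
            key = Files.readAllBytes(keyFile);
        } else {
            key = new byte[32];
            new SecureRandom().nextBytes(key);
            Files.write(keyFile, key);
        }
    }

    private byte[] tag(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Write the payload to shared storage and its tag to private storage. */
    public void store(String name, byte[] data) throws IOException, GeneralSecurityException {
        Files.write(sharedDir.resolve(name), data);
        Files.write(privateDir.resolve(name + ".tag"), tag(data));
    }

    /** Return the payload only if it still matches its private tag; otherwise empty. */
    public Optional<byte[]> load(String name) throws IOException, GeneralSecurityException {
        Path dataFile = sharedDir.resolve(name);
        Path tagFile = privateDir.resolve(name + ".tag");
        if (!Files.exists(dataFile) || !Files.exists(tagFile)) {
            return Optional.empty();
        }
        byte[] data = Files.readAllBytes(dataFile);
        byte[] expected = Files.readAllBytes(tagFile);
        // Constant-time comparison; a mismatch means the shared file was altered.
        if (!MessageDigest.isEqual(expected, tag(data))) {
            return Optional.empty();
        }
        return Optional.of(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: temp directories play the two storage areas.
        Path priv = Files.createTempDirectory("app-private");
        Path shared = Files.createTempDirectory("external");
        SharedStorageGuard guard = new SharedStorageGuard(priv, shared);

        guard.store("lang_pack.bin", "language pack v1".getBytes(StandardCharsets.UTF_8));
        System.out.println("untouched file accepted: " + guard.load("lang_pack.bin").isPresent());

        // Simulate another application overwriting the shared file.
        Files.write(shared.resolve("lang_pack.bin"), "modified by someone else".getBytes(StandardCharsets.UTF_8));
        System.out.println("modified file accepted: " + guard.load("lang_pack.bin").isPresent());
    }
}
```

The design point is where the trust anchor lives: the key and the tags are in the app's private directory, which other applications cannot write to, so rewriting the shared file alone cannot pass the check. Validation is only half of Google's advice; the other half still applies: anything that will be executed or loaded as code should not go through external storage in the first place.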
Another Android security armageddon is expected courtesy of the developer of the online game Fortnite. First, the Android version is still in development, although the game is already available for iOS. This has already produced many web pages and videos explaining how to download and install the game on an Android smartphone, naturally with some kind of trojan and data theft at the end. Second, Epic Games decided not to put the game on the Google Play store, so as not to pay Google a sizeable percentage of all user purchases. As a result, even those who conscientiously look for applications only in the official store will be motivated to look elsewhere, and it is good if they go straight to the developer's site. And if not? Still, it will be easy enough to track by the number of malware detections. According to Kaspersky Lab, in the first three months of this year 1,322,578 malicious applications were blocked by Android security software. Incidentally, that is fewer than in the previous quarter. We continue to observe.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.