Security Weekly 54

Security Weekly 54: Fifty Shades Of Insecurity On Android

For a long time, we did not write something about the safety of Android. In general, the situation there seems to be quite good: such serious problems as the three-year-old bug Stagefright, have not yet been found. Since 2016, the Android One program is developing, in which midrange devices receive a single version of the OS and, accordingly, the fastest delivery of security updates. The speed of delivery of updates to traditional vendors, too, according to Google, accelerated.

  • But not that it became quite good. Recently we wrote about an unusual Android-smartphone, pretending to be the tenth iPhone, in which any data protection of the user is completely absent. But this is exotic. But the company Kryptowire analyzed (news) the firmware of a lot of ordinary smartphones that are sold all over the world. In 25 different models, serious security holes were found.
  • This is an understandable, but still pretty fresh look at Android security. It’s one thing when a vulnerability is found in the source code of Android: it is usually affected by all devices, but that’s why it closes quickly. Another thing – the problem introduced during the modification of stock Android by a specific manufacturer: it can sit in the firmware for years.

What was eventually found? Most of the vulnerabilities refer to the scenario “a malicious application gets access where it should not.” For example, on an LG G6 phone, an application without special privileges can lock the device so that only the reset to factory settings will help (otherwise the unlocking is possible if the ADB debug interface was enabled in advance). In the same place, it was possible to access the system logs and send them via the Internet. In Essential Phone, any application can erase absolutely all information from the device. Asus ZenFone 3 Max has the ability to execute commands with system privileges from any application.

Security Weekly 54 Photo 1

Well, and so on. In the presentation of the company at DEF CON it was noted that this weakening of the standards of application isolation is caused precisely by the peculiarities of the specific implementation of Android. In the reference stock version of the OS, there are no such problems. This, of course, is not as epic as 100+ smartphones with an active backdoor, but it seems that for the first time security studies have gone further along the development chain, not just by analyzing the code of Android itself. Whether it is a hundred times invulnerable, it is modified to work on a particular hardware, from a specific operator, with a specific software. People do this, and they can make mistakes.

  • By the way, about the chain. The company Check Point there, at DEF CON, told (news, research) about the attack type Man in the Disk. This is such a fashionable name for a generally banal situation: when one application adds data to external memory, and another modifies it. For example, researchers took Google Translate, Yandex. Translator and Xiaomi Browser.

About this seemingly innocuous action, Google itself in the recommendations for the protection of applications in Android wrote that the validity of data read from external memory should be checked, and executables there preferably should not be stored. All because access to this external memory (roughly speaking, to the microSD card) is possible from any other application.

So, in the translators Google and Yandex, researchers managed to cause the application to fail, replacing the data stored in the shared memory. In itself, this is not so terrible, but in other programs, it is theoretically possible to intercept control, and steal data. For example, in Xiaomi Browser, – it was possible to replace the application itself with a malicious copy, and all because of the browser stores temporary files in external memory.

Another security-armageddon, connected with Android, is expected thanks to the developer of the online game Fortnite. First, the version for Android is still in development, although for iOS the game is available. This has already led to the emergence of many web pages and videos, which tells how to download and install the game on the Android-smartphone – naturally, with some kind of Trojan and data theft in the end. Secondly, Epic Games decided not to upload the game to the Google Play app store so as not to pay Google a perceptible percentage of all user purchases. As a result, even those who honestly look for applications only in the official app store will be motivated to look elsewhere, and it’s good if they immediately go to the developer’s site. And if not? However, it will be quite easy to track the number of malware detections. According to the “Laboratory” for the first three months of this year, the protection software on Android has blocked 1 322 578 malicious applications. By the way, this is less than in the previous quarter. We continue our observation.