Wednesday, 15 August 2018

New Man-in-the-Disk attack leaves millions of Android phones vulnerable

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks.

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the 'External Storage' system to store app-related data; if that data is tampered with, the result can be code injection in the privileged context of the targeted application.

It should be noted that apps on the Android operating system can store their resources on the device in two locations—internal storage and external storage.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android's built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

How the Android Man-in-the-Disk Attack Works

Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative "would lead to harmful results."
For instance, researchers found that the Xiaomi web browser downloads its latest version to the device's external storage before installing the update. Since the app fails to validate the integrity of that data, the legitimate update code can be replaced with a malicious one.

"Xiaomi Browser was found to be using the External Storage as a staging resource for application updates," the researchers said in a blog post.

"As a result, our team was able to carry out an attack by which the application’s update code was replaced, resulting in the installation of an alternative, undesired application instead of the legitimate update."

In this way, attackers can gain a man-in-the-disk position, from which they can monitor data transferred between any other app on the user's smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash those apps.

The attack can also be abused to install another malicious app in the background without the user's knowledge, which can eventually be used to escalate privileges and gain access to other parts of the Android device, like camera, microphone, contact list, and more.
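As an added example (not part of the article or of Check Point's research), the following Python models the staging-on-external-storage pattern described above and shows the integrity check that stops a swapped file from being installed; the file name, the sample update bytes and the published digest are all constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: the "update" the app downloaded, and the digest the
# update server published alongside it over a trusted (HTTPS) channel.
LEGIT_UPDATE = b"PK\x03\x04 legitimate-update-apk-bytes (constructed sample)"
PUBLISHED_SHA256 = hashlib.sha256(LEGIT_UPDATE).hexdigest()


def stage_on_external_storage(staging_dir: str, payload: bytes) -> str:
    """Model of the risky step: the update is written to world-readable,
    world-writable external storage (simulated here by a temp directory)."""
    path = os.path.join(staging_dir, "update.apk")
    with open(path, "wb") as f:
        f.write(payload)
    return path


def install_unverified(path: str) -> bytes:
    """Pattern the article describes: whatever is on disk is used as-is."""
    with open(path, "rb") as f:
        return f.read()


def install_verified(path: str, expected_sha256: str) -> bytes:
    """Hardened pattern: read the staged file once, check the digest of the
    exact bytes that will be installed against the trusted value, then use
    those same bytes. Hashing a copy avoids a check-then-use window."""
    with open(path, "rb") as f:
        data = f.read()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("staged update failed integrity check; not installing")
    return data


def demo() -> dict:
    """Stage a legitimate update, simulate the file being rewritten on shared
    storage, and compare what each install path would accept."""
    with tempfile.TemporaryDirectory() as ext:
        path = stage_on_external_storage(ext, LEGIT_UPDATE)
        with open(path, "wb") as f:  # constructed: file altered after staging
            f.write(b"PK\x03\x04 substituted-apk-bytes (constructed sample)")
        unverified = install_unverified(path)
        try:
            install_verified(path, PUBLISHED_SHA256)
            verified_ok = True
        except ValueError:
            verified_ok = False
    return {"unverified_installs_tampered": unverified != LEGIT_UPDATE,
            "verified_rejects_tampered": not verified_ok}
```

Storing the update in the app's private internal storage, as Google's guidelines recommend, removes the shared-storage exposure entirely; the digest check remains useful wherever external storage cannot be avoided.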

Man-in-the-Disk Attack Video Demonstrations

Check Point researchers also managed to compromise files and crash Google Translate, Google Voice-to-Text, and Yandex Translate because those apps also failed to validate the integrity of data used from the Android's external storage.

Among the apps that Check Point researchers tested for this new MitD attack were Google Translate, Yandex Translate, Google Voice Typing, LG Application Manager, LG World, Google Text-to-Speech, and Xiaomi Browser.

Google, which itself doesn't follow its security guidelines, acknowledged and fixed some affected applications and is in the process of fixing other vulnerable apps as well, Check Point said.

Besides Google, the researchers also approached the developers of the other vulnerable applications, but some, including Xiaomi, declined to fix the issue, according to the researchers.

"Upon discovery of these application vulnerabilities, we contacted Google, Xiaomi, and vendors of other vulnerable applications to update them and request their response," Check Point researchers said.

"A fix to the applications of Google was released shortly after, additional vulnerable applications are being updated and will be disclosed once the patch is made available to their users, while Xiaomi chose not to address it at this time."

The researchers stressed that they tested only a small number of major applications and therefore expect the issue to affect a far larger number of Android apps than those they explicitly named, leaving millions of Android users potentially vulnerable.

Former Microsoft Engineer Gets Prison for Role in Reveton Ransomware

A former Microsoft network engineer who was charged in April this year has now been sentenced to 18 months in prison after pleading guilty to money laundering in connection with the Reveton ransomware.

Reveton is an older strain of ransomware, also known as scareware or police ransomware, that instead of encrypting files locks the screen of the victim's computer and displays a message purporting to come from a national law enforcement agency.

The malware's splash screen was designed to falsely tell unsuspecting victims that they had been caught doing something illegal or malicious online, or that law enforcement had found illegal material on their computer, pressuring them to pay a "fine" of $200-300 within 48 hours to regain access to their computers.

Raymond Odigie Uadiale, 41, who worked as a Microsoft network engineer, is not the actual author of the Reveton ransomware, but he helped the Reveton distributor, a UK resident identified by the online moniker "K!NG," cash out ransom money collected from victims in the form of Green Dot MoneyPak prepaid vouchers.

Uadiale, who was a student at Florida International University at the time of his crime in 2012 and 2013, was said to have acquired MoneyPak debit cards under the fake name of Mike Roland and received payments from victims of Reveton.

Using Liberty Reserve service, Uadiale then transferred $93,640 into accounts of his unnamed co-conspirator in the United Kingdom, after keeping his 30 percent cut.
Liberty Reserve was itself closed down by US authorities in May 2013, after its creator pleaded guilty to laundering hundreds of millions of dollars through the digital currency exchange and was sentenced to 20 years in prison.

In the Southern Florida US District Court on Monday, Uadiale was given an 18-month prison sentence and three years of supervised release, after he agreed to a plea agreement that dismissed the second count of substantive money laundering.

"The indictment charged Uadiale with one count of conspiracy to commit money laundering and one count of substantive money laundering. As part of the plea agreement, the government dismissed the substantive count."

"By cashing out and then laundering victim payments, Raymond Uadiale played an essential role in an international criminal operation that victimized unsuspecting Americans by infecting their computers with malicious ransomware," said Assistant Attorney General Brian Benczkowski.

Microsoft hired Uadiale as a network engineer after the conspiracy charged in the indictment, related to the ransomware scheme, had ended.