Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


Expensive free apps

Kaspersky Securelist - 33 min 1 sec ago

This post is the result of a collaboration between 11paths (Telefonica's Cybersecurity Global Unit) and Kaspersky Lab. Both companies have used their own expertise, researchers and tools, such as 11paths' Tacyt (Android app monitoring) and GReAT's internal tools and resources.

Big Brother and Google Play

Fraudulent apps that try to send premium SMS messages or to call premium-rate phone numbers are nothing new. In fact they are easy to find, especially in Spain, Russia and some other European countries. What is more interesting is how certain groups bypass detection mechanisms such as those used by Google Play, since that has become difficult to achieve in the past few years.

Some years ago it was fairly easy to upload a dialer (or a similar fraudulent app) to Google Play [1] [2], but new detection mechanisms forced attackers to focus on alternative markets, at least for a period of time.

Recently we found a Spanish group that successfully uploaded an unofficial app for the Big Brother (Gran Hermano) TV show, which is one of the most popular TV shows in Spain and has now been on the air for 16 years.

Analysis: cdd254ee6310331a82e96f32901c67c74ae12425

This was not a very sophisticated app, but they were able to get it into Google Play using an old trick. First they uploaded a clean and innocuous version that of course passed the Google Play security controls. Some days later a new version was uploaded with a major feature update, including subscription to paid services. The trick is extremely simple but it worked: the app stayed in Google Play for around two months (from mid-September to mid-November 2015).
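The reviewer-side counterpart of that trick, as an added example that is not code from the Securelist post or from the group it describes: diff the manifest of each new release against the release already approved, and escalate an update that suddenly acquires SMS or telephony capabilities. The two manifests below are constructed (the post does not publish the app's manifests or permission list), and the package name com.example.ghfan, the receiver name and the watchlist of permissions are assumptions for the illustration.

```python
"""Escalate an app update that adds billing-sensitive capabilities.

Added example; not code from the Securelist post or from the group it
describes. The two manifests are constructed and com.example.ghfan is a
hypothetical package name. The check mirrors the trick in the post: a
release that is innocuous, followed by an update that adds what premium
subscriptions need.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed watchlist: permissions that make premium-SMS / premium-call
# monetisation possible. Extend to match your own review policy.
BILLING_SENSITIVE = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifests: version 1 only needs the network.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ghfan" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="GH fan app">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Version 2 adds SMS permissions and a high-priority SMS receiver.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ghfan" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="GH fan app">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def manifest_profile(xml_text):
    """Pull the version code, declared permissions and every receiver that
    listens for incoming SMS out of a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms_receivers = set()
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if SMS_RECEIVED in actions:
            sms_receivers.add(receiver.get(ANDROID_NS + "name"))
    return {
        "version_code": int(root.get(ANDROID_NS + "versionCode", "0")),
        "permissions": perms,
        "sms_receivers": sms_receivers,
    }


def review_update(approved_xml, candidate_xml):
    """Compare a candidate release with the last approved one and list the
    capability changes that should send it back for manual review."""
    old, new = manifest_profile(approved_xml), manifest_profile(candidate_xml)
    added_perms = new["permissions"] - old["permissions"]
    findings = []
    risky = added_perms & BILLING_SENSITIVE
    if risky:
        findings.append("adds billing-sensitive permissions: " + ", ".join(sorted(risky)))
    new_receivers = new["sms_receivers"] - old["sms_receivers"]
    if new_receivers:
        # A high-priority SMS receiver is the classic way to intercept and
        # hide subscription confirmation messages from the user.
        findings.append("adds SMS_RECEIVED receiver(s): " + ", ".join(sorted(new_receivers)))
    return {
        "from_version": old["version_code"],
        "to_version": new["version_code"],
        "added_permissions": sorted(added_perms),
        "findings": findings,
        "escalate": bool(findings),
    }


if __name__ == "__main__":
    for line in review_update(MANIFEST_V1, MANIFEST_V2)["findings"]:
        print(line)
```

The same comparison can be run against the previous release in any store or enterprise app-review pipeline; an update that needs nothing new is cheap to approve, while a jump from INTERNET alone to SEND_SMS plus an SMS receiver is exactly the profile this group relied on going unnoticed.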

It seems this was not the first time this group tried to upload a Big Brother-themed app. Via Tacyt [3] we detected at least four other similar applications which, judging from some particular logging messages we found in the code, could have the same origin:

com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22;
com.granhermano162; from 2015-09-29 to 2015-11-14;
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11;
com.granh.gh16_3; from 2015-10-05 to 2015-10-15;
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed).

As mentioned above, this group was found to be using the specific string "caca" as a logging tag, which is unusual:

The word "caca" is a colloquial Spanish word for excrement (very similar to "poo" in English). It can be found in certain testing code, marking lines that should be removed later, but it is unusual to find it in such similar applications and used in the same way. Because of that, it makes sense to think that these applications were developed by the same group. Other strings and function names used in the code lead us to conclude that they were probably developed by native Spanish speakers.

This app uses several commercial third-party services, such as Parse.com for its first network communication. This first API call retrieves all the information needed to run further actions (URLs, authentication, etc.):

{
  "results": [
    {
      "Funcionamiento": " Ahora la única pestaña importante es la de VOT.",
      "action1": "http://tempuri.org/getPinCode",
      "action2": "http://tempuri.org/crearSubscripcion",
      "activa": "si",
      "createdAt": "2015-09-08T16:17:24.550Z",
      "estado": true,
      "id_categoria": "2608",
      "id_subscripcion": "400",
      "metodo1": "getPinCode",
      "metodo2": "crearSubscripcion",
      "namespace": "http://tempuri.org/",
      "nombreApp": "GH16 – españa",
      "numero_corto": "795059",
      "numero_sms": "+34911067088",
      "objectId": "tNREzkEocZ",
      "password": "15xw7v7u",
      "updatedAt": "2015-11-27T10:28:00.406Z",
      "url": "http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL",
      "urlcode": "http://spamea.me/getcode.php?code=",
      "usuario": "yourmob",
      "vot": true
    }
  ]
}

As we can see above, it references several URLs:

spamea.me is a service that no longer existed at the time of writing, but it used to be hosted on 107.6.184.212, which seems to be a hosting service shared with many other websites.

ws.alertas.aplicacionesmonsan.net is a legitimate service focused on mobile monetization, including premium SMS and direct carrier billing. The app uses it to subscribe the user to a service called "yourmob.com".

Of course, using paid services is not malicious in itself, since companies can legitimately bill for their services, but the user should be clearly informed of the service's cost and conditions beforehand.

Although we found a reference to "Terms and Conditions" (in Spanish) pointing to the website servimob.com, we could not verify that this information is shown to users, and in any case users have no opportunity to reject the agreement and avoid being subscribed.
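The bootstrap response quoted above is the most useful artefact the sample hands an analyst, because it carries every host, number and credential the subscription flow depends on. The following added example (not code from the post, the app or its back end) triages such a Parse.com response into indicators: it walks the JSON, separates real network endpoints from the tempuri.org placeholders that .NET SOAP services use as action names, and pulls out the short code, the SMS number and the service credentials. The response string is the one quoted in the post, re-typed with straight quotes; the field names are the ones that appear there, and the classification rules (which keys count as credentials, what shape a phone number has) are assumptions of this example.

```python
"""Triage the Parse.com bootstrap config fetched by the app into indicators.

Added example; not code from the Securelist post or from the app. The JSON
is the response quoted in the post, re-typed with straight quotes. The
classification heuristics below (credential key names, phone-number shape,
placeholder hosts) are this example's own assumptions.
"""
import json
import re
from urllib.parse import urlsplit

CONFIG_RESPONSE = r'''{"results":[{"Funcionamiento":" Ahora la única pestaña importante es la de VOT.","action1":"http://tempuri.org/getPinCode","action2":"http://tempuri.org/crearSubscripcion","activa":"si","createdAt":"2015-09-08T16:17:24.550Z","estado":true,"id_categoria":"2608","id_subscripcion":"400","metodo1":"getPinCode","metodo2":"crearSubscripcion","namespace":"http://tempuri.org/","nombreApp":"GH16 – españa","numero_corto":"795059","numero_sms":"+34911067088","objectId":"tNREzkEocZ","password":"15xw7v7u","updatedAt":"2015-11-27T10:28:00.406Z","url":"http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL","urlcode":"http://spamea.me/getcode.php?code=","usuario":"yourmob","vot":true}]}'''

# tempuri.org is the default placeholder namespace of .NET web services. The
# app never connects to it; these URLs are SOAPAction names, not endpoints.
PLACEHOLDER_HOSTS = {"tempuri.org"}
# Assumed shape of a short code or E.164 number: optional '+', 5-15 digits.
PHONE_RE = re.compile(r"^\+?\d{5,15}$")
# Assumed key names under which this kind of config stores service credentials.
CREDENTIAL_KEYS = {"usuario", "user", "username", "password", "pass", "clave"}


def _walk(obj):
    """Yield (key, value) for every scalar in a nested JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                yield from _walk(value)
            else:
                yield key, value
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def extract_indicators(raw_json):
    """Return network hosts and URLs, phone numbers, SOAP action/namespace
    references and credentials found in a config blob, keyed by type."""
    doc = json.loads(raw_json)
    out = {"hosts": set(), "urls": set(), "phones": set(),
           "soap_refs": set(), "credentials": {}}
    for key, value in _walk(doc):
        if not isinstance(value, str):
            continue
        if value.startswith(("http://", "https://")):
            host = urlsplit(value).hostname
            if host in PLACEHOLDER_HOSTS:
                out["soap_refs"].add(value)
            else:
                out["hosts"].add(host)
                out["urls"].add(value)
        elif PHONE_RE.match(value):
            out["phones"].add(value)
        elif key.lower() in CREDENTIAL_KEYS:
            out["credentials"][key] = value
    return out


if __name__ == "__main__":
    indicators = extract_indicators(CONFIG_RESPONSE)
    for kind in ("hosts", "urls", "phones", "soap_refs"):
        for item in sorted(indicators[kind]):
            print(f"{kind:10} {item}")
    print("credentials", sorted(indicators["credentials"]))
```

The hosts and numbers are what goes into blocklists and carrier abuse reports; the credentials are worth recording separately, because the same "usuario"/"password" pair reappearing in another app's config is a stronger link between samples than a shared hostname.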

Presence outside Google Play

It makes sense that a group that has managed to get this kind of app into Google Play would try something similar through other app sources (thanks to Facundo J. Sánchez, who spotted this).

Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4

This app worked slightly differently. It uses other third-party services and sends premium SMS messages for monetization. It receives from the server which number to use, for how many seconds, and whether the screen should be on or off.

We found that it uses very similar words for comments and method names (most of them in Spanish, including "caca"), the same topic (Big Brother), references to "yourmob" and much more, so we can definitely link it to the Spanish group mentioned above.

One of the web services used by this application (http://104.238.188.38/806/) exposed a control panel showing information about the people using the app:

As you probably know, groups developing this kind of app usually reuse their servers and supporting infrastructure for multiple apps, for example this one:

https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/

It was also using the VPS http://vps237553.ovh.net. Some of the panels and services provided by the VPS were located at:

http://vps237553.ovh.net/nexmo/getcode.php?code=
http://vps237553.ovh.net/polonia/autodirect1.php
http://vps237553.ovh.net/polonia/autodirect2.php
http://vps237553.ovh.net/polonia/guardar_instalacion.php
http://vps237553.ovh.net/polonia/guardar_numero.php
http://vps237553.ovh.net/polonia/guardar_numero.php?androidID=
http://vps237553.ovh.net/polonia/guardar_sms.php
http://vps237553.ovh.net/polonia/push_recibido.php
http://vps237553.ovh.net/polonia/panel.php
http://vps237553.ovh.net/nexmo/

As we can see in their control panel, they have been quite successful in terms of spread, since there are phones registered from many different countries (Spain, the Netherlands, Poland, etc.).

In addition, an iterative search on terms such as IP addresses, unique paths, etc. has shown that other apps could be using the same supporting infrastructure shown above, including the following IP addresses and domain names:

In particular, 45.32.236.127 was pointed to by several different domain names in the past months:

  • kongwholesaler.tk (2016-05-22)
  • acc-facebook.com (2016-04-11)
  • h-instagram.com (2016-04-11)
  • msg-vk.com (2016-04-11)
  • msg-google.ru (2016-04-10)
  • msg-mail.ru (2016-04-10)
  • iwantbitcoins.xyz (2015-11-04)

These domains have probably been used for fraudulent activities such as phishing, since they closely resemble well-known legitimate services.

Something that caught our attention was that "vps237553.ovh.net", used by one sample and resolving to 51.255.199.164, was also used at some point (June 2016 according to our passive DNS) by the "servimob.com" domain (the same domain referenced in the app from Google Play).
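The iterative search described in this section (pivot on IPs, hostnames and unique strings, then fold passive-DNS resolutions into the pivot) is mechanical enough to script. The following added example, which is not code from the post or from either company's tooling, links samples with a union-find over two kinds of evidence: shared infrastructure (a hostname or IP in common, or two hostnames that passive DNS shows on the same server) is a strong link, while shared code strings such as the "caca" log tag are weak and need at least two matches. The per-sample indicator sets are constructed from the indicators the post names for each sample and are illustrative rather than a full inventory of each binary; the passive-DNS rows are the resolutions the post describes; the control sample, its all-zero hash and updates.example.net are hypothetical. It also handles the edge case the post itself raises: 107.6.184.212 is shared hosting, so resolving to it is never treated as a link.

```python
"""Link samples through shared infrastructure and passive-DNS overlap.

Added example; not code from the Securelist post. Per-sample indicator sets
are constructed from the indicators the post names (hostnames, IPs, the
"caca" log tag, the "yourmob" string) and are illustrative. The control
sample, its hash and updates.example.net are hypothetical.
"""
from collections import defaultdict
from itertools import combinations

GPLAY_APP = "cdd254ee6310331a82e96f32901c67c74ae12425"
OUTSIDE_APP = "9b47070e65f81d253c2452edc5a0eb9cd17447f4"
VT_SAMPLE = "cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a"
CONTROL = "0000000000000000000000000000000000000000"  # hypothetical unrelated app

# Constructed: network indicators found in each sample.
INFRA = {
    GPLAY_APP: {"spamea.me", "ws.alertas.aplicacionesmonsan.net", "servimob.com"},
    OUTSIDE_APP: {"104.238.188.38"},
    VT_SAMPLE: {"vps237553.ovh.net"},
    CONTROL: {"updates.example.net"},
}
# Constructed: code-level strings. Weak on their own ("yourmob" is a real
# billing service that honest apps may reference), so two matches are required.
STRINGS = {
    GPLAY_APP: {"caca", "yourmob"},
    OUTSIDE_APP: {"caca", "yourmob"},
    VT_SAMPLE: set(),
    CONTROL: {"yourmob"},
}
# (hostname, ip) resolutions as described in the post.
PASSIVE_DNS = [
    ("vps237553.ovh.net", "51.255.199.164"),
    ("servimob.com", "51.255.199.164"),
    ("spamea.me", "107.6.184.212"),
]
# IPs the post identifies as shared hosting: resolving there links nothing.
SHARED_HOSTING = {"107.6.184.212"}


def pivot_keys(indicators, pdns, noisy_ips=SHARED_HOSTING):
    """Indicators plus every non-shared IP their hostnames resolved to, so two
    samples naming different hostnames on one server still share a key."""
    keys = set(indicators)
    for host, ip in pdns:
        if host in indicators and ip not in noisy_ips:
            keys.add(ip)
    return keys


class UnionFind:
    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def link_samples(infra, strings, pdns, min_shared_strings=2):
    """Return (clusters, edges). Each edge is (a, b, kind, shared_evidence)."""
    keys = {s: pivot_keys(ind, pdns) for s, ind in infra.items()}
    uf = UnionFind(infra)
    edges = []
    for a, b in combinations(sorted(infra), 2):
        shared_infra = keys[a] & keys[b]
        shared_strings = strings.get(a, set()) & strings.get(b, set())
        if shared_infra:
            uf.union(a, b)
            edges.append((a, b, "infrastructure", sorted(shared_infra)))
        elif len(shared_strings) >= min_shared_strings:
            uf.union(a, b)
            edges.append((a, b, "code-strings", sorted(shared_strings)))
    clusters = defaultdict(set)
    for sample in infra:
        clusters[uf.find(sample)].add(sample)
    return [sorted(c) for c in clusters.values()], edges


if __name__ == "__main__":
    clusters, edges = link_samples(INFRA, STRINGS, PASSIVE_DNS)
    for a, b, kind, shared in edges:
        print(f"{a[:12]} <-> {b[:12]}  {kind}: {shared}")
    for cluster in clusters:
        print("cluster:", [s[:12] for s in cluster])
```

Run as written, the Google Play app and the VirusTotal sample join through 51.255.199.164 (servimob.com and vps237553.ovh.net on the same server), the app found outside Google Play joins only through the code-string evidence, and the control app, which shares just "yourmob", stays on its own. Every new indicator (a domain from the 45.32.236.127 list, a new passive-DNS row) is one more entry in INFRA or PASSIVE_DNS, which is the iteration the section describes.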

Back to Google Play

As you might imagine, they tried again to upload new apps to Google Play, following a philosophy and techniques similar to those we have seen before.

e49faf379b827ee8d3a777e69f3f9bd3e559ba03
11a131c23e6427dd7e0e47280dd8f421febdc4f7

These apps were available in Google Play for a few weeks in September 2016, using similar techniques, especially to those of the applications we found outside Google Play.

Conclusions

This Spanish group has been quite successful at getting this kind of app into Google Play, using popular topics such as the Big Brother TV show. Spain and Poland are two countries traditionally targeted by SMS scams and similar malware. However, in the past few years we have not seen any other group able to upload apps to legitimate markets so easily. Perhaps the key point is that they try to stay close enough to the border between a legitimate business and a malicious one.

Source Code for another Android Banking Malware Leaked

The Hacker News - 1 hour 7 min ago
More bad news for Android users: source code for another Android banking malware has been leaked online via an underground hacking forum. This newly discovered banking Trojan is designed to steal money from the bank accounts of Android device owners by gaining administrator privileges on their smartphones. Apparently, it will attract the attention of many cyber criminals who can recompile
Category: Hacking & Security

Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain

The Hacker News - 22 January 2017 - 10:09
A Russian computer hacker wanted by the FBI on hacking allegations was arrested and jailed in Spain earlier this week, while a decision on his extradition to the United States has yet to be made. Officers of the Guardia Civil, the Spanish law enforcement agency, detained 32-year-old Stanislav Lisov at Barcelona–El Prat Airport based on an international arrest warrant issued by Interpol at the
Category: Hacking & Security

Russian hackers took down the website of the Africa Cup of Nations

Novinky.cz - security - 22 January 2017 - 07:47
A group of Russian hackers claimed on Saturday that it had knocked the website of the ongoing Africa Cup of Nations football championship offline. They are protesting against the tournament being held in Gabon, where President Ali Bongo has held on to power after last year's elections and the unrest that followed.
Category: Hacking & Security

Mozilla’s First Internet Health Report Tackles Security, Privacy

Threatpost - 21 January 2017 - 15:00
Mozilla released its first Internet Health Report, examining the dangers of over-sharing eroding privacy, and the security of connected devices.
Category: Hacking & Security

Explained — What's Up With the WhatsApp 'Backdoor' Story?

The Hacker News - 21 January 2017 - 11:51
What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data," whether the backdoor is in an encryption algorithm, a server or an implementation, and regardless of whether it has previously been used or not. Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that
Category: Hacking & Security

Lavabit — Encrypted Email Service Once Used by Snowden, Is Back

The Hacker News - 21 January 2017 - 09:41
Texas-based encrypted email service 'Lavabit,' which was forced to shut down in 2013 after not complying with a court order demanding access to SSL keys to snoop on Edward Snowden's emails, is relaunching on Friday. Lavabit CEO Ladar Levison had custody of the service's SSL encryption key, which could have helped the government obtain Snowden's password. Although the FBI insisted it was only
Category: Hacking & Security

Already on probation, Symantec issues more illegit HTTPS certificates

Ars Technica - 20 January 2017 - 22:40

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.

Many of the improperly issued certificates—which contained the string "test" in various places in a likely indication that they were created for test purposes—were revoked within an hour of being issued. Still, the move represents a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing.

Category: Hacking & Security

Coalition of Cryptographers, Researchers Urge Guardian to Retract WhatsApp Story

Threatpost - 20 January 2017 - 21:31
A coalition of researchers and cryptographers is urging the Guardian to retract a story it published last week which suggested the encrypted messaging app WhatsApp contained a backdoor.
Category: Hacking & Security

Hadoop, CouchDB Next Targets in Wave of Database Attacks

Threatpost - 20 January 2017 - 20:18
Insecure Hadoop and CouchDB installations are the latest attack targets of cybercriminals who are hijacking and deleting stolen data.
Category: Hacking & Security

How A Bug Hunter Forced Apple to Completely Remove A Newly Launched Feature

The Hacker News - 20 January 2017 - 19:36
Recently Apple released a new feature for iPhone and iPad users, but it was so buggy that the company had no option other than rolling back the feature completely. In November, Apple introduced a new App Store feature, dubbed the "Notify" button: a bright orange button that users can click if they want to be alerted via iCloud Mail when a game or app becomes available on the App Store.
Category: Hacking & Security

Hack the Army Bounty Pays Out $100,000; 118 Flaws Fixed

Threatpost - 20 January 2017 - 19:00
The U.S. Army released the results of its Hack the Army bug bounty, and said that close to $100,000 was paid out, and 118 unique and actionable vulnerabilities were reported.
Category: Hacking & Security

Threatpost News Wrap, January 20, 2017

Threatpost - 20 January 2017 - 17:50
Mike Mimoso, Tom Spring, and Chris Brook discuss what, security-wise, they hope will and won't change under a Trump presidency, then discuss the news of the week, including SHA-1 deprecation, Carbanak's return, and the WhatsApp "backdoor" debacle.
Category: Hacking & Security

Protestors urged to try and swamp White House website

Sophos Naked Security - 20 January 2017 - 17:23
As the inauguration of Donald Trump gets under way in Washington DC, one activist is calling for a DIY DDoS-style attack - which may not be legal

Meitu app is all the rage, but privacy concerns abound

Sophos Naked Security - 20 January 2017 - 17:02
Be aware of what the viral selfie-enhancing app is collecting, which includes Wi-Fi, SIM card, GPS location and cell data

Megaviral Meitu “beauty” app’s data grab is anything but skin-deep

Ars Technica - 20 January 2017 - 14:54

Our editor, Sebastian, finally achieves self actualisation through technology. (credit: Sebastian Anthony)

A Chinese app which allegedly makes selfies look more attractive—or more like an anime character, at any rate—has a dark secret: it demands permissions for far more personal data than it needs, including users' IMEIs, phone numbers, and GPS coordinates.

Meitu, an app which has been out for years on both iOS and Android in China, has shot to fame outside the country in the last few weeks, due to the "beauty" filters it can apply to people's selfies. Among other functions, it can sharpen people's jaws, put a sparkle in their eyes, and smooth out and lighten their skin.

The result? Meitu-filtered pictures are suddenly everywhere. The backlash, however, has been just as swift.

Category: Hacking & Security

Alleged child molester caught after 18 years thanks to facial recognition

Sophos Naked Security - 20 January 2017 - 14:22
FBI database throws up a hit after alleged attacker applied for a passport using a stolen identity

Adding a Section to PE Binary

InfoSec Institute Resources - 20 January 2017 - 14:00
Let's take a look at expanding PE-formatted binaries by hand. I was working on a project back in 2004 when we were required to add some interoperability for a program. One of the problems we ran into was that we needed space to make the modifications we needed, and it was decided that […]
Category: Hacking & Security

API Call Logging Part I

InfoSec Institute Resources - 20 January 2017 - 14:00
API call logging is a mechanism for logging the API calls made by an application. In this series, we are going to learn how to develop an API call logger using the Windows API. Windows provides a feature for instrumenting applications known as the Windows debugging API: a set of calls that provide an interface for instrumentation. […]
Category: Hacking & Security