More Security Vulnerabilities Disclosed for Android and iPhones, as well as Carriers by Ira Wilsker


If you are like me, I carry my cell phone everywhere, carrying on voice conversations, sending and receiving text messages, utilizing countless apps, and surfing the web. Until recently, I gave very little heed to the security of these external communications as our smart devices are supposed to be somewhat secure. GSM carriers, such as AT&T and T-Mobile, utilize encryption to make communications secure; CDMA carriers, such as Sprint and Verizon, also claim to have secure networks. Yes, I do have a major security app on my Android phone which scans new apps and text messages for malware, as well as protects from hazardous websites. Google created Android to be secure, with apps running in a somewhat closed memory space, called by some a “sandbox”, which is supposed to prevent purloined apps from taking over the phone. iPhone fanatics, along with many Apple fans in general, believe that their devices are immune to attack, as Apple would not dare to allow any threats to harm their beloved devices.

Welcome to the world of stark reality. In a recent column I wrote about two newly revealed vulnerabilities that may threaten the security, safety and privacy of nearly a billion smart phones and tablets, known as “Stagefright” and “Certifi-gate”. Since those vulnerabilities were announced in recent weeks, several others have come forward demonstrating previously unannounced additional security vulnerabilities that threaten the security of our smart phones, often including both iPhones and Android devices in their threat assessments.

One of these newly disclosed threats explicitly targets the most technologically innocent and uninformed among us, and is appropriately called “grandma malware”. This clever piece of malware sneaks onto “granny’s” phone using a compound method of infection designed to defeat many of the simple security precautions that the most vulnerable users are often blissfully unaware of. While recently updated web browsers and desktop security software, as well as updated phone operating systems, have likely patched the vulnerabilities, granny’s often older and unpatched computer and phone may be vulnerable. The first step in the infection sequence occurs when the victim downloads an innocent-looking app, often a game or simple photo utility, onto their desktop or laptop computer, using any one of the older versions of most of the common desktop internet browsers, which are still in wide use. This small utility, explicitly designed to appeal to “grandma”, does not itself contain any malware, and will pass the scrutiny of many of the less sophisticated desktop security products. This utility sits quietly and apparently innocently on the victim’s computer, often performing its intended tasks. The app surreptitiously monitors “granny’s” web surfing until she logs on to an app store, such as the Google Play Store. The malicious utility captures the logon and connection information from the browser-connected app store; with this information, the malware is invisibly downloaded wirelessly to the smart device, installing itself on “granny’s” phone. Once installed on the phone, this malicious app immediately gathers personal data from the phone, and sends it to parties unknown. Even if this malware is detected and removed in a subsequent security scan by a third-party security utility, it is too late; all of the personal information was stolen within seconds of the app being installed on granny’s phone. Granny’s private information has just been stolen, and granny might very well become an identity theft victim; as is common in criminal enterprises, the most vulnerable among us are the softer targets, and thus more likely to be victimized.

Despite the travesty of purposely going after granny, it is not one of the most insidious newly announced threats imperiling our smart phone usage. In recent days, a pair of IBM cyber security analysts, Or Peles and Roee Hay, uncovered a flaw in the Android operating system still being used in over a half-billion Android smart phones. This vulnerability, not yet formally named, is referred to as a type of “masque” attack, where hackers can take over and remotely control vulnerable Android phones. According to these researchers, “Masque attacks are defined as malicious apps uploaded, say, from emails directing victims to fake web links.” According to Peles and Hay, Google has issued patches for devices running Android 5.1, 5.0, 4.4, and Android M, but as is often the case for many Android devices (except some Nexus phones), it is up to the phone manufacturer or cell phone carrier to push these patches to their users, meaning that although the patches are available, over half of Android phones do not yet have the patches installed.

This “masque” attack vulnerability allows hackers to control the security privileges which are a part of the Android operating system, allowing compromised or counterfeit apps to access information on the phone which would otherwise be unavailable to the hacker. According to the researchers, this vulnerability allows the data thieves to steal personal information, capture banking information including logins and passwords, access the phone’s cameras, download contact lists, and pilfer stored files and emails, sending the stolen information to a remote server. While this particular Android vulnerability was recently discovered by IBM cyber security experts, it is very similar to one discovered several months ago by FireEye, that explicitly targets Apple’s iPhones. The mechanism and modus operandi, as well as the data thefts are almost identical between the Android and iPhone vulnerabilities.

A “masque” attack can occur when smart phone users download any of eleven authentic-looking, but counterfeit or contaminated apps that also tend to appear to work properly when downloaded and installed. Among the most commonly downloaded iPhone and Android apps that enable this vulnerability are modified copies of Facebook, Twitter, and WhatsApp. According to FireEye, iPhones are as vulnerable to these masque attacks as Android devices. According to Zhaofeng Chen, a senior research engineer and scientist at FireEye, the eleven tainted apps that most threaten Apple devices are, “WhatsApp, Twitter, Facebook, Facebook Messenger, Google Chrome, Blackberry Messenger, Skype, WeChat, Viber, Telegram, and VK.” These apps are often downloaded from genuine-appearing links in emails or SMS text messages, and mimic the functionality of the genuine app, but allow for remote access to this valuable personal content. FireEye was quoted as stating that this iPhone vulnerability can steal or access a variety of information from compromised phones. The dastardly deeds that this masque vulnerability can perform include recording and forwarding phone calls placed on Skype, WeChat, and other voice apps; intercepting text and SMS messages from iMessage, WhatsApp, Facebook Messenger, Skype, and other SMS apps; sending real-time and historical GPS locations; accessing website histories; stealing contact information and lists; and downloading photos from the phone. Apple has created patches and upgrades closing this vulnerability, and pushed these patches to many of its users, but there are inevitably iOS device users who have not received or installed these patches.

In recent days, on the Australian version of the “60 Minutes” news magazine, another cell phone vulnerability was demonstrated where hackers in Germany were easily able to listen in on a cell phone chat between individuals in Australia and the UK. This ability to readily capture live calls is known as the “SS7 Vulnerability”. SS7 technology is widely used, legitimate and necessary for cell phone carriers to properly direct calls and text messages to their intended recipients. ComputerWeekly.com describes this as, “SS7 is a protocol used by telecommunication providers to direct calls and text messages between providers. Like any protocol, SS7 is vulnerable to exploitation by sophisticated and well-funded third parties with criminal intentions. …” In another ComputerWeekly.com story titled “Security flaw exposes billions of mobile phone users to eavesdropping”, the online magazine says, “Hackers, fraudsters, rogue governments and unscrupulous commercial operators are exploiting flaws in the architecture of the mobile phone signalling system known as SS7. … Billions of mobile phone users around the world are at risk from covert theft of data, interception of their voice calls and tracking of their location.” SS7 is not a vulnerability in the phones themselves, as the vulnerability is not brand or operating system dependent, impacting Android, iPhone, Blackberry, and other systems equally, but is in reality a vulnerability in the switching system utilized by the cell carriers themselves.

For those of us who routinely use our Android, iOS, or Blackberry devices without much thought about the inherent security vulnerabilities of our phones and our cellular carriers, we might want to keep at least a spark of consideration in mind every time that we use our devices. While I am fully cognizant of the risks, I will continue to use my smart devices pretty much as I have in the past.

WEBSITES:

  1. http://www.foxbusiness.com/technology/2015/08/14/new-cyber-hacks-for-mobile-hacks-discovered/
  2. http://www.komando.com/happening-now/320997/watch-out-for-grandma-malware
  3. http://www.dailymail.co.uk/news/article-3199978/Hackers-access-call-message-send-world-moment-German-computer-experts-just-easy-eavesdrop-smartphone.html
  4. http://www.computerweekly.com/news/4500251809/Mobile-phone-users-at-risk-as-hackers-bug-and-track-victims
  5. http://securityaffairs.co/wordpress/22605/hacking/fireeye-discovered-apple-vulnerability-allows-ios-keylogging.html
  6. http://www.computerweekly.com/news/4500251756/Security-flaw-exposes-billions-of-mobile-phone-users-to-eavesdropping
  7. http://media.ccc.de/browse/congress/2014/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel.html#video
  8. https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
  9. http://www.reuters.com/article/2014/11/10/us-apple-cybersecurity-idUSKCN0IU1W620141110
