Trend Micro TrendLabs Malware Blog, July 2015
    A new breed of cybercriminals has surfaced in China. They are bolder and more reckless than their more experienced veteran counterparts. All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a trail of traceable contact details online. They find and share readily available code and use those to make their own malware. It’s these same teens that are causing a surge in mobile ransomware in the Chinese underground market.

    A younger mobile ransomware landscape

    These young cybercriminals’ reckless foray into cybercrime was probably emboldened by the weak enforcement of existing local laws and—highly likely—teen bravado.

    We first noticed these cybercriminal upstarts while monitoring a particular Android ransomware, ANDROIDOS_JIANMO.HAT. This variant makes it impossible for a user to access his device since it locks the screen, restricting any kind of user activity.

    Going underground, we found that there are more than a thousand variants of this malware. About 250 of these contained information about the malware creator, including their contact details and their ages, which range from 16 to 21.


    Figure 1. QQ (Chinese messaging service) account profiles of the malware creators, including age (last row)

    Examining these variants, it became apparent that they all came from a single source code that was widely distributed in underground forums. In the image below, we can see the two versions of the ransomware lock screen. The original version on the left has text fields with jokes. The modified version on the right contains the information ransomware victims can use to contact their extortionist. In this case, the extortionist left a QQ group account.


    Figure 2. The malware on the right contains a message (in red) that coyly states “If you want to unlock it, do not contact QQ group account [number]”

    It’s possible that the original was simply a prototype, since it didn’t contain any information regarding payment. But after the code was distributed in the underground, it became the foundation for ransomware variants. All that was left for the teen cybercriminals to do was to input their contact details.

    Currently, these cybercriminals are demanding payments that range from US$5-10. While this might seem cheap compared to other ransomware variants, it’s highly possible that they will demand more in the future. It’s also possible that they keep the price low because they have a lot of victims.

    Spreading the infection

    As we’ve previously noted, the Chinese cybercriminal underground offers several training services. So-called masters train interested apprentices, passing on their knowledge of hacking and the like. These teens follow the same setup: on top of their ransomware activities, they also offer tutorial services.


    Figure 3. Forum post advertising malware tutorials

    These cybercriminals rely on two methods to distribute their malware. First, they lurk in public forums, looking for posts about app recommendations. Should anyone request app recommendations, they post links pointing to the malware. Second, these malware tutors can make their apprentices distribute the malware in lieu of a “tuition fee.”


    Figure 4. Distributing malware through app recommendations

    We looked into some individuals who have entered into this type of venture. The first is one of the earliest recorded makers of the JIANMO malware, a 19-year-old from China. From JIANMO, he has since moved on to other ransomware. His newer malware, detected as ANDROIDOS_BZY.HBT, adds features like a device administrator lock, which gives it effective control over the device. Victims only receive a text message with unlocking details once they pay. We have seen hundreds of online posts asking for help cleaning it.

    Figure 5. QQ profile of the 19-year-old ransomware creator, containing a signature that says “providing remote unlock support” (top), and his latest malware, disguised as “Android Performance Booster” (bottom)

    We found another malware creator with a similar business. This creator heads a group of apprentices whom he tutors and uses to distribute malware. The figure below is the QQ profile of the group. It contains information such as the fact that the group is based in Xi’an, China, and a breakdown of its membership: for example, 79% of the members are male, 6% are in Xi’an, and 62% were born in the 90s.

    Figure 6. “Study group” for malware creation and distribution, where 62% of the members were born in the 90s

    Figure 7. Malware shared internally by the group

    Information made available and accessible

    As we mentioned earlier, these cybercriminals aren’t truly concerned with covering their tracks. They often use their IM accounts, like those for QQ, to contact their victims. These QQ accounts are usually their personal ones, meaning anyone can find out their real identities. Of course, it would be all too easy to fake the information posted on a QQ profile. But given that we have seen young people involved in other cybercrime operations, having 19-year-old cybercriminals is highly plausible.

    We were even able to gain access to the email account used by the mobile ransomware we detect as ANDROIDOS_GREYWOLF.HBT, because its creator embedded both the email account and its password in the malware. This ransomware was made by the creator of the “study group” just mentioned. It pretends to be a love declaration app, designed to lure users into downloading and running the malware. For each victim it generates a random serial number and unlock key pair and sends them back to the creator’s email.
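The contact details and mailbox credentials described above are exactly what an analyst pulls out of a family’s variants to group them by operator. The following Python is an added example, not code from the post or from Trend Micro: it runs over string dumps of four constructed (made-up) variants, extracts QQ numbers, e-mail addresses and password-like constants, clusters samples by shared contact identifier, and flags samples that ship a mailbox address together with a password, the mistake that exposed the GREYWOLF creator’s account. The sample strings, the `smtp`/`password=` key names and the variant file names are assumptions; real dumps would come from `strings` over classes.dex or from decompiled sources.

```python
import re
from collections import defaultdict

# Contact identifiers the post describes: QQ numbers in lock-screen text and e-mail accounts.
QQ_RE = re.compile(r"(?i)\bqq\s*(?:group|群)?\s*[:：]?\s*(\d{5,11})")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Password-like constants; the key names are assumptions about how a developer might embed them.
PASSWORD_RE = re.compile(r"""(?i)\b(?:smtp_?pass(?:word)?|password|passwd|pwd)\s*[=:]\s*["']?([^\s"']{4,})""")

# Constructed string dumps for hypothetical variants (not real samples).
SAMPLES = {
    "variant_a.apk": [
        "Your phone is locked. To unlock, contact QQ group 123456789",
        "com.example.locker.LockActivity",
    ],
    "variant_b.apk": [
        "If you want to unlock it, do not contact QQ 123456789",  # same operator, edited lock text
        "mail.smtp.host=smtp.example.com",
        "user=lockmaster@example.com",
        "password=Summer2015!",
        "android.app.action.ADD_DEVICE_ADMIN",
    ],
    "variant_c.apk": ["Unlock: QQ群 987654321", "com.example.locker.LockActivity"],
    "variant_d.apk": ["Why did the chicken cross the road?", "com.example.locker.LockActivity"],
}


def extract_contacts(strings):
    """Return the QQ numbers, e-mail addresses and password-like constants found in a dump."""
    found = {"qq": set(), "email": set(), "password": set()}
    for s in strings:
        found["qq"].update(QQ_RE.findall(s))
        found["email"].update(EMAIL_RE.findall(s))
        found["password"].update(PASSWORD_RE.findall(s))
    return found


def cluster_by_contact(samples):
    """Map each contact identifier (qq:<number>, email:<address>) to the samples carrying it.

    Variants that share an operator's contact details end up in the same cluster even
    when the lock-screen text around the number was edited."""
    clusters = defaultdict(set)
    for name, strings in samples.items():
        contacts = extract_contacts(strings)
        for qq in contacts["qq"]:
            clusters["qq:" + qq].add(name)
        for mail in contacts["email"]:
            clusters["email:" + mail].add(name)
    return {key: sorted(names) for key, names in clusters.items()}


def samples_with_embedded_mail_credentials(samples):
    """Samples that ship both a mailbox address and a password-like constant (GREYWOLF's mistake)."""
    result = []
    for name, strings in samples.items():
        contacts = extract_contacts(strings)
        if contacts["email"] and contacts["password"]:
            result.append(name)
    return sorted(result)


if __name__ == "__main__":
    for key, names in sorted(cluster_by_contact(SAMPLES).items()):
        print(f"{key}: {', '.join(names)}")
    print("embedded mail credentials:", samples_with_embedded_mail_credentials(SAMPLES))
```

Variant D, like the joke-filled prototype in Figure 2, yields no identifiers and stays unclustered; the analyst pivots on the clusters that do form.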

    Figure 8. Ransomware serial number and unlock code sent from victims’ device

    Figure 9. Sample transaction email with a victim

    Furthermore, these cybercriminals favor payments made via Alipay, WeChat, and bank transfers. This is a marked departure from the current trend of using cryptocurrency to obscure illegal activity.

    Security practices

    Since the start of the year, we have seen more than 20 new mobile ransomware families, with one malware now having 1,000+ versions and offshoots. For users, this translates to a bigger probability of encountering ransomware while online.

    To ensure that your downloaded apps are legitimate and not malware, you should only rely on official app stores and developers’ websites. Asking for app recommendations in forums is fine, so long as you don’t click on provided links. It’s better to search for the app itself than rely on a link posted by a stranger.

    Before downloading any app, double-check its developer and read the app reviews carefully to verify the app’s legitimacy. On-device security solutions like Trend Micro Mobile Security can add a layer of protection against threats like these.

    With additional insight from Lion Gu.

    Here are the SHA1 hashes related to the mobile malware reported above:

    ANDROIDOS_JIANMO.HAT

    • 6828d9e301b190c5bbf7b6c92627ebf45a898f0f
    • b2c1b0738fbfb21c1905322d434c5958be889e73
    • c600fc7b3828f2dbbbac46a290390a50c0c605f9
    • d0af92d32f35ea6ce10bbab5e350cbccc1360f86

    ANDROIDOS_GREYWOLF.HBT

    • 007830d17abf70b4e5d2194f3aa1a628cb4a70f2
    • f3c1cf6b96c1eb92f43dda545575d2b4a15af6a7

    ANDROIDOS_BZY.HBT

    • 3d0e995d4a795ab4c59b4285f62c4c4585c11fa6
    • 4da1062ededceb523a886690515b48167b608753
    • 65c66561ad8b5c719d6a9b6df6d9025048a8057b
     

    Are professional social media sites the weak link in companies’ security strategies?

    Before (and during) a targeted attack, information about the target organization and its employees is useful to an attacker. This can be used to craft well-designed social engineering attacks that are more likely to be opened by its targets. It can also provide more information about the targets themselves, allowing the attacker to decide which individuals in an organization should be targeted.

    Social media sites like Facebook and Twitter are a valuable source of information. Other publicly-facing sites (such as those of the target organization) can also contain details that can prove useful. However, one valuable source of generally private information may be unappreciated: professional social media sites.

    Like other social media sites, professional social networks encourage their users to share information. Unfortunately, the nature of the information shared on these networks — employment history, job titles, and so on — makes them very attractive sources of information for attackers.

    For example, the largest professional social media site, LinkedIn, is already known as a medium through which employees inadvertently leak information about their employers. In early 2015, engineers for chip manufacturer AMD inadvertently leaked details about next-generation products in their profiles. It is also known that several NSA codenames were added by US government employees to their profiles. These incidents highlight how information can be disclosed – even inadvertently – via LinkedIn profiles.

    Active attacks on social media

    It’s one thing to have information passively leaked on social media, and another to have attackers actively try to exploit it. We will demonstrate how this is being done – by revealing some attacks on Trend Micro itself.

    Recently, we saw a wave of Viadeo invitations that were sent to the French offices of Trend Micro. (Viadeo is a professional social media network that is based in France.) It targeted several employees, including myself, and it all came from one Viadeo profile. This profile pretended to belong to an IT manager from the Trend Micro Australia office, who had been with the company for 18 years. The profile of this person was quite empty, and when I received the invitation and checked it out, it had only 4 contacts.

    The profile also said its owner studied at “havard, new yord”, which could be a typo for “Harvard, New York”… which is odd in and of itself, as Harvard University is not in New York. Neither is there a town named Harvard in the state of New York.

    This was enough to raise suspicion. A quick check of the company directory confirmed that there was indeed no employee with that name; no person by that name had been employed by the Australian office either.

    It was clear that this was an attempt to gather contacts/information from Trend Micro. In response, we raised an internal alarm to our employees to avoid any potential problems.

    What information can be gathered this way?

    Using information gathered from professional social networks, a skilled attacker can essentially become an insider and learn much of what an employee knows. For example, they may know who someone’s immediate superiors are, who their teammates are, and what projects they are working on. This gives the attacker much of the access an insider would have.

    Simply put, users are more likely to believe someone they “know”, and someone they have connected with on a professional social media site fits into this category. This can transform what was previously an “outside” threat into one mounted by an apparent insider.

    We’ve spoken before about the threat an insider can pose to an organization: now imagine if someone was able to pose as an insider. The information acquired could directly lead to an organization’s weaknesses, as well as where any potentially valuable information was located. The damage could be significant.

    What can companies and users do?

    End users can consult our article titled How to Spot Frauds on Professional Networks for tips and best practices on how to spot and avoid these attacks on professional social media.

    Organizations need to make sure that they have a social media policy in place. This policy needs to go beyond something simplistic like banning social media sites within the office. It needs to outline clearly what employees can and cannot disclose on social media. Different industries will be subject to different rules: a neighborhood restaurant does not need the same secrecy as a defense contractor.

    The organization also needs to empower its employees to detect and report attempts to target them in this way. An incident response team must be able to take note of incidents like these and warn other parts of the company, as needed. Tools that can help employees find out if/when a person is (or was) employed by the company may be useful as well.

    Defending against social engineering attacks requires recognizing that not all solutions are technical in nature. Some defenses must be based on hardening the humans involved. Accepting that fact may require a change in mindset on the part of defenders.

    Our blog posts covering other aspects of how to defend against targeted attacks can be found below:

     

    Online banking users in Europe and North America are experiencing the upsurge of DYRE, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow.

    Figure 1. DYRE-related infections (values are rounded off to the nearest thousand)

    Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.

    Figure 2. DYRE infection count per region in Q1

    Online banking malware infections have long been North America’s problem. Europe has seen its share of notorious banking malware too, such as DRIDEX. With DYRE’s presence in APAC, we see evidence that cybercriminals are trying to gain a stronger foothold in more regions.

    A recent spike in spammed attachments that drop DYRE shows that APAC is getting substantially more of these emails than the usual targets. Of the thousands of DYRE-related emails we spotted in the first week of May, 44% were directed at users in the Asia Pacific region, followed by 39% at users in Europe and 17% at those in North America.

    Figure 3. DYRE-related spam volume from May 1-7

    We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like.

    Spam Drops Upgraded UPATRE Malware

    We found a new version of DYRE in a new spam run. We now detect this variant as TSPY_DYRE.IK.

    What’s troubling about this recent spam run is that it shows how online banking malware continues to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known as the downloader, or middleman malware of sorts, for other infamous malware like ZBOT, CRILOCK, and ROVNIX.

    This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can disable security features on the host, making it easier to download DYRE or other malware onto user systems.

    Specifically, its additional functions include the following:

    • Disabling firewall/network-related security by modifying registry entries.
    • Disabling firewall/network-related security by stopping related services.
    • Disabling Windows’ default anti-malware feature (Windows Defender, “WinDef”).
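To detect this behaviour on an endpoint, correlate the three actions rather than alerting on any one of them. The Python below is an added example, not Trend Micro’s detection logic, that runs over constructed key=value telemetry lines: it classifies firewall-policy registry writes, stops of firewall-related services and stops of Windows Defender services, and alerts when one image on one host performs two or more of these within a few minutes. The registry path and the service names (MpsSvc, BFE, wscsvc, WinDefend, WdNisSvc) are assumptions drawn from how Windows exposes these controls; the post does not name the exact entries UPATRE modifies, and real telemetry formats will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators for the three behaviours the post lists. The registry path and the
# service names are assumptions about how Windows exposes these controls; the post
# itself does not name the exact entries UPATRE touches.
FIREWALL_REG = re.compile(
    r"\\services\\sharedaccess\\parameters\\firewallpolicy\\.*\\enablefirewall$", re.I)
FIREWALL_SERVICES = {"mpssvc", "bfe", "wscsvc"}   # Windows Firewall, Base Filtering Engine, Security Center
DEFENDER_SERVICES = {"windefend", "wdnissvc"}      # Windows Defender and its network inspection service

# Constructed endpoint telemetry in a simple key=value format (not real logs).
SAMPLE_EVENTS = r"""
2015-05-20T10:01:02 host=WS01 type=RegistrySet path=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall data=0 image=C:\Users\bob\AppData\Local\Temp\tax_notice.exe
2015-05-20T10:01:03 host=WS01 type=ServiceStop name=MpsSvc image=C:\Users\bob\AppData\Local\Temp\tax_notice.exe
2015-05-20T10:01:05 host=WS01 type=ServiceStop name=WinDefend image=C:\Users\bob\AppData\Local\Temp\tax_notice.exe
2015-05-20T10:30:00 host=WS02 type=ServiceStop name=Spooler image=C:\Windows\System32\services.exe
2015-05-20T11:15:00 host=WS03 type=RegistrySet path=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall data=0 image=C:\Windows\System32\netsh.exe
""".strip().splitlines()


def parse_event(line):
    """Split one telemetry line into a dict; the first token is an ISO 8601 timestamp."""
    ts, *fields = line.split(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def classify(event):
    """Map one event to one of the UPATRE-style behaviours, or None if it is unrelated."""
    if (event.get("type") == "RegistrySet" and event.get("data") == "0"
            and FIREWALL_REG.search(event.get("path", ""))):
        return "firewall_registry"
    if event.get("type") == "ServiceStop":
        name = event.get("name", "").lower()
        if name in FIREWALL_SERVICES:
            return "firewall_service"
        if name in DEFENDER_SERVICES:
            return "defender_service"
    return None


def detect(lines, window=timedelta(minutes=5), min_behaviours=2):
    """Correlate per (host, image) and alert when at least `min_behaviours` distinct
    behaviours occur within `window`. A lone firewall toggle by an admin or by netsh
    does not alert; a dropper that knocks out several defences in a row does."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        tag = classify(event)
        if tag:
            hits[(event["host"], event.get("image", "?"))].append((event["ts"], tag))
    alerts = []
    for (host, image), seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            in_window = {tag for ts, tag in seen[i:] if ts - start <= window}
            if len(in_window) >= min_behaviours:
                alerts.append({"host": host, "image": image,
                               "first_seen": start.isoformat(), "behaviours": sorted(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying the correlation on the originating image is what separates the dropper on WS01 from the administrator running netsh on WS03; if your telemetry lacks a process field, fall back to host and a shorter window.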

    Recently, we have also seen a UPATRE variant (detected as TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML Help file (.CHM) in a spam run targeting JPMorgan Chase & Co. customers.

    UPATRE Spam Content

    Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to scare users into opening an attached file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to succumb to the scam.

    Figure 4. Screenshot of a sample spam mail infected with UPATRE

    Since most samples we have seen so far are in English, it is likely that the operators of the DYRE malware have been sending similar messages to a variety of regions without tailoring them to local language and banking preferences. English-speaking regions will naturally take more notice of such emails, since they are more relatable to them. Note that, since cybercriminals are already making the move to expand globally, they can potentially send out more regionalized messages in their next spam runs.

    What Do We Do Now?

    It pays to be prepared especially when consequences are literally DYRE. As we have previously advocated, banking malware that spread via spammed mails can be fought off by knowing your banking policies, downloading a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infections, and alerting the bank when you spot suspicious transactions.

    Specifically, the Trend Micro™ Custom Defense™ technology wards off UPATRE, DYRE, and CHM downloader threats for enterprises. It detects and analyzes advanced threats and attacks and monitors malicious behaviors so as to mitigate upcoming threats.

     

    Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware to turn the most inconspicuous network router into a vital tool for their schemes.

    We already know that routers sometimes ship with malicious DNS server settings. In this scenario, malware is used to tamper with the router and its DNS settings. When users try to visit legitimate banking websites or other pages chosen by the bad guys, the malicious DNS settings redirect them to malicious versions of those pages. This allows cybercriminals to steal users’ account credentials, PINs, passwords, etc.

    We’ve seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim’s router from the internal network. Once it has working credentials for the administration interface, the script sends a single HTTP request to the router that sets a malicious DNS server IP address. Once the malicious address replaces the current one, the infection is complete. Apart from temporary browser files, no files are created on the victim’s machine, no persistence technique is needed, and nothing else changes.

    Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack.

    Brute-force attacks possible with DNS router malware

    DNS is the Internet standard that maps domain names to IP addresses. It acts like a phone book, translating human-friendly host names into machine-friendly IP addresses. Cybercriminals create DNS changer malware to modify the DNS settings of a system. We previously discussed DNS changer malware back in 2011, when such malware infected more than 4,000,000 computers used as Esthost bots. We took part in that botnet’s takedown in Operation Ghost Click.

    Internet users commonly take DNS for granted because DNS servers are usually assigned by their ISPs. And since DNS usually works as expected, there is no reason to suspect otherwise.

    DNS settings work like signposts that direct your browser where to go. In the case of a DNS changer malware infection, the “signs” can be switched without you noticing. Even if you observe proper security practices—typing in the correct URL of your bank’s website, logging in with your super-secure password, and even logging out after you’re done—if the malware succeeded in making the subtle redirection before your transaction, chances are your data would be stolen.

    While this type of malware is not new, we’ve been seeing a growing number of links in phishing attacks in Brazil. These are used as entry points for a script, which we detect as HTML_DNSCHA, that performs a brute-force attack against the router from the internal network. When the user’s browser executes the malicious script, the DNS-changing request travels from the user’s machine to the router, so from the network point of view only internal traffic is seen. Admins looking for external attacks in firewall/router logs therefore won’t find anything.

    Brute-force attacks succeed because router owners are notorious for not setting router passwords or for leaving the default passwords of popular router brands in place, all of which are available online.

    Upon acquiring access to the router’s administration interface, the script sends a single HTTP request to the router with a malicious DNS server IP address to replace the current one—this is all that’s required for the cybercriminal to own the router from that point forward. Apart from temporary browser files, no other files are created on the victim’s machine, no persistence technique is needed, and as far as the user is concerned, there is not a single clue that anything has changed.

    In fact, the victim will be able to navigate to any website of their choice as they normally would. However, when the victim tries to access a website of interest to the cybercriminals—a banking website, to use our earlier example—the victim actually sees a clone of the original website, carefully designed to harvest the victim’s user credentials.

    Needless to say, users that do not change the default credentials to their routers are highly vulnerable to this kind of attack.

    One of the samples we studied captures the victim’s external IP address. The part of the source code that does this is shown in the screenshot below:

    Figure 1. The source code above shows how victims’ IPs are captured

    The script tries to guess both the router’s IP address and its administration credentials. Different device models are supported by a single script; the same sample targets D-Link and TP-LINK ADSL routers, which are both very common in Brazil. The following image shows the source code responsible for the brute-force part:

    Figure 2. The source code above shows brute force routines

    The script tries to connect to the router at typical LAN gateway addresses in the class A and class C ranges, as well as at the external (public) IP. It is easy to see that this type of attack takes advantage of router default settings.

    Victim profiles

    As previously mentioned, the majority of the routers affected by this threat are in Brazil. The data shown below is the number of hits to the URLs that the malicious DNS servers redirect to.

    Figure 3. Majority of affected routers are from Brazil

    Some of the redirected sites we noted are mobile-ready. This means that once a router gets its DNS settings changed, all devices in the router network are exposed to this attack, including mobile devices.

    The attack may not only be limited to online banking fraud. This kind of attack becomes especially dangerous for Internet of Things (IoT) or smart devices as cybercriminals can easily poison DNS names of authentication/feedback websites used by those devices and steal users’ credentials.

    Best Practices

    To prevent this attack and other router-centric ones, we strongly recommend that users configure routers to:

    • Use strong passwords for all user accounts.
    • Use a different IP address than the default.
    • Disable remote administration features.

    It is a good idea to periodically audit the router’s DNS settings and to pay attention to visited websites that require credentials, like e-mail providers, online banking, etc. They must all show a valid SSL certificate. Another useful preventive action is to install browser extensions that block scripts before they execute in the user’s browser, like NoScript.

    For investigators and network administrators, I wrote a simple UNIX shell script that can be configured with a list of well-known domains (email providers, online banking, etc.) and that takes a suspicious DNS server address as input, or uses the default system DNS server. The script sends a DNS query to a public DNS server (owned by Google) and another to the suspicious DNS server, then compares the answers. If they differ, that can be an indicator that the suspicious DNS server is indeed malicious.
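The comparison the shell script performs can be done without external tools. The Python below is an added example, a re-implementation of that idea rather than the author’s script: it builds a DNS A query by hand, parses the answer section (including RFC 1035 compression pointers), queries a trusted resolver and a suspect resolver for each watch-listed name, and reports names whose answers differ. `WATCHLIST`, the placeholder suspect address and `build_response` (a constructed reply used only to exercise the parser offline) are assumptions; 8.8.8.8 is Google Public DNS, the trusted reference the post mentions.

```python
import random
import socket
import struct

# Assumption: example names; replace with the banks and mail providers you care about.
WATCHLIST = ["bank.example", "mail.example"]
TRUSTED_RESOLVER = "8.8.8.8"  # Google Public DNS, the reference the post compares against


def encode_name(name):
    """Dotted host name to DNS wire format: length-prefixed labels, terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Recursive A query: header (RD=1, QDCOUNT=1), question, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(data, offset):
    """Return the offset just past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data):
    """Set of IPv4 addresses in the answer section; empty on a non-zero RCODE."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F != 0:
        return set()
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def query_server(server, name, timeout=3.0):
    """Send one UDP query to `server` and return its A answers (needs network access)."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("DNS transaction ID mismatch")
    return parse_a_records(data)


def compare_resolvers(trusted, suspect):
    """trusted/suspect map name -> set of IPs; return {name: (trusted, suspect)} where they differ.

    A difference is a lead, not proof: CDNs and geo-aware DNS legitimately hand
    different resolvers different addresses, so confirm before blocking anything."""
    return {name: (ips, suspect.get(name, set()))
            for name, ips in trusted.items() if ips != suspect.get(name, set())}


def build_response(qid, name, ips):
    """Constructed resolver reply for offline testing only (not captured traffic)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    import sys
    suspect_server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder address
    trusted = {n: query_server(TRUSTED_RESOLVER, n) for n in WATCHLIST}
    suspect = {n: query_server(suspect_server, n) for n in WATCHLIST}
    for name, (good, bad) in compare_resolvers(trusted, suspect).items():
        print(f"MISMATCH {name}: trusted={sorted(good)} suspect={sorted(bad)}")
```

Run it with the DNS address found in the router’s configuration as the argument; a suspect server that returns the listed malicious IPs, or any address outside the bank’s own ranges, for the watch-listed names is the signal the post describes.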

    Related hashes (HTML_DNSCHA.SM):

    • b7f2d91a1206b9325463e7970da32a0006a3ead5
    • 92b62f4a5bcf39e2b164fb5088b5868f54fa37b0
    • 48dbea87e50215504d3f5b49f29ecc4f284c6799
    • af6398ea2ade1ec6d3b3f45667f774008593a59f
    • 07a97f34b73c4525c65dabe1de15340e31d3353a
    • 86363fcf087c5d5a6830b7c398a73ea3fa4ee961
    • 62a2f5f5c6dd075c2dc3c744273fc8689e2e1e5f
    • 321f4ba49d978c7d2af97b2dc7aab8b40c40d36e

    Malicious DNS servers:

    • 176.119.37.193
    • 176.119.49.210
    • 52.8.68.249
    • 52.8.85.139
    • 64.186.146.68
    • 64.186.158.42
    • 192.99.111.84
    • 46.161.41.146

    Updated May 30, 2015, 4:32 AM PST

    This post was updated for technical accuracy.

     

    We’ve discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behavior of apps just by clicking a URL. The extent of the modifications can range from causing nuisance for app users to crashing the apps completely.

    Designated as CVE-2015-1835, this high-severity vulnerability affects all versions of Apache Cordova up to 4.0.1. Apache has released a security bulletin confirming the vulnerability. This means that the majority of Cordova-based apps, which account for 5.6% of all apps in Google Play, are prone to exploitation.

    The vulnerability is found in a Cordova feature where secondary configuration variables (also known as preferences) can be set from intent bundles in the base activity. This feature was part of a code update (a commit on GitHub) that Apache released in November 2010, along with the Cordova Android update to 0.9.3.

    Our research has revealed that if the base activity is not properly secured and the preferences are set to default, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.

    Prerequisites for a successful exploit

    Only two conditions are required to successfully exploit this vulnerability:

    1. At least one of the application’s components extends Cordova’s base activity, CordovaActivity, or configures the Cordova framework (Config.java) in a way that is not properly secured, meaning the component is accessible from outside the app.
    2. At least one of the Cordova-supported preferences (except LogLevel and ErrorUrl) is not defined in the configuration file, config.xml.

    How it works

    To understand how the vulnerability works, we’ll look into how preferences are set in apps.

    Secondary configuration variables, also known as preferences, are a set of variables reserved for developers to configure their apps. They are the source of the built-in characteristics of Cordova-based apps and should be controlled only by app developers. Any tampering with these variables during runtime initialization will certainly disrupt the app’s normal behavior.

    The Apache Cordova framework on Android (up to 4.0.1) supports the following preferences:

    • Fullscreen
    • DisallowOverscroll
    • BackgroundColor
    • Orientation
    • KeepRunning
    • LoadUrlTimeoutValue
    • SplashScreen
    • SplashScreenDelay
    • InAppBrowserStorageEnabled
    • LoadingDialog
    • LoadingPageDialog
    • ErrorUrl
    • ShowTitle
    • LogLevel
    • SetFullscreen
    • AndroidLaunchMode
    • DefaultVolumeStream

    These preferences can be explicitly set in config.xml in the Cordova framework, or left undefined and implicitly linked to default values. It is important to note that many developers take the latter option in practice, since not all of these preferences are necessary for their apps. If a preference is not explicitly configured in config.xml, the Cordova framework will read it from the intent bundle passed to the base activity.

    Figure 1. The app loads the intent bundle and copies it to preference during initialization in CordovaActivity

    Figure 2. The app loads the preference value from its bundle when it is absent in config.xml

    App developers are usually guided to extend CordovaActivity in their applications to make this hybrid framework work.

    Figure 3. A subclass extending CordovaActivity to launch web pages

    Unfortunately, in this case, it is this common developer guidance that leaves apps vulnerable to attacks. The extended activity is accessible from outside the app, so attackers can inject malicious intent bundles into the activity to tamper with the built-in characteristics of the app, either from remote web servers or from compromised local apps.

    We discovered that all of these preferences except LogLevel and ErrorUrl could be exploited. The Cordova framework handles the two preferences in a specific way which makes them immune to this vulnerability.

    We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practice. Most Cordova-based apps do extend CordovaActivity, and very few explicitly define all preferences in their configuration. Moreover, all Cordova-based apps built with the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, so all of them are vulnerable.
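The two prerequisites can be checked mechanically against an app’s build inputs. The Python below is an added example (not Cordova’s or Trend Micro’s code) that tests them: it reads AndroidManifest.xml to find activities exported to other apps (android:exported="true", or an <intent-filter> without an explicit exported="false", the default before Android 12), reads config.xml for the preferences the post lists, and reports an app as exploitable when an exported CordovaActivity subclass coexists with at least one undefined injectable preference. The manifest, config.xml and package name are constructed; which activities extend CordovaActivity is passed in, since that needs the app’s sources.

```python
import xml.etree.ElementTree as ET

# The preferences the post lists for Cordova Android up to 4.0.1, minus LogLevel and
# ErrorUrl, which the framework handles specially and which are not injectable.
INJECTABLE_PREFERENCES = [
    "Fullscreen", "DisallowOverscroll", "BackgroundColor", "Orientation", "KeepRunning",
    "LoadUrlTimeoutValue", "SplashScreen", "SplashScreenDelay", "InAppBrowserStorageEnabled",
    "LoadingDialog", "LoadingPageDialog", "ShowTitle", "SetFullscreen",
    "AndroidLaunchMode", "DefaultVolumeStream",
]
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed inputs standing in for a CLI-generated app (the package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.hybrid">
  <application>
    <activity android:name=".MainActivity" android:label="@string/app_name">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.hybrid" version="1.0.0">
  <preference name="Fullscreen" value="false"/>
  <preference name="LoadUrlTimeoutValue" value="60000"/>
</widget>"""


def exported_activities(manifest_xml):
    """Activities reachable from other apps: android:exported="true", or an
    <intent-filter> with no explicit exported="false" (the pre-Android 12 default)."""
    root = ET.fromstring(manifest_xml)
    names = []
    for activity in root.iter("activity"):
        exported = activity.get(ANDROID_NS + "exported")
        has_filter = activity.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            names.append(activity.get(ANDROID_NS + "name"))
    return names


def missing_preferences(config_xml):
    """Injectable preferences with no explicit <preference> element in config.xml.
    Cordova lower-cases preference names (the PoC uses `loadingpagedialog`), so the
    comparison is case-insensitive."""
    root = ET.fromstring(config_xml)
    # config.xml carries a default namespace, so match elements by local name.
    defined = {el.get("name", "").lower() for el in root.iter()
               if el.tag.rsplit("}", 1)[-1] == "preference"}
    return [p for p in INJECTABLE_PREFERENCES if p.lower() not in defined]


def assess(manifest_xml, config_xml, cordova_activities):
    """Apply the post's two prerequisites. `cordova_activities` holds the activity
    names, as written in the manifest, that extend CordovaActivity."""
    exposed = [a for a in exported_activities(manifest_xml) if a in cordova_activities]
    missing = missing_preferences(config_xml)
    return {"exported_cordova_activities": exposed,
            "undefined_preferences": missing,
            "exploitable": bool(exposed) and bool(missing)}


if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_CONFIG, {".MainActivity"}))
```

The launcher activity of a CLI-generated project is necessarily exported, so for such apps the audit reduces to the list of undefined preferences; an app that defines every one of them explicitly no longer satisfies the second prerequisite, but upgrading to 4.0.2 remains the fix Apache recommends.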

    Proof-of-Concept

    We’ve created a demo of a typical remote intent injection attack, which makes use of a previously disclosed vulnerability in the intent URL scheme handling of a vulnerable Android device: a Huawei T950E smartphone.

    Here is the HTML code located on the remote server:

    <html>
    <body bgcolor=white text=red>
    <center><font size=10>Your Cordova APP</font></center>
    <br>
    <font size=20>   is hacked!!</font>
    <script>
    setTimeout(function()
    {location.href="intent:#Intent;S.loadingpagedialog=hacked,haha..blabla..please contact with www.trendmicro.com.cn or send to seven_shen@trendmicro.com.cn for solution ;SEL;component=com.trendmicro.justademo/.MainActivity;end;"},5000);
    </script>
    </body>
    </html>

    Just by visiting the page in the device’s stock browser, the locally installed Cordova-based app is injected with an unwanted dialog carrying the attacker-supplied title and text. A video of how this works can be seen in the demo video here:

    We can also modify other app preferences, and created demo videos for these cases:

    We also found that it is possible to crash Cordova-based apps remotely by injecting specially crafted data into the intent bundle. The following adb command reproduces the same injection from a local shell:

    adb shell am start -n com.trendmicro.justademo/.MainActivity --es backgroundcolor ffffff

    This attack will cause an exception in Cordova framework and force the app to close.

    Figure 4. The app crashing due to exploitation

    Possible Impact

    So far we’ve been able to discover the following possible impact this vulnerability has to Cordova-based apps and its users:

    1. Tamper with the app’s appearance
    2. Inject popups and texts
    3. Inject splash screens
    4. Modify basic functionalities
    5. Crash the app

    While this vulnerability affects apps, there is also a great risk of exploitation in thousands of Apache Cordova third-party plugins, especially since their functionalities are highly dependent on preferences.

    Solutions

    We privately disclosed this vulnerability to Apache, and they have released an official bulletin regarding this vulnerability. We suggest Android app developers upgrade their Cordova framework to the latest version (version 4.0.2) and rebuild to a new release. This will prevent apps from being modified by attackers targeting this vulnerability.

     



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice