New camera security flaw puts millions of Android devices at risk of cyber espionage

Erez Yalon, Director of Security Research at Checkmarx disclosed the security vulnerability stemming from permission bypass issues. The bug, dubbed as CVE-2019-2234, allows cybercriminals to hijack Android’s phone camera and covertly take pictures or record video even if a device is locked. The vulnerability impacts all Google handsets, including those beyond the Pixel product line. The researchers started with a security investigation of smartphones' camera capabilities by exploring the Google Camera app on a Google Pixel 2 XL and Pixel 3. As per the discovery, the researchers could tamper with devices using particular actions and, overall, make it possible for rogue applications without specific permissions to control the Google Camera app. They could take photos, record video during the moment target device was locked or when the screen was turned off, or even when a victim was speaking on a phone call. In Google devices, however, users must accept permission requests, but in Checkmarx's attack scenario, these requirements were overlooked and bypassed. Additionally, since images are often recorded and embedded with the GPS metadata while being stored on the device, it is possible that an attacker could extract this data and gain knowledge of the target’s whereabouts. To consider a worst-case scenario for the identified vulnerability, researchers performed a demonstration mocking a weather app. The app, when opened, connects to a C&C server and waits for the operator to send commands to take and steal footage. Using the PoC exploit, they could perform functions including: Taking a photo or recording a video and uploading it to the C&C, Silence the phone while taking photos and recording videos and Parse photos for GPS tags and locate the phone on a global map, and more. The experiment proved that, as long as there are basic storage permissions in place, this attack vector is possible.


Google will award 1.5 million to hackers who can hack Titan M Security Chip

Google is willing to award up to $1.5 million to hackers who can successfully hack its Titan M security chip on the company’s Pixel devices as part of an expansion of its Android bug-bounty program unveiled this week. Google already has paid out more than $4 million in 1,800 reports to those who’ve identified vulnerabilities on the platform, it said. The expansion of the program focuses mainly on Google’s own technology rather than the greater ecosystem, with the company offering a significant prize for hackers to test the security of its Titan security chip on forthcoming versions of Android. Google introduced Titan M in its Pixel 3 smartphone released last year. The chip adds deep, device-level protection to separate the most sensitive data stored on the Pixel from its main processor, which can protect it from certain types of attacks. Google also integrated Titan M in its Android security-key technology, releasing the Titan Security Key in August 2018. The technology is a USB dongle that offers an added layer of security features for Google accounts, such as two-factor authentication and protections from phishing attacks. In addition to sweetening the deal for white-hat hackers to help it improve Titan M, Google also has expanded bug-bounty rewards in other critical device security areas. These include threats involving data exfiltration and lockscreen bypass, according to the post. Depending on the exploit category, people now can earn up to $500,000 for reporting bugs. A comprehensive list of the changes is available on the Android Security Rewards Program Rules website. Google created the Android bug bounty program in 2015 as part of its mobile security efforts, which the company has been ramping up recently as it continues to struggle to get a handle on Android mobile device and application security.

Rare, aggressive Phoenix keylogger is on the hotlist of cybercrooks

A report from Cybereason, a cybersecurity firm, has linked more than 10,000 infections to a new keylogger called Phoenix which debuted on hacking forums. Researchers from the firm say this keylogger is the work of an experienced malware author. Research on Twitter revealed that malware distribution for the Phoenix keylogger campaigns was spotted every few weeks. The malware has reportedly transformed from a simple keystroke logger into a multi-functional information-stealing trojan over the past few months. Besides logging keystrokes, this newer version brings the ability to dump user data, such as passwords from 20 different browsers, four mail clients (Outlook, Thunderbird, Seamonkey, Foxmail), FTP clients, and chat applications. Phoenix keylogger was observed to be deployed in various corners of the world, in different configurations, with varying goals of the attackers. This new keylogger malware attempts to disable the Defender AntiSpyware module by changing the registry key. It uses an aggressive anti-AV and anti-VM modules to terminate the process of over 80 well-known security products, keeping it from being detected. Generally, professional security products come with an alert feature to notify users when a local app tries to alter their process. However, a successful Phoenix keylogger collects the data it was configured to collect and drops it to a remote location. According to Cybereason, this can be a remote FTP server, a remote SMTP email account, or even a Telegram channel. Phoenix’s rare ability to gain boot persistence on infected Windows systems did garner some attention from the researchers. Another important discovery was also made related to Phoenix's ability to extract and steal usernames and passwords. Since this data could be extracted in seconds after the initial infection, the groups spreading the malware rarely bothered for establishing boot persistence.


Linux Webmin Servers under attack by Roboto P2P Botnet

Vulnerable Linux Webmin servers are under active attack by a newly-discovered peer-to-peer (P2P) botnet, dubbed Roboto by researchers. The botnet is targeting a remote code-execution vulnerability (CVE-2019-15107) in Webmin, a web-based system configuration tool for Linux servers. CVE-2019-15107 was previously patched on Aug. 17 and can be mitigated by updating to Webmin 1.930, said researchers with NetLab 360. The Roboto botnet mainly supports seven functions: reverse shell (allowing attackers to execute commands on infected bots) and self-uninstall capabilities; as well as the ability to gather process network information, gather bot information, execute system commands, run encrypted files specified in URLs and launch distributed denial-of-service (DDoS) attacks. However, Roboto’s main goals remain unknown at this point, researchers said “Roboto botnet has DDoS functionality, but it seems DDoS is not its main goal. We have yet to capture a single DDoS attack command since it showed up on our radar. We are still yet to learn its true purpose.” After Roboto targeted their honeypot, researchers were able to further analyze the botnet’s associated downloader and bot modules, as well as vulnerability-scanning modules and its P2P control module. Post-infection, the botnet collects further information (including a list of processes running, and network information) about the infected bot. Roboto also uses algorithms like Curve25519, Ed25519, TEA, SHA256 and HMAC-SHA256 for communication. These algorithms allow Roboto to “ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control,” researchers said.


Critical Flaws in VNC Threaten Industrial Environments

The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued with 37 different memory-corruption vulnerabilities – many of which are critical in severity and some of which could result in remote code execution (RCE). According to researchers at Kaspersky, they potentially affect 600,000 web-accessible servers in systems that use the code. The research looked into four popular VNC-based systems, LibVNC, UltraVNC, TightVNC1.X and TurboVNC, which are actively used in automated industrial facilities to enable remote control of systems, according to the firm. Approximately 32 percent of industrial network computers having some form of remote administration tools, including VNC. Kasperksy found vulnerabilities not only in the client, but also on the server-side of the system; many of the latter however can only be exploited after password authentication. Across all 37 bugs, there are two main attack vectors, the firm said “An attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server’s privileges or a user connects to an attacker’s ‘server’ using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user’s machine.” A significant number of the problems detailed in the research were found and reported last year; however, each of the projects examined also had newly discovered bugs.


Edited and compiled by cyber security specialist James Aguilan.