Pre-Installed Malware Found on Nearly 5 Million Android Devices

A malware referred to as RottenSys has been discovered to have infected nearly 5 million devices since 2016. It is possible that the malware could have been installed on older devices as well.

Check Point Software Technologies, the company that discovered the infections, found that 49.2% of the infected devices had been shipped through Tian Pai, a Hangzhou-based mobile phone distributor. At this point, it is not clear whether Tian Pai is directly involved. The manufacturers that have been affected are Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE.

The malware is disguised as a System Wi-Fi service app that contains no malicious code and initially performs no malicious activity, in order to go unnoticed. After a set amount of time, the program communicates with its command and control (C&C) server to download the components required for its activity. RottenSys is then able to use multiple open-source Android frameworks to keep itself running and to feed advertisements to the user. From March 3 to March 12, the malware generated over $115,000 in ad-click revenue.

It is unclear what the developers of RottenSys plan to use their massive botnet for besides aggressively serving people ads, but they do have the ability to send any code they want to the infected phones. This means they would be able to have the phones participate in large-scale botnet attacks.

In order to remove the malware from a device, a user has to remove four separate packages:

Package Name             App Name
                         每日黄历
com.changmi.launcher     畅米桌面
                         系统WIFI服务
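As an added example (not part of the write-up above, and not Check Point's tooling), this Python script parses the output of `adb shell pm list packages -f`, flags the one RottenSys package name the write-up gives, reports whether it sits on a factory partition, and builds the per-user uninstall command. The sample `pm` output is constructed; the other package names in it are made-up placeholders, and the removal commands are only returned, never executed.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output (not a real device dump).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Launcher/Launcher.apk=com.changmi.launcher
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/vendor/app/WifiSvc/WifiSvc.apk=com.example.wifisvc
"""

# The only package name the write-up lists; the other three RottenSys packages
# are given there by app name only, so they cannot be matched here.
KNOWN_BAD_PACKAGES = {"com.changmi.launcher"}

# Partitions where a factory pre-installed app lives (not user-installed /data/app).
PREINSTALL_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")

LINE_RE = re.compile(r"^package:(?P<path>\S+\.apk)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output):
    """Return {package_name: apk_path} from `pm list packages -f` text."""
    found = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found


def find_suspect_packages(output, known_bad=KNOWN_BAD_PACKAGES):
    """Flag known-bad packages and note whether each shipped on a factory partition."""
    suspects = []
    for pkg, path in parse_pm_list(output).items():
        if pkg in known_bad:
            suspects.append({"package": pkg, "path": path,
                             "preinstalled": path.startswith(PREINSTALL_PREFIXES)})
    return suspects


def removal_commands(suspects):
    """Per-user uninstall commands; a factory APK itself stays on /system without root,
    but `pm uninstall --user 0` disables and removes it for the primary user."""
    return [f"adb shell pm uninstall --user 0 {s['package']}" for s in suspects]


if __name__ == "__main__":
    hits = find_suspect_packages(SAMPLE_PM_OUTPUT)
    for hit in hits:
        print(hit)
    for cmd in removal_commands(hits):
        print(cmd)
```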

There is nothing that consumers are able to do to prevent an attack of this nature from occurring. The only thing we can do is be extremely paranoid about the applications that come pre-installed on our phones. We need to check the permissions that the applications request and determine whether each permission is something the application should need. Of course, this is not a reasonable thing to ask most people to do, and so most people are left at the mercy of the industry to keep their devices safe.

– Zachary Campanella

Marine Force Data Leak

More than 20,000 US Marines' identities and information were exposed when an email with sensitive data was sent to the wrong email distribution list by the Defense Travel System (DTS).

The email had an attachment containing personal and sensitive data such as social security numbers, bank account information, credit card information, and mailing addresses.

Andrew Aranda, a spokesman for the Marine Forces, said that “no malicious intent was involved” and that changes will be made to prevent similar incidents from happening in the future.

According to Paul Edon, an information technology professional and director at Tripwire, there should be regular checks of the system and limits on access to sensitive information, since these military systems store a great deal of it.

With their personal information exposed, victims should change their passwords and keep monitoring their bank accounts in case of any potential breach, said Paul Edon.

– Mohammed Alhamadah


Equifax Breach Bigger Than Initially Thought

Recently, Equifax added 2.4 million more people to those affected by the 2017 breach. While this is a small number compared to the number of people already affected by the breach, it is unsettling that this exposure of customer information was only just discovered. The individuals just added to the list of victims had their names and a portion of their US driver’s license information exposed, meaning the damage is not as severe as for the initial group of people affected by the 2017 breach.

The leaked license information for the newly discovered victims did not include the issuing state, the date of issuance or the expiration date. To help the newly affected customers, Equifax has stated that it will provide credit monitoring and identity theft protection, as it offered to the original victims.

– Steven Galarza

Trustico Servers Compromised

When you surf the web, your web browser requests and receives data from some remote server. If you are logging into a website, you want your login information to be secure, meaning that when you send it to the remote server for verification, you don’t want the data to be in plaintext, where it could be eavesdropped on by someone on the network. This is where the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols come in. These protocols are used when the website you visit has HTTPS instead of HTTP, with the ‘S’ standing for “secure”.

These protocols are based on a public key and a private key. Each key can be thought of as half of a whole key, and the whole key can be used to determine whether the information sent or received is from the source you expect, letting you know the data has not been tampered with by another party. This is because data encrypted using somebody’s public key can only be decrypted using the same person’s private key. Suppose B is sending data to A. Then B uses A’s public key to encrypt the data, and when A receives the data, A can use its private key to decrypt it. Therefore, it is important to keep the private key locked up and secret.

This is where companies that issue SSL certificates come in. There are various ways to encrypt the data to make it secure, and various companies claim their algorithm is more secure or meets whatever criteria the server’s use requires, including warranties, browser support, subdomains, speed, and other exclusive features in a package.

On March 1, a user with the Twitter handle @svblxyz noticed that he was not able to validate his certificate issued by Trustico, a certificate reseller, and that the site was instead making curl requests (curl is a tool used in scripts to download data), as shown in the application logs. Another user with the Twitter handle @Manawyrm revealed that it was possible to trick the server-side script doing the curl request into running some other command, also known as code injection. The most shocking thing was that the application logs showed the command running as root (the highest privilege, with no restrictions), meaning the script was running as admin. Another user with the Twitter handle @ebuildy also helped reveal that the company doesn’t use proxies, meaning it was possible to inject code that would display all of the IP addresses of their LAN devices.

Having a code injection vulnerability on a server is bad enough, since it lets essentially anyone tamper with it. Having a code injection vulnerability that allows running things as root is even worse, since the attacker then has complete access to the server. Put all of that on a server that validates SSL certificates, and you have a complete nightmare. Following the tweets, it did not take the internet long to knock Trustico’s server offline. One bad thing that could have happened is someone wiping all the data on the server, possibly beyond recovery, or someone installing backdoors on the server (allowing that person to get back in even after Trustico fixed the problem).

However, the worst thing that could have happened is private keys for SSL certificates being compromised. The user with the Twitter handle @ebuildy was able to figure out that Trustico doesn’t use proxies because, when using code injection to display their localhost info, the results returned their own certificate under the company’s name. This means their private key could have been compromised, and anyone could have used code injection to run a command and see the data unencrypted if they wanted to. Anyone who sent their SSL certificates for validation would have had their certificates compromised. As of now, the vulnerability has been fixed, and their old certificate has been revoked and replaced with a new one.
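As an added illustration (not Trustico’s code, which has never been published), here is the pattern behind the bug described above and its hardened counterpart in Python: a certificate-check tool that builds a curl command from a user-supplied hostname. The unsafe version interpolates the value into a shell command line; the safe version validates the hostname, passes it as a single argv element with no shell, and refuses to run as root. The hostnames used are constructed examples.

```python
import os
import re
import subprocess

# Plain DNS hostname: labels of letters, digits and hyphens (1-63 chars each, no
# leading/trailing hyphen) joined by dots, 253 chars max. Nothing else passes.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(hostname):
    """Anti-pattern (hypothetical reconstruction): the user value is pasted into a
    shell command line, so the shell, not curl, decides what any metacharacters in
    it mean. This function only builds the string and never executes it."""
    return f"curl -sI https://{hostname}/"


def validate_hostname(hostname):
    """Allow-list check: raise on anything that is not a bare DNS hostname."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return hostname


def hardened_argv(hostname):
    """argv list for subprocess: no shell is involved, and the validated hostname
    is one argument, so it can only ever be a URL component for curl."""
    host = validate_hostname(hostname)
    return ["curl", "-sI", "--max-time", "10", f"https://{host}/"]


def running_as_root():
    """True when the effective user is root (the privilege level in the logs above)."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def probe(hostname):
    """Fetch the TLS endpoint's headers; refuses to run with root privileges."""
    if running_as_root():
        raise PermissionError("refusing to run certificate checks as root")
    return subprocess.run(hardened_argv(hostname), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    print(hardened_argv("example.com"))
```

`probe()` needs curl and network access; the assertions below exercise only the validation and argv construction.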

A few days before the security flaw was found, Trustico intended to revoke security certificates issued by Symantec/DigiCert. The Mozilla and Chrome browsers were rejecting DigiCert certificates after the misissuance of over 30,000 of them. As a result, Trustico decided it was better to switch from DigiCert to Comodo. According to a statement by Trustico, “We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn’t meet our stringent security requirements”.

After they requested that DigiCert revoke the certificates so they could be replaced with Comodo ones, DigiCert declined to do so unless the certificates were compromised. Trustico then proceeded to email DigiCert the private keys of the certificates, thereby compromising them and revealing that their certificate validation tools logged the private keys of certificates. According to Jeremy Rowley from DigiCert, “Trustico has not provided any details how the private key leaked or how did they acquire the keys”, which now leads to skepticism about whether any stored private keys were accessed by unauthorized parties while the code injection vulnerability was present.

— Alex Baraker
Security Without Communication is Worthless

Security without communication is worthless. This is because if the public doesn’t understand security terms, they will be affected. This can be due to the fact that security policies use very technical terms to describe things. They were technical enough that people either did not follow them correctly or did not care. For example, the industry doesn’t use the prefix “cyber” on its own, as most people don’t interpret it as hacking. Another technical term is “black market”, which in general usage means the dark web. The new cyber security guide aims to bridge the communication gap so that anybody can understand it.

This is because in order to get one’s point across, one must communicate it in the way the other person thinks. For example, if one describes his/her position to someone who isn’t in the same field, they may or may not understand what the position does. Or, when you are helping someone with their homework, it is best to explain it in their way of thinking, so they can understand your message. In security, if something is said the technical way and the general public doesn’t understand it, security people are wasting their time explaining. The solution to this problem is the “new cyber security style guide”. It will use terms that the general public uses and understands, so that security protocols can be followed correctly.

– Anil Adharapurapu