Is your phone really locked?


Recently, new information has been discovered regarding lock screen vulnerability on certain Android products. “Google recently issued a patch for Nexus mobile devices to fix an Android Lollipop vulnerability that lets hackers bypass the lock screen and gain control of mobile devices. However, it could take weeks to months for manufacturers and service providers to roll out the patch for other Android devices.” University of Texas security researcher John Gordon was the person to discover this exposure of information.

Locking methods of the pattern or PIN lock do not provide a text field. The hack needs text pasted into that field to crash the lock screen so the safest thing to do is to use one of those two methods of securing your cell. “Lock screen security in general is iffy, lock screen vulnerabilities happen on all mobile operating platforms,” Lysa Myers, a researcher for Eset told LinuxInsider.

Many owners of these types of phones may ignore this recent news as they fell they have set a tricky password to crack but that is no deterrent to these hackers. “This is a major threat. Even when users feel confident about locking their phone with a strong password, if their device is exposed to this exploit, it does not really matter how strong the password is,” said Armando Leon, director of mobile at LaunchKey.

Overall, it could take many months for most users to receive the patches. As these patches are slowly getting out to the users at such a slow speed there is not any measures in place to stop these hackers from bypassing a persons lock screen and going straight to their home screen. This results in loss of personal data as well as huge inconvenience to the owner.


Lisa Ann Hornak

Android SMS Malware

According to SOPHOS’ ‘naked security’ blog, there are fake Android Applications making the rounds, which uses SMS (Text messages) to act similarly to a worm and infect as many people as possible. Applications such as ‘Heart App’ and ‘Self-time’ have been discussed and fixed previously, but the most recent malicious app (as of March 6th) goes by the name Gazon.

So how does one become infected by Gazon? It starts with having a friend (or other contact) that has been infected with it already. You would receive an SMS from this person which would contain an introduction, some message stating that they are sending you an amazon gift card, followed by a ‘link’ to where you can claim it. These links are usually obscured by URL shortening services such as Bitly, so they generally wouldn’t look like a normal domain name. If you were to follow this link, it would direct you to download and install Gazon, masquerading as an Amazon Rewards Application. Upon downloading and running this app, every contact that a user has becomes a viable target, as Gazon doesn’t limit itself to the amount contacts it will attempt to reach like Heart App and Self-time do. On top of this, pop-up ads will be displayed when using browsers, advertising games, vouchers and rewards (according to the article).

There are two things that I find interesting about this ordeal. The first is that this this app is not certified by Google, and thus does not appear on the Google Play store. The only way that this app can spread is through SMS, meaning that if you’ve ever gotten a message similar to this, than one of your contacts has fallen for this tactic and downloaded it. Furthermore, I could not find an ‘Amazon Rewards’ app on the Google Play store, legitimate or otherwise, meaning that its likely no such application exists. The second thing that I found interesting is how many ways that infection could be avoided with this app, which are not taken by the victims. For example, simply responding to the message by asking the contact what its all about would likely result in the contact confirming its spam. Similarly, someone upon being prompted to download the app could look it up on Google Play to check its legitimacy, and find that it is not legitimate. However, neither of these actions are taken, and thus the worm has proceeded to spread quickly.

The author of the malicious app has yet to be identified. Previous iterations of these kinds have apps are able to be tracked, such as the Heart App which was traced to a bored Chinese college student, but it depends on how well the authors are attempting to stay hidden. On that note the Self-time App, which is close to half a year old at this point, still has not been traced to any definitive creator.

Written By Jeff Gruttadauria

Articles Used:

Android Malware Fakes Shutdown, Steals Data

A new type of Android malware is able to hijack your phone’s shutdown process to fake being turned off. Once in this false shutdown this malware is used to steal data and use the phone’s services. The phone must be rooted to be vulnerable to this exploit.

Researchers at AVG found the malware and posted information about it to their blog on February 18, 2015. When an infected phone is being shutdown a fake dialog box appears giving the user what appears to be standard options. When shutdown is selected the malware plays a fake shutdown sequence and appears to be turned off. Once in this state the victim’s phone can be accessed and used to make calls, take pictures and transfer data without the victim’s knowledge.

According to AVG the malware has been spread to at least 10,000 Chinese devices so far through third-party app sites. They have reported that the malware can affect devices with any Android OS prior to version .5 (Lollipop) and the phone must be rooted.

The exploit involves the ShutDownThread.shutdown function and mWindowManagerFuncs.shutdown interface object. The malware tries to gain root permissions and once successful injects a modified system_server process to hijack the stock shutdown function. It then listens for the power key button to be called at which point it launches it’s own fake dialog box.

Jacob R Hooker


CurrentC Hacked Before It Is Even Launched

CurrentC is a mobile payment system slated for release in 2015 that is meant to compete with Google Wallet and Apple Pay. On October 30, Merchants Customer Exchange (MCX), which is the organization behind the smartphone app, informed its beta testers that their database had been hacked and that users’ email addresses had been compromised. Unlike Google Wallet and Apple Pay, CurrentC uses a completely different system that uses QR codes instead of NFC to make financial transactions. It also does not allow you to pay using a credit card and instead links directly to your checking account. The system is being backed by many retail giants since it would allow them to avoid paying for credit card transaction fees. Although no financial information had been leaked during this breach, this is still a huge cause for concern for many people since CurrentC requires for you to enter in your bank account information and social security number. It also does not help that Kmart, Lowe’s, Target, and several other companies that are members of MCX have already experienced data breaches of their own over this past year.


-Chris Jones

Firechat: not secure….yet

Firechat is a new app for Android, iOS, and Windows phone that has gained momentum because of its interesting ability to create mesh networks or Ad hoc networks. There are a few conditions to use the app, one being that an internet connection is requited for initial creation of username and password. The fact that the creators ask for real names show how much they don’t understand how their app is being used. Though there is no verification on the real name. Firechat has become so popular because when in large protests like in Hong Kong cell networks can be congested and almost unusable. Also in protest situations the government can actually shutdown the networks to prohibit communication. Lastly there is the case where there is no network at all, for example at Burning Man in Nevada. This is where firechat comes in. Firechat uses mesh networks created with a combination of Bluetooth and Wi-Fi. Each phone acts as a node that has the ability to forward messages to the nodes around them.

This app is really cool just on the technical side alone but in practice there are some security flaws to mention. The messages the all the nodes on the mesh network are receiving are in plain text and there is no verification on the messages to see if they were manipulated. Using a tool called Blucat, it is a version of Netcat that port scans on Bluetooth can see the messages. It is then possible to spoof where the messages are coming from and sent your own fake messages.

In conclusion, firechat is a cool new app that has a lot of potential. I hope these security flaws are fixed soon and in the meanwhile have fun.

Live demo of Blucat @ 9:16

Source article