An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.

The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to the advisory posted by Google.

Google credits Ashley Shen and Christian Resell of its Google Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also unveiled 10 other patches for various other Chrome issues.

Intents are a deep linking feature on the Android device within the Chrome browser that replaced URI schemes, which previously handled this process, according to Branch, a company that offers various linking options for mobile applications.

“Instead of assigning window.location or an iframe.src to the URI scheme, in Chrome, developers need to use their intent string as defined in this document,” the company explained on its website. Intent “adds complexity” but “automatically handles the case of the mobile app not being installed” within links, according to the post.

Insufficient validation is associated with input validation, a frequently-used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components, according to MITRE’s Common Weakness Enumeration site.

“When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application,” according to a post on the site. “This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.”

**Fending Off Exploits**

As is typical, Google did not disclose specific details of the bug until it is widely patched to avoid threat actors taking further advantage of it, a strategy that one security professional noted is a wise one.

“Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws,” observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable, in an email to Threatpost.

 Holding back info is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project. These all could be affected if an exploit for a vulnerability is released, he said.

“It is extremely valuable for defenders to have that buffer,” Narang added.

While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google did patch a critical bug tracked as CVE-2022-2852, a use-after-free issue in FedCM reported by Sergei Glazunov of Google Project Zero on Aug. 8. FedCM—short for the Federated Credential Management API–provides a use-case-specific abstraction for federated identity flows on the web, according to Google.

**Fifth Chrome 0Day Patch So Far**

The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.

In July, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while in May it was a separate buffer overflow flaw tracked as CVE-2022-2294 and under active attack that got slapped with a patch.

In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8 tracked as CVE-2022-1096 and under active attack also spurred a hasty patch.

February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.

Google Patches Chrome’s Fifth Zero-Day of the Year

**SAN FRANCISCO, Aug. 17, 2022 —** The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

**Premier Member Quote**

**Capital One**

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community."

*   Chris Nims, EVP of Cloud & Productivity Engineering at Capital One

**General Member Quotes**

**Akamai**

"Improving the security of open source software — so central to the internet ecosystem — is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk_._ As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

*   Robert Blumofe, EVP and CTO, Akamai

**Kasten by Veeam**

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

*   Gaurav Rishi, Vice President of Products and Partnerships at Kasten by Veeam

**Scantist**

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

*   Dr. Liu Yang，Professor at Nanyang Technological University, Singapore and Co-Founder of Scantist

**SHE BASH**

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

*   Cameron Banowsky, Co-founder and CTØ, SHE BASH

**Socket Security**

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

*   Feross Aboukhadijeh, Founder and CEO, Socket Security

**Sysdig**

Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

*   Edd Wilder-James, Vice President, Open Source Ecosystem at Sysdig

**Timesys**

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

*   Atul Bansal, CEO of Timesys

**ZTE Corporation**

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

*   Xiang Shuming, Director of OSS Compliance and Security Governance, ZTE Corporation

Additional Resources

*   View the complete list of the 89 OpenSSF members
*   Watch the recent August OpenSSF Town Hall
*   Contribute efforts to one or more of the active OpenSSF working groups and projects

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain

The best end-to-end encrypted messaging app has a host of security features. Here are the ones you should care about.

In times of uncertainty, people rightly often turn to the encrypted messaging app Signal. Whether it’s to protect sensitive conversations amid social unrest or to keep your communications private after the fall of _Roe v. Wade_, Signal represents most people’s best way to communicate safely. And thanks in part to a $50 million infusion in 2018 from Brian Acton, the former WhatsApp CEO and current interim Signal Foundation CEO, the once niche app is more accessible than ever.

Signal’s popularity often spikes in times of strife or when alternatives seem more precarious. In May 2020, as police brutality protests swept US cities, daily Signal downloads nearly tripled from their average, according to analytics company Apptopia. It saw another surge in January 2021 after WhatsApp, which end-to-end encrypts personal chats using the Signal Protocol, botched the messaging around a privacy policy update. Apptopia now estimates Signal has more than 600 million active monthly users. All of those people can take advantage of end-to-end encryption, which means that no one—not the government, their phone company, or Signal itself—can read the contents of messages as they pass between devices.

Signal is not the only messaging app to offer end-to-end encryption; iMessage has it, as do stand-alone apps like Telegram. But Signal stands apart, both for its rich features and the fact that its code has been open source for years, meaning cryptographers have had plenty of opportunities to poke and prod it for flaws.

WIRED has long encouraged readers to adopt Signal. Here, we’re offering tips on how to get the most out of it once you do.

_Updated August 2022: Signal has added a few new features since we first ran this story, which are now reflected below._

Know Its Limits

For those who are new to encrypted messaging, the most important thing to remember is that it’s not magic. Having Signal on your phone does not make you invincible. Nearly 2,000 users found that out the hard way this month. Signal uses communications firm Twilio to verify users’ phone numbers and send out device registration codes via SMS messages. So when attackers successfully breached Twilio through a recent phishing campaign, they were able to access those SMS codes for some 1,900 Signal accounts and potentially register a victim’s phone number with their own device.

Signal says all affected users “can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.” But the attackers were able to take over at least one account and pose as that person on Signal. It’s a potent reminder that even an app that’s designed around security can have weak spots.

Most importantly, remember that if you’re messaging with someone who doesn’t have Signal installed, nothing’s encrypted. It only works for Signal-to-Signal communications. And make sure you have a strong password on your phone in the first place, since anyone who has physical access to your device can still read your messages.

Signal also has a desktop app, which should be plenty secure for the vast majority of people; just be aware that desktop environments face a litany of threats. And using Signal on multiple devices means more places your messages can be compromised or stolen.

Get Set Up Safely

When you join, Signal requires you to provide a phone number that essentially serves as your user name. This doesn’t mean you have to use your actual phone number, though. To avoid giving it up, use a Google Voice number instead.

To do so, head to Google Voice in your browser, log in with a Google account, and select a new phone number. Google will ask you to verify it by providing your actual phone number, where it’ll send a code that will let you complete your registration. You can now use that Google Voice number for your Signal account, keeping it separate from your main line. (Heads up: If you don't place a call or receive a single text to your Google Voice number every six months, Google will reclaim that number. If that happens, you can get it back within 45 days. So make sure to shoot your Google Voice number a text at least once every few months.)

You should feel comfortable letting Signal access your device’s contacts; it stores that information on your phone, not in the cloud. The app does periodically send truncated, hashed phone numbers back to Signal’s servers, which is how it checks if any of your contacts are also using it, but the company also says it discards that information “immediately.” That way, the app can alert you when one of your contacts signs up for Signal; if you’d rather not get those updates, tap **Settings**, then **Notifications**, and toggle off **Contact Joined Signal**.

(Note: Android users can access Signal’s **Settings** menu either by tapping their profile icon or selecting the menu under the three dots in the upper-right corner, then tapping **Settings**. iOS users will need to tap their profile icon and then Settings to access the full menu.)

On Android, you can make Signal your default messaging app by going to **Settings** > **Apps & notifications** > **Advanced** > **Default Apps** > **SMS app**, and picking **Signal**. Just remember that not everyone you text has it installed and that an iOS user you’re texting with might check their Signal app less often than they do iMessage. (iOS still doesn’t let you change the default messaging app, sorry!)

One of the most critical settings to enable is profile PINs, which will make it easier for you to keep your account data even when you transfer devices and to protect your contact lists, profile information, settings, and more. You can set one up when you join or head to **Privacy** > **Signal PIN** in your app settings to set or change yours anytime. The introduction of PINs was controversial among cryptography hard-liners, who questioned whether the so-called Secure Value Recovery they were tied to introduced potential vulnerabilities. It didn’t help that Signal had at first made the PINs mandatory. You can opt out now by going to the **Create PIN** screen and tapping **Select more**, then **Disable PIN**. Just remember that if you do so, you won’t be able to bring your contacts with you to a new device, and sensitive account information may be more vulnerable.

Lastly, once you have your PIN set up, enable **Registration Lock** by going to **Settings** > **Account** and toggling on **Registration Lock**. With this feature enabled, attackers won’t be able to take over your account and register it to a new device in the way they did through the Twilio hack mentioned above.

Protect Your Screen

It’s important to make sure that what happens in Signal stays in Signal. This means keeping people from seeing what you’re doing there from a lock screen or when switching apps. There’s not much point in having an app for sensitive messages if they just pop up on your display whenever you receive one.

To turn off Signal lock screen notifications on iOS, go to your phone’s **Settings** > **Notifications**, then scroll down and tap **Signal** > **Show Previews** > **Never**. On Android, the process is similar. From your home screen, head to **Settings**, then **Apps & Notifications**, where you can turn off all notifications. If you need more granular control, you can find that in the Signal app itself, where the steps are the same no matter what platform you’re on. Tap your profile, then **Notifications**, then **Show**, where you can choose whether to display the name, content, and actions for an incoming text; just the name; or nothing at all. You can also mute notifications for a specific conversation for a set amount of time by tapping on a message thread, then the contact header, and then **Mute**. You can silence a contact’s notifications for an hour, a day, a week, or a year.

If you’re on Android and want to enable Signal notifications, you may want to disable smart replies by going to **Settings** > **Apps & Notifications** > **Notifications** > **Advanced** and making sure “**Suggested actions and replies**” are turned off. Google says it keeps smart replies private by processing them locally on your device, but the safest bet is to limit Signal’s interactions with the rest of the operating system.

Signal also has a Screen Lock feature that requires your password—or FaceID or TouchID, whatever you use to get into your phone—to view the app’s contents. Within the Signal app on either platform, tap your profile, then **Privacy**, then toggle the **Screen Lock** option to on. Android gives you a little more granularity, with a **Screen Lock Inactivity Timeout** option that lets you set the feature to kick in after a certain amount of time. 

You’ll also want to enable **Screen Security**, which keeps Signal contents from showing up in your app switcher. On Android, select your profile, then **Privacy**, and switch on **Screen Security**. If you use iOS, go to your profile, tap **Settings** > **Privacy**, and enable **Hide Screen in App Switcher**.

Make Messages Disappear

While you can always delete messages manually along the way, that action only applies to your own phone. The people you’re chatting with still have it on their devices. To ensure that the conversation is deleted on both ends of a thread, you should embrace “disappearing messages” instead.

Signal now allows you to enable disappearing messages on all new chats by default, which we highly recommend. Go to **Settings** > **Privacy** > **Default Timer for New Chats**, and select the length of time you want your messages to disappear by default. You can choose preset options ranging from 30 seconds to four weeks, or set whatever custom time you like. Note that enabling this setting only applies to new chats and won’t override the settings for chats you were in before turning it on.

You can also tweak your disappearing message settings for individual chats. From within a chat, tap on the name of your contact. Toggle over **Disappearing Messages** and set the amount of time you want them to be live before they vanish. A timer icon will show up in your thread; either of you can change the disappearing time by tapping on it and adjusting it as needed. That’s also how you can disable disappearing messages altogether within a particular chat.

It’s a handy feature, but a quick reminder that people can still screenshot your conversations to keep a record, so don’t assume they’re gone forever—especially if you don’t trust whoever’s on the other end of the line.

Place an Encrypted Call

Signal’s not just for messages; you can make end-to-end encrypted voice and video calls from the app as well. To do so, just tap the pencil icon within the app like you would to start a chat. Pick a contact, then select either the video icon or phone icon, depending on which type of call you’d like to make.

Signal also now allows group video calls. If you already have a group created, tap on the chat, then select the video icon. If you want to create a new group, select the **pencil icon** > **New Group**, select the contacts you’d like to include, and tap **Next**. Give your group a name, and hit **Create**. Then tap the video icon.

An important note here: If you do make calls from Signal on iOS, make sure to first head to **Privacy** within the app and toggle off **Show Calls in Recents**. Otherwise, your Signal call history will sync with iCloud, creating an unnecessary record of your conversation. And if you’re extra cautious, go to **Settings** > **Privacy** and toggle on **Always Relay Calls**; that’ll route your calls through Signal’s servers and hide your IP address in the process.

Send Photos and Videos

As with other messaging apps, you can use Signal to send photos and videos—with a privacy-friendly media feature that sets it apart.

First things first: If you take a photo from within Signal—just tap the camera icon either from your contact list or within a chat—it doesn’t automatically save to your camera roll, which means it doesn’t get backed up to your cloud photo library. That’s good! The fewer ways you can accidentally leave a trail, the better. If you want to keep an image for posterity, you can tap the save icon in the upper right corner. Otherwise, just send it and move on.

You can also make sure that your photo and video don’t stay on the recipient’s device long. Before you hit send, note the infinity icon next to the chat bubble. That means the media you’re about to share can be viewed indefinitely. Tap it once, though, and it’ll switch to a **1x**, meaning that the photo or video will disappear from the conversation as soon as it’s been viewed. A record will remain in the thread that media was shared, but the image itself will no longer be visible.

Extra Measures

This list is not 100 percent comprehensive. Some features are too minor to mention; others are intended for niche use cases. But there are a few other stray tips that might be helpful to know as you get used to using Signal.

**Read Receipts:** Some people feel strongly about these! If you’re one of them, head to **Settings** > **Privacy** and toggle them off when you’re in the app.

**Stickers:** As part of its long-term quest to find broad appeal, Signal recently added a limited selection of stickers to liven up your secret chats. (Incorporating them required some tricky encryption itself.) Just tap the sticker icon in the chat compose window to peruse your options.

**Emoji Reactions:** Similarly, Signal finally expanded its emoji reaction options in June 2020. From seven basic choices, the app broadened the palette to a full range of faces, animals, foods, buildings, and yes, smiling poop. To add a reaction, just hold down on the response, then tap the three horizontal dots to access the full keyboard.

**Block Party:** Block! Block! Block! Block! To shut down unwanted conversations, either tap on the user’s name from within a chat and toggle over **Block This User**, or strike preemptively by tapping your profile icon, then **Privacy** > **Blocked** > **Add Blocked User**, and then the party you don’t want to hear from.

**Message Requests:** As of August 2020, you can also approve or block other Signal users when they first reach out to you, without their knowing that you’ve seen their incoming message or call. If you do block someone, they won’t get any indication other than remaining in limbo. And the feature also blocks strangers from adding you to group chats, a popular spammer tactic. It’s similar to what you’ve likely already experienced in Facebook Messenger or Twitter direct messages and will be increasingly useful as Signal’s user base expands.

**Private Type:** On Android, third-party keyboard apps can retain a record of what you type and swipe; not ideal when you’re trying to send private messages. Under **Privacy**, go ahead and toggle on **Incognito Keyboard** to keep them in the dark.

**Change your number:** If you get a new phone number or want to change the number you use with your Signal account, the app now allows you to do so without losing everything. The feature doesn’t work in all situations or with every version of the app or operating system, so check the details here.

That should be enough to get you started! Just remember, as you get used to the advanced settings and figure out what combination of disappearing messages and screen locking works for you, that you’ve already taken the most important step of all: downloading Signal in the first place.

How to Use Signal Encrypted Messaging

By Waqas
Another day, another set of nasty applications on the official Google Play Store. The growing efforts of cyber-criminals…
This is a post from HackRead.com Read the original post: 35 malicious apps found on Google Play Store, installed by 2m users

****Another day, another set of nasty applications on the official Google Play Store.****

The growing efforts of cyber-criminals to have malicious apps listed on the Google Play Store have resulted in some of the most widely used smartphone applications being exposed to malware and banking trojans in recent years.

Despite efforts made by Google to enhance security, researchers continue to expose malicious campaigns that use innovative tactics to get around corporate safety controls.

Now, the IT security researchers at Bitdefender have identified 35 malicious applications on the Play Store with over two million downloads. These apps are designed with methods of action that allow them to masquerade as legitimate ones by changing their names and icons and bombarding the victim’s device with advertisements.

According to Bitdefender, these ads help cybercriminals achieve their monetary goals along with directing victims to malicious sites or links that drop additional malware on the targeted devices.

In their **blog post**, BitDefender’s research team stated that the cybercriminals behind the campaign used several methods to trick victims into keeping the malicious apps on their devices. For instance, some of the apps offered version updates that allowed the attackers to hide and evade detection on the device.

> Many legitimate apps offer ads to their users, but these ones show ads through their own framework, which means they can also serve other types of malware to their victims. Most of the time, users can choose to delete the application if they don’t like it. But these new malicious apps trick victims into installing them, only to change their name and icons and even take some extra steps to conceal their presence on the device.
> 
> Bitdefender

However, one positive aspect of this report is that BitDefender identified the malicious campaign using its (soon to be unveiled) behavioral technology designed to analyze malicious app activity after installation.

Behavioral technology in cybersecurity can be used to track malware behavior across all channels, including websites and social media platforms. This data can then be used to improve the security and user experience in real-time.

> Bitdefender identified the malicious apps using a new real-time behavioral technology designed to detect precisely these dangerous practices, among many others. This new technology is slowly being rolled out to our customer base and will become available to everyone in the coming months.
> 
> Bitdefender

**List of Malicious Apps**

1.  gb.tolltwentytwo.ikey
2.  com.smart.tools.wifi
3.  jkdf.gds.gds.g
4.  com.newsoft.camera
5.  hj.jk.jikj.jkj
6.  finze.lockgti.dae.cag
7.  kk.f.ea.tew.t
8.  sc.qs.vak
9.  zzhse.ge.ge.ge.e
10.  ice.ccylice.volume
11.  ck.lad.secret
12.  smart.ggps.lockakt
13.  am.asm.master
14.  com.charging.show
15.  joao.de.def.e.aew
16.  ifa.nod.vys
17.  qu.motor.astrolog
18.  ice.ccylice.colorize
19.  gb.blindthirty.funkeyfour
20.  com.voice.sleep.sounds
21.  com.creator.smartqrcreator
22.  com.xmas.girlsartwallpaper
23.  gb.theme.twentythreetheme
24.  gb.fiftysubstantiated.wallsfour
25.  com.xmas.artgirlswallpaperhd
26.  gb.packlivewalls.fournatewren
27.  gb.labcamerathirty.mathcamera
28.  gb.mega.sixtyeffectcameravideo
29.  gb.actualfifty.sevenelegantvideo
30.  de.eightylamocenko.editioneight
31.  gb.helectronsoftforty.comlivefour
32.  gb.crediblefifty.editconvincingeight
33.  gb.convenientsoftfiftyreal.threeborder
34.  gb.sixtycreativecyber.magiceleganttwo
35.  gb.convincingmomentumeightyverified.realgamequicksix

**Protection Against Malicious Apps**

With more than two billion active Android devices, it is no wonder that the Google Play Store is a target for malware developers. It’s no secret that the Google Play Store is home to some nasty malware including **DawDropper**, **Joker**, **SharkBot**, **Xenomorph,** and many more.

However, at the same time, it is one of the most secure platforms to download Android apps. So how can you protect your phone from all of the bad stuff? Here are a few tips:

1.  First, make sure you’re running the latest version of Android. Google is constantly working to improve security on the platform, so newer versions of Android are less vulnerable to attack.  
    
2.  Next, take a look at the app permissions before installing anything from the Play Store. If an app asks for more permissions than it needs, that’s a red flag that it might be up to no good.  
    
3.  Install a reputable security app from the Play Store. This will add an extra layer of protection to your device, catching any malware that slips through the cracks.  
    
4.  Only download apps from trusted sources. This means avoiding third-party app stores and websites – Stick to the Google Play Store.  
    
5.  Finally, check reviews before downloading an app. If an app has a lot of negative reviews, it’s probably not worth your time. (**_Read how fake reviews cause 50% of threats against Android_**).

1.  **Play Store Apps Caught Spreading Android Malware to Millions**
2.  **BRATA Android malware factory resets phones after stealing funds**
3.  **New MaliBot Android Malware Found Stealing Personal, Banking Data**
4.  **Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets**
5.  **New Russian Android Malware Tracks GPS Location and Spies on Victims**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

35 malicious apps found on Google Play Store, installed by 2m users

In Sony Xperia series 1, 5, and Pro, an out of bound memory access can occur due to lack of validation of the number of frames being passed during music playback.

May 18, 2022

**Research by:** Slava Makkaveev, Netanel Ben Simon

**Introduction**

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The ALAC issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file. In addition, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine.

In this study, we focus on mobile devices.

**OpenMAX Codecs**

Open Media Acceleration (OpenMAX or OMX) is the set of C-language programming interfaces that provides abstractions useful for multimedia processing.

On Android devices, the Stagefright media playback engine integrates OpenMAX to recognize and use custom hardware-based multimedia codecs.

**Figure 1:** OpenMAX in Android media.

While Android provides built-in software codecs for common media formats, a hardware manufacturer can add an OpenMAX codec to decode/encode a specific one.

All media codecs presented on the device are listed in the /vendor/etc/media_codecs.xml file. According to the OpenMax specification, the codec name and content type must be declared for each codec.

**Figure 2:** Built-in software codecs.

An OpenMAX codec is a dynamic library that implements the corresponding decoding/encoding logic. The relationship table between the codec name and the library name is built into the OpenMAX Core library /vendor/lib/libOmxCore.so. On MediaTek devices, the /vendor/etc/mtk_omx_core.cfg configuration file contains this table in text format.

**Figure 3:** Core configuration.

Both MediaTek and Qualcomm provide custom OpenMAX decoders for the ALAC format. The ALAC declaration is shown in Figure 4, where the first line refers to MediaTek devices and the second line to those belonging to Qualcomm.

**Figure 4:** ALAC decoder declaration.

/vendor/lib/libMtkOmxAlacDec.so is the OpenMAX ALAC library on MediaTek devices and /vendor/lib/libOmxAlacDecSw.so is the library on Qualcomm. Media service /vendor/bin/hw/[email protected] loads the ALAC library when requested by an Android app, and then calls it to decode the supplied frames.

A malicious .m4a audio file can be used to attack a device even when played in a safe app based on the Android media framework. In addition, a malicious app can use a harmful frame to attack the privileged [email protected] service.

**Requesting frame decoding from the app**

The Android framework provides the android.media.MediaCodec class to access low-level media codecs.

We can create the ALAC decoder by using its name.

The configure method can be used to tune the decoder. A Codec-specific Data (csd-0) array allows us to set the frame length and bit depth parameters that we want to control in order to exploit the vulnerabilities.

To pass an arbitrary frame to the decoder for processing:

The Android app does not require any permissions to initiate decoding. To attack the media service, all we need to do is to prepare a malformed frame that causes the vulnerability.

**The ALAC vulnerabilities****MediaTek**

A quick look at the libMtkOmxAlacDec.so library showed that it is more likely based on the Shairport source code than on the code published by Apple. In fact, both sources are quite similar and have the same security issues.

The MtkOmxAlacDec::InitAlacDecoder method is responsible for initializing the ALAC decoder based on the csd-0 information provided by the app or included in the audio file header. The method calls the alac_init function, which fills an internal object with the audio parameters and allocates working buffers to store the decoded data.

The setinfo_max_samples_per_frame field of the alac object is initialized with the frame length (the first DWORD of the csd-0), and the setinfo_sample_size field is initialized with the bit depth.

The frame length times 4 of the heap memory is allocated as the outputsamples_buffer_a buffer. No integer overflow check is performed. In the 32-bit media server, if the provided frame length is greater than or equal to 0x40000000, the wrong amount of memory is allocated.

The MtkOmxAlacDec::DecodeAudio method is responsible for decoding the audio frame. It calls the alac_decode_frame function passing the alac object, the decoding frame, and an output buffer for decoded data as arguments.

The variable outputsamples is the number of samples to decode. As you can see, it is initialized with the setinfo_max_samples_per_frame at the beginning of the function, which is the maximum possible value of samples per frame. However, this variable can be corrected by the actual number of samples, the value of which is encoded in the frame itself. There are no validations associated with the outputsamples, so an invalid number could be provided. For example, in the frame in Figure 5, the number of samples is 0x41414141.

**Figure 5:** Malformed ALAC frame.

Several code snippets like the one shown below are implemented in the alac_decode_frame function to decode the frame data.

As you can see, outputsamples \* setinfo_sample_size bits are decoded from the input frame into the outputsamples_buffer_a buffer, the size of which is setinfo_max_samples_per_frame \* 4. We control all the involved values: the outputsamples, the setinfo_sample_size, the setinfo_max_samples_per_frame, and the decoding content.

For a heap data leak, we set the outputsamples and the setinfo_max_samples_per_frame to be larger than the input frame. In this case, the contents of the heap after the frame buffer are “decoded” to the outputsamples_buffer_a, which is then copied to the output buffer.

To overwrite the heap, we set the setinfo_max_samples_per_frame to be smaller than the input frame. In this case, the data is decoded outside the outputsamples_buffer_a buffer as determined by what we set in the outputsamples.

In Figure 6, you can see the crash dump caused by the malformed frame shown in Figure 5. The test device is the Xiaomi Redmi Note 9T 5G (MediaTek MT6853 Dimensity 800U 5G chipset) with MIUI Global 12.5.2.0 OS.

**Figure 6:** Crash dump of MediaTek’s ALAC decoder.

All of the described vulnerabilities can be exploited as they provide both read and write primitives.

**Qualcomm**

The ALAC decoder implemented by Qualcomm has exactly the same issues as the MediaTek’s decoder.

The OpenMAX libOmxAlacDecSw.so library is a wrapper over the libAlacSwDec.so, which is based on the source code shared by Apple.

The ALACDecoder::Init method allocates the mMixBufferU buffer to store the decoded data. The buffer size is 4 times the frame length specified in the csd-0 and controlled by the attacker.

The ALACDecoder::Decode method decodes ALAC frames. Again, there is no verification of the number of samples provided in the frame.

Depending on the numSamples and the size of the input frame, the mMixBufferU buffer can be overflowed with the input frame or filled with leaked data.

In Figure 7, you can see the crash dump of Qualcomm’s ALAC decoder. The test device is the Sony Xperia XZ Premium.

**Figure 7:** Crash dump of Qualcomm’s ALAC decoder.

**Conclusion**

We discovered several vulnerabilities in the Apple lossless audio codec that are relevant for smartphones with MediaTek and Qualcomm chipsets. Two thirds of all smartphones sold in 2021 are vulnerable.

The issues we found could be used by an attacker for RCE on a mobile device via a malicious audio file, or for LPE from an unprivileged Android application. The attacker could gain access to user conversations and stored media.

MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Check Point’s customers _remain fully protected_ against such threats while using Harmony Mobile Security.

CVE-2022-23747: #ALHACK: One codec to hack the whole world - Check Point Research

Google’s new mobile operating system has arrived. Take back some control with these privacy and security tips.

It's late summer in the northern hemisphere, which means new phone operating systems are coming. In a few weeks, Apple will release iOS 16 to millions of iPhones and iPads around the world. Google, meanwhile, has already made the latest version of Android available—on some phones you can now download Android 13.

The newest version of the Android operating system is more “evolution than revolution,” with the majority of changes smaller than in previous iterations. But Android’s security team is trying to simplify people’s privacy options throughout Android 13. This version of the OS involves changes under the hood for app developers and some streamlined security options for users.

You probably don’t spend a lot of time thinking about the privacy and security settings on your phone. However, whenever you download a new operating system, it’s worth spending a few minutes scrolling and tapping through all the options you haven’t touched in the past 12 months. Here’s what you should take a look at on Android 13.

Clamp Down on App Permissions

In Android 12, Google introduced “nearby device” permissions. This was designed to stop your headphones app from requesting your precise location when it was trying to wirelessly connect to your headphones. Android 13 expands on these controls to stop apps from using Wi-Fi permissions to collect your location data. In their code, app developers have to specify that they will never use Wi-Fi APIs to access location information.

Android’s **Privacy dashboard** has also been updated. The dashboard, which can be accessed through **Settings >** **Privacy**, shows the permissions you have given apps to use—this includes the apps that can access your camera, contacts, and multiple other sensors and types of data. It will now show which apps have used each permission over the past seven days, rather than just 24 hours.

Some of the privacy changes in Android 13 don’t require you to do anything, but it is worth knowing about them anyway. For instance, the OS will start deleting your clipboard history automatically after a short period of time so that apps don’t snoop on the information you previously copied. Also, from now on, apps that use Google’s advertising ID, which is a unique code assigned to your device, must declare the ad ID permission in their documentation. “If your app does not declare this permission when targeting Android 13 or higher, the advertising ID is automatically removed and replaced with a string of zeroes,” Google says.

Photo Picker

When you want to use a photo you’ve taken in another app—for instance, as a Twitter profile photo or to share images with friends—your device uses Photo Picker. This loads up a screen that includes the photos on your device and gives you the option to use them in the app you’re in. The new privacy changes in Android 13 mean you won’t automatically give an app access to all your photos and videos. Instead, the photo picker will now only give the app access to the photos you allow it.

In addition, Android’s developer pages state that if apps want to use images, audio, or video that other apps have created, they must explicitly say the type of files they want access to and give you clear prompts that this will happen.

More Notification Control

Few things are more infuriating than apps that send a constant barrage of notifications. And there are some notifications you may not want appearing on your screen for anyone nearby to see. While it has been possible to control app notifications for some time, Android 13 is making it easier to do so from the outset. Now, when you open up an app for the first time or use it for the first time in a while, you’ll be asked if you want it to send you notifications. Spammy notifications, be gone.

Other Security and Privacy Options

While you’re thinking about your phone’s privacy settings, it’s worth taking some time to flick through your device’s other options to boost your overall protection. It’s possible there are previous changes that you’ve missed. The vast majority of the settings below can be changed by visiting **Settings** on your Android and then following the specific options.

In the **Security** section, Android provides you with an overview of your device’s status. It will show you when the last security update was applied, let you set a screen lock and fingerprint or biometric unlocking (if your device supports them), and let you go through Google’s wider security checkup that looks at the current state of your accounts. (Later this year, Android will introduce a new **Security & privacy** option that will put all of these settings in one place.)

In the **Privacy** menu, there are a few things you should change. The **Privacy dashboard**, as described above, will show you which apps have used which sensors and data on your phone in the past seven days. After looking at this, you should tap on **Permission manager**, where you’ll be presented with all the sensors and types of data that your phone can give to apps. These range from your location and camera access to your calendar and files. You should look through each of the permissions and decide if an app really needs access to them to function.

Next in **Privacy**, you should open **Google location history** and **Activity controls**. Both of these options are linked to your wider Google account(s), but the settings here allow you to control what data Google keeps about you—it’s a lot. Using these options, you can wipe your web and activity data, the locations Google keeps on your movements, and details such as YouTube search history.

Then head to **Privacy** and **Ads**. Here you can use **Reset advertising ID** to change the ID Google has assigned to your phone. This advertising ID is used by apps and advertisers across the web to track your interests and show you potentially creepy personalized advertising. As well as resetting your ad ID, there’s an option to **Delete advertising ID**, meaning “apps can no longer use this advertising ID to show you personalized ads.”

Finally, while you’re thinking about your digital privacy and security, you should make sure you are using a password manager to protect your online life and using multi-factor authentication wherever possible.

The Android 13 Privacy Settings You Should Update Now

In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development.
"This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals

In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development.

"This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim's devices," ThreatFabric's Han Sahin said in a statement shared with The Hacker News.

Dubbed BugDrop by the Dutch security firm, the dropper app is explicitly designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims.

ThreatFabric attributed the dropper to a cybercriminal group known as "Hadoken Security," which is also behind the creation and distribution of the Xenomorph and Gymdrop Android malware families.

Banking trojans are typically deployed on Android devices through innocuous dropper apps that pose as productivity and utility apps, which, once installed, trick users into granting invasive permissions.

Notably, the Accessibility API, which lets apps read the contents of the screen and perform actions on behalf of the user, has come under heavy abuse, enabling malware operators to capture sensitive data such as credentials and financial information.

This is achieved by means of what's called overlay attacks wherein the trojan injects a fake lookalike login form retrieved from a remote server when a desired app such as a cryptocurrency wallet is opened by the victim.

Given that most of these malicious apps are sideloaded – something that's only possible if the user has allowed installation from unknown sources – Google, with Android 13, has taken the step of blocking accessibility API access to apps installed from outside of an app store.

But that hasn't stopped adversaries from attempting to circumvent this restricted security setting. Enter BugDrop, which masquerades as a QR code reader app and is being tested by its authors to deploy malicious payloads via a session-based installation process.

"What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session-based installation method, which would then later be incorporated in a more elaborate and refined dropper," the researchers said.

The changes, should it become a reality, could make the banking trojans a more dangerous threat capable of bypassing security defenses even before they are in place.

"With the completion and resolution of all the issues currently present in BugDrop, criminals will have another efficient weapon in the war against security teams and banking institutions, defeating solutions that are currently being adopted by Google, which are clearly not sufficient to deter criminals," the company noted.

Users are advised to avoid falling victim to malware hidden in official app stores by only downloading applications from known developers and publishers, scrutinizing app reviews, and checking their privacy policies.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

Categories: Exploits and vulnerabilities
Categories: News
Tags: 104.0.5112.101

Tags:  Google

Tags:  Chrome

Tags:  CVE-2022-2852

Tags:  CVE-2022-2856

Tags:  CVE-2022-2854

Tags:  CVE-2022-2853

Tags:  UAF

Tags:  heap buffer overflow

Google issued an update that includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild.



(Read more...)




The post Update Chrome now! Google issues patch for zero day spotted in the wild appeared first on Malwarebytes Labs.

Google updated the Stable channel for Chrome to 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows which will roll out over the coming days/weeks. Extended stable channel has been updated to 104.0.5112.101 for Mac and 104.0.5112.102 for Windows , which will roll out over the coming days/weeks.

This update includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild.

**Vulnerabilities**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We discuss some of the CVE’s included in this update below.

CVE-2022-2852: a critical use after free vulnerability in FedCM. Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. The Federated Credential Management API (FedCM) allows the browser to understand the context in which the relying party (for example a website) and the identity provider (a third party authentication service) exchange information.

CVE-2022-2856: Insufficient validation of untrusted input in Intents. Chrome intents are the deep linking replacement for URI schemes on the Android device within the Chrome browser. Google’s Threat Analysis Group submitted the vulnerability and technical details will not be released until everyone has had ample opportunity to update.

Google is aware that an exploit for CVE-2022-2856 exists in the wild. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.

CVE-2022-2854: a UAF vulnerability in SwiftShader. SwiftShader is a an open source library that provides a software 3D renderer. The attacker would have to trick the victim to visit a specially crafted website.

CVE-2022-2853: a heap buffer overflow in Downloads. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. The heap is the portion of memory where dynamically allocated memory resides.

**How to protect yourself**

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the update the version should be 104.0.5112.101 or later.

Stay safe, everyone!

Update Chrome now! Google issues patch for zero day spotted in the wild

Mobile transactions could’ve been disabled, created and signed by attackers.

Mobile transactions could’ve been disabled, created and signed by attackers.

Smartphone maker Xiaomi, the world’s number three phone maker behind Apple and Samsung, reported it has patched a high-severity flaw in its “trusted environment” used to store payment data that opened some of its handsets to attack.

Researchers at Check Point Research revealed last week in a report released at DEF CON that the Xiaomi smartphone flaw could have allowed hackers to hijack the mobile payment system and disable it or create and sign their own forged transactions.

The potential pool of victims was massive, considering one in seven of the world’s smartphones are manufactured by Xiaomi, according to Q2/22 data from Canalys. The company is the third largest vendor globally, according to Canalys.  
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept,” wrote Slava Makkaveev, security researcher with Check Point.

He said, the Check Point study marks the first time Xiaomi’s trusted applications have been reviewed for security issues. WeChat Pay is a mobile payment and digital wallet service developed by a firm of the same name, which is based in China. The service is used by over 300 million customers and allows Android users to make mobile payments and online transactions.

**The Flaw**

It’s unclear how long the vulnerability existed or if it was exploited by attackers in the wild. The bug, tracked as CVE-2020-14125, was patched by Xiaomi in June and has a CVSS severity rating of high.

“A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service,” according to the NIST common vulnerability and exposure description of the bug.

While details of the bug’s impact were limited at the time Xiaomi disclosed the vulnerability in June, researchers at Check Point have outlined in its postmortem of the patched bug and the full potential impact of the flaw.

The core issue with Xiaomi phone was the mobile phones payment method and the Trusted Execution Environment (TEE) component of the phone. The TEE is the Xiaomi’s virtual enclave of the phone, responsible for processing and storing ultra-sensitive security information such fingerprints and the cryptographic keys used in signing transactions.

“Left unpatched, an attacker could steal private keys used to sign WeChat Pay control and payment packages. Worst case, an unprivileged Android app could have created and signed a fake payment package,” researchers wrote.

Two types of attacks could have been performed against handsets with the flaw according to Check Point.

*   From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.
*   If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application.

**Two Ways to Skin a TEE**

Controlling the TEE, according to Check Point, is a MediaTek chip component that needed to be present to conduct the attack. To be clear, the flaw was not in the MediaTek chip – however the bug was only executable in phones configured with the MediaTek processor.

“The Asian market,” the researchers noted, is “mainly represented by smartphones based on MediaTek chips.” Xiaomi phones that run on MediaTek chips use a TEE architecture called “Kinibi,” within which Xiaomi can embed and sign their own trusted applications.

“Usually, trusted apps of the Kinibi OS have the MCLF format” – Mobicore Loadable Format – “but Xiaomi decided to come up with one of their own.” Within their own format, however, was a flaw: an absence of version control, without which “an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file.” The signature between versions doesn’t change, so the TEE doesn’t know the difference, and it loads the old one.

In essence the attacker could’ve turned back time, bypassing any security fixes made by Xiaomi or MediaTek in the most sensitive area of the phone.

As a case-in-point, the researchers targeted “Tencent soter,” Xiaomi’s embedded framework providing an API to third-party apps that want to integrate mobile payments. Soter is what’s responsible for verifying payments between phones and backend servers, for hundreds of millions of Android devices worldwide. The researchers performed time travel to exploit an arbitrary read vulnerability in the soter app. This allowed them to steal the private keys used to sign transactions.

The arbitrary read vulnerability is already patched, while the version control vulnerability is “being fixed.”

In addition, the researchers came up with one other trick for exploiting soter.

Using a regular, unprivileged Android application, they were able to communicate with the trusted soter app via “SoterService,” an API for managing soter keys. “In practice, our goal is to steal one of the soter private keys,” the authors wrote. However, by performing a classic heap overflow attack, they were able to “completely compromise the Tencent soter platform,” allowing much greater power to, for example, sign fake payment packages.

**Phones Remain Un-scrutinized**

Mobile payments are already receiving more scrutiny from security researchers, as services like Apple Pay and Google Pay gain popularity in the West. But the issue is even more significant for the Far East, where the market for mobile payments is already way ahead. According to data from Statista, that hemisphere was responsible for a full two-thirds of mobile payments globally in 2021 – about four billion dollars in transactions in all.

And yet, the Asian market “has still not yet been widely explored,” the researchers noted. “No one is scrutinizing trusted applications written by device vendors, such as Xiaomi, instead of by chip manufacturers, even though security management and the core of mobile payments are implemented there.”

As previously noted, Check Point asserted this was the first time Xiaomi’s trusted applications have been reviewed for security issues.

Xiaomi Phone Bug Allowed Payment Forgery

'Hulu / ????' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app.

Published:2022/07/27  Last Updated:2022/07/27

**Overview**

"Hulu / フールー" App for Android uses a hard-coded API key for an external service.

**Products Affected**

*   "Hulu / フールー" App for Android version 3.0.47 or later, and prior to 3.1.2

**Description**

"Hulu / フールー" App for Android provided by HJ Holdings, Inc. uses a hard-coded API key for an external service (CWE-798).

**Impact**

The hard-coded API key may be retrieved via reverse-engineering the application binary.  
Note that the application users are not directly affected by this vulnerability.

**Solution**

The hard-coded API key has been revoked by the developer on June 7, 2022 and this vulnerability is not exploitable now.  
The developer has released "Hulu / フールー" App for Android version 3.1.2 without any API key hard-coded.

**Vendor Status**

Vendor

Status

Last Update

Vendor Notes

HJ Holdings, Inc.

Vulnerable

2022/07/27

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Ryo Sato of BroadBand Security, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

Tag

#android