2023/06/01 07:13:38

Android security

This is an article about vulnerabilities and security issues in the Android operating system. The main facts about the OS in the main article: Android.


Do I need an antivirus for Android?

When choosing a mobile device, you need to take many factors into account: price, functionality, reliability and so on. All these characteristics help you assess how suitable a device is for you. If we are talking about functionality, mobile security also needs to be evaluated. Apple's operating systems work as a closed system: the source code is not provided to application developers, and owners of iOS devices are not able to change the code themselves, which makes such devices safer.[1]

Android devices, on the other hand, are seen as less secure because they run on an open-source system. This means that the owner of the device can seriously "play" with the system settings to customize them as they like. The code is also open to application developers. Unfortunately, this approach can become a weak side of the device and make it more open to malware.

Malicious programs install unwanted program code (programs, applications) on your device for malicious purposes. Such goals can be relatively harmless (causing you irritation) or very extreme (gaining access to confidential information in order to steal it and use it against you).

Can Android phones get infected with viruses?

Traditional "viruses" are common on PCs; a virus is a program that spreads by "attaching" itself to another program (often a quite legitimate one). Android devices do not get such traditional viruses, but they can "catch" other malicious programs: for example, programs designed to secretly control the device or even steal confidential information from it.

An example of such malware for Android is Triout. Triout was first discovered in August 2018, complete with a legitimate app on Google Play. This malware could hide in your Android and record phone calls, save text messages, record videos, take photos and collect information about your location. Although this first version of the program was only active between May and December 2018, new variations of it are currently being discovered.

Built-in security features in Android

Although Android is known for being less secure, the developers of the operating system have built into it a number of security features to prevent viruses and malware.

Application Rights

There is also an app permissions feature, located in the Apps menu, that lets you see which apps have access to your phone's features. Here you can control which apps have access to your microphone, camera, location and sensitive information.

Software and Security Updates

Android offers new security and software updates for Android devices both through the site and through the built-in feature in the operating system.

Safe browsing of sites

Android devices have a 'secure site browsing' mode that is built into the operating system and enabled by default. When you use Google Chrome, this feature warns you before a suspicious site is opened. As long as your Chrome and Android are updated to the latest version, this feature will protect you from malicious sites.

How do you use your Android?

While Android has all these basic security features, they may not be enough, depending on how you use your device. In that case, you are better off using an antivirus for Android.

Downloading applications

The advantage of an open-source operating system is that you get access to a huge variety of applications. But although Google Play tries to check all applications carefully, dangerous applications quite often slip past its control. In 2017, Google removed 700,000 malicious apps from its Google Play store. Installing an antivirus for Android gives you an additional layer of protection and limits access to these dangerous applications.

Administer your phone

Many people like to be able to administer and control their phone at a deep level, because this gives them a certain freedom. However, with such freedom the level of security drops significantly, and new threats appear. To counteract this, it is very useful to add an antivirus app that scans your Android for threats.

Using your phone for work

Do you use your phone for work? If this is the case, then it may contain a lot of confidential information (passwords, bank data), the loss of which can cost you dearly. It is for this reason that, most likely, you will need an additional level of security that antivirus for Android can provide you.

Loss or theft of a device

Are you afraid of losing your device? If you do not want it to fall into the wrong hands along with all your information, it makes sense to install an antivirus for Android that can detect your device and remotely erase any confidential information on it.

Antivirus functions for Android

Antivirus software for Android is designed to make up for the security flaws of the Android operating system. Whether it is protection or performance that interests you, or you need privacy and anti-theft features, an antivirus can help solve these problems.

Here are some of the features included in the Android antivirus:

  • Real-time anti-virus protection
  • On-Demand Virus and Threat Scanning
  • Scanning an SD card
  • Optimizing Device Performance
  • Optimizing Battery Consumption
  • Verifying Access Rights for Installed Applications
  • Remotely purge sensitive data
  • Device Detection and Remote Locking

ETSI TS 103 732 (Smartphone Protection Standard)

Main article: ETSI TS 103 732 (smartphone protection standard)

App security in the Google Play Store

Main article: App security in the Google Play Store

2023

421 million times downloaded Android app with spyware

On May 29, 2023, Dr.Web announced that it had identified a software module for Android OS with spyware functions. It collects information about files stored on devices and is able to transmit them to attackers; it can also replace the contents of the clipboard and upload it to a remote server. The module is distributed under the guise of a marketing SDK and is embedded by developers in various Android games and applications, including ones available on Google Play. According to the Dr.Web classification, it was named Android.Spy.SpinOk.

The SpinOk module is designed to keep users in applications using mini-games, a task system and supposed prize draws. When initialized, this Trojan SDK connects to the C&C server, sending it a request with a large amount of technical data about the infected device. Among them are sensor readings, such as from the gyroscope and magnetometer, which can be used to recognize that the module is running in an emulator environment and adjust the malicious application's behaviour so that researchers do not detect its activity. For the same purpose, the device proxy settings are ignored, which hides the module's network connections during analysis. In response, the module receives from the management server a list of links that it loads in WebView to display advertising banners.

At the same time, the Trojan SDK extends the capabilities of the JavaScript code executed on the loaded advertising web pages. It adds many functions to that code, including:

  • retrieving a list of files in the specified directories,
  • checking for a specified file or directory on the device,
  • retrieving a file from the device,
  • obtaining and changing the contents of the clipboard.

This allows those who control the Trojan module to obtain confidential information and files from the user's device, for example files that the application with the embedded Android.Spy.SpinOk has access to. To do this, the attackers need to add the appropriate code to the HTML page of the advertising banner.

Doctor Web specialists have identified this Trojan module and several of its modifications in a number of applications distributed through the Google Play catalog. Some of them still contain the malicious SDK, others had it only in certain versions or have already been removed. Virus analysts found it in 101 programs that were downloaded at least 421 290 300 times in total. Thus, hundreds of millions of Android device owners risk becoming victims of cyber espionage. Doctor Web has notified Google of the identified threat.

Fingerprint scanners on 10 smartphones were hacked by brute force

On May 18, 2023, Chinese researchers from Tencent and Zhejiang University announced the development of a new method for bypassing biometric protection of smartphones and other devices. We are talking about hacking user identification algorithms based on fingerprints.

Experts experimented with "brute force" attacks. This approach involves guessing a password by enumerating all possible combinations. The more complex the password, the more time and computing resources it takes to crack. However, in the case of fingerprints, security algorithms do not verify that the reference and the provided sample match exactly. Instead, the input fingerprint must exceed a certain accuracy threshold. That is why the number of finger scanning attempts is limited: sooner or later an attacker can find a suitable "pattern" that deceives the protection system.

Researchers report on development of new method to bypass biometric protection of smartphones and other devices

The Chinese researchers managed to circumvent the existing security measures, such as the small number of permitted fingerprint attempts. The hacking method they developed was called BrutePrint. It is based on the exploitation of the zero-day vulnerabilities Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). The idea is to force the target device to keep taking fingerprint samples until the accuracy threshold is crossed. After that, the gadget is unlocked.

During the attack, a checksum error is triggered in the fingerprint data, which stops the authentication process prematurely. This gives attackers the ability to submit different samples an unlimited number of times. The criminal needs physical access to the target device and equipment worth about $15. The researchers tested 10 smartphones: Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, Oppo Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G, Huawei P40, Apple iPhone SE and Apple iPhone 7. During the experiments, the specialists managed to get an unlimited number of fingerprint attempts on all smartphones running Android and 15 attempts on devices running iOS. [Source: Here's how long it takes new BrutePrint attack to unlock 10 different smartphones]
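The reasoning above (a threshold matcher, a per-attempt chance of a false accept, and an attempt cap as the only thing keeping the cumulative chance small) can be put in numbers. The following is an added example written for this article, not code from the BrutePrint researchers or from any vendor: a toy byte-similarity matcher stands in for a real minutiae comparison, the per-attempt false-accept rate used in the demo run is an assumed figure, and the lockout policy is a generic model of what the attempt limit on a phone does.

```python
"""Added example: why a threshold-based biometric matcher must cap attempts.

A fingerprint matcher accepts a sample when its similarity to the enrolled
template crosses a threshold, not when it matches exactly. Each impostor
attempt therefore has a small false-accept probability (FAR), and the
attempt cap is what keeps the cumulative probability small. Removing the
cap, as described in the section above, lets that probability grow with
every extra sample.
"""
import math


def similarity(sample: bytes, template: bytes) -> float:
    """Toy similarity score: fraction of equal bytes (constructed stand-in
    for a real minutiae comparison)."""
    if not template or len(sample) != len(template):
        return 0.0
    equal = sum(1 for a, b in zip(sample, template) if a == b)
    return equal / len(template)


def matches(sample: bytes, template: bytes, threshold: float = 0.9) -> bool:
    """Threshold decision: the sample need not be identical to the template."""
    return similarity(sample, template) >= threshold


def false_accept_probability(far_per_attempt: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent impostor
    samples is accepted, given a per-attempt false-accept rate."""
    return 1.0 - (1.0 - far_per_attempt) ** attempts


def attempts_for_confidence(far_per_attempt: float, target: float) -> int:
    """Smallest number of attempts at which the cumulative false-accept
    probability reaches `target` (rounded to absorb floating-point noise)."""
    n = math.log(1.0 - target) / math.log(1.0 - far_per_attempt)
    return int(math.ceil(round(n, 9)))


class AttemptLimiter:
    """Lockout policy: after `max_failures` consecutive rejections the matcher
    refuses further samples until an explicit reset (e.g. after a PIN entry)."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, sample: bytes, template: bytes, threshold: float = 0.9) -> str:
        if self.locked:
            return "locked"          # sample is not even compared
        if matches(sample, template, threshold):
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "rejected"

    def reset(self) -> None:
        self.failures = 0
        self.locked = False


if __name__ == "__main__":
    # Assumed per-attempt FAR of 1 in 50,000 (an assumption for the demo,
    # not a figure taken from the article).
    far = 1 / 50_000
    print("cumulative FAR with a cap of 5 attempts:", false_accept_probability(far, 5))
    print("attempts needed for a 50% chance with no cap:", attempts_for_confidence(far, 0.5))
```

The two printed numbers make the point of the section: with a cap of five attempts the cumulative false-accept probability stays near the per-attempt rate, while with no cap the number of samples needed for even odds is finite and, with cheap hardware feeding the sensor, reachable.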

New Trojan extorts money from Android users in Russia, threatening to "leak" data

In May 2023, Kaspersky Lab discovered a new ransomware program called Rasket. The virus targets users of Android devices in Russia. Read more here.

Updated Xenomorph Trojan automates theft of funds from a bank account

On March 13, 2023, it became known that the Imperva Red team had discovered, at the end of 2022, a vulnerability in the Google Chrome browser that is tracked under the identifier CVE-2022-3656. While the vulnerability was active, it affected over 2.5 billion Chrome users and allowed attackers to steal confidential files, such as cryptocurrency wallet and cloud provider account data. Read more here.

2022

Attackers pass off malicious Android applications as job search programs

On November 21, 2022, Dr.Web announced the distribution of malicious applications for Android OS that attackers pass off as job search programs. With their help, swindlers can collect victims' personal information and deceive them in order to steal their money.

Android OS Malware

According to the company, the criminal scheme identified by Dr.Web specialists works as follows. Cybercriminals distribute programs through the Google Play catalog with which users can allegedly find work. To attract the attention of potential victims and increase the chances of deceiving them, the scammers pass such Trojan applications off as real job search programs. For example, one of them was distributed under the guise of the official client software of the Job Today service. It had a similar icon and title, and a misleading description on its page in the catalog. At the same time, the Trojans are actively advertised, for example in other applications through the advertising systems built into them. This increases the number of installations.

As of November 2022, the antivirus laboratory of Doctor Web revealed 7 such fakes:

  • Jobs Today-find your jobs
  • Notpon - Build a Career
  • JobsFinder
  • Nanoss
  • All online jobs
  • Jobs Online
  • Grabjobs

All of them were added to the Dr.Web virus database as members of the Android.FakeApp family. At the same time, other similar programs may appear, since high qualifications are not required from programmers to create them.

In fact, these Trojans are web applications. At launch, they load websites with fake job lists inside their windows. In some modifications the addresses are hard-coded in the settings, while others connect to a remote server to obtain the target links; the server sends the necessary parameters in JSON form.

Depending on the content of the website being loaded, various attack scenarios can be implemented. One of the basic scenarios involves the collection of personal information. When a user chooses an advertisement he likes and tries to respond to a vacancy, the site offers to fill out a mini-questionnaire with data about himself. In fact, this is a phishing form, and the information entered in it is sent, on "submit", not to the hiring company but to the attackers. They, in turn, add it to their own databases and can either use the information themselves, to carry out various attacks, or sell it on the black market.

When implementing another, more complex scenario after choosing an announcement, the user sees a message with an offer to contact the "employer" directly - for example, through WhatsApp, Telegram or other messengers.

By agreeing to this, he risks facing a wide variety of cheating schemes. In particular, attackers can introduce themselves as employees of certain companies and really offer work to interest a potential victim. However, this will turn out to be a trick, and in the end they will strive to take possession of not only personal data, but also user money. In the example under consideration, cybercriminals pose as representatives of a company called ML-Smart International E-commerce and have a WhatsApp business account.

At the beginning of the conversation, scammers report that they are representatives of a large international electronics manufacturer and ask the user to give his name, age and occupation. After receiving an answer, they reveal the essence of the proposed "work" and describe all its imaginary merits. According to their statements, the user will participate in raising the rating of goods in online stores by placing virtual orders for these goods, for which sellers will allegedly pay commissions. At the same time, the attackers promise that the earnings received in the future can be withdrawn from the system at any time. To become a member of the platform, the user must register on the corresponding site, for which he is given a link. After registration, 120 rubles are credited to his personal internal account as a "bonus." This amount is just enough to complete several "training tasks."

When implementing this scheme, the fraudsters are in constant contact with the victim. They give the victim instructions and accompany every step, maintaining interest in the service as well as the illusion that it works and is safe. However, after successful test "purchases" and the "crediting" of the first reward, they report that for further work it is necessary to top up the account by 500 rubles, allegedly to activate it. At the same time, the attackers assure the victim in every possible way that after the top-up the money, with interest, will immediately be returned to the internal account, after which the final, increased amount can be withdrawn from the system to a bank account. For persuasiveness, the cybercriminals can additionally send screenshots of payments allegedly received by other participants.

In such schemes, fraudsters either immediately steal the money contributed by users, or really at first allow them to withdraw the initial "earnings" as bait. In the second case, in the future, victims will be offered more and more expensive goods, for the execution of orders for which, due to the lack of the necessary funds in the account, it will need to be replenished for an increasingly large amount. As a result, the scammers themselves will either stop communicating, having received enough money from users, or the victims, suspecting something was wrong, will try to withdraw the available funds, but will not be able to do this by a cause invented by intruders. Thus, this scheme boils down to an attempt to cash in on the desire of users to get easy and fast earnings on the Internet. At the same time, it can be used in attacks on residents from different countries.

The Doctor Web company reminds that any offers of easy earnings on the Internet should be treated with the utmost care. If the conditions offered look too tempting, most likely someone is trying to deceive the user. When looking for a job online, you need to use proven resources. At the same time, it is important to make sure that you are dealing with real recruiting services. To do this, check websites for signs of forgery (a missing or expired security certificate, an incorrect domain name, obvious grammar or punctuation errors in the site content, etc.), and install branded applications only from official sources: the vendor's site or app stores. In the second case, you should also make sure that the publisher of the program is not an imitator trying to impersonate the real developer of the desired software. In addition, it is important to use an antivirus with parental control. It protects not only from malicious and fraudulent applications, but also from dangerous sites. Experts notified Google of the detected malicious applications. As of November 2022, most remained available for download.
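The checks Doctor Web recommends (is the domain really the expected one, is the connection protected, is the certificate still valid, is the app publisher the real one) are mechanical enough to script. The following is an added example written for this article, not code from Doctor Web or from any recruiting service; the official domain, package name and the sample URLs it is exercised with are constructed placeholders supplied by the caller, and the certificate check takes the certificate's notAfter date as an input rather than fetching it from the network.

```python
"""Added example: heuristic forgery checks for a job-site URL and an app
publisher, following the advice in the section above. All names are
constructed; `official_domain` and `official_package` are caller-supplied
assumptions about what the genuine service uses."""
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlsplit


def registered_domain_matches(hostname: str, official_domain: str) -> bool:
    """True only if hostname is the official domain or a subdomain of it.
    'official.com.evil.example' fails: the official name is not its suffix."""
    hostname = hostname.lower().rstrip(".")
    official_domain = official_domain.lower()
    return hostname == official_domain or hostname.endswith("." + official_domain)


def check_url(url: str, official_domain: str) -> List[str]:
    """Return the list of forgery signs found; an empty list means none."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("insecure-scheme")       # no TLS at all
    host = parts.hostname or ""
    if not host:
        findings.append("no-hostname")
        return findings
    if parts.username is not None:
        findings.append("userinfo-in-url")       # 'official.com@evil.example' trick
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")        # look-alike Unicode domain
    if not registered_domain_matches(host, official_domain):
        findings.append("domain-mismatch")
    return findings


def certificate_expired(not_after: datetime, now: Optional[datetime] = None) -> bool:
    """An expired certificate is one of the listed forgery signs. `not_after`
    is the certificate's notAfter date, obtained separately (e.g. from the
    browser's certificate viewer)."""
    now = now or datetime.now(timezone.utc)
    return not_after <= now


def publisher_matches(package_name: str, official_package: str) -> bool:
    """App-store check: the package name must be exactly the official one,
    not a look-alike such as 'com.example.recruiter.free'."""
    return package_name == official_package


if __name__ == "__main__":
    official = "example-recruiter.com"   # constructed placeholder
    for candidate in (
        "https://www.example-recruiter.com/apply",
        "http://example-recruiter.com.evil.example/login",
        "https://example-recruiter.com@evil.example/",
    ):
        print(candidate, "->", check_url(candidate, official) or "no findings")
```

The embedded-suffix case ('example-recruiter.com.evil.example') is the one users most often miss: the familiar name is in the URL, but the registered domain is the attacker's.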

Malaysian Android users are attacked by banking Trojans under the guise of store apps

Malaysian Android users are being attacked by banking Trojans disguised as store applications. Dr.Web announced this on October 19, 2022.

Attackers spread the malware under the guise of mobile store applications. Unlike many others, these bankers not only carry store icons and names, but also imitate the full operation of such programs in order to look more believable and not raise unnecessary suspicion. These Trojans steal logins and passwords for remote banking systems and intercept SMS messages with one-time banking confirmation codes. In addition, they steal the victims' personal information, including date of birth, mobile phone number and individual identity card number.

This is the approach chosen by the creators of the Android.Banker.5097 and Android.Banker.5098 malware, which virus analysts discovered.

These banking Trojans are distributed under the guise of mobile store apps called Olivia Beauty, 44 Speed Mart, Eco Queen and Pinky Cat, each dedicated to a separate category of products: food, cosmetics, household products, children and animals.

Attackers are betting that users are becoming more and more accustomed to trends in the digital economy and the growing concept of "Service ― Application", that is, to the fact that many companies, online stores and sometimes even communities on social networks have their own mobile program. Due to lower awareness of the potential danger and underestimation of the risks, mobile device owners tend to download such applications even from unknown sites. And since the main function of an online store is to make it possible to buy goods and services, potential victims are more likely to disclose bank card data and other confidential information to such a program. This is what the virus writers exploit.

Android.Banker.5097 and Android.Banker.5098 are aimed at Malaysian users. They are distributed through malicious sites using standard social engineering methods. Potential victims who visit them are invited to download the application of a particular store from the Google Play or AppGallery catalog. In fact, the APK files are downloaded directly from the sites themselves, and the well-known catalogs are named only to mislead users. To install the downloaded Trojans, users must enable the appropriate setting on their mobile device.

At first glance, these Trojans really look like real store apps. They provide a list of items that the user can explore, add to the cart and try to buy. However, this is just a trick, and there is actually no real functionality in them. At the same time, for greater attractiveness, the programs offer to purchase goods with a discount of 49% to 95%.

Password-free authorization feature appeared on Chrome and Android platforms

Google has announced the introduction of Passkeys technology, the latest generation authentication standard, in Android and Chrome. This became known on October 13, 2022. Read more here.

RatMilad spyware for Android collects full user information

Information security researchers at Zimperium Labs have discovered spyware for Android called RatMilad, which was created by attackers in the Middle East and is used to spy on users and steal their data. This became known on October 5, 2022. The stolen data can be used to access private corporate systems, blackmail the victim and for other malicious purposes.

Spyware is distributed through a fake NumRent virtual number generator. After installation, the application asks for questionable permissions, and then uses them to download the RatMilad malicious payload.

The NumRent app that loads RatMilad

The fake app's main distribution channel is Telegram, as NumRent or other droppers downloading RatMilad are not available on the Google Play store or third-party stores.

RatMilad operators have also created a dedicated website to promote the mobile RAT Trojan to make the app look more convincing. This website is advertised on Telegram and other social networks.

After installing on the victim's device, RatMilad steals the following data:

  • Basic information about the device (model, brand, buildID, Android version);
  • MAC address of the device;
  • Contact list;
  • SMS;
  • Call logs;
  • Account names and permissions;
  • List of installed applications and permissions;
  • Clipboard data;
  • GPS location data;
  • SIM card information (number, country, IMEI, region);
  • List of files and their contents.

RatMilad can perform file actions such as:

  • Deleting and stealing files;
  • Changing application permissions;
  • Using the device's microphone to record audio.

RatMilad spyware is designed to work silently in the background without arousing suspicion. According to experts, RatMilad operators received the source code from the AppMila Telegram channel. Zimperium researchers conclude that RatMilad operators attack random targets and do not conduct targeted campaigns[2].

BugDrop dropper infects Android devices with dangerous Xenomorph Trojan

Researchers at ThreatFabric have discovered a previously unknown dropper Trojan for Android, which is under development as of August 2022. The malware tries to penetrate Android devices using technology that has not previously been encountered by specialists, and then infect the victim with a dangerous Xenomorph Trojan. This became known on August 19, 2022.

Illustration: threatfabric.com

Experts named the dropper BugDrop and noted that it was designed specifically to bypass the security features implemented in Android 13. The malware can even bypass the restrictions Android places on Accessibility Services to protect against malware.

ThreatFabric associates the dropper with the infamous Hadoken Security group, which developed and distributed the Xenomorph and Gymdrop malware.

BugDrop, like much other malware, used the Accessibility API to intercept content on the display and perform actions on behalf of the user. Google took notice and took radical measures: it completely blocked access to the Accessibility API for applications not installed from Google Play.

However, the BugDrop developers were not going to give up so easily, so they released a more sophisticated version of the dropper, disguised as a QR code reader. This version deploys the malicious payload through the session-based installation process.

Experts suggest that the attackers are using ready-made malware that can install APKs on the victim's device on its own. This approach could make Android banking Trojans even more dangerous, the researchers warn[3].

FluBot Trojan destroyed

Europol announced the takedown of one of the fastest-spreading malware strains, the Android Trojan FluBot. This became known on June 1, 2022. Read more here.

Google fixed a critical vulnerability in the Android kernel

On May 12, 2022, it became known that Google had fixed a critical vulnerability in the Android kernel that was being actively exploited by cybercriminals. The fix was included in a cumulative patch released on May 5, 2022. Another Android patch had been released just four days earlier.

Illustration: safe.cnews.ru

The CVE-2021-22600 vulnerability is a bug in the Linux kernel, on which the Android OS is built, that allows a local user to elevate privileges. Accordingly, the vulnerability affected not only Android users but also systems based on Linux and its derivatives.

The problem was identified back in January 2022. At the same time, Google experts presented a fix and handed it over to Linux distribution providers. However, the integration of the patch into Android for some reason took several months.

This is all the more surprising given the energetic exploitation of the vulnerability by cybercriminals, about which the US Cybersecurity and Infrastructure Security Agency (CISA) issued a bulletin in April 2022. Google claims that the exploitation of the bug was "limited, narrowly focused."

"Most likely, the exploitation of the vulnerability in Android began after the disclosure of the information for Linux by Google. Only this can explain the Android developer's sluggish attention to the bug. In addition, the vulnerability can only be exploited locally, that is, by holding someone else's or your own smartphone in your hands; such bugs cannot be widely distributed," believes Mikhail Zaytsev, information security expert at SEQ.

Privilege escalation

The Bleeping Computer publication indicates that it is not known exactly how the vulnerability is exploited, but it is likely used to execute commands that require elevated rights in the system, which opens up opportunities for moving through the corporate networks in which compromised systems are located.

Recent versions of Android (10-12) have more stringent mechanisms for granting permissions to applications, which makes it harder for attackers to inject malware and gain access to system functions. Therefore, increased interest among cybercriminals in elevating privileges after the malware has been planted is quite likely. The vulnerability could also be used to root the device, Bleeping Computer notes.

Among the other vulnerabilities fixed by the May patches are bugs in the Android Framework that allow privilege elevation and data disclosure; three privilege escalation vulnerabilities, two DoS bugs and two data disclosure bugs in Android; three privilege elevation vulnerabilities and one data disclosure vulnerability in the Android kernel; three highly dangerous vulnerabilities in MediaTek components; and 15 highly dangerous and one critical vulnerability in Qualcomm components.

The updates apply only to Android versions starting from the 10th. Earlier versions are not updated.[4]

Android malware Octo allows you to remotely control your device

On April 11, 2022, it became known that ThreatFabric specialists had discovered another banking malware variant for Android devices, Octo, which is an evolution of ExoCompact, malware based on the Exo Trojan that disappeared from the cybercriminal scene in 2018.

Illustration: botfaqtor.ru

Unlike ExoCompact, the Octo malware is equipped with a remote access module that allows attackers to remotely control the victim's device and perform fraudulent actions.

Remote access is provided through a real-time screen streaming module (updated every two seconds) via Android MediaProjection, and remote actions are performed through the Accessibility Service.

Using a black screen, Octo hides its remote operations from the victim: the malware reduces the screen brightness to zero and turns off notifications using Do Not Disturb mode.

While the victim thinks the device is switched off, it actually performs various actions, including simulating touches and control gestures on the screen, typing text, modifying the clipboard, pasting data and scrolling pages up and down.

In addition to remote access, Octo is also equipped with a keylogger that monitors and records all of the victim's actions on an infected Android device, including entering PIN codes, opening sites, clicking on items, etc. In addition, the malware executes the following commands: blocking push notifications from certain applications, intercepting SMS messages, muting and temporarily blocking the device screen, launching certain applications, starting/stopping a remote access session, updating the list of C&C servers, opening certain URLs and sending SMS messages to specified phone numbers.

At the beginning of April 2022, Octo was being sold on hacker forums such as the Russian-language XSS by a cybercriminal under the pseudonyms Architect and goodluck.[5]
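Octo, like BugDrop in the section above, depends on an Accessibility Service for screen reading and input injection, and that section notes Google's restriction of the Accessibility API to Play-installed apps. A practical defensive check on a device you administer is therefore to list which packages currently hold accessibility access and where each was installed from. The following is an added example written for this article, not ThreatFabric's or Google's code: it parses constructed copies of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` (the device data shown is made up), and the allowlist of expected accessibility services is an assumption the operator supplies.

```python
"""Added example: audit which packages hold Accessibility Service access.

The enabled services live in the secure setting
`enabled_accessibility_services` as colon-separated "package/service"
entries; `pm list packages -i` reports each package's installer, with
"installer=null" for sideloaded packages. Both inputs below are constructed
samples, not output from a real device.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of the secure setting.
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.qrreader/.ScreenHelperService"
)

# Constructed sample of `pm list packages -i` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.qrreader  installer=null
package:com.example.bank  installer=com.android.vending
"""

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified service class) pairs. The setting
    reads 'null' when nothing is enabled; a class name starting with '.'
    is shorthand for the package's own namespace."""
    if not setting or setting.strip() == "null":
        return []
    pairs = []
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' for sideloaded apps)."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        match = _PM_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def audit_accessibility_services(setting: str, pm_output: str,
                                 allowlist: Set[str]) -> List[dict]:
    """Flag every enabled accessibility service whose package is not on the
    operator's allowlist, noting whether the package was sideloaded."""
    installers = parse_installers(pm_output)
    findings = []
    for package, service in parse_enabled_services(setting):
        if package in allowlist:
            continue
        installer = installers.get(package, "unknown")
        reasons = ["not-in-allowlist"]
        if installer in ("null", "unknown"):
            reasons.append("sideloaded")   # not installed by a store app
        findings.append({"package": package, "service": service,
                         "installer": installer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # The allowlist is an operator assumption: here only the screen reader.
    for finding in audit_accessibility_services(SAMPLE_SETTING, SAMPLE_PM_OUTPUT,
                                                {"com.android.talkback"}):
        print(finding)
```

On a fleet, the same parsing can be run over output collected by an MDM agent; the useful signal is the combination of an accessibility service and a package with no store installer, which is exactly the profile of the droppers described on this page.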

2021

Threat Growth Fivefold

On February 22, 2022, ESET global telemetry data for the period from September to December 2021 became known. In general, in 2021, the volume of all types of threats to Android increased fivefold compared to 2020. In 2021, malware against users of this OS was most active on Saturdays and Sundays. And on Tuesdays, ESET telemetry detected the fewest attacks. Read more here.

In the summer of 2021, the total number of malicious programs for Android increased by 32.6%

On November 11, 2021, it became known that Russia entered the top five countries with the most threats to Android users. For the period from May to August 2021, the number of detected Android threats increased by 32.6% compared to the beginning of the year. The increase in hacker activity was also recorded in India, Brazil, Mexico and Ukraine, follows from the report on web threats of the international developer of antivirus solutions ESET.

Illustration: Global distribution of detected Android threats, May-August 2021

ESET noted increased activity of banking malware and applications for Android: there have been 200% more such attacks since the beginning of 2021. For example, the number of downloads in Russia of the dangerous Trojan TrojanDropper.Agent, which penetrates the operating system, changes internal settings and steals personal data, increased by 18.4%.

Other categories in which cyber threats are growing are spyware (+71%) and Trojans for displaying unwanted advertising (+63%) on Android.

The only categories of threats whose share in the world decreased from May to August were cryptominers (-14.3%) and ransomware (-7.7%).

44% of mobile threats for Android are adware

On July 2, 2021, Avast reported that in 2021 adware continues to be the most serious threat to Android phones and tablets. The majority (44%) of mobile threats for this OS detected in the first five months of 2021 were adware. Fake applications came second (18%), downloaders third (6%), and banking Trojans and spyware shared fourth place, each accounting for 5% of attacks on Android users.

Image: Threats to Android
Threats to Android that Avast discovered and blocked between January 2020 and May 2021

According to the company, Avast researchers were twice as likely to find adware in Russia as in 2020: in January-May 2020 only 22% of detected mobile threats were adware. The share of Android users who encountered adware grew by 65%, from an average of 2.23% in the first five months of 2020 to 3.7% in 2021.

Adware intrusively displays ads. It often mimics legitimate apps to get itself downloaded. A recent example of widespread adware, the HiddenAds family, was last reported by Avast in October 2020. The researchers distinguish two rough types of adware. The "traditional" type is games, photo editors and other applications that, once installed, bombard the user with advertising spam inside the app and beyond. The second common type is fraudulent ad apps: such software runs a malicious payload in the background and shows ads in notifications, irrelevant ads, or uses other aggressive methods. Sometimes the apps also show ads with malicious content, so protection matters. An encrypted payload may be downloaded automatically along with the application and then click on ads without the user's knowledge or sign them up for paid services.

The second most common mobile threat is fake apps. They impersonate ordinary legitimate applications, for example a Covid-19 contact tracing app or an AdBlocker; these are the examples Avast researchers observed in the first months of 2021. Fake apps can spy on users, show them ads, or perform other malicious activity.

Downloaders are a type of Trojan that, once installed and given network access, connect to a remote server or site and download additional (usually malicious) programs to the infected device.

Banking Trojans, or "bankers", act covertly to win the trust of users who download the application and then steal their data. They disguise themselves as real apps to get at the victims' bank details (or two-factor authentication information), for example by asking them to enter their bank account credentials in a mimicked login screen or a generic login screen bearing the bank's logo.

Spyware is malicious applications that try to be as invisible as possible on the device. They can track and copy everything the victim enters, uploads, downloads and stores. Some such applications can activate the camera and microphone and, in the background, quietly watch users and listen to their conversations.

How to avoid mobile malware attacks:

  • Download applications only from the official store, Google Play, which has security measures to check applications before developers publish them, or directly from the application's official website for extra assurance.
  • Check the application's rating: adware tends to have many reviews, both positive and negative. The negative ones may mention poor functionality or excessive advertising; the positive ones, on the contrary, may be suspiciously enthusiastic.
  • Examine the permissions an application requests before installing it. If an application asks for access to data it clearly does not need, that is a warning sign.
  • Use a reliable antivirus on your smartphone to detect and block attack attempts in time.
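The permission check in the list above is the one a practitioner can automate. Below is an added example (not code from Avast, ESET or this article) that audits a decoded AndroidManifest.xml, flags the permissions and the accessibility service that bankers, spyware and downloaders rely on, and compares them against what the app claims to be. The manifest, the package name and the HIGH_RISK table are constructed for the demonstration; it assumes the manifest has already been decoded from the APK's binary XML (for example with apktool).

```python
"""Audit a decoded AndroidManifest.xml for permissions and services typical of
Android bankers, spyware and adware. Added example, not code from Avast, ESET
or the article. The manifest below is constructed (a supposed photo editor) and
HIGH_RISK is this example's own selection, not an official Android classification."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(elem, attr):
    """Read an android:... attribute from a decoded manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))

# Permissions that are legitimate for some apps but are the building blocks of
# the malware families discussed above: SMS access (one-time codes), overlays on
# top of other apps, silent installation of further APKs, mic/camera/location.
HIGH_RISK = {
    "android.permission.READ_SMS": "read SMS, including one-time codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS, e.g. to premium numbers",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays over other apps (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (downloader behaviour)",
    "android.permission.RECORD_AUDIO": "record the microphone",
    "android.permission.CAMERA": "use the camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CALL_LOG": "read the call history",
    "android.permission.READ_CONTACTS": "read the contact list",
}

def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> entries in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {android_attr(e, "name") for e in root.iter("uses-permission") if android_attr(e, "name")}

def accessibility_services(manifest_xml):
    """Services guarded by BIND_ACCESSIBILITY_SERVICE. Accessibility is not a
    <uses-permission>; it is declared on the <service>, and it lets the app read
    the screen and tap on the user's behalf, which is how bankers' keyloggers work."""
    root = ET.fromstring(manifest_xml)
    return [android_attr(s, "name") for s in root.iter("service")
            if android_attr(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"]

def audit(manifest_xml, expected_permissions):
    """Return {item: reason} for high-risk permissions the app's purpose does not
    justify, plus any accessibility service it declares."""
    findings = {}
    for perm in sorted(declared_permissions(manifest_xml)):
        if perm in HIGH_RISK and perm not in expected_permissions:
            findings[perm] = HIGH_RISK[perm]
    for svc in accessibility_services(manifest_xml):
        findings["service:" + svc] = "declares an accessibility service"
    return findings

# Constructed manifest of a supposed photo editor (hypothetical package name).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photofilters">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Photo Filters">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# What a photo editor plausibly needs; everything else in HIGH_RISK is suspect.
PHOTO_EDITOR_EXPECTED = {"android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"}

if __name__ == "__main__":
    for item, reason in audit(SAMPLE_MANIFEST, PHOTO_EDITOR_EXPECTED).items():
        print(f"{item}: {reason}")
```

SYSTEM_ALERT_WINDOW and accessibility access are "special" settings toggled in Settings rather than granted through the runtime permission dialog, and an accessibility service appears only as a `<service>` entry, so the install-time prompt alone will not reveal them; that is why the check reads the manifest rather than relying on the dialog.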

Human rights activists filed a complaint against Google for illegal surveillance of users

The non-profit organization NOYB (none of your business), founded by human rights activist Max Schrems, filed a complaint against Google for using the Android Advertising ID (AAID), a unique identifier, to track users. This became known on April 7, 2021.

In November 2020, the same organization filed a complaint against Apple for illegal surveillance of users. According to human rights activists, the unique IDFA (The Identifier for Advertisers) number that Apple assigns to each device allows the tech giant and all applications on the phone to track the user and collect information about his actions on the Internet and on mobile devices. As with cookies, in accordance with EU law, this requires the consent of users, but Apple implements these tracking codes without the knowledge of device owners.

As of April 2021, the group is taking similar action against Google by filing a complaint with the French data protection authority. As the document states, AAID "is simply a tracking ID in a mobile phone instead of a tracking ID in a browser cookie," and therefore both storing the AAID and accessing it are illegal without the user's prior consent.

The complaint also notes the use of AAID in a variety of features, including identifying a specific device or application, personalizing ads, and matching customers with IDFA and AAID.

Human rights activists ask the French authorities to investigate this issue, fine the tech giant, and also demand that Google bring its data processing in line with the legislation[6].

2020

Vulnerability in Linux kernel endangers web servers and Android devices

A vulnerability in the Linux kernel endangers web servers and Android devices. This became known on December 26, 2020. Read more here.

Google sued for consuming mobile traffic on Android devices without permission

Google has been sued for consuming mobile traffic on Android devices without permission. This became known on November 16, 2020.

According to the lawsuit, Android devices send around 260 MB of data per month to Google over mobile networks for no apparent reason.

The lawsuit "Taylor et al. v. Google" was filed in federal district court in the city of San Jose (California, USA) on behalf of four citizens living in Illinois, Wisconsin and Iowa. The plaintiffs hope that the lawsuit will receive collective status.

According to the statement of claim, Google transmits to its servers, over the mobile network and at the cost of the user's data allowance, information that is not related to the user's use of Google services. The plaintiffs object not only to this data being sent over cellular when Wi-Fi is unavailable, but to the transfer itself: according to them, the company collects information that is not directly related to the users' interaction with their devices.

File:Aquote1.png
Google designed and implemented its Android operating system and applications to extract and transmit large amounts of information between Plaintiffs' cellular devices and Google using Plaintiffs' cellular data allowances. Google's misappropriation of Plaintiffs' cellular data allowances through passive transfers occurs in the background, does not result from Plaintiffs' direct engagement with Google's applications and properties on their devices, and occurs without Plaintiffs' consent, the statement of claim says.
File:Aquote2.png

To participate in the Google ecosystem, Android users must accept four agreements: the Terms of Service, the Privacy Policy, the Managed Google Play Agreement and the Google Play Terms of Service. According to the complaint, none of them discloses that Google spends users' mobile data on these background transfers.

To confirm the allegations, a lawyer for the plaintiffs tested an Android-powered Samsung Galaxy S7 with a registered Google account and default settings and found that in standby mode, without a Wi-Fi connection, the phone sent and received 8.88 MB of data per day, and 94% of those communications occurred between Google and the device.

With applications closed, the phone transmitted data to Google servers about 16 times an hour or 389 times in 24 hours. Even if half of that data is outbound, Google gets about 4.4 MB per day or 130 MB per month. Based on the average price of $8 per 1 GB of data in the United States, these 130 MB cost the user about $1 per month (if the device is disconnected from Wi-Fi all the time, and passive data transfer is carried out only over cellular communications).

According to the statement of claim, an iPhone with Safari open in the background transmits about ten times less data to Apple.

Most of the data transferred is log files that record network availability, open applications, and operating system metrics. Google could delay the transfer of this information until a Wi-Fi connection is available, but instead it uses cellular data, thereby ensuring that it can collect data at any time[7].

Fix a vulnerability that allows you to replace an application on a user's device without administrator rights

Employees of Stingray Technologies, a resident of the Skolkovo Foundation's Information Technology Cluster, discovered a critical vulnerability in the Android operating system that allowed any application on a user's device to be replaced without administrator rights or special permissions. The Skolkovo Foundation announced this on October 30, 2020.

Attackers exploiting this vulnerability could replace absolutely any application with a malicious one, steal user account data and gain access to any service on the smartphone: banking applications, social networks, electronic wallets, etc. Two-factor authentication did not protect against the use of this vulnerability.

Stingray Technologies experts discovered this vulnerability as a result of research on potential vectors of attacks on Android applications, which they are engaged in as part of the development of the Stingray dynamic analysis system. Information about the vulnerability was immediately transferred to the Android platform developer.

On October 29, Google released an update fixing this vulnerability, the only critical one for Android 11 in that update, and included the Skolkovo company's experts Yury Shabalin and Yevgeny Blashko in its list of acknowledgements.

File:Aquote1.png
There are about 3.5 billion smartphones in the world, more than 74% of them run on Android. I am proud that the research we do as part of the development of our system benefits not only our customers, but all users of this mobile operating system.
File:Aquote2.png

File:Aquote1.png
We are very glad that Skolkovo participating companies have experts who have a positive impact on software security on a global scale. In our opinion, Stingray is a promising project that will significantly affect the security of all applications in the iOS and Android ecosystems, and perhaps in the near future it will become an indispensable tool for all mobile software developers.
File:Aquote2.png

Google suspected of tracking Android users

Mark Brnovich, Attorney General of Arizona, USA, filed a lawsuit against Google in May 2020, accusing it of illegally collecting geolocation data from users of Android devices[8][9].

File:Aquote1.png
"Google gives the impression that users can turn off tracking. But the company has other ways of invading privacy. It is almost impossible to stop Google from tracking the user's location, which is contrary to Arizona law, and even the most innovative companies must comply with the law," Brnovich said.
File:Aquote2.png

Geolocation data is used to determine the weather and clarify the results of search queries, but even if this information is disabled in the Google Chrome settings, geodata are still transmitted to the company's servers.

Brnovich is asking the court to make Google surrender the profits it made from ads based on the location of Arizona residents. The court may also find the company's actions fraudulent, for which Arizona is entitled to a fine of $10 thousand.

State authorities launched an investigation after an Associated Press story reported that Google secretly collects users' location information; the company uses web and app activity to sell ads. The investigation found that Google uses deceptive and unfair methods to gather as much information as possible, and that it is very difficult for users to manage their data.

Samsung devices fail after Android update

In mid-April 2020, it became known about problems with the Android update in Samsung smartphones. Installing a new firmware disables devices, and forever. Read more here.

Start blocking the installation of non-Google Play apps on Android devices

On March 19, 2020, it became known that Google began blocking the installation of applications on mobile Android devices if they were not downloaded from the Google Play store. This means that users will no longer be able to download an APK file with a distribution kit of a particular utility from third-party resources and install it themselves, bypassing Google services.

According to the 9to5Google portal, the changes will affect all Android device owners in the foreseeable future. They are implemented through the Advanced Protection Program (APP), an Android feature whose rollout had already begun as of March 2020.

Google justified integrating APP into Android with concern for user security. According to its representatives, the protection tools built into Android cannot check applications downloaded outside Google Play, which increases the risk of malware infection and personal data theft.

For the first time, the possible appearance of an additional "defender" in Android became known in December 2019, when a mention of it was found in the code of the Google Play application. 9to5Google experts then suggested that there would be no forced blocking of the installation of programs not from Google Play.

Blocking the installation of applications obtained anywhere other than Google Play is one of two goals Google pursues with the Advanced Protection Program. The second is to force-enable Play Protect, Android's standard tool for checking programs installed from Google Play.

Play Protect is a kind of antivirus that blocks the installation of potentially dangerous software. For March 2020, it can be disabled in the system settings, but the introduction of the Advanced Protection Program will exclude this possibility - the "defender" will always work.

This change by Google will make Android look more like iOS - Apple's rival mobile platform. Installation of applications from third-party sources in it is prohibited from the very first days of the App Store - Apple's proprietary marketplace, launched in the summer of 2008, according to CNews.

Bypassing these restrictions is possible only by jailbreaking - hacking iOS to gain access to the file system of Apple mobile devices. You can jailbreak even on gadgets with iOS 13.3 - a stable version of Apple's mobile OS.

After the hack, it becomes possible to install applications on iPhone and iPad from third-party stores, including the most famous one - Cydia. At the end of 2018, it was planned for closure, but as of March 2020, it is still functioning.

The Advanced Protection Program is tied to the Google account, so its appearance on a smartphone or tablet cannot be avoided by refusing updates to the OS or its individual components. However, according to CNews, there is one effective way to bypass the block on installing APK files.

APK files downloaded from the Internet can be installed on the device, bypassing the Android defender, from a desktop PC or laptop using the ADB (Android Debug Bridge) utility. Google itself confirms that this method works and is aware of it; the loophole may be closed in the future.

APP also does not apply to apps downloaded from branded stores of large manufacturers. Such marketplaces are promoted, including by Samsung (Galaxy Store) and Huawei (Huawei Mobile Services), and Google will not interfere with the installation of software from this kind of directories.

Google will also not interfere with applications installed through APK before the implementation of the Advanced Protection Program. They will continue to function and in some cases will even be able to receive updates, noted in CNews.[10]

Android remote code execution vulnerability fixed

On January 9, 2020, Google announced the release of the scheduled security updates for Android, with fixes for a number of vulnerabilities in various components, including seven high-severity and one critical.

The critical vulnerability (CVE-2020-0002) is in the Android Media framework, which provides playback of various types of multimedia files. The problem affects Android 8.0, 8.1 and 9. Exploiting it allows a remote attacker to execute arbitrary code in the context of a privileged process by means of a specially crafted file.


Privilege escalation vulnerabilities (CVE-2020-0001 and CVE-2020-0003) and a denial-of-service (CVE-2020-0004) issue in the Android framework have also been fixed. Their exploitation "allowed a local malicious application to bypass user interaction requirements and gain access to additional permissions."

In addition, three high-severity vulnerabilities (CVE-2020-0006, CVE-2020-0007, CVE-2020-0008) that could lead to remote information disclosure without additional privileges were fixed in Android.

Among other things, twenty-nine vulnerabilities in Qualcomm components used in Android devices were fixed. One critical vulnerability (CVE-2019-17666) was in the Realtek rtlwifi driver and allowed remote code execution. The rtlwifi driver is the software component that lets certain Realtek Wi-Fi modules used in Linux devices communicate with the Linux kernel.[11]

2019

414 vulnerabilities found in Android OS

In total, 414 vulnerabilities were discovered in the Android OS in 2019. This became known on March 10, 2020.

The Android operating system turned out to be the most vulnerable platform in 2019. This conclusion was reached by the specialists of TheBestVPN portal during the analysis of vulnerability statistics in various operating systems and software products at the end of 2019.

Whereas in 1999 only 894 vulnerabilities were recorded, 20 years later the figure had grown almost 14 times, to 12,174. The largest number of vulnerabilities was discovered in 2018: 16,556, of which 1,197 were in the free OS Debian GNU/Linux.


In 2019, the leader of this rating was Android OS with 414 vulnerabilities discovered over the year. Debian Linux (360 vulnerabilities) is in second place, and Windows Server 2016 and Windows 10 (357) are in third place.

Despite this, fewer problems are found in Android every year: 525 vulnerabilities were discovered in 2018 and 843 in 2017. Over the entire existence of Android, 2,563 vulnerabilities have been found in it.

In total, 12,174 vulnerabilities were found in software across 2019. 25.3% of all problems allowed attackers to execute arbitrary code on devices, 17.7% were cross-site scripting vulnerabilities, and 13.9% were buffer overflows.

Over the past 20 years, companies have become more reliant on digital data and cloud computing, increasing their exposure to cyber attacks. In 2019, 668 vulnerabilities were recorded in Microsoft products. Since 1999 the figure is 6,814, making Microsoft the most vulnerable vendor over 20 years. It is followed by Oracle (6,115) and IBM (4,679).[12]

New Android Trojan attacks Russian banks

At the end of November 2019, it became known about a new Trojan attacking Russian banks. According to Group-IB experts, this Trojan is able to transfer funds automatically through mobile banking applications for the Android operating system.

Previously, many Android Trojans displayed fake windows through which payments for goods or services were made. The same Trojans also passed to attackers the confirmation codes that banks send to customers to approve an operation.


With the new Trojan, the smartphone owner does not even need to pay for anything through a mobile application for money to be stolen.

The malicious code penetrates banking apps on the infected device, takes control of the mobile application and automatically transfers the victim's funds to an account specified by the attacker. Experts call this mechanism "auto-transfer".

Fraudsters disguise viruses as applications (games, browsers) or files, then distribute them as a link on adult sites, sites with hacked applications and pirated films, torrent trackers, email and SMS. The smartphone becomes infected when the user downloads the file or application offered to him.

According to RBC, at least two of Russia's largest banks, Post Bank and Credit Bank of Moscow (MKB), have encountered this Trojan.

Kaspersky Lab confirmed the emergence of the new type of Trojan. However, cases in which it took control of a banking application and forced it to make a payment are isolated, says Viktor Chebyshev, an antivirus expert at Kaspersky Lab.

According to Group-IB's calculations, from July 2018 to June 2019 hackers stole about 110 million rubles using Android Trojans, 43% less than a year earlier. There are around 40 successful attacks every day, with an average loss of 11 thousand rubles each.[13]

Vulnerability that allows you to control the Camera application

On November 19, 2019, it became known that Erez Yalon, head of security research at Checkmarx, had discovered a number of vulnerabilities in Google and Samsung mobile devices, grouped under a single identifier, CVE-2019-2234.

In a study of the security of cameras in Google Pixel 2 XL and Pixel 3 devices, a team of Checkmarx specialists discovered vulnerabilities in Google's Camera app that allowed them to control some functions without obtaining appropriate permission.

In general, the CVE-2019-2234 allows any application to control the Camera application without appropriate permission, including taking photos and videos, even if the device is locked, the screen is off, and the user is talking on the phone. According to experts, in addition to Google, the problem affects other manufacturers of Android devices, including Samsung.

Google restricts app access to sensitive features such as camera, microphone and geolocation services. To access them, you must first obtain the appropriate permission. However, the vulnerability discovered by the researchers allows you to bypass these restrictions.

The Camera app in Android normally saves photos to the SD card (external storage), so other apps request storage access to read them.

File:Aquote1.png
Unfortunately, this permission has a wide scope and grants access to the SD card as a whole. There are a number of legitimate applications that request storage access even though they do not need images or videos to work. In fact, this is one of the most requested permissions, the researchers said.
File:Aquote2.png

It was this permission that the experts decided to use as the attack vector. As it turned out, a malicious application granted SD card access would not only gain access to existing photos and videos but, due to the vulnerability, could also force the Camera app to take new photos and videos.

File:Aquote1.png
We could easily record the voice of both the user during the conversation and the voice of the caller. This is unwanted activity, since the Google Camera app should not be fully controlled by an external app, the researchers noted.
File:Aquote2.png

The researchers notified Google of the problem in July 2019. At first the company rated the vulnerability as medium risk, but later recognized it as high severity, registered a CVE and released a fix[14].

NFC vulnerability in Android versions 7, 8 and 9

On October 25, 2019, it became known that a team of researchers from Checkmarx Security Research discovered a vulnerability affecting OS Android versions 7, 8 and 9. The vulnerability is contained in the pre-installed Tags application, designed to read Near Field Communication (NFC) tags, analyze and send results to relevant applications.

The vulnerability (CVE-2019-9295) allows any unprivileged application to trick the Tags app into believing an NFC tag has been scanned, which attackers can exploit. User interaction is required to exploit the vulnerability.

Experts described several attack scenarios. The first involves a pop-up window, generated by a malicious application, that prompts the user to scan an NFC tag. The user will need to interact with the window to select the appropriate application. When the user tries to read the NFC tag, the malicious application reads it, changes the content and then invokes the default Android tag viewer, with the user suspecting nothing.

In the second scenario, the user scans a real tag, and the malware intercepts and changes the tag's content before it is processed by the corresponding system application. For example, when the user scans a business card tag containing a phone number, an unprivileged application can change that number without arousing the victim's suspicion.

Both scenarios rely on the user acting on the spoofed content: following a link that redirects to an attacker-controlled page, or using an incorrect phone number or other data that can be embedded in NFC tags.

Google has fixed this problem in Android 10, but previous versions of the OS are still vulnerable. Users are urged to update to the latest version of the OS[15].
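To make the second scenario concrete, here is an added example (not Checkmarx or Android code) that encodes and parses NDEF URI records as laid out in the NFC Forum RTD-URI specification and shows how an app that sits between the tag read and the Tags handler can rewrite a business-card tel: record with no visible change to the user. The phone numbers and the rewrite function are constructed for the demonstration.

```python
"""Encode and decode NFC Forum NDEF URI records (record type "U") and show the
tampering the second Tags scenario describes: a "tel:" business-card record
rewritten before the handling app sees it. Added example, not Checkmarx or
Android code; the phone numbers are constructed for the demonstration."""

# NDEF record header flag bits and the RTD-URI payload prefix table.
MB, ME, SR, IL = 0x80, 0x40, 0x10, 0x08
TNF_WELL_KNOWN = 0x01
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}

def encode_uri_record(uri):
    """Build a single short-record NDEF message carrying one URI record."""
    code, rest = 0x00, uri
    # Longest prefix wins, so "https://www." is abbreviated as 0x02, not 0x04.
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            code, rest = c, uri[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    header = MB | ME | SR | TNF_WELL_KNOWN   # 0xD1: first and last record, 1-byte length
    return bytes([header, 1, len(payload)]) + b"U" + payload   # type length 1, type "U"

def decode_uri_record(record):
    """Parse one NDEF record and return the full URI, or raise ValueError."""
    if len(record) < 3:
        raise ValueError("truncated record")
    flags = record[0]
    type_len = record[1]
    pos = 2
    if flags & SR:
        payload_len, pos = record[pos], pos + 1
    else:
        payload_len, pos = int.from_bytes(record[pos:pos + 4], "big"), pos + 4
    id_len = 0
    if flags & IL:
        id_len, pos = record[pos], pos + 1
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len                  # skip the optional ID field
    payload = record[pos:pos + payload_len]
    if (flags & 0x07) != TNF_WELL_KNOWN or rtype != b"U" or len(payload) != payload_len or not payload:
        raise ValueError("not a well-formed URI record")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("URI prefix code not in this example's table")
    return prefix + payload[1:].decode("utf-8")

def rewrite_tel(record, new_number):
    """What an app sitting between the tag read and the Tags handler can do:
    leave a non-tel record untouched, but silently swap the number in a tel: record."""
    uri = decode_uri_record(record)
    if not uri.startswith("tel:"):
        return record
    return encode_uri_record("tel:" + new_number)

if __name__ == "__main__":
    card = encode_uri_record("tel:+15551234567")      # constructed "business card" tag
    print(card.hex(), "->", decode_uri_record(card))
    forged = rewrite_tel(card, "+15550009999")
    print(forged.hex(), "->", decode_uri_record(forged))
```

Nothing in the record format lets the handler tell the forged record from the real one; the card and the forged message above have identical structure and differ only in payload bytes. That is why the fix in Android 10 has to be on the delivery path: the Tags app must accept NDEF data only from the NFC service's tag dispatch, not from an intent any installed app can send. Only the first seven URI prefix codes are included here; the specification defines more.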

Vulnerability in Android allows you to "capture devices" Huawei, Xiaomi, Samsung and Oppo

On October 8, 2019, it became known that Google's Threat Analysis Group had announced the discovery of a zero-day vulnerability in the Android operating system. The vulnerability, CVE-2019-2215, threatens Google Pixel smartphones as well as Android devices made by Huawei, Xiaomi, Samsung, Oppo and Motorola.

The problem is caused by a use-after-free bug in the driver of the Binder interprocess communication framework. It allows attackers to escalate their privileges on the local system to kernel level; ultimately the bug lets an attacker "root" the device (obtain superuser rights). CVE-2019-2215 can be exploited in two ways: through a specially prepared malicious application, or in online attacks, in which case the attackers must chain an exploit for this vulnerability with an exploit for a vulnerability in the Chrome browser.


According to Threat Analysis Group expert Maddie Stone, the vulnerability affects "most Android devices released before the fall of 2018," and the same exploit will work on all devices with minimal or no "adaptation" for different models.

Stone also noted that she has "technical information" that the vulnerability was exploited by NSO Group or one of its clients. NSO is an Israeli firm that searches for vulnerabilities in mobile operating systems and creates and sells exploits to them. NSO, however, claims that it has nothing to do with exploiting this vulnerability.

CNews noted that the same "bug" was discovered and fixed in December 2017 in the 4.14 LTS Linux kernel (without assigning a CVE index) and in the Android kernel versions 3.18, 4.4 and 4.9. However, then the vulnerability somehow reappeared in Android.

File:Aquote1.png
"Interestingly, despite the obvious threat posed by this vulnerability, it was given High Severity status rather than Critical, although we are talking about the possibility of remotely seizing control of the device without much effort. Also noteworthy is the fact that an already fixed vulnerability has reappeared," noted Anastasia Melnikova, information security expert at SEQ (formerly SEC Consult Services).
File:Aquote2.png

As of October 2019, the vulnerability has been confirmed on the following devices: Google Pixel 1, Pixel 1 XL, Pixel 2 and Pixel 2 XL running Android 9 and the Android 10 Preview; Samsung S7, S8 and S9; Huawei P20; Xiaomi A1, Redmi 5A and Redmi Note 5; Oppo A3; Moto Z3; LG smartphones running Oreo are also vulnerable.

Due to the fact that the vulnerability is actively exploited, Google experts published information about the "bug" just a week after the discovery.

Google Pixel devices will receive patches in the October cumulative update for Android. When the same thing happens to other devices depends on their manufacturers.[16]

Bank botnet Geost infected 800 thousand. Android devices in the Russian Federation

On October 3, 2019, researchers from the Czech Technical University, the National University of Cuyo (Argentina) and Avast reported the discovery of a banking botnet called Geost. Its victims were at least 800 thousand Android device owners in Russia; in particular, the attackers gained access to their bank accounts, which held several million euros in total. Read more here.

Multiple vulnerabilities in VoIP components

On October 2, 2019, it became known that a team of specialists from OPPO ZIWU Cyber Security Lab, the Chinese University of Hong Kong and Singapore Management University had discovered multiple vulnerabilities in the VoIP components of the Android operating system. The problems were identified in a study of a previously neglected area: until recently only VoIP equipment and servers had been tested, not the VoIP components of Android mobile applications.


Within a few years, a team of specialists developed three methods for analyzing Android VoIP backends and with their help searched for vulnerabilities that could be exploited in cyber attacks. Most often, the researchers used fuzzing, a software testing technique that involves sending incorrect, unexpected or random input data to the application.

During testing, the researchers analyzed only the latest versions of Android, ranging from Android 7.0 (Nougat) to Android 9.0 (Pie). In total, they discovered nine vulnerabilities that were immediately notified to Google (some vulnerabilities were then fixed). Eight problems directly affected the VoIP backend of Android, and the ninth concerned a third-party application.

The vulnerabilities allow unauthorized VoIP calls, spoofing of the caller ID, rejection of incoming calls, and even execution of malicious code on the user's device.[17]
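To illustrate the fuzzing approach the researchers relied on, here is an added example (not the researchers' tooling or Android code) that mutates a seed SIP INVITE and runs it through two parsers: a naive one whose unchecked splits and lookups fail on malformed input, and a hardened one that rejects every malformed message with a single controlled exception. The seed message, both parsers and the mutation operators are constructed for the demonstration; the naive parser's bugs are planted on purpose.

```python
"""Mutation fuzzing of a small SIP request parser, the technique the researchers
used against Android's VoIP components. Added example, not the researchers' tool
or Android code. Both parsers, the seed INVITE and the mutations are constructed
for this demonstration; the naive parser's bugs are planted deliberately."""
import random

SEED_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.1\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

class SipParseError(ValueError):
    """Controlled rejection of malformed input; anything else is a crash."""

def parse_sip_naive(msg):
    """Typical happy-path parser: every unchecked split/index fails on fuzz input."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ")       # ValueError if not exactly 3 tokens
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)             # ValueError on a line with no colon
        headers[name.strip().lower()] = value.strip()
    num, cseq_method = headers["cseq"].split()       # KeyError / ValueError
    return {"method": method, "uri": uri, "version": version,
            "cseq": int(num), "headers": headers, "body": body}

def parse_sip_hardened(msg):
    """Same grammar; every malformed input is rejected with SipParseError."""
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise SipParseError("missing CRLFCRLF header terminator")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith("SIP/"):
        raise SipParseError("bad request line")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError("bad header line")
        headers[name.strip().lower()] = value.strip()
    for required in ("via", "from", "to", "call-id", "cseq"):
        if required not in headers:
            raise SipParseError("missing header " + required)
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        raise SipParseError("bad CSeq")
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) != len(body.encode("utf-8")):
        raise SipParseError("Content-Length does not match body")
    return {"method": method, "uri": uri, "version": version,
            "cseq": int(cseq[0]), "headers": headers, "body": body}

def mutate(msg, rng):
    """One random structural or character-level mutation of a message."""
    lines = msg.split("\r\n")
    op = rng.randrange(6)
    if op == 0:                                       # drop a line
        del lines[rng.randrange(1, len(lines))]
    elif op == 1:                                     # duplicate a line
        i = rng.randrange(len(lines))
        lines.insert(i, lines[i])
    elif op == 2:                                     # delete one character
        i = rng.randrange(len(msg))
        return msg[:i] + msg[i + 1:]
    elif op == 3:                                     # insert one printable ASCII character
        i = rng.randrange(len(msg) + 1)
        return msg[:i] + chr(rng.randrange(32, 127)) + msg[i:]
    elif op == 4:                                     # oversized header value
        i = rng.randrange(1, len(lines))
        lines[i] += "A" * rng.randrange(1, 4096)
    else:                                             # break the name/value separator
        i = rng.randrange(1, len(lines))
        lines[i] = lines[i].replace(":", " ", 1)
    return "\r\n".join(lines)

def fuzz(parser, seed, iterations=2000, rng_seed=1):
    """Run the parser on mutated seeds; return (exception name, input) for every
    crash, i.e. any exception other than the parser's own SipParseError."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except SipParseError:
            continue                                  # correct rejection
        except Exception as exc:                      # uncontrolled failure: the bug we want
            crashes.append((type(exc).__name__, case))
    return crashes

if __name__ == "__main__":
    for name, parser in (("naive", parse_sip_naive), ("hardened", parse_sip_hardened)):
        found = fuzz(parser, SEED_INVITE)
        kinds = sorted({kind for kind, _ in found})
        print(f"{name}: {len(found)} crashes in 2000 cases, exception types {kinds}")
```

The fuzzer counts only uncontrolled exceptions as crashes; in a native SIP stack the same unchecked parses become out-of-bounds reads and writes, which is the bug class behind the code execution result mentioned above. Raising the iteration count and adding a coverage signal to steer the mutations is what turns this sketch into a real harness.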

Vulnerabilities that allow you to hack Android wirelessly

On August 6, 2019, it became known that security researchers from the Tencent Blade team had discovered two dangerous vulnerabilities in the WLAN firmware of Qualcomm Snapdragon chips, the exploitation of which could allow an attacker to compromise the modem and the Android kernel over a wireless network. Read more here.

Fix 33 vulnerabilities

On July 2, 2019, it became known that as part of the planned July security updates for Android, Google fixed 33 vulnerabilities. Patch levels 2019-07-01 and 2019-07-05 fix vulnerabilities in the Android system, framework, library, media framework and Qualcomm components, including closed-source ones.

File:Aquote1.png
The bulletin has two security patch levels, which gives Android partners greater flexibility to quickly fix groups of vulnerabilities that are the same across all Android devices, the security bulletin says.
File:Aquote2.png

Four fixed vulnerabilities are critical and allow code to be executed remotely. The most dangerous vulnerability has been fixed in the media framework. With its help, an attacker can remotely execute arbitrary code in the context of a privileged process using a specially configured file.

The critical vulnerabilities CVE-2019-2106 and CVE-2019-2107 affect all OS versions starting with Android 7.0. CVE-2019-2109 affects all versions starting with Android 7.0, with the exception of Android 9. CVE-2019-2111 affects only devices running Android 9.

The remaining issues are either related to privilege elevation and information disclosure or have not been classified. No evidence of their exploitation in real attacks was found. Android partners were notified of the vulnerabilities at least a month before their public disclosure[18].

Scam scheme that quickly discharges millions of Android smartphones revealed

In March 2019, a giant fraud scheme was revealed in which hidden video ads were launched inside Android apps. Because of it, devices drained quickly and personal data was transferred.

The fraudsters used services that pay for ad views and arranged things so that users supposedly launched video ads that were not actually visible to the device owners. To implement the scam, the attackers used popular applications downloaded by millions of users.

Main article: Fraud in advertising

Positive Technologies discovers dangerous multi-year vulnerability in Android 7.0, 8.0, 9.0

On March 21, 2019, Positive Technologies announced that its expert, Sergei Toshin, had identified a critically dangerous vulnerability in current versions of the Google Android operating system (7.0, 8.0, 9.0) and its earlier editions. The error was found in the WebView component. It allows access to confidential data of Android users through an installed malicious application or an instant app (Android Instant Apps).

Google experts assess the level of danger of this vulnerability (CVE-2019-5765) as high.

"The WebView component is used in most Android mobile applications, so attacks on it are extremely dangerous. The most obvious attack scenario involves little-known third-party applications. An attacker can add malicious functionality to them to read information from the WebView of other applications, which will allow him to intercept browser history, authentication tokens and headers (a fairly common authentication method) and other data. Starting with Android 7.0, the WebView component is implemented through Google Chrome, so to fix the vulnerability it is enough to update this browser. On older versions of Android, the WebView component has to be updated through the Google Play update system. Users of hardware without Google services need to wait for WebView updates from the device vendor."

WebView is a component of the Android platform that allows web pages to be displayed inside an Android application. The problem was discovered in the Chromium engine, on which WebView has been built starting with Android 4.4. The vulnerability also threatens users of Chromium-based mobile browsers such as Google Chrome, Samsung Internet and Yandex.Browser.

Instant Apps technology allows an application to be used on the device without installation: only a small file is downloaded to the user's device after clicking a link in the browser. In an attack through instant apps, data interception is possible if the user clicks a link leading to a malicious instant app.

The vulnerability allowed a malicious PNG image to execute arbitrary code on the device

On February 7, 2019, it became known that three dangerous vulnerabilities had been fixed in Android, but it is not known when the patches will reach end users: not all Android device manufacturers release updates every month.

In this regard, Android users should be careful when opening graphic files downloaded from the Internet or received in a message. By opening a seemingly harmless picture, the user risks exposing his smartphone to hacking.

The cause of the threat is three recently discovered vulnerabilities affecting Android versions from 7.0 Nougat to 9.0 Pie. Google has not yet disclosed technical details, but the update notes mention a fix for buffer overflows, errors in SkPngCodec and a number of problems in components that render PNG images.

According to Google's security notice, the most dangerous of the three vulnerabilities allows a specially crafted malicious PNG image to execute arbitrary code on the device.

"The most dangerous is a critical vulnerability in the Framework, which allows a remote attacker to execute arbitrary code in the context of a privileged process using a specially crafted PNG file," the security notice says.

To exploit the vulnerability, it is enough for an attacker to get the victim to open a malicious PNG image, which cannot be distinguished from a harmless one by the naked eye. The image can be sent to the victim in a messenger or by email.

CVE-2019-1986, CVE-2019-1987 and CVE-2019-1988 were fixed in the Android Open Source Project (AOSP) with the release of the planned February security updates[19].
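The two ideas in this part of the article, fuzzing a parser with malformed input (the VoIP research above) and the danger of a PNG decoder that trusts the length fields in the file, can be shown together. The following is an added example, not code from the page, Google or Skia: a structural PNG chunk parser that checks every attacker-controlled length against the remaining buffer before slicing, plus a miniature mutation fuzzer that corrupts random bytes of a constructed valid image and counts anything other than a clean accept or reject as a crash. The sanity limits MAX_CHUNK_LEN and MAX_PIXELS are assumptions of the example, not values from the page; the parser does not decode pixels.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Example-only sanity limits (assumptions of this demo, not values from Android or the PNG spec):
MAX_CHUNK_LEN = 1 << 20   # refuse any single chunk over 1 MiB
MAX_PIXELS = 1 << 24      # refuse images over 16 Mpixel before any allocation happens


class PngError(ValueError):
    """The only exception the parser is allowed to raise on malformed input."""


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Constructed sample input: a minimal, valid 8-bit RGB PNG with black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(width * 3) for _ in range(height))  # filter byte + pixels
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def parse_png_chunks(data: bytes, check_crc: bool = True):
    """Walk the chunk list, validating every length against the buffer before slicing.

    A length field is attacker-controlled; using it before checking it against the
    remaining bytes is how a crafted image becomes an out-of-bounds read or write
    in a native decoder. Returns a list of (chunk_type, chunk_data) tuples.
    """
    if data[:8] != PNG_SIGNATURE:
        raise PngError("bad PNG signature")
    pos, chunks, ended = 8, [], False
    while pos < len(data):
        remaining = len(data) - pos
        if remaining < 12:                    # length(4) + type(4) + crc(4)
            raise PngError("truncated chunk header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if length > MAX_CHUNK_LEN:
            raise PngError(f"chunk length {length} exceeds limit")
        if length > remaining - 12:           # the check a vulnerable decoder forgets
            raise PngError("chunk length exceeds remaining data")
        ctype = data[pos + 4:pos + 8]
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            raise PngError("chunk type is not ASCII letters")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if check_crc and (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise PngError(f"CRC mismatch in chunk {ctype!r}")
        if not chunks and ctype != b"IHDR":
            raise PngError("first chunk must be IHDR")
        if ctype == b"IHDR":
            if length != 13 or chunks:
                raise PngError("malformed or duplicate IHDR")
            width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
            if not (0 < width < 2**31 and 0 < height < 2**31) or width * height > MAX_PIXELS:
                raise PngError("image dimensions out of range")  # in C, also guard the multiply
            if depth not in (1, 2, 4, 8, 16) or color not in (0, 2, 3, 4, 6):
                raise PngError("invalid bit depth or color type")
            if comp != 0 or filt != 0 or interlace not in (0, 1):
                raise PngError("invalid IHDR method fields")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            ended = True
            break
    if not ended or pos != len(data):
        raise PngError("missing IEND or trailing data after IEND")
    return chunks


def fuzz_parser(seed_image: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutation fuzzing in miniature: corrupt a few random bytes of a valid image and
    parse it. Anything other than a clean accept/reject counts as a crash, which is
    what a real fuzzer would flag for investigation."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashes": 0}
    for _ in range(iterations):
        buf = bytearray(seed_image)
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        try:
            parse_png_chunks(bytes(buf), check_crc=False)  # CRC off so mutations reach the bounds checks
            stats["accepted"] += 1
        except PngError:
            stats["rejected"] += 1
        except Exception:  # a real harness records these, never hides them
            stats["crashes"] += 1
    return stats


if __name__ == "__main__":
    sample = build_png(4, 3)
    print([t for t, _ in parse_png_chunks(sample)])
    print(fuzz_parser(sample, 500))
```

The CRC check is disabled during fuzzing on purpose: with it on, almost every mutation is rejected at the checksum and the bounds checks that matter are never exercised, which is why real fuzz harnesses for image decoders patch out or skip integrity checks.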

2018: Android sandbox flaw

On August 14, 2018, it became known that Check Point Software Technologies Ltd. researchers had discovered a flaw in the Android sandbox, the protected data storage area on Android devices. Its function is to prevent malicious applications from affecting other applications or harming the OS itself.

Some applications store data not in the Android sandbox but in external storage (either a partition on the device or an external SD card), which creates a potential danger to the user. Attackers can attack devices by silently installing unknown malicious applications, conduct denial-of-service attacks against legitimate applications and even cause them to crash, as well as carry out code injection attacks, with the injected code then running in the privileged context of the attacked application.

The vulnerability works as follows:

  1. External storage of an Android device is a public area that can be read or modified by a third-party (malicious) application.
  2. Android does not provide built-in protection for data stored in external storage. It offers only recommendations for developers on how to use this resource properly.
  3. Not all developers understand the importance of security measures and the potential risks, and they do not always follow the recommendations.
  4. Many pre-installed and popular apps ignore Android's recommendations and store sensitive data in unprotected external storage.
  5. This can lead to a "Man-in-the-Disk" attack, which can result in manipulation and/or abuse of unprotected sensitive data.
  6. Modifying the data may lead to unwanted results on the user's device.
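The chain above ends with another app silently rewriting a file the victim app later trusts. One defensive pattern is to keep the secret in app-private storage and refuse anything from the shared area that does not verify. The following is an added example, not code from the page or from Check Point: a hypothetical scheme that writes a file to a shared directory together with an HMAC-SHA256 sidecar keyed from app-private material, and on read rejects path-traversal names, symlinks, oversized files and any content whose tag no longer matches. Temporary directories stand in for Android external storage; APP_PRIVATE_KEY and the config file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# On a device this key would live in app-private (internal) storage; a constant stands in for it.
# The whole scheme is a hypothetical one for this example.
APP_PRIVATE_KEY = b"\x01" * 32


class IntegrityError(Exception):
    """Raised when a file from shared storage cannot be trusted."""


def safe_name(name: str) -> str:
    """Reject names that could escape the intended directory or reference dotfiles."""
    if not name or name in (".", "..") or name != os.path.basename(name) or name.startswith("."):
        raise IntegrityError(f"unsafe file name {name!r}")
    return name


def _tag(key: bytes, name: str, data: bytes) -> bytes:
    # Bind the tag to the file name so a validly tagged file cannot be swapped in under another name.
    return hmac.new(key, name.encode() + b"\x00" + data, hashlib.sha256).digest()


def store_on_shared(shared_dir: str, name: str, data: bytes, key: bytes = APP_PRIVATE_KEY) -> None:
    """Write data to world-accessible storage together with an HMAC sidecar."""
    name = safe_name(name)
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    with open(path + ".sig", "wb") as f:
        f.write(_tag(key, name, data))


def load_from_shared(shared_dir: str, name: str, key: bytes = APP_PRIVATE_KEY,
                     max_size: int = 1 << 20) -> bytes:
    """Read data back, refusing symlinks, oversized files and anything whose tag does not verify."""
    name = safe_name(name)
    path = os.path.join(shared_dir, name)
    for p in (path, path + ".sig"):
        if os.path.islink(p) or not os.path.isfile(p):   # another app may have planted a symlink
            raise IntegrityError(f"{p} is missing or not a regular file")
    if os.path.getsize(path) > max_size:                 # bound the read before it happens
        raise IntegrityError("file larger than expected")
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".sig", "rb") as f:
        tag = f.read()
    if not hmac.compare_digest(tag, _tag(key, name, data)):
        raise IntegrityError("integrity check failed: data was modified in shared storage")
    return data


def demo() -> dict:
    """Legitimate write, then a simulated second app rewriting the file in place."""
    shared = tempfile.mkdtemp(prefix="shared_")                   # stands in for external storage
    original = b'{"update_url": "https://updates.example/app.apk"}'  # constructed sample config
    store_on_shared(shared, "config.json", original)
    results = {"clean_read_ok": load_from_shared(shared, "config.json") == original}
    with open(os.path.join(shared, "config.json"), "wb") as f:   # the "other app" on the same disk
        f.write(b'{"update_url": "http://tampered.invalid/app.apk"}')
    try:
        load_from_shared(shared, "config.json")
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    try:
        load_from_shared(shared, "../config.json")
        results["traversal_rejected"] = False
    except IntegrityError:
        results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

An app sharing the disk can overwrite the sidecar as well, but without the key it cannot produce a tag that verifies; the scheme therefore only helps if the key never touches external storage. It also does nothing for confidentiality, which is why the article's point stands: sensitive data belongs in internal storage, and whatever must live outside it is validated on every read.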

2017

Tracking users even when geolocation is turned off and there is no SIM card

Devices running the Android OS collect information about the location of users and send it to Google even if all geolocation services are turned off, no application is running or there is no SIM card. The data is sent to Google every time the device connects to the Internet. This conclusion was reached in November 2017 by Quartz in its own investigation[20].

Since the beginning of 2017, Android smartphones have been remembering the addresses of nearby cell towers, even if geolocation services on the device are disabled by the user, and sending this data to Google, the publication found out. Thus, the company began receiving data that goes beyond users' expectations of privacy protection. The user cannot disable this. According to Quartz, the changes were made to the Firebase Cloud Messaging service, which is present by default on all Android devices.

The experiment conducted by the publication showed that even a factory reset, which removes all installed applications, does not help: the smartphone continues to send the addresses of the nearest towers to Google as it moves from one to another. If no SIM card is inserted, the phone sends the data when it connects to Wi-Fi.

Google confirmed to Quartz that it had been engaging in this practice for 11 months. Tower addresses are transmitted to a system that sends push notifications and messages to smartphones. This system works separately from conventional geolocation services. The company assures that this data is not stored or used in any way. After being contacted by Quartz, Google management decided to end the practice. By the end of November, Android will stop collecting tower addresses and transferring them to the company, at least in a way the user cannot disable.

Technically, the new practice means that Android began tracking the Cell ID, an identifier assigned by the operator to each sector of a base station. However, Google assures that the Cell ID was never integrated into the network synchronization system, so the collected data was immediately deleted. After the update, the system will stop requesting the identifier.

The company says the Cell ID collection was done to improve message delivery. Quartz, in turn, writes that it is not entirely clear how this could improve it. The publication notes that using the addresses of several towers at once rather than one, the user's location can be determined with an accuracy of 400 meters, and in urban conditions even more accurately, since the towers are located close to each other.

Google's privacy policy provides for the collection of data on the location of the user, but does not specify that the collection of data continues even after the shutdown of geolocation services.

All versions of Android except Oreo allow you to seize control of the device

In early September 2017, a serious vulnerability was discovered in all versions of the Android mobile OS except Oreo (8.0) that allows an attacker to seize full control of the device using modified pop-up notifications. In the event of a successful attack, attackers can install arbitrary programs on the smartphone or disable it.[21]

The essence of the attack

The vulnerability was identified by Palo Alto Networks researchers. According to the description of experts, the attack is a type of "Cloak and Dagger" attack, which was described in the spring of 2017 by specialists from the University of California at Santa Barbara and the Georgia Institute of Technology.

The essence of the attack is that the malicious application displays its own window on top of all others, hiding the real notifications of the operating system. As a result, the user sees a fake window with an innocuous phrase, but by clicking the "Ok" button he unknowingly agrees to install the malware and grants it administrator rights.

Attack features

The publication by experts from the University of California and the Georgia Institute of Technology indicated that malware attempting such attacks faces two serious obstacles: it must obtain explicit permission to use the draw-on-top function (which allows an application to display its windows on top of all others), and this is only available to applications from Google Play.

Palo Alto Networks experts, in turn, found that Android system pop-up notifications (Toasts) can be used to carry out attacks similar to Cloak and Dagger: these notifications appear on top of all windows, do not require special permissions from the user, and can be modified to cover the entire display of the device, turning them into the functional equivalent of regular application windows.

Patches

Patches that close the vulnerability are already being distributed. Palo Alto experts strongly recommend not installing applications from anywhere other than Google Play.

Google has closed 12 critical vulnerabilities in Android

In early August, Google released a planned Android security update that fixes a total of 51 problems in MediaServer, AudioServer, CameraServer, various libraries, etc. According to the description, 12 of the fixed vulnerabilities were critical.[22]

In particular, 10 critical vulnerabilities in the Media Framework component (multimedia libraries), one in a library (CVE-2017-0713) and another (CVE-2017-0740) in Broadcom components were closed. The Media Framework vulnerabilities allowed arbitrary code to be executed remotely in the context of a privileged process by sending a specially crafted file. By exploiting the last two problems, an attacker could remotely execute code in the context of an unprivileged process.

Among the other fixed problems: 16 vulnerabilities in the Media Framework component allowing denial of service, privilege elevation and data disclosure; 5 privilege escalation vulnerabilities in the OS kernel; 2 privilege escalation vulnerabilities in MediaTek components; and 6 vulnerabilities allowing privilege elevation and data disclosure in Qualcomm components.

Play Protect is a protective feature for Android

At the end of July 2017, it became known that Google had decided to raise the overall security level of the Android mobile platform by adding a new Play Protect feature to all Android devices running Google Mobile Services 11 or newer. The new tool can be found in the settings menu (Google section, Security tab, Application Scan item). According to the company's plans, the service will soon appear in Google Play and replace the Google Verify Apps feature.[23]

The security feature checks applications for security issues and the presence of malicious code. A "Verified by Google Play Protect" icon will also be added to individual app listings. A safe browsing option will warn the user when he tries to open a suspicious site in the Chrome browser.

Applications are checked automatically, and the user receives notifications about all detected risks. In addition, Google has moved the Find Device service into Play Protect; with it, you can determine the location of the device, lock it, make it ring or erase all data from it.

The growth of malware on Android

2016: Vulnerability growth - 158%

On December 2, 2016, Quick Heal Technologies reported a 158% increase in vulnerabilities in the Android platform. The company's report covers the third quarter of 2016 compared to the previous year.

According to the company's experts, in 2017 the number of cyberattacks using ransomware and malicious banking software will increase.

Over the past three months, the number of ransomware programs for mobile platforms has grown by 33% compared to the second quarter of 2016, according to the study. Experts recorded a slight decrease in the activity of potentially unwanted software and adware, by 3% and 12% respectively. In the third quarter of 2016, the number of mobile banking Trojans increased by 25%. Compared to 2015, the number of malware programs designed to attack mobile platforms increased by 76%[24].

The researchers noted the expansion of the scope of attacks by cybercriminals through the use of malicious adware. If previously attackers were limited to showing unwanted ads, now their main goal is to steal information.

According to the forecasts, in 2017 the number of cyberattacks using ransomware and malicious banking software will increase.

"Attackers will continue to attack owners of Android and Windows devices, as well as companies (especially financial institutions) that use these platforms for daily business operations," said Sanjay Katkar, Managing Director of Quick Heal Technologies.

2015

How to break the Android lock system

In September 2015, researchers asked: if one of the most wanted cybercriminals in the US used his cat's name as his password, and a Google study found that typical security questions like 'Your favorite dish?' were practically useless, what should we expect from the unlock system that protects our smartphone from unauthorized access? Not very much, of course...

Like obvious passwords and answers, the patterns we draw on the screen to unlock our smartphone are usually easy to guess. This was demonstrated by Marte Løge[25], a researcher at the Norwegian University of Science and Technology, in research she presented at the PasswordsCon conference in Las Vegas in September 2015.

After analyzing approximately 4,000 real user patterns, the researcher discovered a set of weak choices that were repeated very often. First of all, when choosing a lock pattern, up to 9 points (a 3×3 grid) can be connected, but most users prefer to connect far fewer.

The average number of points used is five, reducing the number of possible combinations to 9,000. However, it turns out that most users choose patterns of only four points (the minimum allowed), in which case the range of combinations is limited to only 1600, which is clearly not enough.

This is not the only mistake we make: 44% of us start drawing the pattern from the upper left corner of the screen, and 77% of patterns start at one of the four corners of the grid. Knowing that the pattern connects only four points, one of which must be in a corner, significantly reduces its security.

In addition, it turns out that we are more likely to draw a pattern from left to right and from top to bottom, which makes such a pattern even easier to guess.

[Image: How to break the Android lock system, figure 1]

There are other important factors to consider besides the number of points connected. The complexity of the sequence of points also matters when choosing a pattern. If we number the points from 1 to 9, the combination '2, 1, 3, 6' is much harder to guess than '1, 2, 3, 6'.

Although both combinations have only 4 values, the first one complicates guessing by changing direction (from 2 to 1 and from 1 to 3), while the simpler version shows all the mistakes discussed above: starting in the upper left corner of the screen, moving from left to right and from top to bottom. If you use similar combinations to protect your mobile device, you should change them as soon as possible.
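The pattern space and the habits described above can be checked by enumeration. The following is an added example, not code from the page or from Løge's research: it numbers the 3×3 grid 1 to 9 as the article does, applies the Android rule assumed here (distinct points, 4 to 9 of them, and a stroke may only pass over a point that has already been visited, since otherwise the lock screen would have included it), counts every valid pattern by length, and flags the weak habits the article lists (corner start, fewer than five points, left-to-right/top-to-bottom flow, few changes of direction) for a given pattern. The exact counts it produces can be compared with the rounded figures quoted above.

```python
from typing import Dict, List, Optional

# Node numbering used in the article: 1 2 3 / 4 5 6 / 7 8 9
GRID = {n: divmod(n - 1, 3) for n in range(1, 10)}          # node -> (row, col)
NODE_AT = {rc: n for n, rc in GRID.items()}                   # (row, col) -> node
MIN_LEN, MAX_LEN = 4, 9


def node_between(a: int, b: int) -> Optional[int]:
    """Node lying exactly halfway between a and b on a straight line, if any (e.g. 2 between 1 and 3)."""
    (r1, c1), (r2, c2) = GRID[a], GRID[b]
    if a != b and (r1 - r2) % 2 == 0 and (c1 - c2) % 2 == 0:
        return NODE_AT[((r1 + r2) // 2, (c1 + c2) // 2)]
    return None


def is_valid(pattern: List[int]) -> bool:
    """Assumed Android rules: distinct nodes, 4..9 long, and a stroke may only cross a node
    that has already been visited."""
    if not MIN_LEN <= len(pattern) <= MAX_LEN or len(set(pattern)) != len(pattern):
        return False
    if any(n not in GRID for n in pattern):
        return False
    visited = set()
    for a, b in zip(pattern, pattern[1:]):
        visited.add(a)
        mid = node_between(a, b)
        if mid is not None and mid not in visited:
            return False
    return True


def count_patterns() -> Dict[int, int]:
    """Enumerate every valid pattern by depth-first search; returns counts keyed by length."""
    counts = {n: 0 for n in range(MIN_LEN, MAX_LEN + 1)}

    def extend(path: List[int], visited: set) -> None:
        if len(path) >= MIN_LEN:
            counts[len(path)] += 1
        for nxt in GRID:
            if nxt in visited:
                continue
            mid = node_between(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue                      # would drag an unvisited node into the pattern
            visited.add(nxt)
            path.append(nxt)
            extend(path, visited)
            path.pop()
            visited.discard(nxt)

    for start in GRID:
        extend([start], {start})
    return counts


def _sign(x: int) -> int:
    return (x > 0) - (x < 0)


def weakness_report(pattern: List[int]) -> List[str]:
    """Flag the habits the article describes. An empty list means none of them were found."""
    if not is_valid(pattern):
        raise ValueError("not a valid unlock pattern")
    flags = []
    if pattern[0] in (1, 3, 7, 9):
        flags.append("starts in a corner")
    if len(pattern) < 5:
        flags.append("uses fewer than 5 points")
    steps = [(GRID[b][0] - GRID[a][0], GRID[b][1] - GRID[a][1]) for a, b in zip(pattern, pattern[1:])]
    if all(dr >= 0 and dc >= 0 for dr, dc in steps):
        flags.append("only moves right and/or down")
    dirs = [(_sign(dr), _sign(dc)) for dr, dc in steps]
    turns = sum(1 for d1, d2 in zip(dirs, dirs[1:]) if d1 != d2)
    if turns < 2:
        flags.append(f"only {turns} change(s) of direction")
    return flags


if __name__ == "__main__":
    print(count_patterns())
    print("1,2,3,6 ->", weakness_report([1, 2, 3, 6]))
    print("2,1,3,6 ->", weakness_report([2, 1, 3, 6]))
```

With these rules the enumeration gives 1,624 four-point and 7,152 five-point patterns out of 389,112 in total; the two patterns from the article come out as the text describes, with '1, 2, 3, 6' tripping every flag and '2, 1, 3, 6' only the length one.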

[Image: How to break the Android lock system, figure 2]

It is usually said that the user is the weakest link in cyber security. As Løge said at PasswordsCon, "human nature is predictable," and therefore people behave in quite guessable ways. In fact, "we see the same combinations in unlock patterns as in PINs or numeric passwords," Løge said.

The ability to steal data through an MMS message

On July 28, 2015, it became known about a vulnerability in Android devices discovered by the research company Zimperium, which called it "the most dangerous in the entire existence of the Android mobile OS"[26].

According to the company's research, any Android smartphone can be infected by receiving an MMS message. Joshua Drake of Zimperium noted that the smartphone can be infected even before the incoming message sound finishes playing; the user may simply never find out about it[27]. A message with malicious code arrives on the phone and immediately begins to steal data or transmit information from the camera and microphone.

Google's lead Android security engineer Adrian Ludwig acknowledged the vulnerability and its high level of danger: hackers can abuse the Hangouts function that pre-processes video received in a message. An attacker can send a video with hidden malicious code to the user's phone, and Hangouts will cause the malicious code to run, since Hangouts instantly processes all received videos.

However, according to media reports, as of July 28, 2015, there were no known cases of exploitation of the discovered vulnerability, and the Zimperium team handed all the necessary information to Google. Still, there is some bad news:

  • first, even after Google closes the vulnerability with an update, it probably will not reach more than half of the devices;
  • secondly, if the user does not use Hangouts, the malware will not be launched automatically, but it will still run when the user opens the received video.

According to the media, the vulnerability stems from bugs in the Stagefright media player built into Android. All phones with OS versions above 2.2 can be attacked. Depending on the OS version, the level of access obtained also varies, from full control to access to photos.

Zimperium had been sending vulnerability reports to Google since April 9, 2015, when the vendor responded with a commitment to include patches in subsequent updates. After that, Zimperium found 6 more bugs. Google announced that it had informed all smartphone manufacturers and that fixing the vulnerabilities was their responsibility, but according to Forbes, as of July 27, 2015, HTC, LG, Lenovo, Motorola, Samsung, Sony and Google itself had not released updates for their devices.

2012

18% of Android devices infected in Russia

In 2012, the number of attacks on mobile devices running the Android OS more than doubled compared to 2011. The annual increase in malware for mobile devices was 163%.

Researchers at security vendor NQ Mobile discovered 65,227 new samples of malicious software targeting mobile platforms in 2012, compared to just 24,794 in 2011. Of this "sea" of hacker products, 94.8% are designed to attack the Android platform, and only 4% to attack the open Symbian OS. According to NQ Mobile, more than 32.8 million Android devices were infected in 2012 (for comparison, only 10.8 million in 2011), a growth of 200% over the year.

China leads in the number of infected devices: 25.5% of all Android devices sold in that country are infected. India is in second place (19.4%) and Russia in third (17.9%), followed by the United States (9.8%) and Saudi Arabia (9.6%). NQ Mobile data shows that 53% of American Android users have security tools installed.

In 2012, malicious code was not very diverse: 65% were so-called potentially dangerous programs (exploits, spyware, intrusive adware and Trojans), 28% were collector programs that harvest personal data, and 7% were code that makes the device behave in an unusual way.

The main way of introducing malicious code in 2012 was app repackaging (adding code to legitimate applications and re-uploading the modified application to third-party app stores), as well as smishing (SMS phishing), pseudo-links that cause the OS to download an application containing malicious code or open a dangerous website. Another method of infection is the use of a malicious URL that redirects the browser from a genuine site to its clone in order to extract the user's personal data.

Researchers consider the reason for such massive infection of Android devices to be the data protection policy of the Google Play store, which made it, in effect, open to hackers and allowed them to distribute malicious code through Android applications. In Android 4.2 (Jelly Bean), Google significantly reduced the risks to the platform.

However, the picture obtained by NQ Mobile looks more daunting for Android than a similar study by F-Secure, according to which only 79% of malicious code for mobile devices targets this OS.

Android caught up with Windows in the number of malware

According to Trend Micro's reports on cyber threat trends and mobile security (Trend Micro 2012 Annual Roundup and Mobile Security), in 2012 the range of hackers' targets expanded significantly and now includes not only PCs but also Android devices, social media and even the Mac OS X platform. In particular, in less than three years the number of malware programs for Android alone has equaled the number created for Windows in 14 years. According to Trend Micro forecasts, the number of threats to Android users will cross the 1 million mark in 2013.

According to Trend Micro estimates, at the end of 2012 the number of threats to the Android platform was 350 thousand. In three years, Android has accumulated as much malware as the PC did in fourteen years.

2012 was also marked by hackers shifting the focus of their Windows attacks to Java and to vulnerabilities in other systems. In particular, the first large-scale attack on Mac OS was observed.

English and Russian occupy the leading positions in the list of the 10 most popular languages of spam messages; India tops the global ranking of "spam suppliers."

Social media is attracting increased attention from cybercriminals. Many users put themselves at risk by being overly frank when communicating on the Internet and posting information on their social media pages that attackers can use.

2012 was marked by a number of sophisticated APT attacks, such as Luckycat, Taidoor, IXESHE, etc.

Instead of "inventing" new attacks, attackers began to adopt professional software development methods. The Blackhole exploit kit (BHEK), automatic transfer systems (ATS) and ransomware have been improved and given new functionality using development practices that any commercial software vendor would be proud of. The rise in threats to mobile systems and devices is a key trend of the post-PC era. Over the past three years, as many malware programs have appeared for the Android platform as were created for PCs in 14 years. In addition, only 20% of Android device users use security apps. As of the end of 2012, the number of threats to this relatively new mobile platform reached 350 thousand; Trend Micro forecasts that the number of malicious Android apps could increase to 1 million in 2013.

2011

Android smartphones send coordinates to Google every hour

After the publication of the article reporting that the iPhone and iPad record the coordinates of the places their owners visit, experts showed increased interest in this kind of hidden smartphone functionality. According to a study by information security expert Samy Kamkar, this kind of information is also collected on Android smartphones and, moreover, sent to Google. The devices record the MAC addresses of all Wi-Fi access points within range, their signal strength and, more importantly, the GPS coordinates of the device.

How Google uses this data, Kamkar does not explain, but he reports that the data is recorded every few seconds and sent to Google every hour from any smartphone running Android. On a special page, the expert suggests entering the MAC address of any router and finding out where in the world it is located. As Reuters writes, this information is apparently needed by Google for LBS applications such as Google Maps and Latitude. The company has not yet commented on the report. Meanwhile, the author of the Daring Fireball blog, well-known journalist John Gruber, believes that Apple's saving of information about where device users have been is most likely a software error, since Apple only needs to know where the user is now. He believes this "bug" will be fixed in the next iOS update.

Google's response: To protect your privacy we would like you to know that Google Latitude is running on your mobile device and reporting your location. If you didn't enable this or want to stop reporting your location, please open Latitude privacy settings or sign out of Latitude. To learn more, visit the Latitude Help Center.

Android malware up 400%

Juniper Networks analysts in May 2011 published the results of their study investigating potential threats to mobile devices. According to the data obtained, since the summer of 2010, the number of malware for Android has increased by 400%. In addition, it is reported that during this period, mobile devices owned by both companies and individuals were subjected to a record number of threats, including targeted attacks on Wi-Fi networks.

Of extreme concern is the fact that applications downloaded to mobile devices contribute most to the spread of malware. However, despite the growing number of threats to Android, most users still neglect protection and do not consider it necessary to install any antivirus on their gadget.

German scientists from the University of Ulm conducted a study in which they demonstrated the vulnerability of the vast majority of Android-based mobile devices. It is related to the use of the ClientLogin authentication protocol. When the user enters credentials for a password-protected service, a digital key (authToken) is created and transmitted in plain text, so it can be intercepted. Thanks to this, an attacker can, for example, gain full access to the calendar, contact data or private web albums of Google users and view, change or delete any contacts, calendar events or private photos, the scientists explained. In addition, the email addresses of the victim's boss or business partners can be quietly changed in order to intercept letters containing important or confidential business information.

Since an authToken remains valid for up to two weeks, the report notes that an attacker can collect them on a large scale using insecure wireless access points located in public places. The researchers urge Google to limit the validity of the authToken and to stop using insecure connections for the ClientLogin protocol.

Notes

  1. Do I need an antivirus for Android?
  2. New Android spyware collects complete user information
  3. Dropper BugDrop infects Android devices with the dangerous Xenomorph Trojan
  4. Google, late for 3 months, patched a "hole" in Android, which hackers used with might and main
  5. New Android malware Octo allows you to remotely manage your device
  6. Human rights activists have filed a complaint against Google for illegal surveillance of users
  7. Google is sued for consuming mobile traffic on Android devices without permission
  8. Google is suspected of tracking users Android
  9. Mark Brnovich (@GeneralBrnovich), May 28: Today we filed a consumer fraud lawsuit against Google for deceptive and unfair practices used to obtain users' location data, which Google then exploits for its lucrative advertising business
  10. Android users overtook the terrible nightmare of iPhone owners
  11. Google fixes remote code execution vulnerability in Android
  12. Android OS became the most vulnerable platform in 2019
  13. Russian banks discovered a new virus to steal money
  14. A vulnerability in Android allows malware to record video
  15. Google does not plan to fix the NFC vulnerability in Android 7, 8 and 9
  16. Android has a "hole" that allows you to remotely "root" smartphones Huawei, Xiaomi, Samsung and Oppo
  17. Dangerous vulnerabilities were found in Android VoIP components
  18. Google fixed four critical vulnerabilities in Android
  19. An Android smartphone can be hacked by forcing the victim to open a picture
  20. Google, which monitors users even when the smartphone does not have a SIM card.
  21. All versions of Android, except for the latest, allow you to completely take control of your smartphone
  22. Google has fixed 10 critical vulnerabilities in Android
  23. Google has released built-in protection for Android
  24. In 2016, the number of vulnerabilities in the Android platform increased by 158%.
  25. Why the unblocking system of your Android isn't secure and how you should change it
  26. The worst Android vulnerability in the entire existence of the OS was discovered
  27. Experts Found a Unicorn in the Heart of Android