There's a worrying trend amongst businesses who haven't yet been through some kind of IT related security issue. It's human nature to think bad things only happ...
iOS AirDrop - video shows live iPhone hack
- Editor 0 Comments
Installs signed apps without warning the user
Security researcher Mark Dowd has disclosed a vulnerability in Apples iOS and OS X which allows attackers to overwrite any file on a targeted device. With a little manipulation, it can even install a signed app which is fully trusted by the onboard system without even warning the user.
It turns out AirDrop is the culprit - the feature in Apples' operating systems which allow files to be sent directly to other devices. When set to allow connections from anyone, an attacker can hack the device even when it's locked.
Dowd used his own Apple Enterprise Certificate to make a profile for a test app which enabled it to run on any device.
Lockscreen Android hack gives full access
- William Damage 0 Comments
Video shows how to hack affected handsets
When users hear about hacks to smartphones they usually conjure up images of darkened rooms, hunched figures over keyboards and masses upon masses of software tools, debuggers and general highbrow geekiness. A new hack has emerged which blows that away - it lets users (eventually) unlock a locked handset using nothing but their thumb. Ok, it's as tedious as it is ingenious, and it must be stressed upfront this doesn't hit all Android handsets - a fix has already been issued - but the video shows a hack that has to be admired for the convoluted way it achieves its objective.
Chinas VERC warns of Android SmsSpy
- Editor 0 Comments
Messaging trojan discovered
The National Computer Virus Emergency Response Center in China is alerting users of a new Android virus discovered called Android/SmsSpy.ccr. The state news agency, Xinhuanet, is warning that it can create its own variants in a short time and so spreads quickly to other vulnerable handsets. The virus also blocks messages by giving infected devices the Android permissions required to receive, read and send SMS messages to any contact in the devices contact list.
The virus hides itself after infection by removing its icon from the launcher. It also "activates controls to prevent uninstallation", although what these are exactly is not specified.
VERC is advising concerned users not to open text messages from unknown senders. No word yet from the anti-virus providers on how serious this really is, but the usual advice regarding only installing software from trusted sources applies.
Qualcomm puts antivirus in hardware
- Editor 0 Comments
New Snapdragon CPU defends against malware
Qualcomm moved the anti-virus arms race into a different league when they recently announced they are building malware defenses right in the CPU.
The new technology is termed "Smart Protect" and is claimed to be able to utilize real-time machine learning to detect new malicious apps before their signatures have been incorporated into traditional AV software providers systems. Rather than relying on the usual lookup processes, the new system uses machine learning-based behavioral analysis.
Dendroid author found guilty
- Carl Whalley 0 Comments
Author worked at security company
The author of the Dendroid malware creation system has been caught and will be sentenced on December 2nd - he faces a maximum term of 10 years in prison and a $250,000 fine. According to his Linked In profile, he spent 4 months at FireEye working on improving Android malware detection tools.
Dendroid wasn't just a regular virus but formed an SDK - a set of tools which allowed other virus authors to develop them. A student of Carnegie Mellon University, the author Morgan Culbertson, 20, provided a system which let authors access the phones camera, downloaded audio and video and could record phone calls.
Phone charger shines UV light on phone to kill physical viruses!
- Carl Whalley 0 Comments
Mobile phones can have "18 times more harmful bacteria" than a public restroom
When people hear the term "Smartphone Virus" they immediately think of the kind of things we here at, err, smartphonevirus.com constantly worry about - malware, phishing, denial of-service attacks and such aimed at your mobile. However, it should never be forgotton that the computer/mobile industry hijacked the "virus" term from something that existed a long, long time before then. I'm talking about physical viruses - the kind which spread as germs from contact between contaminated surfaces.
By a strange co-incidence, of course that includes something we touch the most throughout the day - the mobile phone itself. Yes, it certainly can spread real viruses and, as the creator of a new device designed to combat this points out, "one in 6 phones contain fecal matter."
Android Task Hijack
- William Damage 0 Comments
Android on the ropes ... again
Oh man, is Android taking a battering at the moment. Right after the infamous Stagefright bug, and its botched fix, we have the Android Task Hijack bug, which this time puts every single release of Android at risk.
The exploit was presented at the USENIX Security 15 conference in Washington DC recently and is detailed in a pdf. Proof-of-concept demonstrations were shown which could result in UI spoofing, denial-of-service and user spying attacks.
The 5 man team from Pennsylvania State University who discovered the vulnerability have notified Google.
Google botches Stagefright fix
- Editor 0 Comments
If at first you don't succeed...
Google just rushed out a fix for the notorious Stagefright bug but in their haste appears to have missed something critical, leaving even "fixed" devices still open to attack. That's the finding from Exodus Intelligence who have detailed the code provided in the patch, along with the vulnerability which was missed.
Google rolled out their patch to 950 million devices this week but it looks like they'll have to do it all over again once they've wiped the egg from their face. Exodus said "Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"
Android Stagefright: Video of live hack released
- Carl Whalley 0 Comments
Google in "World's largest" software update
The Stagefright attack is the nightmare perfect storm for smartphone users because it doesn't need the user to do anything to succeed. Most exploits need a user to at least install something first to compromise their handset, and are duly warned constantly against using apps from untrusted sources. The Stagefright vulnerability, however, was baked in from the day the smartphone left the factory door which means it's up to the manufacturer to fix it. Google have announced they are about to do this for all current Nexus models, which is easier for them since they directly control the OTA updates for those, and in partnership with all the major manufacturers in what has been dubbed the "World's largest software update" of just under a billion devices.
Android gets bug bounty rewards
- Carl Whalley 0 Comments
Google Announces Android Security Rewards
Fancy a cool $40,000? That's how much Google will pay up to if you disclose a new critical flaw in Android. Also, in recognition of many weaknesses being found in older libraries, they have announced a program to discourage developers from using them.
Naturally, there are a few conditions - fora start, they must be found in the current Nexus device line up. That's not too surprising, since those are the only "pure" Android devices in the wild which Google directly controls. They are in effect saying the carriers are responsible for any non-core Android bugs.