New Year, New Vulnerabilities

Well, we got to ring in the new year with some major excitement, haven’t we? 2018 has met us with a nasty 1-2 punch combination, no doubt! First, the exposure of a vulnerability that effects millions of GPS tracking devices. Security researchers were able to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geo fencing alarms. All this was said to be possible with no authentication needed.

This was immediately followed up by the Meltdown and Spectre vulnerabilities in what is essentially anything device connected to the internet. From mobile phones, to tablets, to laptop and desktop PCs, these flaws do expose us to some pretty significant risk. But the world is not, in fact, over. Not yet at least.

The RedLegg team has been fielding calls from clients, friends, and family about these vulnerabilities that have been drawing a lot of attention this week. There is significant implication as to the damage that could result from successful exploit of these issues, but we wanted to present some additional facts for consideration. Here’s what we know:

Meltdown

This vulnerability allows any application to access all system memory, including memory allocated for the kernel. Patches are being , and in some cases have been, rolled out and should be applied as soon as possible. So far, research indicates that only Intel chips have been shown to be vulnerable.

Spectre

This vulnerability allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel and affects nearly every CPU built on the x86 architecture. This vulnerability may require changes to processor architecture in order to fully mitigate. According to leading research, this vulnerability impacts Intel, AMD, and ARM chips. Due to the development life-cycle implemented by processor manufacturers, this issue will likely be around for a very long time.

Exploitation is possible. Security researchers produced and release proof of concept exploit code within roughly a day. There is no reason to believe that the bad guys will be working feverishly to weaponize these and deploy them for nefarious means. And while there definitely is significant risk associated with these vulnerabilities, there is no proof or reason to believe weaponized exploit code is in use in “the wild”.

Consider taking an inventory of all your systems by processor type, be sure to apply vendor patches as they become available, and track the progress of the updates as they’re released.

  • Microsoft has issued a patch for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
  • MacOS 10.13.2 mitigates some of the disclosed vulnerabilities, but MacOS 10.13.3 will enhance or complete these mitigations.

For anyone using Qualys Vulnerability Management, Qualys will continue to release QIDs for any vendor patches that mitigate this vulnerability. A list of currently-released QIDs is being maintained in this Qualys Support article.

It’s an increasingly interesting time to be in the world of security, and an increasingly dangerous time to fall victim. Take the time to read the information that’s out there on these issues, there is a lot. But be sure to understand what you’re reading. Proof of concept exploits for these issues continue to surface, and with each release the potential for a weaponized exploit increases. Considering the number of devices impacted here, we really need to be watching the horizon as the research develops.

Happy New Year. Stay safe out there!

 

Detecting and Removing Android Malware

Android Malware

A friend reached out recently asking for some advice as to how to determine if her Android device had been infected. Apparently, she’d fallen prey to a Facebook Messenger attack and clicked on a dirty link, now her phone was doing some weird things. So after walking her through the process, I figured it might be worth sharing with others. Also, I have been too busy to write much so it’s a chance for me to turn the notes into a post- 2 birds and all that!

NOTE: If you rooted your device, you should be able to fix it. These steps still apply, in some capacity, but rooting the device opens up a whole other can of worms from a security aspect. 

CAVEAT: Before we go on, we should level-set our understanding to one sad but simple fact. Modern malware is nasty. Software isn’t made well in many cases and it is entirely too easy for a skilled bad guy to outsmart the good guys. If your device is infected, I highly recommend backing up your data to salvage what you can and do a factory reset on the device. We can take our chances with disinfecting, but a reset is always the safest bet if you can afford it.

Indicators of Compromise

While none of these are issues in and of themselves, technology is messy and sometimes things happen. But if you experience these symptoms regularly, it’s increasingly likely that there is an issue.

Decreased Performance

Different behavior from a device is the first indicator that something may be afoot. Unfortunately, that doesn’t mean just being slow because that is an inherent trait of the Android platform. Much like your laptop or desktop, these devices need maintenance in order to run properly. You may just need to do some housekeeping. We’ll look more at removing malware and doing general housekeeping later on in the post, but let’s look at some signs of infection.

Bad Battery Life

Another IoC is when batteries mysteriously drain quicker than usual. Users generally have a good idea of how long their battery should last. Sudden, increased battery usage is likely due to something suspicious. Continuously displaying aggressive ads, for example, can impact battery life significantly. Malware may hide in plain sight by pretending to be a regular application or try to stay hidden from the user, abnormal battery drainage can indicate the presence of an Android infection.

Can You Hear Me Now?

Disruptions during a conversation or dropped calls are another indication of a possible infection. While this can also be the fault of your carrier, malware could be the culprit. Call your service provider to determine if there are any service issues with the network in your area. It’s important to determine if this is the fault of the carrier, or if something more worrisome is going on.

Mo Money, Mo Problems

Android malware can steal data from your device, send text messages to premium numbers, and even make phone calls from a compromised device. This malware  may send an SMS message irregularly to fly under the radar, or may self-destruct after making substantial charges, uninstalling from the device without a trace. Consider setting up usage quotas to help identify anomalies here. Finally, check your phone bill often to determine if anything nefarious is going on.

Housekeeping

If you’re still reading, I’ll presume that you’ve determined, using the Indicators of Compromise above, that your device is compromised. The next step is to start cleaning up the mess. Following these steps can help get things back to normal.

Out with the Bad

The very first thing you want to do, in the event of an infection, is to uninstall anything you no longer need or use. Going through your application manager allows you to identify, and remove, any apps that might be causing problem. It’s also important to look at things you didn’t install as Android malware has been known to act as a “trojan dropper” which simply assists in getting more devious malware onto a compromised device. A good rule of thumb is that if you haven’t used the application in the last 3 months, it can probably go.

Scan for Threats

The next step is to scan the device using some security software. I’ll talk more about general antivirus solutions for android later, but I highly recommend Malwarebyte’s AntiMalware for this task. While nothing is perfect, MBAM is a good starting point for disinfecting an infected device.

Clean the Crap

By this point, we have established at least a little faith in the device. Next it’s important to delete the remnants of unwanted data and free up as much space as we can. Crap Cleaner, or CCleaner, from Pirform Software has long since been a solid housekeeping solution for laptops and desktops for some time. I was elated when they released a mobile version! CCleaner is able to clean cached data, downloaded files, and even gets rid of the old APK files that have been left over after installing apps. Use this handy app regularly to free up space and keep your device running smoothly.

Install Antivirus

Antivirus has served a valuable place in computing for decades and that’s not likely to change anytime soon. If you’re using a device that’s connected to the internet, you should be using some form of antivirus. This goes for your mobile device(s) just as for a laptop or desktop or anything else. There are many solutions out there and I have no intention of opening this can of worms right now. Consider researching the options and determining which is best for you. It’s never a bad idea to test several options but remember, test only one antivirus solution at a time as multiple installations could create conflicts and actually decrease the efficacy of the software. Here is a link to some content by sources I respect. Take some time to do your homework and pick the solution that’s best for you.

Stay Vigilant

These devices have become increasingly important in our day-to-day lives, and they contain more and more sensitive data as a result. Because of this dependence, we have to protect these devices in order to protect our data. While there is no “silver bullet”, and anything can be hacked, these steps can at least make you a harder target.

Default Settings

Am I actually advocating for leaving default settings in place? Yes, I am. Android devices come shipped with several security controls in place which work to prevent compromise in the event of dangerous situations. Leaving these settings in place can help to prevent attacks such as a trojan dropper. Another good default setting to mention here is that of keeping the USB Debugging feature turned OFF. Turning USB Debugging on could allow unauthorized users to gain access to sensitive data on the device without permission.

Shop Responsibly

The Google Play Store is the only source you should trust for installing applications on your Android device. Let me say that again. The Google Play Store is the only source you should trust for installing applications on your Android device.  Google Protect provides several layers of security around the apps that make it to the Play Store and has been proven time and again to quickly address any potential issues that fall through the cracks. Avoid installing apps from other sources that might not be so diligent.

Police your Permissions

One of the longest standing complaints I’ve had about the Android platform is the unnecessarily permissive app requests. For example, if you’re downloading a simple game like Angry Birds, why does it need access to your contact list? Unfortunately, Android users are in a pickle. If you want to use the app, you have to accept the permissions. There’s really no way around it. So, when you’re installing an app, just review these carefully and ask yourself if it’s really necessary.

Conclusion

At the end of the day, due diligence pays off. Knowing what you’re installing and having confidence in the source, as well as paying attention to anomalies, all go a long way to keeping your device safe. Perform regular maintenance on your device by checking for rogue apps and deleting any files that aren’t needed. Take the chance to reduce the attack surface wherever you can and you’ll make yourself a harder target to hit.