NFC Payment Test at Olympics Will Inspire Mobile Attackers to Go for the Gold

Visa is testing its PayWave contactless payment service at the Summer Olympics in London. Every athlete will receive a Samsung Galaxy SIII phone with near-field communication (NFC) enabled, along with Visa’s payment app. Contactless payments aren’t new; Google has already tested similar phone-based payments with its Wallet app on other NFC smartphones.

A Samsung Galaxy SIII will be given to every athlete competing at the 2012 Summer Olympics in London.

When we last looked at NFC phones and their payment apps, the open question was whether an attacker would go after the apps, the phone hardware, or the Android OS. Since then we have seen a PIN-reset vulnerability in Google Wallet that let an attacker spend the app’s free prepaid card, as well as a way to crack the Wallet PIN on the phone. Google updated the Wallet app to fix those vulnerabilities and make such attacks much harder. Attackers now have to go lower in the stack, though that does not necessarily mean attacking the Secure Element: targeting the OS and its NFC-handling libraries can be just as productive.

Fuzzing, feeding malformed or corrupted data to the NFC stack and the apps above it in order to discover vulnerabilities, is a good first step. Researchers Charlie Miller and Collin Mulliner fuzzed SMS messages to great effect a few years back, discovering exploitable vulnerabilities on Android and iOS phones. Mulliner has also looked at fuzzing NFC tags, going as far as developing a Python library and framework for testing older devices. He recently updated that software to target Android devices: it lets him present crafted NFC tags to a phone and monitor the results, so he can programmatically feed malformed tags to Android’s NFC library and capture any crashes or code-execution opportunities.

Collin Mulliner’s NFC library can be used in fuzzing Android phones. This is very useful for discovering new vulnerabilities.
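The kind of structure-aware tag mutation such a fuzzer produces, as an added example in Python. This is not Mulliner’s framework or any code from the original post; it encodes a valid NDEF URI record, derives mutants that each break one header invariant (length fields, the short-record flag, the chunk flag), and feeds them to a deliberately strict parser that stands in for the phone’s NFC stack. The record layout follows the NFC Forum NDEF format; the URI prefix table is a subset and the mutation list is the author’s own choice.

```python
import struct

# NDEF record header flag bits and the TNF value for NFC Forum well-known types.
NDEF_MB, NDEF_ME, NDEF_CF, NDEF_SR, NDEF_IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01
# Subset of the URI record prefix table (identifier code -> abbreviated prefix).
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}


def encode_uri_record(uri):
    """Encode a well-formed single-record NDEF message holding a URI ('U') record."""
    for code, prefix in sorted(URI_PREFIX.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            payload = bytes([code]) + uri[len(prefix):].encode()
            break
    else:
        payload = b"\x00" + uri.encode()          # identifier 0x00: no abbreviation
    header = NDEF_MB | NDEF_ME | NDEF_SR | TNF_WELL_KNOWN
    return bytes([header, 1, len(payload)]) + b"U" + payload


def decode_uri(payload):
    return URI_PREFIX.get(payload[0], "") + payload[1:].decode()


def parse_ndef(buf):
    """Strict parser for a one-record message: returns (tnf, type, payload) or raises ValueError.
    Every length field is checked against the real buffer size, which is exactly the
    invariant a vulnerable stack tends to skip."""
    if len(buf) < 3:
        raise ValueError("message too short")
    hdr, type_len = buf[0], buf[1]
    if not (hdr & NDEF_MB) or not (hdr & NDEF_ME):
        raise ValueError("single record must have MB and ME set")
    if hdr & NDEF_CF:
        raise ValueError("chunked record with no continuation")
    pos = 2
    if hdr & NDEF_SR:
        payload_len, pos = buf[pos], pos + 1
    else:
        if len(buf) < pos + 4:
            raise ValueError("truncated 4-byte payload length")
        payload_len = struct.unpack(">I", buf[pos:pos + 4])[0]
        pos += 4
    id_len = 0
    if hdr & NDEF_IL:
        if len(buf) < pos + 1:
            raise ValueError("truncated id length")
        id_len, pos = buf[pos], pos + 1
    end = pos + type_len + id_len + payload_len
    if end != len(buf):
        raise ValueError(f"length fields claim {end} bytes, buffer has {len(buf)}")
    rtype = buf[pos:pos + type_len]
    payload = buf[pos + type_len + id_len:end]
    return hdr & 0x07, rtype, payload


def mutants(record):
    """Structure-aware mutations of a valid record, each breaking one header invariant."""
    hdr = record[0]
    yield "payload_len_inflated", record[:2] + b"\xff" + record[3:]
    yield "sr_flag_cleared", bytes([hdr & ~NDEF_SR]) + record[1:]   # length now read as 4 bytes
    yield "type_len_inflated", record[:1] + b"\x7f" + record[2:]
    yield "truncated_after_header", record[:3]
    yield "chunk_flag_set", bytes([hdr | NDEF_CF]) + record[1:]
    yield "id_len_flag_without_id", bytes([hdr | NDEF_IL]) + record[1:]


def fuzz(uri):
    """Feed every mutant to the parser; returns {mutant name: outcome}."""
    results = {}
    for name, blob in mutants(encode_uri_record(uri)):
        try:
            parse_ndef(blob)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in fuzz("http://www.example.com").items():
        print(f"{name:28s} {outcome}")
```

Against a real device the same mutants would be written to a tag or emulated to the handset, and the interesting outcome is not a clean ValueError but a crash or hang in the NFC service; the strict parser here only shows which invariant each mutant violates.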

The Samsung Galaxy SIII goes on sale in North America and worldwide within the first two weeks of July. An attacker wishing to target the device can buy one easily, use Mulliner’s research to find vulnerabilities, and eventually develop exploits to steal a victim’s credit card. The large number of contactless readers at the Olympics will give a successful attacker plenty of places to spend stolen credentials. The Games will also provide a concentrated pool of targets (people and phones), especially if everyone is busy watching who wins the medals rather than keeping track of his or her phone.

Spamdroid: Stock, Financial, and Pharmaceutical Spam Appears to Come from Android Devices

Co-contributor: Paul Thomas

Over the last few days, we have seen reports of an Android botnet hijacking mail clients on Android devices and sending spam promoting stocks, finance, and pharmaceuticals. While an Android botnet is a possible culprit, other scenarios are more likely—such as spam originating from compromised computers.

To begin, here is a sample of a spam email sent on July 3:

Sample subject lines may appear as:

  • Wall Street SHOCK ahead!
  • Leading Edge Market Analysis
  • RE RE: Controlled Prescriptions
  • Special Situation Report
  • Fwd: Ground Breaking News Report

Two indicators suggest these spam messages originate from a hijacked Android mail client:

  • Message includes the string "androidMobile" in the Message-ID field
  • Message uses the "Sent from Yahoo! Mail on Android" email signature

Note: The preceding Yahoo signature is used by default when sending any mail using the Yahoo! Mail for Android application.

So, while we have yet to confirm the true source of these messages, they do not appear to originate from a malicious Android application sending mail through Yahoo accounts on Android devices, for three reasons.

First, without a local exploit and specially crafted hijacking code, an application that tries to send mail through the default Android mail client cannot do so silently in the background: at most, the client displays the composed message and requires the user to send it. Moreover, these mails do not appear to come from the default mail client at all, but specifically from the Yahoo! Mail for Android application.

Second, the accounts being used do not actually appear to be legitimate email accounts. Rather, the accounts appear to be specifically created to send this spam and they all share a similar pattern: Firstname Lastname, two lowercase characters, and two numeric digits. The following are example email addresses:

And finally, the vast majority of originating IPs for this spam do not appear to belong to mobile networks; some of them had already been seen sending spam that carried no mobile indicators. IP addresses are inconclusive on their own, however: they are recycled, and a phone behind a wireless access point (WAP) presents the access point’s address rather than a carrier’s.

Currently, there are a few theories as to how this spam is being generated:

  1. The spammers are using the same Web services used by the Yahoo! Mail for Android application. The spam in this case likely originates through compromised computers owned by the spammers, but could also originate through a malicious Android application. We have confirmed the ability to send mail through the Web services from a PC.
  2. A malicious application has somehow hijacked the actual Yahoo! Mail for Android application. Emails are being addressed and sent automatically in the background, without user knowledge. This scenario would require a design flaw in the application. We are examining the application, but have not found any such flaw at this time.
  3. The spammers are spoofing the message header fields.

The first theory is the most likely, but whichever tactic is used, the spammers undoubtedly have the same goal: to evade spam filters.
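How the two indicators above, plus the account-naming pattern, can be scored on a message, and why they prove nothing on their own (theory 3), as an added example in Python. This is not Symantec’s detection logic or any code from the post. The "androidMobile" Message-ID substring and the "Sent from Yahoo! Mail on Android" signature come from the post; the regex for the throwaway-account pattern is a hypothetical rendering of "Firstname Lastname, two lowercase characters, two digits" as a local part such as johnsmithab12, since the post lists no addresses; the Message-ID shape in the spoofed message and the control message are constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# The two indicators cited in the post. Both are written by the sending client,
# so both are entirely under the sender's control.
ANDROID_MSGID_MARKER = "androidMobile"
YAHOO_ANDROID_SIG = "Sent from Yahoo! Mail on Android"

# Hypothetical rendering of the "Firstname Lastname + two lowercase letters + two digits"
# account pattern as a local part (e.g. johnsmithab12); the post gives no real addresses.
THROWAWAY_LOCALPART = re.compile(r"^[a-z]{4,}[a-z]{2}[0-9]{2}$")


def android_indicators(raw):
    """Evaluate the three indicators on one RFC 822 message (single-part text)."""
    msg = message_from_string(raw)
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return {
        "android_message_id": ANDROID_MSGID_MARKER in msg.get("Message-ID", ""),
        "yahoo_android_signature": YAHOO_ANDROID_SIG in body,
        "throwaway_account": bool(THROWAWAY_LOCALPART.match(local_part)),
    }


def indicator_count(raw):
    """Number of indicators present; 3 means the mail *looks* like Yahoo! Mail on Android."""
    return sum(android_indicators(raw).values())


def build_spoofed_message(local_part, domain="yahoo.com", subject="Wall Street SHOCK ahead!"):
    """Build, on any PC, a message that satisfies all three indicators.
    Only the androidMobile substring matters to the check; the rest of the
    Message-ID below is made up for the example."""
    msg = EmailMessage()
    msg["From"] = f"{local_part}@{domain}"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg["Message-ID"] = "<1341300000.4242.androidMobile@web.example.com>"
    msg.set_content("Special Situation Report inside.\n\n" + YAHOO_ANDROID_SIG + "\n")
    return msg.as_string()


# Constructed control message carrying none of the indicators.
LEGIT_SAMPLE = """\
From: Alice Example <alice.example@example.org>
To: bob@example.com
Subject: Lunch tomorrow?
Message-ID: <20120703120000.GA1234@mail.example.org>
Content-Type: text/plain; charset="utf-8"

Still on for noon?
"""


if __name__ == "__main__":
    spoofed = build_spoofed_message("johnsmithab12")
    print("spoofed from a PC:", android_indicators(spoofed))
    print("ordinary mail:    ", android_indicators(LEGIT_SAMPLE))
```

A three-out-of-three score is therefore only a hint about which client the sender wants you to believe was used; the originating IP and, better, the sending path recorded in the Received headers are what actually discriminate a handset from a spam bot on a PC.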

Symantec has seen an uptick in this type of spam since May 2012 and has rules in place to prevent it from hitting your inbox. We will monitor this situation closely for any developments and attempt to determine the true origin of this spam.

Monkif Botnet Hides Commands in JPEGs

With new threats arriving daily that employ unique and complex capabilities, it is surprising to find a bot still using a control server that was active in 2009. Malware authors generally keep changing their control servers, especially after reports about them surface, but not in this case. The server, at IP address 88.80.7.152, sits on a network belonging to prq.se, a Swedish Internet service provider.

Here is a quote from their English website:

Refugee hosting
Our boundless commitment to free speech has been tested and proven over and over again. If it is legal in Sweden, we will host it, and will keep it up regardless of any pressure to take it down. We have ZERO tolerance against SPAM and related services!

This botnet is Monkif, which uses stealth techniques to hide its commands. It receives download URLs encrypted in JPEG files to avoid detection by network intrusion prevention systems. We have also found some samples that use SSL communications to download other threats.

The site http://www.ableads.net is hosted on the same network, at IP address 88.80.5.123.

Figure 1. GET request with control server.

Figure 2. SSL communication with control server.

Figure 3. SSL certificate.

The bot installs itself as a plug-in or browser helper object. Before executing, it enumerates all running processes and compares their names, and their parent process names, against a list of antivirus and firewall programs in order to avoid detection. That list is stored encrypted in the binary, with the algorithm varying from sample to sample.

To further evade detection, Monkif requests randomly named scripts with encoded query parameters, for example:

GET /photo/lfzt.php?rzj=51<75=26x644646x4x4x4x524x7x0x6x5x5772=716x5772=70<x

GET /babynot/pzj.php?dnr=722576<x644420x4x4x4x0x

GET /sodoma/xcgyscm.php?gquo=<<<6<4x644475x4x4

GET /karaq/mueoyisc.php?wgau=127=27x64446<x4x4x4x53

The response to these requests is an image file. Monkif compares the first 32 bytes of the response with a 32-byte JPEG header embedded in the sample, and if they match it decodes the remaining bytes, which yield the URL of a malicious file to download.

Figure 4. The control server responds with an image file.

The decryption follows:

Figure 4b. Decrypting the JPEG to reveal the URL for a malicious download.

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9`<5a2<6ge<a323b5gf5b4=610fb=gga4"bm`9560"591595907|200041|0|0|0|0

(Decoded) http://88.80.7.152/d/dl.php?fl=d81e682ca8e767f1cb1f09254bf9cce0&fid=124&1=51=1=43x644405x4x4x4x4

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9faf<<``6g`eefb0`63=64143`g6=b<<5"bm`9560"591753617|200042|0|0|0|0

(Decoded) http://88.80.7.152/d/dl.php?fl=beb88dd2cdaabf4d27920507dc29f881&fid=124&1=5317253x644406x4x4x4x4

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9b3`5a<0423ag11`=a14b4`=5f<520e25"bm`9561"591925694|200044|0|0|0|0

(Decoded) http://88.80.7.152/d/dl.php?fl=f7d1e84067ec55d9e50f0d91b8164a61&fid=125&1=5=612=0x644400x4x4x4x4

Following the decoded URL, Monkif downloads another executable. At present we see the botnet fetching adware, but it could just as easily deliver more complex threats.

Figure 5. Downloading another malicious file.
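To make the decoding concrete, here is an added example in Python that reproduces the scheme. It is not Monkif’s code and not McAfee’s tooling. The single-byte XOR key 0x04 is inferred from the three encoded/decoded pairs above (for instance "l" XOR 0x04 is "h", ">" XOR 0x04 is ":", and "+" XOR 0x04 is "/"); the 32-byte JPEG header is a constructed stand-in, since the real header bytes are not shown; build_response is a test-side reconstruction of what the server sends; and find_xor_key is a defender’s helper for triaging suspicious "image" responses, not something the bot does.

```python
# Single-byte XOR key inferred from the encoded/decoded pairs on the page.
XOR_KEY = 0x04
HEADER_LEN = 32

# Constructed stand-in for the 32-byte header embedded in the sample: a JFIF
# SOI/APP0 prefix followed by zero padding. The real bytes are not on the page.
FAKE_JPEG_HEADER = bytes.fromhex("ffd8ffe000104a46494600010100000100010000") + b"\x00" * 12

# The page's own samples, with the quote characters mangled by the web page restored to ASCII.
PAGE_SAMPLES = (
    ('lppt>++<<*<4*3*516+`+`h*tlt;bh9`<5a2<6ge<a323b5gf5b4=610fb=gga4"bm`9560"591595907|200041|0|0|0|0',
     'http://88.80.7.152/d/dl.php?fl=d81e682ca8e767f1cb1f09254bf9cce0&fid=124&1=51=1=43x644405x4x4x4x4'),
    ('lppt>++<<*<4*3*516+`+`h*tlt;bh9faf<<``6g`eefb0`63=64143`g6=b<<5"bm`9560"591753617|200042|0|0|0|0',
     'http://88.80.7.152/d/dl.php?fl=beb88dd2cdaabf4d27920507dc29f881&fid=124&1=5317253x644406x4x4x4x4'),
    ('lppt>++<<*<4*3*516+`+`h*tlt;bh9b3`5a<0423ag11`=a14b4`=5f<520e25"bm`9561"591925694|200044|0|0|0|0',
     'http://88.80.7.152/d/dl.php?fl=f7d1e84067ec55d9e50f0d91b8164a61&fid=125&1=5=612=0x644400x4x4x4x4'),
)


def xor_bytes(data, key=XOR_KEY):
    return bytes(b ^ key for b in data)


def decode_monkif_url(encoded):
    """Bot side: XOR every byte of the post-header data with 0x04 to recover the URL."""
    return xor_bytes(encoded).decode("ascii")


def extract_url(response, expected_header=FAKE_JPEG_HEADER):
    """Mimic the bot's check: accept the 'image' only if its first 32 bytes equal the embedded header."""
    if len(response) <= HEADER_LEN or response[:HEADER_LEN] != expected_header:
        return None
    return decode_monkif_url(response[HEADER_LEN:])


def build_response(url, header=FAKE_JPEG_HEADER):
    """Server side of the scheme, reconstructed for testing: header + XOR-encoded URL."""
    return header + xor_bytes(url.encode("ascii"))


def find_xor_key(blob, marker=b"http://"):
    """Defender's helper: recover a single-byte XOR key by looking for a URL scheme
    at the start of the decoded data. Returns None if no key produces the marker."""
    for key in range(1, 256):
        if xor_bytes(blob[:len(marker)], key) == marker:
            return key
    return None


if __name__ == "__main__":
    for encoded, expected in PAGE_SAMPLES:
        decoded = decode_monkif_url(encoded.encode("ascii"))
        print("key", find_xor_key(encoded.encode("ascii")), decoded == expected, decoded)
```

Because the header comparison is a straight byte match, a capture of one response gives a defender the exact 32-byte prefix to alert on, and the XOR key falls out of the first seven bytes after it.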

 

McAfee customers are protected by signature 0x48807500.

Secretly Monitor Cop Stops With New ACLU App

The American Civil Liberties Union of New Jersey is unveiling an Android app allowing citizens to secretly record audio and video of police stops, and have the footage sent to the group’s servers for review.

“This app provides an essential tool for police accountability,” ACLU-NJ Executive Director Deborah Jacobs said in a statement. “Too often incidents of serious misconduct go unreported because citizens don’t feel that they will be believed. Here, the technology empowers citizens to place a check on police power directly.”

The Police Tape app is among a growing number of apps aimed at empowering citizens in their encounters with police activity. The New York chapter of the ACLU released a similar app last month, and others enable protesters to notify family, friends and attorneys if they’ve been arrested.

Its development comes two weeks after the death of Rodney King, whose 1991 videotaped beating at the hands of Los Angeles police seemingly ushered in a new role for the citizen watchdog. Two decades later, a wide swath of the public is armed with tiny recording devices, their mobile phones, and the ACLU is seeking to make it as easy as ever to capture the authorities on video or audio, though police officers never seem to be fans of the practice.

The latest app allows users to press a button on their Android device and it will secretly record video or audio, although the phone won’t look like it’s in recording mode. The recordings can be uploaded to the New Jersey affiliate’s servers, or simply stored on the phone in a non-obvious file system location.

The iPhone version is awaiting approval from Apple.

Alex Shalom, policy counsel for the New Jersey affiliate, said in a telephone interview that though the app is intended for residents of the Garden State, if the group believes somebody outside of New Jersey’s rights were violated, the group would send the footage to the appropriate ACLU affiliate for review.

“We think taping police is a good accountability tool,” he said. “We’re bringing it into the 21st Century.”

At least in this case, the feds don’t disagree with the ACLU. In May, the Justice Department said the public had a constitutional right to record the police in public.