Critical app flaw bypasses screen lock on up to 100 million Android phones

A critical flaw in an Android app downloaded as many as 100 million times allows attackers to take full control of handsets even when they're protected by screen locks.

The vulnerability in the Skype rival known as Viber affects Android smartphone brands such as Samsung, Sony, and HTC, according to a blog post published Tuesday by Bkav Internet Security. Although attack techniques differ from model to model, they all exploit programming logic in the way Viber handles popup messages, researchers with the company wrote.

A spokesman for Viber Media, maker of the affected app, said company officials learned of the vulnerability on Wednesday and plan to release a fix next week.


Phishers Campaign for More Votes Against Syrian Regime

Contributor: Avdhoot Patil

Phishers are not letting go of the chaos in Syria. They are using a common phishing template and modifying the messages. In March, phishers mimicked the same website of an organization in the Arab Gulf States observed in a previous phishing site. But instead of promoting the Syrian opposition, phishers impersonated the UN in a scheme meant to show support for the people of Syria. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, in the United States.

Just recently, phishers have tried to entice users by condemning the Syrian regime. Now, they are citing the Syrian President, Bashar al-Assad, in particular. The phishing site we observed contained a message in Arabic that asked users if they agreed with condemnation of the Syrian President as a war criminal. The message gave options for users to agree or disagree. The phishing page also notified users that the voting could only be done once.


Figure 1. Vote to support condemnation of President Bashar Al Assad

After the option to agree was selected, the resulting page prompted users to choose from four different email service providers in order to cast their vote and have it count.


Figure 2. Choose email service provider to cast vote

After any of the four brands was selected, users were then redirected to a phishing page spoofing the login of the email service provider. If user login credentials were entered, the phishing page then redirected to an acknowledgment page stating the voting process was successful and the results would be announced by April 5, 2013. Unfortunately, if users fell victim to these phishing sites, phishers would have successfully stolen their information for identity theft.


Figure 3. Vote acknowledgement page

Users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security, which protects you from online phishing) frequently

Java Exploit CVE-2013-2423 Coverage

Java vulnerabilities have always been popular among cybercriminals (exploit kit authors): since they can work across multiple browsers and even multiple operating systems, the potential for infecting large numbers of users is very high.

On April 16, Oracle released its Java Critical Patch Update (CPU) for April 2013 that addressed vulnerabilities found in numerous supported products. Interestingly, one of the vulnerabilities, CVE-2013-2423, was publicly disclosed the following day and this was closely followed by a Metasploit proof of concept on April 20.

It didn’t take long for exploit kit authors to adopt this openly available vulnerability. We are currently seeing cases of Cool EK using this new Java vulnerability and we expect this exploit to be rolled out to other exploit kits.

The following Intrusion Prevention Signatures (IPS) are in place to block attacks using this exploit through the Cool EK exploit kit:

Symantec detects the malicious files as Trojan.Maljava using our antivirus protection technology.

Symantec recommends users apply the critical Java patch released by Oracle as this vulnerability is now seen as a high priority. As listed above, Symantec has released new IPS signatures for proactive detection so we also recommend updating your Symantec security product with the latest security components. Please be aware of malware that masquerades as software updates and patches and only download the patch from the official website.