Security of Java takes a dangerous turn for the worse, experts say

The security of Oracle's Java software framework, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits, security researchers said.

The most visible sign of deterioration is in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7 and using the insights to craft exploits for the older version. Because Java 6 is no longer supported, those same flaws will never be fixed.

"This is a large pool of vulnerable users who will never be protected with security fixes and so [they're] viable targets for attack," Budd said.
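The article's point is that a Java 6 install will never receive fixes, so the practical defender's step is to find those installs. The following Python inventory check is an added example, not code from the article or from Trend Micro: it parses the banner that `java -version` writes to stderr (real format, e.g. `java version "1.6.0_45"`) and flags the major versions the article identifies as unsupported. The sample banners are constructed, and treating only Java 6 as end-of-life is an assumption taken from the article's text.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Per the article, Oracle stopped supporting Java 6 in February 2013
# (assumption: this is the only major version we treat as end-of-life here).
UNSUPPORTED_MAJORS = {6}

# Matches both Oracle ("java version") and OpenJDK ("openjdk version") banners.
VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


class JavaVersion(NamedTuple):
    major: int   # 6, 7, 8, 11, ...
    update: int  # the _NN update number, 0 if absent


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Extract (major, update) from `java -version` output; None if unparseable.

    Handles the legacy 1.N.0_UU scheme (Java 6/7/8) and the N.x.y scheme (Java 9+).
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    core, _, update = m.group(1).partition("_")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    if not nums:
        return None
    # "1.6.0_45" -> major 6; "11.0.2" -> major 11
    major = nums[1] if nums[0] == 1 and len(nums) > 1 else nums[0]
    upd_match = re.match(r"\d+", update)
    return JavaVersion(major, int(upd_match.group(0)) if upd_match else 0)


def is_unsupported(version: JavaVersion) -> bool:
    """True if this major version no longer receives security patches."""
    return version.major in UNSUPPORTED_MAJORS


def classify(banner: str) -> str:
    """Return 'unsupported', 'supported' or 'unknown' for a version banner."""
    v = parse_java_version(banner)
    if v is None:
        return "unknown"
    return "unsupported" if is_unsupported(v) else "supported"


def check_local_java() -> str:
    """Run `java -version` on this host and classify the result.

    The banner goes to stderr, so both streams are combined before parsing.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"  # no java binary on PATH
    return classify(proc.stderr + proc.stdout)


# Constructed sample banners (not from the article) for offline testing.
SAMPLE_BANNERS = {
    "legacy_oracle_6": 'java version "1.6.0_45"\n'
                       'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)\n',
    "oracle_7": 'java version "1.7.0_40"\n'
                'Java(TM) SE Runtime Environment (build 1.7.0_40-b43)\n',
    "openjdk_11": 'openjdk version "11.0.2" 2019-01-15\n',
    "missing": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:16s} -> {classify(banner)}")
    print(f"{'this host':16s} -> {check_local_java()}")
```

In a fleet, the same `classify` function can be fed the output collected by whatever inventory agent you already run; the parsing is the only part that depends on the Java banner format.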



Fingerprints as passwords: New iPhone Touch ID gets mixed security verdict (Updated)

Of all the new features of Apple's new iPhone 5S, few have drawn more attention than the built-in fingerprint scanner known as Touch ID. Apple billed it as an "innovative way to simply and securely unlock your phone with just the touch of a finger." More breathless accounts were calling it a potential "death knell for passwords" or using similarly overblown phrases.

Until the new phones are in the hands of skilled hackers and security consultants, we won't know for sure if Touch ID represents a step forward from the security and privacy offered by today's iPhones. I spent several hours parsing the limited number of details provided by Apple and speaking to software and security engineers. I found evidence both supporting and undermining the case that the fingerprint readers are an improvement. The thoughts that follow aren't intended to be a final verdict—the proof won't be delivered until we see how the feature works in the real world.

The pros

I'll start with the encouraging evidence. Apple said Touch ID is powered by a laser-cut sapphire crystal and a capacitive touch sensor that is able to take a high-resolution image based on the sub-epidermal layers of a user's skin. While not definitive, this detail suggests Apple engineers may have designed a system that is not susceptible to casual attacks. If the scans probe deeply enough, for instance, Touch ID probably wouldn't be tricked by the type of clones that are generated from smudges pulled off a doorknob or computer monitor. In 2008, hackers demonstrated just how easy it was to create such clones when they published more than 4,000 pieces of plastic film containing the fingerprint of a German politician who supported the mandatory collection of citizens' unique physical characteristics. By slipping the foil over their own fingers, critics were able to mimic then-Interior Minister Wolfgang Schäuble's fingerprint when touching certain types of biometric readers.



Android Ransomware Predictions Hold True

Contributor: Lionel Payet

Back in June we discovered a malicious Android application that was holding users' Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as mobile devices.


As part of our pre-emptive SMS spam domain identification, we have detected a recently registered domain that is currently serving a new Android FakeAV app using ransomware social engineering. Different hints led us to believe that this application is linked to, or comes from, the same authors behind Android.Fakedefender, which we blogged about back in June. Despite using a new design and a different ransom payment method, this new variant still contains the older images in its package file. Both versions mainly target Russian users.

Although we have not confirmed the infection vector of this variant, we suspect spam messages containing a link to the malicious domain are used.


Figure 1. Recently registered domain serves malicious Android app

The author behind this malicious application also provides instructions that help users install Android apps from unknown or third-party sources.

Symantec detects this malicious app as Android.Fakedefender.B. It has been impersonating the official application of an adult video website, and a user who falls prey to the social engineering and installs the app will end up locked out of their Android device.

Once installed, a warning message prompts users to run an antivirus scan before entering the full application.

The previous version of this malware impersonated the Android Defender app. In this version, the malware impersonates the Avast antivirus brand. As soon as the antivirus scan finishes, it tricks the user into believing their device is infected by different threats and viruses and informs them their device is locked for protection.

In this variant, the ransom payment method the authors use is MoneyPak ($100 USD to unlock the device), compared to the previous version, where the malware authors were asking for the user's credit card number in exchange for unlocking their phones. Web money is a popular payment method used by FakeAV and ransomware threats on the Windows platform and has been for many years now. Paying through one of these Web payment companies would perhaps appear more legitimate and secure to affected users than directly handing over their credit card details.


Figure 2. Fake AV app

Since FakeAV and ransomware on Windows systems have been successful for many years, continuing to evolve with new techniques and designs, we have been expecting Android mobile malware to evolve in the same way and come up with new tricks in order to entice users into paying ransoms.

At this time, Android.FakeDefender.B is not incorporating any exploits in an attempt to stop victims from removing the infection. We have previously seen other Android malware, such as Android.Obad, using exploits to surreptitiously extend device administrator privileges, making malware removal difficult. The authors of Android.FakeDefender.B are relying on social engineering and simple tricks, such as continuous pop-ups, in attempts to extort money from their victims. Anyone infected with Android.FakeDefender.B can manually uninstall the software through Application Manager on their Android device.

To avoid being initially infected, Symantec recommends all users install a mobile security app, such as Norton Mobile Security or Symantec Mobile Security. Malicious apps can also be avoided by only downloading and installing apps from trusted app markets. For general smartphone and tablet safety tips, please visit our Mobile Security website.