The latest threats report from McAfee Labs, published today, includes a sobering discussion about ongoing vulnerabilities in mobile apps; details about a powerful, easy-to-use, and now very popular exploit kit; and an overview of the challenging world of potentially unwanted programs (PUPs). The report also includes our regular serving of threats statistics.
Mobile apps exposed to SSL/TLS vulnerabilities
An average person has 27 apps on his or her smartphone and uses them more than 30 hours a month. Many of these mobile apps attempt to securely connect to their companion websites. Unfortunately, the cryptographic implementation on thousands of mobile apps is vulnerable to exploitation, and many of them have not been fixed. With Mobile World Congress coming up on March 2, mobile security is an important topic.
McAfee Labs tested the top 25 downloaded mobile apps that were identified as vulnerable by CERT in September 2014; when we tested them in January this year, we found that 18 still have the same vulnerabilities. We were able to intercept usernames and passwords sent between the apps and their associated websites. Some of these apps log into their own hosts, so users with distinct passwords are exposing only information passed between the mobile app and the website. However, others use third-party services such as Facebook, Instagram, and Microsoft OneDrive, potentially giving attackers access to users’ private information on other websites.
These mobile app vulnerabilities are the result of poor programming practices related to the establishment of Secure Sockets Layer (SSL) connections. Mobile app developers can take advantage of online documentation on SSL vulnerabilities, including sound guidance from CERT and Google’s Android team. Open-source tools such as Nogotofail can also be used to find and fix weak SSL connections and inappropriate cleartext traffic.
And users? Employing unique passwords and logon credentials will contain exposure to at least a single app or service. Think about whether the convenience of using social network credentials for other apps justifies the risk. Is it even worth logging in? What additional benefits are received beyond those of a “guest” user? Before installing a new app (or continuing to use a current one), do a quick web search to see what others are saying about it.
The powerful Angler exploit kit
In 2013, the creator of the popular Blacole exploit kit was arrested. By mid-2014, a new exploit kit, Angler, seems to have taken Blacole’s place as one of the most popular criminal tools. This exploit kit is simple to use and confers hacking powers on anyone who downloads it. During the past year, Angler has added new tricks, including fileless infection, awareness of virtual machines to evade sandboxing, and other security defenses. Angler can deliver many payloads, from rootkits to ransomware, and it is the first kit to exploit a vulnerability in Microsoft Silverlight. Key defenses against Angler include frequent or automatic installation of Windows updates and other software patches, enabling antivirus scanning on all attachments, and using a browser plug-in to block script execution.
Potentially unwanted programs
Malware headlines are usually focused on data theft or unauthorized access, but there is another type of high-risk program that generates more than 90% of the daily hits detected by our telemetry: potentially unwanted programs (PUPs). These programs, often adware, do not steal user data but instead hijack information flow to serve specific ads. Because their actions are not overly malicious, they are difficult to classify and often piggyback on legitimate software installations such as browser extensions and toolbars. McAfee Labs analyzes PUPs for unwanted behavior and then classifies them so that you can easily block them.
For more information on these and other topics, read the February 2015 Threats Report from Intel Security.
The post Threats Report From McAfee Labs Highlights Mobile Apps Vulnerabilities appeared first on McAfee.