FireEye

Porn app for Android takes pictures of users, holds them for $500 ransom

BBC News reports that security firm Zscaler recently discovered an app for Android which advertised itself as a way to access pornography, but which actually blackmailed its users for money:

Adult Player appeared to offer pornography, but secretly took pictures of users with the phone’s front-facing camera.

It then locked the user’s device and displayed a demand for $500 (£330) which was difficult to bypass.

Ransomware is the name given to malicious software which gains access to a computer, desktop or otherwise, and then threatens to wipe the device or release private information gathered from it if the owner doesn’t send the demanded amount of money. For its report, the BBC quotes Intel Security as saying examples of this software appearing in the wild have increased 127% since 2014. “Apps like this rely on the embarrassment factor. If you don’t pay, your reputation is on the line,” said Raj Samani, chief technology officer for Intel Security.

One very important line in this story is somewhat buried, however:

The app was not available from vetted storefronts such as Google Play, but could be installed directly from a webpage.

What this means is that for someone to actually install this ransomware on their Android device, they’d have to intentionally bypass the security measures put in place specifically to prevent nightmares like this one from occurring. And it’s clear from descriptions of the app that its misbehaviors, like locking the device and constantly displaying messages across the system, would be blatant enough to trip Google’s Bouncer anti-malware screening:

Zscaler said the app’s ransom message kept the phone’s screen switched on at all times, and reappeared if the handset was restarted.

Samani’s advice for steering clear of software like Adult Player is the same thing we heard during the desktop era:

Only download apps from the proper Google Play store. And if you receive an app download link in an email, don’t click it.

When it comes to software-based technology, attackers will always be digging for new exploits, which means we consumers will always be on the defensive. This is another case, however, where the solution is simple: download your apps and files from reputable providers, and if you need to download a new app store altogether, like Amazon’s, grab it straight from their official HTTPS-secured website.

HTC One Max fingerprint sensor data left unsecured for apps to see

A report from FireEye Labs (a security firm) reveals that some smartphones with fingerprint sensors aren’t as secure as we’d like them to be. The one device named specifically was the HTC One Max, which was supposed to store fingerprint data in a secure enclave that no one could get to. Turns out that wasn’t the case: any app could potentially have gained access to the fingerprint data and even recreated a bitmap image of the stored fingerprints. Thankfully, HTC fixed the gaping hole “in all regions” before the report went public.

FireEye shared images they managed to gain access to inside the HTC One Max, and cropped them to protect the identity of the owners. What you see to the left is just a small portion of someone’s fingerprint, data obtained through the One Max’s supposedly ‘secure’ enclave. If there’s one small comfort to be taken from this, it’s that the HTC One Max isn’t the most popular phone around, and by now, it’s also relatively old. What’s more, HTC told The Verge that the flaw was only present in the HTC One Max, and doesn’t affect any of its other phones or devices.

While the One Max is the only device specifically named in the vulnerability report, the company does suggest devices from other manufacturers suffer(ed) from the same issue. What’s more, another issue present in a number of devices was a vulnerability which could potentially allow any app to interrupt the fingerprint scanning process while a user was using the sensor. If taken advantage of, this would give software the ability to take fingerprint data as it’s being read, in real time.

All devices mentioned (including the Galaxy S5), and others hinted at, have been locked down since the vulnerability was discovered. When it comes to fingerprint data, we like to think that the information is being treated with paramount focus. Once someone gets your fingerprint data, there’s not a lot you can do about it. You can’t change it like a PIN, password or pattern.