SmartID and SealSign on Mobile World Congress 2015

Florence Broderick    23 February, 2015
In this increasingly digital world, where users’ identity and privacy are exposed to continuous threats, from Telefónica and ElevenPaths have created a secure digital ecosystem which allows users to keep control of their personal data, preserve their digital identity and safeguard their privacy.

As already announced, we have incorporated in our identity and privacy solutions, SmartID, what is known as “strong authentication”, based on biometry, and, SealSign, as robust digital signature technology which prevents possible identity theft and opens up more ways to safely digitise business processes such as legal and commercial documents.

Both solutions will be on display at the Telefónica stand at the Mobile World Congress 2015 (MWC15), to be held from 2 to 5 March in Barcelona.

Currently, many of the security breaches we see involve an attack on people’s identities, so dealing with this is one of the most complex, but important, issues faced today. The reduction of fraud and problems related to identity theft must be a priority for individuals and companies in order to retain confidence in digital services and applications. Through these two new ElevenPaths solutions we are in a strong position to help provide this much needed protection as well as opening up new ways of working and accessing digital services.

1. SmartID is a solution which allows for more secure user authentication when accessing applications and physical equipment, by combining different elements such as smart cards, RFID/NFC devices and biometric fingerprint recognition.
SmartID essentially combines something you are (such as your fingerprint, face and voice recognition); something you have, such as your eID or your mobile phone, and finally, something you know, such as your user name, password or PIN to provide more complete identity protection and verification. Through a combination of these factors, identity theft in the authentication process is dramatically minimised in scenarios like accessing an e-commerce website, logging into your personal or work email account or when passing through security control at an airport. SmartID can also be integrated with Latch, the ElevenPaths “digital padlock” service which minimises the exposure time of personal data, therefore further reducing the risk of cyber-attacks and identity theft.

This solution is compatible with the new Spanish electronic ID, DNIe 3.0, which allows for secure identification and replaces common passwords with multi-credential systems which combine at least two factors to establish the user’s digital identity. By using SmartID Spanish companies can implement security solutions based on the new identity card quickly and easily, reducing fraud and identity theft.

2. SealSign is an electronic document-signing platform for companies, compatible with digital certificates, biometric systems, One-time Password (OTP) systems and the long-term storage of signed documents. This service offers a solution based on behavioural biometry, such as a user’s voice or signature. Biometric recognition coupled with electronic signatures allows user payments, among other things, to be protected, permits access to sensitive information to be safeguarded, and also enables electronic document signing in a safe way – saving businesses time and money.
To demonstrate the effectiveness of SealSign visitors will be challenged to forge the signature of a well-known personality showcasing the reliability and accuracy of the SealSign biometric signature solution.
Come to Hall Stand 3J2O and participate in our demos!

» Download press release in PDF

JSDialers: apps calling premium rate numbers (with new techniques) in Google Play

Florence Broderick    20 February, 2015
During last year, a lot of “made in Spain” malware was found in Google Play. It was basically malware that tried to silently subscribe the victim to premium SMS numbers. From a while now, the problem has vanished, and it was hard to find this kind of apps, at least in Google Play. In Eleven Paths we have found seven apps during these last weeks that use new techniques based in JavaScript, more dynamic and smart. They managed to upload fraudulent apps to Google Play. We have called them JSDialers. Let’s see how they work.

With Google Play more vigilant about SMS premium apps in their market, the attackers have tried some other techniques that avoids Java and focus in JavaScript received from the servers. Besides, they do not only subscribe to SMS premium services, but they make phone calls to premium rate numbers. Everything in a very smart way, because, for example, they try to mute the telephone and microphone during the phone calls, tries to hide the phone call itself from the screen… and take the whole code from the servers instead of embedding it.

What the user perceives

When the user downloads and installs any of these apps, something like this will be shown.

First views of the apps

These are the typical “terms and conditions” that probably nobody will read. Accepting them implies making the phone call in an automatic and transparent way for the user. The image “Aceptar” image shown, is taken from this jpg file:

hxxp://www.contentmobileapps.com/called/images/continuar_call_100.jpg

Whatever the user responds about the age, the device will show an animation (a GIF taken from here hxxp://www.contentmobileapps.com/called/images/loading.gif) while the actual phone call is done to a premium rate number.

GIF shown to the user while the phone call is done

It seems that, depending on the phone, a green bar may appear during a few seconds, but the developer tries to hide it.

The device making the call may be detected in the background

The attacker mutes the telephone and microphone so the user is unable to hear the message of the phone calling and the locution.

On the last line one can observe the attempt to mute the microphone and device volume

The victim will be subscribed to this service and will have to face the costs of premium rate calls. The user will now be able to browser the recipes, but the phone call has already been made.

The app is just some links to a web, but the phone call has been made

Once clicking on the “Help” button, the option to unsubscribe is given.

The app offers instructions on how to cancel the subscription


What happens and how does it work?

These apps depend strongly on the servers and work via Cordova plugin. It is a set of device APIs that allow a developer to access device functions via JavaScript… The permissions of the analyzed app are these, although they are not the same in all of them. Some of them lack of the SMS permissions.

Permissions in one of the apps. Some of them lack SMS permissions

The first thing the app does is executing a WebView with Cordova that shows an internal HTML.

The obfuscated domain starts the real communication with the server

A request like this is done: hxxp://highmas.com/alcalinas/home.php?movil=ffffffff-XXXX-ffff-ffffd6de17fd&version=16&modelo=GT-XXXX%20(goldenxx). The user will receive a welcome screen and will be asked for his/her age. Whatever is clicked, the app will go to the same function that gathers some information with a form. The value in CAPTCHA field is useless. It seems to belong to some discarded proofs.

Form sent to the server

A web redirect after the request, takes the user to a webpage where the country and carrier is checked.

The app checks the country and carrier via JavaScript

Once everything is checked, terms and conditions are shown. When accepted, the app calls”term_acept.asp”, which finally returns dynamically the premium rate number to be called.

The premium rate number is returned. The app will make an unnoticed phone call

With Cordova’s help and a dialler plugin, it finally makes an actual phone call.

Some other interesting info and more apps

The developers have found a way to get back to fraudulent activity with premium rate phone calls. Who is behind these apps? The domains being used and terms and conditions are very clear. We are investigating the developers and some other apps they have, and will try to offer a report soon.

With Path5, we could find similar apps. Some of them have already been removed, but not all of them. They are working on uploading fraudulent apps since early January.

Some examples of found apps

Some apps have mutated from apps related with cars (in Japanese), to porn. This is the preferred way to hide better in Google Play.

App that changed at some point

These are the applications, package names and hashes. Only one of these apps has been analyzed in Virustotal, and it was not detected by any engine so far.

  • Videos hd peliculas porno sexo, com.gepekline, 6f1c3a596920298873f1e38842f751991875e6d6
  • Peliculas videos sexo Porno hd,com.wheelpvies,34b2bba921e9b7d9c8242d31e2cc011908684d9a
  • Videos hd peliculas porno sexo ,com.spportss,ada71fc53f9aae5f84cc69814b58f65f1e273067
  • Canciones infantiles y videos, com.sursongsonline, 1fcce1b8effdcbdef54cc02675eefc5214fec67b
  • Peliculas videos porno sexo hd,com.escarsysview, 031490dd0b824c02be7d0fe728d67f998ef7c914
  • Cine estrenos peliculas online, com.filmsmeka, e856cd2d4a366abbb1df18c8bc53c7a35a6da535
  • Un millón de recetas de cocina, com.recippes, 194362c46b124161a5289d1d3c4c56f93b142044

With our database, we have been able to locate some other apps, and prove that the developers behind  them come from Valencia and have been working on these frauds for a few months now.

Fraudulent JSDialers in our data base

The whole document is available here:

Sergio de los Santos
@ssantosv
Juan Manuel Tirado
Miguel Ángel García

New Tool: JavaRuleSetter for creating Devployment Rule Sets in Java

Florence Broderick    16 February, 2015
Oracle introduced the notion of whitelisting in Java 7 update 40. It was called Deployment Rule Set. In Java update 51, it introduced a new feature, that was close to whitelisting as well, but very different. It was called Exception Site List. In this post, we are going to make clear the differences and introduce a new tool we have just developed, that may be seen like some kind of Java firewall. It is called JavaRuleSetter.

Deployment Rule Set

In the beginning, there was just the Deployment Rule Set to try to create white and black lists of Java applets executions. It was basically meant for administrators to block RIAs (Java applets and Java Web Start Applications, known collectively as Rich Internet Applications) by domain, certificates or name. This was great but quite difficult to implement. The steps to get this rule sets,were:

  • Create a ruleset in xml. You have to know the syntax… for example:
    <rule>
      <id location=”http://*.java.com” />
      <action permission=”run” version=”SECURE-1.7″ />
    </rule>
    <rule>
    <id />
      <action permission=”block”>
      <message>Bloqueado por las reglas del sistema</message>
    </action>
    </rule>
    </ruleset>

  • Compile it with Java (you would need the JDK).
  • Sign it with a trusted certificate of your own. If you do not have one,you have to create it
  • Copy it to a standard place in the system.

The result was that, when visiting a web page with an applet, this is the decision tree Java follows to run it or not. The rule may block it completely, or allow but only if digitally signed properly. The applet is run without prompts. If set to “default”, it goes to the exception lists decision tree.

When browser detects a RIA (applet or JWSA) it first goes through this decision system for Deployment Rule Sets

That was really hard for an administrator and even impossible to achieve for a standard user, so Java reacted creating the Exception Site List. But Rule Sets may very well be used by single users, not only administrators. This is one of the reasons we have just created this tool. To simplify creation of rules for advanced users, and, for creating the whole system for less savvy users (create a certificate, sign it, etc).

Exception Site List

This was created in January 2014 (just months after Deployment rules) for users. It does not require administrative privileges and it is all done via Java interface. It may be seen as a second way to whitelist, but not as powerful as Rule Sets, and as a first layer of defense for a single user.

In a nutshell, Exception Lists affect prompts. It will never make them disappear, but will never make an applet be blocked either, even if security is set to “high”. Exception Lists makes no difference if security level is set to medium. This diagram shows it:

Exception List flow

For creating an Exception List, just run javaclp.exe and add a domain. It will work one way or another depending on the Java security configuration.

How Exception Lists are configured in Java 7. I may differ a bit in Java 8

The file controlling the Exception Site List is stored in the user’s deployment location C:UsersusernameAppDataLocalLowSunJavaDeploymentsecurityexception.sites in Windows.

Rule Sets VS Exception Site Lists

So the main differences are:

Comparison between Exception Site List and Deployment Rule Set

Rule Sets allows to create a rule set and distribute to several computers. It wins over Exception Site Lists in case of conflict, and may be modified just by an administrator (not by the user). Another interesting thing is that Rule Sets works on a very early stage. If some day, security levels are defeated, exception site lists would be bypassed, but not the rule sets.

The whole picture

Java is complicated right now. This is the decision flow when executing and applet (or RIA, in general). This is the best way to understand how security has improved in just two years. The complete flow of Java applets executing or not depending on JRE version, Deployment Rules, Exception Lists, etc, is this. Deployment rules work on the second level from start, and Exception lists work on the fifth level.

Java, the whole decision picture about RIAs

The tool

Java Rule Setter is intended for users that are really worried about Java security (they all should) and have to work with it (if you don’t, just uninstall it from the browser).

If you have no idea of what you are doing, just add a domain you need Java to run and click on “Apply changes”. The program will create default settings and apply them.If you are a savvy user, you can use your usual keystore and sign the Deployment Rule file, and skip the whole process. Click on “Advanced mode” for more information.

Blocking everything will avoid the execution of any applet in a very early stage
Browser blocking rules because of the program

Adding a new domain to be whitelisted

Domain added to be allowed domains

For more granularity, the advanced mode may be used

There is very basic way to use it. Just run it and add a rule with a domain you want to have in your whitelist (wildcards supported). Click on “Block everything else” and apply changes. You will need to elevate privileges twice: one for adding a cert (only the first time) and one for copying the Rule Set file to system32.

The tool works in GNU/Linux and Mac OS X, although it has not been fully tested in those platforms.

We have created two versions, for Java 8 and Java 7. This tool is in alpha version, so it may contain some bugs. Please report so we can fix them.

To deeply get to know the Deployment Rule Set system and take full advantage of the tool, we recommend reading this official documentation:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

More information and instructions are available here.

Sergio de los Santos

Winners of the Latch Plugins Contest

Florence Broderick    12 February, 2015

As you know, last 16th of October 2014, as part of our annual “Security Innovation Day” event, we announced the launch of the “Latch Plugins Contest“, the first Latch competition aimed at developing innovative and useful plugins for the Latch service.

The story tells the that something went wrong in the latest ElevenPaths job, and Chema Alonso needed your help. He promised to reward anyone who succeeded in making the best Latch plugin with a financial prize of up to US$10,000 (in bitcoins). Take a look at the video and remember the story!

January 15th was the deadline for registrations, and then it was up to our jury. A top-notch panel featuring Chema Alonso (CEO of ElevenPaths) José Palazón (Head of Software and Product Development), David Barroso (Technical Manager) and Olvido Nicolás (Head of Marketing).

Well, here they are, these are the winning plugins in the first Latch Plugins Contest:

First prize – US$10,000
Winner: Carlos Rodríguez
Plugin: Devise_latcheable
Description:

  • The Latch plugin for Ruby on Rails enables Latch to be integrated in the user authentication and registration process.
  • This plugin makes Latch a gem for Ruby on Rails and allows an additional security layer (2FA) to be added to the authentication progress in any Ruby application.

    • What we liked about it:

  • It provides knowledge and a security solution for a community of developers at Ruby on Rails.

    • Second prize – US$5,000
    Winner: Gregorio Juliana Quirós
    Plugin: Latch for electronic door locks using DNIe, NFC and mobile app identification
    Description:

  • The idea of the prototype consists of a system for locking and unlocking electronic doors activated by a mobile app or smart cards based on NFC.
  • This plugin allows Latch to be integrated in electronic locks using DNIe, NFC and identification via mobile apps to allow or deny access in the user authentication process. How? Easy: In the case of fraudulent use of your identity, Latch will warn you with an alert on your Latch app on your cell phone.

    • What we liked about it:

  • It’s a usable, simple and convenient security application.

    • Third prize – US$1,000
    Winner: Javier Pena Rendo
    Plugin: Latch Plugin for Liferay
    Description:

  • The Latch plugin for Liferay enables Latch to be integrated in the user authentication process in any instance of Liferay.

    • What we liked about it:

  • The quality of its implementation and that it may be used in any Liferay product .

    • Special mention – 200
    Winner: David Garduño
    Plugin: Latch Plugin for Asterisk
    Description:

  • The Latch plugin for Asterisk enables Latch to be integrated in an Asterisk switchboard to be able to set the call operations. That means we can block or unblock a certain kind of calls and even program the time segment when we wish to be disconnected. For example, if we went to bed and didn’t want to receive any calls, we could do this with the Latch plugin for Asterik.

    • What we liked about it:

  • The innovation and originality of the idea, the clarity of the documentation, and the capacity to convey it.

    • Congratulations to the winners!

    Detected some "clickers" in Google Play simulating apps and games

    Florence Broderick    3 February, 2015
    During the last days, some apps have appeared in Google Play that work like “clickers”, between them an app simulating Talking Tom (that was online for just a few hours) and a “Cut the Rope”. In this case they visit ads and porn websites and simulate clicking in the banners, so they get some benefit. This is a known schema that affects the data plan of the user, because the apps will keep on requesting pages in the background and the victim will not be aware. ElevenPaths has detected in an early way the apps in the market, that work in an interesting way and that seems to be created by someone in Turkey.

    Since December, a developer has been uploading apps to Google Play, with the only intention of booting with the device and make GET requests in the background. Promising different kind of apps (from remote controls and X video searchers to flight simulators and games) these apps sum up to 50.000 downloads between all of the 32 apps we have spotted. Obviously not all the downloads translate into an infection (VerifyApps and other factor may affect) but they seem to be quite popular.

    Some of the apps are just “clickers” under different “disguises”to attract victims

    One of the apps is a scientific calculator with the description text in Italian. We have asked Google to remove the application that was still online (maybe because it was a little more advanced than the others and passed unnoticed) and that we have located thanks to Path5.

    App that wasn’t removed from Google Play. One of the latest remaining.
    It worked in a more sophisticated way than the others.

    What the app does

    When it starts, it always shows a dialog with the text “Application is not compatible” in Italian, Turkish and Spanish, between other languages.

    The app always shows the same dialog when it starts

    It hides its icon, modifiying values in the Manifest, after the first time it runs and after showing the message. It does nothing else until it receives a change in WiFi, data connection or a reboot. It connects to this encoded URL (it is not base64, although it looks like it).

    Encoded URL

    Decoded, it turns out to be: hxxp://1.oin.systems/check.php. If it responds with a “True” (which is  pretty much always by now), its activity will start.

    Other variants connect to other URLs like this one:

    Or this, depending on the sample: hxxp://pop.oin.systems/commands.php.

    Every time a new request is made, the apps get instructions on where to go and click. In every connection they get new domains to connect to.

    Request for the place it has to visit

    In just a few minutes, the device has generated dozens of requests. For the user standpoint, the problem will be the data consumption if he has a paying data plan. Apps are activated when the device boots so, although the app itself is not active or launched, the device will be consuming data all the time.

    Extract of the traffic generated by the device during a few minutes.
    Most of them are porn sites

    Indiscriminate visits will be done through a service that builds a WindowManager with a weight and height of “-2” so the user is not able to actually see it in the screen, where a WebView is added. There is where the URLs are loaded.

    It will take some other values from some other URL. Every 15 seconds (time to load the web) it will call:

    Another task will take care of executing this JavaScript over the loaded URLs. This will result in random clicks on the web.

    This strategy of hiding the icon, avoids the user to even bothering in uninstalling an app, because he will think it was never installed in the first place. Moreover, if it keeps quiet until next reboot or when connectivity changes, there are more chances of the user forgetting about it.

    Permissions are not very blatant.

    Permissions of these apps

    Detection

    The app was not deteced by any engine during December and January. January 20th we sent it (for the first time) to VirusTotal from ElevenPaths’ lab.

    Detection in January

    Eventually in February, some engines started detecting it. Engines have created a specific signature for this family, called Riskware.Clicker.

    Detection in February

    The attacker

    This is a typical schema, but quite witty in its implementation. We have detected that the attacker has been acting since later December and that he probably is Turkish (thanks to the information obtained from its ad-hoc certificate). Its current timezone is GMT+2, added to the language used in some apps, makes us think that it’s someone developing from Turkey, although with some Italian relationship. Some other specific characteristics has allowed us to spot the other apps very quickly.

    The strategy has been the usual one. During most of the time, the app starts in Google Play like an anodyne app. It consolidates in the market and maybe someone downloads it. For the next version, the apps mutate into something more attractive to the user, maybe it changes the code, maybe the icons and description. In this moment a “race” starts, because Google will remove it quickly but it will try to get the more the better installations.

    The app was something called Beklre (up in Google Play)
    and then mutated into a fake Talking Tom (down in Path5)
    The app was something called “Sebebi Neydi ki” (“Which is the reason” in Turkish) 
    and then mutated into a fake Cut the Rope for some hours (down in Path5)
    The domains being used tell us about the person behind the app, because the data in the Whois database seems to offer real names and emails, used before in some forums. Some other apps in our database show that this domain has been used legitimately before. The developer created some apps about movies (in February 2014) and now has reused the server for this fraud. Something about Italy appears again.
    Some other apps that seem to belong to the attacker
    Anecdotal, in some of these apps, is a homemade photo of a minor manipulating a mobile phone (taken in the middle of the past decade) which may be found inside the APK. It doesn’t seem to be a public photo (a search in Google does not show anything).
    In a few days, we will make public a more advanced and detailed study about the way this threat works technically.
    Sergio de los Santos

    News: ownCloud Latch plugin

    Florence Broderick    20 January, 2015
    We have uploaded to GitHub our latest plugin for ownCloud. It makes it easier to use Latch technology with this free software similar to widely used Dropbox. You can download it form here. This is a little “how to” so you can check how easy the integration is.

    Admins have to follow the usual steps if they want to protect ownCloud with Latch:

    Steps 1, 2 and 3 are documented on the website of Eleven Paths and step 4 is going to explained in this post.

    ownCloud plugin is a zip file, copy its contents to the apps directory of ownCloud.

    ownCloud apps directory

    After copying the plugin, ownCloud administrator has to access his own account and enabled. To do so, go to the “Apps” section, tap the “+ Apps” button and go to the Latch plugin referenced as “Latch Authentication Plugin”

    Enabling Latch plugin

    After enabling the plugin, the administrator has to enter the “Application ID” and the “Secret” to the section corresponding to “Latch Configuration” under the “Admin” menu.

    Introduce the Application ID and Secret

    Latch is now ready to be used and users are ready to pair their accounts. Users with ownCloud accounts have to set their own accounts going to “Personal – Latch Account”. Type the token generated on the phone into the text box displayed on the web.

    Introduce the token generated by Latch

    A notification will be received on the phone, announcing that the account is already paired.

    Notification received after successful pairing

    Now the user may lock and unlock access to his ownCloud account and a notification on his phone will be received, warning about somebody trying to access the account

    Notification of an unauthorized access attemp

    The database

    When Latch is installed in ownCloud, ownCloud database is set to store the values needed by Latch. Specifically the oc_appconfig table stores the “Application ID” and “Secret”.

    oc_appconfig table with the Application ID and Secret

    The oc_ preferences table indicates which user account has been paired with Latch.

    oc_preferences table with the users that have already paired their accounts

    5.500 apps potentially vulnerable to Man in the Middle attacks in Google Play

    Florence Broderick    22 December, 2014
    It has been discovered than AppsGeyser, an app creator “with just a few clicks”, deactivates the SSL certificate validation in its apps. An attacker on the same network as the user running these apps, will be able to inject any page when browsing from the affected apps, or view and modify webs that should be protected. This app generator is very popular and (as they show in their own web, there have been installed almost a thousand million apps). There are 5500 AppsGeyser apps in this moment in Google Play. Let’s analyze the problem, and its details.

    AppsGeyser main website

    AppsGeyseris a service that eases the creation of Android apps with just a few clicks. Literally, it allows users to create apps in three simple steps, so the web experience is translated to an app. This kind of applications introduce risks we have already talked about, since de programmer does not control the code and it may introduce unwanted security vulnerabilities.

    In this case, AppsGeyser has deliberately introduced a function that disables the SSL certificate validation of HTTPS traffic in all apps developed from this platform. This vulnerability means that any navigation from an app created by AppsGeyser may be intercepted, forwarded, faked… No certificate from the remote server will be validated.

    In order to be successful, the attacker has to be on the same local network as the victim. Then the attacker needs to access the victim’s traffic with any known technique (ARP spoofing, proxy control, gateway…) and analyze the traffic generated from any of the apps created with AppsGeyser. If an user of these apps visits an HTTPS website, the attacker would just have to introduce his own web signed with any certificate, and the victim would not notice anything. It would be like the perfect phishing. Or intercepting traffic between the victim and a secure website. Even if the victim does not explicitly visits an HTTPS webpage, the attacker could redirect him. For example, if an AppsGeyser apps visits some ads, the attacker could forward the user to a fake Facebook, Twitter, etc. webpage and ask for his password in any moment. 

    5.500 vulnerable apps

    By using Path5, ElevenPaths’s app markets monitorization, correlation and research product, we have been able to detect 5.532 AppsGeyser apps created and still active on Google Play. During this year, more than 7.000 have been in this official platform, what confirms its popularity. There is even a browser developed with AppsGeyser that claims to be a tool to easily visit Twitter, Amazon, Facebook… in a totally insecure way. Some antivirus already detected AppsGeyser apps as badware, no matter the app’s features.. Now it is confirmed that they have good reasons to do it. 

    A browser with direct links to popular pages, created with AppsGeyser

    There are some serious institutions and companies that have used this method to create its app. Even very popular apps with hundreds of thousands of downloads. There are about 50 apps created with this platform that have been downloaded more than 100.000 times.

    Maybe not every single one of them is vulnerable, but we have our doubts. In order to avoid being vulnerable, the original developer should have to add or remove the SSL explicit deactivation made by AppsGeyser. The vast majority of developers that have delegated the development of an app to a third party, it is not very likely they have the needed technical level for solving it. Moreover, AppsGeyser does not tell the developer that is invalidating the SSL check. 

    Why deactivating SSL? We think that is has been done to make everything easier for the creator using autosigned certificates for his web, or certificates that can not be validated by the system. AppsGeyser saves support incidents in its support system. Users will never see a “SSL validation error” with their apps. AppsGeyser disables SSL certificate validation and then they avoid problems to their support department, but jeopardizes any user of their apps.

    Proof of concept

    This proof of concept shows a MITM attack against an AppsGeyser app (https://play.google.com/store/apps/details?id=com.SantiniLabsWebBrowser) that allows to get encrypted traffic. The attacker has to enable IP forwarding and redirect HTTP AND HTTPS traffic to a webproxy in this machine.

    Then he needs to launch an ARP spoofing attack (although any other technique would work).

    The victim opens a Facebook session from the browser in the app.

    The traffic is captured, although the user thinks is encrypted, since actually all is done with the non-trusted certificate in the webproxy:


    The user would not be able to check the certificate from the browser, because the app does not allow this functionality.

    Technical details

    Technically, the failure is easy to spot. For example, we can have a look to the code from this browser created with AppsGeyser. It would be the same in any app created with this third party that have not explicitly fixed the vulnerability.

    In the onCreate(…) method in the initial activity, we can find the following code snippet:

    The first highlighted line, stores in the mStartupScreenViewContainer attribute the FrameLayout startupScreenContainer , that we will see when the app is launched. The second line, creates a controller from the FrameLayout with this code:

    StartupScreenController class contains these attributes:

    BrowserWebView will be the one in charge of showing web pages. To get it, it will need to use a WebViewClient object, established when building StartupScreenController:

    You can see highlighted in this code, how BrowserWebView is recovered (in the initial activity layout) and how the WebViewClient is assigned as an instance of FullScreenBannerWebViewClient object.

    As we can see, the class inherits from SimpleWebViewClient:

    That in turn, inherits from WebViewClient, that, according to the Android API documentation, has the following method:

    And this method is overwritten in SimpleWebViewClient with the following code, so, when an invalid SSL certificate is found, the page is still loaded with no warnings.


    So, risky connections inside the apps, would be the ones from the objects that inherit from SimpleWebViewClient and BrowserWebViewClient. and provided that they do not overwrite onReceivedSslError behavior with paramSslErrorHandler.cancel().

    Miguel Ángel García
    Sergio de los Santos

    Latch USB Monitor: New tool to monitor PNP devices with Latch

    Florence Broderick    11 December, 2014
    Latch USB Monitor is a tool that monitors Plug ‘n Play device (PNP) changes in Windows and gives the user the possibility of tracking incoming devices, and react accordingly to a preconfigured Latch response. For instance, it would allow to block USB ports so it will not recognize a new inserted memory USB stick until it is authorized with the movile device.

    This means that Latch USB Monitor will ask Latch servers what to do when a certain PNP device is detected in a Windows machine. So the administrator has a tool to potentially react to plugged devices, and modify the behavior and scripts launched in any way, at any moment, just sliding a bar from his mobile device.

    How it works

    Latch USB Monitor works as a service and has a GUI to configure it. That means it still works and monitors incoming devices even when no user is logged in. The service is constantly monitoring any device with the characteristics given by the user. When it occurs, it asks Latch servers and reacts in the way that the user has configured it.

    It may as well be used as an alerting system, with no action associated to an event. So if a device is plugged to the machine, a blocking message is sent by Latch to the mobile device, but no action is taken.

    Latch USB Monitor with some configured rules

     How to install it

    No special instructions. Just accept the license and choose the path. If, for the sake of security, you do not want the service to run as SYSTEM, you may change it to whatever account you wish, as long as it has privileges to run as a service, and network access.

    A config file is created in XML format. This file contains sensitive information. Take care with the permissions specially in shared computers.

    Pairing with Latch

    First of all, a Latch account has to be set with a pairing token. Go to Latch management and add the App ID and secret. A timeout is specified here. This means that if the computer is not connected to a network or, for any other reason it cannot get a response from Latch in the specified time limit (0 milliseconds by default which corresponds to no timeout) the “no response” action is applied.

    How to add and configure a device

    Each monitored device, may have these fields:

    • Device (optional): If your device is currently plugged in, you can choose it from this dropdown menu where all attached devices are listed.
    • Description (optional): Giving a meaningful description of the device helps you better identify it in the main list.
    • Device Instance ID: The ID that uniquely identifies a device in a Windows machine. When an arriving Device Instance ID is detected it goes through a matching system that can be used to discard or allow the rule. If the string set matches, the Latch query will be launched. This is treated as a string, so “Starts with”, “Contains”… may be used to match.
    • Operation ID: The operation ID used in Latch.
    • Actions.Open (optional): If the Latch query responds with an “on”, the process specified here will be launched, with the specified argument set (optional).
    • Actions.Closed (optional): If the Latch query responds with an “off”, the process specified here will be launched, with the specified argument set (optional).
    • Actions.No response (optional): If the Latch query doesn’t respond (because there’s no connectivity, for instance, after the timeout declared in “Latch settings”), the process specified here will be launched, with the specified argument set (optional).

      Device details with pendrive example

      The tool is written in C# and may be freely downloaded from: https://elevenpaths.com/downloads/LatchUSBMonitor.zip. You may want to check out Latch Event Monitor, too.

      We encourage you to use it.

      PhpMyAdmin fixes a XSS detected by ElevenPaths (CVE-2014-9219)

      Florence Broderick    4 December, 2014
      On November 28th, while our Faast team was developing an intrusion module for PhpMyAdmin MySQL manager, we detected a new cross site scripting vulnerability not known so far in this popular program. It has been privately reported to the team responsible for PhpMyAdmin security and the CVE-2014-9219 has been assigned. It affected all known versions.

      Vulnerability and fix announce

      PhpMyAdmin security team has reacted promptly and in just three days they have fixed the problem and released a new version. The vulnerability (currently exploitable in any version previous to 4.2.13.1) relies in a bad filtering in the “url.php” file. The function htmlspecialchars was being incorrectly used.

      The figure below shows the applied patch where htmlspecialchars function is replaced by PMA_escapeJsString.

      Commit 9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 with the fixing line

      Just filtering HTML special characters, its exploitation was trivial. Besides, it was possible to bypass anti-XSS protections in browsers, because the injected code was reflexed into a “script” tag. This kind of vulnerabilities are very common in web applications, and allow different attacks, as obtaining session cookies, as shown in the figure below.

      Exploiting the vulnerability

      If you are using PhpMyAdmin, it is recommended to update as soon as possible to latest version (4.2.13.1) or applying the patch available here. Besides, we recommend using Faast that, of course, already detects this vulnerability.

      Finally, remember we have a Latch plugin for PhpMyAdmin. All the information about how to install it, is here.

      Manuel Fernández

      Shuabang botnet: BlackHat App Store Optimization (BlackASO) in Google Play

      Florence Broderick    25 November, 2014
      ElevenPaths has detected malicious apps in Google Play (already removed by Google), aimed at performing Shuabang techniques, or BlackASO (Black Hat App Store Optimization). These malicious apps link fake accounts with the real device of the victim, getting very “real” accounts. With these accounts, the attacker sends tasks to the victims so they download apps (although not effective on the victim’s device). The victim’s account remains safe, but not the data about the phone. We describe in this report the details of this interesting attack.

      Shuabang

      Shuabang techniques, or BlackASO (Black Hat App Store Optimization). This is a real industry in China that has been active for years. The method consists in creating an infrastructure to score or artificially inflate the number of downloads of an app so they rise up their position on the markets. This infrastructure requires fundamentally Google or iOS accounts so they can distort actions, as if they were generated by real users. This “service” is usually sold to a third party intermediary (companies) that claim to enhance and optimize positions in any market but they do not really care about the methods to achieve it.

      To carry out the fraudulent scheme, the attacker needs active Google accounts associated with real devices that do not appear suspicious to Google, which would quickly eliminate them otherwise. Different techniques are used for this purpose. The most usual is to manually hire users that will create accounts in the market and rate apps they are told to. On this particular occasion, they came up with a system that starting from a set of fake Google accounts, distributes and associates them to different devices, so they take full advantage of the number of phones associated with an account. Besides, it allows sending tasks to the device so it simulates downloading apps under fake accounts. The potential of these malicious apps spotted for Shuabang is above average, since it demonstrates in-depth knowledge of the specific operation of Google’s authentication protocols. Before getting into the details, let’s see how Google accounts work.

      How Google accounts work

      When a user creates a Google account, once the username and password are provided, he has access to dozens of Google services, as a Single Sign On.

      Google account working schema

      The user enters the account password in the device only once. From that point on, he is registered in a Google service (for example Google Play, sending user, password, device ID…) that will return a token. This master token is stored in the device account manager (that remains associated) and will be used from then on in the device  (that remains associated to it) so the password does not have to be entered again. Other temporary tokens are derived from this master token. It is common for users to have several devices registered with the same account. This, for example, allows users to choose where to install apps. For linking or associating a device to an account, the usual process is:

      Registering and associating and account with a device

        • Either creating the account from the device itself. Google prevents automatic creation of fraudulent accounts by discarding accounts created on devices that are not “real”, as well as inserting a CAPTCHA.
        • Or using an existing Google account and signing in with it on the device that it is to be associated with. This process only requires entering the username and password in the phone to add a new account.

        What Google does, is associating a device identifier with the account. The Android phone or device will appear as a device associated with the account on the Google Play settings panel.

        This low-level registration and association protocol has been studied by the community and specially by attackers who carry out fraudulent practices. Registration and association can currently be programmed with raw calls to Google services and providing the necessary information. This process isn’t officially documented, though.

        This kind of botnet is a sophisticated system by which attackers use apps with minimum privileges to associate accounts created by them to real devices. Thus, attackers obtain a number of fake accounts associated with “real” phones and therefore valid for Google services, allowing them to carry out a variety of fraudulent schemes. Specifically, artificially increase app downloads or fraudulent app rating.

        The attack

        The attacker had a pool of 12.500 Google accounts, created with valid username and passwords, but not registered with any device. The vast majority of accounts in this database were created by the attacker, and were delivered to the victims to register them with their devices.

        Brief attack scheme

        Fundamentally, the attacker gets the victim to make two actions:

        • Associate accounts to devices in an automatic way so he can get tokens.
        • Use these tokens in a distributed way, so downloads may be simulated.
        Real example of a response to an infected device, getting an account that will be associated to the device

        The applications turn the device into a zombie that collected these fake accounts from the central server every 10 minutes and associated them with the information on the victim’s phone. The “original” Google account on the victim’s device remains safe and the attacker cannot access it at any time. Each account was associated with between 10 and 30 physical phones of victims. The combinations between Google accounts and associated phones are countless. The image shows an example of an attacker account associated with 18 victim devices.

        Example of an account associated with different victims’ devices

        The attacker published more than 300 applications on Google Play throughout the month of October. They were disguised as games, jokes, wallpapers and general entertainment. Of these, approximately 100 committed the fraud by associating these fake accounts to the device’s settings and identifier. The remaining 200, although harmless in their first version, were usually later updated to commit the fraud. The permissions the apps requested are:

        Permissions requested by the apps infecting the users

        With this attack scheme, the attacker has obtained a database of  60,000 tokens. The attack was focused on victims in Brazil, India and Russia, although it was prepared to add any other country.

        The complete attack scheme is this:

        General scheme of the attack


        Conclusions 

        Although the attacker seems to have a known ultimate goal (black ASO), he achieved several interesting milestones by developing these malicious apps:

        • He created or bought 12,567 Google accounts, most of which were automatically created. Account creation requires breaking a CAPTCHA.
        • He achieved a low level understanding of the Google registration and device to account association process. He was able to program them to work automatically. This is not officially documented and there is very little documentation about this.
        • He was able to introduce some 100 malicious apps in Google Play with apparently harmless permissions.
        • He was able to manage a task system that fully optimized the activity of the infected network by distributing download and account association tasks, etc.
        • He was able to use the victims’ devices features to associate them with accounts and thus perpetrate the fraud, as if a fake user was registered in the victim’s device.
        • Although the victim’s account data is not affected, these malicious apps imply taking advantage of resources and violating privacy.

        Although the Shuabang technique has been known and developed for some time via a variety of apps, the attackers’ target is usually Google Play as an area for privileged distribution. This is the market that poses the most problems for publishing, but once they get it, and thanks to this intelligent technique described, the success for the attacker is remarkable. These malicious apps seem to be in a development phase, and it seems they were experimenting with these techniques.

        A complete report in PDF format is available from here.

        ElevenPaths has been able to determine how, since when and by which methods the fraud was committed and also established links between this attacker and other groups of attackers aside from gathering a series of incriminating evidence. Based on these correlations, ElevenPaths was able to find Google Play developer accounts possibly belonging to the same group of attackers.

        All of which was possible thanks to the use of Path5, a product developed by ElevenPaths, which allows early detection, investigation and correlation of any type of information about Android applications, among other functionalities.This report is a real-life example of the power and effectiveness of a product such as Path5 to investigate similar cases.

        Sergio de los Santos