android | Page 2


While inspecting the Pokémon Go application, I incidentally found information on ... Pokémon Go Plus. Basically, this is the Pokémon IoT: a connected wristband with a button (to throw a pokéball, for instance), an RGB LED, and vibration capability (e.g., to notify of nearby Pokémon). The device is not yet released, and the software is still under development: as you can see below, versions 0.29.x correspond to "BETA4". Implementation in version...
by Axelle Apvrille | Aug 11, 2016 | Filed in: Security Research
Recently, we - i.e., Giuseppe Pacelli (student at Eurecom), Matteo Bertolino (student at Eurecom) and their supervisors Ludovic Apvrille (Telecom ParisTech) and myself - had a closer look at a few Android samples infected with the Feiwo adware. This adware family is not new, but the instances we analyzed were still undetected by all anti-virus vendors last week, as far as we know. Besides aggressively serving ads to your mobile phone, this potentially unwanted application (PUA) posts your phone number and list of applications you installed...
by Axelle Apvrille | May 20, 2016 | Filed in: Security Research
From time to time, AV analysts encounter "funny" Android malware or PUA: Riskware/Secretmimi!Android is one of those. This riskware is a social app used to share secrets (gossip). The "fun" part is that you certainly should not use it if you expect them to remain secret ;) Besides using aggressive adkits such as Umeng, the application obviously does not know about HTTPS and posts everything in clear text. For example, when you register, your birthday and gender are posted in the clear (see Figure...
by Axelle Apvrille | Apr 22, 2016 | Filed in: Security Research
Google fixed a denial of service vulnerability in the Minikin library (CVE-2016-2414) with the Android patches of this month. I reported this vulnerability to Google in early March, 2016 and Google confirmed it was a duplicate report of bug 26413177, which had been reported by another researcher in November, 2015. In this blog, we will provide an in-depth analysis of this vulnerability. It exists because the Minikin library fails to parse .TTF font files correctly. As a result, it could allow a local attacker...
by Kai Lu | Apr 13, 2016 | Filed in: Security Research
Our automated crawling and analysis system, SherlockDroid / Alligator, has just discovered a new Android malware family on a third-party marketplace.
Figure 1: Part of SherlockDroid report. Android/BadMirror sample found as suspicious.
The malware is an application whose name translates to "Phone Mirror". Because it is malicious, we have dubbed it 'BadMirror'. The malware sends loads of information to its remote CnC (phone number, MAC address, list of installed applications...) - see Figure 2 - but it also has...
by Axelle Apvrille | Mar 07, 2016 | Filed in: Security Research
Malware has been known to use new and innovative ways to evade detection by antivirus software, a phenomenon AV analysts have often seen with PC malware. Few examples of the same have been seen in mobile malware. A recently discovered Android malware has brought to light one such antivirus evasion technique with its use of "a legitimate firewall to thwart security software". The legitimate firewall referred to is iptables, which is a well-known "administration tool for IPv4 packet filtering and NAT" on...
by Ruchna Nigam | Jan 21, 2016 | Filed in: Security Research
For the 18th edition of the Association of Antivirus Asia Researchers conference, we flew to Da Nang in the beautiful country of Vietnam. Every major security vendor was present, not only those from Asia. After two full days of presentations, we would like to call out the briefings we enjoyed the most. I would say as usual that Mikko Hypponen from F-Secure gave a good talk about Securing Our Future, reaffirming that our job is to protect users globally and that the key for that is to work all together. That means not...
by David Maciejak | Dec 09, 2015 | Filed in: Industry Trends & News
Mobile banking is a convenient way for users to complete transactions anywhere and anytime. KPMG predicts that the mobile banking user base will grow to 1.8 billion by 2019. And, when money is involved, the bad guys always find creative ways to steal it. Now they are increasingly doing so on the Android platform in the same way they did for online banking on PCs. At the beginning of December, the Association of Banks in Singapore (ABS) released an advisory on mobile banking malware infecting Android smartphones and the substantial...
by Floser Bacurio | Dec 09, 2015 | Filed in: Security Research
Update Aug 28, 2015: Typos in the final table: CVE-2015-3864 does not concern covr but tx3g. CVE-2015-3828 does not occur for yrrc. Detecting the PoCs published by Zimperium is not difficult: you can fingerprint the PoCs, for example. Detecting variants of the PoCs, i.e., MP4s that use one of the discovered vulnerabilities, is far more difficult. I'll explain why in a moment. First, apart from here (in Chinese), there hasn't been so much in the way of technical details. Getting into the guts of StageFright...
by Axelle Apvrille | Aug 25, 2015 | Filed in: Security Research
You've heard about StageFright, right? Where a malicious MMS compromises an Android handset by exploiting vulnerabilities on the phone's mediaserver. Are you aware that StageFright is not an MMS issue, but an issue with anything that will try to open a malicious MP4? If not, you are now, and I hope I am about to convince you even more thoroughly below...
Telegram
Yes, for instance, StageFright occurs with Telegram. The only (fortunate) difference is that Telegram does not preview the MP4, so it will only crash if you open the video...
by Axelle Apvrille | Aug 14, 2015 | Filed in: Security Research