Post on 21-Nov-2021

2 views

Category:

Documents


0 download

TRANSCRIPT

Classification: Internal

Bancontact Payconiq Company

SEPA Rulebooks Scheme Manuals Remote Domain 46D0 – Schedules 1, 2, and 3 – News 67 Mobile App Security Guidelines

Android, iOS Newsletter 67

Confidential

Newsletter 67 Copyright Bancontact Payconiq Company nv/sa Page 2 of 23

Classification: Internal Classification: Internal

COPYRIGHT

This document is confidential and protected by copyright.

Its contents must not be disclosed or reproduced in any form whatsoever without the prior written consent of Bancontact Payconiq Company sa/nv.

Except with respect to the limited license to download and print certain material from this document for non-commercial and personal use only, nothing contained in this document shall grant any license or right to use any of Bancontact Payconiq Company sa/nv’s proprietary material.

AUTHORS

This monthly newsletter is written by NVISO, experts in mobile security, on behalf of Bancontact Company sa/nv.

ABOUT NVISO

NVISO is a consultancy firm exclusively focusing on IT security. NVISO has a very clear sector focus with several references in the financial and governmental sectors. The Research and Development department of NVISO is NVISO Labs, whose goals are to allow our people to increase their skills and knowledge, to come up with innovative service offerings, to contribute to the security community, and to give valuable insights to our clients. The fundamental values of NVISO are client satisfaction, focus, entrepreneurship, innovation, and ability to adapt. Our mission is to be an innovative and respected partner for our clients. For more information, we are happy to refer you to our website: https://www.nviso.be. If you want to stay up to date with our latest research and other activities of NVISO Labs, we refer you to our blog: https://blog.nviso.be


Table of Contents

Table of Contents 3
1 Summary of security impacts 4
2 Vulnerabilities & Malware 5
2.1 iOS Malware 5
Exodus Spyware on iOS [1.N67.1] 5
2.2 Android Malware 8
Anubis Trojan [2.N67.1] 8
3 Case study – Android Security Transparency Report 11
3.1 History of mobile malware 11
3.2 Techniques used in banking malware 14
3.3 Defenses 16
3.4 Conclusion 17
3.5 Sources 17
3.6 References 17
4 Security updates 18
4.1 iOS security update 18
4.2 Android security update 18
5 Security news 19
5.1 Mobile security news 19
The security state of financial applications 19
Critical Flaw on Qualcomm technology 19
5.2 General security news 20
Secret Access Tokens Leaked from WordPress iOS App 20
New versions of the XLoader malware have been identified 20
Phishing using a fake Android Chrome address bar 20
Tax scammers are launching new fake mobile apps as tax day is coming 21
WhatsApp fixes bug which allows the spreading of spyware 21
6 Statistics 22
6.1 OS market shares 22
6.2 iOS 22
6.3 Android 23


1 Summary of security impacts

April was an active month in terms of mobile malware discovery. Both a new iOS spyware and an Android banking Trojan have been identified by security researchers.

The first malware is a port of an already existing Android spyware to iOS. Exodus, which was discussed in detail in the previous newsletter, does not target banking applications directly but could still have some impact given its extensive list of data collection capabilities. The malware leverages Apple’s enterprise provisioning system to distribute the malicious app via phishing pages imitating legitimate mobile carriers.

The second malware is a new variant of the well-known Anubis banking Trojan. While the initial variant focused on obtaining banking credentials and personal details from its victims, the new variant is also capable of acting as fully functional ransomware. Anubis targets over 370 banking apps and online platforms such as eBay, PayPal, and Amazon. It often finds its way onto the Google Play Store by circumventing Google’s automated security scanning.

Apple patched 42 vulnerabilities in its major iOS 12.3 update. Most of the vulnerabilities were related to WebKit, where the most critical ones allowed an attacker to execute arbitrary code and disclose process memory. Google also fixed many high-impact vulnerabilities in its monthly Android security update, which addresses 30 vulnerabilities spread across several components. The most critical issue allowed a remote attacker to gain arbitrary code execution in the proxy auto-config component without needing any additional privileges or user interaction.

Due to the fast evolution of mobile phones, attackers are able to quickly adopt new and creative techniques and build ever more advanced malware. This month’s case study elaborates on the history of mobile malware and shows the evolution of the techniques and tactics used by malware creators to trick their victims. Since most attackers are interested in financial gain, banking apps are often a target of choice, and we dive deeper into some of the creative techniques used in banking malware.


2 Vulnerabilities & Malware

2.1 iOS Malware

Exodus Spyware on iOS [1.N67.1]

Overall risk: Low – Impact: Medium – Likelihood: Low

Summary

Researchers at Security Without Borders recently discovered a new Android spyware, dubbed Exodus, that infected several thousand devices through the Google Play Store over the last three years. The spyware was hidden in almost 25 apps on the Google Play Store and inside apps on phishing websites. The spyware is composed of two stages: the first stage acts as a dropper, while the second stage contains the main spyware capabilities. Once it gains full access to the mobile device, it can launch an extensive list of data collection and exfiltration techniques, including a reverse shell. A detailed report on the Exodus spyware for Android can be found in the previous newsletter.

A few days after the discovery of the Exodus malware, Lookout researchers found that the spyware had been ported to the Apple iOS ecosystem. While the iOS variant is not as sophisticated as the Android version and does not use any exploits, it relies on documented programming interfaces to exfiltrate a variety of sensitive data.

Details

The malware creators leveraged Apple’s enterprise provisioning system to deploy the Exodus malware outside Apple’s App Store. Apple’s enterprise provisioning system is intended to allow organizations to distribute test or in-house apps to their employees without using the App Store. Since businesses must meet specific requirements before being granted access to this program, it is uncommon to see this technique used for malware distribution. For example, an eligible business must be a legal entity with over 100 employees, a D-U-N-S number and legally binding authority.

In order to distribute an app outside the App Store, the IPA must contain a mobile provisioning profile containing the enterprise’s certificate. In the case of the Exodus spyware for iOS, the profile contained a certificate linked to the company Connexxa S.R.L. Connexxa S.R.L. is a business unit of eSurv S.R.L., the same Italian company whose domains and IP addresses were used by the Android version of Exodus. Hence, it is very likely that both the Android and iOS versions were the work of a single person or group.

Figure 1: Certificate used by the Exodus spyware (source)


The spyware was distributed on two phishing websites imitating legitimate mobile carriers Wind Tre from Italy and TMCell from Turkmenistan.

The alleged purpose of the app containing the spyware capabilities is to provide carrier assistance. When the app is initially launched it shows the users the following message: “keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators”.

Figure 2: Phishing website of an Italian mobile carrier with a link to the Exodus spyware (source)

Figure 3: Initial screen when launching the app (source)


Although the iOS variant is not as sophisticated as the Android version, it is still capable of exfiltrating information from the infected iPhones including contact information, audio recordings, photos, videos, GPS location and general device information. The stolen data is uploaded using HTTP PUT requests to a C&C server controlled by the attacker. In fact, the C&C server is the same as seen in the Android version. Additionally, the spyware includes a feature to perform remote audio recordings which could be controlled by push notifications.

Currently, no exploit code is included in this iOS version of the Exodus Trojan. This is somewhat surprising, as exploits for older iOS versions are freely available and could be included with relative ease. On the other hand, distribution must happen through a valid certificate, which is directly linked to the distributing party. Under the current conditions, the application owner might believe it is not breaking any explicit rules and that Apple will not revoke its certificate. However, Apple has shown in recent months that it actively revokes the certificates of major companies that use the enterprise distribution channel for apps that collect data and personal information.

Mitigation

The spyware makes use of Apple’s enterprise provisioning system to digitally sign the app with a company’s certificate. This enables iOS users to install the app after trusting the certificate. However, the app is not distributed via the official App Store and can only be found on phishing websites. Therefore, it is recommended to only install apps originating from the App Store and to be very cautious with apps using Apple’s enterprise provisioning system.

For infected devices, it is sufficient to delete the malicious app in order to remove the spyware from the device.

From a development perspective, little can currently be done, as the application does not yet target other installed applications.

Sources

• https://blog.lookout.com/esurv-research


2.2 Android Malware

Anubis Trojan [2.N67.1]

Overall risk: Medium – Impact: Medium – Likelihood: Medium

Summary

Lukas Stefanko, an expert security researcher from ESET, identified a new variant of the known Anubis Trojan. The initial variant of the Trojan focused on obtaining data (e.g. banking credentials, personal details) from its victims. To do so, it used a number of techniques such as motion-based evasion, a RAT backdoor, SMS interception and keylogging capabilities.

The newly discovered variant also contains a fully functional ransomware module, including a device lock feature. According to the security researcher this functionality is easy to bypass, which suggests the identified sample is only an early prototype of the full CryptoLocker implementation in Anubis.

Anubis is malware with a proven track record. It targets over 370 banking apps and online platforms such as eBay, PayPal, and Amazon. The malware has built-in protection and detection-evasion mechanisms to circumvent the automated security scanning on the Google Play Store. As a direct result, the malware is still present in several apps on the Google Play Store. Therefore, the likelihood is rated as medium. Taking into account the currently limited ransomware implementation, the impact is rated as medium.

Details

Anubis is a well-known Android banking Trojan which makes use of a dropper concept, where a seemingly legitimate application is used to download the malware onto the victim’s device. To avoid detection, the malware only prompts for the Android install permission (i.e. REQUEST_PACKAGE_INSTALL) after a certain amount of time has passed. It pretends to be a legitimate system update, encouraging the user to install the application.

After approving this permission the malicious APK package gets installed on the victim’s device. In some variants users are tricked into installing the malicious APK using a fake system update.

Apart from using the dropper technique to install the malware, Anubis also makes use of the device’s motion sensors to avoid detection. The malware authors assumed that when their application runs in a sandbox, the device would not make any movements. As long as no sensor data is captured, the initial dropper does not perform any suspicious behavior.

The installation process of the Anubis malware follows these steps:

1) A seemingly legitimate application is downloaded from the Google Play Store.
2) After a while it prompts for the REQUEST_PACKAGE_INSTALL Android permission.
3) After the permission is granted, the malware gets installed onto the device.

Figure 4: Fake system update (source)


Figure 5: Detection of movement in Anubis source code (source)

Once installed, the Anubis payload will try to perform the following actions:

• Trick users into entering their credentials;
• Take screenshots of login screens;
• Establish a connection with C&C servers.

Finally, it will try to obtain accessibility rights by pretending to be the Google Play Protect service and asking the user to grant the needed privileges. These privileges can then be used to target different banking applications.

Anubis does not make use of overlay views as most other banking trojans do, where an attacking app overlays different input forms on top of the targeted app. Instead, it makes use of a built-in keylogger which records all keystrokes to steal the user’s password.

In the new variant detected by Lukas Stefanko, several new features are present:

• Files on the device get encrypted and receive the .AnubisCrypt file extension;
• A black screen is displayed on the victim’s device.

According to the security researcher the black screen can easily be bypassed. The researcher claims this indicates the new features are still under development. Currently, no ransom is requested once the files are encrypted.

Mitigation

The Anubis malware does not make use of any vulnerabilities present in the Android ecosystem. Instead, it relies on tricking a user into allowing it to install a backdoor on the victim’s device. Therefore, user awareness and alertness can prevent a user from installing the malicious application.

Overall, Anubis is malware which has had a remarkable spread across the world. Trend Micro’s data shows the latest version of Anubis has been distributed to over 93 different countries and targets the users of 377 different banking apps.

The malicious apps containing the Anubis malware may also be found in the Google Play store as the malware is proficient at deceiving the Google Play store automated security scanning.


Sources

• https://www.2-spyware.com/android-banking-trojan-anubis-found-incorporating-ransomware-features

• https://news.sophos.com/en-us/2018/08/14/anubis-is-back-are-you-prepared/


3 Case study – Android Security Transparency Report

During the last two decades, mobile phones have become a large part of our daily lives. While phones were initially used for voice and text communication, they turned ‘smart’ to such an extent that they now connect us through social media, perform banking operations, play videos and video games and even let us shop online with a single touch of a button. As a result, these devices store a huge amount of personal data, which makes them attractive targets for information and identity theft by malicious actors. Due to the fast evolution of mobile phones, attackers are able to quickly adopt new and creative techniques and build ever more advanced malware.

First, we will take a look at the history of mobile malware and how malware advanced alongside the evolution of the smartphone.

Since most attackers are interested in some kind of financial gain, banking apps are often a target of choice. This has led to an increase in the volume and complexity of banking malware. The different tactics and techniques used to trick users into performing banking actions on their mobile phone are elaborated in the second section.

Finally, we will take a look at which actions a user can take in order to protect against such innovative and complex mobile attacks.

3.1 History of mobile malware

The first ever malware targeting mobile phones appeared in 2000 and was actually a PC virus which caused infected machines to send text messages to randomly selected Telefonica phones. ‘Timofonica’ exploited email-to-SMS gateways, where sent emails appear as SMS text messages. While the virus was not destructive per se and was more a problem of unwanted messages and spam, it caused widespread speculation about the possibilities and impact of mobile phone viruses.

In 2004, the first ever ‘mobile’ malware, Cabir, was discovered by researchers from Kaspersky Labs. At the time, Symbian OS was the most popular mobile operating system. Cabir was a worm infecting Bluetooth-enabled devices by prompting users to download the malicious file. Once downloaded, it displayed the word ‘Caribe’ and continued its search for new victims. While Cabir was not malicious, the concept was used one year later by a new malware called Commwarrior. Commwarrior used the same spreading technique over Bluetooth but, instead of displaying just harmless text, it sent out text messages to everyone in the address book. Back in 2005, sending a large number of text messages cost a decent amount of money, which caused a financial impact on the victims.

In 2006, a multiplatform version of Commwarrior called RedBrowser, running on Java 2 Micro Edition, appeared. Contrary to its predecessor, RedBrowser sent text messages to premium-rate numbers. For the first time, malware caused not only financial loss for the victims, but also financial gain for the malware creators.

Upon the release of the first iPhone in 2007, the smartphone industry gained serious momentum. Not surprisingly, attackers caught up quickly and malware became more advanced. Mobile devices began to face malware similar to the traditional malware spreading on PCs. For the first time, a specific piece of spyware was discovered on mobile devices that successfully extracted private information such as text messages, address book details and recordings from compromised devices. The spyware, dubbed ‘FlexiSpy’, was advertised and even commercialized as the perfect tool for people to spy on their partners.

Figure 6: Cabir malware (source)

The first iOS malware, ‘Ikee’, appeared in 2009. The malware targeted jailbroken devices with OpenSSH where the default SSH password (alpine) had not been changed by the user. While the malware was harmless and just changed the background picture to a picture of singer Rick Astley, it reminded people that iPhones were targeted as well and that iOS security was as important as protection of other mobile phone operating systems.

Starting from 2010, independent hackers started creating criminal organizations across the globe and sharing experience and techniques in order to generate more money together. At the same time, major banks were rolling out banking apps offering customers the ability to perform basic banking operations from their mobile phone. Clearly, this was very interesting to attackers who identified new ways to make money. Zitmo, the mobile counterpart of the popular Zeus malware, was able to steal transaction authorization numbers. Since the malware could migrate from PC to mobile and back, it led to massive losses for victims using online banking.

In 2011, Android became the biggest mobile operating system, overtaking iOS, Blackberry OS, Windows Phone and Symbian OS. In the beginning, attackers often disguised their malware as a useful app in the Google Play Store. For example, the spyware DroidDream was present in more than 50 apps in the Google Play Store, each with more than 10,000 downloads. Two years later, the first Android ransomware, called FakeDefender, appeared in several supposedly legitimate apps on the Google Play Store. The malware would display fake virus and security alerts and convince users to buy an antivirus app which would remove the alleged virus. However, after buying and installing the antivirus, it would just display a picture of an animal captioned “Android Defender”.

Figure 7: iPhone Ikee malware (source)

Figure 8: Android FakeDefender malware (source)


As of 2014, mobile malware infections continued to escalate compared to previous years. Malware became more sophisticated, stealthy and financially aggressive. Due to Google’s increased security screening and other effective measures to ban malware from the Google Play Store, attackers started leveraging different mediums to distribute their malware.

DroidPak was a malware which downloaded a malicious APK on an infected Windows machine. Once an Android device was connected by cable, it tried to install the APK directly to the mobile phone.

The spyware ‘SMS Thief’ disguised itself as an uninstaller utility that could be downloaded from unofficial app stores, while stealing text messages in the background. While the malware was not widespread, it was actively updated, making it harder to detect and more complex, and therefore very tricky for the average user to uninstall.

Over the last three years, malware has become more all-inclusive by incorporating multiple malicious behaviors in a single malicious app. Xbot was discovered by researchers in 2016 and was found in 22 different Android apps, acting as both spyware and ransomware. Amongst other things, Xbot is capable of:

• Stealing banking and credit card details via phishing pages of Google Play or multiple banking apps;

• Stealing SMS messages, contact information and mobile transaction authentication messages from banks;

• Remotely locking or encrypting all files on the infected devices. The device could only be unlocked or decrypted after a 100-dollar ransom was paid through PayPal.

These all-inclusive malware families often evolve over the years and reappear on the official Google Play Store or other app stores in different formats and versions. For example BankBot, a Trojan targeting Android devices, combines code obfuscation and sophisticated payload dropping in order to evade Google’s security scans. The malware attempts to steal banking credentials by overlaying a transparent window onto the login screens of legitimate banking apps. Since BankBot supports a wide range of banks (over 400 international banks), it is quite successful in its objectives.

Figure 9: Xbot ransomware asking the victim for 100USD to decrypt all files (source)

In the recent history of mobile security threats, we can observe an increase in malware incorporating advanced keylogger functionality. These malicious apps take advantage of Android’s accessibility services. Normally, this feature assists users with disabilities, or helps users access apps while driving, by providing user interface enhancements. By abusing the service, attackers are able to access the UI of other installed apps and the text entered on the device, as well as grant themselves more permissions and rights.

3.2 Techniques used in banking malware

Nowadays banks aim to offer a rich banking experience to their customers by means of online banking on the PC or through a mobile app. Their motto is to bring the bank closer to the customer and allow users to perform any action without actually going to the bank. Often forgotten or neglected is the fact that this convenience comes with a trade-off: security.

Since most attackers are interested in some kind of financial gain, these banking apps are often a target of choice. In what follows we elaborate on the different methods and tactics used by malware creators to steal victims’ login credentials and private banking information, or even to perform forged banking transactions.

Fake login pages

Most basic banking Trojans rely on impersonating legitimate banking apps in order to obtain login credentials or credit card details. When the malware is launched, it displays a fake login page of a banking app, and the submitted text is sent to the attacker’s server. To increase the success rate, fake login pages of multiple legitimate banking apps are included in the Trojan and selected based on the apps installed on the victim’s device. This is a fairly easy attack vector and very similar to a normal phishing attack. The difference is that in a browser it is easy to identify a fake page, while it is much more difficult to identify a fake banking application.

Impersonating legitimate banking apps

More advanced malware attempts to remove the legitimate banking app and replace it with a malicious counterpart. An infected device will prompt the user to update the banking app since it is supposedly outdated. Upon confirmation, the malware downloads the fake version and installs it on the infected device. This allows the fake banking app to persist even if the malware itself is removed.

Figure 10: List of different legitimate banking apps a banking Trojan is able to impersonate (source)

Interception & exploitation

To increase the security of banking apps, they often require users to perform multi-factor authentication (MFA) when signing in or executing a banking transaction. MFA can be implemented in several ways. A popular method is to send a text message to the user containing a secret code, which then has to be provided when performing the action. However, banking malware quickly adapted to this security measure and is now generally able to bypass this control. On a mobile device, this is easy to do as any application can request access to read SMS messages. The malware constantly monitors the victim’s incoming text messages and relays all bank-related messages to the attacker’s server. The attacker can then use the received code to carry out banking operations on behalf of the victim.


Some banking Trojans even apply the same principle to phone calls made from the victim’s device to the bank. In some cases, the entire call is recorded and sent to the attacker’s server in order to extract personal details and sensitive information. In other cases, the attacker actively hijacks calls made to the bank and talks directly to the victim. To prevent the victim from noticing any suspicious behavior, the malware is able to spoof the caller ID of incoming calls and block incoming calls from the bank.

Advanced interception techniques

As discussed in section 3.1, over the last three years attackers have been implementing advanced keylogging and interception techniques in order to extract even more information from infected devices. The malware leverages Android’s Accessibility Service to monitor the user interface of other, legitimate banking apps. It allows the malware to extract entered text, view app screens and even perform some basic actions within a few seconds, making it very hard for victims to notice that their device has been compromised.

Other variants

Some Trojans do not impersonate banking apps but regular apps, and try to extract banking information in other ways. One possibility is to mimic a legitimate app or game which has in-app purchases enabled. Instead of redirecting to the Google Play Store to enter credit card information, the malicious app redirects to a fake phishing page which sends the credit card information to the attacker. Some Trojans just display a scam or phishing page making the victim think he/she has won a prize. In order to redeem the prize, the victim is required to enter their credit card information.

Figure 11: Malware requests credit card information to claim non-existent prize (source)


Infiltrating the Google Play Store

To impact as many users as possible, malware creators try to sneak their way into the Google Play Store, since this is the official store where all apps are supposedly secure thanks to the high security standard Google enforces on all submitted apps. Directly submitting malware to the Google Play Store is usually flagged and rejected by Google. Instead, once a ‘lightweight’ malicious app is installed through the Google Play Store, it acts as a dropper and downloads the actual malware from a different server. Afterwards, it dynamically loads and installs the payload and tries to hide it behind a legitimate-looking app.

Different evasion techniques are used by applications in an attempt to avoid detection by Google’s automated tests. A good example of this is the Anubis malware mentioned in the first part of this newsletter, which uses gyroscope data in order to detect emulation or automated analysis. Other malware developers rely on specific triggers to start the infection chain, which can be as simple as a specific amount of time passing, or a very complicated set of events such as repeated battery cycles, changing Wi-Fi networks or changes in the detected Bluetooth devices.

3.3 Defenses

As the volume of mobile malware keeps increasing and attacks are becoming more and more sophisticated, it is important for every smartphone user to stay protected from mobile security threats by taking the following precautions:

• Install a trusted antivirus app which monitors your device for any suspicious behavior and installation of malicious apps;
• Keep your phone up to date at all times to reduce the chance of getting exploited;
• Do not download apps from untrusted marketplaces or developers. Only install apps found on the Google Play Store or Apple App Store;
• Do not root or jailbreak your device;
• Pay close attention to the permissions requested when installing an application. In particular, applications requesting the Android Accessibility services permission should raise a red flag;
• Pay close attention to the CPU and memory usage of your device. High usage of these resources might be a symptom of malicious processes and/or apps;
• Make frequent backups of all your data in case your device ever gets compromised.

From a mobile developer perspective, it is important to create a secure application with a very small attack surface. Items to keep in mind:

• Don’t rely on 2FA via SMS messages;

• Create strong device binding, enforced through the application code. This makes sure that spoofing a user is not possible without reverse-engineering the application;

• Use the platform’s security features such as secure views and overlay detection;

• If stored, properly protect all sensitive information on the device.

More specific recommendations can be found in OWASP’s MASVS, which is a checklist of security controls, and the OWASP MSTG, which is a testing guide for all possible vulnerabilities.
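As an added example (not from the newsletter or from any project it references), the following Android activity applies the “secure views and overlay detection” recommendation above using the platform’s own APIs; the layout and view identifiers are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;

/**
 * Added example: a screen that shows or collects sensitive data (e.g. a PIN)
 * and uses platform protections against screen capture and tap-jacking overlays.
 * R.layout.activity_secure_pin and R.id.confirm_button are hypothetical.
 */
public class SecurePinActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // "Secure view": the window content is excluded from screenshots, screen
        // recording and the recents thumbnail, so screen-grabbing malware and
        // Accessibility-based screen readers get nothing from this activity.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_secure_pin);

        View confirm = findViewById(R.id.confirm_button);
        // Overlay detection, variant 1: the framework silently drops any touch
        // that arrives while another window (e.g. a malicious overlay) covers this view.
        confirm.setFilterTouchesWhenObscured(true);
    }

    /**
     * Overlay detection, variant 2: inspect the touch event ourselves, so the
     * app can warn the user or log the event instead of just dropping the tap.
     * Returns true when the tap arrived through another window and must be rejected.
     */
    static boolean isTapObscured(MotionEvent event) {
        int flags = event.getFlags();
        // FLAG_WINDOW_IS_OBSCURED: another window fully covers the touched point.
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29+): another window partially covers it.
        return (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
            || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent event) {
        if (isTapObscured(event)) {
            // Defensive choice: consume the input without acting on it; a real app
            // would also show a message that another app is drawing over the screen.
            return true;
        }
        return super.dispatchTouchEvent(event);
    }
}
```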


3.4 Conclusion

Over the last two decades, mobile phones have become a large part of our daily lives. While they bring a lot of convenience to day-to-day activities, they also introduce many security concerns. The industry is evolving very fast and smartphones are becoming more and more advanced, which also leads to malware becoming more sophisticated each year. Since malware creators are often interested in financial gain, many new tricks and techniques are used to build malware targeting banking apps. The result is an everlasting fight between malware creators and the security measures taken by Google and Apple. It is therefore important for smartphone users to educate themselves about mobile device security and apply some simple measures to reduce their risk of getting compromised.

3.5 Sources

• An Analysis of Mobile Malware Evolution http://www.cs.tufts.edu/comp/116/archive/fall2017/tzhu.pdf

• The Rise of Mobile Malware https://www.secalliance.com/blog/the-rise-of-mobile-malware/

• NetMotion – Mobile Malware Threats https://www.netmotionsoftware.com/blog/security/mobile-malware-threats/

• The Evolution of Mobile Banking Trojans https://medium.com/threat-intel/the-evolution-of-mobile-banking-trojans-608625c79143

• Android Banking Malware: Sophisticated trojans vs fake banking apps https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf

3.6 References

• OWASP Mobile Security Testing Guide https://github.com/OWASP/owasp-mstg

• OWASP Mobile Application Security Verification Standard https://github.com/OWASP/owasp-masvs


4 Security updates

4.1 iOS security update

On May 13th, Apple released the latest major update for their iOS devices: iOS 12.3. In total the update includes fixes for 42 security vulnerabilities.

Most fixes were for vulnerabilities in Apple’s web rendering engine WebKit; in total 21 vulnerabilities were fixed in this component. One of these (CVE-2019-8607) allows attackers to create maliciously crafted web content that may result in the disclosure of process memory.

Another vulnerability (with multiple related CVE codes) allows an attacker to create web content that may lead to arbitrary code execution.

Several other components also contain vulnerabilities. For example, the sysdiagnose component contained a vulnerability (CVE-2019-8574) which allows an attacker to execute arbitrary code with system privileges.

The full security update, containing an overview of all vulnerabilities, can be read on the following webpage:

https://support.apple.com/en-gb/HT210118

4.2 Android security update

On May 6th, the Android development team released their monthly security bulletin.

The Android security team fixed 30 vulnerabilities in the May security update. Most of them relate to the System component and to Qualcomm closed-source components. Of the System-related vulnerabilities, 3 allow remote code execution (RCE), 2 privilege escalation and 3 information disclosure.

The most severe security vulnerability reported in this month’s security bulletin is CVE-2019-2047. This security vulnerability allows remote code execution in the proxy auto-config with no additional execution privileges needed. User interaction is not needed for exploitation.

More information can be found on the May 2019 security bulletin: https://source.android.com/security/bulletin/2019-05-01#asterisk


5 Security news

5.1 Mobile security news

The security state of financial applications

A security researcher reverse engineered 30 Android mobile financial applications and found that many of the banking applications did not follow security best practices (e.g. hard-coding sensitive data inside their builds).

The key reported issues were that 97% of the tested applications lacked binary code protection, 83% stored data outside the app’s control, 80% implemented weak encryption algorithms and 70% used insecure random-number generators. These issues left the apps exposed to code extraction, API identification, file-name enumeration, access to sensitive data and more.

Just with the lack of binary protections, eleven weaknesses were identified. The image shows an overview of the different weaknesses.

These results demonstrate that banking apps are not always as secure as they should be. According to the security researcher, the main improvement areas are implementing application shielding techniques such as application binding, repackaging and tamper detection, data-at-rest encryption and key protection.

https://threatpost.com/financial-apps-are-ripe-for-exploit-via-reverse-engineering/143348/

Critical flaw in Qualcomm technology

Researchers discovered a side-channel attack on Qualcomm technology which allows attackers to extract sensitive data from Qualcomm’s secure KeyStore.

Modern Android devices include a hardware-backed KeyStore that allows developers to protect their cryptographic keys. On Qualcomm hardware, this is done by splitting execution into a "secure world" and a "normal world". Sensitive data should only be handled by the secure world, while everything else, including the Android OS itself, runs in the normal world. However, the two worlds share the same microarchitectural structures, which allows a side-channel attack to sample the memory cache and can ultimately lead to private key extraction.
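As an added example (not from the newsletter, Qualcomm or Google), the following Android code generates a signing key in the Android Keystore and then asks the platform whether the private key actually lives in the secure world described above; the same key is the building block for the “strong device binding” recommendation in section 3.3. It assumes API level 28 or higher for the StrongBox request; the key alias is hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;

/** Added example: create a device-bound signing key and verify where it is stored. */
public final class HardwareKeyCheck {
    private static final String ALIAS = "example-device-binding-key"; // hypothetical alias
    private static final String PROVIDER = "AndroidKeyStore";

    /** Builds the key spec; preferStrongBox asks for the dedicated secure element (API 28+). */
    private static KeyGenParameterSpec spec(boolean preferStrongBox) {
        return new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setIsStrongBoxBacked(preferStrongBox)
                .build();
    }

    /** Generates the key pair, preferring StrongBox and falling back to the TEE-backed keystore. */
    public static KeyPair generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        try {
            kpg.initialize(spec(true));
            return kpg.generateKeyPair();
        } catch (StrongBoxUnavailableException e) {
            // No secure element on this device: fall back to the normal hardware-backed keystore.
            kpg.initialize(spec(false));
            return kpg.generateKeyPair();
        }
    }

    /**
     * Asks the keystore whether the private key material lives in the secure world
     * (TEE or StrongBox) rather than in the normal-world software keystore.
     * A false result means the key is protected only by OS access control.
     */
    public static boolean isHardwareBacked(KeyPair kp) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(kp.getPrivate().getAlgorithm(), PROVIDER);
        KeyInfo info = factory.getKeySpec(kp.getPrivate(), KeyInfo.class);
        // On API 31+ KeyInfo.getSecurityLevel() additionally distinguishes TEE from StrongBox.
        return info.isInsideSecureHardware();
    }
}
```

A true result confirms the key sits in the TEE or StrongBox, not that the device carries the OEM patch for the flaw above; that still depends on the device’s security patch level.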

The discovered flaw impacts up to 36 Qualcomm chipsets, which are used in most Android mobile devices. This includes, but is not limited to, the following smartphone lines: Samsung Galaxy, Sony Xperia, Xiaomi Mi, LG V50, ZTE Axon. In addition, the Qualcomm technology is also used in embedded devices.

Figure 12: Vulnerability findings across financial apps (source)

To perform the attack, the device needs to be rooted, which lowers the likelihood of exploitation. However, as interest in classic vulnerabilities such as buffer overflows decreases, attackers focus more on advanced attacks such as side-channel attacks. The flaw has already been patched by several OEMs, but some devices are still vulnerable. Users are advised to update their devices to the latest available version.

https://threatpost.com/qualcomm-critical-flaw-private-keys-android/144112/

5.2 General security news

Secret Access Tokens Leaked from WordPress iOS App

A team of WordPress engineers discovered a vulnerability in the WordPress iOS application that leaked authorization tokens to certain third-party websites hosting images for a blog.

The code that fetched images from these third-party websites was flawed: the image requests sent along a sensitive WordPress authorization token, so the third-party websites ended up with a copy of it.

The vulnerability affected all versions of the WordPress iOS app for over two years. It was patched in version 11.9.1. Since authorization tokens leaked, and not passwords, users do not need to change their password. As a precaution, all access tokens have been reset. Furthermore, a warning message was sent to all iOS users using third-party image services.

https://thehackernews.com/2019/04/wordpress-ios-security.html

New versions of the XLoader malware have been identified

New variants of the XLoader banking Trojan have been identified by Trend Micro. These new versions target mobile devices, either by posing as a security application on Android or by using a malicious iOS profile on iOS. After installation, the malware steals sensitive information (e.g. IMEI, IMSI, Android device ID, device ID…) from the infected devices.

These new variants also contain remarkable code changes which include a new update procedure and support for new command-and-control channels (such as Tumblr and Instagram). Trend Micro claims these additional operations make the malware very dangerous as threat actors can use these to perform targeted attacks.

Trend Micro researchers believe the malware is closely related to the FakeSpy malware. Characteristics (e.g. deployment technique, similar naming methods, hosting of the fake iOS profile on a site previously linked to FakeSpy…) are all very similar in both malware versions.

https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/

Phishing using a fake Android Chrome address bar

Security researcher James Fisher found a new and interesting way of phishing Android users. On his security blog he published a technique which allows an attacker to mimic the Chrome address bar with a URL of their choosing. This technique allows attackers to persuade unknowing victims that they are on a legitimate website, while in fact they are on an attacker-controlled domain.

The attack is caused by a UX design feature of the mobile version of Google Chrome. While scrolling down on a website, Chrome hides the original address bar to free up screen real estate. This allowed the security researcher to show his own fake address bar instead. As the design of the fake header is identical to the original URL bar, potential victims could be tricked into believing a malicious domain is a valid, trusted domain.


Figure 13: Fake address bar in Chrome on Android (source)

Furthermore, the security researcher also succeeded in tricking Chrome into not displaying the address bar at all on page load, by using JavaScript to force the browser to scroll down immediately.

His suggested solution is to have the Chrome browser always display the URL of the currently visited domain.

https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/

Tax scammers are launching new fake mobile apps as tax day approaches

As the United States national deadline for tax declarations approaches, the number of fake mobile apps released by tax scammers is also on the rise. Scammers exploit the pressure people feel to file their tax declaration before the deadline.

According to RiskIQ figures, the number of malicious apps matching common tax keywords and brands is rising to record levels. In total 4.2 million applications using these common keywords have been identified on app stores. Of these 4.2 million, 30 percent (1.2 million) exhibit suspicious behavior or are blacklisted. Furthermore, over 1.3 million phishing hosts have been identified by RiskIQ. Tax scammers are taking advantage of the proven efficacy of tax phishing and malware attacks.

Consumers and businesses are recommended to properly vet and select the mobile apps they use for prepping their tax declaration. Additionally it is recommended to not click on links in tax phishing mails.

https://threatpost.com/threatlist-tax-scammers-launch-a-raft-of-fake-mobile-apps/143728/

WhatsApp fixes bug which allowed the spreading of spyware

A security issue in the WhatsApp mobile applications allowed the secretive Israeli spying firm NSO Group to spread spyware to any WhatsApp user. The spyware did not require any user interaction to be installed; the attackers only needed a valid phone number linked to a powered-on phone with a WhatsApp account.

WhatsApp has fixed the issue in their latest application update and recommends all users to update the WhatsApp application.

The attack in this case can clearly be attributed to the secretive Israeli NSO Group, which has a proven track record of creating spyware for government use.

https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab


6 Statistics

6.1 OS market shares

Figure 1 - OS market share (Source)

If we compare this month’s operating system market shares to last month’s, we can see a slight increase for Android. Conversely, iOS decreased slightly compared to last month. All other OSes showed little fluctuation compared to last month.

6.2 iOS

Figure 2 - Usage of iOS versions (Source)

Similar to the previous four months, iOS users continue to shift towards the newest iOS 12 versions, which is a good thing. Since the stable release of iOS 12 in mid-September, we have seen a shift towards the new operating system.

Figure 1 data: Android 70.22%, iOS 28.21%.

Figure 2 data: iOS 10.x 2.86%, iOS 11.x 9.56%, iOS 12.x 85.60%.


6.3 Android

Version                 Codename            Distribution   Netmarketshare
Android 2.3.3 - 2.3.7   Gingerbread         0.3%           0.1%
Android 4.0.3 - 4.0.4   Ice Cream Sandwich  0.3%           1.4%
Android 4.1.x           Jelly Bean          1.2%           0.6%
Android 4.2.x           Jelly Bean          1.5%           2.73%
Android 4.3             Jelly Bean          0.5%           0.1%
Android 4.4             KitKat              6.9%           2.4%
Android 5.0             Lollipop            3.0%           1.5%
Android 5.1             Lollipop            11.5%          6.8%
Android 6.0             Marshmallow         16.9%          12.8%
Android 7.0             Nougat              11.4%          12.1%
Android 7.1             Nougat              7.8%           9.1%
Android 8.0             Oreo                12.9%          18.74%
Android 8.1             Oreo                15.4%          23.6%
Android 9               Pie                 10.4%          1.68%

(Source)

Google has updated their distribution dashboard, so the data in the table above is once again from Google itself. As a comparison, we’ve added a column for Netmarketshare to examine the difference.

It is clear that Google’s statistics are in fact more pessimistic than those from Netmarketshare, as Google reports higher percentages for all versions up to Android 6.0. This means that many more devices run lower Android versions than Netmarketshare suggests.

On the other hand, Google reports a much higher adoption rate for Android P, Google’s latest release.

Netmarketshare’s data is based on website visits to various websites. While this does give a global picture, Google’s information should be much more detailed, as they can most likely see the version information of any Android device which has the Google Play Services installed.