Posts tagged: Android

Dec 22 2011

Backdoor in Android for No-Permissions Reverse Shell

Security expert Thomas Cannon, Director of R&D at viaForensics, has demonstrated a custom-developed app that installs a backdoor on Android smartphones without requiring any permissions or exploiting any security holes.

Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new: it has been quietly pointed out for a number of years and was explained in depth in a Defcon 18 presentation.

It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.

The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication.
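A defensive triage check for the pattern described above, as an added example that is not from the original post or from viaForensics: it flags a decoded AndroidManifest.xml that declares no INTERNET permission yet registers a browser-reachable (BROWSABLE) handler for a custom URI scheme. The sample manifest, package name and function names are constructed for illustration, and a hit is a signal for manual review, not proof of malice.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
WEB_SCHEMES = {"http", "https"}

# Constructed sample: decoded manifest text (e.g. as produced by apktool).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <activity android:name=".Callback">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="app"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def browsable_custom_schemes(root):
    """Return (component, scheme) pairs a web page can trigger via a redirect."""
    hits = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for flt in comp.findall("intent-filter"):
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" not in cats:
                continue  # not reachable from a browser link
            for data in flt.findall("data"):
                scheme = (data.get(A + "scheme") or "").lower()
                if scheme and scheme not in WEB_SCHEMES:
                    hits.append((comp.get(A + "name"), scheme))
    return hits

def triage(manifest_xml):
    """Summarise the manifest and flag the no-permission callback pattern."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    schemes = browsable_custom_schemes(root)
    has_net = "android.permission.INTERNET" in perms
    return {
        "declares_internet": has_net,
        "custom_schemes": schemes,
        # Heuristic only: no network permission, yet a browser can call back in.
        "review": bool(schemes) and not has_net,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```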

“In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it,” Thomas Cannon said.

Sep 15 2011

DroidSheep – Android Application for Session Hijacking

DroidSheep – One-click session hijacking using your Android smartphone or tablet computer.

DroidSheep is easy for anybody to use. Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That’s it.

What do you need to run DroidSheep?
– You need an Android-powered device, running at least version 2.1 of Android
– You need root access on your phone
– You need DroidSheep

Which websites does DroidSheep support?
– amazon.de
– facebook.com
– flickr.com
– twitter.com
– linkedin.com
– yahoo.com
– live.com
– google.de (only the non-encrypted services like “maps”)

Download: droidsheep-current.apk

Aug 23 2011

Get Paid to Hack Your TouchPad to Run Android

After HP announced it would discontinue production of its TouchPad tablet last week, it looked like early HP tablet adopters spent $500 on a dud. If you’re an enterprising software hacker, however, there could be an opportunity to make your money back — and then some.

A hardware-modification web site is offering a $1,500 cash bounty for the first person to successfully port a full version of the Android operating system over to HP’s TouchPad.

Hacknmod.com offers a tiered bounty system for would-be TouchPad hackers: Just getting Android to run on the TouchPad without taking full advantage of the tablet’s hardware will win you a cool $450. But the more you’re able to integrate the system software into the device, the more cash you’ll earn. Get the Wi-Fi, multitouch capability, audio and camera up and running, and you’ll add another $1,050 to the pot.

While the bounty is characteristic of the Android-modding crowd which basically wants to slap Android onto anything with a circuit board and touch screen, it’s also an admirable effort to breathe new life into a dying piece of hardware. After reports of dismal sales and third-party retailers sitting on hundreds of thousands of unsold TouchPads, HP decided to kill production after a mere 49 days on the market.

It was bad news for current TouchPad owners. No more HP hardware gives little incentive for webOS app developers to continue producing applications for the platform. In turn, TouchPad owners miss out on the latest popular applications to come to mobile devices. And of course, it gives potential customers no incentive to buy the remaining TouchPads retailers have in stock, costing HP and retail stores hundreds of millions of dollars. Everyone loses.

But if the porting plans work, it could mean bringing a slew of Android apps over to HP’s tablet. If the TouchPad can be made capable of running thousands of Android apps, the device may not be obsolete.

This isn’t the first time the Android-modification community tried to port the operating system over to non-Android devices. Android modders have run the operating system on Barnes And Noble’s Nook Color e-reader, certain Nokia smartphones and even an iPhone.

Jul 12 2011

Zeus For Android Steals One-Time Banking Passwords

Researchers have discovered a new variant of the insidious Zeus trojan that is designed to run on Google Android smartphones.

The malicious program is a new version of Zitmo (short for “Zeus in the mobile”), a mobile trojan application first discovered last year, Derek Manky, a senior security strategist at network security firm Fortinet’s FortiGuard Labs, told SCMagazineUS.com on Tuesday.

It is designed to steal mobile transaction authentication numbers (mTANs), or one-time passwords that some banks, mostly in Europe, send via SMS message to mobile users as an additional layer of security.

The malware poses as a legitimate banking security application called Rapport, which is made by web security firm Trusteer. Once installed, the bogus app intercepts all incoming SMS messages and forwards them to a remote server.

Mickey Boodaei, CEO of Trusteer, told SCMagazineUS.com on Tuesday that Zitmo’s masterminds leveraged his company’s name to gain users’ trust. The program spread for four to five days during late May and early June, but the servers supporting the operation were taken offline more than a month ago.

The Zitmo variant for Android worked in conjunction with Zeus version 2.1.0.10, Boodaei said. Once a user’s PC was infected with Zeus, the malware tried to trick them into downloading Zitmo on their smartphone.

The Zitmo family of malware has also previously targeted Symbian, BlackBerry and Windows Mobile phones, Boodaei said.

Zitmo is the first malicious mobile application designed to work in combination with a Windows trojan.