Researchers claim discovery of new Android VPN vulnerability

by Jeff Causey on
tagged , , ,

Android Security

Researchers at the Ben Gurion University Cyber Security Lab are back in the news with a claim that they have discovered a new vulnerability in the Android implementation of VPN. According to the researchers, the exploit would allow a malicious app to bypass an active VPN connection and redirect traffic to a different server. The vulnerability can supposedly be installed without root access and does not need any specific VPN permissions. When the data is redirected by the malicious app, it can be sent unencrypted to a target server without the user being aware the data is being redirected.

» Read the rest

Starbucks app stores personal information in plain-text format

by Jared Peters on
tagged , ,

Starbucks_Logo_Store_Front

If you use the official Starbucks mobile payment app, you may want to reconsider. According to security researcher Daniel Wood, the application stores information like your email address, password, and GPS location and an unencrypted plain-text format. Anyone who has access to your phone could do a bit of work to steal that information, which is not something you want someone else to have access to. Even worse, because the app makes payments using an on-screen barcode, that barcode method could be manipulated to suck money out of your bank account.

Fortunately, someone would need access to your phone to get this information, but it’s still a vulnerability that you should be aware of. Hopefully Starbucks addresses this soon.

source: Computer World

via: Engadget

Samsung issues response to recent claims of KNOX vulnerability

by Jeff Causey on
tagged , , , ,

samsung_knox_logo

Last month security researchers from Ben-Gurion University Cyber Security Labs claimed to have discovered a vulnerability in Samsung’s KNOX security platform. Samsung has issued a statement regarding the claims, indicating the issue identify by the Ben-Gurion researchers was really a classic Man in the Middle (MitM) attack and not a bug or flaw in KNOX or Android. Samsung indicates they reached out and discussed the issue with the security researchers  and were able to verify that the exploit that was identified exists as it “uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.” » Read the rest

Security researcher highlights risks of Google’s weblogin for one-click authentication in Android

by Jeff Causey on
tagged , , ,

defcon_craig_young

At the recently held Def Con 21 security conference in Las Vegas, security researcher Craig Young with Tripwire demonstrated a proof of concept for a vulnerability in the way Android handles one-click authentication for web sites and apps. The authentication method is called “weblogin” and works by generating a unique token that is used to directly authenticate users via their Google+ accounts. Young’s proof of concept demonstrated how a rogue app could steal the weblogin tokens and redirect them to an attacker. Once they have the tokens, attackers could then impersonate victims with a variety of Google services like Gmail, Google Apps, Drive, Calendar and Voice. » Read the rest

New major security threat for Android devices revealed, but Google already has a patch in place this time

by Jared Peters on
tagged , ,

android_trojan

After all the commotion about the latest major security vulnerability to Android devices, you would think things on the security side of the platform would quiet down for a bit. However, that’s not the case, as a Chinese site has posted details about an application exploit similar to Bluebox’s earlier revealed loophole that would allow apps to avoid signature verification to run malicious code on an Android device.  However, the vulnerability was found in older code that was replaced with a security fix, so Google was already aware of the problem and has patched it up as soon as they were made aware of it. It may take awhile for that type of security patch to hit devices in the wild, but like the Bluebox vulnerability, Google has done all they can to take care of things on their end.

If you want to read up on the specifics of the vulnerability, hit the links below. It’s a pretty small, complicated vulnerability that would be pretty tricky for malware to pull off on most devices, but it’s interesting nonetheless.

source: Sina Blog

via: Android Police

Exynos kernel exploit could open several Samsung devices to malware or worse

by Jeff Causey on
tagged , , , , , , , ,

Some bad news is surfacing this weekend for owners of several popular Samsung devices. Members of XDA Developers identified a kernel exploit for devices with certain Exynos processors that could provide root access without flashing the device. According to XDA member alephzain, the vulnerability was discovered on his Samsung Galaxy S III in /dev/exynos-mem. The weakness provides full read/write rights to all physical memory. » Read the rest

Skype officially responds to security vulnerabilities in Android app

by Dustin Karnes on
tagged , , , ,

We reported yesterday that there has been a major security hole discovered in Skype for Android. The vulnerabilities make it possible for third-party malicious apps to easily access your Skype files, including your profile info.

As of late yesterday, Skype officially responded on their blog with the following:

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

In other words: Yes, Skype is aware of the issue. Yes, they’re working on it. No, they don’t have a fix yet. However, with as relentless as the Android community is about their privacy (and rightfully so), you can bet that we’ll see an update with fixes soon. Be sure to keep it locked here for all the latest on this issue, and let us know what you think about it in the comments.

[via skype]

Android 2.3 Shows Security Bug, Can Gain Access To Content On microSD Cards

by Joe Sirianni on
tagged , , , , , , , ,

It looks like a bugs life can be pretty busy now a days, especially when they continue to infestate the Android OS.  In addition to still bearing some SMS issues, it looks like 2.3 Gingerbread has found a new gaping whole in the software.  According to Xuxian Jiang, a security researcher at North Carolina State University, the Android 2.3 firmware has revealed a new bug, one that could possibly allow malicious sites and attackers alike to gain access to the content of your microSD card.  Jiang is also an assistant professor with the school and has stated in an advisory that pertinent and vital content like banking info, photos and voicemails could be extracted and routed to a remote server of choice.  In an email sent to eWeek, Jiange also adds that his findings were not particularly difficult to implement and only requires basic knowledge of JavaScript and Android. » Read the rest

“Unhackable” Android phones can indeed be hacked

by Chris Moor on
tagged , , , , , , , , , , ,

Well we kind of already knew this, with the recent wallpaper fiasco, but here is a video interview with Anthony Leinberg (sorry if last name is misspelled!) who is a security researcher with Lookout Mobile Security. Anthony and his associates at Lookout have developed an exploit that can give them root access to a variety of Android phones, including some higher-end devices like the HTC EVO, Droid X and Droid Incredible. Just check out the video and watch for yourself:

» Read the rest