Cyber crooks are actively taking advantage of a serious flaw affecting most Android users, which allows attackers to add malicious code to a legitimate app without altering the app’s cryptographic signature, a security company warned today.
Whilst purported exploit code had been released online, no truly malicious apps had been found taking advantage of the “master key” vulnerability until now.
Details on the flaw are due to be expanded on by startup BlueBox at BlackHat later this month, but one clear way to exploit the flaw is to somehow tamper with an app by adding an extra file into an Android application package (APK).
To exploit the flaw, attackers add two files of the same name to an APK subdirectory called META-INF, which contains signed checksums for all the other files in the package.
But Android only validates the most recently-added file where two files have the same name. Yet it installs the second one, as Sophos explained in a blog post. That’s how hackers can sneak in infected files (a similar exploit was uncovered in China recently).
And it appears that is what hackers have now done in their attempts to steal user data.
The so-called “Skullkey” apps, two of which were uncovered by Symantec, look like legitimate applications distributed on Android marketplaces in China to help users make doctor appointments.
“An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,” Symantec said in a blog post.
“We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.
“We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices.”
A program from Duo Security and the System Security Lab at Northeastern University claims to patch the master key flaw.
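A defender can check a package for the duplicate-name trick described above before installing it. The following is an added example, not code from Sophos, Symantec, Duo Security or BlueBox; it flags any archive entry name that appears more than once in an APK, and the sample archives and their contents are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: count} for names listed more than once in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, duplicates included.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_versions(apk_bytes: bytes, name: str) -> list:
    """Return the content of every entry stored under `name`, in archive order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # Reading by ZipInfo (not by name) selects one specific record.
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def build_sample(duplicate: bool) -> bytes:
    """Build a constructed stand-in for an APK, optionally with a repeated name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns, but does not refuse, when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"constructed-entry-A")
            if duplicate:
                zf.writestr("classes.dex", b"constructed-entry-B")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("tampered", build_sample(True))):
        dups = duplicate_entries(sample)
        print(label, "->", dups or "no duplicate entry names")
        for name in dups:
            versions = entry_versions(sample, name)
            print("  ", name, "contents differ:", len(set(versions)) > 1)
```

A well-formed APK has no reason to list the same name twice, so any hit is grounds to reject the package rather than trust its signature check.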
Many popular Facebook apps are obtaining sensitive information about users—and users’ friends—so don’t be surprised if details about your religious, political and even sexual preferences start popping up in unexpected places.
Not so long ago, there was a familiar product called software. It was sold in stores, in shrink-wrapped boxes. When you bought it, all that you gave away was your credit card number or a stack of bills.
Apps on Facebook may be grabbing and sharing more personal information than many users realize. And even if people understand that they’re sharing personal data, they often can’t envision the ways it may be used in the future. WSJ’s Julia Angwin explains.
Now there are “apps”—stylish, discrete chunks of software that live online or in your smartphone. To “buy” an app, all you have to do is click a button. Sometimes they cost a few dollars, but many apps are free, at least in monetary terms. You often pay in another way. Apps are gateways, and when you buy an app, there is a strong chance that you are supplying its developers with one of the most coveted commodities in today’s economy: personal data.
Some of the most widely used apps on Facebook—the games, quizzes and sharing services that define the social-networking site and give it such appeal—are gathering volumes of personal information.
A Wall Street Journal examination of 100 of the most popular Facebook apps found that some seek the email addresses, current location and sexual preference, among other details, not only of app users but also of their Facebook friends. One Yahoo service powered by Facebook requests access to a person’s religious and political leanings as a condition for using it. The popular Skype service for making online phone calls seeks the Facebook photos and birthdays of its users and their friends.
Nokia Phi Pops Up On WMBench with Windows Phone 8 (Photo: WMPoweruser)
Nokia is the leading manufacturer for Windows Phone, and the Finnish giant has been selling devices only since November of 2011, a full six months ago. The Lumia 800 was the first of many Windows Phone 7.5 devices. However, the company is not slowing down, and it now appears a Windows Phone 8-based Nokia is already in the works.
The device is simply called the Nokia Phi, according to WP Bench, a tool that allows users to benchmark their Windows Phone. The device showed up on the tool with Windows Phone 8 as the OS of choice, which leaves us wondering if we will see this device at Microsoft’s Windows Phone Developer Summit next month. It would make sense for Microsoft to use a Nokia branded Windows Phone 8 handset as its test device at the summit since both companies are tied in bed together.
Facebook, on the heels of buying Instagram, launched a new camera app for iPhone on Thursday to “share photos in a snap.”
When you open the app, it recognizes you if you’re already logged in to the Facebook app and asks you if you want to continue under that login. And it asks for your permission to stalk you and geolocate your photos.
Facebook launched its fourth iOS app Thursday, called Facebook Camera. (Facebook / May 24, 2012)
It’s very clear from the start that this app is about photos and photos only. Across the top of the home screen you get a camera at top left of a small preview of your phone’s album. Just below you see a feed of your friends’ photos, with the likes and comment tally overlaid.
The edges of horizontal photos extend past the white background of the feed, but you can tap and turn the image to get the full effect. For collections of photos, you see the edge of the next one extending past the white background and you just swipe your finger from right to left to scroll through the album.
The app doesn’t refresh the same way you drag the screen to refresh the main Facebook app. If you try to do it that way, you’ll just reveal your own camera album. The refresh button is under the camera icon. That actually drove me a little nuts. As a Facebook addict, my thumb automatically moves to swipe to refresh the screen.
The app allows you to shoot directly from it and do some minor editing including making slight adjustments to the photo’s orientation. As with every single photo app coming out these days, yes, you’ve got filters — over a dozen of them.
To publish, you tap to create a post and write your text description. You can add more photos, set or remove the location and select what pre-determined group you’ll allow to see your upload.
When it comes to adding more photos to a post, it’s not enough to just select the photo if you shoot it while in mid-post. After you’ve finished tweaking, you actually have to tap the grayed-out checkmark at the top right of the screen when the photo is full screen. Once it turns green, you’re good to go.