Tag Archives: mobile devices

“Accessibility Clickjacking” Puts 500 Million Android Devices at Risk

ANDROIDThe threat of malware on Android devices is nothing new or revolutionary. But the latest malware found could have the biggest impact. The malware is being dubbed as “accessibility clickjacking” and 500 million Android devices are at risk. It’s ok… take a second to read that again. That means 65% of Android devices are vulnerable.


Clickjacking is a technique attackers use to trick users into clicking on an element that is different than the one they are intending to click. It relies on the attacker’s capability to load a neutral webpage with an invisible overlay with the malicious content. Web browsers have mitigated against this type of attack, but it turns out Android is still vulnerable.

Recently, Symantec discovered a ransomware – Android.Lockdroid.E – that used the clickjacking technique to get admin rights for the device.

For more technical details and a video demonstrating the attack, check out the blog published by Skycure.


Skycure explains, “Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected device, as well as take automated actions via other apps or the operating system, without the victim’s consent. This would include all personal and work emails, SMS messages, data from messaging apps, sensitive data on business applications such as CRM software, marketing automation software and more.”

With the widespread range of vulnerable devices, the impact of this type of attack is pretty high. Any organization that has employees using Android devices to access work information or emails should take note.

Best Practices

Users of Android devices can take the following steps to be better protected against this malware:

Update: Update the operating system to the latest version. The clickjacking attack affects devices running anything from Android 2.2 Froyo to Android 4.4 KitKat. Update to Android 5.0 Lollipop or above is you haven’t already.

Third-Party Apps: Try to stay away from downloading apps from third-party app stores. To help, turn off the setting that allows third-party app installs:

  • Open “Settings” app
  • Find “Security” settings
  • Uncheck “Unknown sources”

Accessibility Permissions: Double check the apps you have installed that use accessibility permissions on the device. If you don’t need that functionality, turn it off:

  • Open “Settings” app
  • Find “Accessibility” settings
  • Make sure there is no group named “Services”
  • Or… make sure the group has no enabled entries

Password Recovery Scam!


Security firm Symantec is reporting an increase in a specific type of social engineering attack directed at mobile users to gain access to the victim’s email account. This simple attack method takes advantage of people’s willingness to trust authority figures.

The attacker uses the password recovery feature offered by email providers to gain access to the target’s account. All the attacker needs to know is the target’s email address and mobile number.

This video shows the attack in action.

Symantec also gave an example to describe the type of attack:

  • The victim, Alice, registers her mobile number with Gmail to recover her password through texting a verification code if she forgets it.
  • The attacker, Malroy, wants access to Alice’s account but doesn’t know the password. He knows Alice’s email address and mobile number though. Malroy visits the Gmail login page and enters Alice’s email address and then clicks on the “Need help?” link, which is used when people have forgotten their login credentials.
  • Malroy is offered several options, including “Enter the last password you remember” and “Confirm password reset on my phone,” but skips these until he is given the option “Get a verification code on my phone.”
  • Malroy chooses this option and an SMS message with a six-digit verification code is sent to Alice. Alice receives a message saying “Your Google Verification code is (six-digit code).”
  • Malroy sends Alice an SMS message saying something to the effect of “Google has detected unusual activity on your account. Please respond with the code sent to your mobile number device to stop unauthorized activity.”
  • Alice, believing the message is legitimate, replies with the verification code. Malroy then uses the code to get a temporary password and gains access to Alice’s email account.

Attackers can use this access for many different malicious activities. They can set up an alternate email on the account to receive copies of all messages and eavesdrop on the victim’s communications. The focus of these attacks seem to be around information gathering rather than financial gain like ripping off credit card numbers. Users need to be wary of all communications requesting verification codes – especially if they did not request one themselves. Legitimate password recovery messages will simply give the verification code and never ask for a response.

Massachusetts AG Fines Beth Israel Deaconess Medical Center $100,000

Massachusetts Attorney General (AG) Martha Coakley announced that Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a $100,000 fine to settle allegations that a hospital physician failed to protect the personal information (PI) and protected health information (PHI) of almost 4,000 patients and hospital employees.

“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” AG Coakley said. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”

According to the complaint, in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

Although the hospital’s policy and applicable law required employees to encrypt and physically secure laptops containing personal information and protected health information, the physician and members of his staff were not following these policies. BIDMC did not notify patients about the data breach as required under state and federal data breach notification laws until August 2012.

The lawsuit was filed under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.

The AG’s Office is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.

Survey Results – One-Third of U.S. Businesses Suffer IT Failures Caused by Non-Work Related Use



A survey of U.S. businesses released by GFI Software indicates the use of company devices for personal use is leading to major downtime and loss of confidential data.

The employers of more than one-third of those surveyed (38.6 percent) had suffered a major IT disruption caused by staff visiting questionable and other non-work related web sites with work-issued hardware, resulting in malware infection and other related issues. Nearly half of those surveyed (48 percent) use a personal cloud-based file storage solution (e.g. Dropbox, OneDrive, Box) for storing and sharing company data and documents.

The blind, independent study, conducted for GFI Software by Opinion Matters, surveyed 1,010 U.S. employees from companies with up to 1,000 staff that had a company-provided desktop or laptop computer. Other key findings include:

  • 66.9 percent of respondents use their work-provided computer for non-work activities
  • More than a quarter (25.6 percent) have had to get their IT department to fix their computer after an issue occurred as a result of innocent non-work use, while almost 6 percent (5.8) had to do the same due to questionable use (porn, torrents, etc.)
  • 10 percent have lost data and/or intellectual property as a result of the disruption caused by the outage

“Data security and integrity is a big challenge for companies as a result of the widespread movement away from desktop computers to laptops. Since laptops are usually brought home, they frequently get used out-of-hours for both work and non-work activities. Without clear policies and guidelines in place on approved personal use boundaries – backed up with technology to limit access to the most challenging parts of the internet – the dividing line between work tool and personal device, can quickly become blurred,” said Sergio Galindo, general manager of GFI Software.

“Data protection is a big problem, and one that has been exacerbated by the casual use of cloud file sharing services that can’t be centrally managed by IT. Content controls are critical in ensuring data does not leak outside the organization and doesn’t expose the business to legal and regulatory compliance penalties. Furthermore, it is important that policies and training lay down clear rules on use and reinforce the ownership of data,” added Galindo.

“Emmental” Scheme Defeats Two-Factor Authentication

Trend Micro released a 20-page report (PDF) on “Operation Emmental” (as in a type of Swiss cheese). The scheme makes use of Android malware to defeat two-factor authentication used in online banking. In an interesting twist, this malware changes a computer’s DNS settings to point to attacker-operated servers. The malware is delivered through phishing attacks designed to appear to come from popular retailers, installs a rogue SSL root certificate, then removes itself. Malicious HTTPS servers are thus trusted by default with no security warning given. Hackers then direct victims to spoofed banking websites.

At the spoofed sites, users are instructed to both enter their logon credentials and install a smartphone app. The app is disguised to appear to be a session token generator for the bank, but actually intercepts SMS messages from the bank and forwards them to a command-and-control  server or another mobile phone. Thus the cyber criminal acquires not only the victims’ online banking credentials, but also session tokens which provide full control of the victims’ bank accounts.

See also Finding Holes in Banking Security: Operation Emmental.

Key takeaway – the battle between legitimate businesses and cyber thieves continues to escalate.  Using two-factor authentication strengthens security, but there are no data security “silver bullets”. Given enough desire and focus, virtually any scheme, in this case 2-factor authentication, can be defeated.

Article Outlines Potential Security Threat From USB Devices

In an article from Wired, Why the Security of USB Is Fundamentally Broken, Security researchers Karsten Nohl and Jakob Lell highlight potential problems with the security of USB devices. To demonstrate the issue, they created a special malware they call BadUSB that can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, and redirect the user’s internet traffic. Because BadUSB resides in the firmware that controls the USD device’s basic functions, the attack code can remain hidden after the contents of the device’s memory would appear to the average user to be deleted. ‘In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.’

Nohl and Lell reverse engineered the firmware that runs the basic communication functions of USB devices—the controller chips that allow the devices to communicate with a PC and let users transfer files. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,'” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

According to the researchers, the problem isn’t limited to thumb drives. USB devices including keyboards, mice, and smartphones have firmware that can be reprogrammed. Once a BadUSB-infected device is connected to a computer, it can replace software being installed with a corrupted or backdoored version. It can also impersonate a USB keyboard to type commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

According to the article, any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it, and any USB device could silently infect a user’s computer. “It goes both ways,” Nohl says. “Nobody can trust anybody.”

According to Nohl: The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, do not connect your USB device to computers you don’t own or don’t have good reason to trust – and don’t plug untrusted USB devices into your own computer. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”

Factory Reset Doesn’t Remove Data on Android Phones

AVAST Software analyzed 20 used smartphones whose previous owners had performed a factory reset or a “delete all” operation on their devices. AVAST was able to recover more than 40,000 personal photos, emails, text messages, and – in some cases – the identities of the sellers.

“The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form to more than 250 selfies of what appear to be the previous owner’s manhood,” according to Jude McColgan, President of Mobile at AVAST. “We purchased a variety of Android devices from sellers across the U.S. and used readily available recovery software to dig up personal information that was previously on the phones.”

Key Takeaway: A factory reset or a “delete all” operation does not remove data on Android devices. To remove all data, make sure it is overwritten.


SGP Technologies Begins Shipping Blackphone Pre-orders

SGP Technologies, a joint venture between Silent Circle and Geeksphone, has begun shipping Blackphone pre-orders. Blackphone is smartphone custom-built with privacy in mind. Blackphone runs a customized version of Android called PrivatOS and bundles Silent Circle’s secure messaging and calling services. For more information see Exclusive: A review of the Blackphone, the Android for the paranoid from Ars Technica.

CFPB Publishes Consumer Tips Sheet for Mobile Device Users

Using mobile devices for online banking introduces security risks. To help educate consumers about these risks, the Consumer Financial Protection Bureau (CFPB) has published Tips when using mobile devices for financial services. The 1-page document may be useful for financial institutions looking for materials to help educate their customers about the fundamentals of online security.

UK ICO Serves £80,000 Penalty for Missing USB Stick

The Information Commissioner’s Office (ICO) has served North East Lincolnshire Council with a monetary penalty of £80,000 for the July 2011 breach of the sensitive information of hundreds of children with special educational needs (ICO news release). The information was stored on an unencrypted memory stick left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop the memory stick was gone and it has never been recovered. While the council had introduced a policy of encrypting portable devices in April 2011, it failed to make sure all of the memory sticks currently being used by staff were encrypted.

ICO Head of Enforcement, Stephen Eckersley, said: “[t]his breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”

The ICO’s Group Manager for Technology has published a blog explaining the importance of encryption and encryption options. The ICO has also published best practice advice for schools explaining the key issues with processing people’s information.

Best practices – Having policies in place is not enough. Ensure that privacy and data security policies and procedures are reasonable, understood by staff, and followed in actual practice.