iPhone exploits in hacked websites went unnoticed for years

13»

Comments

  • Reply 41 of 60
    This is more of a PR reaction from Google after the day before when an app (a document scanning app) spreading malware among Android but not iOS. The news was all over the places. And then the next day you hear this crap from Google. 
    edited August 2019 cornchipStrangeDays
  • Reply 42 of 60
    davgregdavgreg Posts: 838member
    Maybe Apple should spend less on stock buybacks and TV production and a little more on security auditing.
  • Reply 43 of 60
    gatorguygatorguy Posts: 23,006member
    This is more of a PR reaction from Google after the day before when an app (a document scanning app) spreading malware among Android but not iOS. The news was all over the places. And then the next day you hear this crap from Google. 
    Yeah CamScanner was a tricky one. It had always been a legit and malware free app. Then somewhere along the line a couple of updates ago one of the catalogs used by the developer was hijacked and replaced by an adware one as I understand it. That went on for a few months. Now it's back to being malware free after the developer was advised of the spy in his infrastructure, Google removed the app, and the developer went thru a couple more updates to rid his app of any further adware

    Google's reaction to a relatively new way of exploiting legitimate apps is to offer rewards to security researchers who find this stuff in even major 3rd party apps and not just Google software. Putting thousands more professional eyeballs in play looking for app problems is an excellent idea and offering up to a $100K in bug bounties will flesh a lot of these shadow-lurkers out. 
    edited August 2019 avon b7ravnorodomargonaut
  • Reply 44 of 60
    Or maybe a nice deflection that Chrome was easily hacked and could remotely exploit your PC/MAC etc ... and was NOT found by their crack team, as it was to busy looking at holes in iOS :-D

    regurgitatedcoprolitemdriftmeyer
  • Reply 45 of 60
    uraharaurahara Posts: 543member
    knowitall said:
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, whats new?
     Nonsense. How is it related to the usage of the Facebook, Google, Microsoft? They could include the names of the biggest banks. And then not to use the banking system?
    Or if the full list includes Apple, iPhone as well? Than what are you going to use? Don't use any electronics. Go back to your cave. 
    fastasleepmuthuk_vanalingamargonaut
  • Reply 46 of 60
    bb-15bb-15 Posts: 281member
    lkrupp said:
    gatorguy said:
    kkqd1337 said:
    crosslad said:
    I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s. 
    Now THIS is a valid comment. 

    As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of an their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days.
    Google improves their platform security every month with regular pushed updates to devices they sell, and on rare occasion more often than that. EOM's (who they don't control) get those same security updates supplied to them in advance of the the Google device rollout. Did you think they don't, and if so based on what?

    If you do any current reading you'd come away with the realization that Google Android today is not Google Android of 10 years ago. Now they're generally seen as close to if not equally as secure as iOS by most security professionals I see offering honest comment. 

    BTW the very latest Win10 update bonkered one of my RIP stations (but not the other??) so no I'm not particular happy with them these days. 

    So anyway users of any computer operating system should be thankful for the efforts of Google's Project Zero team. Without them no one's platform of choice would be as secure as it is, nor would the OS providers be as driven to push out patches. 
    What you conveniently leave out, of course, is the fact that many Android device manufacturers other than Google itself rarely if ever push updates out to their customers.It’s usually months and months before a few manufacturers issue updates. And as you have stated elsewhere the Pixel is a tiny blip on the smartphone radar screen. Many Android devices never get an update during their lifespan and are therefore vulnerable to all the security flaws discovered. Apple, on the other hand, all but forces iOS users to update their devices on a regular basis. Some scream bloody murder about being annoyed by Apple’s persistent notices to update. So the Google emperor has no clothes when it comes to touting security updates and patches. In the real world Android is the leaky security risk, not Apple.  
    Adding to that; from Ars Technica;
    (apologies about the original post size of the font. It was copy & paste from the Ars website. 2nd edit; I fixed it on my Mac. Much easier than using an iPad.)

    “Google Play apps with 1.5 million downloads drained batteries and slowed devices

    Stealthy new click-fraud technique displayed ads that were invisible to users.

    DAN GOODIN -  8/29/2019, 3:00 AM”

    “Google Play app with 100 million downloads executed secret payloads

    The sad, impractical truth about Android app security in 2019.

    DAN GOODIN -  8/27/2019, 12:15 PM”

    85 Google Play apps with 8 million downloads forced fullscreen ads on users

    Banished apps used clever tricks to avoid detection and removal.

    DAN GOODIN -  8/19/2019, 1:05 PM”


    edited August 2019 mdriftmeyer
  • Reply 47 of 60
    gatorguygatorguy Posts: 23,006member
    bb-15 said:
    lkrupp said:
    gatorguy said:
    kkqd1337 said:
    crosslad said:
    I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s. 
    Now THIS is a valid comment. 

    As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of an their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days.
    Google improves their platform security every month with regular pushed updates to devices they sell, and on rare occasion more often than that. EOM's (who they don't control) get those same security updates supplied to them in advance of the the Google device rollout. Did you think they don't, and if so based on what?

    If you do any current reading you'd come away with the realization that Google Android today is not Google Android of 10 years ago. Now they're generally seen as close to if not equally as secure as iOS by most security professionals I see offering honest comment. 

    BTW the very latest Win10 update bonkered one of my RIP stations (but not the other??) so no I'm not particular happy with them these days. 

    So anyway users of any computer operating system should be thankful for the efforts of Google's Project Zero team. Without them no one's platform of choice would be as secure as it is, nor would the OS providers be as driven to push out patches. 
    What you conveniently leave out, of course, is the fact that many Android device manufacturers other than Google itself rarely if ever push updates out to their customers.It’s usually months and months before a few manufacturers issue updates. And as you have stated elsewhere the Pixel is a tiny blip on the smartphone radar screen. Many Android devices never get an update during their lifespan and are therefore vulnerable to all the security flaws discovered. Apple, on the other hand, all but forces iOS users to update their devices on a regular basis. Some scream bloody murder about being annoyed by Apple’s persistent notices to update. So the Google emperor has no clothes when it comes to touting security updates and patches. In the real world Android is the leaky security risk, not Apple.  
    Adding to that; from Ars Technica (apologies about the size of the font. It was copy & paste from the Ars website.) Etc...

    It nearly always seems to be ad-clickers too. Not stealing user data, or tracking, or fraud....
    ... generally hidden from the user ads to collect per-click money. Adware. I think I remember something about a bitcoin miner hidden in one too a few months ago. 

    It's taken Google long enough but they're now slowing down the app approval process to use more real human teams to vet apps in a similar way to Apple, particularly so with new developers. It obviously can't stop all PUPS and malware, any more than Apple can prevent all of it in the App Store. Still it's the right move, combined with recently announced bug bounty's for discovering malformed apps, more thorough human reviews of app updates to already approved apps before pushing them out, and heavily restricting developers access to certain categories of permissions.

    A few devs are squawking of course
    https://www.theinquirer.net/inquirer/news/3080665/google-extends-android-app-approval-times
    but far too many were requesting unneeded permissions and access, or including unannounced "features"  and Google (finally) won't allow that to continue. That's the part I personally care about. The fact that a few million Google Play app downloads out of about 80 billion a year contains adware/malware makes it highly unlikely I'd ever encounter any of it myself and I never have, nor has anyone I personally know.

    Still, left to themselves people are inherently greedy and too many don't play well with others.  A relative few dishonest devs make it tough on the entire community. Rules had to be tightened and in the short-term there's going to be inevitable complaints about Google cracking down just as Apple has ( and for the same reasons). Open becomes less open because people can't abide rules. 
    https://android-developers.googleblog.com/2019/04/improving-update-process-with-your.html
    edited August 2019 muthuk_vanalingam
  • Reply 48 of 60
    gctwnlgctwnl Posts: 278member
    Why aren't the actual websites made public? That would at least give people information about them having been hacked before the fix.
  • Reply 49 of 60
    gatorguygatorguy Posts: 23,006member
    gctwnl said:
    Why aren't the actual websites made public? That would at least give people information about them having been hacked before the fix.
    Apparently very small and lightly visited sites since only "several thousand" visits were registered over the time they were being monitored by the security teams. Reading between the lines I get the impression most of these were Asian iPhone users, China, Russia, and maybe focused on sites of interest to potential "dissidents"  though that's not been stated. 
    joguargonaut
  • Reply 50 of 60
    fastasleepfastasleep Posts: 5,477member
    gatorguy said:
    gctwnl said:
    Why aren't the actual websites made public? That would at least give people information about them having been hacked before the fix.
    Apparently very small and lightly visited sites since only "several thousand" visits were registered over the time they were being monitored by the security teams. Reading between the lines I get the impression most of these were Asian iPhone users, China, Russia, and maybe focused on sites of interest to potential "dissidents"  though that's not been stated. 
    I'm curious about this too, and couldn't find any information beyond the implied dissident stuff:

    "This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."
    "
    To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group."

    and a link to a 2016 article about a UAE dissident being targeted.

    Which makes me think that this might be a state-sponsored actor, and perhaps being further investigated by whomever it might concern. They also implied there may be more out there: "
    Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen."

    ¯\(°_o)/¯ 


    joguargonaut
  • Reply 51 of 60
    fastasleepfastasleep Posts: 5,477member
    knowitall said:
    gatorguy said:
    knowitall said:
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, whats new?
    Aren't those spoof sites? Com. or Net. before the website instead of after? 
    As answered below (by Asdasd): domain names read backwards.
    But spoofed or not my remark still stands.
    A) Using Facebook, Google, or Microsoft has absolutely nothing to do with this exploit beyond being additional data targets on the device, or the ability to access those services using that data by the attackers. and B ) They're not domain names read backwards, they're bundle identifiers for apps installed on the device, the list of which can be added to — so you might as well "don't use any apps on your iPhone" which would still not mitigate the threat of every other bit of data on your phone from being uploaded to the attacker.

    You should really change your handle.
    edited August 2019 muthuk_vanalingamargonaut
  • Reply 52 of 60
    fastasleepfastasleep Posts: 5,477member
    Recommend reading the first and last pages of the report at the very least. This summary of the malware in action is absolutely terrifying. Literally everything on your device could be exfiltrated if you had visited one of these sites. Think about that for a moment.

    https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

    Literally everything is sent in plaintext over HTTP:
    This is just building a typical HTTP POST request body, embedding the contents of each file as form data.
    There's something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear. If you're connected to an unencrypted WiFi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server.
    This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.

    and
    This method takes a dictionary with a command and an optional data argument. Here's a list of the supported commands:
    systemmail  : upload email from the default Mail.app
    device      : upload device identifiers
                   (IMEI, phone number, serial number etc)
    locate      : upload location from CoreLocation
    contact     : upload contacts database
    callhistory : upload phone call history 
    message     : upload iMessage/SMSes
    notes       : upload notes made in Notes.app
    applist     : upload a list of installed non-Apple apps
    keychain    : upload passwords and certificates stored in the keychain
    recordings  : upload voice memos made using the built-in voice memos app
    msgattach   : upload SMS and iMessage attachments
    priorapps   : upload app-container directories from hardcoded list of
                    third-party apps if installed (appPriorLists)
    photo       : upload photos from the camera roll
    allapp      : upload container directories of all apps
    app         : upload container directories of particular apps by bundle ID
    dl          : unimplemented
    shot        : unimplemented
    live        : unimplemented

    and

    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. The command-and-control server can also query for a list of all 3rd party apps and request uploads of their container directories.
    These container directories are where most iOS apps store all their data; for example, this is where end-to-end encryption apps store unencrypted copies of all sent and received messages. 

    and
       
    The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server. The implant binary does not persist on the device; if the phone is rebooted then the implant will not run until the device is re-exploited when the user visits a compromised site again. Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.
    muthuk_vanalingamCarnageargonaut
  • Reply 53 of 60
    arlorarlor Posts: 528member
    All the "tu quoque" attacks on Google on this thread seem beside the point to me.

    iOS was vulnerable to some pretty serious exploits.

    I'm glad they were found. I'm glad they were patched.

    Thanks to Google for finding them and thanks to Apple for patching them. 

    Hopefully the next time this happens it will Apple finding the vulnerabilities instead of a third party. 
    muthuk_vanalingam
  • Reply 54 of 60
    arlorarlor Posts: 528member
    knowitall said:
    gatorguy said:
    knowitall said:
    Carnage said:
    isidore said:
    Obvious Question: Which websites?
    Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
    com.yahoo.Aerogram
    com.microsoft.Office.Outlook
    com.netease.mailmaster
    com.rebelvox.voxer-lite
    com.viber
    com.google.Gmail
    ph.telegra.Telegraph
    com.tencent.qqmail
    com.atebits.Tweetie2
    net.whatsapp.WhatsApp
    com.skype.skype
    com.facebook.Facebook

    com.tencent.xin

    ….

    Obvious: do not use Facebook, Google and Microsoft, whats new?
    Aren't those spoof sites? Com. or Net. before the website instead of after? 
    As answered below (by Asdasd): domain names read backwards.
    But spoofed or not my remark still stands.
    A) Using Facebook, Google, or Microsoft has absolutely nothing to do with this exploit beyond being additional data targets on the device, or the ability to access those services using that data by the attackers. and B ) They're not domain names read backwards, they're bundle identifiers for apps installed on the device, the list of which can be added to — so you might as well "don't use any apps on your iPhone" which would still not mitigate the threat of every other bit of data on your phone from being uploaded to the attacker.

    You should really change your handle.
    Colloquially, I think "knowitall" usually characterizes somebody who thinks they know it all, but doesn't. So maybe it's appropriate. 

    If the attackers had succeeded in compromising even one of the "sites" on that list, the number of people hit would not be in the "thousands," as the report indicated. So it should've been pretty obvious from the beginning that those were not the affected sites. 
    fastasleep
  • Reply 55 of 60
    tmaytmay Posts: 5,291member
    arlor said:
    All the "tu quoque" attacks on Google on this thread seem beside the point to me.

    iOS was vulnerable to some pretty serious exploits.

    I'm glad they were found. I'm glad they were patched.

    Thanks to Google for finding them and thanks to Apple for patching them. 

    Hopefully the next time this happens it will Apple finding the vulnerabilities instead of a third party. 
    https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#76b29f144adf

    "Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”

    Project Zero lacked so much context it became a social attack itself."

    Not a good look for Google either.
    edited September 2019 lkrupp
  • Reply 56 of 60
    bb-15bb-15 Posts: 281member
    tmay said:
    arlor said:
    All the "tu quoque" attacks on Google on this thread seem beside the point to me.

    iOS was vulnerable to some pretty serious exploits.

    I'm glad they were found. I'm glad they were patched.

    Thanks to Google for finding them and thanks to Apple for patching them. 

    Hopefully the next time this happens it will Apple finding the vulnerabilities instead of a third party. 
    https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#76b29f144adf

    "Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”

    Project Zero lacked so much context it became a social attack itself."

    Not a good look for Google either.
    Glad you brought this up. 
    As the true/complete story begins to unfold, it seems that Google’s Project Zero were part of a campaign involving lies of omission. 
    The pertinent details are beginning to be revealed; 
    1. The hacks in question were being done by the Chinese government against Muslim minorities in China. 
    2. The hacks by the Chinese government went through Windows, Google Android & Apple iOS operating systems. 

    * Rene Richie, through his YouTube website, outlines the controversy & media/tech enthusiast manipulation.
     
    edited September 2019
  • Reply 57 of 60
    IreneWIreneW Posts: 224member
    tmay said:
    arlor said:
    All the "tu quoque" attacks on Google on this thread seem beside the point to me.

    iOS was vulnerable to some pretty serious exploits.

    I'm glad they were found. I'm glad they were patched.

    Thanks to Google for finding them and thanks to Apple for patching them. 

    Hopefully the next time this happens it will Apple finding the vulnerabilities instead of a third party. 
    https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#76b29f144adf

    "Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”

    Project Zero lacked so much context it became a social attack itself."

    Not a good look for Google either.
    Recommended to read the article, which seems to help explain some of the mysteries around the sites and targets. But, at the same time, it doesn't really add any facts to the matter at all...
    "It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems. One source familiar with the hacks claimed Google had only seen iOS exploits being served from the sites."
  • Reply 58 of 60
    gatorguygatorguy Posts: 23,006member
    Well here's a pretty big surprise...

    Regular readers of AI should be familiar with Zerodium, the company who pays big bucks for exploits that can be used against iOS devices.
    https://appleinsider.com/articles/19/01/10/zerodium-hikes-bounties-for-apple-vulnerabilities-to-as-high-as-2m

    Well it seems they are now paying more for Google Android exploits than iOS, up to 25% higher. 
    https://twitter.com/Zerodium/status/1168862389262880768

    Quoting from an interview following the tweet:
    “The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”


    On the other hand: “it’s very hard and time consuming to develop full Android exploit chains.” He added that until Apple “re-improves the security of iOS components such as Safari and iMessage,” Android exploits are more valuable.

    edited September 2019
  • Reply 59 of 60
    gatorguygatorguy Posts: 23,006member
    Today Google got embarrassed by their own unpatched zero-day. No excuse for it to remain after 6 months. 
    https://www.zdnet.com/article/zero-day-disclosed-in-android-os/
  • Reply 60 of 60
    gatorguygatorguy Posts: 23,006member
    tmay said:
    arlor said:
    All the "tu quoque" attacks on Google on this thread seem beside the point to me.

    iOS was vulnerable to some pretty serious exploits.

    I'm glad they were found. I'm glad they were patched.

    Thanks to Google for finding them and thanks to Apple for patching them. 

    Hopefully the next time this happens it will Apple finding the vulnerabilities instead of a third party. 
    https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#76b29f144adf

    "Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”

    Project Zero lacked so much context it became a social attack itself."

    Not a good look for Google either.
    Would you have preferred Project Zero saying "those sites tried to exploit Android too but couldn't", because that's what the available facts are. One of the 11 appears to have tried and failed. Google closed the exploit the hackers were depending on... in 2017. 
    edited September 2019
Sign In or Register to comment.