This is more of a PR reaction from Google after the day before when an app (a document scanning app) spreading malware among Android but not iOS. The news was all over the places. And then the next day you hear this crap from Google.
This is more of a PR reaction from Google after the day before when an app (a document scanning app) spreading malware among Android but not iOS. The news was all over the places. And then the next day you hear this crap from Google.
Yeah CamScanner was a tricky one. It had always been a legit and malware free app. Then somewhere along the line a couple of updates ago one of the catalogs used by the developer was hijacked and replaced by an adware one as I understand it. That went on for a few months. Now it's back to being malware free after the developer was advised of the spy in his infrastructure, Google removed the app, and the developer went thru a couple more updates to rid his app of any further adware
Google's reaction to a relatively new way of exploiting legitimate apps is to offer rewards to security researchers who find this stuff in even major 3rd party apps and not just Google software. Putting thousands more professional eyeballs in play looking for app problems is an excellent idea and offering up to a $100K in bug bounties will flesh a lot of these shadow-lurkers out.
Or maybe a nice deflection that Chrome was easily hacked and could remotely exploit your PC/MAC etc ... and was NOT found by their crack team, as it was to busy looking at holes in iOS :-D
Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
com.yahoo.Aerogram
com.microsoft.Office.Outlook
com.netease.mailmaster
com.rebelvox.voxer-lite
com.viber
com.google.Gmail
ph.telegra.Telegraph
com.tencent.qqmail
com.atebits.Tweetie2
net.whatsapp.WhatsApp
com.skype.skype
com.facebook.Facebook
com.tencent.xin
….
Obvious: do not use Facebook, Google and Microsoft, whats new?
Nonsense. How is it related to the usage of the Facebook, Google, Microsoft? They could include the names of the biggest banks. And then not to use the banking system? Or if the full list includes Apple, iPhone as well? Than what are you going to use? Don't use any electronics. Go back to your cave.
I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s.
Now THIS is a valid comment.
As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of an their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days.
Google improves their platform security every month with regular pushed updates to devices they sell, and on rare occasion more often than that. EOM's (who they don't control) get those same security updates supplied to them in advance of the the Google device rollout. Did you think they don't, and if so based on what?
If you do any current reading you'd come away with the realization that Google Android today is not Google Android of 10 years ago. Now they're generally seen as close to if not equally as secure as iOS by most security professionals I see offering honest comment.
BTW the very latest Win10 update bonkered one of my RIP stations (but not the other??) so no I'm not particular happy with them these days.
So anyway users of any computer operating system should be thankful for the efforts of Google's Project Zero team. Without them no one's platform of choice would be as secure as it is, nor would the OS providers be as driven to push out patches.
What you conveniently leave out, of course, is the fact that many Android device manufacturers other than Google itself rarely if ever push updates out to their customers.It’s usually months and months before a few manufacturers issue updates. And as you have stated elsewhere the Pixel is a tiny blip on the smartphone radar screen. Many Android devices never get an update during their lifespan and are therefore vulnerable to all the security flaws discovered. Apple, on the other hand, all but forces iOS users to update their devices on a regular basis. Some scream bloody murder about being annoyed by Apple’s persistent notices to update. So the Google emperor has no clothes when it comes to touting security updates and patches. In the real world Android is the leaky security risk, not Apple.
Adding to that; from Ars Technica;
(apologies about the original post size of the font. It was copy & paste from the Ars website. 2nd edit; I fixed it on my Mac. Much easier than using an iPad.)
“Google Play apps with 1.5 million downloads drained batteries and slowed devices
Stealthy new click-fraud technique displayed ads that were invisible to users.
I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s.
Now THIS is a valid comment.
As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of an their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days.
Google improves their platform security every month with regular pushed updates to devices they sell, and on rare occasion more often than that. EOM's (who they don't control) get those same security updates supplied to them in advance of the the Google device rollout. Did you think they don't, and if so based on what?
If you do any current reading you'd come away with the realization that Google Android today is not Google Android of 10 years ago. Now they're generally seen as close to if not equally as secure as iOS by most security professionals I see offering honest comment.
BTW the very latest Win10 update bonkered one of my RIP stations (but not the other??) so no I'm not particular happy with them these days.
So anyway users of any computer operating system should be thankful for the efforts of Google's Project Zero team. Without them no one's platform of choice would be as secure as it is, nor would the OS providers be as driven to push out patches.
What you conveniently leave out, of course, is the fact that many Android device manufacturers other than Google itself rarely if ever push updates out to their customers.It’s usually months and months before a few manufacturers issue updates. And as you have stated elsewhere the Pixel is a tiny blip on the smartphone radar screen. Many Android devices never get an update during their lifespan and are therefore vulnerable to all the security flaws discovered. Apple, on the other hand, all but forces iOS users to update their devices on a regular basis. Some scream bloody murder about being annoyed by Apple’s persistent notices to update. So the Google emperor has no clothes when it comes to touting security updates and patches. In the real world Android is the leaky security risk, not Apple.
Adding to that; from Ars Technica (apologies about the size of the font. It was copy & paste from the Ars website.) Etc...
It nearly always seems to be ad-clickers too. Not stealing user data, or tracking, or fraud.... ... generally hidden from the user ads to collect per-click money. Adware. I think I remember something about a bitcoin miner hidden in one too a few months ago.
It's taken Google long enough but they're now slowing down the app approval process to use more real human teams to vet apps in a similar way to Apple, particularly so with new developers. It obviously can't stop all PUPS and malware, any more than Apple can prevent all of it in the App Store. Still it's the right move, combined with recently announced bug bounty's for discovering malformed apps, more thorough human reviews of app updates to already approved apps before pushing them out, and heavily restricting developers access to certain categories of permissions.
A few devs are squawking of course https://www.theinquirer.net/inquirer/news/3080665/google-extends-android-app-approval-times but far too many were requesting unneeded permissions and access, or including unannounced "features" and Google (finally) won't allow that to continue. That's the part I personally care about. The fact that a few million Google Play app downloads out of about 80 billion a year contains adware/malware makes it highly unlikely I'd ever encounter any of it myself and I never have, nor has anyone I personally know.
Still, left to themselves people are inherently greedy and too many don't play well with others. A relative few dishonest devs make it tough on the entire community. Rules had to be tightened and in the short-term there's going to be inevitable complaints about Google cracking down just as Apple has ( and for the same reasons). Open becomes less open because people can't abide rules. https://android-developers.googleblog.com/2019/04/improving-update-process-with-your.html
Why aren't the actual websites made public? That would at least give people information about them having been hacked before the fix.
Apparently very small and lightly visited sites since only "several thousand" visits were registered over the time they were being monitored by the security teams. Reading between the lines I get the impression most of these were Asian iPhone users, China, Russia, and maybe focused on sites of interest to potential "dissidents" though that's not been stated.
Why aren't the actual websites made public? That would at least give people information about them having been hacked before the fix.
Apparently very small and lightly visited sites since only "several thousand" visits were registered over the time they were being monitored by the security teams. Reading between the lines I get the impression most of these were Asian iPhone users, China, Russia, and maybe focused on sites of interest to potential "dissidents" though that's not been stated.
I'm curious about this too, and couldn't find any information beyond the implied dissident stuff:
"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years." "To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group."
and a link to a 2016 article about a UAE dissident being targeted.
Which makes me think that this might be a state-sponsored actor, and perhaps being further investigated by whomever it might concern. They also implied there may be more out there: "Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen." ¯\(°_o)/¯
Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
com.yahoo.Aerogram
com.microsoft.Office.Outlook
com.netease.mailmaster
com.rebelvox.voxer-lite
com.viber
com.google.Gmail
ph.telegra.Telegraph
com.tencent.qqmail
com.atebits.Tweetie2
net.whatsapp.WhatsApp
com.skype.skype
com.facebook.Facebook
com.tencent.xin
….
Obvious: do not use Facebook, Google and Microsoft, whats new?
Aren't those spoof sites? Com. or Net. before the website instead of after?
As answered below (by Asdasd): domain names read backwards. But spoofed or not my remark still stands.
A) Using Facebook, Google, or Microsoft has absolutely nothing to do with this exploit beyond being additional data targets on the device, or the ability to access those services using that data by the attackers. and B ) They're not domain names read backwards, they're bundle identifiers for apps installed on the device, the list of which can be added to — so you might as well "don't use any apps on your iPhone" which would still not mitigate the threat of every other bit of data on your phone from being uploaded to the attacker.
Recommend reading the first and last pages of the report at the very least. This summary of the malware in action is absolutely terrifying. Literally everything on your device could be exfiltrated if you had visited one of these sites. Think about that for a moment.
Literally everything is sent in plaintext over HTTP:
This is just building a typical HTTP POST request body, embedding the contents of each file as form data. There's something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear. If you're connected to an unencrypted WiFi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server. This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.
and
This method takes a dictionary with a command and an optional data argument. Here's a list of the supported commands: systemmail : upload email from the default Mail.app device : upload device identifiers (IMEI, phone number, serial number etc) locate : upload location from CoreLocation contact : upload contacts database callhistory : upload phone call history message : upload iMessage/SMSes notes : upload notes made in Notes.app applist : upload a list of installed non-Apple apps keychain : upload passwords and certificates stored in the keychain recordings : upload voice memos made using the built-in voice memos app msgattach : upload SMS and iMessage attachments priorapps : upload app-container directories from hardcoded list of third-party apps if installed (appPriorLists) photo : upload photos from the camera roll allapp : upload container directories of all apps app : upload container directories of particular apps by bundle ID dl : unimplemented shot : unimplemented live : unimplemented
and
Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. The command-and-control server can also query for a list of all 3rd party apps and request uploads of their container directories. These container directories are where most iOS apps store all their data; for example, this is where end-to-end encryption apps store unencrypted copies of all sent and received messages.
and
The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server. The implant binary does not persist on the device; if the phone is rebooted then the implant will not run until the device is re-exploited when the user visits a compromised site again. Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.
Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
com.yahoo.Aerogram
com.microsoft.Office.Outlook
com.netease.mailmaster
com.rebelvox.voxer-lite
com.viber
com.google.Gmail
ph.telegra.Telegraph
com.tencent.qqmail
com.atebits.Tweetie2
net.whatsapp.WhatsApp
com.skype.skype
com.facebook.Facebook
com.tencent.xin
….
Obvious: do not use Facebook, Google and Microsoft, whats new?
Aren't those spoof sites? Com. or Net. before the website instead of after?
As answered below (by Asdasd): domain names read backwards. But spoofed or not my remark still stands.
A) Using Facebook, Google, or Microsoft has absolutely nothing to do with this exploit beyond being additional data targets on the device, or the ability to access those services using that data by the attackers. and B ) They're not domain names read backwards, they're bundle identifiers for apps installed on the device, the list of which can be added to — so you might as well "don't use any apps on your iPhone" which would still not mitigate the threat of every other bit of data on your phone from being uploaded to the attacker.
You should really change your handle.
Colloquially, I think "knowitall" usually characterizes somebody who thinks they know it all, but doesn't. So maybe it's appropriate.
If the attackers had succeeded in compromising even one of the "sites" on that list, the number of people hit would not be in the "thousands," as the report indicated. So it should've been pretty obvious from the beginning that those were not the affected sites.
"Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”
Project Zero lacked so much context it became a social attack itself."
"Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”
Project Zero lacked so much context it became a social attack itself."
Not a good look for Google either.
Glad you brought this up. As the true/complete story begins to unfold, it seems that Google’s Project Zero were part of a campaign involving lies of omission. The pertinent details are beginning to be revealed; 1. The hacks in question were being done by the Chinese government against Muslim minorities in China. 2. The hacks by the Chinese government went through Windows, Google Android & Apple iOS operating systems.
* Rene Richie, through his YouTube website, outlines the controversy & media/tech enthusiast manipulation.
"Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”
Project Zero lacked so much context it became a social attack itself."
Not a good look for Google either.
Recommended to read the article, which seems to help explain some of the mysteries around the sites and targets. But, at the same time, it doesn't really add any facts to the matter at all... "It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems. One source familiar with the hacks claimed Google had only seen iOS exploits being served from the sites."
Quoting from an interview following the tweet: “The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”
On the other hand:“it’s very hard and time consuming to develop full Android exploit chains.” He added that until Apple “re-improves the security of iOS components such as Safari and iMessage,” Android exploits are more valuable.
"Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity.”
Project Zero lacked so much context it became a social attack itself."
Not a good look for Google either.
Would you have preferred Project Zero saying "those sites tried to exploit Android too but couldn't", because that's what the available facts are. One of the 11 appears to have tried and failed. Google closed the exploit the hackers were depending on... in 2017.
Comments
Google's reaction to a relatively new way of exploiting legitimate apps is to offer rewards to security researchers who find this stuff in even major 3rd party apps and not just Google software. Putting thousands more professional eyeballs in play looking for app problems is an excellent idea and offering up to a $100K in bug bounties will flesh a lot of these shadow-lurkers out.
Or if the full list includes Apple, iPhone as well? Than what are you going to use? Don't use any electronics. Go back to your cave.
DAN GOODIN - 8/29/2019, 3:00 AM”
“Google Play app with 100 million downloads executed secret payloadsDAN GOODIN - 8/27/2019, 12:15 PM”
85 Google Play apps with 8 million downloads forced fullscreen ads on usersDAN GOODIN - 8/19/2019, 1:05 PM”
... generally hidden from the user ads to collect per-click money. Adware. I think I remember something about a bitcoin miner hidden in one too a few months ago.
It's taken Google long enough but they're now slowing down the app approval process to use more real human teams to vet apps in a similar way to Apple, particularly so with new developers. It obviously can't stop all PUPS and malware, any more than Apple can prevent all of it in the App Store. Still it's the right move, combined with recently announced bug bounty's for discovering malformed apps, more thorough human reviews of app updates to already approved apps before pushing them out, and heavily restricting developers access to certain categories of permissions.
A few devs are squawking of course
https://www.theinquirer.net/inquirer/news/3080665/google-extends-android-app-approval-times
but far too many were requesting unneeded permissions and access, or including unannounced "features" and Google (finally) won't allow that to continue. That's the part I personally care about. The fact that a few million Google Play app downloads out of about 80 billion a year contains adware/malware makes it highly unlikely I'd ever encounter any of it myself and I never have, nor has anyone I personally know.
Still, left to themselves people are inherently greedy and too many don't play well with others. A relative few dishonest devs make it tough on the entire community. Rules had to be tightened and in the short-term there's going to be inevitable complaints about Google cracking down just as Apple has ( and for the same reasons). Open becomes less open because people can't abide rules.
https://android-developers.googleblog.com/2019/04/improving-update-process-with-your.html
"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."
"To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group."
and a link to a 2016 article about a UAE dissident being targeted.
Which makes me think that this might be a state-sponsored actor, and perhaps being further investigated by whomever it might concern. They also implied there may be more out there: "Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen."
¯\(°_o)/¯
You should really change your handle.
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
Literally everything is sent in plaintext over HTTP:
and
and
and
iOS was vulnerable to some pretty serious exploits.
I'm glad they were found. I'm glad they were patched.
Thanks to Google for finding them and thanks to Apple for patching them.
Hopefully the next time this happens it will Apple finding the vulnerabilities instead of a third party.
If the attackers had succeeded in compromising even one of the "sites" on that list, the number of people hit would not be in the "thousands," as the report indicated. So it should've been pretty obvious from the beginning that those were not the affected sites.
Not a good look for Google either.
As the true/complete story begins to unfold, it seems that Google’s Project Zero were part of a campaign involving lies of omission.
The pertinent details are beginning to be revealed;
1. The hacks in question were being done by the Chinese government against Muslim minorities in China.
2. The hacks by the Chinese government went through Windows, Google Android & Apple iOS operating systems.
* Rene Richie, through his YouTube website, outlines the controversy & media/tech enthusiast manipulation.
"It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems. One source familiar with the hacks claimed Google had only seen iOS exploits being served from the sites."
Regular readers of AI should be familiar with Zerodium, the company who pays big bucks for exploits that can be used against iOS devices.
https://appleinsider.com/articles/19/01/10/zerodium-hikes-bounties-for-apple-vulnerabilities-to-as-high-as-2m
Well it seems they are now paying more for Google Android exploits than iOS, up to 25% higher.
https://twitter.com/Zerodium/status/1168862389262880768
Quoting from an interview following the tweet:
“The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due to a lot of security researchers having turned their focus into full time iOS exploitation. They’ve absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we’re starting to refuse some of them.”
On the other hand: “it’s very hard and time consuming to develop full Android exploit chains.” He added that until Apple “re-improves the security of iOS components such as Safari and iMessage,” Android exploits are more valuable.
https://www.zdnet.com/article/zero-day-disclosed-in-android-os/