Security company Curesec disclosed a vulnerability that disables the lock screen in Android 4.3 Jelly Bean. Android 4.3 is Google’s most widely distributed version of their mobile operating system — about 54.5 percent of Android users are on Jelly Bean.
Android has a few options when it comes to locking your device: PIN, pattern, or facial recognition. The security hole lies in the Java class that handles which lock type is used.
When a user changes the lock type, they are required to enter the lock/PIN of the previous one. If a malicious app were to target this vulnerability, it could bypass this check altogether.
Curesec's blog discloses the bug and includes some proofs of concept (PoCs) and code examples. One such PoC is an Android app that allows you to remove locks in one click or on a timer.
Curesec attempted to contact Google about this bug, but Google became unresponsive to their queries, which led Curesec to disclose publicly.
The company said it is also checking whether the vulnerability exists in other versions of Android.
This is just another example of the lock screen challenges mobile device and operating system developers are running into. It seems every iteration has a new vulnerability introduced or an existing one uncovered.
This isn’t isolated to Android; iOS has had its share of screen lock issues.
Although there are some ways of bypassing the lock screen on your mobile device, we here at Malwarebytes still encourage using a security lock as a first line of defense.
Security researcher Oren Hafif recently uncovered a vulnerability that tricks Gmail users into giving away their passwords.
Walking through the Account Recovery process found at https://www.google.com/accounts/recovery/, Hafif discovered the vulnerability.
In his blog post, Hafif noted that Google could improve its Cross-Site Request Forgery (CSRF) protection to include consistent use of CAPTCHAs, those obscure images used to tell bots and humans apart.
An example of a common CAPTCHA
Eventually, Hafif used a phishing email to launch a Cross-site scripting (XSS) attack. In the video below, Hafif demonstrates the exploit from start to finish.
The link in the phishing email first takes you to the hacker’s website, but this probably wouldn’t be noticed because of the quick redirect.
The flaw has since been fixed by Google, taking 10 days to remedy according to Hafif.
Reports such as these only serve to confirm that no application is perfectly secure. However, it is still comforting to know there are white-hat researchers who are reporting vulnerabilities affecting major services like Google.
For responsibly disclosing the vulnerability, Hafif will be rewarded under the Google Vulnerability Reward Program.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell
Mobile devices have become targets for malware and researchers alike; the latest news is on how our devices can be exploited to capture PIN codes. Researchers Laurent Simon and Ross Anderson from the University of Cambridge have created an app, PIN Skimmer, that uses the camera and microphone to capture the codes.
A lot of programs we install on our computer are automatically run when Windows starts and loads.
While this is not always necessary, there usually is not much harm in this.
But this behavior is also copied by malware writers to pass security checks. Their malicious programs try to mimic legitimate programs that you might expect in your Windows startup programs.
Why hide when you can pretend to be something useful?
Copying the art of camouflage from the animal world, malware writers have been trying several methods over the years to hide their registry entries in the open. Sometimes by using (pseudo-)random names and sometimes by using locations that are relatively unknown to the general public. But also by pretending to be, or belong to, legitimate programs.
We’ve known for a while now about Microsoft’s decision to retire the very popular Windows XP operating system on April 8, 2014 (it’s part of the Redmond-based company’s lifecycle policy to offer a minimum of 10 years of support for the Windows and Office products suite), but here comes Google to XP users’ rescue?
Windows XP’s market share is still considerable both in end user and corporate environments. According to StatCounter, it represented roughly 20 percent of all operating systems as of September 2013: