Archive for the 'Recent Hacks in the News' Category


AlphaBay Market, one of the largest Dark Web marketplaces for drugs, guns, and other illegal goods, which mysteriously went dark earlier this month without any explanation from its admins, has reportedly been shut down by international authorities.

On July 4th, the dark web marketplace suddenly went down without any explanation from its admins, which left its customers who have paid large sums in panic.

Some customers even suspected that the site’s admins had pulled an exit scam to steal user funds.

However, according to the Wall Street Journal, the disappearance of the AlphaBay came after authorities in the United States, Canada, and Thailand collaborated to conduct a series of raids and arrest Alexandre Cazes, who allegedly was one of the AlphaBay’s operators.

Citing “people familiar with the matter,” the publication claims that Cazes, a resident of Canada, was arrested in Thailand and taken into custody in Bangkok on July 5th, the same day the police executed two raids on residences in Quebec, Canada.

The 26-year-old Canadian citizen was awaiting extradition to the United States when a guard found him hanged in his jail cell on Wednesday, the Chiang Rai Times confirms. Cazes is believed to have hanged himself using a towel.

Cazes had been living in Thailand for nearly 8 years. During his arrest, authorities also seized “four Lamborghini cars and three houses worth about 400 million baht ($11.7 million) in total.”

AlphaBay, also known as “the new Silk Road,” also came in the news at the beginning of this year when a hacker successfully hacked the AlphaBay site and stole over 200,000 private unencrypted messages from several users.

After the disappearance of Silk Road, AlphaBay emerged in 2014 and became a leader among dark web marketplaces for selling illicit goods from drugs to stolen credit card numbers, exploits, and malware.

Unlike the dark web market ‘Evolution’, which suddenly disappeared overnight from the Internet, stealing millions of dollars worth of Bitcoins from its customers, AlphaBay Market was shut down by law enforcement, suffering the same fate as Silk Road.

Silk Road was shut down after law enforcement raided its servers in 2013 and arrested its founder Ross William Ulbricht, who has been sentenced to life in prison.

The FBI also seized Bitcoins (worth about $33.6 million, at the time) from the site. Those Bitcoins were later sold in a series of auctions by the United States Marshals Service (USMS).


Personal details of some 120 Million customers have been allegedly exposed on the Internet in probably the biggest breach of personal data ever in India.

Last night, an independent website named Magicapk.com went online, letting Reliance Jio customers search for their identification data (Know Your Customer, or KYC) just by typing in their Jio number.

Reliance set up the Jio 4G network across the length and breadth of India in September last year and gained more than 50 million subscribers within a span of just 83 days. The company gave seven months of free internet, unlimited calls, unlimited music to its subscribers.

Although the website that claimed to have hacked into the Jio database is no longer accessible, many users confirmed their personal data showed up on the website, displaying their names, email addresses and, most alarmingly, in some cases their Aadhaar numbers.

Aadhaar is a 12-digit unique identification number issued by the Indian government to every resident of India. This number is also used for enrolling for a SIM.

In response to the breach, Reliance Jio released a statement, saying that the claims are unverified and that the leaked data appears to be “unauthentic.”

“We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic,” a spokesperson said.

“We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement.”

The Jio spokesperson said the company has “informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”

 

Breach Appears to be Authentic! But Doesn’t Affect All JIO Users

The Hacker News independently verified the leak for a few Jio numbers, and the data came out to be accurate for some Jio numbers, but not for all. Therefore, the data on the website seems to be authentic, but luckily some customers are spared, probably those who were issued a Jio SIM after the breach.

For obvious reasons, we are not naming the customers we tested on the website and found their identity leaked just by typing their mobile number. The leaked information includes:

+ First Name

+ Middle Name

+ Last Name

+ Mobile Number

+ Email-Id

+ Circle-Id

+ SIM Activation Date and Time

+ Aadhaar Number, in some cases

Mobile numbers for other telecom operators in India, such as Vodafone and Airtel, did not work on the website.

 

Hackers’ Identity Is Unknown Yet

The website was hosted by the web hosting company GoDaddy.com and was registered in May 2017, but so far it is not clear who owned the domain.

Also, it is not clear at this moment how the hackers got access to the sensitive data of Jio customers, or whether it was Jio that got hacked or some third-party marketing company with whom the company shared its customers’ data.

There is very little that victims (especially those whose Aadhaar number has been exposed) can do to protect themselves from future attacks. Hackers holding an Aadhaar number can disguise their identities to carry out several kinds of fraud.

All Jio customers are strongly advised to be wary of unsolicited calls asking for further details or account passwords. No company asks for these details over phone calls or emails.

Victims should also be particularly alert to phishing emails, which are usually the next step cyber criminals take after a large-scale hack at any telecoms company. Phishing tricks users into giving up further personal details like passwords.


Microsoft released its monthly security-patch bundle Tuesday, fixing 45 unique vulnerabilities, three of which are publicly known and targeted by hackers.

The top priority this month should be given to the Microsoft Office security update because one of the fixed flaws has been actively exploited by attackers since January to infect computers with malware. Over the past few days this vulnerability, tracked as CVE-2017-0199, has seen widespread exploitation.

The CVE-2017-0199 vulnerability can be exploited through maliciously crafted RTF (Rich Text Format) documents when such documents are opened with either Microsoft Word or WordPad. Because WordPad is bundled with Windows by default, a patch for this flaw is also included in the security updates for Windows.

According to security vendor Qualys, the next priority should go to the updates for Microsoft’s Internet Explorer and Edge browsers. These updates address several remote code execution vulnerabilities.

One flaw patched in IE allows attackers to bypass the cross-domain policies enforced by the browser. The flaw makes it possible to take information from one domain and inject it into another, violating an important security barrier.

Microsoft’s notes for this vulnerability mention that it has already been exploited in the wild, but don’t include other details about the attacks.

Critical vulnerabilities have also been patched in Hyper-V, Microsoft’s virtualization hypervisor that’s included in Windows Server 2008, 2012 and 2016, as well as in Windows 8.1 and 10. These vulnerabilities can allow applications running inside a guest operating system to escape the virtual machine and execute malicious code on the host OS.

Finally, a remote code execution vulnerability has been fixed in the Microsoft .NET Framework. This flaw potentially can be exploited by attackers to take complete control of a system running a vulnerable deployment of the framework.

Microsoft has also released a defense-in-depth update for Microsoft Office that disables the Encapsulated PostScript (EPS) filter by default. That’s because the company is aware of limited, targeted attacks that try to take advantage of an unpatched vulnerability in this filter.

The Microsoft updates also include third-party critical patches for Flash Player, which is bundled with Internet Explorer 11 and Edge.

This Patch Tuesday bundle is also notable because it marks the end of support for Windows Vista, which will no longer receive security updates after this round of patches.


IoT Teddy Bear Hacked

Author: Martin Voelk
March 1, 2017

Whilst this sounds funny at first, it’s yet another serious breach of customer data. IoT is becoming hackers’ first choice, even ahead of web applications, these days. So don’t forget to have your IoT devices pen tested.

https://arstechnica.com/security/2017/02/creepy-iot-teddy-bear-leaks-2-million-parents-and-kids-voice-messages/ 


 

WordPress is one of the most used content management systems (CMS) in the world, so when there is a security flaw in it, millions of users on the Internet are affected. That is exactly what has been discovered by security researchers at Sucuri, an Internet security company, which revealed that WordPress websites are vulnerable to a critical and easily exploitable zero-day Content Injection vulnerability.

Sucuri found a Content Injection, or Privilege Escalation, vulnerability affecting the REST API that allows an attacker to modify the content of any post or page within a WordPress site. However, there is good news: Sucuri discreetly reported the vulnerability to the WordPress security team, who handled the matter professionally, informed as many security providers and hosts as possible, and implemented a patch before this became public.

If you are using WordPress on your website, the only way you may be at risk is if you have not updated your WordPress to the latest version, 4.7.2. The update was issued on January 26th.

In their blog post, Marc Alexandre Montpas from Sucuri stated that “This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress, then it is currently vulnerable to this bug.”

Montpas further stated that “This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!”

If you or your friends are using WordPress, it is highly advisable to update your website and inform others about the issue so they can also update their WordPress to the latest version.

WordPress has also acknowledged the issue and published a blog post earlier today urging users to update their WordPress since it poses a “severe security risk” for users.

 


November 14, 2016

Google’s new Pixel smartphone was reportedly hacked by a Chinese team in just 60 seconds.

 

At PwnFest, a hacking competition in Seoul on Friday (11 November), a team of white-hat hackers called Qihoo 360 cracked Google’s new handset and won $120,000 (£95,670) in cash. The hackers took advantage of an undisclosed vulnerability to gain remote code execution.

 

The exploit launched the Google Play store before opening Chrome and displaying a web page reading “Pwned By 360 Alpha Team”.

 

Google said the Chrome bug that Keen Team found was patched within 24 hours of the event and the changes have already been released into the stable branch by the Chrome team.

 

It was the second time in as many weeks that the Pixel has been compromised.

 

Chinese hacking group, Keen Team of Tencent, a rival of Qihoo 360, discovered a zero-day vulnerability at the Mobile Pwn2Own event in Japan. The vulnerability is yet to be patched. Thankfully, these exploits have been found in hacking events, instead of being used in the wild by attackers.

While these exploits suggest Pixel phones are vulnerable to attackers, earlier this month Adrian Ludwig, the director of security at Android, told Motherboard that the Google Pixel and the iPhone are equal when it comes to security. Ludwig said Android would soon be better though. “In the long term, the open ecosystem of Android is going to put it in a much better place,” he said.

Apple’s updated Safari browser running on macOS Sierra also fell. Respected Chinese hacker outfit Pangu Team, renowned for releasing million-dollar persistent modern iOS jailbreaks for free, along with hacker JH, blasted Cupertino’s web browser with a root privilege escalation zero day that took 20 seconds to run, earning the team $80,000.

Qihoo 360 also breached Adobe Flash with a flick of the finger, digging up a combination of a decade-old use-after-free zero day and a win32k kernel flaw to score $120,000.

 

It took four seconds for Flash to fall.

 

The hacks conclude the PwnFest whitewash, which saw Microsoft Edge hacked and the first-ever zero day exploits against VMWare Workstation on Thursday.

 

Qihoo 360 hackers walked away with $520,000 in prize money.


Squid proxy server

 
Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.

 
The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.

 
“The attack enables cache poisoning of ANY unencrypted HTTP website.”

 

Cache Poisoning issue in HTTP Request handling

 

Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors. This can lead to cache poisoning of the Squid and browser caches, bypass of same-origin and sandbox protections in browsers.

 

“The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker” before hitting a victim site. It’s not hard to stage the attack as “… attackers can readily obtain the necessary vantage point using techniques such as web ads.”

 
“For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the attack.com web server. As far as Squid works in transparent proxy mode, these requests are intercepted and transmitted further. At the next stage, the attacker initiates the following HTTP request:

 

    GET http://victim.com/ HTTP/1.1
    Host: attack.com

The cache module uses the host address from the request line (victim.com) to create the key; however, the verification module uses the Host header (attack.com) to check the communication between the host and the IP address. This is what makes the attack possible.”


Protection

 

The vulnerability was already fixed but there is still no CVE for the issue or patched version of Squid available. The bug fix is included only in the daily builds for 4 and 3.5 versions.

 

C51 Security researchers recommend enabling the host_verify_strict option which is disabled by default, and considering the Suricata intrusion detection system rules to detect exploitation attempts.
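As an added example (not code from the original post, from the Squid project, or from the Suricata rules mentioned above), the following Python script implements the check such a rule would encode: it parses a raw HTTP/1.x request head and flags any absolute-form request whose URI host disagrees with its Host header, which is exactly the inconsistency between the cache key and the verification module described above. The request samples are constructed for the example; the function names are the example's own.

```python
"""Flag HTTP requests whose absolute-URI host disagrees with the Host header.

Added example, not from the original post or the Squid project: a minimal
request-head parser plus the consistency check a proxy-side sanity rule or an
IDS signature would apply to detect the mismatch described in the article.
"""
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic). The first one is the
# shape of request the article describes; the rest are benign variants.
SAMPLE_REQUESTS = [
    "GET http://victim.com/ HTTP/1.1\r\nHost: attack.com\r\n\r\n",
    "GET http://example.org/index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "GET http://example.org:80/ HTTP/1.1\r\nHost: EXAMPLE.ORG\r\n\r\n",
]


def parse_request(raw: str):
    """Return (method, target, headers) for a single HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def _normalize_host(host: str) -> str:
    """Lower-case and drop an explicit default port so 'a.com:80' equals 'a.com'."""
    host = host.strip().lower()
    if host.endswith(":80"):
        host = host[:-3]
    return host


def check_host_consistency(raw: str) -> str:
    """Classify a request as 'origin-form', 'consistent' or 'mismatch'.

    Origin-form requests (target starts with '/') carry no host in the
    request line, so there is nothing to compare; absolute-form requests must
    name the same host in the URI and in the Host header.
    """
    _method, target, headers = parse_request(raw)
    if target.startswith("/"):
        return "origin-form"
    uri_host = _normalize_host(urlsplit(target).netloc)
    header_host = _normalize_host(headers.get("host", ""))
    return "consistent" if uri_host == header_host else "mismatch"


def find_mismatches(requests):
    """Return the request lines of every request that fails the check."""
    return [r.split("\r\n")[0] for r in requests
            if check_host_consistency(r) == "mismatch"]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{check_host_consistency(req):12} {req.split(chr(13) + chr(10))[0]}")
```

On the proxy itself the equivalent control is the host_verify_strict option the researchers recommend; this script is the same comparison applied to traffic you already capture, which is useful for checking whether a transparent cache in your own network has been receiving such requests.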


https://drive.google.com/file/d/0ByM36MBckzBaQUFES0VYRlZydUE/view


Researchers have discovered several vulnerabilities in the popular image processing suite ImageMagick, including a serious remote code execution flaw that has been exploited in the wild.

 
ImageMagick is a free and open-source software package that allows users to display, convert and edit image files. The ImageMagick library is used by many image-processing plugins, which means that the software is present in a large number of web applications.

 

The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

 

While analyzing a flaw found by a researcher who uses the online moniker “Stewie,” Nikolay Ermishkin from the Mail.Ru security team discovered a remote code execution vulnerability (CVE-2016-3714) related to insufficient filtering of shell characters.

 
The vulnerability, dubbed “ImageTragick,” can be exploited by uploading a specially crafted file to a website that processes images using ImageMagick.

 

An attacker can create an exploit file and assign it an image extension, such as .png, in order to bypass the targeted site’s file type checks. ImageMagick determines the file type based on so-called “magic bytes,” the first few bytes of a file that are specific to each file type. Once it detects that it’s not an actual .png, ImageMagick converts the file and the malicious code is executed in the process, allowing the attacker to gain access to the targeted server.

 

An exploit for this vulnerability is publicly available and experts say it has already been leveraged in the wild.

 
ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers say the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which are expected to become available by this weekend.

 
In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.

 

Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in ‘/etc/ImageMagick’.

Other vulnerabilities found in ImageMagick can be exploited to move, read or delete files (CVE-2016-3716, CVE-2016-3717 and CVE-2016-3715), and for server-side request forgery, or SSRF, attacks (CVE-2016-3718).
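The second mitigation above, verifying magic bytes before a file reaches ImageMagick, as an added Python example that is not from the original post or from the ImageMagick project. The point it demonstrates is that the extension and the content must be checked together: a file that carries an image extension but whose leading bytes match no accepted raster signature is rejected before any coder auto-detection can run on it. The signature table, the sample uploads and the function names are the example's own.

```python
"""Reject uploads whose content does not match the image type their name claims.

Added example (not the original post's or ImageMagick's code). An upload
handler would call is_safe_upload() before invoking ImageMagick, so that a
text or script file renamed to .png never reaches the library's coders.
"""
import os

# Leading-byte signatures of the raster formats an upload endpoint accepts.
# Anything else (SVG, MVG, plain text, ...) is rejected regardless of name.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def sniff_type(data: bytes):
    """Return the canonical extension whose signature matches, else None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return ".jpg" if ext == ".jpeg" else ext
    return None


def is_safe_upload(filename: str, data: bytes) -> bool:
    """True only if the extension is allowed AND the bytes really are that type."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False
    if ext == ".jpeg":
        ext = ".jpg"
    return sniff_type(data) == ext


# Constructed sample uploads (not real files): a few header bytes plus padding.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
    # Text content behind an image extension: the disguise the article describes.
    "not-really.png": b"this is not a raster image\n",
    # Genuine PNG bytes, but an extension outside the allow-list.
    "photo.svg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def triage(samples):
    """Map each sample name to the accept/reject decision."""
    return {name: is_safe_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in triage(SAMPLES).items():
        print(f"{name:16} -> {'accept' if ok else 'reject'}")
```

This check complements, rather than replaces, the policy-file mitigation: the policy file limits what ImageMagick will do with a file once it has one, while the signature check limits which files it is given in the first place.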


In February 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

 
The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.

 

A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.

 
The telecom industry has known for years that SS7 is vulnerable to spying, but did little about it because many assumed the risks were theoretical. This changed in the wake of the Ukrainian incidents, says Cathal McDaid, head of the threat intelligence unit for AdaptiveMobile, a mobile telecom security firm. His company and others devised ways to detect SS7 attacks, and since then they have discovered suspicious activity in the networks of multiple telecom customers, suggesting that SS7 attacks are very much real, and ongoing. AdaptiveMobile released a report in February highlighting some of those attacks.

 

SS7 is just now getting more public attention because of a 60 Minutes piece last week, which showed two German researchers using SS7 to spy on US Congressman Ted Lieu, with his permission. Lieu has called for a congressional hearing to look into SS7 vulnerabilities, and the Federal Communications Commission has plans to examine it, too.

 

 
So what is SS7 and why is it so vulnerable?

 

SS7, also known as Signaling System No. 7, refers to a data network and the series of technical protocols, or rules, that govern how data gets exchanged over it. It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it’s a separate administrative network with a different function. Think of it like a passenger train system: SS7 is the maintenance tunnels workers use rather than the main tunnels through which passenger trains travel.

SS7 is often used now to set up roaming so that when you travel, say, from New York to Mumbai, you can make and receive calls and texts outside your carrier’s range. An outside carrier will send a request to your carrier via SS7 to obtain your phone’s unique ID to track your device, and also request that your communications be redirected to its network so that it can deliver calls and text messages to you. It’s a way of making sure calls and messages are delivered between networks.

 
The Problem

 

The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York.

 

This makes it possible for a remote attacker to spy on lawmakers, corporate executives, military personnel, activists and others. It should be noted that in grabbing your texts and calls in this way, an attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text so you can access your accounts. An attacker who already knows the username and password for an account can intercept these codes before you receive them in order to log in to your accounts.


Who has access to SS7?

 

Hundreds of telecoms around the world use it. Government intelligence agencies can also gain access to the network, either with the permission of telecoms or not. Commercial companies also sell SS7 phone tracking services to governments and other customers. Criminal groups able to purchase access from corrupt telecom workers can also use SS7, as can hackers who hijack unsecured SS7 equipment.

 
It wasn’t until December 2014 that telecoms began to implement ways to thwart SS7 attacks. That’s when Karsten Nohl of the Berlin-based Security Research Labs and an independent researcher named Tobias Engel gave presentations about SS7 at the Chaos Communication Congress in Germany, months after the Ukrainian incidents were discovered. Engel had demonstrated an SS7 method for tracking phones in 2008, but that method wasn’t as refined as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that carriers there implement measures to mitigate SS7 attacks by the end of 2015.


How Exactly Can SS7 Be Hacked to Track You?

 

To track you, an attacker could send what’s called an Anytime Interrogation request to your carrier to get the unique ID of your phone and identify which mobile switching center (MSC) your phone uses—usually one MSC covers an entire city. Carriers use this information to determine your location to route your calls and messages through the cell tower closest to you. By sending repeated Anytime Interrogation requests to get this and your GPS coordinates, an attacker can track your phone, and you, to the street block where you are standing, using Google maps.

 

Carriers could thwart this by blocking Anytime Interrogation requests coming from outside their boundaries, Nohl says. But there are other ways to get location information using different queries via SS7, and these are not as easily blocked, he says.


In Depth

 

In mobile networks, subscribers are identified by the international mobile subscriber identity (IMSI), which is considered confidential information.

 

This attack is based on requesting the Mobile Switching Center (MSC) Visitor Location Register (VLR) address, and the IMSI. The request is part of the SMS delivery protocol, which allows the source network to receive information about the subscriber’s location for further routing of the message. The initial data includes the target subscriber number.

 

In case of successful exploitation, an attacker obtains the following data:

 
+ Subscriber’s IMSI

+ Servicing MSC/VLR address

+ Home Location Register (HLR) address where the subscriber’s account data is located

 

The MSC/VLR address will determine the subscriber’s location down to the regional level. Moreover, the intruder can use the obtained data in more complex attacks.


Discovering a subscriber’s location

 

Received data is commonly used for real-time tariffing of the subscriber’s incoming calls. The initial data is the IMSI and current MSC/VLR address.

 

The intruder obtains the CGI, which consists of:

 

+ Mobile Country Code (MCC)

+ Mobile Network Code (MNC)

+ Location Area Code (LAC)

+ Cell Identity (CID)


There are a number of services available on the Web that allow determining a base station’s location using these identifiers. In cities and urban areas, the accuracy of a subscriber’s location can be determined within a few hundred meters.

Intercepting incoming SMS messages

 

After registering the subscriber with the fake MSC/VLR, SMS messages intended for the subscriber are instead sent to the attacker’s host.

 
The attacker is able to:

 

+ send a confirmation that the message was received (it will look to the sender as if the message was delivered)

+ re-register the subscriber to the previous switch so that he/she also gets the message.

+ send a confirmation to the sender, re-register the subscriber to the previous switch and send him/her an altered message

 

 

The attack can be used to:

 

+ steal one-time mobile banking passwords delivered as SMS messages

+ intercept or recover passwords used for various internet services (email, social networks, etc.)

Intercepting outgoing calls

 

An attacker substitutes a billing platform address with their equipment address, in the subscriber’s profile. When the subscriber makes a call, the billing request along with the number of the destination subscriber are sent to the attacker’s equipment. The attacker can then redirect the call and create a three-way (destination subscriber, calling subscriber and an attacker) conference call.


What Can Be Done?

 

That kind of attack should be easy to thwart with an algorithm that knows it’s illogical for a subscriber to move back and forth between the US and Germany every five minutes. “But, again, nobody has implemented these smart checks,” Nohl says.
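The “smart check” Nohl describes, as an added Python example that is not from the original article or from any carrier's or vendor's code. It reduces each location update a home network receives to a timestamp and the mobile country code (MCC) of the network that sent it, and flags a subscriber who appears to change country faster than any real traveller could, which is the US/Germany-every-five-minutes pattern in the paragraph above. The MCC table, the event log and the one-hour threshold are constructed or assumed for the example; a carrier would tune the threshold against its own roaming data.

```python
"""Flag implausible subscriber movement between successive location updates.

Added example (not the article's or any carrier's code). Each event is an
update-location style request as seen by the home network, reduced to
(timestamp, subscriber, MCC of the requesting network). Two consecutive
updates from different countries closer together than the threshold are
reported so the later registration can be held for review.
"""
from datetime import datetime, timedelta

# MCC -> country, limited to the codes used in the sample log.
MCC_COUNTRY = {"310": "US", "262": "DE", "404": "IN"}

# Assumed threshold: a real subscriber cannot switch countries this quickly.
MIN_MINUTES_BETWEEN_COUNTRIES = 60

# Constructed sample log: (when, subscriber label, MCC of the requesting network).
SAMPLE_EVENTS = [
    ("2016-04-30T10:00:00", "imsi-A", "310"),
    ("2016-04-30T10:05:00", "imsi-A", "262"),   # US -> DE in 5 min: suspicious
    ("2016-04-30T10:10:00", "imsi-A", "310"),   # DE -> US in 5 min: suspicious
    ("2016-04-30T08:00:00", "imsi-B", "310"),
    ("2016-04-30T20:00:00", "imsi-B", "404"),   # 12 hours later: plausible flight
    ("2016-04-30T09:00:00", "imsi-C", "262"),
    ("2016-04-30T09:03:00", "imsi-C", "262"),   # same country: fine
]


def find_implausible_moves(events, min_minutes=MIN_MINUTES_BETWEEN_COUNTRIES):
    """Return (subscriber, from_country, to_country, minutes) per suspicious hop."""
    by_subscriber = {}
    for when, imsi, mcc in events:
        by_subscriber.setdefault(imsi, []).append((datetime.fromisoformat(when), mcc))
    alerts = []
    for imsi, seq in by_subscriber.items():
        seq.sort()  # events may arrive out of order; compare in time order
        for (t_prev, mcc_prev), (t_cur, mcc_cur) in zip(seq, seq[1:]):
            c_prev = MCC_COUNTRY.get(mcc_prev, "??")
            c_cur = MCC_COUNTRY.get(mcc_cur, "??")
            gap = (t_cur - t_prev) / timedelta(minutes=1)
            if c_prev != c_cur and gap < min_minutes:
                alerts.append((imsi, c_prev, c_cur, gap))
    return alerts


if __name__ == "__main__":
    for imsi, src, dst, mins in find_implausible_moves(SAMPLE_EVENTS):
        print(f"{imsi}: {src} -> {dst} after {mins:.0f} min, hold the update for review")
```

A production version would key on the full IMSI and the requesting node's global title rather than a label and a bare MCC, and would add distance-based velocity limits, but the decision logic is the same: a registration that contradicts the subscriber's recent, physically possible history is not honoured automatically.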

 

There’s not much you can personally do. You could try to protect your communications by using an encrypted service like Signal, WhatsApp or Skype, but McDaid says an attacker could send a request to your carrier to disable data use for your phone, preventing you from using these services.

 

“So all you’re left with then is text messages and phone calls if you’re in an area with no Wi-Fi,” he says, leaving you vulnerable to an SS7 interception attack.

 


A new kind of mobile malware, known as “Accessibility Clickjacking”, has been discovered by SkyCure, a US-based global mobile threat security company, and revealed to the world at the 25th annual RSA conference, the world’s biggest cyber-security event, which ended on Friday the 4th of March.

 

The “Accessibility ClickJacking” malware is a critical and dangerous discovery

 
In its study, the company found that this advanced mobile malware had already impacted more than half a billion Android devices globally. The malware could evade scanner detection, which is usually based on signatures and on static and dynamic analysis, the company pointed out in its report.

 
“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent.”

 
If you want to see accessibility clickjacking in action, just watch the video from Skycure below, which utilizes a free ‘Rick and Morty’-themed game to get users to unknowingly enable certain accessibility features:

 

 

A number of functions and capabilities have been put into web browsers and web servers to limit the clickjacking risk, but the mobile platform remains vulnerable, and this discovery shows that Android is still susceptible to similar kinds of threats.

 

Smartphone users of the Android operating system were advised to be careful when playing games or running applications, as hackers were able to create simple so-called “benign” games that could automatically trigger the “Accessibility ClickJacking” in the background unbeknownst to the owner of the device.

 

The malware could allow malicious apps to get hold of all text-based sensitive information on affected Android devices and take automated actions via other apps or even the operating system. The information at risk includes emails, text messages, data from messaging apps, and data in important business applications such as CRM software, marketing automation software and more. This makes Android users vulnerable to the games and applications they download.

 

Once inside the victim’s device, the hackers could, therefore, change passwords. However, the security company did mention that the malware was only active on older versions of the Android operating system, accounting for 65 percent of devices, and said that there was no reason to worry for users of the latest operating systems, the Lollipop and Marshmallow platforms. Anything between Android 2.2 Froyo and Android 4.4 KitKat was most likely to be affected by ClickJacking, SkyCure noted.
