In the past, we have often heard of some strings or files that you can send to other users to cause their iPhone/iPad to reboot. Now there’s a similar issue affecting some Android devices: a simple picture can soft-brick some Android phones if it’s set as the wallpaper.
In digital forensics, the term logical extraction typically refers to an extraction that does not recover deleted data, or does not include a full bit-by-bit copy of the evidence; it is analogous to copying and pasting a folder in order to extract data from a system.
So this process copies only the files that the user can access and see: any hidden or deleted files present in the folder being copied will not be in the pasted copy of the folder.
The flaw affects Apple devices and also all Android devices that use Broadcom’s Wi-Fi stack: an attacker within the smartphone’s Wi-Fi range could remotely execute malicious code on the Broadcom Wi-Fi SoC.
The vulnerability allows attackers to send Wi-Fi frames crafted with abnormal values to the Wi-Fi controller in order to overflow the firmware’s stack.
The researcher combined this with the chipset’s frequent timer firings to gradually overwrite specific chunks of the device’s memory until his malicious code is executed.
So, to exploit the flaw, an attacker only needs to be within Wi-Fi range of the affected device to silently take it over:
We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations — including stack cookies, safe unlinking and access permission protection (by means of an MPU).
Gal Beniamini also published a proof-of-concept RCE exploit that successfully performs remote commands on a fully updated Nexus running Android 7.1.1:
According to an analysis by security firm Kryptowire, commercial firmware pre-installed on some Android smartphone models sold in the US was found to be secretly sending personal data to a third-party company based in China, without users’ knowledge or consent. The stolen data include text messages, call logs, contacts, app usage data and the user’s location.
The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.
The collected information was encrypted and transmitted over HTTPS to a server located in Shanghai:
The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data. The information was transmitted to the following back-end server domains:
– bigdata.adups.com (primary)
All of the above domains resolved to a common IP address, 188.8.131.52, that belongs to the Adups company. During our analysis, bigdata.adups.com was the domain that received the majority of the information, whereas rebootv5.adsunflower.com, with IP address 184.108.40.206, was the domain that could issue remote commands with elevated privileges to the mobile devices.
A full list of affected devices is not available at this point, but Kryptowire says:
In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.
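The domains and IPs quoted above are exactly the kind of indicator a defender can match against egress logs, and the 24-hour / 72-hour upload cadence is itself a detectable beaconing pattern. The following is an added example, not Kryptowire's tooling: the log format and the sample lines are constructed, the hostnames and addresses come from the report quoted above, and the one-hour tolerance around each cadence is an assumption.

```python
import re
from datetime import datetime

# Adups back-end hosts and addresses reported by Kryptowire (taken from the page).
ADUPS_HOSTS = {"bigdata.adups.com", "rebootv5.adsunflower.com",
               "188.8.131.52", "184.108.40.206"}

# Constructed proxy log lines (not real traffic): time, client, method, URL, status.
SAMPLE_LOG = """\
2016-11-01T02:10:05Z 10.0.0.23 POST https://bigdata.adups.com/ 200
2016-11-01T02:10:07Z 10.0.0.23 GET https://www.example.org/ 200
2016-11-02T02:10:05Z 10.0.0.23 POST https://bigdata.adups.com/ 200
2016-11-02T02:11:00Z 10.0.0.41 GET https://184.108.40.206/ 200
2016-11-03T02:10:05Z 10.0.0.23 POST https://bigdata.adups.com/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)\S* (\d{3})$")

def parse_line(line):
    """Return (timestamp, client, host) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, host, _status = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host

def find_adups_contacts(log_text):
    """All parsed records whose destination is one of the known Adups hosts or IPs."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r[2] in ADUPS_HOSTS]

def beacon_periods(contacts):
    """Median gap in hours between successive contacts, per (client, host).
    Gaps near 24 h or 72 h match the upload cadence Kryptowire reported."""
    stamps = {}
    for ts, client, host in contacts:
        stamps.setdefault((client, host), []).append(ts)
    periods = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if gaps:
            periods[key] = sorted(gaps)[len(gaps) // 2]
    return periods

def cadence_label(hours):
    """Map a beacon period to the cadences reported for this firmware (1 h tolerance assumed)."""
    if abs(hours - 24) <= 1:
        return "24h (other PII)"
    if abs(hours - 72) <= 1:
        return "72h (SMS / call logs)"
    return "irregular"
```

A single contact (the 10.0.0.41 client above) yields no period, so the cadence check only fires once a client has been seen talking to the same host at least twice.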
A new attack technique that exploits the Rowhammer hardware vulnerability on Android devices
Earlier last year, security researchers from Google’s Project Zero discovered Rowhammer, a hardware bug that allows attackers to manipulate data in memory without accessing it: by reading many times from a specific memory location, a bit somewhere else in memory may flip (a one becomes a zero, or a zero becomes a one).
As a result, hammering a memory region can disturb the neighboring rows, causing a row to leak charge into the next row, which eventually causes a bit to flip. And since bits encode data, this small change modifies that data, creating a way to gain control over the device.
Now, this design weakness has been exploited to gain unfettered “root” access to millions of Android smartphones, allowing potentially anyone to take control of affected devices.
Researchers at VuSec have created a new proof-of-concept exploit, dubbed DRAMMER, that can alter crucial bits of data in a way that completely roots big-brand Android devices from Samsung, OnePlus, LG and Motorola.
Drammer has the potential to put millions of users at risk, especially when combined with existing attack vectors like Stagefright or BAndroid: practically all devices are potentially vulnerable and must wait for a fix from Google before they can be patched.
We developed an Android app — not yet in Google Play, but available directly — to test your device for the Rowhammer bug. The app uses a native binary for which we also released the source code. After a successful run, the app uploads anonymized output. We will use this to get a better understanding of how widespread the Rowhammer bug is. Of course, you can opt out of sharing results.
Please note the following:
Currently, when it has finished its hammering session, the app does not give you a nice popup that tells you whether you are vulnerable or not. We will try to add this as soon as possible. Meanwhile, you can easily spot induced bit flips by glancing over the output and looking for the obvious keyword FLIP.
Your phone might still be vulnerable, even if the app detected zero flips! There are two main reasons for this. First, our current implementation of address selection is conservative: we recently discovered that the current code is only hammering half of the rows on a Nexus 5. On your device, the DRAM geometry might be different enough for our app to completely fail at selecting addresses for double-sided rowhammer. Second, the app may only have tested a very small fraction of your DRAM. Ideally, a single run takes at least an hour and scans a couple hundred MB. The current code already tries to free as much memory as possible to hammer (affected by the aggressiveness factor), but there are probably better ways of doing this.
VuSec has also developed a Rowhammer simulator that allows researchers and practitioners to simulate hardware bit flips in software, using bit-flip patterns (or fliptables) from a large set of DRAM chips.
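To make the fliptable idea concrete, here is an added toy model (not VuSec's simulator code) of a DRAM bank in which hammering a given aggressor row applies the flips recorded for it, in the direction the chip exhibits, and a per-row CRC shows how the corruption surfaces to an integrity check. The 64-byte row size, the three-row bank and the fliptable contents are constructed for the example.

```python
import zlib

ROW_BYTES = 64  # constructed toy geometry: each DRAM "row" is 64 bytes

class SimDRAM:
    """Software model of a DRAM bank: rows of bytes plus a fliptable that records
    which bit of which victim row flips, and in which direction, when a given
    aggressor row is hammered (the pattern a real chip exhibits)."""

    def __init__(self, n_rows, fliptable):
        self.rows = [bytearray(ROW_BYTES) for _ in range(n_rows)]
        # fliptable: {aggressor_row: [(victim_row, byte_off, bit, direction)]}
        # direction 1 means a 0->1 flip, direction 0 means a 1->0 flip
        self.fliptable = fliptable

    def write(self, row, data):
        self.rows[row][:len(data)] = data

    def read(self, row):
        return bytes(self.rows[row])

    def hammer(self, aggressor):
        """Simulate repeated activation of `aggressor`: apply every recorded flip
        whose victim bit currently holds the susceptible value (flips are
        directional, so a bit already at its flipped value stays put)."""
        flipped = []
        for victim, off, bit, direction in self.fliptable.get(aggressor, []):
            if (self.rows[victim][off] >> bit) & 1 != direction:
                self.rows[victim][off] ^= 1 << bit
                flipped.append((victim, off, bit, direction))
        return flipped

def check_integrity(dram, expected_crcs):
    """Detection side: rows whose CRC32 no longer matches the value recorded at write time."""
    return [r for r in range(len(dram.rows)) if zlib.crc32(dram.read(r)) != expected_crcs[r]]

def demo():
    # Constructed fliptable: hammering row 1 flips one bit in row 0 and one in row 2.
    fliptable = {1: [(0, 5, 3, 1), (2, 10, 0, 0)]}
    dram = SimDRAM(3, fliptable)
    for r in range(3):
        dram.write(r, bytes([0x00 if r == 0 else 0xFF]) * ROW_BYTES)
    crcs = [zlib.crc32(dram.read(r)) for r in range(3)]
    flips = dram.hammer(1)
    return flips, check_integrity(dram, crcs)
```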
The Android-IMSI-Catcher-Detector (AIMSICD for short) is an open-source Android project to detect and avoid fake base stations (IMSI-Catchers) or other base stations (mobile antennas) with poor or no encryption, born in 2012 on XDA.