Beginning of a new malicious campaign using fake apps to target Indian Android users

SonicWall Capture Labs Threats Research Team identified a few fake apps with a worm-like spreading capability via WhatsApp messages. These applications were not found on the Play Store; based on our analysis, they spread through WhatsApp messages or third-party app stores.

Initial Observations

During installation, these fake apps request the following permissions:

  • ACCESS_COARSE_LOCATION
  • INTERNET
  • READ_CONTACTS
  • READ_PHONE_STATE
  • READ_SMS
  • SEND_SMS
  • WRITE_EXTERNAL_STORAGE
  • ACCESS_NETWORK_STATE
  • ACCESS_WIFI_STATE
  • READ_EXTERNAL_STORAGE

The combination of READ_CONTACTS with READ_SMS, SEND_SMS and READ_PHONE_STATE is far more than a promotional-offers app needs. These applications use the icons, images and initial functionality of popular Indian Android applications, namely Jio and Paytm, and lure users with attractive promotional offers. Together, these factors indicate a campaign aimed at users of applications popular in the Indian market.

Below images show the applications post installation on the device:

As can be seen below, the navigation buttons on the top left corner in these apps are disabled (not clickable).

Functionality

Once installed, the user is shown offers in the form of a popup. To avail the promotional offer, the user needs to provide a 10-digit mobile number. Legitimate applications validate the user's mobile number via an OTP or some other mechanism. These applications do not validate the number at all: the app accepts whatever is entered and directs the user to the steps required to avail the offer.

In the background, the app sends device information such as location, IMEI number, service provider and device manufacturer name to a remote server (hxxp://global.appnext.com). This data is later used to display advertisements.

Spreading capability

To increase distribution, the app asks the user to share the download link over WhatsApp with at least 10 contacts.

On clicking the “SHARE ON WHATSAPP” button, the message below is sent to the contacts the user selects. The message includes the download link for the fake app (the Jio or Paytm offer).

The share counter is decremented locally on every click of “SHARE ON WHATSAPP” rather than on a confirmed share: even when WhatsApp is not installed on the device, the count can be brought down to zero simply by clicking the button, as shown below:

Once the count reaches zero, the user is shown a congratulatory message and told the steps remaining to avail the offer.

The offer now turns out to be a distant dream: the user is asked to click on advertisements. To monetize, random advertisements are displayed in the web browser and keep changing at regular intervals.

The back navigation button is rendered non-functional. The user has to either kill the app or press the home button to come out of the application.

A few indicators to identify fake apps

  • The look and feel mimics the real Jio and Paytm applications, but none of the controls in the application work (the navigation bar in the top left corner is disabled).
  • No validation of user input, such as the mobile number.
  • Misuse of messaging apps like WhatsApp to push a download link to the user's contacts.
  • Installation requires enabling the Unknown Sources setting, since the app is not distributed through the Play Store.


SonicWall Capture Labs provides protection against this threat via the following signature(s):

  • AndroidOS.FakeAd

Indicators of compromise (package name – SHA-256):

op.voiice.a4g.anew.new4gvoicev – 7091d3b58d9680ab257ba328048d1e4142bbbade4e424062a1ed6af26b92005b

bhadva.chromva.jio4goffers – 7fb502ce2f6c8edcd4a801eeee4393c2b27d4988a7e1261df98facc7c72868ed

op.voiice.a4g.anew.new4gvoicev – 8c393609732d6f8cf2e10a75aebed11f3a869791461469a9a9927f8a77be94ed

bab.navi.newnavi – 9c574a77979532eb36c602b73cab9c627c79af38f9331736beba59a82d984d81

bhadva.chromva.jio4goffers – 991b4ded04820306eb59e3086c967e7473b5f547b0a0c1003ca3347a84b4bef6

bhadva.chromva.jio4goffers – d3d8a1505549d876dbf95df8b00f623cd3074873231b3374a7dd7812de8ecc06

sdffn.bobl.offerva.myjio_offers – daa7b780e7a2be97378f16376e89e9adc34e7cebb3a1d1e95f82e654a88bd83a
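The permission list and the indicators above can be turned into a simple triage routine. The following is an added example, not SonicWall tooling: it parses the output of `aapt dump permissions <apk>`, matches the package name and SHA-256 against the IOC list on this page, and flags any APK that requests the campaign's contacts-plus-SMS permission footprint even when its hash is not yet known. The sample dump and the APK bytes it hashes are constructed for the example; the IOC values are the ones listed above.

```python
import hashlib
import re

# Indicators listed on the page: SHA-256 -> package name.
IOC_HASHES = {
    "7091d3b58d9680ab257ba328048d1e4142bbbade4e424062a1ed6af26b92005b": "op.voiice.a4g.anew.new4gvoicev",
    "7fb502ce2f6c8edcd4a801eeee4393c2b27d4988a7e1261df98facc7c72868ed": "bhadva.chromva.jio4goffers",
    "8c393609732d6f8cf2e10a75aebed11f3a869791461469a9a9927f8a77be94ed": "op.voiice.a4g.anew.new4gvoicev",
    "9c574a77979532eb36c602b73cab9c627c79af38f9331736beba59a82d984d81": "bab.navi.newnavi",
    "991b4ded04820306eb59e3086c967e7473b5f547b0a0c1003ca3347a84b4bef6": "bhadva.chromva.jio4goffers",
    "d3d8a1505549d876dbf95df8b00f623cd3074873231b3374a7dd7812de8ecc06": "bhadva.chromva.jio4goffers",
    "daa7b780e7a2be97378f16376e89e9adc34e7cebb3a1d1e95f82e654a88bd83a": "sdffn.bobl.offerva.myjio_offers",
}
IOC_PACKAGES = set(IOC_HASHES.values())

# Permission set the fake apps request (from the page), with the android.permission prefix.
CAMPAIGN_PERMISSIONS = {
    "android.permission." + p for p in (
        "ACCESS_COARSE_LOCATION", "INTERNET", "READ_CONTACTS", "READ_PHONE_STATE",
        "READ_SMS", "SEND_SMS", "WRITE_EXTERNAL_STORAGE", "ACCESS_NETWORK_STATE",
        "ACCESS_WIFI_STATE", "READ_EXTERNAL_STORAGE",
    )
}
# Permissions an "offers" app has no business requesting together.
HIGH_RISK = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
}

# Accepts both `uses-permission: name='...'` (newer aapt) and `uses-permission: ...` (older aapt).
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?\s*$", re.M)
_PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?", re.M)


def parse_aapt_permissions(dump):
    """Return (package name, set of permissions) from `aapt dump permissions` text."""
    pkg = _PKG_RE.search(dump)
    return (pkg.group(1) if pkg else ""), set(_PERM_RE.findall(dump))


def sha256_hex(data):
    """SHA-256 of the raw APK bytes, lower-case hex, as used in the IOC list."""
    return hashlib.sha256(data).hexdigest()


def triage(package, permissions, sha256):
    """Verdict for one APK: exact IOC match first, then the campaign's permission profile."""
    risky = permissions & HIGH_RISK
    overlap = permissions & CAMPAIGN_PERMISSIONS
    if sha256.lower() in IOC_HASHES or package in IOC_PACKAGES:
        verdict = "known_ioc"
    elif len(risky) >= 2:
        verdict = "suspicious"   # contacts + SMS/phone-state access is the campaign's footprint
    else:
        verdict = "low"
    return {"package": package, "verdict": verdict,
            "risky_permissions": sorted(risky), "profile_overlap": len(overlap)}


# Constructed sample in `aapt dump permissions` format; not a real capture.
SAMPLE_DUMP = """\
package: bhadva.chromva.jio4goffers
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    pkg, perms = parse_aapt_permissions(SAMPLE_DUMP)
    print(triage(pkg, perms, sha256_hex(b"constructed apk bytes")))
```

Hash matches catch the exact samples; the permission check is what catches the next repack of the same app with a different hash, at the cost of some false positives on legitimate messaging or dialer apps, so treat "suspicious" as a queue for manual review rather than a block verdict.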

Dragonblood Vulnerability: Is your WiFi secure?

It’s Game of Thrones season! And anything to do with dragons reminds me of GoT. The Dragonblood vulnerability recently exposed weaknesses in the WPA3 standard. It was only in 2017 that KRACK exposed weaknesses in the WPA2 standard. In response, the Wi-Fi Alliance announced a stronger successor to WPA2: WPA3.

But, was this really a strong successor as it was perceived? Apparently, no.

WPA3 incorporates the Simultaneous Authentication of Equals (SAE) handshake, a major improvement over WPA2's pre-shared-key handshake because it is designed to resist offline dictionary attacks. SAE is an instance of the Dragonfly family of password-authenticated key exchanges. Dragonblood shows that the handshake is susceptible to password-partitioning attacks: side-channel leaks (timing and cache) reveal information about how the password was encoded, and each leaked piece of information lets the attacker discard part of a password dictionary until the network password is recovered.

According to the researchers Mathy Vanhoef and Eyal Ronen, who published the paper on this vulnerability, WPA3 is affected by serious design flaws that could have been avoided with feedback from industry experts on secure Wi-Fi. Among their observations is that WPA3 does not introduce any new protocols; it only specifies which existing protocols must be supported.

WPA3 background

WPA3 made enhancements over WPA2 using the latest security methods, disallowing outdated legacy protocols and implementing the use of Protected Management Frames (PMF). It was designed with two types of networks in mind: protection for home networks with WPA3-Personal and for enterprise networks with WPA3-Enterprise.

WPA3-Personal provides increased network password protection, while WPA3-Enterprise provides higher-security protocols for enterprise networks. In WPA3-Personal networks, the SAE handshake replaces the Pre-Shared Key (PSK) handshake of WPA2-Personal networks. WPA3-Personal also promises natural password selection, ease of use and forward secrecy.

What is the Dragonfly handshake?

WPA3-Personal mandates support for the SAE handshake, a balanced Password Authenticated Key Exchange (PAKE): both endpoints (two mesh points, or an AP and a client) store the password in clear text. The input to the SAE handshake is the pre-shared secret and the output is a high-entropy Pairwise Master Key (PMK). A four-way handshake then follows to derive the Pairwise Transient Key (PTK).

6 ways Dragonblood affects your wireless network

  1. Denial of Service (DoS) attack. WPA3’s anti-clogging mechanism, which is supposed to protect an access point from being flooded with handshake requests, does not prevent the attack. An attacker can overload the AP's SAE handshake processing, which can bring down access points and cause disruption on your network.
  2. Downgrade attack. WPA3’s transition mode is susceptible to dictionary attacks. In this mode, a WPA3-capable access point accepts connections from both WPA2 and WPA3 client devices. If an attacker uses a man-in-the-middle position to present the WPA3-capable access point to the client as a WPA2-only access point, the client starts a WPA2 four-way handshake. The client does detect the anomaly during that handshake and aborts it, but by then the first handshake messages have already been exchanged, and they contain enough material for an offline dictionary attack against the password. In addition, the researchers also discovered “implementation-specific downgrade attacks when a client improperly auto-connects to a previously used WPA3-only network.”
  3. SAE group negotiation attack. Client devices can prioritize the groups used in the SAE handshake according to the 802.11 specification. With SAE, when a client connects to an access point it includes the desired group in the commit frame; if the AP does not support that group, it says so and the client tries its next preferred group. “Unfortunately, there is no mechanism that detects if someone interfered with this process. This makes it trivial to force the client into using a different group: simply forge a commit frame that indicates the AP does not support the currently selected group.” This results in a downgrade attack. The same method can also be used to perform upgrade attacks.
  4. Timing-based side-channel attacks. The SAE handshake is susceptible to timing attacks: the time the password-encoding step takes depends on the password, which leaks information that can later be used in password-partitioning attacks to recover the victim’s password.
  5. Cache-based side-channel attacks. SAE is further susceptible to cache-based side channels in implementations of its password-encoding algorithm, which can likewise be leveraged in password-partitioning attacks to recover the victim’s password.
  6. EAP-pwd. EAP-pwd is an Extensible Authentication Protocol (EAP) method, supported in WPA and WPA2 Enterprise networks, that is also built on Dragonfly and shares its weaknesses. The researchers also “discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user’s password.”
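To make the password-partitioning idea behind items 4 and 5 concrete, here is an added example (not code from the paper, from any Wi-Fi stack, or from SonicWall) of the "hunting and pecking" loop that Dragonfly uses to turn the password into a group element, together with the attack that a timing leak of its iteration count enables. The group is a constructed 11-bit toy (p = 1031, subgroup order 103) and the KDF is a simplified HMAC-SHA256 expansion so that it runs offline; real SAE MODP groups use 2048-bit and larger primes, but the loop has the same shape. The dictionary, the victim password and the MAC addresses are constructed, and the attacker's "timing measurement" is simulated by reading the iteration count from the function directly.

```python
import hashlib
import hmac

# Constructed toy group: 1031 is prime and 103 divides P - 1 = 1030, so an
# order-103 subgroup exists. Real SAE MODP groups use RFC 3526 safe primes.
P = 1031
Q = 103
P_BITS = P.bit_length()   # 11 bits, so roughly half of all KDF outputs are >= P


def _kdf_n_bits(seed, label, nbits):
    """Stand-in for the spec's KDF-n: HMAC-SHA256 expansion truncated to nbits."""
    out, counter = b"", 1
    while len(out) * 8 < nbits:
        out += hmac.new(seed, bytes([counter]) + label, hashlib.sha256).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def hunt_and_peck(password, mac_a, mac_b):
    """Derive the password element PE for the MODP-group variant of Dragonfly.

    Returns (PE, iterations). The loop only stops once a usable element is
    found, so the number of iterations, and with it the handshake's running
    time, depends on the password and on both MAC addresses.
    """
    addrs = max(mac_a, mac_b) + min(mac_a, mac_b)
    counter = 1
    while True:
        pwd_seed = hmac.new(addrs, password + bytes([counter]), hashlib.sha256).digest()
        pwd_value = _kdf_n_bits(pwd_seed, b"SAE Hunting and Pecking", P_BITS)
        if pwd_value < P:
            pe = pow(pwd_value, (P - 1) // Q, P)   # map into the order-Q subgroup
            if pe > 1:
                return pe, counter
        counter += 1


def partition(candidates, observations):
    """Keep only passwords whose iteration count matches every
    (AP MAC, client MAC, observed iterations) measurement."""
    alive = list(candidates)
    for ap_mac, client_mac, observed in observations:
        alive = [pw for pw in alive if hunt_and_peck(pw, ap_mac, client_mac)[1] == observed]
    return alive


# Constructed attack scenario: a small dictionary that contains the victim's password.
DICTIONARY = [b"password", b"letmein", b"sunshine", b"dragon", b"iloveyou", b"qwerty123",
              b"welcome1", b"monkey", b"football", b"princess", b"shadow", b"trustno1",
              b"abc12345", b"hunter2", b"starwars", b"winter2019"]
VICTIM_PASSWORD = b"starwars"
AP_MAC = bytes.fromhex("020000000001")   # constructed locally administered address


def measure(n_clients):
    """Simulate n timing measurements. The attacker spoofs a fresh client MAC for
    each commit frame, which changes the loop's input, and learns the iteration
    count from how long the AP takes to answer. Here the count is read from the
    function instead of a stopwatch."""
    observations = []
    for i in range(n_clients):
        client_mac = bytes.fromhex("02000000ff%02x" % i)
        _, count = hunt_and_peck(VICTIM_PASSWORD, AP_MAC, client_mac)
        observations.append((AP_MAC, client_mac, count))
    return observations


def recover(n_clients):
    """Dictionary entries still consistent with n_clients measurements."""
    return partition(DICTIONARY, measure(n_clients))


if __name__ == "__main__":
    for n in (1, 3, 10):
        print(n, "measurements ->", recover(n))
```

Each measurement removes, on average, most of the candidates that are still alive, so a handful of spoofed handshakes is enough to single out the password from a realistic dictionary. The attacker never needs to break the handshake itself; the leak is in how long the victim takes to encode the password, and a constant-time encoding (or a group in which the loop always runs a fixed number of iterations without data-dependent work) is what closes it.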

How to protect against Dragonblood

The side-channel and implementation flaws behind Dragonblood can be fixed with software patches. While the Wi-Fi Alliance is communicating guidelines to vendors, ensure that your network is always patched with the latest security updates from your wireless device manufacturers. The downgrade exposure in transition mode is a configuration matter rather than a bug, so move networks to WPA3-only once all clients support it, and in all cases use strong passwords on your networks.
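As an added example of the configuration side of this advice, the following Python routine audits a hostapd.conf for the settings discussed above: transition mode (WPA-PSK and SAE side by side, which exposes the WPA2 handshake to the downgrade in item 2), Protected Management Frames not required, and more than one SAE group enabled (room for the group negotiation games in item 3). This is not hostapd's or SonicWall's code. The option names (wpa_key_mgmt, ieee80211w, sae_groups, sae_require_mfp, sae_password) are real hostapd options; the two configurations are constructed and not taken from any deployment.

```python
def parse_conf(text):
    """Parse hostapd's key=value format, ignoring blank lines and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return a list of finding tags for the Dragonblood-relevant settings."""
    conf = parse_conf(text)
    findings = []
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "SAE" not in key_mgmt:
        findings.append("no-sae")                   # still on the WPA2 PSK handshake
    elif "WPA-PSK" in key_mgmt:
        findings.append("transition-mode")          # WPA2 handshake reachable by downgrade
    if conf.get("ieee80211w") != "2":
        findings.append("pmf-not-required")         # management frames can be forged
    if "SAE" in key_mgmt:
        if len(conf.get("sae_groups", "").split()) != 1:
            findings.append("sae-groups-not-pinned")  # client can be steered between groups
        if conf.get("sae_require_mfp") != "1":
            findings.append("sae-without-mfp")
    return findings


# Constructed hostapd.conf fragments (not from any real deployment).
WEAK_CONF = """
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=correct horse battery staple
sae_password=correct horse battery staple
rsn_pairwise=CCMP
ieee80211w=1
sae_groups=19 20 21
"""

HARDENED_CONF = """
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=SAE
sae_password=correct horse battery staple
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
sae_groups=19
"""

if __name__ == "__main__":
    print("weak:    ", audit_hostapd(WEAK_CONF))
    print("hardened:", audit_hostapd(HARDENED_CONF))
```

The audit does not replace patching: a WPA3-only, PMF-required, single-group configuration still runs the same password-encoding code, so the timing and cache leaks in items 4 and 5 are only closed by an updated hostapd or vendor firmware.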

Does the Dragonblood vulnerability affect SonicWave wireless access points?

No. This vulnerability does not affect SonicWall wireless access points. The SonicWave access points provide superior wireless security and a dedicated third radio for security scanning. Advanced security services like the Capture Advanced Threat Protection (ATP) sandbox and Content Filtering Service (CFS) can be performed by the APs, even when they are untethered from the firewalls. It gives you the ultimate flexibility to manage wireless from the cloud or via the firewalls — without compromising security.