Innovative Malware Attacks
First published: 16/03/2020
Security vulnerabilities are a major headache when providing secure digital services. With hundreds of vulnerabilities surfacing each year on Android alone, it can be challenging to stay on top of the trends. If that is the case, what channels can be used to stay up to date, and what are the current trends?
It's All About the Hype
Reading the news, there appears to be a new critical security issue almost every week. Some of these get a lot of attention, such as StrandHogg, while others go by almost unnoticed.
Sadly, the reason that some security issues get so much attention is not necessarily the severity of the issue. Often, the marketing of the issue is what determines the media attention. Some security researchers take the time to create a cool logo, and some even create websites, which increases the chances of media exposure regardless of the severity.
Even though not all of the malware attacks and security vulnerabilities that get attention are all that interesting, it is still worthwhile to look at the trends in vulnerabilities and how they can be examined. At Okay, we have a particular focus on protecting transactions and authentications for the financial sector, but a lot is happening outside that niche that is worth paying attention to.
Over the last few months, one particular trend has received more attention: the increase in attacks on data communication protocols. One example is the attack on the Bluetooth chipset known as BlueFrag.
“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known.”
But it is not just Bluetooth that is under attack. A few days ago, the “Kr00k” vulnerability was published. This is a new WiFi vulnerability which can affect the network security of as many as a billion devices.
Another trend that has gotten some attention is the activities of nation-state actors, such as when Jeff Bezos’ mobile phone got hacked by the Saudi Government using a video file sent on WhatsApp.
The use of malware for state espionage is not a new development, as many reading this might remember the NSA ANT catalogue leaked in 2013. In October 2019, BlackBerry published a good overview that sheds light on how state and state-sponsored Advanced Persistent Threat (APT) groups have been, and still are, using malware for espionage.
Staying up to Date on Security Issues and Fixes
For the reported security issues, the most important source is the NIST National Vulnerability Database where the so-called CVE numbers are registered. This database can be a bit hard to navigate, but there are some aggregators out there that are more user-friendly.
One example is CVE Details, which has reports for both Google and Apple that make it easy to compare reported security issues. Looking at overviews such as these can give you an impression of how the different vendors are doing with regard to security.
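Because the NVD is hard to navigate by hand, the practical way to use it is to pull the feed for the platforms you ship on and filter it yourself. The following is an added example, not code from the original post or from Okay; it assumes the JSON layout of the NVD API 2.0 response (vulnerabilities[].cve with id, published, descriptions, metrics.cvssMetricV31/V30/V2 and configurations[].nodes[].cpeMatch[].criteria). The feed below is constructed for the example and its CVE ids are placeholders, not real entries. It shows the two things a practitioner wants from the database: a per-product triage list ordered by severity, and the kind of per-vendor count that aggregators such as CVE Details present.

```python
"""Triage a slice of the NVD CVE feed for the products you actually ship on.

Added example (not from the original post). Assumes the NVD API 2.0 JSON layout.
SAMPLE_FEED is constructed; its CVE ids are placeholders, not real entries.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "published": "2020-02-03T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "Constructed: code execution via Bluetooth."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*"},
                 {"vulnerable": True, "criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "published": "2020-02-10T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "Constructed: information disclosure."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.5}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:apple:iphone_os:13.3:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "published": "2020-02-12T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "Constructed: older entry scored only with CVSS v2."}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*"},
                 {"vulnerable": False, "criteria": "cpe:2.3:h:samsung:galaxy:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0004", "published": "2020-02-14T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "Constructed: awaiting analysis, no score yet."}],
             "metrics": {},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*"}]}]}]}},
]})


@dataclass
class CveRecord:
    cve_id: str
    published: str
    summary: str
    score: Optional[float]                      # best available CVSS base score, None if unscored
    products: Set[Tuple[str, str, str]] = field(default_factory=set)  # (vendor, product, version)


def _best_score(metrics: dict) -> Optional[float]:
    """Prefer CVSS v3.1, then v3.0, then v2; None when the entry has not been scored yet."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        scores = [m["cvssData"]["baseScore"] for m in metrics.get(key) or [] if "cvssData" in m]
        if scores:
            return max(scores)
    return None


def _affected_products(configurations: list) -> Set[Tuple[str, str, str]]:
    """Collect (vendor, product, version) from every CPE 2.3 match flagged as vulnerable.

    Matches with vulnerable=false describe the platform a flaw runs on, not the flawed
    component, so they are skipped to avoid blaming the wrong vendor."""
    found = set()
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", False):
                    continue
                parts = match["criteria"].split(":")   # cpe:2.3:<part>:<vendor>:<product>:<version>:...
                if len(parts) >= 6 and parts[0] == "cpe":
                    found.add((parts[3], parts[4], parts[5]))
    return found


def parse_feed(text: str) -> List[CveRecord]:
    """Turn the raw NVD JSON text into flat records that are easy to filter."""
    records = []
    for item in json.loads(text).get("vulnerabilities", []):
        cve = item["cve"]
        english = [d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"]
        records.append(CveRecord(
            cve_id=cve["id"],
            published=cve.get("published", ""),
            summary=english[0] if english else "",
            score=_best_score(cve.get("metrics", {})),
            products=_affected_products(cve.get("configurations", [])),
        ))
    return records


def triage(records: List[CveRecord], vendor: str, product: str, min_score: float = 7.0) -> List[CveRecord]:
    """Entries hitting vendor/product at or above min_score, worst first.

    Unscored entries are kept on purpose: a missing score means 'not analysed yet',
    not 'low severity', and dropping them would hide the newest issues."""
    hits = [r for r in records
            if any(v == vendor and p == product for v, p, _ in r.products)
            and (r.score is None or r.score >= min_score)]
    return sorted(hits, key=lambda r: (r.score is not None, r.score or 0.0), reverse=True)


def count_by_vendor(records: List[CveRecord]) -> Dict[str, int]:
    """Number of CVEs touching each vendor, the overview that aggregators present."""
    counts: Dict[str, int] = {}
    for r in records:
        for vendor in {v for v, _, _ in r.products}:
            counts[vendor] = counts.get(vendor, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    for r in triage(recs, "google", "android", min_score=7.0):
        print(f"{r.cve_id}  score={r.score}  {r.summary}")
    print(count_by_vendor(recs))
```

Running the script against the constructed feed lists the two Android entries that deserve attention first (the 8.8 and the one not yet scored) and reports three Google and one Apple entry. Against a real download, swap SAMPLE_FEED for the response text and keep the vendor/product pair in the CPE spelling the NVD uses.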
Fixes to the issues can also be investigated. For Android, the official monthly security bulletins, like this one from February 2020, are a good place to start. This is the official list of fixes in the latest version of Android, often with a lot of detail, even down to the changes in code that solve the issue.
The official fixes for this February include new issues which can be used to intercept touch events (for example to steal PINs and passwords), new vulnerabilities in Bluetooth which could be used to remotely gain access to a device (the BlueFrag attack), and more. Apple does have a similar page, but there you have to click through to the individual product updates and look for the CVE numbers to see what is fixed.
Security Issues Opening Doors for Malware
The descriptions used in the security bulletins can be terse and too fond of acronyms, but one thing is clear: most of the security fixes are for elevation of access, which can often let malware gain root access on a device. In addition, there are usually some which can also be used for remotely running code on a device.
In other words, there are security issues which can be used to run code on a device remotely, and there are other issues which can let that code run with full access to the device. Also, the exact modification in the code to solve the issue is reported in full. For any user that has a device that is still receiving updates, this is not an issue.
But how does this help people who have a device that is simply too old to run the latest security update?
In practice, being open about security issues can also help criminals create new and innovative forms of malware, or let nation-state actors spy on their citizens or other governments. The lack of easy solutions to this issue is one of the reasons Okay made the conscious choice to focus on transaction security, with the hope that at least we can try to help within one single sector.