Innovative malware attacks
Security vulnerabilities are a major headache when providing secure digital services. With hundreds of vulnerabilities surfacing each year just on Android, it can be challenging to stay on top of the trends. Then, what channels can be used to stay up to date, and what are the current trends?
Reading the news there appears to be a new critical security issue almost every week. Some of these get a lot of attention, such as StrandHogg, while others go by almost unnoticed. Sadly, the reason that some security issues get a lot of attention is not solely due to the severity of the issue. Often the marketing of the issue is what determines the media attention. Some security researchers take the time to create a cool logo and some even create websites, which increases the chance of media exposure, regardless of the severity.
Even though not all of the malware attacks and security vulnerabilities that get attention are all that interesting, it is still worthwhile to look at the trends in vulnerabilities and how they can be examined. At Okay we have a particular focus on protecting transactions and authentications for the financial sector, but a lot is happening outside of that niche that it is valuable to pay attention to.
Over the last few months, one particular trend has gotten more attention: there has been an increase in attacks on data communication protocols. One example is the attack on the Bluetooth chipset known as BlueFrag, an attack where: “On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known.” But it is not just Bluetooth that is under attack. A few days ago the “Kr00k” vulnerability was published. This is a new WiFi vulnerability which can affect the network security of as many as a billion devices.
Another trend that has gotten some attention lately is the activities of nation-state actors, such as when Jeff Bezos’ mobile phone apparently got hacked by the Saudi Government using a video file sent on WhatsApp. The use of malware for state espionage is in fact not a new development, and many reading this might remember the NSA ANT catalogue leaked in 2013. In October 2019 BlackBerry published a good overview that sheds light on how state and state-sponsored Advanced Persistent Threat (APT) groups have been, and still are, using malware for espionage.
Staying up to date on security issues and fixes
For the reported security issues, the most important source is the NIST National Vulnerability Database, where the so-called CVE numbers are registered. This database can be a bit hard to navigate, but there are some aggregators out there that are more user-friendly. One example is CVE Details, which has reports for both Google and Apple that make it easy to compare reported security issues. Looking at overviews such as these can give you an impression of how the different vendors are doing with regards to security.
Fixes to the issues can also be investigated. For Android, the official monthly security bulletins, such as this one from February 2020, are a good place to start. This is the official list of fixes in the latest version of Android, often with a lot of detail, even down to the changes in code that solve the issue. The official fixes for February include new issues which can be used to intercept touch events (for example to steal PINs and passwords), new vulnerabilities in Bluetooth which could be used to remotely gain access to a device (the BlueFrag attack), and more. Apple does have a similar page, but there you have to click through to the individual product updates and look for the CVE numbers to see what is fixed.
Security issues opening doors for malware
The descriptions used in the security bulletins can be terse and too fond of acronyms, but one thing is clear: Most of the security fixes are for elevation of access, which can often let malware gain root access on a device. In addition, there are usually some which can be used for remotely running code on a device as well.
In other words: There are security issues which can be used to run code on a device remotely and there are other issues which can let that code run with full access to the device. Also, the exact modification in the code to solve the issue is reported in full. For any user that has a device that is still receiving updates this is not an issue, but how does this help people who have a device that is simply too old to run the latest security update?
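The triage described in the preceding paragraphs, as an added example (this is not code from the Okay post or from any vendor's bulletin tooling): entries in the shape of a monthly Android security bulletin are tallied by vulnerability type, and a device's Android version and security patch level are checked against them to see which fixes it has not yet received. The bulletin entries are constructed sample data and the CVE identifiers are placeholders, since the post quotes no CVE numbers; the type labels (EoP for elevation of privilege, RCE for remote code execution, ID for information disclosure) follow the abbreviations the bulletins use.

```python
"""Added example: triage security-bulletin entries by type and check a device
against them. Sample data is constructed; CVE ids are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BulletinEntry:
    cve_id: str          # placeholder ids; the post cites no real CVE numbers
    vuln_type: str       # "EoP", "RCE" or "ID", as abbreviated in the bulletins
    severity: str        # "Critical", "High", "Moderate" ...
    versions: tuple      # affected Android versions
    patch_level: str     # security patch level carrying the fix (ISO date)


# Constructed sample in the shape of a monthly Android bulletin (not real data).
SAMPLE_BULLETIN = [
    BulletinEntry("CVE-EXAMPLE-0001", "RCE", "Critical", ("8.0", "8.1", "9"), "2020-02-01"),
    BulletinEntry("CVE-EXAMPLE-0002", "EoP", "High", ("8.0", "8.1", "9", "10"), "2020-02-01"),
    BulletinEntry("CVE-EXAMPLE-0003", "EoP", "High", ("10",), "2020-02-05"),
    BulletinEntry("CVE-EXAMPLE-0004", "ID", "Moderate", ("9", "10"), "2020-02-01"),
    BulletinEntry("CVE-EXAMPLE-0005", "RCE", "Critical", ("8.0", "9", "10"), "2020-01-01"),
]


def count_by_type(entries):
    """How many fixes fall into each category (EoP, RCE, ID ...)."""
    counts = {}
    for entry in entries:
        counts[entry.vuln_type] = counts.get(entry.vuln_type, 0) + 1
    return counts


def outstanding_for_device(entries, android_version, device_patch_level):
    """Entries that affect the device's Android version and whose fix is
    newer than the patch level the device currently reports.
    ISO-8601 dates compare correctly as plain strings."""
    return [
        entry for entry in entries
        if android_version in entry.versions
        and entry.patch_level > device_patch_level
    ]


def outstanding_types(entries, android_version, device_patch_level):
    """Sorted set of vulnerability types still unpatched on the device. A device
    with both "RCE" and "EoP" outstanding faces the combination the post
    describes: remote code execution plus elevation to full device access."""
    pending = outstanding_for_device(entries, android_version, device_patch_level)
    return sorted({entry.vuln_type for entry in pending})


if __name__ == "__main__":
    print("fixes by type:", count_by_type(SAMPLE_BULLETIN))
    for version, level in (("9", "2020-01-01"), ("10", "2020-02-01"), ("8.1", "2020-02-01")):
        pending = outstanding_for_device(SAMPLE_BULLETIN, version, level)
        print(f"Android {version} at patch level {level}:",
              [entry.cve_id for entry in pending],
              outstanding_types(SAMPLE_BULLETIN, version, level))
```

Running the script on the sample shows the point the post makes: an Android 9 device stuck at the January 2020 patch level still has an RCE, an EoP and an ID fix outstanding, while the same device at the February patch level has none. Swapping the constructed list for entries parsed from a real bulletin gives a quick per-fleet view of which devices are exposed to which class of issue.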
In practice, being open about security issues can also help criminals create new and innovative forms of malware, or let nation-state actors spy on their citizens or other governments. The lack of easy solutions to this issue is one of the reasons Okay made the conscious choice to focus on transaction security, with the hope that at least we can try to help within one single sector.