ZebrAttack Creates Data Breach via Mobile OS, App Vulnerabilities

At the AVAR conference in November, with the help of coauthor and independent security researcher Song Li, we will present our findings of an emerging mobile threat vector.

We have found that in a group of popular retail apps, such as Costco’s and Walgreens’ apps for Android, when a QR code is scanned using the app’s scanning feature, the app will pull content from the QR code’s URL. (Costco has recently released an updated app in which the QR code-scanning feature has been removed.) These apps are supposed to determine that the URL is from a trusted source. However, unlike browsers, which enforce the same-origin policy, the policy validation implemented by these apps can be bypassed with a carefully crafted QR code. Such a QR code can trick the app into pulling malicious code and executing it within the app. We have posted a snippet of this research to demonstrate how sensitive user information, such as phone number, SIM card number, and user geolocation, can leak to attackers when the QR code is scanned.
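The weakness described above is a trust check on the URL decoded from the QR code that is looser than a browser's origin comparison. The following Python script is an added example, not code from the McAfee post or from any of the apps it names: it puts a substring-style "is the trusted hostname in the URL?" check next to a strict comparison of the parsed scheme, host and port against an allowlist, and runs both over a few constructed sample URLs. The hostnames, the allowlist and the sample URLs are all assumptions made up for the example; the real apps would perform this check in Java, but the logic is the same.

```python
"""Origin check for URLs decoded from QR codes.

Added example, not code from the McAfee post or from any of the apps it
names. It contrasts a loose "trusted source" check of the kind the post
says can be bypassed with a strict origin comparison of the sort a
browser's same-origin policy performs. All hostnames and URLs below are
constructed sample values.
"""
from urllib.parse import urlsplit

# Assumed allowlist of (scheme, host, port) origins the app may load from.
TRUSTED_HOST = "scanner.example-retailer.com"
TRUSTED_ORIGINS = {("https", TRUSTED_HOST, 443)}


def loose_is_trusted(url: str) -> bool:
    """Substring check: only asks whether the trusted name appears somewhere.

    It says nothing about which host the client will actually connect to,
    which is why a crafted URL can satisfy it.
    """
    return TRUSTED_HOST in url


def strict_is_trusted(url: str) -> bool:
    """Compare the parsed (scheme, host, port) against the allowlist exactly."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":            # plaintext content can be altered in transit
        return False
    if parts.username is not None or parts.password is not None:
        return False                       # userinfo before '@' can disguise the real host
    host = parts.hostname                  # lower-cased, userinfo and port removed
    if not host:
        return False
    try:
        port = parts.port or 443
    except ValueError:                     # non-numeric port
        return False
    return (parts.scheme, host, port) in TRUSTED_ORIGINS


# Constructed sample URLs, as they might be decoded from QR codes.
SAMPLE_URLS = [
    "https://scanner.example-retailer.com/coupon?id=42",           # genuine
    "http://scanner.example-retailer.com/coupon?id=42",            # wrong scheme
    "https://scanner.example-retailer.com.attacker.example/",      # trusted name is only a prefix of the host
    "https://scanner.example-retailer.com@attacker.example/",      # trusted name is userinfo, host is elsewhere
    "https://attacker.example/?ref=scanner.example-retailer.com",  # trusted name only in the query string
]


def evaluate(urls=SAMPLE_URLS):
    """Return {url: (loose_verdict, strict_verdict)} for each sample URL."""
    return {u: (loose_is_trusted(u), strict_is_trusted(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in evaluate().items():
        print(f"loose={loose!s:5} strict={strict!s:5} {url}")
```

Run as a script, the loose check accepts all five samples because each contains the trusted hostname somewhere in the string, while the strict check accepts only the first. The same parse-then-compare approach is what an app should apply before handing any QR-derived URL to a component that will fetch and execute content.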

As reported recently, Android has surpassed iOS as the largest operating system for mobile and tablet devices. And we’re not surprised that mobile threats are growing as well. As of today, McAfee has collected more than 6 million unique APKs (not counting inner components), of which 49% are potentially unwanted programs (PUPs) or malicious.

[Figure: Android app pie chart]

These APKs are signed by 495,000 unique certificates, indicating a large community of Android developers from both the legitimate market and the underground economy. We expect to collect more than 4 million accumulated legitimate Android apps by the end of 2014.

[Figure: Android app trending chart]
Total number of Android apps, with projections for 2014.

As Google continues to raise the security bar, malicious apps may find it harder to sneak into Google Play or other app stores. Attackers have apparently aimed at alternative attack surfaces. First, more than 50% of Android devices are still running Android 4.2 or earlier, without fixes for the majority of disclosed Android vulnerabilities. Second, OEM-layer vulnerabilities have been discovered as well. Finally, app-level weaknesses such as the QR-scanning flaw we discuss have emerged as the chief security bottleneck. With Android developers having to support multiple versions of the OS while meeting time-to-market pressure in this fast-moving mobile space, it is hard for every app developer to make security a priority.

We in the security industry try to raise customer and developer awareness and provide solutions. At AVAR we will share our insights, especially in app and device reputation. For more observations on mobile security, refer to the McAfee Labs Threats Reports.

Many thanks to my colleague Brad Stark for providing insightful Android malware statistical data.
