Everyone’s talking juice-jacking – but has anyone ever been juice-jacked? Uber suffers yet another data breach, but it hasn’t been hacked. And Carole hosts the “AI-a-go-go or a no-no?” quiz for Dave and Graham.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Authored by SangRyol Ryu
McAfee’s Mobile Research Team discovered a software library we’ve named Goldoson, which collects lists of applications installed, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user’s consent. The research team has found more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea. While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains.
McAfee Mobile Security detects this threat as Android/Goldoson and protects customers from this and many other mobile threats. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Google has reportedly notified the developers that their apps are in violation of Google Play policies and fixes are needed to reach compliance. Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices.
Top 9 applications previously infected by Goldoson on Google Play
The Goldoson library registers the device and gets remote configurations at the same time the app runs. The library name and the remote server domain varies with each application, and it is obfuscated. The name Goldoson is after the first found domain name.
Mutating class names
Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers. The tags such as ‘ads_enable’ or ‘collect_enable’ indicates each functionality to work or not while other parameters define conditions and availability.
A response of remote configuration
The library includes the ability to load web pages without user awareness. The functionality may be abused to load ads for financial profit. Technically, the library loads HTML code and injects it into a customized and hidden WebView and it produces hidden traffic by visiting the URLs recursively.
Pages loaded without user perception
Collected data is sent out periodically every two days but the cycle is subject to change by the remote configuration. The information contains some sensitive data including the list of installed applications, location history, MAC address of Bluetooth and Wi-Fi nearby, and more. This may allow individuals to be identified when the data is combined. The following tables show the data observed on our test device.
Collected Data sent out in JSON format
Google Play considers the list of installed apps to be personal and sensitive user data and requires a special permission declaration to get it. Users with Android 11 and above are more protected against apps attempting to gather all installed apps. However, even with the recent version of Android, we found that around 10% of the apps with Goldoson have the permission “QUERY_ALL_PACKAGES” that allows them to access app information.
Likewise, with Android 6.0 or higher, users may be asked for permissions such as Location, Storage, or Camera at runtime. If user allows the location permission, the app can access not only GPS data but also Wi-Fi and Bluetooth device information nearby. Based on BSSID (Basic Service Set Identifier) and RSSI (Received Signal Strength Indicator), the application can determine the location of the device more accurately than GPS, especially indoors.
A demo of runtime permission request
The infected applications come from various Android application stores. More than 100 million downloads have been tracked through Google Play. After that, ONE store, Korea’s leading app store, follows with about 8 million installations.
As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information. McAfee Mobile Security products can also help detect threats and protect you from not only malware but also unwanted programs. For more information, visit our McAfee Mobile Security.
bhuroid.com
enestcon.com
htyyed.com
discess.net
gadlito.com
gerfane.com
visceun.com
onanico.net
methinno.net
goldoson.net
dalefs.com
openwor.com
thervide.net
soildonutkiel.com
treffaas.com
sorrowdeepkold.com
hjorsjopa.com
dggerys.com
ridinra.com
necktro.com
fuerob.com
phyerh.net
ojiskorp.net
rouperdo.net
tiffyre.net
superdonaldkood.com
soridok2kpop.com
Package Name
Application Name
GooglePlay Downloads
GP
Status
com.lottemembers.android
L.POINT with L.PAY
10M+
Updated*
com.Monthly23.SwipeBrickBreaker
Swipe Brick Breaker
10M+
Removed**
com.realbyteapps.moneymanagerfree
Money Manager Expense & Budget
10M+
Updated*
com.skt.tmap.ku
TMAP – 대리,주차,전기차 충전,킥보 …
10M+
Updated*
kr.co.lottecinema.lcm
롯데시네마
10M+
Updated*
com.ktmusic.geniemusic
지니뮤직 – genie
10M+
Updated*
com.cultureland.ver2
컬쳐랜드[컬쳐캐쉬]
5M+
Updated*
com.gretech.gomplayerko
GOM Player
5M+
Updated*
com.megabox.mop
메가박스(Megabox)
5M+
Removed**
kr.co.psynet
LIVE Score, Real-Time Score
5M+
Updated*
sixclk.newpiki
Pikicast
5M+
Removed**
com.appsnine.compass
Compass 9: Smart Compass
1M+
Removed**
com.gomtv.gomaudio
GOM Audio – Music, Sync lyrics
1M+
Updated*
com.gretech.gomtv
곰TV – All About Video
1M+
Updated*
com.guninnuri.guninday
전역일 계산기 디데이 곰신톡–군인 …
1M+
Updated*
com.itemmania.imiapp
아이템매니아 – 게임 아이템 거래 …
1M+
Removed**
com.lotteworld.android.lottemagicpass
LOTTE WORLD Magicpass
1M+
Updated*
com.Monthly23.BounceBrickBreaker
Bounce Brick Breaker
1M+
Removed**
com.Monthly23.InfiniteSlice
Infinite Slice
1M+
Removed**
com.pump.noraebang
나홀로 노래방–쉽게 찾아 이용하는 …
1M+
Updated*
com.somcloud.somnote
SomNote – Beautiful note app
1M+
Removed**
com.whitecrow.metroid
Korea Subway Info : Metroid
1M+
Updated*
kr.co.GoodTVBible
GOODTV다번역성경찬송
1M+
Removed**
kr.co.happymobile.happyscreen
해피스크린 – 해피포인트를 모으 …
1M+
Updated*
kr.co.rinasoft.howuse
UBhind: Mobile Tracker Manager
1M+
Removed**
mafu.driving.free
스피드 운전면허 필기시험 …
1M+
Removed**
com.wtwoo.girlsinger.worldcup
이상형 월드컵
500K+
Updated*
kr.ac.fspmobile.cu
CU편의점택배
500K+
Removed**
com.appsnine.audiorecorder
스마트 녹음기 : 음성 녹음기
100K+
Removed**
com.camera.catmera
캣메라 [순정 무음카메라]
100K+
Removed**
com.cultureland.plus
컬쳐플러스:컬쳐랜드 혜택 더하기 …
100K+
Updated*
com.dkworks.simple_air
창문닫아요(미세/초미세먼지/WHO …
100K+
Removed**
com.lotteworld.ticket.seoulsky
롯데월드타워 서울스카이
100K+
Updated*
com.Monthly23.LevelUpSnakeBall
Snake Ball Lover
100K+
Removed**
com.nmp.playgeto
게토(geto) – PC방 게이머 필수 앱
100K+
Removed**
com.note.app.memorymemo
기억메모 – 심플해서 더 좋은 메모장
100K+
Removed**
com.player.pb.stream
풀빵 : 광고 없는 유튜브 영상 …
100K+
Removed**
com.realbyteapps.moneya
Money Manager (Remove Ads)
100K+
Updated*
com.wishpoke.fanciticon
Inssaticon – Cute Emoticons, K
100K+
Removed**
marifish.elder815.ecloud
클라우드런처
100K+
Updated*
com.dtryx.scinema
작은영화관
50K+
Updated*
com.kcld.ticketoffice
매표소–뮤지컬문화공연 예매& …
50K+
Updated*
com.lotteworld.ticket.aquarium
롯데월드 아쿠아리움
50K+
Updated*
com.lotteworld.ticket.waterpark
롯데 워터파크
50K+
Updated*
com.skt.skaf.l001mtm091
T map for KT, LGU+
50K+
Removed**
org.howcompany.randomnumber
숫자 뽑기
50K+
Updated*
com.aog.loader
로더(Loader) – 효과음 다운로드 앱
10K+
Removed**
com.gomtv.gomaudio.pro
GOM Audio Plus – Music, Sync l
10K+
Updated*
com.NineGames.SwipeBrickBreaker2
Swipe Brick Breaker 2
10K+
Removed**
com.notice.safehome
안심해 – 안심귀가 프로젝트
10K+
Removed**
kr.thepay.chuncheon
불러봄내 – 춘천시민을 위한 공공 …
10K+
Removed**
com.curation.fantaholic
판타홀릭 – 아이돌 SNS 앱
5K+
Removed**
com.dtryx.cinecube
씨네큐브
5K+
Updated*
com.p2e.tia.tnt
TNT
5K+
Removed**
com.health.bestcare
베스트케어–위험한 전자기장, …
1K+
Removed**
com.ninegames.solitaire
InfinitySolitaire
1K+
Removed**
com.notice.newsafe
안심해 : 안심지도
1K+
Removed**
com.notii.cashnote
노티아이 for 소상공인
1K+
Removed**
com.tdi.dataone
TDI News – 최초 데이터 뉴스 앱 …
1K+
Removed**
com.ting.eyesting
눈팅 – 여자들의 커뮤니티
500+
Removed**
com.ting.tingsearch
팅서치 TingSearch
50+
Removed**
com.celeb.tube.krieshachu
츄스틱 : 크리샤츄 Fantastic
50+
Removed**
com.player.yeonhagoogokka
연하구곡
10+
Removed**
* Updated means that the recent application on Google Play does not contain the malicious library.
** Removed means the application is not available on Google Play as of the time of posting.
The post Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea appeared first on McAfee Blog.
Xuewei Feng, Chuanpu Fu, Qi Li, Kun Sun, and Ke Xu discovered that the TCP
implementation in the Linux kernel did not properly handle IPID assignment.
A remote attacker could use this to cause a denial of service (connection
termination) or inject forged data. (CVE-2020-36516)
Ke Sun, Alyssa Milburn, Henrique Kawakami, Emma Benoit, Igor Chervatyuk,
Lisa Aichele, and Thais Moreira Hamasaki discovered that the Spectre
Variant 2 mitigations for AMD processors on Linux were insufficient in some
situations. A local attacker could possibly use this to expose sensitive
information. (CVE-2021-26401)
Jürgen Groß discovered that the Xen subsystem within the Linux kernel did
not adequately limit the number of events driver domains (unprivileged PV
backends) could send to other guest VMs. An attacker in a driver domain
could use this to cause a denial of service in other guest VMs.
(CVE-2021-28711, CVE-2021-28712, CVE-2021-28713)
Wolfgang Frisch discovered that the ext4 file system implementation in the
Linux kernel contained an integer overflow when handling metadata inode
extents. An attacker could use this to construct a malicious ext4 file
system image that, when mounted, could cause a denial of service (system
crash). (CVE-2021-3428)
It was discovered that the IEEE 802.15.4 wireless network subsystem in the
Linux kernel did not properly handle certain error conditions, leading to a
null pointer dereference vulnerability. A local attacker could possibly use
this to cause a denial of service (system crash). (CVE-2021-3659)
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
Alois Wohlschlager discovered that the overlay file system in the Linux
kernel did not restrict private clones in some situations. An attacker
could use this to expose sensitive information. (CVE-2021-3732)
It was discovered that the SCTP protocol implementation in the Linux kernel
did not properly verify VTAGs in some situations. A remote attacker could
possibly use this to cause a denial of service (connection disassociation).
(CVE-2021-3772)
It was discovered that the btrfs file system implementation in the Linux
kernel did not properly handle locking in certain error conditions. A local
attacker could use this to cause a denial of service (kernel deadlock).
(CVE-2021-4149)
Jann Horn discovered that the socket subsystem in the Linux kernel
contained a race condition when handling listen() and connect() operations,
leading to a read-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly expose sensitive
information. (CVE-2021-4203)
It was discovered that the file system quotas implementation in the Linux
kernel did not properly validate the quota block number. An attacker could
use this to construct a malicious file system image that, when mounted and
operated on, could cause a denial of service (system crash).
(CVE-2021-45868)
Zhihua Yao discovered that the MOXART SD/MMC driver in the Linux kernel did
not properly handle device removal, leading to a use-after-free
vulnerability. A physically proximate attacker could possibly use this to
cause a denial of service (system crash). (CVE-2022-0487)
It was discovered that the block layer subsystem in the Linux kernel did
not properly initialize memory in some situations. A privileged local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2022-0494)
It was discovered that the UDF file system implementation in the Linux
kernel could attempt to dereference a null pointer in some situations. An
attacker could use this to construct a malicious UDF image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2022-0617)
David Bouman discovered that the netfilter subsystem in the Linux kernel
did not initialize memory in some situations. A local attacker could use
this to expose sensitive information (kernel memory). (CVE-2022-1016)
It was discovered that the implementation of the 6pack and mkiss protocols
in the Linux kernel did not handle detach events properly in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash).
(CVE-2022-1195)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel, leading to use-after-free
vulnerabilities. A local attacker could possibly use this to cause a denial
of service (system crash). (CVE-2022-1205)
It was discovered that the tty subsystem in the Linux kernel contained a
race condition in certain situations, leading to an out-of-bounds read
vulnerability. A local attacker could possibly use this to cause a denial
of service (system crash) or expose sensitive information. (CVE-2022-1462)
It was discovered that the implementation of X.25 network protocols in the
Linux kernel did not terminate link layer sessions properly. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-1516)
Duoming Zhou discovered a race condition in the NFC subsystem in the Linux
kernel, leading to a use-after-free vulnerability. A privileged local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-1974)
Duoming Zhou discovered that the NFC subsystem in the Linux kernel did not
properly prevent context switches from occurring during certain atomic
context operations. A privileged local attacker could use this to cause a
denial of service (system crash). (CVE-2022-1975)
It was discovered that the HID subsystem in the Linux kernel did not
properly validate inputs in certain conditions. A local attacker with
physical access could plug in a specially crafted USB device to expose
sensitive information. (CVE-2022-20132)
It was discovered that the device-mapper verity (dm-verity) driver in the
Linux kernel did not properly verify targets being loaded into the device-
mapper table. A privileged attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-20572,
CVE-2022-2503)
Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel’s Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)
Zheyu Ma discovered that the Silicon Motion SM712 framebuffer driver in the
Linux kernel did not properly handle very small reads. A local attacker
could use this to cause a denial of service (system crash). (CVE-2022-2380)
David Leadbeater discovered that the netfilter IRC protocol tracking
implementation in the Linux Kernel incorrectly handled certain message
payloads in some situations. A remote attacker could possibly use this to
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)
Lucas Leong discovered that the LightNVM subsystem in the Linux kernel did
not properly handle data lengths in certain situations. A privileged
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-2991)
It was discovered that the Intel 740 frame buffer driver in the Linux
kernel contained a divide by zero vulnerability. A local attacker could use
this to cause a denial of service (system crash). (CVE-2022-3061)
Jiasheng Jiang discovered that the wm8350 charger driver in the Linux
kernel did not properly deallocate memory, leading to a null pointer
dereference vulnerability. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-3111)
It was discovered that the sound subsystem in the Linux kernel contained a
race condition in some situations. A local attacker could use this to cause
a denial of service (system crash). (CVE-2022-3303)
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform bounds checking in some situations. A
physically proximate attacker could use this to craft a malicious USB
device that when inserted, could cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-3628)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
It was discovered that the NILFS2 file system implementation in the Linux
kernel did not properly deallocate memory in certain error conditions. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2022-3646)
It was discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a reference counting error. A local attacker could
use this to cause a denial of service (system crash). (CVE-2022-36879)
It was discovered that the infrared transceiver USB driver did not properly
handle USB control messages. A local attacker with physical access could
plug in a specially crafted USB device to cause a denial of service (memory
exhaustion). (CVE-2022-3903)
Jann Horn discovered a race condition existed in the Linux kernel when
unmapping VMAs in certain situations, resulting in possible use-after-free
vulnerabilities. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-39188)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that a race condition existed in the SMSC UFX USB driver
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A physically proximate attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41849)
It was discovered that a race condition existed in the Roccat HID driver in
the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-41850)
It was discovered that the USB core subsystem in the Linux kernel did not
properly handle nested reset events. A local attacker with physical access
could plug in a specially crafted USB device to cause a denial of service
(kernel deadlock). (CVE-2022-4662)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)
Mingi Cho discovered that the netfilter subsystem in the Linux kernel did
not properly initialize a data structure, leading to a null pointer
dereference vulnerability. An attacker could use this to cause a denial of
service (system crash). (CVE-2023-1095)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2023-26607)
Duoming Zhou discovered that a race condition existed in the infrared
receiver/transceiver driver in the Linux kernel, leading to a use-after-
free vulnerability. A privileged attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-1118)
Microsoft patched over 100 vulnerabilities this week in its products, including a zero-day privilege escalation flaw used in the wild by a ransomware gang. However, another critical vulnerability that can be easily exploited to take over Windows systems remotely over local networks and the internet is likely to be of more interest to attackers and see widespread exploitation in the future.
Dubbed QueueJumper and tracked as CVE-2023-21554, the flaw was discovered by researchers from security firm Check Point Software Technologies and is rated 9.8 out of 10 on the CVSS severity scale. Microsoft’s own advisory lists the attack complexity as low and the exploitability assessment as more likely. The impact is remote code execution.
dr_libs-0^20230324git4b3d078-0.1.fc37
Update to 4b3d078 (dr_wav 0.13.8): fix a possible null-pointer dereference and a crash when loading files with badly-formed metadata.
This week, Google launched a free API service that provides software developers with dependency data and security-related information on over 5 million software components across different programming languages. Today, the company also announced the general availability of its Assured Open Source Software (Assured OSS) service, which provides development teams with a Google-curated repository of security-tested packages for Python and Java.
Both services are part of Google’s efforts to reduce the software supply chain risks that exist in the open-source ecosystem by providing extensive security metadata, vulnerability information, and the needed information to build software bills of materials (SBOMs). One of the most common ways in which attackers can introduce malicious code into software projects is by compromising a popular open-source component or one of its many dependencies.
avahi-0.8-22.fc38
Fix possible DoS issue triggered by dbus
The guidelines aim to further the US federal government’s progress toward a zero trust approach
Kaspersky uncovered a shift in the attack’s targets and updated infection vectors in 2020
The malicious software tool is now second on the list, one spot up from February’s report
