Kategorie

Posted by Eugene Liderman and Sara N-Marandi, Android Security and Privacy Team

Every year at I/O we share the latest on privacy and security features on Android. But we know some users like to go a level deeper in understanding how we’re making the latest release safer, and more private, while continuing to offer a seamless experience. So let’s dig into the tools we’re building to better secure your data, enhance your privacy and increase trust in the apps and experiences on your devices.

Low latency, frictionless security

Regardless of whether a smartphone is used for consumer or enterprise purposes, attestation is a key underpinning to ensure the integrity of the device and apps running on the device. Fundamentally, key attestation lets a developer bind a secret or designate data to a device. This is a strong assertion: "same user, same device" as long as the key is available, a cryptographic assertion of integrity can be made.

With Android 13 we have migrated to a new model for the provisioning of attestation keys to Android devices which is known as Remote Key Provisioning (RKP). This new approach will strengthen device security by eliminating factory provisioning errors and providing key vulnerability recovery by moving to an architecture where Google takes more responsibility in the certificate management lifecycle for these attestation keys. You can learn more about RKP here.

We’re also making even more modules updatable directly through Google Play System Updates so we can automatically upgrade more system components and fix bugs, seamlessly, without you having to worry about it. We now have more than 30 components in Android that can be automatically updated through Google Play, including new modules in Android 13 for Bluetooth and ultra-wideband (UWB).

Last year we talked about how the majority of vulnerabilities in major operating systems are caused by undefined behavior in programming languages like C/C++. Rust is an alternative language that provides the efficiency and flexibility required in advanced systems programming (OS, networking) but Rust comes with the added boost of memory safety. We are happy to report that Rust is being adopted in security critical parts of Android, such as our key management components and networking stacks.

Hardening the platform doesn’t just stop with continual improvements with memory safety and expansion of anti-exploitation techniques. It also includes hardening our API surfaces to provide a more secure experience to our end users.

In Android 13 we implemented numerous enhancements to help mitigate potential vulnerabilities that app developers may inadvertently introduce. This includes making runtime receivers safer by allowing developers to specify whether a particular broadcast receiver in their app should be exported and visible to other apps on the device. On top of this, intent filters block non-matching intents which further hardens the app and its components.

For enterprise customers who need to meet certain security certification requirements, we’ve updated our security logging reporting to add more coverage and consolidate security logs in one location. This is helpful for companies that need to meet standards like Common Criteria and is useful for partners such as management solutions providers who can review all security-related logs in one place.

Privacy on your terms

Android 13 brings developers more ways to build privacy-centric apps. Apps can now implement a new Photo picker that allows the user to select the exact photos or videos they want to share without having to give another app access to their media library.

With Android 13, we’re also reducing the number of apps that require your location to function using the nearby devices permission introduced last year. For example, you won’t have to turn on location to enable Wi-fi for certain apps and situations. We’ve also changed how storage works, requiring developers to ask for separate permissions to access audio, image and video files.

Previously, we’ve limited apps from accessing your clipboard in the background and alerted you when an app accessed it. With Android 13, we’re automatically deleting your clipboard history after a short period so apps are blocked from seeing old copied information.

In Android 11, we began automatically resetting permissions for apps you haven’t used for an extended period of time, and have since expanded the feature to devices running Android 6 and above. Since then, we’ve automatically reset over 5 billion permissions.

In Android 13, app makers can go above and beyond in removing permissions even more proactively on behalf of their users. Developers will be able to provide even more privacy by reducing the time their apps have access to unneeded permissions.

Finally, we know notifications are critical for many apps but are not always of equal importance to users. In Android 13, you’ll have more control over which apps you would like to get alerts from, as new apps on your device are required to ask you for permission by default before they can send you notifications.

Apps you can trust

Most app developers build their apps using a variety of software development kits (SDKs) that bundle in pre-packaged functionality. While SDKs provide amazing functionality, app developers typically have little visibility or control over the SDK code or insight into their performance.

We’re working with developers to make their apps more secure with a new Google Play SDK Index that helps them see SDK safety and reliability signals before they build the code into their apps. This ensures we're helping everyone build a more secure and private app ecosystem.

Last month, we also started rolling out a new Data safety section in Google Play to help you understand how apps plan to collect, share, and protect your data, before you install it. To instill even more trust in Play apps, we're enabling developers to have their apps independently validated against OWASP’s MASVS, a globally recognized standard for mobile app security.

We’re working with a small group of developers and authorized lab partners to evolve the program. Developers who have completed this independent validation can showcase this on their Data safety section.

Additional mobile security and safety

Just like our anti-malware protection Google Play, which now scans 125 billion apps a day, we believe spam and phishing detection should be built in. We’re proud to announce that in a recent analyst report, Messages was the highest rated built-in messaging app for anti-phishing and scams protection.

Messages is now also helping to protect you against 1.5 billion spam messages per month, so you can avoid both annoying texts and attempts to access your data. These phishing attempts are increasingly how bad actors are trying to get your information, by getting you to click on a link or download an app, so we are always looking for ways to offer another line of defense.

Last year, we introduced end-to-end encryption in Messages to provide more security for your mobile conversations. Later this year, we’ll launch end-to-end encryption group conversations in beta to ensure your personal messages get even more protection.

As with a lot of features we build, we try to do it in an open and transparent way. In Android 11 we announced a new platform feature that was backed by an ISO standard to enable the use of digital IDs on a smartphone in a privacy-preserving way. When you hand over your plastic license (or other credential) to someone for verification it’s all or nothing which means they have access to your full name, date of birth, address, and other personally identifiable information (PII). The mobile version of this allows for much more fine-grained control where the end user and/or app can select exactly what to share with the verifier. In addition, the verifier must declare whether they intend to retain the data returned. In addition, you can present certain details of your credentials, such as age, without revealing your identity.

Over the last two Android releases we have been improving this API and making it easier for third-party organizations to leverage it for various digital identity use cases, such as driver’s licenses, student IDs, or corporate badges. We’re now announcing that Google Wallet uses Android Identity Credential to support digital IDs and driver’s licenses. We’re working with states in the US and governments around the world to bring digital IDs to Wallet later this year. You can learn more about all of the new enhancements in Google Wallet here.

Protected by Android

We don’t think your security and privacy should be hard to understand and control. Later this year, we’ll begin rolling out a new destination in settings on Android 13 devices that puts all your device security and data privacy front and center.

The new Security & Privacy settings page will give you a simple, color-coded way to understand your safety status and will offer clear and actionable guidance to improve it. The page will be anchored by new action cards that notify you of critical steps you should take to address any safety risks. In addition to notifications to warn you about issues, we’ll also provide timely recommendations on how to enhance your privacy.

We know that to feel safe and in control of your data, you need to have a secure foundation you can count on. Because if your device isn’t secure, it’s not private either. We’re working hard to make sure you’re always protected by Android. Learn more about these protections on our website.

Last Friday, Microsoft announced that they have discovered a new botnet that exposes both Windows and Linux computers and web servers to new threats. The botnet, known as Sysrv-K, takes advantage of unpatched computers by installing cryptocurrency miners.

Introduction

When the war in Ukraine broke out, many analysts were surprised to discover that what was simultaneously happening in the cyber domain did not match their predictions[1]. Since the beginning of the fighting, new cyberattacks taking place in Ukraine have been identified every week, which lead to a variety of interpretations – and indeed a global feeling of confusion. In this report, we aim to provide a strategic technical assessment of our understanding of current events.

Much of the debate around the situation concerns the question of whether or not a cyberwar is taking place. However, we find this question to be entirely irrelevant. While there is no question that a high number of cyberattacks have taken place and are still taking place in the country, we recognize that the overwhelming majority of cyber events thus far have been overshadowed by the kinetic aspects of the conflict. We nevertheless do still see value in attempting to interpret the data at hand, in alignment with Kaspersky’s constant commitment to understand more about threat actors and how they are organized.

Therefore, with this article, our core aim is to share a threat landscape overview, which Kaspersky cybersecurity researchers in its Global Research and Analysis Team (GReAT) are observing in relation to the conflict, with the wider international community and thus to contribute to broader ongoing cyber-stability discussions of threat-related insights.

Overview of cyber activities

Since the beginning of the war, the international community has observed a very high number of attacks of various kinds and degrees of sophistication. These attacks include:

• Destructive attacks such as:
  • Ransomware (IsaacRansom);
  • Fake ransomware (WhisperGate);
  • Wipers (HermeticWiper, CaddyWiper, DoubleZero, IsaacWiper); and
  • ICS/OT wipers (AcidRain, Industroyer2).
• Advanced persistent threats (APTs) and campaigns focused on intelligence gathering, such as:
  • Gamaredon;
  • Hades (Sandworm);
  • PandoraBlade; and
  • UNC1151.

Focusing on the destructive attacks, we cannot help but notice that many of the malicious programs discovered showcase vastly disparate degrees of sophistication. At one end of the spectrum, HermeticWiper is an extremely well-designed piece of software, which must have required weeks of development (at least) before it was released. At the other end, programs such as IsaacWiper appear to be the product of rushed development – as if their operators had been tasked with destroying data at the eleventh hour.

Contrary to some declarations, we have not noticed any particular coordination efforts, neither between separate instances of these attacks, nor with military operations occurring at the same time (with the notable exception of AcidRain). We have also been unable to identify any particular trends in the targeting involved. Our best guess is that separate groups decided to take advantage and wreak havoc immediately after the conflict erupted.

The overall limited operational impact of such attacks could certainly be viewed as surprising when we consider that some threat actors active in the region have demonstrated highly-disruptive capabilities in the past (e.g., BlackEnergy). We can only speculate as to why such capabilities were not used since late February, but our best guess is that the attacks were not coordinated, and each such attack with a more disruptive impact typically requires more effort for careful planning and execution from the threat actors. This supposition may be given more weight by ESET’s discovery of Industroyer2 in a Ukrainian energy company: the research reports that destructive actions were planned for April 8, but that “the attack had been planned for at least two weeks”. It is safe to assume that such an attack requires careful planning and that preparations for it only started after it became clear that the war would last longer than widely expected.

In this regard, summing up the above-mentioned discussions, these are our three key takeaways:

1. Attacks observed against infrastructure in Ukraine so far appear to be uncoordinated and conducted by groups of varying technical levels;
2. While these cyber activities hint at a role cyberspace could take during a military conflict, what we have seen so far can hardly be regarded as the full extent of threat actors’ capabilities; and
3. It is likely that as a clearer perception of the scale and duration of the war emerges, the various groups will find ways of coordinating better – possibly leading to highly disruptive impacts as outlined above.

The KA-SAT event and risks of spillover

On February 24, around 04:00 UTC – around the time of the start of the Russian invasion of Ukraine – several Viasat KA-SAT modems ceased functioning due to yet another wiper attack (AcidRain). This attack is officially reported to have affected Ukrainian military communications and is unlikely to be a coincidence considering the timing. No matter who orchestrated it, this is a rare example of a cyberattack providing operational support for a physical military operation, which in itself makes it significant in terms of understanding modern warfare. It is however unclear whether this provided any brief or lasting tactical value: as far as we are aware, other means of communication (e.g., 3G, 4G) remained available in the same timeframe.

This attack also disabled the remote control of wind turbines located in Germany, raising concerns about potential spillover of the conflict into other European countries. It is unclear why routers belonging to a German customer were affected: maybe the means of distribution used to spread the malware did not allow for granular targeting, or maybe the operators made a mistake. In any case, we have little reason to believe that there was any intent to provoke adverse effects outside Ukraine.

Whenever the spillover question comes up, it is usually associated with memories of the NotPetya incident (fake-ransomware distributed through a supply-chain attack in Ukraine in 2017). It is worth pointing out that NotPetya contained self-spreading code and its uncontrollable spread was powered by a very potent Windows exploit. No such thing has been observed in any of the malware families used in Ukraine recently. As such, we estimate the risk of witnessing another NotPetya-level event as very low.

One final point of interest is whether it is likely that similar events will take place during the remainder of the conflict. It is important to understand that ICS attacks are far from trivial to organize due to the complex nature of systems they affect and the fact that such machines are typically not connected to the internet. This means that an attacker would have to breach the victim’s network first, figure out where the target appliances are located, and finally devise an attack scenario involving specific equipment it likely does not own a copy of to conduct experiments. In other words, highly-disruptive attacks require meticulous preparation that range in the order of weeks – if not months. In conclusion such attacks would only be achievable a long time from now – unless attackers already present in strategic networks chose not to leverage this access to date.

Summing up the above-mentioned discussion, our key takeaways are the following:

1. The Viasat attack is a very significant cyber event. It is hard to tell whether others will take place in the near future, but that probability increases significantly as time passes.
2. The recent Industroyer2 discovery indicates that there may be a desire among threat actors to conduct highly-disruptive attacks soon.
3. The threat campaigns observed so far have been very focused on Ukraine.
4. Any observed spillover to date should be interpreted as accidental, and the potential for uncontrolled malware spread has so far been non-existent.

Takeaways from Kaspersky for international discussions on stability in cyberspace

As we are still transitioning from one phase of the conflict to another, we expect that some of the observations outlined in this report will become less accurate. Though the various cyberattacks observed so far have been disorganized and uncoordinated, we consider that more structured activity may surface soon amid this constant background noise.

As the conflict drags on, we predict that more sophisticated threat actors will get involved and refocus their intelligence collection activities. For this reason, we advise companies all around the world to prepare for a resurgence of ransomware attacks.

Taking a broader perspective on the threat landscape these days in the light of ongoing inter-state negotiations at the UN, the international community more than ever needs to further advance the operationalization of the agreed non-binding cyber norms and confidence-building measures (CBMs), and extend them to relevant stakeholders. In particular, it is important to advance discussions on cross-border cooperation between the CERT/CSIRT community and relevant security experts to ensure that they can do their job – protecting victims of cyber incidents – despite any political or geopolitical context. And in this regard, one of the core aspects we at Kaspersky have continuously been advocating[2] for is developing effective interaction between national points of contacts (PoCs) as well as points of contacts from relevant stakeholders (such as the private sector, owners and manufacturers of ICTs, cybersecurity experts and others), which can be utilized during significant cyber events.

One of the open questions that remains for the international community is clarification on the protection of civilian infrastructure in cyberspace. In this regard, more information and transparency from states on how they interpret the application of international law and, particularly, international humanitarian law, is urgently needed to provide effective safeguards to civilian infrastructure in cyberspace. The ongoing efforts, such as those of the International Committee of the Red Cross (ICRC), to signal legal protection through digital emblems seems an important contribution in this regard.

Finally, the public core of the internet, whose security and availability is essentially vital for digitized societies and economies, needs to be discussed further and acknowledged by UN Member States and the larger international community. The current acute geopolitical tensions pose a serious risk of further fragmenting the baseline fundamental internet infrastructure, which was initially created and designed in a multistakeholder, decentralized spirit. These factors have the potential to create greater insecurity affecting many users of ICTs, and therefore, more than ever require international dialogue among all states to preserve cyberspace.

We have also previously shared our views to the UN cyber-dialogue (i.e. UN Open-Ended Working group) which can be found at the official web-page of the UN OEWG.

 

[1] For instance, https://www.politico.com/news/2022/01/28/russia-cyber-army-ukraine-00003051 or https://www.csis.org/analysis/russias-possible-invasion-ukraine

[2] Eight practical suggestions to the UN OEWG from a cybersecurity research perspective, Kaspersky’s submission in December 2021 https://documents.unoda.org/wp-content/uploads/2021/12/Kaspersky-submission-UN-OEWG_December-2021.pdf

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. "Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server," researchers from Jamf Threat

More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information.  "Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong said in a

The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit sharing arrangements. Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the

Traditional businesses migrating to the cloud need robust information security mechanisms. Gartner predicts that more than 95% of new digital workloads will continue to be deployed on cloud-native platforms by 2025. Robust cloud data security is imperative for businesses adopting rapid digital transformation to the cloud. While a traditional hosting model could be considered more secure, not all

Wireless features Bluetooth, NFC and UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.

"It's important for the industry to understand that open source development burnout is real and can have a significant impact upon those who depend on the projects they maintain. Incentivize and recognize efforts. Don't just take, but give back to the community."

Microsoft says the Sysrv botnet is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers.

Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems. The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020. "Sysrv-K scans the

You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.

Evropská unie i za současné situace nadále drží strategii digitalizovat Evropu. Posílení kybernetické bezpečnosti Evropy je klíčové, řekla v pondělí novinářům na konferenci ISSS v Hradci Králové místopředsedkyně Evropské komise Věra Jourová.

Image source: z3r00t The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw

An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot. What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the

The European Parliament announced a "provisional agreement" aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union. The revised directive, called "NIS2" (short for network and information systems), is expected to replace the existing legislation on cybersecurity that was established in July 2016. The revamp sets ground rules, requiring

A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme. Glib Oleksandr Ivanov-Tolpintsev, who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being extradited to the U.S. in September

Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome. "When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number," Google's Jen Fitzpatrick 

A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is "off." The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while