Security Week 09: who is responsible for Android security?

A handful of news items last week concerned the security of the Android platform. The most interesting is a study of Samsung smartphone security conducted by Google's Project Zero team. In the Samsung Galaxy A50 (and possibly in other models, though this has not been verified), the manufacturer added its own code to the Linux kernel, responsible for process authentication. The Process Authenticator system is intended to improve the security of the smartphone: when applications and system services start, it verifies their digital signature.

A relatively small number of processes are checked. Searching for the distinctive signature format, the researcher found only 13 of them, among them services for working with Bluetooth and Wi-Fi. The Google expert built a scenario in which the Process Authenticator system is invoked to "check" a malicious application, and a number of vulnerabilities in the Samsung code then allow privilege escalation. As an example, reading data from the database of accounts authorized on the phone is shown. The conclusion is this: modifying the kernel supplied by the upstream provider (that is, Google) is not always a good idea. And here an entirely technical article moves into the realm of politics and raises the topic of interaction between participants in the Android ecosystem: who should be responsible for the security of the software, and should smartphone manufacturers restrict their code modifications for the sake of that very security?

At any rate, the media interpreted this study as a polite request from Google not to interfere with the code. In the study it is formulated as follows: do not touch the kernel at all, and ideally use safe kernel interaction techniques when writing device drivers. It also gives another example of imperfect (to put it mildly) cooperation between a particular vendor and the Android developer. In September 2018, a bug was discovered in the Linux kernel and fixed fairly soon, but the patch did not reach a specific Samsung phone with the security updates of November 2019 (it was fixed only with the February update this year). That is, Samsung had the information and a patch was available, but for some reason (possibly a conflict between the patch and the manufacturer's own code) it was not applied.

This interesting study shows in detail how fragmentation of the Android platform works and how it affects security both directly (updates arrive late) and indirectly (custom code is added, which in itself may be vulnerable). Nevertheless, the solution to this problem, like an assessment of its seriousness, is no longer a technical discussion but rather a matter of balancing the interests of all parties.

The Android ecosystem's traditional problem is malicious apps getting into the official Play Store. Check Point Research recently found nine applications in the store carrying a new kind of malicious code, known as Haken. It spies on users and subscribes them to paid services. In January, Google removed 17 thousand applications using the malicious Joker platform from the Play Store: the code was well hidden, and the programs successfully passed review before publication. Last week, Google removed more than 600 apps for annoying ads.

What else happened:
Another critical vulnerability in a WordPress plugin. The Duplicator add-on for backup and site migration can be used to download arbitrary files from the server without authorization, including, for example, the database of user logins and passwords.

Adobe released an out-of-band update that closes two critical vulnerabilities in After Effects. An unexpected target for an emergency update, but the vulnerabilities are serious: a specially crafted file for this program can be used to execute arbitrary code.

Fresh data leaks: the MGM Resorts customer database has surfaced on a hacker forum. More than 10 million records contain information on visitors to the MGM Grand Las Vegas casino. Personal and contact information, but not payment data, became publicly available. Among the victims, as one would expect, are many celebrities.

An interesting study of the BlueKeep vulnerability in Windows-based medical technology. This bug in the Remote Desktop Protocol was closed a year ago, but according to CyberMDX, more than half of Windows-based medical devices run on versions of the OS that have not been updated.

Amazon Ring has introduced two-factor authentication for its camera users. The change is a response to a large number of attacks on weak (or reused) user passwords, as a result of which attackers gained access to video feeds and could even contact victims directly. In December, several such break-ins were also reported in the mainstream media.

Eclypsium research raises the issue of verifying firmware updates for various devices, including, for example, touchpads and Wi-Fi modules in Lenovo, HP, and Dell laptops. The lack of a digital signature theoretically means that such a module can be flashed without the user's knowledge, bypassing the standard update delivery mechanism, and malicious functionality can be added to the code at the same time.
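To make the point about signatures concrete, here is an added example (not Eclypsium's code and not any vendor's real update format) of the gate a flashing tool or an on-device update handler should apply: an image is written to flash only if the signature appended to it verifies under a public key pinned on the device. The image layout (payload followed by a 64-byte Ed25519 signature), the function names and the sample payload are all assumptions constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed image layout (constructed for this example, not a real vendor format):
//   [payload bytes ...][64-byte Ed25519 signature over the payload]
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort = errors.New("firmware image is shorter than a signature: unsigned or truncated")
	ErrBadSig   = errors.New("firmware signature does not verify under the pinned vendor key")
)

// SignFirmware appends a signature to a payload. This is the vendor build
// pipeline's job; the private key never exists on the device.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	out := make([]byte, 0, len(payload)+sigLen)
	out = append(out, payload...)
	return append(out, sig...)
}

// VerifyFirmware is the check run before anything is written: it returns the
// payload only if the trailing signature verifies under the pinned public key.
func VerifyFirmware(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < sigLen {
		return nil, ErrTooShort
	}
	payload, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSig
	}
	return payload, nil
}

// FlashIfVerified models the gate itself: the flash routine is reached only
// for an image that passed verification. It reports whether flashing happened.
func FlashIfVerified(pub ed25519.PublicKey, image []byte, flash func([]byte)) (bool, error) {
	payload, err := VerifyFirmware(pub, image)
	if err != nil {
		return false, err
	}
	flash(payload)
	return true, nil
}

func main() {
	// Constructed device key pair; on a real device only pub would be present.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a touchpad or Wi-Fi module image.
	payload := []byte("TOUCHPAD-FW v1.2 (constructed sample payload)")
	flash := func(b []byte) { fmt.Printf("flashing %d bytes\n", len(b)) }

	// 1. A properly signed image is accepted.
	ok, err := FlashIfVerified(pub, SignFirmware(priv, payload), flash)
	fmt.Println("signed image:", ok, err)

	// 2. The same image with one byte changed is rejected: the signature
	//    covers the whole payload, so any tampering invalidates it.
	tampered := SignFirmware(priv, payload)
	tampered[0] ^= 0x01
	ok, err = FlashIfVerified(pub, tampered, flash)
	fmt.Println("tampered image:", ok, err)

	// 3. A bare payload with no signature at all is rejected as well.
	ok, err = FlashIfVerified(pub, payload, flash)
	fmt.Println("unsigned image:", ok, err)
}
```

The design point is that the signature check sits in front of the flash routine rather than being a separate, optional step: an update delivered outside the vendor's channel, or modified in transit, has no valid signature and therefore never reaches the hardware.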
