5 steps to secure your connected devices (WeLiveSecurity): As we steadily adopt smart devices into our lives, we shouldn’t forget about keeping them secured and our data protected

Posted by Kylie McRoberts, Program Manager and Alec Guertin, Security Engineer


Google’s Android Security & Privacy team has launched the Android Partner Vulnerability Initiative (APVI) to manage security issues specific to Android OEMs. The APVI is designed to drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners.

Another layer of security

Android incorporates industry-leading security features, and every day we work with developers and device implementers to keep the Android platform and ecosystem safe. As part of that effort, we run a range of programs through which security researchers can report the issues they find. For example, vulnerabilities in Android code can be reported via the Android Security Rewards Program (ASR), and vulnerabilities in popular third-party Android apps through the Google Play Security Rewards Program. Fixes for ASR-reported issues in Android Open Source Project (AOSP) code are published through the Android Security Bulletins (ASB); these are issues that could affect all Android-based devices, and every Android partner must adopt the ASB changes in order to declare the current month’s Android security patch level (SPL). Until recently, however, we had no clear process for Google-discovered security issues outside AOSP code that are unique to a much smaller set of specific Android OEMs. The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs.

Improving Android OEM device security

The APVI covers Google-discovered issues that could affect the security posture of an Android device or its user, and is aligned with ISO/IEC 29147:2018 (Information technology — Security techniques — Vulnerability disclosure). It covers a wide range of issues in device code that Google does not service or maintain; issues in code that Google does maintain continue to be handled through the Android Security Bulletins.

Protecting Android users

The APVI has already processed a number of security issues, improving user protection against permission bypasses, code execution in the kernel, credential leaks and the generation of unencrypted backups. Below are a few examples of what we found, the impact, and the OEMs’ remediation efforts.

Permission Bypass

In some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app. The service ran as the system user and required no permission to access; instead it checked for knowledge of a hardcoded password, which anyone with a copy of the firmware could extract. The operations available varied across versions, but always included sensitive APIs such as silently installing/uninstalling APKs, enabling/disabling apps and granting app permissions. The service appeared in the code base for many device builds across many OEMs; however, it was not always registered or exposed to apps. We worked with the impacted OEMs to make them aware of this security issue and provided guidance on how to remove or disable the affected code.
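As an added illustration (not the OTA vendor's code, which is not reproduced in this post), here is the pattern described above in a hypothetical framework service, OtaHelperService, exposed through a hypothetical AIDL interface IOtaHelper: the password gate as found, next to two ways of tying the same operation to the caller's identity instead. The secret string, the method names and the empty doSilentInstall body are placeholders constructed for the example.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;
import android.os.RemoteException;

/** Hypothetical framework service registered in system_server (runs as uid 1000). */
public final class OtaHelperService extends IOtaHelper.Stub {
    private static final String TAG = "OtaHelperService";
    private final Context mContext;

    public OtaHelperService(Context context) {
        mContext = context;
    }

    // ---- The pattern as found --------------------------------------------
    // A string constant compiled into the framework is not a secret: anyone who
    // pulls framework.jar from the device, or decompiles the OTA app, has it.
    private static final String SECRET = "ota-helper-2019"; // constructed placeholder

    /** VULNERABLE: no permission and no caller check; any app with the string wins. */
    public void installPackageWithPassword(String password, String apkPath)
            throws RemoteException {
        if (!SECRET.equals(password)) {
            throw new SecurityException("bad password");
        }
        doSilentInstall(apkPath); // executes with system's identity
    }

    // ---- How the same API should be gated --------------------------------
    /**
     * HARDENED (1): reuse the platform permission that already guards this
     * operation. INSTALL_PACKAGES is signature|privileged, so only
     * platform-signed packages and privileged apps allow-listed for it pass.
     * enforceCallingPermission (not the ...OrSelf variant) checks the Binder
     * caller even when the call is made from inside system_server.
     */
    public void installPackage(String apkPath) throws RemoteException {
        mContext.enforceCallingPermission(
                android.Manifest.permission.INSTALL_PACKAGES, TAG);
        doSilentInstall(apkPath);
    }

    /**
     * HARDENED (2): when the API really is meant for one partner app, bind it
     * to that app's signing identity. checkSignatures compares the caller's
     * certificates with the platform's (uid 1000), so a repackaged or
     * third-party APK that merely knows a string fails here.
     */
    public void installPackageFromPlatformApp(String apkPath) throws RemoteException {
        int callerUid = Binder.getCallingUid();
        if (callerUid != Process.SYSTEM_UID
                && mContext.getPackageManager().checkSignatures(callerUid, Process.SYSTEM_UID)
                        != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("uid " + callerUid + " is not platform-signed");
        }
        doSilentInstall(apkPath);
    }

    private void doSilentInstall(String apkPath) {
        // PackageInstaller session handling omitted; it is not relevant to the check.
    }
}
```

The point of the contrast is that a password only proves knowledge of a constant that ships with the firmware, whereas a permission or signature check proves who the Binder caller is. Because the post notes the service was not always registered, the quick triage on a given build is `adb shell service list`, which prints every service name registered with servicemanager; a class that exists in framework.jar but never appears there is not reachable from apps.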

Credential Leak

A popular web browser pre-installed on many devices included a built-in password manager for sites visited by the user. The interface for this feature was exposed to the WebView through JavaScript loaded into the context of every web page, so a malicious site could have read the full contents of the user’s credential store. The credentials were encrypted at rest, but with a weak algorithm (DES) and a known, hardcoded key, so the encryption offered no real protection. The issue was reported to the developer, and updates for the app were issued to users.

Overly-Privileged Apps

The checkUidPermission method in the PackageManagerService class was modified in the framework code of some devices to grant certain apps special access to permissions. In one version, the method granted apps with the shared user ID com.google.uid.shared any permission they requested, and apps signed with the same key as the com.google.android.gsf package any permission declared in their manifest, whether or not it had actually been granted. Another version of the modification allowed apps matching a list of package names and signatures to pass runtime permission checks even if the permission was not in their manifest. These issues have been fixed by the OEMs.
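An added, deliberately simplified model (not AOSP code and not the OEM patches themselves) of where the two modifications described above sit relative to the real check: the unmodified rule consults only what was granted, while both modifications return PERMISSION_GRANTED before that rule is ever reached. The App record, the signer digests, the allow-list entry and the sample apps in main are all constructed for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/** Constructed stand-in for the per-package state PackageManagerService consults. */
final class App {
    final String pkg, sharedUserId, signerSha256;
    final Set<String> manifestPerms; // <uses-permission> entries in the manifest
    final Set<String> grantedPerms;  // what install-time policy and the user actually granted

    App(String pkg, String sharedUserId, String signer, Set<String> manifest, Set<String> granted) {
        this.pkg = pkg; this.sharedUserId = sharedUserId; this.signerSha256 = signer;
        this.manifestPerms = manifest; this.grantedPerms = granted;
    }
}

final class PermissionCheck {
    static final int PERMISSION_GRANTED = 0, PERMISSION_DENIED = -1;

    /** Unmodified rule: a permission is held only if it was actually granted. */
    static int checkUidPermission(App app, String perm) {
        return app.grantedPerms.contains(perm) ? PERMISSION_GRANTED : PERMISSION_DENIED;
    }

    // --- Modification #1, shaped like the first version described above ----
    static final String GSF_SIGNER = "sha256:gsf-signer-placeholder"; // constructed
    static int checkUidPermissionMod1(App app, String perm) {
        if ("com.google.uid.shared".equals(app.sharedUserId)) {
            return PERMISSION_GRANTED; // any permission at all, declared or not
        }
        if (GSF_SIGNER.equals(app.signerSha256) && app.manifestPerms.contains(perm)) {
            return PERMISSION_GRANTED; // declared is treated as granted: no user prompt
        }
        return checkUidPermission(app, perm);
    }

    // --- Modification #2: package + signer allow-list skips runtime checks ---
    static final List<String[]> ALLOW = Arrays.asList(
            new String[] {"com.example.oem.agent", "sha256:oem-signer-placeholder"}); // constructed
    static int checkUidPermissionMod2(App app, String perm) {
        for (String[] e : ALLOW) {
            if (e[0].equals(app.pkg) && e[1].equals(app.signerSha256)) {
                return PERMISSION_GRANTED; // even when perm is absent from the manifest
            }
        }
        return checkUidPermission(app, perm);
    }

    public static void main(String[] args) {
        String cam = "android.permission.CAMERA";
        // Constructed apps: neither declares nor was granted CAMERA.
        App shared = new App("com.example.any", "com.google.uid.shared", "sha256:other",
                Set.of(), Set.of());
        App agent = new App("com.example.oem.agent", null, "sha256:oem-signer-placeholder",
                Set.of(), Set.of());
        System.out.println("unmodified, shared-uid app: " + checkUidPermission(shared, cam));
        System.out.println("mod #1,     shared-uid app: " + checkUidPermissionMod1(shared, cam));
        System.out.println("mod #2,     allow-listed:   " + checkUidPermissionMod2(agent, cam));
    }
}
```

The practical caveat for anyone auditing an OEM build: because these modifications answer the check without touching the grant state, `adb shell dumpsys package <pkg>` still reports the app as not holding the permission, so the device's own reporting will not reveal them. Spotting this class of issue means comparing the device's services.jar against the AOSP source for the same release and reading the diff in checkUidPermission and the code it delegates to.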

More information

Keep an eye out at https://bugs.chromium.org/p/apvi/ for future disclosures of Google-discovered security issues under this program, or find more information there on issues that have already been disclosed.

Acknowledgements: Scott Roberts, Shailesh Saini and Łukasz Siewierski, Android Security and Privacy Team

Week in security with Tony Anscombe (WeLiveSecurity): ESET research unearths a previously unknown espionage gang and a new version of Android spyware – Elucidating connections between Latin American banking trojans

XDSpy: Stealing government secrets since 2011 (WeLiveSecurity): ESET researchers uncover a new APT group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011

Cyber Security Awareness Month is here! (WeLiveSecurity): A month teaching us that when everyone pitches in and does their part, then almost everyone is protected

LATAM financial cybercrime: Competitors‑in‑crime sharing TTPs (WeLiveSecurity): ESET researchers discover surprisingly many indicators of close cooperation among Latin American banking trojans’ authors

Microsoft 365 services back online after hours‑long outage (WeLiveSecurity): Microsoft resolves a service disruption that affected Office 365, Outlook.com, Teams and other cloud-based services

APT‑C‑23 group evolves its Android spyware (WeLiveSecurity): ESET researchers uncover a new version of Android spyware used by the APT-C-23 threat group against targets in the Middle East

FBI, CISA warn of disinformation campaigns about hacked voting systems (WeLiveSecurity): Threat actors may spread false claims about compromised voting systems in order to undermine confidence in the electoral process

Week in security with Tony Anscombe (WeLiveSecurity): Bug let hijack Firefox browsers on other phones over Wi-Fi – NIST’s new tool to help firms understand why staff fall for phishing – Almost 200 arrested in dark web crackdown