This Hack Lets You Run Any Android App on Your Chromebook

Using a small JavaScript script, the hack, which is detailed in full on GitHub, allows any regular Android APK to be packaged up and, for want of a better term, side-loaded onto a Chromebook. It can then be run under the Android App Runtime in the same way as the ‘official’ Vine, Duolingo and Evernote apps.

Restrictions mean that only one Android app can be run at a time.

To watch a YouTube video demonstration and read the full original story, follow this link to OMG Chrome.

Try It Out

If the thought of waiting for Google to partner up with the maker of your favourite app, game or utility is too much to bear, you could don your hard hat and try it out for yourself.

But be warned: it’s not a guide for the fainthearted or the technically averse. The developer behind the hack, Vladikoff, cautions that his tool is a ‘proof of concept’ and is provided without any kind of warranty or assurance. The hack is also not endorsed by Google, Chromium or Android.

To follow along you’ll need a Chromebook with the Android Runtime plugin installed, the Android Vine app (which will be replaced during the course of the guide) and an OS X or Linux desktop from which to ‘package’ your app.

Applications tested and said to be working include Twitter, both tablet and mobile modes, and Flipboard (which was demoed running on a Chromebook at Google I/O).

Other apps tested but that crash include Google Chrome for Android (!), Spotify, SoundCloud and Swing Copters.

You can find more details and a download for the script on the project’s GitHub page, linked below.

‘Run Android APKs on Chromebooks’ Guide

Chinese Marketing Firm Spreads Adware to Promote Its App Portfolio

A Chinese company that markets itself as a mobile app promoter has been cheating its clients by deploying adware to install their apps on unsuspecting victims.

The company, named NGE Mobi/Xinyinhe and active in China and Singapore, has been using popular apps, repackaged with the malicious adware code, which it distributes through unofficial Android app stores.

When users install these apps on their smartphones, the adware comes to life, collects information about the device, sends it to a C&C server, and then waits for new commands.

The adware can gain root access and boot persistence

When the server answers, the app moves to install a root backdoor and a series of system daemons that allow it to survive system reboots.

Here is where the fun begins, because once the adware is firmly implanted on the victim’s phone, it starts serving apps and ads, all from NGE Mobi/Xinyinhe’s portfolio.

As FireEye found out in their research, most of the time pornographic apps and ad interstitials are displayed on the user’s home screen, all harmless but very annoying.

Currently, the adware has been found on Android versions ranging from 2.3.4 to 5.1.1, with the most infected users in countries like Russia, China, Brazil, Argentina, Egypt, Spain, France, Germany, Sweden, Norway, Saudi Arabia, Indonesia, India, the UK, and the US.

The NGE adware campaign was first observed in August and has grown at a constant pace ever since.

The adware can be hijacked to deliver more dangerous malware

What’s even worse, as FireEye researchers point out, is that the adware’s creators were extremely careless when they put together the malicious code.

Because the C&C server communications are carried out via blind HTTP channels, a second attacker could easily intercept these transmissions.

Since the adware gains root privileges and boot persistence over all infected devices, another attacker could use this to serve much more dangerous apps compared to silly adult apps and ads.

The first example that comes to mind is when the second attacker adds infected phones to a botnet and uses them to carry out DDoS attacks. Worse scenarios are when attackers decide to go snooping through your private pictures or install ransomware on your phone.

For more information and more photos follow this link to Softpedia

Android SMS worm Selfmite returns, more aggressive than ever

A new version of an Android worm called Selfmite has the potential to ramp up huge SMS charges for victims in its attempt to spread to as many devices as possible.

The first version of Selfmite was discovered in June, but its distribution was quickly disrupted by security researchers. The worm—a rare type of malware in the Android ecosystem—spread by sending text messages with links to a malicious APK (Android Package) to the first 20 entries in the address book of every victim.

The new version, found recently and dubbed Selfmite.b, has a similar, but much more aggressive spreading system, according to researchers from security firm AdaptiveMobile. It sends text messages with rogue links to all contacts in a victim’s address book, and does this in a loop.

“According to our data, Selfmite.b is responsible for sending over 150k messages during the past 10 days from a bit more than 100 infected devices,” Denis Maslennikov, a security analyst at AdaptiveMobile said in a blog post Wednesday. “To put this into perspective that is over a hundred times more traffic generated by Selfmite.b compared to Selfmite.a.”

At an average of 1,500 text messages sent per infected device, Selfmite.b can be very costly for users whose mobile plans don’t include unlimited SMS messages. Some mobile carriers might detect the abuse and block it, but this might leave the victim unable to send legitimate text messages.

Unlike Selfmite.a, which was found mainly on devices in North America, Selfmite.b has hit victims throughout at least 16 different countries: Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela and Vietnam.

The first version of the worm used goo.gl shortened URLs in spam messages that pointed to an APK installer for the malware. Those URLs were hardcoded in the app’s code, so once they were disabled by Google, the operator of the goo.gl URL shortening service, Selfmite.a’s distribution stopped.

The worm’s authors took a different approach with the new version. They still use shortened URLs in text messages—this time generated with Go Daddy’s x.co service—but the URLs are specified in a configuration file that the worm downloads periodically from a third-party server.

“We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been deactivated,” Maslennikov said. “But the fact that the author(s) of the worm can change it remotely using a configuration file makes it harder to stop the whole infection process.”

The goal of Selfmite is to generate money for its creators through pay-per-install schemes by promoting various apps and services. The old version distributed Mobogenie, a legitimate application that allows users to synchronize their Android devices with their PCs and to download Android apps from an alternative app store.

Selfmite.b creates two icons on the device’s home screen, one to Mobogenie and one to an app called Mobo Market. However, they act as Web links and clicking on them can lead to different apps and online offers depending on the victim’s IP (Internet Protocol) address location.

Fortunately, the worm’s distribution system does not use exploits and relies only on social engineering—users would have to click on the spammed links and then manually install the downloaded APK in order for their devices to be infected. Furthermore, their devices would need to be configured to allow the installation of apps from unknown sources—anything other than Google Play—which is not the default setting in Android. This further limits the attack’s success rate.
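The spreading pattern described above (one shortened link sent to a whole address book, over and over) is also what a carrier-side check can key on. The following Python sketch is an added example, not code from AdaptiveMobile or from the worm; the record layout, the thresholds, the phone numbers and the links are all constructed assumptions.

```python
import re
from collections import defaultdict

URL = re.compile(r"https?://\S+", re.I)
SHORTENERS = {"goo.gl", "x.co"}  # the two shortening services named in the article


def find_worm_like_senders(records, min_recipients=20, min_rounds=2):
    """records: iterable of (sender, recipient, text) tuples.

    A sender is flagged when one shortened link went to at least
    min_recipients distinct numbers and at least one of those numbers got it
    min_rounds times or more, i.e. address-book fan-out repeated in a loop.
    Both thresholds are assumptions to tune against real traffic.
    """
    # (sender, link) -> recipient -> number of messages
    per_link = defaultdict(lambda: defaultdict(int))
    for sender, recipient, text in records:
        for url in URL.findall(text):
            url = url.rstrip(".,;)")
            host = url.split("/")[2].lower()
            if host in SHORTENERS:
                per_link[(sender, url)][recipient] += 1

    flagged = {}
    for (sender, link), counts in per_link.items():
        if len(counts) >= min_recipients and max(counts.values()) >= min_rounds:
            flagged[sender] = {
                "link": link,
                "recipients": len(counts),
                "messages": sum(counts.values()),
            }
    return flagged


def sample_records():
    """Constructed SMS metadata; numbers and links are placeholders."""
    contacts = ["+1555020%02d" % i for i in range(25)]
    records = []
    # Infected handset: same link to every contact, three passes over the address book.
    for _ in range(3):
        records += [("+15550100", c, "check this out http://x.co/EXAMPLE1") for c in contacts]
    # One-off share of a short link with many people: wide, but no loop.
    records += [("+15550101", c, "Party invite: http://x.co/EXAMPLE2") for c in contacts]
    # Two friends trading the same short link repeatedly: looping, but not wide.
    records += [("+15550102", "+15550200", "lol http://goo.gl/EXAMPLE3")] * 5
    # High-volume sender with a full-length URL: not a shortener, ignored here.
    records += [("+15550103", c, "Code ready at https://bank.example.test/otp") for c in contacts] * 2
    return records


if __name__ == "__main__":
    for sender, info in find_worm_like_senders(sample_records()).items():
        print(sender, info)
```

Requiring both width and repetition is what separates the looping worm from a single mass invitation; blocking on the result carries the side effect the article mentions, since the victim's legitimate texts stop too.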

Source: Network World

BlackBerry Tumblr app Trapeez available in Beta Zone

The native Tumblr app Trapeez, developed by Kisai Labs, has a beta version, version 1.5.0.0, available in BlackBerry Beta Zone.

iOS Mobile Banking Apps Vulnerable to Man in the Middle Attacks

It’s mighty convenient to load up a mobile banking app with a slick interface as opposed to logging into the website via your smartphone’s web browser, but in doing so, you may inadvertently be putting yourself at a greater risk of so-called man-in-the-middle attacks, hijack attempts, and other unfriendly behavior. A recent study suggests that mobile banking apps for iOS may be less secure than you think.

A researcher at IOActive tested 40 mobile apps from 60 of the leading banks from around the world. His various tests covered transport security, compiler protection, UIWebViews, insecure data storage, logging, and binary analysis. What he found is pretty alarming.

Some 40 percent of the audited apps did not validate the authenticity of SSL certificates presented, which makes them susceptible to man-in-the-middle attacks. Almost all of them — around 90 percent — contained several non-SSL links throughout the application. According to IOActive, this allows an attacker to intercept the traffic and inject arbitrary JavaScript and HTML code in an attempt to create a fake login prompt or some other similar scam.

The list of vulnerabilities goes on, such as half of the apps being found susceptible to JavaScript injections via insecure UIWebView implementations.

“Home banking apps that have been adapted for mobile devices, such as smartphones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions,” the report concludes.

Source: Hot Hardware

Study finds most mobile apps put your security and privacy at risk

A report from HP claims apps lack security defenses, fail to encrypt data, and compromise personal information.

The average smartphone user has 26 apps installed. If recent research conducted by HP is any indication, approximately, well, all of them, come with privacy or security concerns of some sort.

The HP study focused purely on custom business apps, but there’s no reason to believe the issue doesn’t extend to commercial apps you find in the Apple App Store or Google Play. Many apps have access to data or permission to perform functions they shouldn’t.

If you want to play a game like Angry Birds, there’s no reason that it needs to have access to your contacts, and a weather app probably doesn’t need to be able to send email on your behalf. The security risks in apps go beyond permissions, though. There are issues in how the apps integrate with core functions of the mobile operating system, as well as how they interact with and share information with one another.

In the HP study, 97 percent of the apps contained some sort of privacy issue. HP also found that 86 percent of the apps lack basic security defenses, and 75 percent fail to properly encrypt data. Assuming similar percentages across the hundreds of thousands of consumer apps in the app stores, it’s likely that you have a few security or privacy concerns floating around your smartphone or tablet.

But this isn’t about malicious apps designed to steal your data. It’s mostly a function of lazy coding. Developers write apps that access everything because it’s easier than writing more specific code, and it also paves the way for any future enhancements that might actually need it.

In a BYOD scenario these security and privacy risks are exaggerated for both the employer and the employee. In most cases, the line between business and personal is not clearly defined, and apps can easily blur that line and put both company and personal data at risk. The problem is exacerbated by the fact that apps are impulse purchases for many users, thanks to low prices and easy installation.

The mobile operating systems have improved in terms of notifying users about the permissions an app is requesting and providing the user with more control to allow or block access to specific functions. But the system still puts too much burden on the user, both to know those controls exist and how to use them, as well as to understand the implications and security concerns of the apps.

The better solution is for developers to build security and privacy into the apps from square one. Developers should be aware of the potential implications of how their apps access data and interact with other apps, and design them to be secure by default.

Via: Network World

Security experts warn against using LinkedIn app for Apple iPhone

App embeds link to an email sender's profile and could compromise security of the device

The new LinkedIn iPhone app that embeds a link to an email sender’s profile on the professional network presents a number of security risks and should not be used, experts warned.

Criticism of the app, called Intro, started soon after its release last week. The first to slam LinkedIn was security consultancy Bishop Fox, which accused the site of “hijacking email.”

Over the weekend, Jordan Wright, a security engineer at CoNetrix, said he was able to spoof Intro profile information, using a technique that a criminal could easily replicate for a phishing attack.

On Monday, Neohapsis, which does penetration testing and risk assessment for mobile apps, got into the act, saying Intro users were taking on serious risks for a “marginal convenience feature at best.”

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client,” Gene Meltser, technical director at Neohapsis Labs, said.

LinkedIn has defended Intro, saying the criticism is based on “inaccuracies and misperceptions”.

Wright’s spoofing experiment started with the interception of the security profile Intro inserts into iOS. He then found the username and password used to log into the LinkedIn service and grabbed the first email to look closely at what LinkedIn injects.

His investigation found that he could remove the Intro data and replace it with his own, thereby commandeering the Intro profile tab to show whatever information he wanted.

While his proof-of-concept would be benign to an email recipient, “it would be just as easy to attach a malicious payload, request sensitive information, etc.,” Wright said.

Fox compared Intro to a “man-in-the-middle” attack, because all messages go through LinkedIn servers and are analyzed and scraped for data “pertaining to whatever they feel like it.”

Also, pushing a security profile to the iOS device so that LinkedIn can re-route emails posed the risk of having the profile used to wipe a phone, install apps, delete apps and restrict functionality.

“You are effectively putting your trust in LinkedIn to manage your users’ device security,” Fox said.

Continue reading by clicking the source link below.

Source: NetworkWorld

Attackers can slip malicious code into many Android apps via open Wi-Fi

A vulnerability mostly affecting older versions of Google’s Android operating system may make it possible for attackers to execute malicious code on end-user smartphones that use a wide variety of apps, researchers said.

The weakness resides in a widely used programming interface known as WebView, which allows developers to embed Web-based content into apps used for banking, entertainment, and other purposes. Many apps available on the official Google Play market don’t properly secure the connection between the WebView component on a phone and the Web content being downloaded, researchers from UK-based MWR Labs recently warned. That makes it possible for attackers who are on the same open Wi-Fi network as a vulnerable user to hijack the connection and inject malicious code that can be executed by the phone.

“The lowest impact attack would be downloading contents of the SD card and the exploited application’s data directory,” the researchers wrote in an advisory published earlier this week. “However, depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.”

Researchers from several other security firms said they are also aware of the weakness, which can affect apps that run on Android versions 4.1 and earlier and don’t make proper use of the secure sockets layer (SSL) encryption protocol. Elad Shapira, a researcher with antivirus provider AVG recently demonstrated how an app that has already been given permission to access SMS capabilities (a common setting with many legitimate apps) could be hijacked by malicious JavaScript code that sends expensive text messages to premium services.

Google representatives declined to comment for this story.

Cross-device attacks

Einar Otto Stangvik, a security consultant with Indev.no, said he has identified Android banking apps used in Norway that are also open to remote-code attacks that make users more susceptible to phishing attacks. He theorized that attackers might exploit the weakness by planting malware on a target’s PC that hijacks a smartphone when both devices are connected to the same network.

“I am confident that we’ll soon see many more cross-device attacks, where a compromised computer starts targeting cell phones on the internal network,” he wrote in an e-mail to Ars. “That is what makes the JavaScript interface leak scary, along with the amount of poor uses of SSL, or worse still: no SSL at all.”

The vulnerability stems from JavaScript-based programming interfaces exposed in many Android apps. The interfaces are the code equivalent of a highly restricted bridge that links sensitive parts of Android’s Dalvik virtual machine to the Web. If the interface isn’t fully contained inside an SSL connection, it’s possible for hackers to mimic the legitimate website and, in effect, gain unauthorized access to the bridge. From there, an attacker can inject malicious JavaScript into the app. MWR Labs researchers reverse engineered the 100 most popular apps on Google Play and found 62 of them that are “potentially vulnerable” to the exploit. Potentially vulnerable apps as defined by the researchers were those apps that were developed using libraries or programming interfaces known to expose unprotected JavaScript commands to a variety of third-party ad networks under many but not all circumstances.

The reports of the weak apps come almost a year after two academic reports uncovered wide-ranging deficiencies in the cryptographic protections in smartphone software. One found that Android apps used by as many as 185 million people contained holes that leaked login credentials and other sensitive data even though they were supposed to be protected by SSL. The other revealed a variety of apps running on Android and PCs that were fooled by fraudulent SSL certificates. It’s possible that similar defects could fail to protect code exposed in WebView objects even when developers think they’re properly contained inside an SSL channel.

The good news

While the vulnerability is potentially serious, there are several limitations that minimize the damage attackers can do when exploiting vulnerable apps. Chief among them is the fact that Android’s permissions and sandboxing mechanisms prevent most Android apps from installing other apps without explicit permission from the end user. That will probably prevent the technique from being used to install malicious apps in most cases. As a backup, the “Verify Apps” setting available in all versions of Android could also be updated to stop malicious installations should attackers find a way to bypass the permissions and sandbox protections.

What’s more, Tim Wyatt, director of security engineering at smartphone security provider Lookout, said some researchers may be exaggerating the threat of attackers obtaining root privileges unless they can exploit a second, unknown vulnerability in Android’s permissions and sandbox protections.

Another mitigating factor: beginning with version 4.2 of Android, Google added new security enhancements that among other things introduced something called the @JavascriptInterface annotation. The annotation makes it easier for a developer to restrict the methods that can be called on a scriptable object. Unfortunately, it requires the developer to take explicit action to do so. If the developer fails to heed that advice, the app will remain vulnerable.

Still, while the weakness can largely be prevented in Android 4.2, users are protected only if developers of each app follow best practices. Additionally, the vast majority of users remain locked into carrier contracts that prevent them from upgrading. That means it’s up to app developers to follow best practices such as limiting the functionality exposed in JavaScript and securing communications channels for any WebView-exposing scriptable objects using SSL or its sister protocol, known as transport layer security (TLS). And as the MWR Labs researchers discovered, many widely used apps can’t be trusted to practice those common-sense guidelines.

“Exploiting this would require getting access to an exposed JavaScript object, and so in most cases, that would require hijacking content delivered by a server,” Tim Wyatt of Lookout told Ars. “It is therefore pretty critical that developers using JavaScript callbacks secure the delivery channels properly (e.g. using TLS with a proper certificate chain to prevent man-in-the-middle attacks).”
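For developers and reviewers, the conditions described in this article can be checked in an app's own source. The following Python sketch is an added example, not MWR Labs' tooling or code from the article; it is a regex heuristic rather than a Java parser, and the rule names, severities and the two Java snippets (including the `SmsBridge` class and the `example.test` host) are constructed for illustration.

```python
import re

API_ANNOTATION = 17  # Android 4.2, where @JavascriptInterface was introduced

# Regex heuristics over Java source text; a review aid, not a Java parser.
BRIDGE = re.compile(r'\.addJavascriptInterface\s*\(\s*[^,]+,\s*"([^"]+)"\s*\)')
CLEARTEXT_LOAD = re.compile(r'\.loadUrl\s*\(\s*"(http://[^"]+)"')
SSL_HANDLER = re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{(.*?)\}", re.S)


def audit_webview(source, min_sdk):
    """Return [(rule, severity, evidence)] for one app's WebView set-up code."""
    bridges = BRIDGE.findall(source)
    cleartext = CLEARTEXT_LOAD.findall(source)
    ignores_tls = any(".proceed(" in body for body in SSL_HANDLER.findall(source))

    findings = []
    if cleartext:
        findings.append(("cleartext-content", "medium", ", ".join(cleartext)))
    if ignores_tls:
        findings.append(("tls-errors-ignored", "medium", "onReceivedSslError calls proceed()"))
    if bridges and min_sdk < API_ANNOTATION:
        # Below API 17 the bridge is not limited to annotated methods.
        findings.append(("bridge-on-pre-4.2", "high", ", ".join(bridges)))
    if bridges and (cleartext or ignores_tls):
        # The article's core case: a scriptable object whose content channel
        # is not protected by TLS with a validated certificate chain.
        findings.append(("bridge-over-untrusted-channel", "critical", ", ".join(bridges)))
    return findings


# Constructed Java snippet showing the weak set-up the article describes.
VULNERABLE_SRC = """
WebView web = (WebView) findViewById(R.id.ads);
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new SmsBridge(this), "sms");
web.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.proceed();  // accepts any certificate
    }
});
web.loadUrl("http://ads.example.test/banner.html");
"""

# Constructed counterpart: HTTPS only, certificate errors abort the load.
HARDENED_SRC = """
WebView web = (WebView) findViewById(R.id.ads);
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new SmsBridge(this), "sms");  // methods carry @JavascriptInterface
web.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.cancel();
    }
});
web.loadUrl("https://ads.example.test/banner.html");
"""

if __name__ == "__main__":
    for name, src, sdk in (("vulnerable", VULNERABLE_SRC, 16), ("hardened", HARDENED_SRC, 17)):
        print(name, audit_webview(src, sdk))
```

The hardened snippet still reports `bridge-on-pre-4.2` when audited with a minimum SDK below 17, which mirrors the article's point that users stuck on Android 4.1 and earlier depend on the app limiting what the bridge exposes.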

Source: Ars Technica

New ‘BadNews’ Malware Downloaded By ‘At Least 2m Android Users’

Malware that avoided detection and made its way onto the official Google Play store has been downloaded at least 2 million times, a security firm warned today.

Google was notified of the outbreak by Lookout and all affected rogue apps have been removed from the Android store. As many as 9 million could have downloaded the dirty code.

Lookout found 32 applications contained code from the “BadNews” software development kit, which masqueraded as a standard advertising network SDK.

But it was particularly aggressive, sending phone numbers and device IDs to its command and control servers, and prompting users to install applications, including AlphaSMS, a “well-known premium rate SMS fraud malware”, which can cost users plenty of money.

“It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network,” the company wrote in a blog post.

“However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetisation SDK.”

“Further, it is clear that a substantial amount of code in BadNews has previously appeared in other families associated with Eastern European toll fraud.”

Lookout identified three C&C servers, in Russia, Ukraine and Germany.

It’s another big outbreak of Android malware, which has been spreading rapidly in recent years. NQ Mobile reported earlier this week that mobile malware jumped 163 percent in 2012, with almost all threats aimed at Android.

Governments appear to be using mobile Trojans too. China was this month implicated in attacks on Tibetan activists, which sought to get malicious kit on Android devices.

Source: Tech Week Europe

Side-loading iOS Apps Now Possible Without Jailbreak

Whatever made the Hackulous team shut down Installous yesterday is surely giving a push to other, even easier alternatives for side-loading (and, as is often the case, pirating) iOS apps.

Two of them are getting quite a lot of attention since Installous shut down – Zeusmos and Kuaiyong. In fact the Zeusmos website is currently down, and a huge spike in interest could be one of the explanations.

Both services don’t require jailbreak and, of course, you can’t get them from the App Store. The installation process is reportedly quite easy, needing you to just visit a website and hit an Install button, though we cannot confirm that ourselves. Then your Installous replacement will appear on your home screen.

If anything happens to those two, surely another four will pop up in their place. It seems that even Apple will be unable to stop piracy, no matter how hard it tries and how tight a grip over the iOS ecosystem it holds.

Source: GSMArena