Security Week-in-Review: Popular apps have holes, too


It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affects you, your business, and the security and technology industry overall. This week we explore Android banking trojans, brute force attacks, and clickjacking schemes. Check back every Friday to learn about the latest in security news.

Facebook patches Instagram for Android brute force vulnerabilities

This week, Facebook plugged two holes in Instagram that would have allowed an attacker to brute force her way into a victim’s account. The attack is executed against the “authentication domain used by the Instagram app for Android,” as reported by SecurityWeek. Brute forcing is the act of guessing a password to an account until the correct one is reached. It is often run by a script that can guess passwords at rapid rates. Facebook paid a bug bounty hunter $5,000 for the vulnerabilities.

Get more information about the vulnerability here.

Runkeeper patches Android app after code found leaking location data

Popular running application Runkeeper released a blog post explaining that its app had been inadvertently sending location data to a third-party advertiser. Jason Jacobs, the company’s CEO, explained in a blog post: “Like other Android apps, when the Runkeeper app is in the background, it can be awakened by the device when certain events occur (like when the device receives a Runkeeper push notification). When such events awakened the app, the bug inadvertently caused the app to send location data to the third-party service.” He went on to say that the bug only impacts iOS, but that the company is updating both iOS and Android apps to patch the hole and remove the third-party service.

Learn more on RunKeeper’s blog.

Internet Service Providers hit with worm

Ubiquiti Networks, which provides wireless networking solutions, alerted customers this week about a malware attack impacting unpatched versions of “airOS,” the firmware installed on its devices. The attack is an “HTTP/HTTPS exploit that doesn’t require authentication.” It uses vulnerabilities patched in July, as noted by Ars Technica, but it seems a number of ISPs are still running unpatched systems. “Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected,” the company wrote on its forum.

Read more about the attack on Ars Technica and get the Ubiquiti forum post here.

Banking trojan in Google Play steals credentials from financial and social apps

The malicious app, discovered by Lookout, is an instance of the mobile malware family Acecard and was able to evade Google Play’s security mechanisms to get into the official app store. Once installed on a device, Acecard downloads a secondary app that displays overlay windows over legitimate banking apps and some other popular apps such as Facebook and Skype. It tricks people into entering their online banking credentials and credit card information. Google quickly removed the malware four days after it initially appeared.

Get more information about Acecard.

Android clickjacking proof-of-concept concerning, but limited

This week we saw a proof-of-concept attack in which a malicious app, skinned to look like a fun game, actually guides victims through a flow to turn on the accessibility service on an Android device, using clicks. Presumably from there the attacker could abuse the accessibility service to collect data. The POC is legitimate, but an attacker would need to be dedicated in order to execute it efficiently. Depending on the device model, there are many different click sequences a user would need to follow in order to turn on the accessibility service. Additionally, the differing screen sizes and resolutions of these devices will also affect the placement of the overlay “game”. An attacker can certainly achieve these things, but it’s extra work, and attackers are economic actors. They want to get the biggest bang for their buck with the lowest tax on resources.

Read more about the POC here.

Image via Ben Sutherland/Flickr