Android hijacking bug may allow attackers to install password-stealers

Roughly half of all Android handsets are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The “Android installer hijacking” vulnerability, as it has been dubbed by researchers from Palo Alto Networks, works only when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library. Technically, it’s based on what’s known as a time-of-check to time-of-use (TOCTOU) vulnerability. Affected devices fail to verify that the app being installed at the time of use is the one the end user approved during the time of check, which occurs when a user approves app permissions such as network access or access to the contacts database. The bug involves the way the system application called PackageInstaller installs app files known as APKs.

“A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background,” Palo Alto Networks researcher Zhi Xu wrote in a blog post published Tuesday. “Verified with Android OS source code posted in AOSP [Android Open Source Project], it shows that the PackageInstaller on affected versions does not verify the APK file at the ‘time of use.’ Thus, in the ‘time of use’ (i.e., after clicking the ‘install’ button), the PackageInstaller can actually install a different app with an entirely different set of permissions.”
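The time-of-check/time-of-use gap described above, modelled at the file level in Python as an added example (not Android or Palo Alto Networks code): a digest recorded when permissions are reviewed is compared against the package bytes at install time, so a package modified in the window is refused, and the flawed re-open-and-install flow is shown beside it. The file paths and package contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def review_permissions(apk_path: str) -> str:
    """Time of check: the user reviews the permissions. Record a digest of
    the bytes that were actually shown so they can be compared later."""
    with open(apk_path, "rb") as f:
        return sha256_of(f.read())

def install_unverified(apk_path: str) -> str:
    """Mirrors the flawed flow the article describes: at time of use the
    path is re-opened and whatever is there now is installed, unchecked.
    Returns the digest of what actually got installed."""
    with open(apk_path, "rb") as f:
        return sha256_of(f.read())

def install_verified(apk_path: str, approved: str) -> str:
    """Hardened flow: read the package once at time of use, refuse unless
    it matches the digest from time of check, and install from the bytes
    just verified rather than re-opening the path afterwards."""
    with open(apk_path, "rb") as f:
        data = f.read()
    actual = sha256_of(data)
    if actual != approved:
        raise ValueError("package changed between review and install")
    return actual  # 'data' is what would be handed to the installer

def simulate(reviewed: bytes, present_at_install: bytes) -> dict:
    """Constructed scenario: one package is reviewed, a different one is
    on disk by the time the user taps install."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.apk")
        with open(path, "wb") as f:
            f.write(reviewed)
        approved = review_permissions(path)
        with open(path, "wb") as f:  # modification in the review/install window
            f.write(present_at_install)
        unverified = install_unverified(path)
        try:
            install_verified(path, approved)
            verified_installed = True
        except ValueError:
            verified_installed = False
        return {"unverified_installed_reviewed_pkg": unverified == approved,
                "verified_installed": verified_installed}
```

The defensive point is that the check and the use must refer to the same bytes: verifying and then re-opening the path would simply reopen the race.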


Despite Privacy Policy, RadioShack Customer Data Up for Sale in Auction

RadioShack is trying to auction off its customer data on some 117 million customers as part of its court-supervised bankruptcy.

The data in question, according to a legal challenge (PDF) launched by Texas regulators on Friday and joined by the state of Tennessee on Monday, includes “consumer names, phone numbers, mailing addresses, e-mail addresses, and, where allowed, activity data.”

The states say the sale breaches the 94-year-old chain’s promises to its in-store and online customers that it would not sell their personal identifying information (PII) data.


Malicious User Hides Trojan Links in Cloned Steam Greenlight Pages

A malicious user exploited the somewhat open submission structure of Steam’s Greenlight section over the weekend to briefly hide malware links in cloned versions of legitimate game pages.

Polygon reports that a Steam user going by the handle bluebunny14 posted copies of pages for five games to Steam’s Greenlight section over the weekend. The cloned pages copied the text, screenshots, and videos of existing Greenlight games, including Melancholy Republic and The Maze, to look exactly like legitimate titles seeking attention in Steam’s fan-voting area. But the cloned versions of the pages also included purported “beta version” links for the games that instead sent users to what Polygon calls “a known Trojan.”

After being posted Sunday, the malicious links were reportedly removed by early Monday, and the cloned game pages themselves were reportedly removed by Monday afternoon. “Community members alerted us of the situation over the weekend by flagging the content,” said Valve’s Doug Lombardi in a statement. “Our Community Moderators responded quickly by removing all malicious links from the fake Greenlight material and then we banned the submissions. We are taking further steps to deal with anyone involved in posting the links. We’d like to thank those who reported the issue in addition to our Community Moderators, and we encourage everyone to report any suspicious activity in the future by using the flag icon located throughout the Steam Community.”


Google Warns of Unauthorized TLS Certificates Trusted by Almost All OSes [Updated]

In the latest security lapse involving the Internet’s widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.

The bogus transport layer security certificates are trusted by all major operating systems and browsers, although a fall-back mechanism known as public key pinning prevented the Chrome and Firefox browsers from accepting those that vouched for the authenticity of Google properties, Google security engineer Adam Langley wrote in a blog post published Monday. The certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC). The Chinese domain registrar and certificate authority, in turn, is included in root stores for virtually all OSes and browsers.

The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential. In early 2012, critics blasted US-based CA Trustwave for doing much the same thing, and Langley noted an example of a France-based CA that has also run afoul of the policy.


Machine Consciousness: Big Data Analytics and the Internet of Things

During my visit to General Electric’s Global Research Centers in San Ramon, California, and Niskayuna, New York, last month, I got what amounts to an end-to-end tour of what GE calls the “Industrial Internet.” The phrase refers to the technologies of cloud computing and the “Internet of Things” applied across a broad swath of GE’s businesses in an effort to squeeze better performance and efficiency from the operations of everything from computer-controlled manufacturing equipment to gas turbine engines and power plants. It’s an ambitious effort that GE is hoping to eventually sell to other companies as a cloud service—branded as Predix.

GE is not alone in trying to harness cloud computing and apply it to the rapidly growing universe of networked systems in energy, manufacturing, health care, and aviation. IBM has its own Internet of Things cloud strategy, and other companies—including SAP, Siemens, and startups such as MachineShop—are hoping to tie their business analytic capabilities to the vast volumes of data generated by machines and sensors. That data could fuel what some have called the next industrial revolution: manufacturing that isn’t just automated, but is driven by data in a way that fundamentally changes how factories work.

Eventually, analytical systems could make decisions about logistics, plant configuration, and other operational details with little human intervention other than creativity, intuition, and fine motor skills. And even in industries where there is no production plant, analytics could make people more efficient by getting them where they need to be at the right time with the right tools.
