Detection of law enforcement malware (e.g. FinFisher)

Search This thread

SecUpwN

Senior Member
Jun 12, 2012
2,086
645
DEUTSCHLAND!
secupwn.github.io
Ladies and Gentlemen,

I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).

Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?

Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
 
Last edited:

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,307
15,757
Sequim WA
Ladies and Gentlemen,

I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).

Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?

Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?

Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.

Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
 

SecUpwN

Senior Member
Jun 12, 2012
2,086
645
DEUTSCHLAND!
secupwn.github.io
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.

Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.

Thanks for answering. So that means, in short words, buy a phone and only update official stuff. How boring, I wouldn't be here on XDA then! But I get your point. I'm especially interested in the question of detection. If such agencies have installed anything that would leak data (and I'm sure it's fairly easy to do for them), how would they hide that specific App from the list of TitaniumBackup? Also, how would they trick the Trust Even Logger created by @Dark3n to not show any installation?

Most importantly though, is there some way of detecting such installations or manipulations afterwards?
 
Last edited:

He3556

Member
Apr 18, 2012
20
9
smartphone-attack-vector.de
There is growing so called "Zero-Day-Exploit" Industry, with names like vupen or FinFisher , the one who are working for the German Gov. but also for countries like Saudia Arabia and Iran. They know how to find exploits, nobody knows about (zero-day) and program trojans for all kinds of platforms. So antivirus software can't help here. And it is easy to bypass security if you know one of the bugs - and we know there are many of them in firmware, operating systems, plugins, frameworks and so on... Beside this "white" marked there is also a grey and black marked. So if you need to track your woman or steal information from other companies, you will find somebody with a tool for that, i suppose.

You would need a "Intrusion Detection Software" - sorry but this won't work for Smartphones, because there is a lot of calculation, data and energy needed - you find this special hardware in big data centers.
Do not root and do not install Apps you don't really need is still a good advice, specially when people don't know so much about all this.

Another way to sneak in is to compromise the users pc, that is (maybe) connected to the phone sometimes (work with iphone sync but also with android to change DNS and get SMS with e-tan's - you will find more info it in the media)

Or if you have the "power" you can can use the cloud services (iOS, Google, Windows or other 3rd party services) to steal user data (sms, pictures, GPS history...) or just let it sync the malware to the phone. So you don't have to break in directly.



What would be the best way of preventing attacks of afforementioned groups and alike?
tomorrow i will have time, there are to many possibilities :)
 
Last edited:

SecUpwN

Senior Member
Jun 12, 2012
2,086
645
DEUTSCHLAND!
secupwn.github.io
Hey @He3556, if you've been following security news the past weeks, this topic here is becoming more relevant with each revelation. Since the trojan-coding company FinFisher has highly likely been hacked and some cool whisteblowers are publishing very sensitve data like price lists and handbooks on their Twitter account GammaGroupPR, more details of their secret software FinSpy Mobile is being revealed. And this is exactly the type of software that I am talking about here in this thread. I want to know how users can protect themselves from crap like that. According to the video that has been leaked, It is being installed through a fake update, or even through messages via E-Mail to "please" install this "very important update":


And just to make everyone more curious, FinSpy Mobile has been leaked on Twitter! It obviously works for all operating systems, including Android, Blackberry, Windows Mobile, and Symbian. Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. It is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. Regarding FinSpy Mobile and similar software: How would law enforcements possibly attack a cautious member of XDA (or any other site)? I mean, people that have been in the field of flashing new ROMs, updating their firmware and recovery themselves, not installing strange APKs sent via E-Mail and controlling installed Apps through TitaniumBackup should be somewhat immune to such type of attacks, right?

It appears to me as if their software might work for the general masses, but highly-likely not on people like @jcase or other Android security-gurus. Since I linked you, I'd be very happy if you could expand on that a little. I am sure such companies might even have the possibility of messing with the baseband of a target phone through only knowing the phone number of a target. But I am really curious what their "standard procedure" is if they face a target with thorough Android knowledge, maybe even a security-enthusiastic Android developer. Wouldn't their only option be to manually manipulate the handset?
 
Last edited:

He3556

Member
Apr 18, 2012
20
9
smartphone-attack-vector.de
There are two methods to keep away all kinds of trojan and malware...

1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.

2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
 

SecUpwN

Senior Member
Jun 12, 2012
2,086
645
DEUTSCHLAND!
secupwn.github.io
There are two methods to keep away all kinds of trojan and malware...

1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX. ;)
Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?

2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
 
  • Like
Reactions: ahvamaria

Dark3n

Recognized Developer
Sep 14, 2007
2,626
5,478
twitter.com
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.

Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
Maybe? But there are much easier ways if it is not desired to target specific persons.

I'll brain storm a bit for you:

I would divide the attack vectors into those that work with root and those that don't.
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.

If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.

While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.

Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?

Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.

Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.

A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.

Now those are all ways to target a broad mass of users.

If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
- My favorite plan yet, making a popular app themselves that they know you will try ;)

It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.

edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?

TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.

edit2: More specific answers to your questions.

You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?

Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?

How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.

And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher.

This is the thing, with enough resources, there is always a way.

It seems as if the probability is high that most of the time they are selling a fake update to the target.
Exactly disguising as something legit is the cheapest way, "trojan horse".

Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
 
Last edited:

SecUpwN

Senior Member
Jun 12, 2012
2,086
645
DEUTSCHLAND!
secupwn.github.io
Whoa, this has to be the longest answer I've received since registering here. Huge thanks! Grab a coffee..

Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
Ok, fair. Will keep it anyhow.

Maybe? But there are much easier ways if it is not desired to target specific persons.

I'll brain storm a bit for you:

I would divide the attack vectors into those that work with root and those that don't.
Just to mention it here: An awesome site to see which attack vectors and vulnerabilities exist is Smartphone Attack Vektor by @He3556.

Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.

If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
Ok, I get the point. Also like @jcase already pointed out: If we root, we pwn ourselves. And if we don't, too.

While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.

Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
I only install trusted Applications.

Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Guess if I use the F-Droid Store I should be pretty safe, right? But don't worry, I don't rely on it - as for me, smartphones are huge bugs with touchscreens. That is why I also built a phone signal blocking pouch for myself and friends. Further good recommendations can be found on the bottom of my GitHub.


Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
Actually, no. I already have two or three. Or maybe even four? :cowboy:


A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.

Now those are all ways to target a broad mass of users.
Good to know we've come to an end here. Reading all this makes me want to throw my phone out of the window.


If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
I DON'T use public hotspots. Why? Because you can be almost certain that stuff will be logged and analyzed once you use that. Over here in my town, we've got a HUGE Apple Store. And guess what - FREE WIFI for everyone! Yeyyy... not.

- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
You are right, threats against family, friends and relatives are a no-go. If I remember correctly, something similar had happened to my beloved XDA developer @idcrisis who invented CrossBreeder. He left development of his toolset because starnge things occured in his life which he linked to his development. Shortly after leaving his project, he proposed a new license: The Aware License. Hope this guy is still living a happy life, though. Added to the above security-issues: Trust NOONE! How come? Well, just read this stunning story I discovered yesterday where a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet adn surfing cat videos. ^^

- My favorite plan yet, making a popular app themselves that they know you will try ;)
I don't quite get what you meanb by that. Please clarify, it sounds interesting.


It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
The way I see it: The only thing that we have no real access to, is the baseband. I am sure that these are full of backdoors and switches for agencies that they just need to trigger - just like the Samsung Galaxy Backdoor discovered by Replicant.

edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution...
Nope, I don't trust the manufacturer either. And I am SICK of bloatware! hence, I am a happy user of AOKP since several years - but regarding the binary blobs, I would certainly love to try out Replicant (sadly not yet available for the HTC One).

There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
Nothing is impossible, everything can be done. A wise man once said: Everything you can imagine, will happen.


TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
Good advice, I already do follow that one. As already said, if I were a spy company, I'd just team up with manufacturers of basebands..

You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
Highly-likely nothing. I already know that there is not much I can do to prevent them to get in, but at least I do want to detect them - and having such a detection mechanism raises the bar in disguising their actions even further - and who knows, maybe they're not interested anymore then?

How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
Not much.

This is the thing, with enough resources, there is always a way.
Exactly disguising as something legit is the cheapest way, "trojan horse".
Absolutely right. But what I am really curious of: How do people from the security-community really protect their phones? Do you have friends that are using their phones to just communicate via VPN and VOIP, not sending SMS and never calling people? Perfect place for @InvaderX to chime in, he told me before to really do a combination of that approach.

I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Sigh.. mobile phones are a total threat to humanity, I get it..
 

SecUpwN

Senior Member
Jun 12, 2012
2,086
645
DEUTSCHLAND!
secupwn.github.io
Last edited:

He3556

Member
Apr 18, 2012
20
9
smartphone-attack-vector.de
a tool against 0-day exploits

don't freak out to early - this tool is only for windows desktops.
But at least it shows how it could work for mobile devices, too.

It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.

  • These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
  • SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).

Ok, they do not guarantee 100% security - but who could? Even this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.

Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html

And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/


Does anybody know a APP for Android, iOS, WP8 or BB?
 
  • Like
Reactions: E:V:A and SecUpwN

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
Just a small side note:

In regard to device security vs. rooting.

There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,307
15,757
Sequim WA
I trust neither the ODMs, nor the custom roms. However I KNOW the average custom rom is just as if not MORE vulnerable than current stock roms, add su into the mix and it is without a doubt more vulnerable. Show me a custom rom dev that claims he ships a secure firmware, and I'll show you someone ignorant of the facts. Ask most of them what CTS is, and they will look at you like you are referencing 18th century medical terms.

That is my stance. In regards to root making a device more vulnerable, I can back that statement time and time again. From key compromises of the superuser apps, to vulnerabilities in the app, to vulns in the su binaries, to vulns in apps that typical make su requests, to stupid users who will grant it to anyone. Having any access point to "root" makes turning a small vuln to a complete compromise relatively easy.



Just a small side note:

In regard to device security vs. rooting.

There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.

To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
Reading all this, it makes me wonder if the antivirus apps help at all..
Let's put it this way.

In 6 years of heavy 24/7 PC use, my anti-virus have prevented me from a "possible" remote exploit exactly once, while having annoyed me with lengthy uninterruptible scans and ignoring my ignore settings about a 1000 times, due to adware and various other false positives. Then only god knows how many different countries governments are already present in my PC. Go figure. And yes, I have tweaked every possible setting and tried multiple well know AV's.

Forget AV's and get a good FW and with a well tuned host file, and well tuned common sense.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,307
15,757
Sequim WA
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.

To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.

Really, I dont want to do this again, this conversation.

Most stupid people don't realize they are stupid, they assume they are smart. (We are all stupid in some regards).

I think I could endanger a user from root, pretty sure I can either screw the phone up, or possibly catch it on fire. If it had a sim in it, and was on the network I am certain I could make them regret ever rooting their device.

Here is a question, how many of you understand how these unlocks/exploits work?

I sometimes leave messages hidden in mine, and have only had ONE person reply to the hidden message, out of 100,000s of runs. People don't even know what they are running to gain root, let alone any idea what these "rom devs" do.

Open source is the answer right? Everyone can read the code, and everyone does! Thats why no backdoors or vulns have ever been in open source projects. Every open source project gets a line by line audit by a team of security professionals.</sarcasm>

I'll join back in when someone shows me a custom rom/open device that has the same or better security precautions taken by leading ODMs. Until then, it is generally just as easy or (generally) easier to abuse and exploit one of these custom roms floating around.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 4
    Trust is not a security app!
    If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
    There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
    It is just not build to withstand such attacks.

    Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
    Maybe? But there are much easier ways if it is not desired to target specific persons.

    I'll brain storm a bit for you:

    I would divide the attack vectors into those that work with root and those that don't.
    Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.

    If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
    Basicly do what the hell he wants.

    While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
    A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.

    Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?

    Abusing trust in existing apps is probably the biggest danger.
    The most obvious danger here is downloading apps you usually trust but from unknown sources.
    Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
    The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.

    Want a botnet?
    Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
    While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
    It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.

    A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.

    Now those are all ways to target a broad mass of users.

    If a single user is the target, it would be more difficult, but there are still plenty of options:
    - MITM attacks at public hotspots,
    - Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
    - My favorite plan yet, making a popular app themselves that they know you will try ;)

    It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.

    edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?

    TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.

    edit2: More specific answers to your questions.

    You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?

    Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?

    How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.

    And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher.

    This is the thing, with enough resources, there is always a way.

    It seems as if the probability is high that most of the time they are selling a fake update to the target.
    Exactly disguising as something legit is the cheapest way, "trojan horse".

    Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
    I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
    2
    At least I am not the only one paranoid about this kind of thing. LOL
    2
    a tool against 0-day exploits

    don't freak out to early - this tool is only for windows desktops.
    But at least it shows how it could work for mobile devices, too.

    It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.

    • These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
    • SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).

    Ok, they do not guarantee 100% security - but who could? Even this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.

    Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html

    And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/


    Does anybody know a APP for Android, iOS, WP8 or BB?
    1
    There are two methods to keep away all kinds of trojan and malware...

    1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
    You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
    I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX. ;)
    Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?

    2. Web browser, Apps, e-mail client and all other connection must be use VPN.
    But there is one more stepp to take.
    The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
    More details about this you can find here: http://itwatch.info/Products/ReCAppS
    But i am sure there are more projects about this out there...
    Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?