Clickjacking leads Android ransomware to gain the administrative rights!

-
What is Ransomware?
Ransomware is one type of malware which prevents or limits users from accessing their system.
 File-encrypting ransomware which is also called as Cryptolocker applications that target Android devices are becoming increasingly sophisticated. One new such program is using clickjacking techniques to trick users into granting it administrator rights.

What’s this Clickjacking?
Clickjacking is a method that involves manipulating the UI in a way that allows attackers to hijack users' clicks and trigger unauthorized actions. It is mostly used in Web-based attacks, where various technologies allow creating invisible buttons and positioning them on top of seemingly harmless page elements.
Due to the restrictive application permissions system in Android, ransomware apps targeting the OS have historically been less effective than on Windows. For example, many of the early Android ransomware threats only displayed a persistent window on the screen with an alert intended to scare users into paying fictitious fines. Most of them impersonated law enforcement agencies and claimed that the devices were locked because illegal content was found on them.
Over time more aggressive variants appeared that also encrypted files on the storage partition and were much harder to uninstall. However, to work as intended, these variants need "device administrator" access.
Enabling this feature requires confirmation from the device owner through a special "activate device administrator" dialog shown after an app is installed. To get users' approval most ransomware apps which typically pretend as legitimate apps that rely on social engineering. for example by claiming that the higher access is needed for one of the functions they claim to provide.
According to researchers from Symantec, ransomware creators have now taken it to the next level. A new threat called Android.Lockdroid.E abuses the different types of windows that Android applications can trigger.
The Lockdroid.E ransomware triggers the device administrator activation dialog after installation, but also displays a TYPE_SYSTEM_ERROR window with a message claiming that an additional component is being unpacked. Android displays this particular window type on top of all others, therefore covering the device administrator dialog.
The app displays another window after few seconds, that uses TYPE_SYSTEM_OVERLAY and which also covers the device administrator dialog. This second window contains the message "Installation is complete" and a button called "Continue."

The "Continue" button is actually fake because TYPE_SYSTEM_OVERLAY windows are not designed to receive user interface inputs like taps. However, it is perfectly positioned on top of the "Confirm" button from the hidden device administrator activation dialog.
When users tap "Continue",  the action is actually transferred to the device administrator window underneath, and specifically its "Confirm" button because of this.

According to the latest statistics from Google Play, Starting with Android 5.0 (Lollipop) the two dialog types that this ransomware program abuses are no longer displayed on top of system permission dialogs like the one for device administrator. However, the bad news is that two thirds of Android devices still run versions older than 5.0, which amounts to almost 67 percent of android devices.
The Symantec researchers said,"The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites. Users who have Google Play installed are protected from this app by Verify Apps even when downloading it outside of Google Play.

"Android.Lockdroid.E poses as a porn app and tricks users into giving it admin rights. Almost 67 percent of Android devices are at risk." said Symantec researchers in their recent blog post.

How to get rid of this?
Symantec advisory includes the points to get rid of this:
      - Keep your software updated.
      - Use trusted app store.
      - Use verified and well-known security solutions
         to protect against mobile threats.

                                                                                                  -ASHISH CHHATANI


Comments

Post a Comment

Popular posts from this blog

Dresscode-Android malware that can infiltrate corporate networks is spreading

-
Image
According to Trendmicro, DressCode-a family of Android malware, has been found circulating in at least 3,000 Trojanized apps. An Android malware is spreading across app stores, including Google Play, and has the capability of stealing sensitive files from corporate networks. DressCode hides itself inside games, user interface themes, and phone optimization boosters. It can also be difficult to detect because the malicious coding only makes up a small portion of the overall app. On Google Play, Trend Micro found more than 400 apps that are part of the DressCode family, it said. That's 10 times more than what security researchers at Check Point observed a month ago. Trend Micro added that one these apps on Google Play had been installed 100,000 to 500,000 times. Once installed, Dress Code's malicious coding will contact its command and control servers and receive orders from its developers. The malware is particularly dangerous because it can infiltrate whatever internet
Read more

Importance of secure SDLC

-
Image
Time does require the change. Isn’t it? We’ll talk about the importance of securely software development life cycle in this story. We all know what exactly SDLC is? SDLC stands for Software Development Life Cycle. The developers builds the applications for certain purpose. The SDLC process has got certain pre-defined phases.  Requirement Gathering: What is the purpose and what’s it going to take for building the application. Plan and Design: Plan the phases of development. Prioritize the modules and finalize the design suitable. Implementation: Start implementing the modules. Coding takes place. Testing: Test the modules which are built Deploy: Deploy the application once the application is tested properly. Maintain: Check whether the application behaves exactly in the same way it was meant to. Eliminate the vulnerabilities identified if any. This is how the traditional SDLC process works. There are certain models to accomplish the pr
Read more