Coordinated Disclosure of Vulnerabilities in McAfee Security Android

Similar documents
Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Protect Your Organization from Cyber Attacks

Synchronized Security

MRG Effitas Android AV review

Security Gap Analysis: Aggregrated Results

TITLE FIELD OF THE INVENTION BACKGROUND OF THE INVENTION

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Symantec Ransomware Protection

Cyber Resilience - Protecting your Business 1

MRG Effitas Online Banking Browser Security Assessment Project Q Q1 2014

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

MOBILE THREAT PREVENTION

Breaking and Securing Mobile Apps

CHECK POINT SANDBLAST MOBILE BEHAVIORAL RISK ANALYSIS

Sophos Central Admin. help

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

What is Zemana AntiLogger?

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Topics. Ensuring Security on Mobile Devices

Man in the Middle Attacks and Secured Communications

INTRODUCING SOPHOS INTERCEPT X

The Android security jungle: pitfalls, threats and survival tips. Scott

Zimperium Global Threat Data

No Time for Zero-Day Solutions John Muir, Managing Partner

February 2017 Version: 1.0. Xerox App Gallery 4.0 Information Assurance Disclosure

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

COMPARATIVE MALWARE PROTECTION ASSESSMENT

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

cs642 /introduction computer security adam everspaugh

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

Securing Your Microsoft Azure Virtual Networks

Transparency report. Examining the AV-TEST January-February 2018 Results. Prepared by. Windows Defender Research team

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Building Resilience in a Digital Enterprise

Xerox Mobile Print Solution

The Mimecast Security Risk Assessment Quarterly Report May 2017

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

McAfee MVISION Mobile Threat Detection Android App Product Guide

Beyond Testing: What Really Matters. Andreas Marx CEO, AV-TEST GmbH

Kaspersky Security Network

Authentication Methods

IBM Security Network Protection Solutions

MOBILE SECURITY OVERVIEW. Tim LeMaster

Total Security Management PCI DSS Compliance Guide

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Next Generation Enduser Protection

SentinelOne Technical Brief

Lecture Embedded System Security Introduction to Trusted Computing

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Intrusion Detection and Prevention in Telecommunications Networks

Who are we? Jonas Zaddach. Andrei Costin. Davide Balzarotti EURECOM. Aurélien Francillon EURECOM 2/54

Phishing in the Age of SaaS

Synology Security Whitepaper

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

MODERN DESKTOP SECURITY

Securing the Modern Data Center with Trend Micro Deep Security

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

with Advanced Protection

ANATOMY OF AN ATTACK!

Comprehensive Database Security

Agile Security Solutions

HP Sure Start Gen3. Table of contents. Available on HP Elite products equipped with 7th generation Intel Core TM processors September 2017

Base64 The Security Killer

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Advanced Security Tester Course Outline

PROTECTING THE ENTERPRISE FROM BLUEBORNE

The security challenge in a mobile world

Hello! we are here to share some stories

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

FIREWALL BEST PRACTICES TO BLOCK

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Security: The Key to Affordable Unmanned Aircraft Systems

October 2016 Issue 07/16

whitepaper ClickShare Security

Lecture Embedded System Security Introduction to Trusted Computing

Mastering The Endpoint

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Understanding the Dynamic Update Mechanism Tech Note

10 FOCUS AREAS FOR BREACH PREVENTION

McAfee Advanced Threat Defense

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

File Reputation Filtering and File Analysis

BUFFERZONE Advanced Endpoint Security

Securing Your Amazon Web Services Virtual Networks

Online (in)security: The current threat landscape Nikolaos Tsalis

2018 Edition. Security and Compliance for Office 365

Behind the Yellow Curtain Symantec s Proactive Protection and Detection Technology

Transcription:

Coordinated Disclosure of Vulnerabilities in McAfee Security Android 4.8.0.370

1 Executive summary Researchers of MRG Effitas tested the McAfee Security Android application. During use, we came across implementation details, which might undermine the Vendor s efforts to provide a comprehensive mobile security solution with the potential to aid users in case of encounters with malware. Testing covered the following application version. Application name McAfee Security Store URL https://play.google.com/store/apps/details?id=com.wsandroid.suite Version 4.8.0.370 We considered the situation and opted for a responsible disclosure approach to aid the Vendor in their efforts. In accordance with industry standards, we disclose the issues based on Google s 90-day policy. As a result, after a 90-day plus a 14-day grace period, we make the discoveries public. For further details, refer to the following URL. Disclosure date: 06 April 17 Grace period begins: 05 July 17 Grace period ends: 19 July 17 https://security.googleblog.com/2014/07/announcing-project-zero.html https://googleprojectzero.blogspot.hu/2015/02/feedback-and-data-driven-updates-to.html 2 Vulnerability description 2.1 No user warning on rooted/compromised devices Testing discovered that the application was normally installed and initialized on a rooted test device, provided with a dynamic hooking framework application (Xposed framework). This scenario is a highly insecure one, as the hooking framework can be utilized to bypass every security measure of the McAfee Security application. This is by no means something that an Android security suite can be properly prepared for, nevertheless no user warning has been displayed stating that the entire operation of the suite is compromised. As a result, a highly sophisticated piece of malware using dynamic hooking might even abuse the application to convince the user that there are no threats on the device. Note that no cloaking has taken place and as per the logs, the Xposed installer application has even been scanned by the application. Consider the following scenario. 1. The Android device with no preliminary protection, gets infected by a highly sophisticated piece of malware. 2. The users suspects that there might be something going on and opts for the suite to run a security scan on his device. 3. Upon installation and scanning, no warning is displayed and the user is reassured that his device is clean from malware.

Recommendation It is recommended to at least warn the user in such clear cases that there might be something going on with his device and that the scan results are not trustworthy in any way. Nevertheless, it is important to point out that reliable root detection is theoretically impossible in untrustworthy environments (such as a user controlled Android device). When it comes to root detection, false positive errors are rather uncommon, however false negatives are more dangerous from security perspective. It is possible to install readily prepared tools to fool common root detection methods (e.g. RootCloak), however, presence of the Xposed installer and the RootCloak application itself is a good indication that the device has been rooted. All in all, a comprehensive approach is recommended, where the user is notified at the slightest sign of deviation from a clean device state. As an alternate approach, it is possible to harden the application itself to detect tampering (both off-line patching plus re-packaging and runtime hooking) to some extent. Should any of the below checks fail, assume that the environment is tampered with and notify the user. Note that even a careful implementation of all below methods can only raise the bar in terms of attacker skill, motivation and expertise, it can deter and detect novice users, who solely rely on off-the-shelf tools. Upon startup, check if the package has debug mode enabled. Regularly check the signature and the signing key of the app package if it deviates from an expected value. List the calling stack of security related methods (such as certificate pinning, root detection etc.) Should the RootCloak tool be used, the calling stack contains elements that are clearly not from the originating application. Figure 1 Evidence of dynamic hooking based tampering For further information, refer to the following whitepaper (An Android Application Protection Scheme against Dynamic Reverse Engineering Attacks. Lim, Yeong et al. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, issue September 2016.) http://isyou.info/jowua/papers/jowua-v7n3-3.pdf

2.2 No certificate pinning Testing revealed that the application does not utilize certificate pinning. Instead, it utilizes the OS CA store. As a result, it is trivial to bypass certificate validation using various methods (e.g consider a social engineering attack, where the user is asked to install a certificate authority on his Android device). Considering the fact that mobile security suites are intended also for nonsecurity conscious users, this design consideration should be re-evaluated. When a new package is installed the hash of the package is checked from a reputational perspective within the cloud service. Testing revealed that an intercepting attacker or a piece of malware can avoid being detected in the cloud by changing the submitted hash values. Note that the risk is significantly decreased by the fact that the application does not solely rely on cloud based detection methods, off-line analysis also takes place.

2.3 Traces of user activity stored in plain-text format Testing revealed that the application maintains traces of user activity within the sandbox. For instance, the %sandbox%/databases/ap_sdk_db_ discloses applications that have been installed since the initialisation of the McAfee suite, even if the application has been removed from the device. Figure 2 Traces of user activity in plain-text format An analysis of the application sandbox reveals information regarding user activity (e.g. the names of installed applications). The risk is increased by the fact that the application maintains the log, even in case the device is rooted. Recommendation It is recommended to encrypt all trace of user activity, even within the sandbox. Furthermore, the user should be provided with options to delete all traces of his activity from the sandbox using the application GUI. 3 Timeline 2017.04.07 Vendor notified, no response received 2017.05.10 Vendor notified again 2017.05.29 Vendor responded 2017.07.26 Publication of the report

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback