Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android

Similar documents
Coordinated Disclosure of Vulnerabilities in McAfee Security Android

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

MRG Effitas Android AV review

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

TITLE FIELD OF THE INVENTION BACKGROUND OF THE INVENTION

The Android security jungle: pitfalls, threats and survival tips. Scott

What is Zemana AntiLogger?

Synchronized Security

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

Cyber Resilience - Protecting your Business 1

INTRODUCING SOPHOS INTERCEPT X

Symantec Ransomware Protection

Protect Your Organization from Cyber Attacks

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

Metricon 06. Leading Indicators in Information security. John Nye August 1, 2006

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Security Gap Analysis: Aggregrated Results

Man in the Middle Attacks and Secured Communications

MOBILE THREAT PREVENTION

Transparency report. Examining the AV-TEST January-February 2018 Results. Prepared by. Windows Defender Research team

Breaking and Securing Mobile Apps

CHECK POINT SANDBLAST MOBILE BEHAVIORAL RISK ANALYSIS

Kaspersky Security Network

MRG Effitas Online Banking Browser Security Assessment Project Q Q1 2014

Best Practical Response against Ransomware

Beyond Testing: What Really Matters. Andreas Marx CEO, AV-TEST GmbH

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

No Time for Zero-Day Solutions John Muir, Managing Partner

February 2017 Version: 1.0. Xerox App Gallery 4.0 Information Assurance Disclosure

Sophos Central Admin. help

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Xerox Mobile Print Solution

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Topics. Ensuring Security on Mobile Devices

IBM Security Network Protection Solutions

SentinelOne Technical Brief

Zimperium Global Threat Data

Online (in)security: The current threat landscape Nikolaos Tsalis

MOBILE SECURITY OVERVIEW. Tim LeMaster

Internet of Things real life cases Alex Ahlberg

Xerox Mobile Print Solution

When providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS

Understanding the Dynamic Update Mechanism Tech Note

Dashlane Security Whitepaper

Next Generation Enduser Protection

ein wichtiger Baustein im Security Ökosystem Dr. Christian Gayda (T-SEC) und Ingo Kruckewitt (Symantec)

Behind the Yellow Curtain Symantec s Proactive Protection and Detection Technology

Lecture Embedded System Security Introduction to Trusted Computing

Phishing in the Age of SaaS

MODERN DESKTOP SECURITY

cs642 /introduction computer security adam everspaugh

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

The Mimecast Security Risk Assessment Quarterly Report May 2017

Agile Security Solutions

Comodo APT Assessment Tool

FIREWALL BEST PRACTICES TO BLOCK

BETTER Mobile Threat Defense (BMTD)

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Base64 The Security Killer

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

rat Comodo Valkyrie Software Version 1.1 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Sophos Mobile Security

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Security: The Key to Affordable Unmanned Aircraft Systems

Google Cloud Platform: Customer Responsibility Matrix. April 2017

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

Authentication Methods

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Building Resilience in a Digital Enterprise

whitepaper ClickShare Security

SHA-1 to SHA-2. Migration Guide

Total Security Management PCI DSS Compliance Guide

October 2016 Issue 07/16

9 Steps to Protect Against Ransomware

Create Decryption Policies to Control HTTPS Traffic

McAfee Advanced Threat Defense

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Lecture Embedded System Security Introduction to Trusted Computing

File Reputation Filtering and File Analysis

:- IDBI /PCELL/ RFP/

McAfee MVISION Mobile Threat Detection Android App Product Guide

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Certified Secure Web Application Engineer

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Survey Results: Virtual Insecurity

Comptia.Certkey.SY0-401.v by.SANFORD.362q. Exam Code: SY Exam Name: CompTIA Security+ Certification Exam

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 FOCUS AREAS FOR BREACH PREVENTION

CERTIFIED SECURE COMPUTER USER COURSE OUTLINE

Transcription:

Coordinated Disclosure of Vulnerabilities in AVG Antivirus Free Android 5.9.4.1

1 Executive summary Researchers of MRG Effitas tested the AVG AntiVirus Free Android application. During use, we came across implementation details, which might undermine the Vendor s efforts to provide a comprehensive mobile security solution with the potential to aid users in case of encounters with malware. Testing covered the following application version. Application name AVG AntiVirus Store URL https://play.google.com/store/apps/details?id=com.antivirus Version 5.9.4.1 We considered the situation and opted for a responsible disclosure approach to aid the Vendor in their efforts. In accordance with industry standards, we disclose the issues based on Google s 90-day policy. As a result, after a 90-day plus a 14-day grace period, we make the discoveries public. For further details, refer to the following URL. Disclosure date: 20. April 17 Grace period begins: 19 July, 2017 Grace period ends: 1 August, 2017 https://security.googleblog.com/2014/07/announcing-project-zero.html

2 Vulnerability description 2.1 No user warning on rooted/compromised devices Finding Testing discovered that the application was normally installed and initialized on a rooted test device, provided with a dynamic hooking framework application (xposed framework). This scenario is a highly insecure one, as the hooking framework can be utilized to bypass every security measure of the AVG application. This is by no means something that an Android security suite can be properly prepared for, nevertheless no user warning has been displayed. Risk As a result, a highly sophisticated piece of malware using dynamic hooking might even abuse the AVG application to convince the user that there are no threats on the device. Note that no cloaking has taken place and as per the logs, the Xposed installer application has even been scanned by the AVG application. Consider the following scenario. 1. The Android device with no preliminary protection, gets infected by a highly sophisticated piece of malware. 2. The users suspects that there might be something going on and opts for the AVG suite to run a security scan on his device. 3. Upon installation and scanning, no warning is displayed and the user is reassured that his device is clean from malware. Recommendation It is recommended to at least warn the user in such clear cases that there might be something going on with his device and that the scan results are not trustworthy in any way. Nevertheless, it is important to point out that reliable root detection is theoretically impossible in untrustworthy environments (such as a user controlled Android device). When it comes to root detection, false positive errors are rather uncommon, however false negatives are more dangerous from security perspective. It is possible to install readily prepared tools to fool common root detection methods (e.g. RootCloak), however, presence of the Xposed installer and the RootCloak application itself is a good indication that the device has been rooted. All in all, a comprehensive approach is recommended, where the user is notified at the slightest sign of deviation from a clean device state. As an alternate approach, it is possible to harden the application itself to detect tampering (both off-line patching plus re-packaging and runtime hooking) to some extent. Should any of the below checks fail, assume that the environment is tampered with and notify the user. Note that even a careful implementation of all below methods can only raise the bar in terms of attacker skill, motivation and expertise, it can deter and detect novice users, who solely rely on off-the-shelf tools. Upon startup, check if the package has debug mode enabled. Regularly check the signature and the signing key of the app package if it deviates from an expected value.

List the calling stack of security related methods (such as certificate pinning, root detection etc.) Should the RootCloak tool be used, the calling stack contains elements that are clearly not from the originating application. Figure 1 Evidence of dynamic hooking based tampering For further information, refer to the following whitepaper (An Android Application Protection Scheme against Dynamic Reverse Engineering Attacks. Lim, Yeong et al. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, issue September 2016.) http://isyou.info/jowua/papers/jowua-v7n3-3.pdf

2.2 No certificate pinning Finding Testing revealed that the application does not utilize certificate pinning. Instead, it utilizes the OS CA store. Risk As a result, it is trivial to bypass certificate validation using various methods (e.g consider a social engineering attack, where the user is asked to install a certificate authority on his Android device). Considering the fact that mobile security suites are intended also for nonsecurity conscious users, this design consideration should be re-evaluated. When a new package is installed the hash of the package is checked from a reputational perspective within AVG s cloud service. Request: Response: Testing revealed that an intercepting attacker or a piece of malware can avoid being detected by changing the returned HTTP response. Recommendation It is recommended implement certificate pinning on all SSL connections.

2.3 Traces of user activity stored in plain-text format Finding Testing revealed that the AVG application maintains traces of user activity within the sandbox. For instance, the %sandbox%/databases/google_analytics_v4.db discloses every application that has been installed since the initialisation of the AVG suite, even if the application has been removed from the device. Figure 2 Traces of user activity in plain-text format Risk An analysis of the application sandbox reveals information regarding user activity (e.g. the names of installed applications). The risk is influenced by the following factors. The risk is increased by the fact that the application maintains the log, even in case the device is rooted. Recommendation It is recommended to encrypt all trace of user activity, even within the sandbox. Furthermore, the user should be provided with options to delete all traces of his activity from the sandbox using the application GUI. 3 Timeline 2017.04.20 Vendor notified 2017.05.29 Vendor responded 2017.08.03 Report published

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback