May 10, 2018

Watch out: photo editor apps hiding malware on Google Play

By Mark Stockley

SophosLabs has discovered apps in Google Play harboring Guerilla ad clicker malware.

The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps.

Guerilla ad clicker

SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.

Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.

The apps harboring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files.

That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realizing.

Read more at https://nakedsecurity.sophos.com/2018/05/10/watch-out-photo-editor-apps-hiding-malware-on-google-play/

The WhatsApp text bomb – no, it won’t destroy your phone!

By Paul Ducklin

You’ve probably seen the news already: there’s a text message going around that can cause WhatsApp to freeze or crash (if those aren’t essentially the same thing).

Just how alarmed you are depends on where you’ve looked.

Some articles have been hedging their bets by urging you to watch out for “the text bomb that could destroy your phone”, which is dramatic without actually being definitive. (After all, you could win the lottery tomorrow, but you won’t.)

Other articles have insisted that the damage is more than just theoretical – the Birmingham Mail, for instance, headlined its article to state unequivocally that “this WhatsApp text bomb is destroying recipient’s phones”.

Fortunately, the article itself is a bit more conciliatory, noting that:

If you receive [the text bomb], your phone – whether it’s an iPhone or Android – could become unresponsive, forcing you to restart it.

As far as we know, that’s about as bad as it gets, and after restarting, you should be able to delete the offending message so it doesn’t disrupt you again.

Read more at https://nakedsecurity.sophos.com/2018/05/10/the-whatsapp-text-bomb-no-it-wont-destroy-your-phone/

Windows-crashing bug not patch-worthy, says Microsoft

By Maria Varmazis

When is a bug not a bug? That’s the question in play with a proof of concept (PoC) published by researcher Marius Tivadar, which can crash several versions of Windows, even if they’re locked, all within seconds of launching the code.

This PoC requires a USB key with a faulty NTFS image on it to be physically inserted into a Windows PC that also has autoplay enabled. Regardless of the privilege level currently active (from user to administrator), seconds after the target PC tries to read data on the USB stick, the dreaded blue screen of death (BSOD) occurs, crashing the computer.

That’s why Tivadar classifies this bug as a denial of service attack, but a crash is as far as this specific issue goes, and at no point does any privilege escalation or unauthorized data access occur.

Tivadar says he reached out to Microsoft in July 2017 to disclose his findings, all in the hope that Microsoft would officially give this security issue a CVE and start working on a patch to fix the problem.

But because this bug requires a USB key to be physically inserted into a machine to work, Microsoft responded that this finding didn’t “meet the bar” for issuing a security patch – so no CVE and no patch will be forthcoming.
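The precondition the article names is AutoPlay being enabled on the target. As an added example (not from the Sophos article or from Tivadar’s PoC), the PowerShell below reports the two registry values that govern AutoRun/AutoPlay on a Windows machine and, on request, sets them to the hardened values. The registry paths are the standard Explorer policy locations; run it from an elevated PowerShell session.

```powershell
# Added example: report and optionally harden the AutoRun/AutoPlay settings that the
# USB-based NTFS crash described above depends on. Registry paths are assumed to be
# the standard Explorer policy locations; no KB numbers or PoC details are used here.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$handlerKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

function Get-AutoPlayState {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
    # 0xFF disables it for every drive type (removable drives included).
    # DisableAutoplay = 1 turns off the per-user AutoPlay prompt for new media.
    $autorun  = (Get-ItemProperty -Path $policyKey  -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $autoplay = (Get-ItemProperty -Path $handlerKey -Name DisableAutoplay    -ErrorAction SilentlyContinue).DisableAutoplay

    [pscustomobject]@{
        NoDriveTypeAutoRun          = if ($null -eq $autorun) { 'not set (default)' } else { '0x{0:X2}' -f $autorun }
        AutoRunDisabledForAllDrives = (($autorun -band 0xFF) -eq 0xFF)
        DisableAutoplay             = if ($null -eq $autoplay) { 'not set (default)' } else { $autoplay }
        AutoPlayPromptDisabled      = ($autoplay -eq 1)
    }
}

function Disable-AutoPlay {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($key in $policyKey, $handlerKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set NoDriveTypeAutoRun = 0xFF')) {
        Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($handlerKey, 'Set DisableAutoplay = 1')) {
        Set-ItemProperty -Path $handlerKey -Name DisableAutoplay -Value 1 -Type DWord
    }
}

# Usage: inspect first, then preview the change, then apply it.
Get-AutoPlayState
# Disable-AutoPlay -WhatIf
# Disable-AutoPlay
```

Turning AutoPlay off removes the precondition the article describes; it does not stop Windows from mounting a removable volume when it is plugged in, so on machines where unknown USB devices are a concern a removable-storage device-control policy is the broader control.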

Read more at https://nakedsecurity.sophos.com/2018/05/10/windows-crashing-bug-not-patch-worthy-says-microsoft/

Grade hacking may cost high school its valedictorian

By Lisa Vaas

As graduation day draws near for W.S. Neal High School in East Brewton, Alabama, the school is being quizzed, hard.

The questions:

Who hacked grades for the past two years, to the extent that the school can’t figure out if the top 10 students are legitimately the top 10 students? How did the perpetrator(s) hack the grade-reporting system? What is the school doing to prevent this from happening again?

Those questions came from Monica Fountain, just one of many parents who are furious that the school might not be able to find answers in time to pick a valedictorian or salutatorian for graduation in two weeks, on 22 May.

The issue was first reported by the Mobile, Alabama TV station WKRG.

Escambia County Superintendent John Knott confirmed to WKRG that when the school was finalizing the Top 10 students, staff discovered that somebody had altered students’ grades. Knott couldn’t comment on who was involved, nor how many students’ grades could have been affected. As far as whether the school can have a valedictorian or salutatorian, Knott said that it will depend on when the investigation is wrapped up.

To those of us familiar with cyber forensics, that’s not unreasonable. These things take time. It’s not necessarily easy, or fast, to trace hackers and quickly come up with suspects’ identities. What’s more, prematurely releasing details about an ongoing investigation can jeopardize the outcome, whether it’s by tipping off suspects so they can destroy evidence, or by falsely naming suspects before enough evidence has been amassed to form a solid case. People prematurely reported as suspects might well turn out to be innocent, but that hasn’t stopped people from prosecuting them in the court of public opinion and social media.

But those who aren’t familiar with the time involved in finding hackers want answers, and they want them now.

As you can see by the reactions on a Facebook post Monica Fountain put up about the incident, the town is outraged. Some say it’s unfair to the kids who’ve worked so hard to get their good grades, that scholarships could be jeopardized, and even that the school is hiding the identity of the hacker(s) for some reason.

Read more at https://nakedsecurity.sophos.com/2018/05/10/grade-hacking-may-cost-high-school-its-valedictorian/

Patch now! Microsoft and Adobe release critical security updates

By John E Dunn

After time off in April, 0-days have returned with a small bang in May’s Patch Tuesday from Microsoft.

The loudest is a remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted being exploited by nation state cybercriminals three weeks ago by Chinese security firm Qihoo 360.

Dubbed ‘Double Kill’ (CVE-2018-8174), it can be deployed in a number of ways, including by luring an Internet Explorer user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document.

Any one of these scenarios gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware, Microsoft said, hence the need to apply a patch as a high priority.

The next 0-day is CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2.

An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical.

Microsoft hasn’t said how it’s being exploited, but having this kind of vulnerability to hand is gold for cybercriminals, which is why it should also be on the immediate fix list for anyone running Windows 7.

Two others worth mentioning are CVE-2018-8141, a kernel information disclosure flaw affecting Windows 10 1709, and CVE-2018-8170, an elevation of privilege vulnerability in the 32-bit editions of Windows 10 1709 and 1703.

Read more at https://nakedsecurity.sophos.com/2018/05/09/patch-now-microsoft-and-adobe-release-critical-security-updates/

Critical bug in 7-Zip – make sure you’re up to date!

By Paul Ducklin

Two months ago, a cybersecurity researcher who calls himself LANDAVE, or just Dave for short, found a security vulnerability in the handy, popular, free utility 7-Zip.

7-Zip is a sort-of Swiss Army Officer’s Knife of file decompression tools that many users install as one of their main add-on Windows apps.

It not only supports its own brand of mega-compressed archive files with the extension .7z, but also knows how to extract data from most other archive formats, too.

Those include conventional ZIPs, gzip and bzip2 files, Unix tar and cpio archives, Windows CAB and MSI files, Macintosh DMG files, CD images (ISOs), and many more, and there’s also an optional two-pane file management interface that’s perfect for old-school fans of Midnight Commander.

7-Zip also includes support for RAR files, and that’s where the vulnerability came from, apparently inherited from open source code from the standalone UnRAR utility.
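“Make sure you’re up to date” is easier said than checked on a machine with both 32-bit and 64-bit software, so here is an added example (not from the Sophos article or from the 7-Zip project) that locates the installed 7-Zip version and compares it with a minimum you require. The article does not name the fixed release; the default of 18.05 is taken from the researcher’s own advisory. The uninstall key names and default install folders are assumptions about the standard 7-Zip installer.

```powershell
# Added example: report the installed 7-Zip version(s) and flag any below a minimum.
# Assumptions: the installer registers under Uninstall\7-Zip (64-bit hive and the
# WOW6432Node view for 32-bit builds) and installs to <Program Files>\7-Zip.

function Get-SevenZipVersion {
    param(
        # 18.05 is the release the researcher's advisory names as fixed (not stated on this page).
        [version]$MinimumVersion = [version]'18.05'
    )

    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip',             # 64-bit build
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip'  # 32-bit build on 64-bit Windows
    )

    # Prefer the registered install(s); DisplayVersion is the string the installer wrote, e.g. "18.05".
    $found = @(foreach ($key in $candidates) {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{ Source = $key; Version = [version]$p.DisplayVersion; Path = $p.InstallLocation }
        }
    })

    # Fall back to the binary itself, which also covers copies that were never registered.
    if ($found.Count -eq 0) {
        $found = @(foreach ($exe in "$env:ProgramFiles\7-Zip\7z.exe", "${env:ProgramFiles(x86)}\7-Zip\7z.exe") {
            if (Test-Path $exe) {
                $v = (Get-Item $exe).VersionInfo.ProductVersion
                [pscustomobject]@{ Source = $exe; Version = [version]$v; Path = Split-Path $exe }
            }
        })
    }

    if ($found.Count -eq 0) {
        Write-Warning '7-Zip not found in the registry or the default install folders'
        return
    }

    foreach ($f in $found) {
        # BelowMinimum is the actionable column: $true means this copy predates the fix.
        $f | Add-Member -NotePropertyName BelowMinimum -NotePropertyValue ($f.Version -lt $MinimumVersion) -PassThru
    }
}

# Usage: list every copy found and whether it needs updating.
Get-SevenZipVersion | Format-Table -AutoSize
```

The [version] cast is what makes the comparison safe: "18.01" and "18.05" compare as versions, not as strings, so a future "18.10" sorts after "18.05" rather than before it.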

Read more at https://nakedsecurity.sophos.com/2018/05/09/critical-bug-in-7-zip-make-sure-youre-up-to-date/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation