Showing posts with label Hacking News. Show all posts

Friday, September 16, 2016

Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor



After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks for a new update from the company's official server every 24 hours.

While making these requests, the app sends device identification information along with them, including the phone's IMEI, model, MAC address, a nonce, the package name and its signature.

"I couldn't find any proof inside the Analytics app itself, so I am guessing that a higher privileged Xiaomi app runs the installation in the background," Broenink says in his blog post.
Now the question is: does your phone verify the correctness of the APK, and does it make sure that it is actually an Analytics app?

Broenink found that there is no validation at all of which APK is being installed on the user's phone, which means there is a way for hackers to exploit this loophole.

This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.
"So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this App Installer gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed," Broenink said.

Hackers Can Also Exploit This Backdoor


Since the researcher could not find the actual purpose of the AnalyticsCore app, either by searching the web or on the company's website, it is hard to say why Xiaomi has kept this mysterious "backdoor" on its millions of devices.

As I previously said: There is no such backdoor that only its creator can access.

So, what if hackers or an intelligence agency figure out how to exploit this backdoor to silently push malware onto millions of Xiaomi devices within just 24 hours?

Ironically, the device connects and receives updates over a plain HTTP connection, exposing the whole process to man-in-the-middle attacks.
"This sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any APK for your device specifically," Broenink said.
Even on the Xiaomi discussion forum, multiple users have shown their concerns about the existence of this mysterious APK and its purpose.
"Don't know what purpose does it serve. Even after deleting the file it reappears after some time," one user said.
Another said, "if I go to battery usage app, this app is always at the top. It is eating away at resources I believe."
How to Block Secret Installation?

As a temporary workaround, Xiaomi users can block all connections to Xiaomi-related domains using a firewall app.
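The update flow described above (poll for a fixed file name, plain HTTP, install whatever comes back) next to the checks a client should make before installing anything, as an added example; it is neither Broenink's code, Xiaomi's code nor anything from the original post. The server URLs, the key, the manifest format and the package name com.example.analytics are constructed, and HMAC stands in for the asymmetric signature a real vendor channel would use, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed values: the key a client would ship with and the package it is
# allowed to update. A real channel would use an asymmetric signing key so the
# client holds no secret; HMAC-SHA256 stands in to keep this stdlib-only.
VENDOR_KEY = b"constructed-vendor-key"
EXPECTED_PACKAGE = "com.example.analytics"


class UpdateRejected(Exception):
    """Raised by the hardened client when any pre-install check fails."""


def install_unverified(url, payload):
    """Model of the flow the article describes: whatever is served under the
    expected file name is handed to the installer, over any transport."""
    return {"installed": url.rsplit("/", 1)[-1], "size": len(payload)}


def sign_manifest(manifest, key=VENDOR_KEY):
    """Canonical JSON + HMAC-SHA256 (stand-in for a vendor signature)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def install_verified(url, payload, manifest, signature, key=VENDOR_KEY):
    """Install only if transport, manifest authenticity, package binding and
    payload integrity all check out; otherwise raise UpdateRejected."""
    # 1. Transport: a plaintext channel lets an on-path attacker swap the file.
    if urlsplit(url).scheme != "https":
        raise UpdateRejected("update channel must be HTTPS")
    # 2. Authenticity: verify the manifest before trusting anything in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise UpdateRejected("manifest signature mismatch")
    # 3. Binding: a valid manifest for some other package is still an attack.
    if manifest.get("package") != EXPECTED_PACKAGE:
        raise UpdateRejected("manifest is for a different package")
    # 4. Integrity: the bytes received must match the signed digest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        raise UpdateRejected("payload digest mismatch")
    return {"installed": manifest["package"], "version": manifest["version"]}


def run_scenarios():
    """Constructed scenarios: a genuine update, then the same file name served
    with swapped bytes (what a man-in-the-middle on plain HTTP can do)."""
    genuine = b"constructed genuine apk bytes"
    swapped = b"constructed attacker-chosen apk bytes"
    manifest = {"package": EXPECTED_PACKAGE, "version": "1.2.3",
                "sha256": hashlib.sha256(genuine).hexdigest()}
    signature = sign_manifest(manifest)
    http_url = "http://updates.example/Analytics.apk"
    https_url = "https://updates.example/Analytics.apk"
    results = {
        "unverified_genuine": install_unverified(http_url, genuine),
        "unverified_swapped": install_unverified(http_url, swapped),  # installs malware
        "verified_genuine": install_verified(https_url, genuine, manifest, signature),
    }
    for name, url, payload in (("verified_http", http_url, genuine),
                               ("verified_swapped", https_url, swapped)):
        try:
            install_verified(url, payload, manifest, signature)
            results[name] = "installed"
        except UpdateRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

Each check in install_verified() closes one of the gaps the article lists: HTTPS for the interception path, the manifest signature and package binding for the "any APK renamed Analytics.apk" problem, and the digest for payload substitution. Running it shows the unverified model accepting the swapped payload while the verified one rejects it.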

No one from the Xiaomi team has yet commented on its forum about the question raised by Broenink. We'll update the story as soon as we hear from the company.

Meanwhile, if you are a Xiaomi user and have experienced anything fishy on your device, hit the comments below and let us know.

Thursday, April 21, 2016

5 Types of Cyber Crime in Nepal You Should Know About

The internet is a medium that enables the spread of information and communication between people at a worldwide level. It is a 'free' medium, with no international laws or regulations governing it; therefore it is extremely difficult to monitor or prohibit the transactions that occur within it. A cyber crime is an act of creating, distributing, altering, stealing, misusing or destroying information through computer manipulation of cyberspace, without the use of physical force and against the will or interest of the victim.

5 Main Cyber Crimes in Nepal

Social Media Related Cyber Crime

Social media related cyber crime in Nepal includes posting pornographic content on social media or creating fake profiles to intentionally harm someone on Facebook, Twitter, Instagram or any other social media platform.

In the year 2070, a total of 19 cases of social media cyber crime were reported. With the growing use of social media, the number of cases increased to 35 in 2072. The number of female victims is higher. According to the Crime Investigation Bureau (CIB) Nepal, posting nude pictures on social media to take revenge accounts for most of the cases.

A government employee named Raju Shah was taken into police custody when a comment against the then home minister Bam Dev Gautam was traced on Facebook. Raju Shah was found guilty of demanding the death sentence for Minister Bam Dev Gautam, who had been photographed breaking a traffic rule.

Piracy Related crime

Any content that has been copied to make a duplicate is considered piracy. Using unauthorized trademarks or copying source code without holding a licence to use it is considered a piracy crime.

For example, the font used in a company logo can also be the subject of a piracy case if the font is not listed as free for business use. Even though such a case is not a possibility in today's context in Nepal, we can see various examples of font piracy. Read a story of Font Piracy.

Source code piracy cases have also been heard in Nepal lately. Since the case has not been resolved, the whole story remains an unsolved mystery. It has been alleged that a software company filed a case against a media house for copying its source code.

Fake Profile Marketing

Creating or using a fake profile, fake website or e-mail to damage someone's image or to carry out inappropriate marketing is also considered a cyber crime. We can see various examples of fake profiles, fake websites and spam e-mails. Spreading unwanted and inappropriate messages using a fake profile is considered fake profile marketing. This rule also applies to businesses where a fake product is sold. Marketing a counterfeit product under the name of a different brand also comes under fake marketing cyber crime.

Threatening Using Email

E-mail threats are not a very common cyber crime in Nepal. If an e-mail contains a threat or warning intended to harm or disturb an individual or an organisation, it is considered a cyber crime.

Website Hacking

Website hacking means taking control of a website away from its owner. Nowadays most government websites are attacked by hackers, and many governmental websites, including the president's website, have been hacked. Any complaint about website hacking can amount to a serious offence under the cyber law of Nepal.

Recently, a group of Nepalese hackers named Anonymous opnep breached the server of Nepal Telecom. The hackers gained access to all the details of NTC users, including username, citizenship name, father's name and other private information. The Metropolitan Crime Division recently tracked the hackers down and arrested 18-year-old Bikash Paudel for hacking over 200 websites, including the NTC website.

Unauthorized Access

Unauthorised access is one of the most common issues in the cyber crime world. Gaining access to a website, programme, server, service or other system using someone else's account or by other means is called unauthorised access.

Examples of unauthorised use of computers include an employee using a company computer to send personal e-mail, or someone gaining access to a bank computer and performing an unauthorised transfer.

Online Business of Restricted Materials

A business involving the buying and selling of illegal or restricted materials can be a case of cyber crime. One interesting case came up when a Nepali citizen named Kirtan Pokhrel was arrested for creating an event related to sex tourism. The event was named Bunga Bunga and promised girls aged 13 to 17.

Nepal Telecom ADSL Users Username/Password Hacked



A group of Nepalese hackers has claimed to have breached the Nepal Telecom ADSL server and gained access to users' Wi-Fi SSIDs and passwords. They claim that more than 47,300 Nepal Telecom TP-LINK routers are vulnerable to hackers. TP-LINK is an electronics manufacturer famous for its budget-oriented ADSL and DSL routers.

Moreover, these hackers have published the list of ADSL usernames and their respective passwords in this link here. This is not the first time that NTC's servers have been hacked. Last month, a group called Anonymous opnep gained access to all the details of NTC users, including username, citizenship name, father's name and other private information that you have to fill in during new SIM registration. The Metropolitan Crime Division recently tracked the hackers down and arrested 18-year-old Bikash Paudel for hacking over 200 websites, including the NTC website.

The series of hacks shows how insecure NTC's servers are. The hackers even mocked the weak security of NTC's websites and threatened more such cyberattacks. If Nepal Telecom, the largest telecommunication service provider in Nepal, wants to advance digitally, it should also be prepared for the cyber battle and be armed with security and cyber experts to avoid such breaches. Please wake up, NTC!

Enable this New Setting to Secure your Computer from Macro-based Malware




Do you deal with MS Word files on a daily basis?

If yes, then are you aware that even opening a simple doc file could compromise your system?

Think about it: the virus does not affect you directly. It is you who lets the virus carry out the attack, by enabling "Macros" to view the contents of a document that is usually on an eye-catching subject like a bank invoice.


How Do Macros Cripple Your System?


The concept of macros dates back to the 1990s. You must be familiar with this message: "Warning: This document contains macros."

A Macro is a series of commands and actions that help to automate some tasks. Microsoft Office programs support Macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.


Hackers are cleverly using this technique under the cover of social engineering, by mailing malicious macros in a doc file or spreadsheet with an eye-catching subject to corporate networks.


Once a user downloads the malicious Word document to their system, the danger comes when they open the file and a bar appears stating that they need to click "Enable Editing" to view the content.

Once the user clicks Enable Editing, the malicious file begins its notorious activities on the system, such as embedding itself into other doc files to spread the attack, crippling your system and network.


All those actions depend on the payload program defined inside the macro.


Dridex and Locky are Warning Bells!!!


No other incidents give a clearer picture of the potential threat of macro viruses than the Dridex malware and the Locky ransomware. Both made use of malicious macros to hijack systems.


Over 20 million euro was stolen from UK banks with the Dridex malware, which was triggered via a nasty macro virus. Locky ransomware infections also grew exponentially within a couple of hours.


How to Protect Yourself from Macro-based Malware?


Step 1: Configure Trusted Location

Disabling macros is not a feasible option, especially in an office environment where macros are designed to simplify complex tasks through automation.

So, if your organization relies on macros, you can move files that use macros into the company's DMZ (Demilitarized Zone), also called a Trusted Location.

To configure the trusted location, you can navigate via:

User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Once configured, macros that do not belong to the trusted location will not run in any way, beefing up your system's security.


Step 2: Block Macros in Office Files that Come from the Internet

Microsoft recently unveiled a new security feature in MS Office 2016 that limits macro execution attacks, ultimately preventing your system from being hijacked.


The new feature is a group policy setting that lets enterprise administrators disable macros from running in Office files that come from the Internet.


The new setting is called, "Block macros from running in Office files from the Internet" and can be navigated through the group policy management editor under:

User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It can be configured for each Office application.


By enabling this option, macros that come from the Internet are blocked from running even if you have 'Enable all macros' selected in the Macro Settings.

Moreover, instead of getting the option to 'Enable Editing', you'll receive a notification that macros are blocked from running because the document comes from an untrusted source.


The only way to run that particular Office file is to save it to a trusted location, allowing macros to run.
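The two policies above act on two facts about a file: whether it carries a VBA project, and whether it arrived with an Internet-zone mark (the Zone.Identifier stream Windows attaches to downloads, which is how Office knows a document "comes from the Internet"). Here is an added example, not code from the original post or from Microsoft, that checks both for Office Open XML documents from a defender's triage point of view. The sample documents it builds are constructed stand-ins, and the assess() function and its field names are this example's own.

```python
import io
import os
import zipfile
from typing import Dict, List, Optional

# Part names that hold the VBA project in macro-enabled Word, Excel and
# PowerPoint documents (the ZIP-based Office Open XML formats).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
INTERNET_ZONES = {3, 4}  # URLZONE_INTERNET and URLZONE_UNTRUSTED (restricted sites)


def vba_parts_in(data: bytes) -> List[str]:
    """Return the VBA project parts found inside an OOXML (ZIP) container.
    Legacy binary formats (.doc/.xls are OLE compound files, not ZIPs) come
    back empty here; they need an OLE parser instead of this check."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return [part for part in VBA_PARTS if part in names]


def parse_zone_id(stream_text: str) -> Optional[int]:
    """Parse ZoneId from a Zone.Identifier stream ('[ZoneTransfer]\\r\\nZoneId=3')."""
    for line in stream_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def read_zone_stream(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream (NTFS on Windows only;
    returns None where streams are unsupported or the file has no mark)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def assess(filename: str, data: bytes, zone_stream: Optional[str]) -> Dict[str, bool]:
    """Summarise what the macro-blocking policies would see for this file."""
    parts = vba_parts_in(data)
    zone = parse_zone_id(zone_stream) if zone_stream else None
    ext = os.path.splitext(filename)[1].lower()
    return {
        "has_macros": bool(parts),
        "from_internet": zone in INTERNET_ZONES,
        # a VBA project under a non-macro extension deserves a closer look
        "extension_mismatch": bool(parts) and ext not in MACRO_ENABLED_EXT,
        # the case the 'Block macros from the Internet' policy acts on
        "blocked_by_policy": bool(parts) and zone in INTERNET_ZONES,
    }


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    mark = "[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed Internet-zone mark
    print(assess("invoice.docm", build_sample(True), mark))
    print(assess("invoice.docx", build_sample(True), None))
```

On a Windows host, assess(path, open(path, "rb").read(), read_zone_stream(path)) gives the same verdict for a real download; the "from_internet" flag going False after a file is copied to a trusted location is exactly why the last paragraph above works.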

Forensic Firm that Unlocked Terrorist's iPhone 5C is Close to Cracking iPhone 6


The FBI didn't disclose the identity of the third-party company that helped them access the San Bernardino iPhone, but it has been widely believed that the Israeli mobile forensic firm Cellebrite was hired by the FBI to put an end to the Apple vs. FBI case.

For those unfamiliar with the Apple vs. FBI case: Apple was engaged in a legal battle with the Department of Justice over a court order that would have forced the company to write software to disable the passcode protection on the terrorist's iPhone, helping the FBI access the data on it.

However, Apple refused to comply with the court order, so the FBI hired an unknown third-party firm, most likely Cellebrite, who managed to successfully hack the locked iPhone 5C used by the terrorist in the San Bernardino shooting incident last year.
The new method helped the Federal Bureau of Investigation (FBI) hack the iPhone 5C, but it wasn't a complete victory for the FBI, as the method didn't work on the iPhone 5S and later iPhone models.

Cellebrite is on its Way to Hack the Locked iPhone 6


Now, Cellebrite is reportedly "optimistic" about Hacking the more Secure iPhone 6.

CNN reports that an Italian architect named Leonardo Fabbretti met with Cellebrite last week to find out whether the company could help him gain access to a locked iPhone 6 that belonged to his late son.

Fabbretti's son, Dama Fabbretti, passed away from bone cancer last September at the age of 13. Before his death, the son had added his father's thumbprint to allow him to access the phone.

Fabbretti was trying to access the messages, notes and photos of his late son on the iPhone 6, but unfortunately the phone had restarted. It now requires the passcode to unlock, and the father does not know the code.

Fabbretti initially contacted Apple on March 21, and the company reportedly tried to help the grieving father, but they found that the iPhone was not backed up to the cloud. Expressing sympathy, the company told him that there was nothing they could do.

Hacking iPhone 6 for Free

After watching Fabbretti's story in the news, Cellebrite offered to help the man by hacking the iPhone 6 for free. Fabbretti met with the company employees last week at its office in northern Italy and said:
"The meeting went well. They were able to download the directories with the iPhone's content, but there is still work to be done in order to access the files."
According to the company, there is a chance of accessing the files on the locked iPhone 6, which contain photos and conversations between the son and his father, along with a handful of videos taken just 3 days before the son died.

Both Cellebrite, as well as Apple, have yet to comment on the case.

If Cellebrite succeeds in creating a new method to unlock the iPhone 6, the company will undoubtedly sell its tool to FBI agents to solve their several pending cases, in the same way it helped the agency access the terrorist's locked iPhone 5C.

Hackers can spy on your calls and track location, using just your phone number



IN BRIEF

The famous '60 Minutes' television show shocked some viewers on Sunday evening when a team of German hackers demonstrated how they spied on an iPhone used by a U.S. Congressman, then recorded his phone calls and tracked his movements through Los Angeles.


The hackers leveraged a security flaw in the SS7 (Signalling System Seven) protocol that allows hackers to track phone locations and listen in on calls and text messages.

The global telecom network SS7 is still vulnerable to several security flaws that could let hackers and spy agencies listen to personal phone calls and intercept SMS messages on a potentially massive scale, despite the most advanced encryption used by cellular networks.

All one needs is the target's phone number to track him or her anywhere on the planet and even eavesdrop on the conversations.

SS7, or Signalling System Number 7, is a telephony signaling protocol used by more than 800 telecommunication operators around the world to exchange information with one another, for cross-carrier billing, enabling roaming and other features.

Hackers Spied on US Congressman's Smartphone


With US Congressman Ted Lieu's permission, for a piece broadcast Sunday night by 60 Minutes, Karsten Nohl of German Security Research Labs was able to intercept his iPhone, record a phone call made from his phone to a reporter, and track his precise location in real time.

During the phone call about the cell phone network hacking, Lieu said: "First, it's really creepy, and second, it makes me angry."
"Last year, the President of the United States called me on my phone, and we discussed some issues," he added. "So if hackers were listening in, they'd know that phone conversation, and that is immensely troubling."
What's worse is that the design flaws in SS7 have been publicly known since 2014, when the same team of German researchers alerted the world to them. Some flaws were patched, but a few apparently remain, or were intentionally left, as some observers argue, for governments to snoop on their targets.

The major problem with SS7 is that if any one of the telecom operators is hacked or employs a rogue admin, a large scale of information, including voice calls, text messages, billing information, relaying metadata and subscriber data, is wide open to interception.

The weakness affects all phones, whether iOS, Android or anything else, and is a major security issue. As long as the network operators are unwilling or unable to patch the hole, there is little smartphone users can do.

How Can You Avoid this Hack?


The best mitigation is to use communication apps that offer "end-to-end encryption", which encrypt your data before it leaves your smartphone, instead of your phone's standard calling feature.

Lieu, who sits on House subcommittees for information technology and national security, also argues for strong encryption, which, according to the Federal Bureau of Investigation (FBI), makes it harder to solve crimes.

Lieu strongly criticized the United States agencies, if any, that may have ignored such serious vulnerabilities that affect Billions of cellular customers.
"The people who knew about this flaw [or flaws] should be fired," Lieu said on the show. "You can't have 300-some Million Americans—and really, right, the global citizenry — be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data."
A few popular apps that offer end-to-end encryption are Signal, WhatsApp and Apple's iMessage service, which keep users' communications safe from prying eyes and ears.

Saturday, March 26, 2016

FBI Most Wanted — Three 'Syrian Electronic Army' Hackers Charged for Cyber Crime


Syrian Electronic Army (SEA) Hackers have made their place on the FBI's Most Wanted List.

The US Department of Justice and the Federal Bureau of Investigation (FBI) are willing to pay a $100,000 reward for any information that leads to the arrest of the heads of the infamous hacking group Syrian Electronic Army.

On Tuesday, the DoJ unsealed charges against three suspected members of the alleged group:
  1. Ahmad Umar Agha (aka The Pro), 22
  2. Firas Dardar (aka The Shadow), 27
  3. Peter Romar, 36
Agha and Dardar were allegedly involved in hacking the Associated Press Twitter account in April 2013 and spreading a false rumor claiming that the White House had been bombed, injuring President Obama. This caused a temporary stock market dip.

The two hackers allegedly engaged in a long-running cyber-propaganda campaign in support of the Syrian President Bashar al‑Assad. They hacked into various Twitter accounts of the main news organizations from 2011 to 2013.

Their victims included Reuters, the Associated Press, E! Online, Time, CNN, The Washington Post, The Daily Dot, Vice, Human Rights Watch, Harvard University, NASA (which assisted on the investigation), US Marine, Microsoft and even The Onion.
"The conspiracy was dedicated to spear-phishing and compromising the computer systems of the US government, as well as international organizations, media organizations and other private-sector entities that the SEA deemed as having been antagonistic toward the Syrian Government," the US Department of Justice (DoJ) statement reads.
Successful spear-phishing efforts by the duo allegedly allowed them to use stolen usernames and passwords to deface various websites, redirect their domains to sites controlled by the conspiracy, steal e-mail and hijack social media accounts.

All three alleged SEA members were using Gmail and Facebook accounts to coordinate and pass around stolen data. The Feds managed to track their activities after obtaining court orders to search their online accounts, which helped them identify the hackers.

Agha and Dardar are each charged with multiple conspiracies related to computer hacking including:
  • Engaging in a hoax regarding a terrorist attack
  • Attempting to cause mutiny of the US armed forces
  • Access device fraud
  • Illicit of authentication features
  • Unlawful access to stored communications
  • Unauthorized access to, and damage of, computers
Dardar and Romar, another collaborator, are separately charged with more conspiracies related to:
  • Unauthorized access to, and damage of, computers
  • Receiving the proceeds of extortion
  • Money laundering
  • Wire fraud
  • Violations of the Syrian Sanctions Regulations
"The tireless efforts of US prosecutors and our investigative partners have allowed us to identify individuals who have been responsible for inflicting damage on US government and private entities through computer intrusions," US Attorney Dana Boente said in a statement. "Today's announcement demonstrates that we will continue to pursue these individuals no matter where they are in the world."
Arrest warrants have already been issued for all three hackers. Agha and Dardar have been added to the FBI's Most Wanted list. The bureau is offering a reward of US$100,000 for any information that leads to their arrest.
All of the three alleged members are thought to be resident in Syria. The United States government is inviting tip-offs.

Warning! Think Twice Before Using USB Drives


Security researchers have discovered a new data-stealing Trojan that makes special use of USB devices in order to spread itself and does not leave any trace of activity on the compromised systems.


Dubbed USB Thief (or Win32/PSW.Stealer.NAI), the malware is capable of stealthily attacking air-gapped or isolated computers, warns security firm ESET.


The malware author has employed special programs to protect the USB Thief from being reproduced or copied, making it even harder to detect and reverse-engineer.

USB Thief has been designed for targeted attacks on computer systems that are isolated from the Internet, according to the ESET malware analyst Tomáš Gardoň.


The 'USB Thief' Trojan Malware


The USB Thief Trojan malware is stored either as a portable application's plugin source or as a Dynamically Linked Library (DLL) used by the portable application.


Since USB devices often store popular applications like Firefox, Notepad++ or TrueCrypt portable, once any of these applications is executed, the malware starts running in the background.


USB Thief is capable of stealing data from air-gapped systems – systems that are isolated from the Internet and other external networks.

"Well, taking into account that organizations isolate some of their systems for a good reason," explained Peter Stancik, the security evangelist at ESET. "Any tool capable of attacking these so called air-gapped systems must be regarded as dangerous."
The malware runs from a removable USB device, so it doesn't leave any traces of its activities, and thus victims do not even notice that their data has been stolen.

Since the malware is bound to a single USB device, USB Thief cannot leak from the infected computers.


Besides this, USB Thief utilizes a sophisticated implementation of multi-staged encryption that makes the malware harder to detect and analyse.

"This is not a very common way to trick users, but very dangerous," Stancik said. "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy."

Here's How you can Protect from being Infected:

  • Do not use USB storage devices from non-trustworthy sources.
  • Turn off Autorun.
  • Regularly back up your data.
More technical details are available on ESET Ireland’s official blog.
