Security news

Range-R radar allows police to ‘see’ through walls and inside homes

Law enforcement agencies have been secretly equipping their officers with special Range-R radar devices that allow them to peer through the walls to detect movement on the other side, expanding the extent of government surveillance.

Agencies, including the FBI and the U.S. Marshals Service, have been deploying these radar systems for more than two years with little mention in the news or in the courts, and with no public disclosure of how the devices are used. This flies in the face of legal and privacy concerns, since the U.S. Supreme Court has said officers cannot use high-tech sensors to learn about the inside of a person's house without first obtaining a search warrant.

The radar devices operate like finely tuned motion detectors, using radio frequencies to zero in on movements as detailed as slight human breathing from a distance of more than 50 feet. They can detect whether anyone is inside of a house, where they are and whether they are moving.

Federal officials claim that the information from the device is essential for keeping officers safe when they need to storm buildings or rescue hostages. However, privacy advocates and judges have expressed concern about the unlawful circumstances in which law enforcement agencies may be using the radars, and that they have so far done so without public scrutiny.

Christopher Soghoian, the American Civil Liberties Union's principal technologist, said:

"The idea that the government can send signals through the wall of your house to figure out what's inside is problematic. Technologies that allow the police to look inside of a home are among the intrusive tools that police have."

Agents' use of the radars was unknown until an incident in December 2014, when a federal appeals court in Denver released information on officers who had used the radar technology before they entered a house to arrest a man wanted for violating his parole. The judges objected that officers had used the new radar technology without a search warrant, stating that

"the government's warrantless use of such a powerful tool to search inside homes poses grave Fourth Amendment questions."

Federal contract records show the Marshals Service began buying the radar device in 2012 and has spent at least $180,000 on the devices to date. The device, called Range-R, looks like a sophisticated stud-finder. Its display shows whether it has detected movement on the other side of a wall and, if so, how far away it is, but it does not show a picture of what is happening inside. The Range-R's maker, L-3 Communications, estimates it has sold about 200 devices to 50 law enforcement agencies at a cost of about $6,000 each.

Patrick Rodenbush, the Justice Department spokesman, said officials are reviewing the court's decision.

He said:

“The Marshals Service routinely pursues and arrests violent offenders based on pre-established probable cause in arrest warrants for serious crimes.”

 

Other radar devices have more advanced capabilities, which include three-dimensional displays of where people are located inside a building. Some are capable of being mounted on a drone. The Justice Department has even funded research to further develop these systems to map the interiors of buildings and locate the people within them.

Regardless of the legal issues, these devices are still being purchased and used while the courts debate their legal ramifications.

GoDaddy patches CSRF vulnerability that could have compromised hosted sites

GoDaddy has patched a CSRF vulnerability that could have allowed attackers to take over domains registered with GoDaddy

While Dylan Saccomanni was managing an old domain registered with GoDaddy, he noticed that GoDaddy's domain management actions had no protection against cross-site request forgery (CSRF). The loophole was so severe that an attacker could have used it to take over an entire domain without the victim (the domain owner) ever knowing what had happened. The vulnerability has since been patched.

Flaw in DNS

Saccomanni said that he noticed the flaw in GoDaddy's DNS management actions. The DNS management actions on the GoDaddy website are state-changing POST requests with no CSRF token in the request body or headers, and no enforcement of the Referer or Content-Type headers.

A POST request asks the server to accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, for example, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database. A POST request is used to send data to the server to be processed in some way, for example by a CGI script. A POST request differs from a GET request in the following ways:

  • There's a block of data sent with the request, in the message body. There are usually extra headers to describe this message body, like Content-Type: and Content-Length:.
  • The request URI is not a resource to retrieve; it's usually a program to handle the data you're sending.
  • The HTTP response is normally program output, not a static file.

The most common use of POST, by far, is to submit HTML form data to CGI scripts.

Ironically, POST requests are often assumed to be more secure than GET requests, but on their own they provide no protection against forgery.

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

GoDaddy, however, had no such protection in place, so Saccomanni could easily exploit the vulnerability. Saccomanni said that, "In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers."
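As an added illustration, not GoDaddy's code and not Saccomanni's proof of concept, the following shows the three server-side checks that would have rejected a forged request to an endpoint like the ones quoted in this story, next to the "cookie is enough" behaviour the write-up describes. The trusted origin, the X-CSRF-Token header name and both sample requests are assumptions constructed for the example.

```python
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed values for the example: the origin the management dashboard is served from
# and the header the dashboard's JavaScript uses to carry the per-session token.
TRUSTED_ORIGINS = {"https://dcc.example.com"}
TOKEN_HEADER = "x-csrf-token"


def issue_csrf_token() -> str:
    """Synchronizer token: generated per session, stored server-side and embedded in the page."""
    return secrets.token_urlsafe(32)


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def _request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if present, else scheme://host taken from Referer, else None."""
    h = _lower(headers)
    if "origin" in h:
        return h["origin"]
    if "referer" in h:
        parts = urlsplit(h["referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None


def vulnerable_accept(headers: Dict[str, str], body: str) -> bool:
    """The behaviour the write-up describes: a session cookie is all it takes."""
    return "cookie" in _lower(headers) and bool(body)


def hardened_accept(headers: Dict[str, str], body: str, session_token: str) -> Tuple[bool, str]:
    """Each check alone defeats a browser-originated forgery; together they give defence in depth."""
    h = _lower(headers)
    # 1. Origin/Referer must be the dashboard itself. A page on another site cannot set these
    #    headers, and a form post from it arrives carrying that site's origin.
    if _request_origin(headers) not in TRUSTED_ORIGINS:
        return False, "origin check failed"
    # 2. Require application/json. HTML forms cannot send it, so a cross-site request with this
    #    content type needs a CORS preflight, which this endpoint never approves.
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return False, "content-type check failed"
    # 3. The per-session token must be echoed back in a header. compare_digest keeps the
    #    comparison constant-time so the token cannot be guessed byte by byte.
    presented = h.get(TOKEN_HEADER, "").encode()
    if not hmac.compare_digest(presented, session_token.encode()):
        return False, "csrf token check failed"
    try:
        json.loads(body)
    except json.JSONDecodeError:
        return False, "malformed body"
    return True, "ok"


SESSION_TOKEN = issue_csrf_token()

# Constructed sample: a forged auto-renew change submitted from a third-party page. The browser
# attaches the victim's cookie on its own; that page cannot add our token or our origin.
FORGED = {
    "headers": {"Host": "dcc.example.com", "Origin": "https://third-party.example",
                "Cookie": "[REDACTED]", "Content-Type": "application/x-www-form-urlencoded"},
    "body": "request=%7B%22isAutoRenew%22%3Afalse%7D",
}
# Constructed sample: the dashboard's own XHR for the same change, carrying its token.
LEGIT = {
    "headers": {"Host": "dcc.example.com", "Origin": "https://dcc.example.com",
                "Cookie": "[REDACTED]", "Content-Type": "application/json; charset=utf-8",
                "X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": SESSION_TOKEN},
    "body": json.dumps({"isAutoRenew": False, "isExtendedAR": False, "extARYears": 0}),
}


def run_samples() -> Dict[str, object]:
    return {
        "forged_vulnerable": vulnerable_accept(FORGED["headers"], FORGED["body"]),
        "forged_hardened": hardened_accept(FORGED["headers"], FORGED["body"], SESSION_TOKEN),
        "legit_hardened": hardened_accept(LEGIT["headers"], LEGIT["body"], SESSION_TOKEN),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

The order of the checks matters less than having all three: Origin/Referer alone fails when a privacy proxy strips them, the Content-Type check alone is only as good as the CORS policy, and the token alone is undone by any XSS on the same origin. Note that the quoted GoDaddy requests already carried X-Requested-With and a JSON content type from the real dashboard; the write-up's point is that the server never required them.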

Proof of Concept (PoC)

The PoC given by Saccomanni is reproduced below:

Nameservers

Here is the POST request for saving an edit to nameservers:

POST /dcc50/Modals/DomainActions/NSManageWS.asmx/ValidateNameserver HTTP/1.1
Host: dcc.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{'request':'{"isall":false,"nsobjs":[{"ns":"foo.example.com","ips": [],"index":0,"add":1,"status":""}, {"ns":"bar.example.com","ips": [],"index":1,"add":1,"status":""}]}'}

Auto-Renew

Here is a POST request for changing auto-renew to OFF:

POST /dcc50/Modals/DomainActions/AutoRenewWS.asmx/Commit HTTP/1.1
Host: dcc.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 71
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{'request':'{"isAutoRenew":false,"isExtendedAR":false,"extARYears":0}'}

DNS Zone File

Here is a POST request to edit DNS records on the classic manager:

POST /ZoneFile_WS.asmx/SaveRecords HTTP/1.1
Host: dns.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
Content-Length: 922
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"sInput":"< PARAMS >< PARAM name=\"domainName\" value=\"[REDACTED]\" >< PARAM name=\"zo

Patch

The timeline for the disclosure is:

01/17/15 – Initial discovery and attempt to reach GoDaddy security.
01/18/15 – Further attempts to reach GoDaddy security, finally received word there was no timeline for a fix.
01/19/15 – GoDaddy implemented CSRF protection for sensitive account actions.

Saccomanni said that he tried to reach out to the GoDaddy security team but could not do so, “(I) tried [email protected] and [email protected] email addresses, also tried calling support. Eventually I reached someone through Twitter from @GoDaddyHelp. I was told there was no timeline for a fix.”

The vulnerability has now been patched.

Car Hacking Kits available on eBay for less than $150

Car entry kits are selling on eBay for less than $150 as car hacking problems increase

With the number of vehicles being stolen on the rise, many manufacturers are adopting keyless technology. However, even keyless technology is far from secure. Stolen car recovery and tracking services provider TRACKER has warned that thieves are able to hack the technology to steal a car without needing its key.

As keyless entry systems do not require a physical key, they are more vulnerable to hacking. Thieves can jam the lock signal, or read and retransmit it to gain access, using cheap and easily available devices sold online.

With the increasing popularity of keyless technology, criminals have been buying equipment online that can reprogramme keys. TRACKER says that such equipment is available for less than $150/£100 at online stores like eBay.

Swiss engineering college ETH Zurich showed that wireless key signals can also be relayed over long distances using a low-cost amplifier. Although the transmitting end needs to be close to the locks or ignition, the receiver can be up to eight meters away from the fob, which could be inside a house or office.

Of the 10 cars tested, all could be opened and started when the signal was amplified through a seven-meter cable, while six could be stolen when the car was 50 meters from the receiver.

ACPO figures show a 76% decline in thefts over the last 10 years, yet thieves are exploiting new technologies to reduce the risk of being caught compared with older methods, which required a physical key for access.

Andy Barrs, police liaison officer for TRACKER, said: 'Car hacking is a growing issue for motorists. Today's sophisticated security systems mean thieves have to be smarter than ever and the latest trends show that criminal gangs have found a way to crack keyless cars. So the company needs to be one step ahead of the thieves.'

“The challenge remains that the equipment being used to steal a vehicle in this way is legitimately used by workshops to carry out routine maintenance,” a spokesman said.

A Jaguar Land Rover spokesperson commented that, "The criminal act of stealing vehicles through the re-programming of remote-entry keys is an on-going industry-wide problem".

"The keys are still the weakest link in a car security chain. If someone has your keys, they have your car," concluded Ian Crowder of motorists' group the AA.

GCHQ captured emails of major media journalists

Edward Snowden files reveal GCHQ scooped up journalist e-mails

GCHQ's bulk surveillance of electronic communications has scooped up emails to and from some of the largest media organizations, including the BBC, Reuters, the Guardian, the New York Times, Le Monde, the Sun, NBC and the Washington Post. This was done as part of a test exercise by the signals intelligence agency.

Over 70,000 emails were harvested in less than 10 minutes on one day in November 2008 by one of GCHQ's numerous taps on the fibre-optic cables that make up the backbone of the internet.

These intercepted communications were sometimes simple mass-PR emails sent to dozens of journalists, but also included correspondence between reporters and editors discussing stories. The transmissions were retained by GCHQ and were available to all cleared staff on the agency intranet. It is not known whether any journalists were intentionally targeted.

New evidence revealed by Snowden, from the UK intelligence documents, shows that a GCHQ information security assessment listed “investigative journalists” as a threat in a hierarchy alongside terrorists or hackers.

Senior editors and lawyers in the UK have called for the urgent introduction of a freedom of expression law amid growing concern over overreaching laws and over police use of surveillance powers under the Regulation of Investigatory Powers Act 2000 (Ripa).

Over 100 editors have signed a letter, coordinated by the Society of Editors and Press Gazette, to the UK prime minister, David Cameron, protesting at snooping on journalists' communications.

Since the terror attacks on the Charlie Hebdo offices and a Jewish grocer in Paris, Cameron has been emboldened to push for further bulk-surveillance powers.

Ripa has been used to access journalists’ communications without a warrant, including cases of police accessing the phone records of the Sun’s political editor, Tom Newton-Dunn, specifically over the Plebgate investigation.

GCHQ information security assessments, routinely list journalists between “terrorism” and “hackers” as “influencing threat sources”, with one matrix scoring journalists as having a “capability” score of two out of five, and a “priority” of three out of five, scoring an overall “low” information security risk.

Terrorists, listed immediately above investigative journalists on the document, were given a much higher “capability” score of four out of five, but a lower “priority” of two. The matrix concluded terrorists were therefore a “moderate” information security risk.

A spokesman for GCHQ said:

"It is longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the parliamentary intelligence and security committee.

All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European convention on human rights.”

Vulnerability in Snapshot, a Bluetooth device from Progressive Insurance can compromise more than 2 million car owners

Progressive Insurance’s Bluetooth tool to track driver data can be misused to compromise personal data of more than 2 million car owners and even hijack cars

Snapshot is a Bluetooth tool provided by one of the United States' largest car insurance firms, Progressive Insurance, to track driver habits for insurance purposes. It is normally used to collect vehicle location, driving speeds and driving patterns to build custom car insurance policies or determine the premium for a car owner.

Corey Thuen, a security researcher at Digital Bond Labs, says that Snapshot is vulnerable to hacking and that, using a hacked Snapshot, a potential attacker could remotely obtain the personal details of approximately 2 million car users in the United States who buy car insurance from Progressive Insurance. In extreme cases it could even be used to hijack the car itself, says Thuen.

Thuen will present his findings at the S4 conference in a talk titled Remote Control Automobiles about the Snapshot vulnerabilities.

Thuen says the problem lies in Snapshot's extremely insecure and vulnerable firmware. "The firmware running on the dongle is minimal and insecure," Thuen told Forbes.

Thuen found that Snapshot connects to the vehicle's onboard network via the OBD2 port. This provides an opportunity to hack Snapshot and would allow a would-be attacker, whether in the car or outside, to take control of core vehicular functions, he claims.

Thuen says that many cyber security experts have theorized that such usage-based insurance dongles would be a viable attack vector, and that his exploit now proves it. He attributes his success to the fact that earlier hypotheses of attacks via dongles either did not name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes.

He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. Snapshot is manufactured with technology licensed from Xirgo Technologies and completely lacks security, says Thuen: "It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies... basically it uses no security technologies whatsoever."

The researcher told Forbes that for a remote attack to take place, the concomitant U-Blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too.

Thuen said that he did not 'weaponise' his exploit, but says that a dedicated cyber criminal or gang with more complex infrastructure could use this threat vector for bigger attacks and even cause fatalities.

Forbes said that Snapshot manufacturer Xirgo Technologies did not respond to its queries about the vulnerabilities in the device, while Progressive Insurance said that it had not been informed about the hack or the talk Thuen will deliver. It said that it welcomed any input on securing the dongle against vulnerabilities.

"The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device – used in more than two million vehicles since 2008 – and routinely monitor the security of our device to help ensure customer safety," Progressive Insurance told Forbes in an emailed comment. It added, "However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it's unfortunate that Mr. Thuen didn't share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims."

Microsoft Outlook allegedly hacked by Chinese authorities during the weekend

Outlook email service allegedly hacked by Chinese authorities

The popular email service Outlook was down in China over the weekend. Microsoft Outlook, which has combined all of Microsoft's email services including Hotmail since 2013, was allegedly hit with a man-in-the-middle attack, reports Chinese web monitoring site GreatFire.

GreatFire reports that Chinese users first noticed the outage when they attempted to access Outlook email using IMAP and SMTP protocols on desktop and mobile email clients on Jan 17. GreatFire notes that the MitM attack only affected the email clients and web interface of outlook.com and live.com were not affected.

Noting that Outlook was under MiTM attack, GreatFire states that “This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers.”

Alleged Chinese hand?

Though it is not confirmed that Chinese authorities were behind the attack, GreatFire says that the hack was the work of the Cyberspace Administration of China. The Cyberspace Administration of China, earlier known as the State Council Information Office, is the top Internet watchdog in China and is tasked with suppressing "disruptive" (anti-Chinese government) activity on the web and censoring any website deemed harmful to the state.

GreatFire conducted tests, trying to access Outlook over the same IMAP port used by the email service from a browser, and found that a self-signed security certificate was being used to make the connection.

According to GreatFire, this is consistent with previous attacks that have taken place on websites in China.

GreatFire has recommended that Microsoft and Apple revoke these certificates: "We have outlined CNNIC's dubious history in a previous blog post. Given the dangerous nature of this attack on Outlook, we again strongly encourage organizations, including Microsoft and Apple, to immediately revoke trust for the CNNIC certificate authority."
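GreatFire's observation was a self-signed certificate on the IMAP port, which a strict mail client rejects outright. As an added example that is not GreatFire's or Microsoft's code, the following shows the client-side TLS settings a mail client should use and a small check over a certificate in the shape Python's ssl module returns it, flagging the self-signed and hostname-mismatch cases. The two sample certificates and the host names in them are constructed placeholders.

```python
import ssl
from typing import Any, Dict, List

IMAP_TLS_PORT = 993


def strict_client_context() -> ssl.SSLContext:
    """Context a mail client should use: trusted CAs only, hostname verified, modern TLS."""
    ctx = ssl.create_default_context()          # system trust store, CERT_REQUIRED by default
    ctx.check_hostname = True                    # made explicit: a self-signed cert fails here
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
    # Usage with the standard library client (not run here):
    #   imaplib.IMAP4_SSL(host, IMAP_TLS_PORT, ssl_context=strict_client_context())


def _rdn_to_dict(rdn_seq) -> Dict[str, str]:
    """Flatten getpeercert()'s tuple-of-tuples distinguished name into a dict."""
    return {k: v for rdn in rdn_seq for k, v in rdn}


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_findings(cert: Dict[str, Any], expected_host: str) -> List[str]:
    """Findings for a certificate in the dict shape ssl.SSLSocket.getpeercert() returns.

    The two properties checked are exactly those that distinguished the interposed
    certificate in this story: issuer identical to subject, and whether the names on
    the certificate cover the host the client connected to.
    """
    findings: List[str] = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if subject and subject == issuer:
        findings.append("self-signed: issuer equals subject")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    if not any(_host_matches(n, expected_host) for n in names):
        findings.append(f"hostname mismatch: {expected_host} not in {names}")
    return findings


# Constructed samples (placeholder names, not real hosts). GOOD is CA-issued; ROGUE is the
# self-signed shape GreatFire reported seeing on the IMAP port, with a matching host name,
# which is why a hostname check alone would not catch it.
GOOD_CERT = {
    "subject": ((("commonName", "imap.mail.example"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),), (("commonName", "Example CA G2"),)),
    "subjectAltName": (("DNS", "imap.mail.example"), ("DNS", "*.mail.example")),
}
ROGUE_CERT = {
    "subject": ((("commonName", "imap.mail.example"),),),
    "issuer": ((("commonName", "imap.mail.example"),),),
    "subjectAltName": (("DNS", "imap.mail.example"),),
}


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("rogue", ROGUE_CERT)):
        print(label, cert_findings(cert, "imap.mail.example") or "no findings")
```

The self-signed case is the easy one; the harder case GreatFire raises is a certificate issued by a CA the client already trusts, which passes both checks above. Against that, the only client-side answers are trust-store policy (removing the CA, as GreatFire urges) or pinning the expected issuer, neither of which the standard context does for you.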

Researcher tears apart an Android Password Manager App

Security Researcher tears apart an unknown Android Password Management App to show its vulnerabilities

A security researcher, Matteo Beccaro, aka bughardy, has taken it upon himself to show exactly how secure Android password management Apps really are. Nowadays we have to use passwords for each and every online activity, and more often than not a different password for each service. To keep track of these different and often complex passwords, users often turn to password management services.

Many services offer such password management Apps for Android. Bughardy targeted one of them, but has chosen not to name it until the App publisher releases a patch fixing the vulnerability he discovered. He says in his blog post, "Hello everyone, in this post I would like to analyze an Android application which purpose is to manage and generate passwords securely."

Bughardy says the App he chose claims to offer DES encryption in its Google Play listing. Bughardy first reverse engineered the App to get a first-hand look at the code. He says that even though the App's developer used some sort of code obfuscation software, he was able to locate the App's password decryption routine.

"I'll try to rename some of them in order to make it more easy to understand.

We actually have two very interesting files:

com/#####/android/###/d/b.java
com/#####/android/###/bj.java"

Further researching the first file, Bughardy found that the software was using DES encryption, but in ECB mode. He says that DES in ECB mode is known to have security issues and should not be used for password management services.

Another point he noticed was that the App used an eight-digit PIN as an encryption key. Bughardy says that an eight-digit PIN gives 100 million possible combinations, which, he says, may seem a lot to users but not to a fast computer.

The third problem with the App was that if the PIN is less than eight characters, the same digits are always padded to the end to fill in the blanks. Since most people tend to use four digit pins, this can possibly lower the total number of combinations to just ten thousand.

So, if for example my PIN code is 1111, to encrypt my passwords the application will use DES/ECB with key 1111 + 0742 = 11110742, which, in my honest opinion, is not enough.

Let's do some math: for a real random DES key we have 2^64 possible combinations (which in reality are just 2^54 [2]). But as we saw before, the application uses only digits to generate our key, which reduces the possible combinations to 10^8.

  • 2^54 = 18014398509481984
  • 10^8 = 100000000

Bughardy says that his Python Proof of Concept would take approximately 35 minutes to break all possible combinations.

The second file he researched showed that the App stored the passwords in plain text.

private boolean K()
{
    // First argument of getSharedPreferences (the preferences file name) is missing in the decompiled output as quoted.
    return c().getSharedPreferences(, 0).getString("manager_pin", "invalid").equals(ab.getText().toString());
}

This is a very interesting function. When we generate a PIN code, the application saves it in clear text in an XML file located in the app's data folder. Then, when you want to see your saved passwords, it checks whether the PIN you type is correct by comparing it to the one saved in the file. Very secure.
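Two of the findings above lend themselves to a worked example: the key-space arithmetic (a fixed pad means only the user's digits vary) and the clear-text PIN comparison. The following is an added example, not bughardy's Python proof of concept and not the App's code. The padding digits come from the post's own 1111 + 0742 example; that the App pads every short PIN with those exact digits is an assumption, as is the PBKDF2-based storage shown as the hardened alternative.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Taken from the write-up's example (1111 + 0742 -> 11110742). Whether the app pads every
# short PIN with exactly these digits is an assumption; the post only shows the 4-digit case.
PAD_DIGITS = "0742"
KEY_DIGITS = 8
DES_NOMINAL_KEYSPACE = 2 ** 56  # 56 effective key bits; the post works with a smaller figure


def pad_pin(pin: str) -> str:
    """Key derivation as described: the user's digits, then fixed digits up to eight."""
    if not pin.isdigit() or not 4 <= len(pin) <= KEY_DIGITS:
        raise ValueError("PIN must be 4 to 8 decimal digits")
    return pin + PAD_DIGITS[: KEY_DIGITS - len(pin)]


def effective_keyspace(pin_len: int) -> int:
    """Keys an attacker must try: only the user-chosen digits vary, the pad is constant."""
    return 10 ** pin_len


def brute_force_seconds(pin_len: int, keys_per_second: float) -> float:
    return effective_keyspace(pin_len) / keys_per_second


def keyspace_reduction_factor(pin_len: int) -> int:
    """How many times smaller the search is than the nominal DES key space."""
    return DES_NOMINAL_KEYSPACE // effective_keyspace(pin_len)


# Hardened storage (assumed design, not the App's): never keep the PIN itself. Store a random
# salt plus a slow PBKDF2 hash, and compare hashes in constant time.
def store_pin(pin: str, iterations: int = 200_000) -> Dict[str, str]:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(iterations)}


def verify_pin(record: Dict[str, str], candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Rate implied by the post: all 10^8 keys in about 35 minutes.
    rate = effective_keyspace(8) / (35 * 60)
    print("derived key for PIN 1111:", pad_pin("1111"))
    for n in (4, 8):
        print(f"{n}-digit PIN: {effective_keyspace(n):,} keys, "
              f"{brute_force_seconds(n, rate):.2f} s at that rate, "
              f"{keyspace_reduction_factor(n):,}x smaller than nominal DES")
    rec = store_pin("1111")
    print("stored record contains the PIN?", "1111" in rec.values())
    print("verify 1111:", verify_pin(rec, "1111"), "| verify 1112:", verify_pin(rec, "1112"))
```

The hashed storage removes the clear-text comparison, but it does not fix the key-space problem: an attacker with the stored file still has only 10^4 candidates for a four-digit PIN, and PBKDF2 merely makes each guess slower. A PIN can gate access to a vault; it should not be the material the vault's encryption key is derived from.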

Bughardy has not named the specific Android App in his blog post, but by the looks of it, it seems to be a popular one. We reached out to him for the name of the App, as the developer is pushing out a patch, but apparently the patch is not ready yet.

Maybe you can identify the App in question!

N.S.A. was snooping on North Korean networks much before the Sony Hack

How the U.S. Knew North Korea Was Behind the Sony Hack

The United States' premier spying agency, the National Security Agency (NSA), broke into the North Korean computer network back in 2010. This is the reason the United States and the heads of its investigative agencies could pinpoint North Korea as the main culprit behind the massive Sony hack.

A report published by the New York Times on 18th Jan gives detailed information about how the NSA managed to breach the supposedly impregnable fortress of North Korea's computers. The New York Times article cites unnamed "officials and experts," and states that the NSA penetrated the China-based networks and systems belonging to North Korea's military and its cyber warfare unit and had been tracking the evolution of their capabilities since 2010.

The NSA took the help of South Korea and its 'Five Eyes' allies to break into the North Korean systems, according to the newly leaked NSA documents.

The leaked documents, which can be read here (PDF), show that this was a highly classified operation, with the docket marked TOP SECRET / SI / TK / REL TO USA, FVEY.

It is because of this operation that President Barack Obama had no hesitation in blaming North Korea for the Sony hack. President Obama had said that he had “no doubt” North Korea was responsible because the information came through “early warning radar,” the Times said.

“The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation.”

Apparently the fear of exposing the NSA's deep, covert operation in North Korea kept law enforcement agencies from blaming North Korea directly in the first instance. It was only after many deliberations and investigations that the official line of blaming North Korea was taken by the US authorities.

The leaked documents, however, raise the question of why the US did not alert Sony's officials and security team to the impending attack if the NSA indeed had a foothold in the North Korean computer networks. The Sony-North Korea war of words had begun as early as June last year, when North Korea warned Sony that the release of its movie "The Interview" would be seen as an act of war.

“The speed and certainty with which the United States made its determinations about North Korea told you that something was different here — that they had some kind of inside view,” James A. Lewis, a cyberwarfare expert at the Center for Strategic and International Studies in Washington, told the Times. “Attributing where attacks come from is incredibly difficult and slow.”

Neither the US government nor the NSA has yet officially confirmed or commented on the leaks.

 

Steam has a Linux bug that Steamrolls (erases) all your personal files on your Linux PC

A bug in the Steam client for Linux has a complication with the rm (remove) command in Bash (the Bourne Again Shell) that can remove everything under your root directory.

On Valve's GitHub Steam for Linux page there are complaints about a serious bug that has the potential to wipe out every personal file on your Linux PC. It will also wipe out documents on USB-connected drives, ouch.

If you are running Steam on Linux, be careful with its launch script. It would be wise not to connect any external hard drives while you're running Steam. Users complaining of this bug appear to have moved their .steam or ~/.local/share/steam directories, or invoked Steam's Bash script with the --reset option.

UPDATE: Valve gave us the following statement: “So far we have had a handful of users report this issue, after they manually moved their Steam install. We have not been able to reproduce the reported issue, but we are adding some additional checks to ensure this is not possible while we continue to investigate. If anyone else has experienced this or has more information, they should email [email protected].”

The bug appears to be caused by a line in the Steam.sh Bash script:

rm -rf "$STEAMROOT/"*

This rm command tells the computer to remove everything under the STEAMROOT directory, including all its sub-directories (folders).

The core of the issue is that if the STEAMROOT variable ends up empty, because the folder it is derived from is not there, the computer interprets the command as rm -rf "/"*, which tells the Linux system to delete everything on your hard drive starting from the root directory.

The saving grace for Linux users is that one can only erase files they have write permissions over. That usually means the system itself can’t be erased, but pretty much all of a user’s files—including photos and personal documents—would be at risk.

Ironically, the instruction at issue is preceded by a comment from the developer: # Scary!

Indeed.
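As an added example, not Valve's Steam.sh, the following reproduces the failure mode in a form you can run safely: one function shows the literal pattern the shell is left with when the variable is empty, and a cleanup routine applies the guards that would have refused the dangerous inputs before deleting anything. The function names and the temporary-directory demo are constructed for this example.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Union


def shell_glob_pattern(steamroot: str) -> str:
    """The pattern "$STEAMROOT/"* is built from: an empty variable leaves the bare "/*"."""
    return f"{steamroot}/*"


class UnsafeCleanupTarget(ValueError):
    """Raised instead of deleting when the target is empty, the filesystem root, or missing."""


def validate_cleanup_root(root: str) -> Path:
    """Guards that belong in front of any recursive delete of a variable-named directory."""
    # 1. Empty value: in the shell this is exactly the case that expands to "/"*.
    if not root:
        raise UnsafeCleanupTarget("root is empty: the pattern would be '/*'")
    resolved = Path(root).resolve()
    # 2. Filesystem root, including paths that merely resolve to it (symlinks, "/./").
    if resolved == Path(resolved.anchor):
        raise UnsafeCleanupTarget(f"refusing to clean the filesystem root {resolved}")
    # 3. The directory must actually exist; a moved install is the trigger in the bug reports.
    if not resolved.is_dir():
        raise UnsafeCleanupTarget(f"{resolved} is not an existing directory")
    return resolved


def safe_remove_contents(root: str) -> int:
    """Delete everything directly under root (dotfiles included) and return the count removed."""
    target = validate_cleanup_root(root)
    removed = 0
    for entry in target.iterdir():
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()          # files and symlinks; never follows a link into another tree
        removed += 1
    return removed


def demo() -> Dict[str, Union[int, str, List[str]]]:
    """Constructed scenario: a scratch directory with a file, a sub-directory and a dotfile."""
    scratch = Path(tempfile.mkdtemp())
    (scratch / "a.txt").write_text("x")
    (scratch / "sub").mkdir()
    (scratch / "sub" / "b.txt").write_text("y")
    (scratch / ".hidden").write_text("z")
    removed = safe_remove_contents(str(scratch))
    left = sorted(os.listdir(scratch))
    scratch.rmdir()
    return {"removed": removed, "left": left, "empty_pattern": shell_glob_pattern("")}


if __name__ == "__main__":
    print(demo())
    for bad in ("", "/"):
        try:
            validate_cleanup_root(bad)
        except UnsafeCleanupTarget as err:
            print("refused:", err)
```

In the script itself the equivalent of the first guard is a single shell idiom: writing "${STEAMROOT:?}" makes Bash abort with an error when the variable is unset or empty instead of silently expanding it to nothing, and `set -u` does the same for every unset variable in the file.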

Micromax Remotely Installing Adware on its Smartphones causing unwanted downloads and popups

Micromax Remotely Installing Adware on all its Smartphones

Micromax is hijacking smartphones by installing unwanted bloatware

We had informed you about Xiaomi, the Chinese smartphone manufacturer, using its smartphones as a spy post by installing unwanted spyware. Now we would inform you that even the home-grown Micromax is installing unwanted adware which, more often than not, hijacks the smartphone from the user.

Micromax is the number two producer of smartphones in India, just behind Samsung, and a large number of mid-range and budget smartphone buyers are Micromax customers.

The adware issue was first noticed by a Redditor who had bought a Micromax Canvas A093 and found that his smartphone was installing Apps without his permission or knowledge:

I use a Micromax A093 Canvas fire, and have been since August of last year.

I knew what I was buying from day one, and I didn’t have very high expectations. However, the phone has performed brilliantly so far – none of the usage problems I had expected – I guess the credit goes to the fact that it comes with KitKat preloaded which makes it fast and smooth despite having just 512 MB RAM.

The only slight drawback I felt was the internal memory being only 4 GB and KitKat has this limitation that you can’t install apps direct to SD card without rooting. Never mind, I just managed my app space and lived with it.

For the last month or so, I've noticed apps that I never installed – apps like newshunt, snapdeal, amazon.in etc. These aren't exactly light apps, mind you – they're at least 7-8 MB each. Space is really short. I need to uninstall games if I want to update Whatsapp, it's that bad. Meanwhile, looks like Micromax is installing apps without my permission, using up precious space and my 3G! Apps reappear after uninstalling them. This is ridiculous! Many times, instead of downloading apps, it creates 8-10 notifications which are advertisements for online stores and other apps. All of this happens immediately after connecting to the internet which I mostly do using airtel 3g.

I did the “long press on notification” thing and it says the app responsible for generating these notifications is SoftwareUpdate which is a System app and can’t be uninstalled and restarts automatically when disabled.

I am absolutely outraged and want to know what I can do to make Micromax stop hijacking my 3g and my internal storage space for their profit. Please help!

This was not an isolated case: many users of certain Micromax devices noticed apps being silently installed without their consent.

As noted above, and as an XDA Forum member found on investigation, the app that installs the adware is itself part of the Micromax system image, so it cannot be uninstalled the normal way. Even if you do manage to remove the pushed apps, they may simply reappear.

XDA Forum member Diamondback has analysed this rogue app in the Micromax firmware by tearing it down:

The Evidence

When starting to tear down the application (which is actually called FWUpgrade.apk on your filesystem), the first thing you notice is that it’s a third-party application. A Chinese company named Adups developed it as a replacement for the stock Google OTA service. Apparently, Micromax decided to use it instead of the stock one. The first hurdle you need to take for further analysis is the byte code level obfuscation, and most of the sources are really not a pleasure to read. However, if you know what you’re looking for, the app can’t hide its true nature. The evidence presented here starts out with a bit of code that shows you the potential abilities of this app and closes off with something even more interesting.

Let’s start with the silently installed apps. To do this from within another app, you either need to use the Android PackageManager API directly, or issue the installation commands from a shell. The second case is true here, as the following pieces of code show (note: this is simplified java code, the actual code looks a bit different due to the obfuscation):

// Simplified form of the obfuscated code: build the shell command
// "pm install -r <path>", where s2 holds the path of the downloaded APK
StringBuilder sb = new StringBuilder("pm install -r ");
sb.append(s2);
String cmd = sb.toString();

Here you can see a newly created StringBuilder containing the command pm install, followed by s2, which in this case is a string variable containing a file system path to a downloaded apk file. The finished string then gets passed to a new method doing something like this:

// Run the assembled command. ProcessBuilder expects the program and each
// argument as separate strings, so the real code must split the command
// line before this call; the simplified form glosses over that step.
ProcessBuilder processbuilder = new ProcessBuilder(cmd);
Process process = processbuilder.start();

Here you can see that the string with the shell command is used to start-up a process which executes said command and in fact silently installs the apk file. At this point we can be fairly certain that the OTA check service in Micromax ROMs can not only download and flash system OTAs but also has the ability to silently install apps. This in itself doesn’t mean too much as it’s not necessarily a bad thing, but there’s more to come.

The Adups marketing material advertises the following features, which Diamondback linked to the behaviour found in the code:

[Image: Adups service overview listing app push service, device data mining and mobile advertising]

There you have it, in the company’s own words. App push service. Device Data Mining. Mobile advertising. That matches pretty nicely the initial report on reddit, don’t you think? So, the bad guy here is in fact Micromax since these are official features of the app by Adups, and it’s more than likely that Micromax is getting revenue from the forced app installs and notification ads. They also chose to go with this provider and not use their own servers together with Google’s stock OTA service, so they were fully aware of what impact this would have on their users.

Temporary Solution

Diamondback has also given a temporary workaround to disable this bloatware and data-mining app.

1. Root your device

The first and most important step is to root your device. A rooted device allows you to do much more than your stock phone would allow, and is a critical step in all system modifications. Since there are quite a few different Micromax devices out there, I won’t link to any specific root exploits in this article. Instead, head over to XDA:India and search for a root exploit or guide for your device. Make sure to read everything thoroughly and follow the instructions precisely to not damage your device in the process. Also note that this will most likely void your warranty.

2. Get ADB set up

In order to continue, you’ll need to have a working ADB connection to your device. There are many guides on XDA that detail how to achieve exactly this, but for starters, here is a fairly up-to-date guide on how to download the necessary binaries and how to establish a connection to your device.

3. Disable the Software Update application

Now that you have gained root access and ADB is up and running, you can continue with disabling the dreaded application responsible for the silent installs and unwanted ads. All you need to do now is to fire up a command prompt, make sure the prompt is at the directory of your ADB binary, and execute the following command:

adb shell pm disable com.adups.fota

You can read more about the usage of this command in this tutorial about disabling apps with root access. Please be aware that this process will remove the ability for your device to search for software updates and might generate an error when trying to open the Phone update section in the settings. In case you need the app back (for example when a new update is ready) you can easily enable it again with this command:

adb shell pm enable com.adups.fota
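The helper script below is an added example written for this article, not Diamondback's own script or anything shipped by Micromax or Adups. It wraps the three adb steps above (check state, disable, re-enable) and adds a check that follows from the FWUpgrade.apk teardown: an app installed from a shell with pm install carries no recorded installer, which pm list packages -i reports as installer=null, whereas Play Store installs report installer=com.android.vending. It assumes adb is on the PATH, the device is rooted and connected, and the package name com.adups.fota given in the guide. The pure parsing functions take the pm output as a string so they can be checked without a device; the sample listings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the XDA post). Assumes adb on PATH,
# a rooted, connected device, and the package name the guide gives.
FOTA_PKG="com.adups.fota"

# Is package $1 present in a `pm list packages` listing passed as $2?
# The listing is one "package:<name>" per line, e.g. "package:com.adups.fota".
pkg_listed() {
    printf '%s\n' "$2" | grep -qxF "package:$1"
}

# State of package $1 given the full listing ($2) and the output of
# `pm list packages -d` ($3, which lists disabled packages only).
# Prints one of: absent / enabled / disabled.
pkg_state() {
    if ! pkg_listed "$1" "$2"; then
        echo absent
    elif pkg_listed "$1" "$3"; then
        echo disabled
    else
        echo enabled
    fi
}

# From `pm list packages -i -3` output (third-party packages with installer,
# lines like "package:com.example.app  installer=com.android.vending"), print
# the packages that have no recorded installer (installer=null). Apps pushed
# through `pm install` from a shell, as in the teardown, land in this set.
no_installer_pkgs() {
    printf '%s\n' "$1" | sed -n 's/^package:\([^ ]*\) *installer=null$/\1/p'
}

# Live helpers: these talk to the device. tr strips the CR that adb adds on
# some hosts so the parsers above see clean lines.
device_state() {
    pkg_state "$FOTA_PKG" \
        "$(adb shell pm list packages | tr -d '\r')" \
        "$(adb shell pm list packages -d | tr -d '\r')"
}
device_suspects() {
    no_installer_pkgs "$(adb shell pm list packages -i -3 | tr -d '\r')"
}
disable_fota() { adb shell pm disable "$FOTA_PKG"; }   # step 3 of the guide
enable_fota()  { adb shell pm enable  "$FOTA_PKG"; }   # restore when an update is due
```

Typical use on a device: run device_suspects to see which third-party packages arrived without an installer, device_state to confirm com.adups.fota is currently enabled, disable_fota, then device_state again, which should now print disabled. The parsing is kept separate from the adb calls so the decision logic can be exercised on saved pm output from any phone.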

If you cannot root your phone, it is better to switch to a different smartphone, because apps of this kind cause the following problems:

  • Having no control over which apps are installed on your device poses a huge security risk, as you don’t get to check the permissions of the apps and you have no idea if these apps are indeed the original apps (or potentially modified in a malicious way)
  • Micromax devices don’t tend to be the highest end you can find, so storage space is still considered a luxury (at 4GB total) and having the device’s storage filled up with random apps is certainly not the best use of that precious space
  • The downloads also happen when using a mobile network, so your expensive full-speed data will reduce significantly if your phone is constantly trying to download apps you don’t even want to have

Although this kind of app behaviour is not expected of any device or smartphone manufacturer, some manufacturers keep pushing such bloatware quietly to avoid scrutiny. What is needed is a clear mechanism like the legislation Canada enacted yesterday, under which no manufacturer may install software or updates without the explicit approval of the user.

There is a long way to go before that kind of legislation covers every part of the world; until then there will always be a Samsung, Sony, Xiaomi or Micromax that takes advantage of its buyers by installing unwanted apps.

Resource: Diamondback’s post on XDA Forum.
