Wednesday, December 31, 2014

Pre-installed Backdoor Found in Chinese Smartphones



Chinese smartphone manufacturers have again been criticized for shipping a backdoor in their handsets, but this time a different vendor's name has come up. Earlier the popular Chinese smartphone brands Star N9500 and Xiaomi were named; now China's third largest and the world's sixth largest mobile manufacturer, Coolpad, has joined the list.
Android smartphones sold by Chinese smartphone maker Coolpad Group Ltd contain an extensive "backdoor" that is able to track users, push unwanted pop-up advertisements and install unauthorized apps onto users' phones without their permission, a U.S. security firm alleged.
MORE THAN 10 MILLION USERS AT RISK
Researchers at Silicon Valley online security firm Palo Alto Networks discovered the backdoor, "CoolReaper", pre-installed on 24 Coolpad Android handset models, including high-end ones. With the help of the backdoor, attackers can obtain device information and completely hijack a user's Android device.
Features of CoolReaper backdoor:
According to Ryan Olson, intelligence director at Palo Alto, the CoolReaper backdoor has the ability to:
- Download, install and activate any Android application without the user's knowledge.
- Connect to a number of command and control (C&C) servers.
- Wipe user data, uninstall applications or disable system applications.
- Send fake software updates to devices.
- Send or insert arbitrary SMS or MMS messages into the phone.
- Call arbitrary phone numbers.
- Upload device information, including its location, application usage information, and calling and SMS history, to Coolpad servers.
After examining Coolpad smartphone models from different countries, the researchers suspect that the CoolReaper backdoor comes pre-installed on handsets that are sold exclusively in China and Taiwan.
CoolReaper is the first malware that is built and operated by an Android manufacturer. China has been criticized many times for its products. Six months ago another popular and cheap handset, the Star N9500 smartphone, came pre-installed with a Trojan that allowed the manufacturer to spy on users, including their personal data and conversations, without their knowledge.

There was another allegation against the popular Chinese smartphone manufacturer Xiaomi, of secretly stealing users' information and sending it back to a server in Beijing.

Crash Friends' WhatsApp with Just a Message


Two India-based security researchers, Indrajeet Bhuyan and Saurav Kar, both 17-year-old teenagers, have found a vulnerability in the popular messaging app WhatsApp that allows anyone to remotely crash WhatsApp just by sending a specially crafted message.

In a demonstration, they showed how a 2000-word (2kb in size) message written in special characters can crash the WhatsApp messenger app of both the person who received it and the person who sent it. There was previously a similar vulnerability in WhatsApp, in which a huge message (larger than 7mb) would immediately crash both the victim's device and the app, but this new exploit allows an attacker to send a very small message (2 kb) to the victim.

The user who receives the specially crafted message will have to delete his or her whole conversation with the attacker and start a new one, because opening the message keeps crashing WhatsApp.

According to the duo, the reported vulnerability has been tested on Gingerbread, Jelly Bean, KitKat, and all the above Android operating systems, and it works successfully on them.

Similarly, in a WhatsApp group, if a group member intentionally sends a specially crafted message, then everyone will have to exit the group. Also, for example, if I don't want someone to have records of my chat with them, then I can simply send the same message exploit to that person.

This vulnerability has not been tested on iOS, but it is sure that all versions of WhatsApp are affected by this bug, including 2.11.431 and 2.11.432. However, the attack does not work on Windows 8.1.

WhatsApp, which was bought by Facebook for $19 billion in February 2014, has over 600 million users at the time of writing this post, and according to the researchers the number of users affected by this vulnerability could be 500 million.
           

Recently WhatsApp was in the news for making end-to-end encryption of all text messages a default feature to boost the online privacy and security of its users. The app maker describes this as the "largest deployment of end-to-end encryption ever".

Tuesday, December 30, 2014

WhatsApp Adds End-to-End Encryption


Good news for all WhatsApp users. The WhatsApp messenger has finally made end-to-end encryption a default feature, boosting the online privacy of its users around the world. Earlier WhatsApp had no encryption, and it was very easy for hackers to hijack the session and read personal messages.
WhatsApp, the most popular messaging app with 600 million users as of October 2014, has partnered with Open Whisper Systems to boost its privacy and security by implementing strong end-to-end encryption on all text messages.

The strong end-to-end encryption here means that even Mark Zuckerberg himself can't pry into your conversations, even if asked by law enforcement officials. The app maker describes this move as the "largest deployment of end-to-end encryption ever."

Open Whisper Systems is a non-profit software organisation started by security researcher Moxie Marlinspike, who is behind the development of the TextSecure app used for encryption. Over the past three years, his team has been developing a 'modern, open source, strong encryption protocol' for messaging services, which is now being incorporated into WhatsApp.
"We have a way to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default," Open Whisper Systems said in a blog post.
"We're excited to incorporate what we've learned from this integration into our future design decisions, and to bring this experience to bear on integrations that we do with other companies and products in the future."
There are some limits to WhatsApp's end-to-end encryption: so far, it only works on the Android platform (with iOS coming soon) and covers only text messaging. Also, the app is now open to potential man-in-the-middle (MitM) attacks because there's no way to check or verify the identity of the person you are messaging.
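The missing identity check mentioned above can be shown with a small model, added here as an example and not taken from WhatsApp or TextSecure: two parties run an unauthenticated key exchange, and comparing key fingerprints over a separate channel is what reveals that keys were substituted in transit. The toy Diffie-Hellman group, the party names and the fingerprint format are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (2**127 - 1 is a Mersenne
# prime). Real messengers use elliptic-curve keys, not this group.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(my_priv, their_pub):
    """Session key derived from my private key and the public key I received."""
    raw = pow(their_pub, my_priv, P).to_bytes(16, "big")
    return hashlib.sha256(raw).hexdigest()


def fingerprint(pub):
    """Short, human-comparable digest of a public key (hypothetical format)."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 20, 4))


def exchange(relay_substitutes_keys):
    """Model one key exchange between two users, Alice and Bob (assumed names).

    When relay_substitutes_keys is True, the network path hands each side a
    key that is not the other party's, which is the situation an
    unauthenticated exchange cannot rule out on its own.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_substitutes_keys:
        _, relay_pub = keypair()
        seen_by_alice, seen_by_bob = relay_pub, relay_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    return {
        # Do both ends actually hold the same session key?
        "end_to_end": shared_secret(a_priv, seen_by_alice)
        == shared_secret(b_priv, seen_by_bob),
        # Out-of-band check: each side reads its real fingerprint to the other.
        "fingerprints_match": fingerprint(seen_by_alice) == fingerprint(b_pub)
        and fingerprint(seen_by_bob) == fingerprint(a_pub),
    }
```

Without the fingerprint comparison, neither user has any signal that distinguishes the two cases, which is why key verification is the usual mitigation for this limit.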

WhatsApp was bought by Facebook for $19 billion in February. The popular app has been criticized over the years for a series of security and privacy issues. But after the announcement of this rollout, it has been praised over the internet by security folks.
"WhatsApp deserves enormous praise for devoting considerable time and effort to this project," reads the post. "Even though we're still at the beginning of the rollout, we believe this already represents the largest deployment of end-to-end encrypted communication in history."
Other encrypted messaging apps do exist currently, including Cryptochat, Silent Text and Telegram, but according to The Verge, WhatsApp will be the largest to implement this type of end-to-end encryption ever.


Open Whisper Systems is a company built from open source contributors and a dedicated team to advance "state of the art" secure communication, and is best known as the developer of the Signal, RedPhone, and TextSecure apps.