Showing posts with label Hacking. Show all posts

Friday, September 20, 2013

Android WebView Vulnerability (Android 4.1 or older) - Hackers can install malicious software and send SMSs using JavaScript code

Android WebView Vulnerability  - Android 4.1 or older


An AVG security expert reported a critical vulnerability in Android's WebView feature that allows an attacker to install malicious software, send SMSs and perform other tasks.

Android WebView is a View that displays web pages, allowing the user to view a web page as part of an ordinary Android application. The WebView class is an extension of Android's View class that lets you display web pages as part of the application's screen layout. It uses the WebKit rendering engine to display web pages and includes methods to navigate forward and backward through a history, zoom in and out, perform text searches and so on. It does not include any features of a fully developed web browser.

If the web page you plan to load in your WebView uses JavaScript, you must enable JavaScript for your WebView. Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.


addJavascriptInterface (Object object, String name) method


  The addJavascriptInterface method injects a supplied Java object into the WebView. The object is injected into the JavaScript context of the main frame under a supplied name, which allows the Java object's methods to be accessed from JavaScript. For applications running on Android 4.1 or older, all public methods (including the inherited ones) can be accessed. So when an installed application that uses addJavascriptInterface loads an external web page in its WebView, JavaScript on that page can call the Java object (a kind of 'JavaScript pipeline') and use reflection to invoke any other, unregistered Java class, which allows attackers to call Android's Java methods.

 The fix: 

 For applications running on Android 4.2, all public methods that are annotated with @JavascriptInterface can be accessed from JavaScript. So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want to make available to your JavaScript. If you do not provide the annotation, the method is not accessible to your web page when running on Android 4.2 or higher.

 What should you do? As developers, you should not expose unsafe functions. As users, you should try not to download suspicious mobile applications from third-party markets and should avoid clicking on suspicious links coming from strangers.
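The fix described above, as an added example (not code from the AVG post or from any real application): the bridge is registered only on API 17+, where the annotation is enforced, and only for the app's own content. The class names, the bridge name "article" and the host app.example.com are hypothetical.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class ArticleActivity extends Activity {

    // Hypothetical host: the only origin this app trusts with the bridge.
    private static final String TRUSTED_HOST = "app.example.com";

    /** Bridge object: expose the minimum, nothing that touches SMS, files or installs. */
    static final class ArticleBridge {
        @JavascriptInterface // callable from page script on API 17+
        public String appVersion() {
            return "1.0";
        }

        // No annotation: hidden from JavaScript on API 17+, but still reachable
        // on Android 4.1 and older, where every public method is exposed.
        public void internalOnly() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        Uri target = getIntent().getData();
        boolean trusted = target != null
                && "https".equals(target.getScheme())
                && TRUSTED_HOST.equals(target.getHost());

        // Script runs only for the app's own HTTPS content.
        webView.getSettings().setJavaScriptEnabled(trusted);

        // Register the bridge only where the annotation is enforced (API 17+)
        // and only for trusted content, never for arbitrary links.
        if (trusted && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new ArticleBridge(), "article");
        }
        if (target != null) {
            webView.loadUrl(target.toString());
        }
    }
}
```

The bridge stays attached across navigations inside the same WebView, so links that leave the trusted host should be opened outside it.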

 Infection method:

 Users can be infected when they click on a URL link using a vulnerable application that allows opening a Java-enabled browser or web page. The device will automatically perform the malicious actions ordered by the malicious web page that contains those JavaScript commands. The commands in the JavaScript code can enable attackers to install malicious software, send SMSs, steal personal information and more.

Courtesy: AVG blog

Monday, October 15, 2012

Phishing Attacks Using the HTML5 Fullscreen API

Feross Aboukhadijeh (developer of www.ytinstant.com) has developed a phishing concept using the HTML5 Fullscreen API.

Credit: http://feross.org

 

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. (http://en.wikipedia.org/wiki/Phishing)
                                    
Many people associate phishing with e-mail messages that mimic banks and credit card companies. These messages look authentic and attempt to get victims' personal information.

HTML5 Fullscreen API

The HTML5 Fullscreen API allows developers to show web content that fills the user's screen completely, e.g. watching a fullscreen video on YouTube.

Feross explains how this API can be used to hide the interface elements of the user's browser.
Most browsers have user-triggerable full-screen functionality. The HTML5 Fullscreen API differs from this: it allows the web developer to access the same functionality and trigger it programmatically.
E.g.: elementToMakeFullscreen.requestFullscreen();

A developer can trigger full screen when the user clicks on a link or button.

E.g.: trigger full screen using jQuery
$('#button').on('click', function() {
  var doc = document.documentElement;
  if (doc.requestFullscreen) {
    doc.requestFullscreen();
  }
});

Browser notification

Apple's Safari browser, version 6.01 and later: little to no sign that full-screen mode has been activated.
Google Chrome, version 22 and later: some notice.
Mozilla Firefox, version 10 and later: alerts the user with a conspicuous notification.

 



Phishing Using the Fullscreen API

Look at the link given below:
kerala-techies.blogspot.com
The user can check the link, which will show www.kerala-techies.blogspot.com as expected, so it looks fine. But when the user clicks on the link, the developer (hacker) can call event.preventDefault() to prevent the default action, i.e. navigating to the link, and can then trigger fullscreen, mimic the browser and OS, and show the fake page. This fake page looks the same as the original, with a green padlock for HTTPS.

Credit: http://feross.org
$('html').on('click keypress', 'a', function(event) {

  // Prevent navigation to legit link
  event.preventDefault();
  event.stopPropagation();

  // Trigger fullscreen
 

  // Show fake OS and browser UI
  $('#menu, #browser').show();

  // Show fake target site
  $('#target-site').show();
});

Full Source Code

Credit: http://feross.org
DEMO

 

The content of "Phishing Attacks Using the HTML5 Fullscreen API" on Kerala Techies has been taken from various sources and the analysis of our team. This information is provided by Kerala Techies.

Tuesday, October 9, 2012

How to download torrent anonymously

How to download torrents safely


A month ago AGENTJADOO, an anti-piracy agent, was developed by Jadootech Solutions Pvt Ltd. They said that they track the IP addresses and details of the people who download torrents.

Torrent downloaders are now looking for ways to make their torrent downloading anonymous. There are many methods to make a user anonymous, such as using a VPN, BTGuard or a seedbox to hide one's IP address, but here is a new one called Anomos. Anomos is a pseudonymous, encrypted multi-peer-to-peer file distribution protocol.

We know that data transfer in BitTorrent takes place by peer exchange. Anomos takes advantage of this peer process in BitTorrent and combines it with onion routing anonymization and end-to-end encryption. With this approach, no one can know who the peers are or what they are downloading. Anomos uses a format known as atorrent, so the transfer rate is much slower than normal BitTorrent downloading, and it is not compatible with every normal torrent format.

Friday, October 5, 2012

Bad Piggies - From the creators of Angry Birds

Bad Piggies - Flying Piggies - From the creators of Angry Birds

Rovio, the creators of Angry Birds, have released their latest game: Bad Piggies. It is a very interesting and funny puzzle game.

 Story

The Bad Piggies have at last found a map to the birds' eggs, but unfortunately the parts of the map are now scattered across different parts of Piggy Island. The King Pig orders his subordinates to find and recover the map, even from the bottom of a cave or the top of a mountain.




Now available only  in 

 PC 

But it has not yet been made into a Chrome application. The piggies set a new record: top of the charts within three hours of release.

FAKE BAD PIGGIES

Rovio has not published any Google Chrome version of Bad Piggies. Taking advantage of the lack of a free online version, hackers have now added fake Bad Piggies games to the Chrome Web Store with a phishing plug-in that may inject an unwanted adware program into Chrome browsers. Just a few days after the game launched, we could find seven free versions of the game in the Google Chrome Web Store (at the time of writing).

Scientists from Barracuda Networks found that all these games are distributed by playook.info. After installation, the fake games insert their own advertisements into websites.



Wednesday, September 19, 2012

Are ATM machines secure?

Researchers at Cambridge University found that the chip and PIN system employed in ATM machines is also vulnerable to attack. A fault in the EMV protocol, which is used in Point of Sale (POS) terminals and Automated Teller Machines (ATMs) to authenticate credit and debit card transactions, allows attackers to make fake transactions. The EMV protocol is a joint venture of Europay, MasterCard and Visa to ensure security and global interoperability, so that Visa and MasterCard cards can continue to be accepted everywhere.

The researchers took advantage of the poor encryption standards used in ATM machines. Under the EMV protocol, ATMs and similar devices generate a unique number for each transaction. The researchers found a fault in the software that generates this unique number in the machines, and they proved that one can predict the random number generated for transactions. Simply put, anyone who has stolen your ATM card can make transactions using your card.

Read Full research paper Click here