Monday, November 4, 2024
HomeAndroidAndroid Device Migration Tools Bug Let Hackers Steal App Data & Login...

Android Device Migration Tools Bug Let Hackers Steal App Data & Login to Your Accounts

Published on

Malware protection

Smartphones are frequently replaced by users when newer versions of smartphones with much more features are released.

The exchange of smartphones has a significant complication in transferring data to the new device.

To overcome this problem, Cloning applications were introduced to overcome this problem, which will clone the entire device to the new one.

- Advertisement - SIEM as a Service

This includes applications, photos, personal data, mail accounts, and even session data of applications.

However, CloudSEK’s researchers found that many applications do not invalidate or revalidate the session after this data migration to a new device.

Threat actors are aware of this and use this lack of validation with highly privileged migration tools to copy to their devices, which can result in impersonation.

Source: CloudSEK

List of Applications that do not Invalidate or revalidate the session cookies.

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay – BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

As per the migration experiment conducted by CloudSEK, WhatsApp transferred the secret keys to the new device, which resulted in the application not asking for 2FA.

“Researchers conducted an experiment using two Realme devices. After the data was transferred from the victim’s device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account.”

Even though the victim had activated WhatsApp 2FA, it wasn’t asked on the new (attacker’s) device, and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message; you can see the PoC video here.

A threat actor gaining access to this kind of vulnerability can impersonate a person and WhatsApp and send messages on the victim’s behalf.

Once the migration is completed, WhatsApp will receive messages on the device to which the last message was sent.

In such cases, the victims will only be able to know if they log on to Web WhatsApp and look for conversations.

Threat actors can bypass this easily if they delete the messages.

Meta owns WhatsApp. However, the same Meta-owned Instagram did not have this vulnerability, as it logged out all accounts when migrated to a new device.

Impact of this Vulnerability

As these applications do not invalidate or revalidate session cookies, threat actors can manipulate victims into installing Stealer Log malware that records users’ activities and sends them back to their servers which can be used to gain unauthorized access to victims’ accounts.

Once attacker steals the cookies not validated by the applications, they can use anonymous browsers to use stolen cookies resulting in the impersonation of network location and GPS.

Mitigation

  • Checking for unusual activity on their accounts and their device
  • Keeping the device locked when not in use
  • Do not leave the devices in the public places
  • Enable Two-factor authentication for the applications.

Building Your Malware Defense Strategy – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...