Friday, December 6, 2024
HomeAndroidAndroid Device Migration Tools Bug Let Hackers Steal App Data & Login...

Android Device Migration Tools Bug Let Hackers Steal App Data & Login to Your Accounts

Published on

SIEM as a Service

Smartphones are frequently replaced by users when newer versions of smartphones with much more features are released.

The exchange of smartphones has a significant complication in transferring data to the new device.

To overcome this problem, Cloning applications were introduced to overcome this problem, which will clone the entire device to the new one.

- Advertisement - SIEM as a Service

This includes applications, photos, personal data, mail accounts, and even session data of applications.

However, CloudSEK’s researchers found that many applications do not invalidate or revalidate the session after this data migration to a new device.

Threat actors are aware of this and use this lack of validation with highly privileged migration tools to copy to their devices, which can result in impersonation.

Source: CloudSEK

List of Applications that do not Invalidate or revalidate the session cookies.

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay – BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

As per the migration experiment conducted by CloudSEK, WhatsApp transferred the secret keys to the new device, which resulted in the application not asking for 2FA.

“Researchers conducted an experiment using two Realme devices. After the data was transferred from the victim’s device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account.”

Even though the victim had activated WhatsApp 2FA, it wasn’t asked on the new (attacker’s) device, and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message; you can see the PoC video here.

A threat actor gaining access to this kind of vulnerability can impersonate a person and WhatsApp and send messages on the victim’s behalf.

Once the migration is completed, WhatsApp will receive messages on the device to which the last message was sent.

In such cases, the victims will only be able to know if they log on to Web WhatsApp and look for conversations.

Threat actors can bypass this easily if they delete the messages.

Meta owns WhatsApp. However, the same Meta-owned Instagram did not have this vulnerability, as it logged out all accounts when migrated to a new device.

Impact of this Vulnerability

As these applications do not invalidate or revalidate session cookies, threat actors can manipulate victims into installing Stealer Log malware that records users’ activities and sends them back to their servers which can be used to gain unauthorized access to victims’ accounts.

Once attacker steals the cookies not validated by the applications, they can use anonymous browsers to use stolen cookies resulting in the impersonation of network location and GPS.

Mitigation

  • Checking for unusual activity on their accounts and their device
  • Keeping the device locked when not in use
  • Do not leave the devices in the public places
  • Enable Two-factor authentication for the applications.

Building Your Malware Defense Strategy – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...