Researcher blames vulnerable code re-use for zero-day in Android's CyanogenMod

A security researcher claimed Android's CyanogenMod developers re-used vulnerable code that puts millions of users at risk of man-in-the-middle attacks.

CyanogenMod on Android
Credit: Danny Choo

If you installed CyanogenMod on your Android, then your device is purportedly vulnerable to a zero-day blamed on code re-use. At the Ruxcon Security Conference in Australia, an unnamed security researcher revealed that CyanogenMod developers “copy-pasted” Oracle’s “sample code for Java 1.5” and that’s what puts Android devices with CyanogenMod at risk of man-in-the-middle attacks.  

The Register reported that the security researcher does not want his name used, but he warned that CyanogenMod and a “ton of others” have reused code that was reported to have SSL vulnerabilities back in 2012. He said:

"If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the 'organization name' field you put the 'value,cn=*domain name*, it will be accepted as the valid domain name for the certificate."

"Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone's phone." 

There had been over 10 million installs as of December 2013, but that number was derived by users leaving the CyanogenMod stats enabled on their Android phones and tablets. The CyanogenMod stats map certainly is active, but there is no current stats number for how many total installs there have been in the last 10 months. Nevertheless, a zero-day vulnerability in the Cyanogen build of Android allegedly puts millions upon millions of users at risk. The newest version CM 11.0 M11 was just released last week on Oct. 8; the CyanogenMod blog has yet to respond to the zero-day allegation.

Although the security researcher “responsibly disclosed the flaw to affected vendors,” CyanogenMod did not respond; he then mentioned the zero-day that allows MitM attacks at Ruxcon. He described the fix as “fairly simple,” adding that “the exposure served as an academic exercise in the perils of code reuse.”

Code re-use is exceedingly common and some variation of repackaged code generally makes the top 10 list of cybersecurity threat predictions every year. According to The Stack, of the 3,000 previously “unidentified malware entities” that “flood the network every day, many are old ‘friends’ repackaged to generate hashes unfamiliar to the databases of BitDefender, Symantec and other anti-malware companies, and this guarantees them at least an hour in the wild, if not a whole ‘zero’ day.”

“But others are genuinely evolutionary” and "mimic the behavior patterns of benign software, in an attempt to avoid wasting its payload behavior on a sandbox or virtualized environment." Giovanni Vigna, CTO of Lastline and Director of the Center for Cybersecurity at the University of California, Santa Barbara, spoke about the evolution of evasive malware at IP Expo Europe. This “new” malware “wants to know is if it is running in front of a real user and in a real system, and to this end it has developed an ever-growing map of tell-tale signs that it might not be in Kansas after all.”

If you don’t analyze malware, then perhaps you are unaware that “most sandbox-based anti-malware approaches can be easily bypassed.” In fact, “there is nothing new in malware waiting out a specific period or awaiting a certain set of environmental conditions before acting. But this intelligent probing of the host environment is a phenomenon of recent years. If the malware in question cannot be convinced that it is in a worthwhile attack space, it may never act at all, and may therefore prove difficult to study, categorize or protect against.”

Vigna explained that increasingly-evasive malware “will look for hardware hooks indicating the connection of a keyboard and mouse, and most particularly it will seek to identify mouse movement as a sign that an actual end-user may be sitting in front of the malware on a ‘real’ computer. It will also check the color of a background pixel, Mutex names, the names of hardware connected to the system and for details of the Windows Product ID.”

That “evasive malware is increasing in quantity and sophistication” as well as the “need for novel techniques that can identify evasive behavior,” were described as key takeaways from Vigna’s talk.

“There are only ‘around 100’ cybercriminal kingpins behind global cybercrime,” according to Troels Oerting, the head of Europol's Cybercrime Center. Most of what he revealed to BBC echoed the 2014 Internet Organized Crime Threat Assessment report; however he suggested that the “increasing trend towards greater encryption of online communications is not acceptable.” He added that “backdoors” for law enforcement might be the answer. Another "key" for law enforcement is to "target the 'rather limited group of good programmers'."

That may be true, but wouldn't that mean more cybercriminals would likely repackage and “re-use” sophisticated and evasive malware code that works well?

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.