Iranian Government Hacking Android

The New York Times wrote about a still-unreleased report from Check Point and the Miaan Group:

The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said.

It looks like the standard technique of getting the victim to open a document or application.

Posted on September 24, 2020 at 6:18 AM

11 Comments

Comments

Sofakinbd September 24, 2020 12:01 PM

Bruce, you have a typo.

You have:
The New York Times wrote about a still-unreleased report from Chckpoint and the Miaan
Group:

You mean “Checkpoint” but you have “Chckpoint”

Sofa

Sofakinbd September 24, 2020 12:03 PM

Bruce, you have a typo.

You have:
The New York Times wrote about a still-unreleased report from Chckpoint and the Miaan
Group:

You mean “Check Point” but you have “Chckpoint”

I looked at the article again, it is 2 words.

-Sofa

Mr. H September 24, 2020 2:46 PM

MY government (USA) has been hacking my Android for quite some time now. I have been pretending not to know about it so far because it could be worse, and it probably will, fairly soon, unfortunately.

Clive Robinson September 24, 2020 4:06 PM

@ ALL,

These so called hacks are getting a little dull as they are almost entirely formulaic from last century…

From the article,

“… enabling them [the attackers] to steal the apps’ installation files. These files, in turn, allow the attackers to make full use of the victims’ Telegram accounts.”

So the playbook is fairly normal:

Step 1, Identify target and their email account etc.

Step 2, Send a new phishing message to target.

Step 3, If target does not respond to phish goto Step 2.

Step 4, Download files to target’s device via the phish.

Step 5, Do an end run around the secure apps via the weak OS etc. and steal information (in this case “installation files”).

Step 6, Use weakness present in many security apps provided for “user convenience” that allows users to have more than one device attached to an account.

Step 7, Take anything of interest and everything else you can just in case it becomes useful.

The real security failing is Step 4 that allows Step 5.

That is, a weakness in the OS allowed code to be run that allowed files to be stolen that should never have been available to the device communications channel.

That is, the security end point was before the communications end point, allowing what in effect were “Authentication tokens” to be cloned.

This attack was entirely predictable before any of these security apps were designed or written. And yes they will all fail to this attack as long as an attacker can “end run” the application’s security end point to get at the plaintext side, be it to steal tokens or message content etc.

Thus the question,

When are people going to learn secure apps do not provide security on insecure systems?

If anyone can answer that with anything other than “not any time soon” I for one would like to know…
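The comment above turns on one architectural point: once an attacker can copy an app’s files from the device, a bearer-style session token in those files is as good as the account. The following is an added illustration written for this page, not code from the original post, from Check Point, or from any messaging app; it models a simplified, hypothetical design in which the session credential is bound to a per-device key held outside the copyable app files (as a hardware-backed keystore would), so that a clone of the files alone cannot answer the server’s challenge. Device names, the HMAC construction and the file layout are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    """A phone in the model. app_files is the part an attacker can copy;
    keystore_key stands in for a key that never leaves the device."""
    name: str
    keystore_key: bytes
    app_files: dict = field(default_factory=dict)


class Server:
    """Messaging server that remembers, per session, which device key was
    enrolled. Hypothetical design for illustration only."""

    def __init__(self):
        self.sessions = {}  # session_id -> device key enrolled at registration

    def register(self, device: Device) -> str:
        session_id = secrets.token_hex(16)
        device.app_files["session"] = session_id     # the copyable credential
        self.sessions[session_id] = device.keystore_key
        return session_id

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)               # fresh nonce per login

    def verify(self, session_id: str, nonce: bytes, proof: bytes) -> bool:
        """Device-bound check: the proof must be computed with the key that was
        enrolled for this session, not merely with the session id."""
        key = self.sessions.get(session_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce + session_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def bearer_verify(server: Server, session_id: str) -> bool:
    """The weak model the comment describes: possession of the token is enough."""
    return session_id in server.sessions


def device_answer(device: Device, nonce: bytes):
    """The device signs the challenge with its keystore key; the app files
    contribute only the session id."""
    session_id = device.app_files["session"]
    proof = hmac.new(device.keystore_key, nonce + session_id.encode(),
                     hashlib.sha256).digest()
    return session_id, proof


def clone_app_files(victim: Device, attacker_name: str) -> Device:
    """Models Step 5: only the app's files are exfiltrated. The clone gets its
    own, different keystore key because the victim's never left the phone."""
    return Device(attacker_name, secrets.token_bytes(32), dict(victim.app_files))


def demo() -> dict:
    server = Server()
    victim = Device("victim-phone", secrets.token_bytes(32))   # constructed
    server.register(victim)
    clone = clone_app_files(victim, "attacker-phone")          # constructed

    nonce = server.challenge()
    sid_v, proof_v = device_answer(victim, nonce)
    sid_c, proof_c = device_answer(clone, nonce)

    return {
        # bearer token: the copied files alone log the clone in
        "bearer_clone_accepted": bearer_verify(server, clone.app_files["session"]),
        # device-bound token: the real phone still works ...
        "bound_victim_accepted": server.verify(sid_v, nonce, proof_v),
        # ... but the clone fails, because the key was not in the stolen files
        "bound_clone_accepted": server.verify(sid_c, nonce, proof_c),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the contrast is the one the comment makes: binding the credential to a key the OS cannot hand over to a copied file moves the security end point past the point where files are stolen, so a multi-device feature no longer turns file theft into account access. It does not help if the attacker’s code can also drive the keystore on the compromised device, which is why the comment’s conclusion about insecure platforms still stands.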

Ron Green September 24, 2020 4:32 PM

Good.

Checkpoint Security is a hostile anti-American terrorist organization, I hope they got hit themselves.

lurker September 25, 2020 1:53 AM

@Clive

The real security failing is Step 4 that allows Step 5.

What about Step 3? If the target is hardened and does not take the phish bait, doesn’t the exploit fail at Step 2? I know, in the real world only non-hardened targets are chosen…

Clive Robinson September 25, 2020 4:52 AM

@ lurker,

What about Step 3? If the target is hardened and does not take the phish bait,

Think of the attackers in the same way you would those debt collection agencies who buy up expired or non-existent debt.

They will keep trying then “pass/sell it on” to the next bottom feeder in line…

It’s the way these people think at “step0”.

Winter September 25, 2020 5:19 AM

@Clive
“These so called hacks are getting a little dull as they are almost entirely formulaic from last century…”

I see 2 learning points in this case:
1) A practical point: (Spear) phishing is a principal entry point of the enemy. Its main risk seems to lie in communications with the non-initiated “public”.

2) A fundamental point: All communication is dangerous in the face of a powerful enemy. If you communicate, there will be a risk that this is intercepted. Risk mitigation will always be a trade-off between bandwidth and security.

One strategy to reduce the risks was employed during the Hong Kong protests. IIRC, activists used entirely separated systems on separated IP addresses (and networks) for receiving communication, email etc., and publishing it (outgoing messages, websites, maps etc.).

Cyber Hodza September 25, 2020 5:12 PM

Would this news increase the Iranian standing on the list of Cyber Power nations, or would this be just a variant of the Chinese hacking tools used to spy on its Uyghur minority?

Lastly, Check Point is an Israeli-based security firm, so it may give them a better standing on the nations list.
