Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.
The vulnerabilities are as follows -

CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP.
CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in

Vulnerability / Mobile Security

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.

The vulnerabilities are as follows -

*   **CVE-2023-33063** (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP.
*   **CVE-2023-33106** (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL\_KGSL\_GPU\_AUX\_COMMAND.
*   **CVE-2023-33107** (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

Google's Threat Analysis Group and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks.

A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Project Zero have been credited with reporting the security vulnerabilities, respectively.

It's currently not known how these shortcomings have been weaponized, and who are behind the attacks.

The development, however, has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the four bugs to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the patches by December 26, 2023.

It also follows Google's announcement that the December 2023 security updates for Android address 85 flaws, including a critical issue in the System component tracked as CVE-2023-40088 that "could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed" and without any user interaction.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability.

**SUMMARY**

An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

GPSd 3.25.1~dev

**PRODUCT URLS**

GPSd - https://gpsd.gitlab.io/gpsd/

**CVSSv3 SCORE**

5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-191 - Integer Underflow (Wrap or Wraparound)

**DETAILS**

GPSd is a daemon used for monitoring, collecting and reporting GPS information to clients. In a typical configuration, the GPS data are provided by a serial device connected to the host machine. However, GPSd also supports aggregating GPS data from network sources. It is extensively used in Android as well as embedded systems such as drones, robot submarines, driverless cars, marine navigation and military systems.

GPSd can act as a client that gets GPS information from the network using the NTRIP protocol. As specified in the NTRIP documentation, the NTRIP client does an HTTP request to the NTRIP caster (as per NTRIP documentation) expecting a source table as a response. The source table defines a list of records describing the data provided:

    SOURCETABLE 200 OK
    Content-Type: text/plain
    Content-Length: 6999 
    STR;FFMJ2;Frankfurt;RTCM 2.1;1(1),3(19),16(59);0;GPS;GREF;DEU;50.12;8.68;0;1;GPSNet V2.10;none;N;N;560;Demo 
    ENDSOURCETABLE
    

In the example above, a stream record is defined under the FFMJ2 path, where the NTRIP client is expected to perform a standard HTTP request to get specific GPS data.

GPSd, acting as an NTRIP client, uses the following code to parse the response from the caster.

    #define NTRIP_BR                "\r\n"
    
    int ntrip_stream_get_parse(struct gps_device_t *device)
    {
    	    ...
        while (1) {
            lexer_getline(lexer);                                   [1]
    		          ...
            if ('\0' == *lexer->outbuffer) {
                // done, never got end of headers.
                break;
            }
    		
            if (0 == strncmp(obuf, NTRIP_BR, sizeof(NTRIP_BR))) {   [2]
                // done
                break;
            }
        }
        ...
    } The code performs a loop, getting one line from the response until there is a NULL byte or the delimiter `\r\n` is found at (2), denoting the main body of the response. To get one line, the `lexer_getline()` is used at [1] above.
    
    static void lexer_getline(struct gps_lexer_t *lexer)
    {
    	unsigned i;
    	
        for (i = 0; i < sizeof(lexer->outbuffer) - 2; i++) {
            unsigned char u = *lexer->inbufptr++;
    
            lexer->outbuffer[i] = u;
            lexer->inbuflen--;                                   [3]
    
            if ('\0' == u) {
                // found NUL
                break;
            }
            if ('\n' == u) {
                // found return
                i++;
                break;
            }
    
            if (0 == lexer->inbuflen) {                          [4]
                // nothing left to read,  ending not found
                i++;
                break;
            }
        }
    }
    

In lexer_getline(), the code parses a line from one character at a time, looking for either a NULL byte or the \n character. In each iteration, the lexer->inbuflen variable is decremented at \[3\]. At \[4\], when the lexer->inbuflen is 0, the loop exits, denoting that there are no other characters to parse in that line, assuming no NULL bytes or \n characters are found in the line.

Recall however that the code continues to execute in the outer loop, searching for the the \r\n characters at \[2\]. If the characters are not found, the loop continues, executing lexer_getline() once again. Then at \[3\], the lexer->inbuflen is decremented once again, leading to an integer underflow.

Later, since the lexer->inbuflen is now 0xffffffffffffffff, the code believes there are leftover characters in the buffer and attempts to do a memmove() using lexer->inbuflen as the size argument. This could lead to memory corruption.

    ...
    if (0 == lexer->inbuflen) {
    	packet_reset(lexer);
    } else {
    	// The "leftover" is the start of the first chunk.
    	if (lexer->inbufptr != lexer->inbuffer) {
    		// Shift inbufptr to the start.  Yes, a bit brutal.
    		memmove(lexer->inbuffer, lexer->inbufptr, lexer->inbuflen);       [5]
    		lexer->inbufptr = lexer->inbuffer;
    	}
    }
    

**Crash Information**

    ==470012==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x55e609056090 in __asan_memmove (/home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1.asan/gpsd/gpsd+0x122090) (BuildId: 80383c29e763009d8a7ae0dca6977ebdc5c8b497)
    #1 0x55e6091b8631 in ntrip_stream_get_parse /home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1/gpsd/net_ntrip.c:791:13
    #2 0x55e6091baf02 in ntrip_open /home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1/gpsd/net_ntrip.c:1124:15
    #3 0x55e6091b0c6d in gpsd_multipoll /home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1/gpsd/libgpsd_core.c:1978:19
    #4 0x55e60909b0d6 in main /home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1/gpsd/gpsd.c:2855:29
    #5 0x7f3ab3269d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f3ab3269e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x55e608fbb8a4 in _start (/home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1.asan/gpsd/gpsd+0x878a4) (BuildId: 80383c29e763009d8a7ae0dca6977ebdc5c8b497)
    
    0x55e609da436a is located 29450 bytes inside of global variable 'devices' defined in '/home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1/gpsd/gpsd.c:315' (0x55e609d9d060) of size 730512
    SUMMARY: AddressSanitizer: negative-size-param (/home/dtatsis/gpsd_fuzz/gpsd/gpsd-3.25.1.asan/gpsd/gpsd+0x122090) (BuildId: 80383c29e763009d8a7ae0dca6977ebdc5c8b497) in __asan_memmove
    

**Exploit Proof of Concept**

As a PoC, we act as a very simple NTRIP caster, functionally the same as an HTTP server. On a GET request on the root we send a source table with one record, indicating that we provide NTRIP stream data under the TEST path. When GPSd does a request on this specific path, we send a standard HTTP response that is not properly terminated as GPSd expects, resulting in a crash.

        r = s.recv(128)
        print(f"[+] Got request '{r[:16]}', ...")
    
        if len(r) == 0:
            return
    
        if r.startswith(b"GET / HTTP/1.1"):
            print("[+] Sending NTRIP sourcetable")
    
            s.sendall(b"Content-Type: gnss/sourcetable\r\n")
            s.sendall(b"\r\n")
            s.sendall(b"\r\n")
            s.sendall(b"SOURCETABLE\r\n")
            s.sendall(b"\r\n")
            s.sendall(b"STR;TEST;City;CMR+;\r\n")
            s.sendall(b"ENDSOURCETABLE\r\n")
    
        elif r.startswith(b"GET /TEST HTTP/1.1"):
            print("[+] Got stream data request ...")
    
            s.sendall(b"HTTP/1.1 200 OK\r\n")
    

**TIMELINE**

2023-11-22 - Initial Vendor Contact  
2023-11-23 - Vendor Disclosure  
2023-11-29 - Vendor Patch Release  
2023-12-05 - Public Release

Discovered by Dimitrios Tatsis of Cisco Talos.

CVE-2023-43628: TALOS-2023-1860 || Cisco Talos Intelligence Group

In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

_Published December 4, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-12-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-12-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-12-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-40077

A-298057702

EoP

Critical

11, 12, 12L, 13, 14

CVE-2023-40076

A-303835719

ID

Critical

14

CVE-2023-40079

A-278722815

EoP

High

14

CVE-2023-40089

A-294228721

EoP

High

14

CVE-2023-40091

A-283699145

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40094

A-288896339

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40095

A-273729172

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40096

A-268724205

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40103

A-197260547

EoP

High

14

CVE-2023-45774

A-288113797

EoP

High

11, 12, 12L, 13, 14

CVE-2023-45777

A-299930871

EoP

High

13, 14

CVE-2023-21267

A-218495634

ID

High

11, 12, 12L, 13, 14

CVE-2023-40073

A-287640400

ID

High

11, 12, 12L, 13, 14

CVE-2023-40081

A-284297452

ID

High

11, 12, 12L, 13, 14

CVE-2023-40092

A-288110451

ID

High

11, 12, 12L, 13, 14

CVE-2023-40074

A-247513680

DoS

High

11, 12, 12L, 13

CVE-2023-40075

A-281061287

DoS

High

11, 12, 12L, 13, 14

**System**

The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-40088

A-291500341

RCE

Critical

11, 12, 12L, 13, 14

CVE-2023-40078

A-275626001

EoP

High

14

CVE-2023-40080

A-275057843

EoP

High

13, 14

CVE-2023-40082

A-290909089

EoP

High

14

CVE-2023-40084

A-272382770

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40087

A-275895309

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40090

A-274478807

EoP

High

11, 12, 12L, 13, 14

CVE-2023-40097

A-295334906

EoP

High

11, 12, 12L, 13

CVE-2023-45773

A-275057847

EoP

High

13, 14

CVE-2023-45775

A-275340684

EoP

High

14

CVE-2023-45776

A-282234870

EoP

High

14

CVE-2023-21394

A-296915211

ID

High

11, 12, 12L, 13

CVE-2023-35668

A-283962802

ID

High

11, 12, 12L, 13

CVE-2023-40083

A-277590580

ID

High

12, 12L, 13, 14

CVE-2023-40098

A-288896269

ID

High

12, 12L, 13, 14

CVE-2023-45781

A-275553827

ID

High

12, 12L, 13, 14

**Google Play system updates**

There are no security issues addressed in Google Play system updates (Project Mainline) this month.

**2023-12-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-12-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**System**

The vulnerability in this section could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-45866

A-294854926

EoP

Critical

11, 12, 12L, 13, 14

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

   

CVE

References

Severity

Subcomponent

CVE-2023-3889  

A-295942985 \*

High

Mali

CVE-2023-4272  

A-296910715 \*

High

Mali

CVE-2023-32804  

A-272772567 \*

High

Mali

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2023-21162  

A-292004168 \*

High

PowerVR-GPU

CVE-2023-21163  

A-292003338 \*

High

PowerVR-GPU

CVE-2023-21164  

A-292002918 \*

High

PowerVR-GPU

CVE-2023-21166  

A-292002163 \*

High

PowerVR-GPU

CVE-2023-21215  

A-291982610 \*

High

PowerVR-GPU

CVE-2023-21216  

A-291999952 \*

High

PowerVR-GPU

CVE-2023-21217  

A-292087506 \*

High

PowerVR-GPU

CVE-2023-21218  

A-292000190 \*

High

PowerVR-GPU

CVE-2023-21228  

A-291999439 \*

High

PowerVR-GPU

CVE-2023-21263  

A-305095406 \*

High

PowerVR-GPU

CVE-2023-21401  

A-305091236 \*

High

PowerVR-GPU

CVE-2023-21402  

A-305093885 \*

High

PowerVR-GPU

CVE-2023-21403  

A-305096969 \*

High

PowerVR-GPU

CVE-2023-35690  

A-305095935 \*

High

PowerVR-GPU

CVE-2023-21227  

A-291998937 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-32818  

A-294770901  
M-ALPS08013430, M-ALPS08163896 \*

High

vdec

CVE-2023-32847  

A-302982512  
M-ALPS08241940 \*

High

audio

CVE-2023-32848  

A-302982513  
M-ALPS08163896 \*

High

vdec

CVE-2023-32850  

A-302983201  
M-ALPS08016659 \*

High

decoder

CVE-2023-32851  

A-302986375  
M-ALPS08016652 \*

High

decoder

**Misc OEM**

This vulnerability affects Misc OEM components and further details are available directly from Misc OEM. The severity assessment of this issue is provided directly by Misc OEM.

   

CVE

References

Severity

Subcomponent

CVE-2023-45779  

A-301094654 \*

High

System UI

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-48456  

A-300376910  
U-1914157 \*

High

Kernel

CVE-2022-48461  

A-300368868  
U-1905646 \*

High

Kernel

CVE-2022-48454  

A-300382178  
U-2220123 \*

High

Android

CVE-2022-48455  

A-300385151  
U-2220123 \*

High

Android

CVE-2022-48457  

A-300368872  
U-2161952 \*

High

Android

CVE-2022-48458  

A-300368874  
U-2161952 \*

High

Android

CVE-2022-48459  

A-300368875  
U-2161952 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-28588  

A-285902729  
QC-CR#3417458

High

Bluetooth

CVE-2023-33053  

A-299146326  
QC-CR#3453941

High

Kernel

CVE-2023-33063  

A-266568298  
QC-CR#3447219 \[2\]

High

Kernel

CVE-2023-33079  

A-299146464  
QC-CR#3446191

High

Audio

CVE-2023-33087  

A-299146536  
QC-CR#3508356 \[2\]

High

Kernel

CVE-2023-33092  

A-299146537  
QC-CR#3507292

High

Bluetooth

CVE-2023-33106  

A-300941008  
QC-CR#3612841

High

Display

CVE-2023-33107  

A-299649795  
QC-CR#3611296

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-40507  

A-261468680 \*

Critical

Closed-source component

CVE-2022-22076  

A-261469325 \*

High

Closed-source component

CVE-2023-21652  

A-268059928 \*

High

Closed-source component

CVE-2023-21662  

A-271879599 \*

High

Closed-source component

CVE-2023-21664  

A-271879160 \*

High

Closed-source component

CVE-2023-28546  

A-285902568 \*

High

Closed-source component

CVE-2023-28550  

A-280341535 \*

High

Closed-source component

CVE-2023-28551  

A-280341572 \*

High

Closed-source component

CVE-2023-28585  

A-285902652 \*

High

Closed-source component

CVE-2023-28586  

A-285903022 \*

High

Closed-source component

CVE-2023-28587  

A-285903202 \*

High

Closed-source component

CVE-2023-33017  

A-285902412 \*

High

Closed-source component

CVE-2023-33018  

A-285902728 \*

High

Closed-source component

CVE-2023-33022  

A-285903201 \*

High

Closed-source component

CVE-2023-33054  

A-295020170 \*

High

Closed-source component

CVE-2023-33080  

A-299147105 \*

High

Closed-source component

CVE-2023-33081  

A-299145668 \*

High

Closed-source component

CVE-2023-33088  

A-299146964 \*

High

Closed-source component

CVE-2023-33089  

A-299146027 \*

High

Closed-source component

CVE-2023-33097  

A-299147106 \*

High

Closed-source component

CVE-2023-33098  

A-299146466 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-12-01 or later address all issues associated with the 2023-12-01 security patch level.
*   Security patch levels of 2023-12-05 or later address all issues associated with the 2023-12-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-12-01\]
*   \[ro.build.version.security\_patch\]:\[2023-12-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-12-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-12-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-12-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

December 4, 2023

Bulletin published

CVE-2023-45781: Android Security Bulletin—December 2023

By Waqas
Cyber Av3ngers, a group of hacktivists believed to be originating from Iran, conducted the cyber attack.
This is a post from HackRead.com Read the original post: Cyberattack Defaces Israeli-Made Equipment at US Water Agency, Brewing Firm

The targets included the Equipment used by the Municipal Water Authority of Aliquippa, Pennsylvania and Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment.

U.S. officials have attributed a cyberattack on the Municipal Water Authority of Aliquippa, Pennsylvania, to the hacktivist group Cyber Av3ngers. This is the same group that previously claimed responsibility for targeting the Israeli oil refinery giant BAZAN with a series of DDoS attacks (distributed denial-of-service attacks).

According to Check Point Research and Google’s Mandiant reports, this group is believed to have ties to the Iranian government.

In its cyber attack on the Municipal Water Authority of Aliquippa on Saturday, Nov. 25, 2023, Cyber Av3ngers defaced the equipment used by the authority with a message of their own, stating that they were targeting Israeli-made equipment. Reportedly, the equipment that was targeted and disabled was manufactured by the Israeli company Unitronics.

Hackread.com can exclusively confirm that the group also targeted Brewmation, a New York-based company specializing in turnkey brewing and distilling equipment. The company’s brewery control system experienced a cyber attack over the Thanksgiving weekend.

The cyberattack on the equipment used by Bewmation saw the same deface image that was left by the hackers on the equipment used by the Municipal Water Authority of Aliquippa.

Evidence suggests that the hackers deliberately targeted the facility due to the equipment’s Israeli origin. A photo from the targeted organization shows a message from the hackers that read, _“**Every equipment ‘made in Israel’ is Cyber Av3ngers legal target.”**_

The attack targeted a device used to control water levels at the authority’s tanks automatically. However, it did not disrupt water service to customers. Still, the incident has raised concerns about the vulnerability of critical infrastructure to cyber threats.

Cybersecurity experts had warned that the ongoing conflict between Israel and Hamas may cause a spike in cyberattacks in Western Pennsylvania and other regions. The Western Pennsylvania All Hazards Fusion Center issued an alert warning that anti-Israel threat actors could target any critical infrastructure or key resources in the region.

In response to the attack, area representative Congressman Chris Deluzio has called for a full investigation into this incident while emphasizing the need for all organizations, including small local governments and private actors, to step up their cybersecurity systems. Deluzio noted that implementing sophisticated cyber defences is the need of the day.

Three Pennsylvania lawmakers have urged for an investigation by the U.S. Department of Justice to warn other water and sewage treatment utilities about possible threats and risks involved with vulnerable industrial control systems.

In a letter to Attorney General Merrick Garland, Senators John Fetterman and Bob Casey, along with Representative Chris Deluzio, raised concerns over the vulnerable nature of drinking water and other critical infrastructure.

They emphasized the need to protect these systems from foreign adversaries and terrorist organizations, urging the DoJ to investigate the incident thoroughly and also calling for a broader assessment of the nation’s cybersecurity posture.

Federal agencies are also involved in the investigation. The Cybersecurity and Infrastructure Security Agency (CISA) released a statement revealing that it is aware of the intrusion and is working with partners to understand the situation and provide support. The FBI did not confirm or deny that an investigation was underway. 

The Aliquippa Water Authority chairman, Matthew Mottes, stated that federal officials informed him of more hacking attempts from the same threat actor, targeting four of their utilities and an aquarium.

Cyber Av3ngers claimed to have hacked 10 water treatment stations in Israel on October 30 in a separate development. It is unclear whether any equipment was shut down due to these attacks.

Cyber Av3ngers on Telegram

Nevertheless, the cyberattack highlights the capabilities and skills hacktivists possess to deliver their message to adversaries. Cyber Av3ngers vow to continue targeting Israel and any company or business utilizing equipment manufactured or provided by the State of Israel.

****_RELATED ARTICLES_****

1.  **Israel’s Channel 10 TV Station Hacked by Hamas**
2.  **Hackers deface Airport screens in Iran with anti-govt messages**
3.  **LG Smart TV Screen Bricked After Android Ransomware Infection**
4.  **Iran State-Run TV’s Live Transmission Hacked by Edalate Ali Hackers**
5.  **TV broadcasts in California interrupted to show “end of the world” alert**

Cyberattack Defaces Israeli-Made Equipment at US Water Agency, Brewing Firm

Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023.
"Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app

Mobile Security / Banking Security

Cybersecurity researchers have disclosed a new sophisticated Android malware called **FjordPhantom** that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023.

"Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon said in an analysis published Thursday.

Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components.

Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery (TOAD), which involves calling a bogus call center to receive step-by-step instructions for running the app.

A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use of virtualization to run malicious code in a container and fly under the radar.

The sneaky method, Promon said, breaks Android's sandbox protections as it allows different apps to be run on the same sandbox, enabling the malware to access sensitive data without requiring root access.

"Virtualization solutions like the one used by the malware can also be used to inject code into an application because the virtualization solution first loads its own code (and everything else found in its app) into a new process and then loads the code of the hosted application," security researcher Benjamin Adolphi said.

In the case of FjordPhantom, the host app downloaded includes a malicious module and the virtualization element that's then used to install and launch the embedded app of the targeted bank in a virtual container.

In other words, the bogus app is engineered to load the bank's legitimate app in a virtual container while also employing a hooking framework within the environment to alter the behavior of key APIs to grab sensitive information from the application's screen programmatically and close dialog boxes used to warn malicious activity on users' devices.

"FjordPhantom itself is written in a modular way to attack different banking apps," Adolphi said. "Depending on which banking app is embedded into the malware, it will perform various attacks on these apps."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia

By Waqas
Thus far, the FjordPhantom malware has defrauded victims of around $280,000 (£225,000).
This is a post from HackRead.com Read the original post: Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Currently, the FjordPhantom malware appears to be active in Southeast Asia, covering countries including Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

Cybersecurity firm Promon has identified a novel Android malware named FjordPhantom that employs virtualization to target applications. This technique has not been observed in any malware previously. FjordPhantom propagates through messaging services and combines app-based malware with social engineering to deceive banking customers.

Promon indicated in its report published on November 30, 2023, that only one sample of FjordPhantom has been obtained. However, researchers suspect that the malware is operational in Southeast Asia, encompassing countries such as Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

“In discussions with banks in the region, Promon has learned that one customer was defrauded out of 10 million Thai Baht (approximately $280,000 – £225,000) at the time of writing,” noted the report author Benjamin Adolphi and shared with Hackread.com ahead of publication on Thursday.

Further probing revealed that the malware is distributed through emails, SMS messages, and messaging apps. Users are tricked into downloading a bogus banking app, which contains FjordPhantom.

When this app gets installed, the attackers, posing as customer service representatives, guide the users about the steps to run the app. The malware uses virtualization to create a virtual container to run this app and attackers can monitor the user’s actions and steal their credentials.

The malware integrates various open-source/free projects from GitHub, incorporating a virtualization solution and a hooking framework. FjordPhantom utilizes virtualization solutions to circumvent the Android sandbox, enabling different apps to operate within the same sandbox.

This facilitates attackers in gaining access to files and memory, conducting debugging, and injecting code into other apps. The approach involves virtualization solutions loading their own code into a new process before loading the hosted app’s code. Consequently, the malware can evade traditional code injection detection methods, as it doesn’t modify the original application.

The malware leverages the hooking framework to evade SafetyNet rooting detection, screenreader detection, and dismiss dialog boxes warning the user of ongoing malicious activity on the system. Additionally, the malware logs various actions performed by the targeted applications, signifying active development and suggesting potential targeting of other apps in the future.

Screenshot credit: Promon

Researchers believe that FjordPhantom is a sophisticated Android malware used to commit real-world fraud. Here are 5 tips for Android users to protect themselves from malware, especially banking trojan:

1.  **Download apps only from trusted sources:** The safest way to get apps for your Android device is to download them from the official Google Play Store. Apps in the Play Store have been reviewed by Google and are less likely to be malicious. If you need to download an app from a third-party source, make sure to do your research and only download apps from reputable websites.
2.  **Be careful about the permissions you give apps:** When you install an app, it will ask you for permission to access certain data or features on your device. Only give apps the permissions they need to function. For example, if you’re installing a banking app, it will need permission to access your contacts and call history. However, there’s no reason for it to need permission to access your photos or location.
3.  **Keep your device up to date:** Google regularly releases updates for Android that fix security vulnerabilities. Make sure to install these updates as soon as they become available. You can enable automatic updates in your device’s settings.
4.  **Install a mobile security app:** A mobile security app can help to protect your device from malware by scanning apps and files for threats. It can also block malicious websites and phishing attempts. There are many different mobile security apps available, so do some research to find one that’s right for you.
5.  **Be cautious about what you click on:** Be careful about clicking on links in emails or text messages, even if they appear to be from someone you know. These links could take you to malicious websites that could install malware on your device.

****_RELATED ARTICLES_****

1.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users**
4.  **Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots**
5.  **Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw**

Android Banking Malware FjordPhantom Steals Funds Via Virtualization

A fake antivirus alert may suddenly hijack your screen while browsing. This latest malvertising campaign hit top publishers.

ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.

Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.

The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.

ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.

**Forced redirects**

Mastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his phone when he was suddenly redirected to a fake security scan page:

Malicious redirect from APnews.com (credit Blair Strater)

This fake scanner is not run by McAfee, but the domain name _systemmeasures\[.\]life_ that we see in the address bar is the landing page that redirects to one of its affiliates. That affiliate was previously reported but continues unabated.

Web traffic between malicious page and McAfee site

Based on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time bidding (RTB) in the past few weeks Most of the telemetry we saw from our Malwarebytes user base was related to smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with malicious ads slipping by on top publishers (note: this data comes from VirusTotal):

**ESPN.COM (1.585B monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz3hbaiz7oz2&k=b47648817b492be8ba9c7dc97addefb6&country\_code=US&carrier=Verizon&country\_name=United%20States&region=New%20York&city=Bronx&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=en&ref\_domain=**www.espn.com**&os=**iOS**&osv=17&browser=Chrome&browserv=119&brand=Apple&model=iPhone&marketing\_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5

**APNEWS.COM (307.2M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=59z40b4g6z7oz2&k=506222e0611d62c3261b9ba847063faa&country\_code=US&carrier=-&country\_name=United%20States&region=Virginia&city=Alexandria&isp=Comcast%20Cable%20Communications,%20LLC&lang=en&ref\_domain=**apnews.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

**CBSSPORTS.COM (265.1M monthly visits)**

systemmeasures\[.\]life/avs/en/mob/**mcafee-2**.php?c=5uz16jptz7oz2&k=d2761f12fed2ce8472ab704fd55d49e1&country\_code=US&carrier=-&country\_name=United%20States&region=Colorado&city=Greenwood%20Village&isp=Charter%20Communications%20Inc&lang=en&ref\_domain=**www.cbssports.com**&os=**Android**&osv=10.&browser=Chrome&browserv=119&brand=unknown&model=unknown&marketing\_name=K&tablet=2&rheight=0&rwidth=0&e=5

Most of the public reports (\[1\], \[2\], \[3\]) indicate this campaign was at its peak around **November 19**. To be clear, AP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile campaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However, the other campaign we are also monitoring that is affecting smaller sites is still ongoing (via _eu\[.\]vulnerabilityassessments.life_ and _us.vulnerabilityassessments\[.\]life_).

**Connection with ScamClub**

We were able to connect this campaign to the ScamClub infrastructure because of another domain (_trackmaster\[.\]cc_) that was previously mentioned as belonging to the threat actor. We can see the relationship between _systemmeasures\[.\]life_ (the landing page) and _trackmaster\[.\]cc_ (the intermediary domain) in the urlscanio submission below:

urlscanio scan showing the relationship between two domains

**Fingerprinting**

Like other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder.

Previously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.

ScamClub’s malicious JavaScript

**Malvertising and mobile users**

On this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and enterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.

ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple. Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.

Malwarebytes for Android protects users from this campaign:

**Indicators of Compromise**

**ScamClub URLs**

octob\[.\]azureedge\[.\]net/oc.js
lzi\[.\]azureedge\[.\]net/lz.js
tinlc\[.\]azureedge\[.\]net/pt.js
bm-rb\[.\]azureedge.net/rb.js
foluo\[.\]azureedge\[.\]net/fo.js
vpv-ger\[.\]azureedge\[.\]net/VpaidVideoAd1.js

**ScamClub JavaScript hashes**

c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e  
899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad  
451b48c8f247f25cd09a1bf4a52fc195a74830d88bd2ffed7a5d4b7830e10621  
495304b489cecd33188ca2a7407d397996fd82ea99966e7c145f0dc67ab2dfb5  
a616fc2c1a075170d4decdb9d3c9ad15f2cfbcfda78dbe4c60d72132b9d006c9  
34f15ec739df72f5ac245db3fff11ea56407e95b94e24bbb820d7999032866d8  
a7a73d3bc716346808b2ee8070dfe5842bb01e10aee1fa9ba87fb975d71d0f4f  
de2f1745cdfbe58266b804961bdbd5be8f533843ed7fdf4b5fe6eb0060876b56  
1614786dd6ff4189975e8226ab7e68d258817b435c3c4e145951f5147699878e  
52cd9f2ff282354c77087b204d5cb32cee9066e8eea4e3c3b8f7cf4d3d3fa20f  
df03df284bfbbe006383f26c0c91394f4c4c8d915d04b868a00954f63e6163e0  
2f3867d33c448b941278671df9a2b8d3d6b29dec5d74b67654f5edfcc6771575  
243d9d70703644f3df148e7633f3ec461a9c43149ea58fd547e2e6fd0c47cce5

**Redirectors**

trackmaster\[.\]cc  
protectsystemtools\[.\]life  
securitypatch\[.\]life  
real-time-system-monitoring\[.\]life  
threatdetectorhub\[.\]life  
threatdetectorhub\[.\]online  
vulnerabilityassessments\[.\]life  
strike-it-lucky\[.\]space  
golden-opportunity\[.\]xyz  
stroke-of-luck\[.\]xyz  
blessed-with-luck\[.\]space  
system-scan-tool\[.\]space  
system-security-scan\[.\]buzz  
system-security-scan\[.\]net  
system-scan-tool\[.\]online  
trk6\[.\]kokamedia\[.\]com  
tracklinker\[.\]space  
trackmenow\[.\]life  
trackify\[.\]world  
trackinghub\[.\]info  
trkmyclk\[.\]xyz  
trk-server\[.\]xyz

34.74.68\[.\]195

**Scam landing pages**

systemmeasures\[.\]life
xyzcreators\[.\]xyz

 Associated Press, ESPN, CBS among top sites serving fake virus alerts 

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

No Iranian bank customers are safe from financially motivated cybercriminals wielding convincing but fake mobile apps.

Source: Stephen Barnes/Finance via Alamy Stock Photo

A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets.

Four months ago, researchers from Sophos detailed a lengthy campaign involving 40 malicious banking apps designed to harvest credentials belonging to unwitting customers. By imitating four of the Islamic Republic's most significant financial institutions — Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran — hackers were able to install and hide their copycat apps on victims' phones, harvesting logins, intercepting SMS messages with one-time passcodes, and stealing sensitive financial information, including credit cards.

Apparently, that was just the opening salvo. A new blog post from Zimperium has revealed 245 more apps associated with the same, clearly ongoing campaign, 28 of which had not previously been recorded on VirusTotal.

And this new trove isn't just bigger — it's more diverse, and more sophisticated than the first 40 were, featuring new kinds of targets, and tactics for stealth and persistence.

**285 Fake Banking Apps**

The 245 new apps discovered since the summer extend beyond the bounds of the original 40 by actively targeting four new Iranian banks, with some evidence that they have another four more in their sights.

Besides banks, the attackers have also started probing for data relating to sixteen cryptocurrency platforms, including such popular ones as Metamask, KuCoin, and Coinbase.

To facilitate the targeting of a dozen banks and 16 crypto hubs, the attackers have also added some new tools to their arsenal. For example, one little trick they use to avoid infrastructure takedowns involves a command-and-control server with the lone purpose of distributing phishing links. As the researchers explained, this "allows for the server URL to be hardcoded on the application without the risk of being taken down."

The group's most notable new tactic, however, is how its apps abuse accessibility services. 

"While using the accessibility API, they get a way to programmatically access the UI's elements," explains Nico Chiaraviglio, chief scientist of Zimperium. He explains that attackers can invisibly interact with the device in some of the same ways a user can, to malicious effect. For example, "they can request for dangerous permissions (such as reading SMS) and when the user is prompted to accept the permission, they click on 'Accept' before the user even sees the notification. Or they prevent uninstallation by clicking on 'Cancel' when the user tries to uninstall the app."

Thus far the fake apps have been limited to Android devices. But among the attackers' belongings, the researchers did uncover phishing websites mimicking banking apps' Apple App Store pages, indicating that the campaign may expand to iPhones in the near future.

Long before that happens, the campaign will have touched thousands. "Based on the information obtained from one of their Telegram channels, we know that there are thousands of victims. But we could only access one of the channels used (since one of them is private) and there is no guarantee that they didn't use other channels in the past." 

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector

Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to set it to update automatically, but you have to make sure to close your browser for the update to finish. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome** (on Windows) or **Google Chrome > About Google Chrome** (on Mac).

If there is an update available, Chrome will start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Google Chrome is up to date_

After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later.

**The technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the actively expoited zero-day is:

CVE-2023-6345: Integer overflow in Skia. Google notes it is aware that an exploit for CVE-2023-6345 exists in the wild. This vulnerability could lead to a range of risks, from crashes to the execution of arbitrary code.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, so that interested criminals remain none the wiser.

The fact that the vulnerability is listed with a severity rating of High, indicates that the scope of the flaw is limited to the browser, but this could mean successful exploitation could provide the attacker with information about visited websites and so on.

Skia is an open source 2D graphic library for drawing Text, Geometries, and Images. Skia works across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

That’s why users of other Chromium based browsers and software that uses Skia should keep their eyes open for similar updates.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#android