Loan sharks are a horrible thing to encounter, but what about loan sharks that are actually malware on the Android Play Store? That, and we have Xerox printers that are leaking credentials via some vulnerabilities. We should talk about that in today’s episode.
Today, we’re facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero day script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey guys, welcome back to another episode of Exploit Brokers.
I’m your host, Cipherceval. If you could do me a big favor, because it helps the channel grow: if you’re on YouTube, if you could give us a like, subscribe, and bell notification icon. And if you’re on a podcast platform, like Apple Podcasts or Spotify, if you could please give us a subscribe, follow, and give us a 5 star review if you think we deserve it.
So guys, we have an article by Bleeping Computer titled, “SpyLend Android malware downloaded 100,000 times from Google Play.” When you have an Android device, you have apps that can either be downloaded from Google Play, which is the equivalent of the Apple App Store.
You have side loading, which lets you load whatever app or APK you want onto it. And then you have third party stuff like F-Droid and other pretty much Play Store equivalents, but not officially sanctioned by Google. And usually when you’re talking about malware, a lot of the malware comes from the side loading and from the unauthorized app stores.
And the reason is that because they’re not directly with Google, a lot of hackers and malicious actors tend to submit either backdoored or fake apps to these different stores in hopes that users will download them. What we’re seeing here is an actual malicious app that bypasses some of the protections that Google Play tends to try to put in.
And because they were able to bypass it, they were able to get downloaded a lot. And because they’re from the Play Store, they have this inherent trust. So as we dive into the article, I’ll break down some of the interesting things. It’s doing a bit of obfuscation. It’s doing some loading that is nonconventional, but stuff that I’ve seen in different kinds of malware before, in a quote unquote legitimate app that’s on the Play Store.
But in reality, it was just something that got past the filters and ended up being a malicious app that got taken down. An Android malware app called SpyLend has been downloaded over 100,000 times from Google Play, where it masqueraded as a financial tool, but became a predatory loan app for those in India.
The app falls under a group of malicious Android applications called SpyLoan, which is interesting, I’ve never heard that term before. SpyLoan apps pretend to be legitimate financial tools or loan services, but instead steal data from devices for use in predatory lending. So predatory lending, whenever you’re going into any of that, then you’re thinking loan sharks, payday loans, et cetera, things that, on the surface, look like they’re helping somebody, right? There’s a loan, there’s money, but then you look at the terms and it’s 100%, 200%, 300% interest. It gets ridiculous. When you talk about predatory, it becomes this vicious cycle that kind of preys on the people who fall victim to it.
These apps lure users with promises of quick and easy loans, often requiring little documentation and offering attractive terms. However, upon installation, they request excessive permissions, allowing the apps to steal personal data such as contacts, call logs, SMS messages, photos, and device location.
Now, this is something that I will caution as a general rule of thumb. If you download any kind of app from the Play Store or from the App Store or whatever, because this also pertains to iOS. If you download any kind of app and it’s wanting a billion types of permissions for stuff that it doesn’t seem like it would need, right?
If you’re talking about a note-taking app, then maybe it has to access your files so it can download and save stuff. Maybe it has to access your photos to be able to insert photos, right? But why would a note-taking app need to see your contacts or your device location, or to be able to send SMS messages? As you begin to think about your app, you got to think about what it is that this app is asking for.
Whether it’s legitimate or illegitimate, because there are some legitimate apps that do tend to abuse the permissions. I’m not gonna name which ones, but it does happen. So going on, this harvested information is then exploited to harass, extort, and blackmail users, especially if they fail to meet the apps’ repayment terms. This is where the predatory aspect comes in.
They will use whatever they have to try to make you pay, even if it hurts. So the cybersecurity firm CYFIRMA has discovered an Android app named Finance Simplified that claims to be a financial management application and has amassed 100,000 downloads on Google Play. So just because this is the only app that they found doesn’t mean it’s the only app like it out there.
So always be careful. But we’ll keep going on. However, CYFIRMA states that the app displays more malicious behavior in certain countries like India, where it steals data from users’ devices to be used in predatory lending. The researchers say they also discovered additional malicious APKs that appear to be variants of the same malware campaign, namely KreditApple, PokketMe, and StashFur. Although the app has now been removed from Google Play, it may continue to run in the background, collecting sensitive information from infected devices.
So just because an app has been removed from the Play Store doesn’t mean it’s not still on the device. And that is something that, for better or for worse, people have seen, right? With the recent TikTok ban that happened in the U.S., a lot of devices still kept that app on the device until the user uninstalled it or whatever.
If we think back several years, the same thing happened with the Flappy Bird game. Even though they took it down from the Play Store, the app still resided on the device. So here, just because Google Play identified it and removed it, you still have to have the users remove it. Now where it gets tricky is if a user is in repayment from this malicious app and then they delete it. Could there be further consequences, because it’s a predatory app to begin with?
That’s kind of going beside the point. We’re here to talk about mainly the app and kind of the cybersecurity implications. One of the interesting things is that there was a review, and I’m jumping to it. I’m going to paraphrase it just to keep this kind of family friendly, but the user who reviewed essentially said that they were given a low amount of money, but they paid a high amount of interest.
Otherwise, they were going to edit photos and blackmail the person. And this is where I’m talking about the predatory side. When you read stuff like that, that reads almost like something out of a movie. You have a loan shark who’s going to break kneecaps, if you will, if you don’t pay. Now, to evade detection on Google Play, Finance Simplified loads a WebView to redirect users to an external website from where they download a loan app APK hosted on an Amazon EC2 server.
So when you’re talking about a web view and you see this a lot on legitimate apps and you see this a lot on other kinds of apps. A web view is just a micro web browser that exists inside of an app, and that could happen for any reasons from like logging in to displaying certain kinds of information to sometimes there’s certain apps that are just a wrapper around a website while the web view is just a way to load up a website.
When we’re talking about Android and we’re talking about side loading and the other third party app stores, whenever you download the APK, which is the file you need, that’s essentially the app in question, right? The APK is what kind of surrounds that. You install the APK, which installs the app, and the APK holds information like metadata and stuff like that.
It’s kind of, to oversimplify, a zipped up file of the app. So when you get the APK downloaded and installed, you’re installing other things outside of that app that you initially installed, and they’re hosting this on Amazon EC2, which is a server that Amazon has, it’s a server offering they do.
The article even talks about how the location will dictate what gets served up to the user. The reason I find this kind of deceptive and the reason I find this concerning is users in India will get a display that shows a bunch of loan applications they can apply for, and users outside, or if there’s no internet or et cetera, it’ll show just calculators and stuff.
This is where it gets very interesting, because we’ve seen different kinds of malware essentially do obfuscation, anti reverse engineering mechanisms, where if it detects that it’s in the sandbox, if it detects that it’s being run somewhere it shouldn’t be, it doesn’t do the behavior that you want it to do.
The malicious behavior, and that’s to prevent researchers from trying to figure out what this malicious piece of software is doing. Well, in this case, it seems like they’re using a similar kind of mechanism. They’re trying to do some geolocation on the app, and if it’s outside of India, for some reason, then they’re determining, Hey, we don’t want to bother going down the malicious side of this app, let’s just give them a calculator, versus if the user is in India, they will push these malicious predatory apps.
Now I’m wondering if that’s because they have affiliations with these predatory lenders. I’m curious if this is because this is a network that they have up, or maybe it’s just because they know the laws well enough, or they operate within India. There are a lot of cybercrime and criminal organizations that understand certain kinds of laws in certain countries, so they tend to stay in those areas.
Now, what is being stolen by the app? Stuff like contacts, call logs, SMS messages, and device details, photos, videos, and documents from internal and external storage, live tracking data up to every three seconds, historical location data, IP address, the last 20 text entries copied into the clipboard, loan history, and banking SMS transaction messages.
Outside of just extorting and blackmailing victims, who knows what else they’re doing with this data? The article questions whether this is being sold to cyber criminals for a profit. Even if it’s not being sold for a profit, they’re probably using this to build up a profile on potential victims or cyber victims.
Everything gets sold or it gets leaked eventually. Whenever you have any kind of data on users, devices, et cetera, it’s going to make its way to the internet, which is going to make its way into the hands of people who may want to use it to their advantage. It’s sad, it really is. If you fell for this predatory scam, or this predatory loan, maybe you were short on money, maybe this was an easy way for you to get some cash, and now you’ve been thrown into a vicious cycle of lending.
Places like payday loans and rental places, and I’m not talking about like you rent it for a week, but you rent furniture and it’s ultimately like a 5,000 percent interest. A lot of these tend to take advantage of some of the most disadvantaged. They take advantage of those who don’t have the money or maybe even the know-how to understand what they’re getting themselves into. This app, not only is it doing that, but then it’s using very shady and illegal practices in a lot of instances where it’s blackmailing and it’s taking photos and doing all this stuff to try to make the user pay.
That sounds like something out of a movie. It really is sad. If you know someone who’s been through this, or if you’re just aware of people who don’t necessarily know this, please share this with them. You have a lot of people who I think would fall victim to this, and just because this one app is being used in India doesn’t mean that this isn’t gonna start making its way to other places.
Now the article does say that, Hey, if you think you were infected, remove it, scan it, reset permissions. As a general rule of thumb, if you ever install something that is iffy, yes, you do want to reset permissions. You want to change your passwords. You want to remove it. And if possible, maybe try to factory reset your device, clear out as much of that as possible.
There is always a possibility that there’s some really advanced stuff, but for the most part, a factory reset takes care of most things. I’m not going to say it takes care of everything, but it takes care of a lot of things. Now, if you’re also loading stuff outside of the Google Play Store, I’m going to caution you, because unless you know where the app is coming from, or unless you trust the source that it’s coming from, Google Play is generally your best bet to download non-malicious stuff.
In this case, they were able to bypass the protections, and that will happen. This isn’t going to be the last app that can bypass Google Play’s all-seeing eye. The Google Play Store is a good first line of defense against malicious apps. Not always, as we saw with this, but it is a good starting point, versus other places, where you don’t always know where that app is coming from.
From there you have to be a bit more tech savvy to make sure you understand what you’re getting yourself into with that. Let’s go ahead and jump into the printers. In an article by Dark Reading, “Xerox printer vulnerabilities enable credential capture.”
Attackers are using patched bugs to potentially gain unfettered access to an organization’s Windows environment under certain conditions. This is not a zero day. I will preface this because it sounds really cool, it sounds really interesting, but this is not a zero day. At least not anymore. This is a patched vulnerability, and there are CVEs that are linked to it.
Something you’ll hear me say on this a lot, and I will always emphasize, is update your stuff. Update your neighbor’s stuff, update everybody. A lot of the times we see that vulnerabilities get exploited after they’ve been patched, because there is a time between the patch being released and admins understanding what needs to get updated.
Admins being able to get to the stuff that needs to get updated. When you’re talking about a printer, a printer is kind of like that one device that, although everyone needs it, tends to be the most problematic in an environment. You always hear the jokes that the printer’s not working. There’s that movie Office Space where it references the printer and they hate the printer.
Whether users have a printer at home, printers are kind of like the very painful thing that no one wants to deal with. And the people that do dislike the printers because they cause the most technical issues. A lot of the times restarting it works. A lot of the times you got to figure out the IP address to be able to connect to it.
And you got to set up a user, and there’s this whole lore, if you will, to printers. With that, though, a popular small and mid range Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization’s Windows environment.
The vulnerabilities affect firmware versions 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enabled what are known as passback attacks, a class of attack that essentially allows a bad actor to capture user credentials by manipulating the MFP’s configuration. So let’s summarize that and then we’ll go through the article.
Essentially, there’s these two vulnerabilities, these two flaws that allow an attacker to go in and change the configuration. It’ll try to do an authentication against the malicious server, which then leads to credentials being leaked.
If an app is trying to talk to a malicious server asking, Hey, is user ABC with password one, two, three authenticated? Well, guess what? You just leaked that user and that password. In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory.
According to researchers at Rapid7, who discovered the flaws, this means that they would move laterally within an organization’s environment and compromise other critical Windows servers and file systems. That is something I didn’t mention, but it is a very key thing.
This is not something that attackers can take advantage of to get into a system. But this is something that attackers that are in the system can use to move laterally, to figure out higher value credentials, admin credentials, database credentials, pretty much to figure out ways to get into other systems or elevate the privileges on the existing system. Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, which is Xerox technology that allows customers to interact with printers over the cloud and via mobile devices.
The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510, with a CVSS score of 6.7, and that is an LDAP passback vulnerability, and CVE-2024-12511, CVSS score 7.6, an SMB/FTP passback vulnerability.
LDAP is essentially a lightweight directory protocol that allows a service to figure out where different users are, where different resources are. It’s a directory. And part of that does key into different authentication stuff, because you have to know where the user is, et cetera. And then you have SMB, which is Server Message Block, and FTP, which is File Transfer Protocol, and these are ways to share files and resources, or to transfer files up, things like that. I’m oversimplifying. These are different ways that the printer interacts with other resources on the network.
The passback comes into effect where, essentially, you get the service or whatever to talk to a malicious server and try to authenticate, and when it tries to authenticate, it leaks the credentials. The vulnerabilities, according to Rapid7, allow an attacker to change the MFP’s (that is, the printer’s) configuration so as to cause the printer to send a user’s authentication credentials to an attacker controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.
In such a situation, CVE-2024-12510 would allow an attacker to access the MFP’s LDAP configuration page and change the LDAP server IP address in the printer setting to point to their own malicious LDAP server. If an attacker is able to change the server in question to something that they control, a malicious server, then all the requests that the LDAP would be doing are going to them. They can then use that to take advantage of some of the clear text stuff that gets pushed across the network, and they can read credentials and understand more about the users that have access in that environment.
Now, CVE-2024-12511 has a similar credential capture when the SMB or FTP scan function is enabled. An attacker with admin level access can modify the SMB or FTP server IP address to their own malicious server and capture SMB or FTP authentication credentials. These two specific CVEs are able to manipulate the configuration via some vulnerability that occurs, and then from there, with the control of whatever server they’re going to, the malicious server, the authentication requests leak information that shouldn’t be leaked.
Generally the idea is whoever configures it is a trusted source. They’re configuring it to a valid LDAP or SMB server. The problem here is that the vulnerabilities allow an attacker to modify those configurations, which then makes it so they can point to a malicious server, which then means they can send authentication requests to their malicious server and try to harvest credentials. Once they’ve harvested these credentials, they can go and figure out, Hey, there’s other servers.
This credential is admin. This credential has access to a database, et cetera, et cetera, et cetera. Because even if they get read only access to a database, that’s still horrible. Because if an attacker gets read only access to the database, they can dump everything and get a copy of it. If they have admin level to some other service, whether that’s a web server, where they can mess with files and spread other mayhem, whether that’s write access to a server that contains, the version control or whatever, pretty much any way that they can move laterally or escalate their privileges is going to be a bad day for the company.
Now, the part that’s good, right? There are patches for this. So, if you’re an admin, if you know someone who’s an admin, go patch this. At the end of the day, a lot of the problems that come out of these kinds of problems, whether that’s something that’s been patched for a week or something that’s been patched for a year or something that’s been patched for 10 years, if you don’t update it, then the patch doesn’t do you any good.
That’s kind of this in a rough nutshell. There’s always going to be vulnerabilities. There’s always going to be issues that are cropping up and popping up with this kind of environment, but ultimately it’s up to us both to spread the information and to keep our stuff and our system as updated as possible.
But guys, this has been your host Cipherceval. I want to thank you for tuning in and I’ll see you in the next one.
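The permission check the host describes for the SpyLoan apps, written out as an added example (this is not code from the episode, from CYFIRMA, or from the Bleeping Computer article): a small Python script that reads the permissions an APK's AndroidManifest.xml declares and separates the ones a finance calculator plausibly needs from the ones that expose the data categories listed in the episode (contacts, call logs, SMS, photos and files, device location). The manifest, its package name and the "expected for a finance calculator" set are constructed assumptions for this example; the permission names themselves are standard Android ones.

```python
"""Triage the permissions an Android app requests against what its stated purpose
plausibly needs. Added example; the manifest below is constructed and belongs to
no real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that unlock the data categories the episode says SpyLoan apps
# harvest: contacts, call logs, SMS, photos/files, and device location.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.SEND_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "device location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.READ_MEDIA_IMAGES": "photos and files",
    "android.permission.READ_MEDIA_VIDEO": "photos and files",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# What a plain finance/loan calculator plausibly needs (an assumption made for
# this example): network access and nothing that touches personal data.
EXPECTED_FOR_FINANCE_CALCULATOR = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest: a "calculator" that also asks for contacts, call logs,
# SMS, location and storage, the pattern the episode describes.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.financecalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Finance Calculator"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every permission name declared with a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str, expected: set[str]) -> dict[str, list[str]]:
    """Bucket requested permissions: expected, sensitive-but-unexpected, other."""
    requested = requested_permissions(manifest_xml)
    unexpected = requested - expected
    return {
        "expected": sorted(requested & expected),
        "sensitive_unexpected": sorted(p for p in unexpected if p in SENSITIVE_PERMISSIONS),
        "other_unexpected": sorted(p for p in unexpected if p not in SENSITIVE_PERMISSIONS),
    }


def data_at_risk(manifest_xml: str) -> list[str]:
    """Data categories exposed if a user grants every requested permission."""
    requested = requested_permissions(manifest_xml)
    return sorted({SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS})


if __name__ == "__main__":
    report = triage(CONSTRUCTED_MANIFEST, EXPECTED_FOR_FINANCE_CALCULATOR)
    for bucket, perms in report.items():
        print(f"{bucket}:")
        for perm in perms:
            print(f"  {perm}")
    print("data at risk:", ", ".join(data_at_risk(CONSTRUCTED_MANIFEST)))
```

The useful output is the `sensitive_unexpected` bucket: for an app whose stated job is arithmetic, every entry there is a permission the user can deny at install or first use without losing any calculator functionality, which is exactly the "why does this app need my contacts" question the host asks listeners to apply.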
Note: This is a transcript of the episode.
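The passback problem the episode describes comes down to one question a defender can check mechanically: does every server the printer sends credentials to (LDAP bind, SMB and FTP scan destinations) still point where the administrator set it, and is the transport encrypted? The following Python audit is an added example, not Rapid7's research tooling or anything from Xerox; the key/value settings model, the approved server list, the internal address ranges and the two configuration snapshots are all constructed for illustration and do not reflect the VersaLink's real settings export format.

```python
"""Audit a network printer's outbound authentication and scan destinations for
passback-style repointing. Added example with a constructed, generic settings
model; hostnames and addresses are made up (203.0.113.0/24 is a documentation range)."""
from dataclasses import dataclass
import ipaddress

# Servers the printer is allowed to authenticate against or deliver scans to
# (constructed for this example).
APPROVED_SERVERS = {"ldap.corp.example", "files.corp.example", "10.0.5.20"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Settings that name a server the printer will present credentials to.
CREDENTIAL_BEARING_SETTINGS = {
    "ldap.server": "LDAP",
    "scan.smb.server": "SMB",
    "scan.ftp.server": "FTP",
}

# Known-good snapshot recorded when the printer was commissioned (constructed).
BASELINE = {
    "ldap.server": "ldap.corp.example",
    "ldap.use_tls": "true",
    "scan.smb.server": "files.corp.example",
    "scan.ftp.server": "",
}

# Later snapshot in which the LDAP destination has been repointed and TLS
# switched off (constructed to show what the audit catches).
CURRENT = {
    "ldap.server": "203.0.113.45",
    "ldap.use_tls": "false",
    "scan.smb.server": "files.corp.example",
    "scan.ftp.server": "",
}


@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str
    detail: str


def is_internal(host: str) -> bool:
    """True if host is an approved name or an IP address inside an internal range."""
    if host in APPROVED_SERVERS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # an unlisted hostname is not trusted
    return any(addr in net for net in INTERNAL_NETS)


def audit_destinations(config: dict[str, str]) -> list[Finding]:
    """Flag credential-bearing destinations that are unapproved or unencrypted."""
    findings = []
    for key, proto in CREDENTIAL_BEARING_SETTINGS.items():
        host = config.get(key, "")
        if not host:
            continue  # feature disabled, so no credentials are sent
        if not is_internal(host):
            findings.append(Finding(key, "high", f"{proto} destination {host} is not an approved server"))
        if proto == "LDAP" and config.get("ldap.use_tls", "false") != "true":
            findings.append(Finding(key, "medium", "LDAP bind without TLS sends credentials in clear text"))
        if proto == "FTP":
            findings.append(Finding(key, "medium", "FTP has no encryption; scan credentials travel in clear text"))
    return findings


def changed_settings(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Keys whose value differs from the commissioning baseline (configuration drift)."""
    keys = set(baseline) | set(current)
    return sorted(k for k in keys if baseline.get(k) != current.get(k))


if __name__ == "__main__":
    for finding in audit_destinations(CURRENT):
        print(f"[{finding.severity}] {finding.setting}: {finding.detail}")
    print("drifted settings:", changed_settings(BASELINE, CURRENT))
```

Two checks do the work: the allowlist/internal-range test catches a destination that now points outside the organization, and the baseline comparison catches any change at all, which matters because a repointed server can be an internal host the attacker already controls. Run against the printer's exported settings on a schedule, the second check is what turns the "patched but not updated" window the host worries about into something the team can notice rather than discover after credentials are gone.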
📢 Connect with us:
Newsletter: https://follow.exploitbrokers.com
Twitter: @ExploitBrokers
Medium: https://medium.com/@exploitbrokers
TikTok: https://www.tiktok.com/@exploitbrokers
🔗 References & Sources
- Xerox: https://www.darkreading.com/iot/xerox-printer-vulnerabilities-credential-capture
- Malicious App: https://www.bleepingcomputer.com/news/security/spylend-android-malware-downloaded-100-000-times-from-google-play/