Big Brother’s Malware | TechSNAP 169

Big Brother’s Malware | TechSNAP 169

It’s great to be a malware author, if your selling to the government, Bypassing PayPal’s two-factor authentication is easier than you might think. Plus a great batch of your questions and our answers and much, much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Flaw in mobile app allows attackers to bypass PayPal two-factor authentication

  • Researchers at Duo Security have produced a proof-of-concept app that is able to bypass the two-factor authentication when using the PayPal mobile app, allowing an attacker to transfer funds out of a PayPal account with only the username and password, without needing to provide the one-time password
  • The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team
  • “PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July”
  • Currently, the PayPal mobile apps do not support 2 factor authentication, meaning if you have 2FA enabled on your PayPal account, you cannot use the mobile app
  • The exploit tricks the PayPal app into ignoring the 2FA flag and allowing the mobile app to work anyway
  • The researchers found that in the PayPal mobile app, the only thing preventing a 2FA enabled account from working was a flag in the response from the server
  • After modifying that flag, it was found that the client could login, and transfer funds
  • The check to prevent 2FA enabled accounts from logging in without the one-time passwords appears to only be enforced on the client, not the server as it should be
  • Once logged in with a valid session_id, the proof-of-concept app is able to use the API to transfer funds
  • “There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing”
  • It is not clear how large the bug bounty on this vulnerability will be

“Hacking Team”

  • “Hacking Team” is an Italian company that develops “legal” spyware used by law enforcement and other government agencies all over the world
  • They originally came to light in 2011 after WikiLeaks released documents from 2008 where Hacking Team was trying to sell its software to governments
  • The software bills itself as “Offensive Security”, allowing LEAs to remotely monitor and control infected machines
  • The software claims to be undetectable, however when samples were anonymously sent to AV vendors in July of 2012, most scanners added definitions to detect some variants of the malware
  • In newly released research, Kaspersky has tracked the Command & Control (C2) servers used by “HackingTeam”
  • The countries with the most C2 servers include the USA, Kazakhstan, Ecuador, the UK and Canada
  • It is not clear if all of the C2 servers located in these countries are for the exclusive use of LEAs in those countries
  • “several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.”
  • The malware produced by Hacking Team has evolved to include modern malware for mobile phones
  • Although this is rarely seen, if it is only used by LEAs rather than for mass infection, this is to be expected
  • On a jail broken iOS device, the malware has the following features:
  • Control of Wi-Fi, GPS, GPRS
  • Recording voice
  • E-mail, SMS, MMS
  • Listing files
  • Cookies
  • Visited URLs and Cached web pages
  • Address book and Call history
  • Notes and Calendar
  • Clipboard
  • List of apps
  • SIM change
  • Live microphone
  • Camera shots
  • Support chats, WhatsApp, Skype, Viber
  • Log keystrokes from all apps and screens via libinjection
  • The Android version is heavily obfuscated, but it appears to target these specific applications:
  • android.calendar
  • com.facebook
  • The article also provides details about how mobile phones are infected. Connecting a phone to an already compromised computer can silently infect it. In addition, the research includes screenshots of the iOS “Infector”, that merely requires LEAs connect the phone to their computer, where they can manually infect it before returning it to the owner
  • Additional Coverage – ThreatPost
  • Additional Coverage – SecureList
  • Additional Coverage – SecureList – Original article on HackingTeam from April 2013


Round Up:

Question? Comments? Contact us here!