CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies when app data is transferred from one device to another. Using a highly privileged device migration tool, a threat actor can move an application, together with its stored sessions, to a new Android device; this is also why we warn against using third-party data migration apps. In practice, anyone who gets physical access to your unlocked device for a few minutes can copy your app data onto their own device and then use those applications on your behalf, without ever entering a login ID or password. In certain applications, such as WhatsApp, the actor also bypasses the 2FA mechanism.
The issue occurs because the secret keys that WhatsApp stores on the device are copied to the new phone along with the rest of the app data. From WhatsApp’s side the two devices are indistinguishable, since both present the same credentials when authenticating to its servers.
To confirm and showcase the finding, CloudSEK researchers tested two Realme devices, RMX2170 and RMX3660, using the Clone Phone application, which comes pre-installed on ColorOS-based devices such as Realme and Oppo. The same result was reproduced on OnePlus and Oppo devices. Samsung devices do not currently offer a one-click transfer of app data, so the test did not succeed on Samsung.
In summary, transferring data from an old phone to a new one also transfers app data and the sessions inside it. Our investigation found several applications that keep working on the new device without invalidating their session cookies; the table below lists them.
To validate this account-takeover path via non-invalidated session cookies, CloudSEK researchers ran the experiment on the two Realme devices. After the data was transferred from the victim’s device to the attacker’s device, both applications tested (WhatsApp and WhatsApp Business) were usable on both devices under the same account. (For the proof of concept, see the References section.)
Even though the victim had enabled WhatsApp 2FA, it was not requested on the new (attacker’s) device, and both devices could now send messages from the same account. Replies from the other party, however, arrive only on whichever device sent the last message. The only way we found for a user to detect that their app data has been copied and that someone else is messaging on their behalf is through WhatsApp Web: when a new device is linked after the transfer, messages from both devices are loaded into WhatsApp Web, and the user can look for conversations they did not have. A threat actor can defeat this check simply by deleting those conversations.
The researchers tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login.
Note: this issue was reported to Meta Security, which classed it as a social engineering scenario and did not treat it as a security vulnerability.
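What the WhatsApp behaviour above lacks, and the Instagram behaviour has, is some server-side notion that the session arriving from the second handset is not the one it issued. As an added illustration (not WhatsApp’s, Meta’s or CloudSEK’s code; a hypothetical server and client constructed for this page), the Python simulation below shows two checks a backend can run against a cloned session: binding the session to a key that lives in hardware-backed storage the clone tool cannot copy, and rotating refresh tokens so that when two copies of one session both try to refresh, the second one presents an already-used token and the whole session family is revoked. The shared HMAC "device key" is a stand-in for an Android Keystore asymmetric key whose public half the server would hold; `SessionServer`, `Phone`, `clone_phone` and `simulate` are names assumed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side record for one login; every refresh token ever issued to it forms a 'family'."""
    family: str
    current_refresh: str
    device_key: bytes                      # simulation: shared secret in place of a Keystore public key
    revoked: bool = False
    issued: set = field(default_factory=set)


class SessionServer:
    """Hypothetical backend constructed for this page (not WhatsApp's)."""

    def __init__(self):
        self.sessions = {}

    def login(self, device_key):
        family, token = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[family] = Session(family, token, device_key, issued={token})
        return family, token

    def challenge(self):
        return secrets.token_bytes(16)

    def verify_device(self, family, nonce, proof):
        """Check 1: the caller must prove possession of the key enrolled at login."""
        s = self.sessions[family]
        expected = hmac.new(s.device_key, nonce, hashlib.sha256).digest()
        return (not s.revoked) and hmac.compare_digest(expected, proof)

    def refresh(self, family, presented):
        """Check 2: rotate the refresh token; a replay of any earlier token kills the family."""
        s = self.sessions[family]
        if s.revoked:
            return None
        if presented != s.current_refresh:
            if presented in s.issued:
                s.revoked = True          # stale but genuine token: a second copy of this session exists
            return None
        s.current_refresh = secrets.token_hex(16)
        s.issued.add(s.current_refresh)
        return s.current_refresh


class Phone:
    """`keystore` models hardware-backed, non-exportable keys; `app_data` is what a clone tool copies."""

    def __init__(self):
        self.keystore = {}
        self.app_data = {}

    def enrol(self, server):
        self.keystore["device"] = secrets.token_bytes(32)
        family, token = server.login(self.keystore["device"])
        self.app_data = {"family": family, "refresh": token}

    def prove(self, nonce):
        key = self.keystore.get("device")
        return hmac.new(key, nonce, hashlib.sha256).digest() if key else b""

    def refresh(self, server):
        new = server.refresh(self.app_data["family"], self.app_data["refresh"])
        if new is not None:
            self.app_data["refresh"] = new
        return new is not None


def clone_phone(src):
    """Model of the migration: app data is copied byte for byte, Keystore material is not."""
    dst = Phone()
    dst.app_data = dict(src.app_data)
    return dst


def simulate():
    server = SessionServer()
    victim = Phone()
    victim.enrol(server)
    attacker = clone_phone(victim)
    family = victim.app_data["family"]

    # Check 1: both handsets hold the same session id, but only the original can answer the challenge.
    nonce = server.challenge()
    victim_ok = server.verify_device(family, nonce, victim.prove(nonce))
    clone_ok = server.verify_device(family, nonce, attacker.prove(nonce))

    # Check 2: suppose the server had no device binding. Both copies hold the same refresh
    # token; whichever refreshes first wins, and the other's replay reveals the clone.
    clone_refreshed = attacker.refresh(server)
    victim_refreshed = victim.refresh(server)

    return {
        "victim_passes_challenge": victim_ok,
        "clone_passes_challenge": clone_ok,
        "clone_refresh_succeeds": clone_refreshed,
        "victim_refresh_succeeds": victim_refreshed,
        "family_revoked": server.sessions[family].revoked,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Two caveats apply. The second check is order-independent: had the victim refreshed first, the attacker’s replay would have been the one to trip revocation, so the outcome in either case is that both copies are logged out and the legitimate user re-authenticates, which is what Instagram did in the test above. And on the client side, Android’s `android:allowBackup` and `android:dataExtractionRules` manifest settings let an app exclude its session files from cloud backup and device-to-device transfer, but an OEM migration tool running with system privileges is not bound by app-level rules, which is exactly why the server-side checks matter.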
Information-stealer malware is frequently used by cybercriminals to harvest login credentials and other sensitive data. Once installed on the victim’s system, it silently collects records of the user’s activity, including saved passwords and session cookies, and sends them back to the attacker’s server as "stealer logs", which can then be used to access the victim’s accounts.
Threat actors have also been observed using anti-detect ("anonymous") browsers, which let them load stolen cookies and spoof the victim’s GPS and network location along with device identifiers.
The scenario above, which closely resembles something out of a movie, is an alarming example of a data theft technique that preys on people who do not lock their devices. In some cases a person hands their phone to a sales executive in a restaurant or mall who asks them to install an app in return for free rewards. The executive uses the opportunity to scan a QR code and transfer data from the victim’s device to their own. That data may include financial credentials, giving the threat actor access to the victim’s digital wallets and the ability to transfer funds; the attacker may also read the victim’s WhatsApp message history and use it to blackmail the victim or request money from their contacts.
To mitigate this threat, lock your phone with a PIN, password or biometric, and never hand an unlocked device to someone else to install an app on your behalf; if you cannot install it yourself, skip it. Review the permissions an app asks for before granting them, and revoke them once the task is complete. These measures may seem burdensome, but they are what stands between such scams and your life savings.