Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.

Mudit Bansal
April 28, 2023
Green Alert
Last Update posted on
February 3, 2024
Ensure your mobile applications are safe and sound.

Ensure the safety and integrity of your mobile applications with CloudSEK BeVigil Enterprise Mobile App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Rishika Desai
Coauthors image
Darshit Ashara
Coauthors image
Hansika Saxena

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another. Using a highly privileged device migration tool threat actors could move applications to a new Android device causing migration issues – which is why we warn against using other data migration apps: This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords. In certain applications such as WhatsApp, the actors can also bypass the 2FA mechanism.

This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on Whatsapp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.

In order to confirm and showcase our findings, CloudSEK researchers carried out a test on two Realme devices, namely RMX2170 and RMX3660, using the Clone Phone application. This application is a default feature that comes pre-installed on ColorOS-based devices such as Realme and Oppo. The same test was also verified on Oneplus and Oppo devices. However, it's worth noting that sharing app data from Samsung devices in a single click is currently not feasible. Hence, the test didn’t turn out successful on Samsung.

In summary, transferring data from an old phone to a new one includes the transfer of app data and sessions. Our investigation revealed certain applications that persist in running on the new device without invalidating session cookies. You can refer to the table below for a list of these applications.

Applications That failed to Invalidate Session Cookies

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay - BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

The Experiment

To validate the process as mentioned earlier for account takeover via invalidated session cookies, CloudSEK researchers conducted an experiment using two Realme devices. After the data was transferred from the victim's device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account. (For Proof of Concept please refer to the References section)

Screenshot depicting the accessibility of victim’s WhatsApp account on both devices

Even though the victim had activated WhatsApp 2FA, it wasn't asked on the new (attacker’s) device and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message. The only way to identify if your app data is copied onto another device and if someone else is sending messages on your behalf is by using Whatsapp Web. When a new device is linked after the transfer, messages from both devices are loaded onto the WhatsApp Web system. A user can check if there are any irregular conversations made from their account. To bypass this check a threat actor can simply delete the conversations.

The researchers tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login. 

Note - This vulnerability was reported to Meta security, they considered this to be a social engineering scenario, thereby disregarding it as a security issue.

Impact

Stealer logs are frequently used by cybercriminals to steal login credentials and other sensitive data. Once the malware is installed on the victim’s system, it silently collects records about the user’s activities and sends them back to the attacker’s server. This information can be used to gain access to the victim’s accounts.

Threat actors have also been noticed for using anonymous browsers which enable them to use stolen cookies and impersonate user’s gps and network location along with device IDs.

  • Unauthorized access: Attackers can use these hijacked sessions to gain unauthorized access to user accounts, sensitive data, and personal information.
  • Financial loss: Attackers can use these hijacked sessions to perform unauthorized transactions, leading to financial loss for the victim.
  • Reputation damage: Session hijacking can damage the reputation of the victim as threat actors could send inappropriate messages to the victim's contacts.

Mitigation Measures & Best Practices

  • Enable features like two-factor authentication to add an extra layer of protection to your accounts.
  • Regularly monitoring your device for unusual activity, this can help in detecting any potential security threats early on.
  • It's always a good idea to keep your devices locked when you're not using them, either by using a password, fingerprint or facial recognition.
  • You should also avoid leaving your devices unattended in public places where they could be accessed by others.

Conclusion

The above scenario, closely resembling those portrayed in movies, is an alarming example of a data theft technique where a threat actor takes advantage of individuals who do not secure their devices with passwords. In some cases, an individual may hand over their phone to an executive in a restaurant or mall who asks them to download an app to receive free rewards. The executive then uses this opportunity to scan a QR code and transfer data from the victim's device onto their own. This data may include sensitive information such as financial credentials, allowing the threat actor to gain access to the victim's digital wallets and transfer funds. Additionally, the attacker may review the victim's WhatsApp message history, using the information to blackmail the victim or request money from their contacts. 

To mitigate this threat, it is essential to secure your phone with a password. If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access, and to revoke permissions when the task is complete. Though it may seem overwhelming, it is critical to take these measures to protect against the loss of life savings due to such scams.

References

Author

Mudit Bansal

Threat Intelligence at CloudSEK

Predict Cyber threats against your organization

Related Posts

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

Exposing the Exploitation: How CVE-2024-23897 Led to the Compromise of Github Repos via Jenkins LFI Vulnerability

This blog details how CVE-2024-23897, a Local File Inclusion (LFI) vulnerability in Jenkins, was exploited to breach Github repositories. Attackers accessed sensitive files, decrypted credentials, and used them to infiltrate private repositories. The article underscores the need for timely patching, strong authentication, and regular security audits to mitigate such threats.

Behind the Advisory: Decoding Apple’s Alert and Spyware Dilemma

Apple warns of state-sponsored mercenary spyware attacks targeting iPhones in 92 countries. The tech giant links the sophisticated, costly attacks to private spyware firms like NSO Group's Pegasus, often working for governments.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Vulnerability Intelligence

8

min read

Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.

Authors
Mudit Bansal
Threat Intelligence at CloudSEK
Co-Authors

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another. Using a highly privileged device migration tool threat actors could move applications to a new Android device causing migration issues – which is why we warn against using other data migration apps: This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords. In certain applications such as WhatsApp, the actors can also bypass the 2FA mechanism.

This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on Whatsapp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.

In order to confirm and showcase our findings, CloudSEK researchers carried out a test on two Realme devices, namely RMX2170 and RMX3660, using the Clone Phone application. This application is a default feature that comes pre-installed on ColorOS-based devices such as Realme and Oppo. The same test was also verified on Oneplus and Oppo devices. However, it's worth noting that sharing app data from Samsung devices in a single click is currently not feasible. Hence, the test didn’t turn out successful on Samsung.

In summary, transferring data from an old phone to a new one includes the transfer of app data and sessions. Our investigation revealed certain applications that persist in running on the new device without invalidating session cookies. You can refer to the table below for a list of these applications.

Applications That failed to Invalidate Session Cookies

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay - BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

The Experiment

To validate the process as mentioned earlier for account takeover via invalidated session cookies, CloudSEK researchers conducted an experiment using two Realme devices. After the data was transferred from the victim's device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account. (For Proof of Concept please refer to the References section)

Screenshot depicting the accessibility of victim’s WhatsApp account on both devices

Even though the victim had activated WhatsApp 2FA, it wasn't asked on the new (attacker’s) device and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message. The only way to identify if your app data is copied onto another device and if someone else is sending messages on your behalf is by using Whatsapp Web. When a new device is linked after the transfer, messages from both devices are loaded onto the WhatsApp Web system. A user can check if there are any irregular conversations made from their account. To bypass this check a threat actor can simply delete the conversations.

The researchers tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login. 

Note - This vulnerability was reported to Meta security, they considered this to be a social engineering scenario, thereby disregarding it as a security issue.

Impact

Stealer logs are frequently used by cybercriminals to steal login credentials and other sensitive data. Once the malware is installed on the victim’s system, it silently collects records about the user’s activities and sends them back to the attacker’s server. This information can be used to gain access to the victim’s accounts.

Threat actors have also been noticed for using anonymous browsers which enable them to use stolen cookies and impersonate user’s gps and network location along with device IDs.

  • Unauthorized access: Attackers can use these hijacked sessions to gain unauthorized access to user accounts, sensitive data, and personal information.
  • Financial loss: Attackers can use these hijacked sessions to perform unauthorized transactions, leading to financial loss for the victim.
  • Reputation damage: Session hijacking can damage the reputation of the victim as threat actors could send inappropriate messages to the victim's contacts.

Mitigation Measures & Best Practices

  • Enable features like two-factor authentication to add an extra layer of protection to your accounts.
  • Regularly monitoring your device for unusual activity, this can help in detecting any potential security threats early on.
  • It's always a good idea to keep your devices locked when you're not using them, either by using a password, fingerprint or facial recognition.
  • You should also avoid leaving your devices unattended in public places where they could be accessed by others.

Conclusion

The above scenario, closely resembling those portrayed in movies, is an alarming example of a data theft technique where a threat actor takes advantage of individuals who do not secure their devices with passwords. In some cases, an individual may hand over their phone to an executive in a restaurant or mall who asks them to download an app to receive free rewards. The executive then uses this opportunity to scan a QR code and transfer data from the victim's device onto their own. This data may include sensitive information such as financial credentials, allowing the threat actor to gain access to the victim's digital wallets and transfer funds. Additionally, the attacker may review the victim's WhatsApp message history, using the information to blackmail the victim or request money from their contacts. 

To mitigate this threat, it is essential to secure your phone with a password. If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access, and to revoke permissions when the task is complete. Though it may seem overwhelming, it is critical to take these measures to protect against the loss of life savings due to such scams.

References