Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

8
mins read time
CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.
Mudit Bansal
Published on
April 28, 2023
Blog Image

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another. Using a highly privileged device migration tool threat actors could move applications to a new Android device causing migration issues – which is why we warn against using other data migration apps: This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords. In certain applications such as WhatsApp, the actors can also bypass the 2FA mechanism.

This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on Whatsapp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.

In order to confirm and showcase our findings, CloudSEK researchers carried out a test on two Realme devices, namely RMX2170 and RMX3660, using the Clone Phone application. This application is a default feature that comes pre-installed on ColorOS-based devices such as Realme and Oppo. The same test was also verified on Oneplus and Oppo devices. However, it's worth noting that sharing app data from Samsung devices in a single click is currently not feasible. Hence, the test didn’t turn out successful on Samsung.

In summary, transferring data from an old phone to a new one includes the transfer of app data and sessions. Our investigation revealed certain applications that persist in running on the new device without invalidating session cookies. You can refer to the table below for a list of these applications.

Applications That failed to Invalidate Session Cookies

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay - BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

The Experiment

To validate the process as mentioned earlier for account takeover via invalidated session cookies, CloudSEK researchers conducted an experiment using two Realme devices. After the data was transferred from the victim's device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account. (For Proof of Concept please refer to the References section)

Screenshot depicting the accessibility of victim’s WhatsApp account on both devices

Even though the victim had activated WhatsApp 2FA, it wasn't asked on the new (attacker’s) device and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message. The only way to identify if your app data is copied onto another device and if someone else is sending messages on your behalf is by using Whatsapp Web. When a new device is linked after the transfer, messages from both devices are loaded onto the WhatsApp Web system. A user can check if there are any irregular conversations made from their account. To bypass this check a threat actor can simply delete the conversations.

The researchers tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login. 

Note - This vulnerability was reported to Meta security, they considered this to be a social engineering scenario, thereby disregarding it as a security issue.

Impact

Stealer logs are frequently used by cybercriminals to steal login credentials and other sensitive data. Once the malware is installed on the victim’s system, it silently collects records about the user’s activities and sends them back to the attacker’s server. This information can be used to gain access to the victim’s accounts.

Threat actors have also been noticed for using anonymous browsers which enable them to use stolen cookies and impersonate user’s gps and network location along with device IDs.

  • Unauthorized access: Attackers can use these hijacked sessions to gain unauthorized access to user accounts, sensitive data, and personal information.
  • Financial loss: Attackers can use these hijacked sessions to perform unauthorized transactions, leading to financial loss for the victim.
  • Reputation damage: Session hijacking can damage the reputation of the victim as threat actors could send inappropriate messages to the victim's contacts.

Mitigation Measures & Best Practices

  • Enable features like two-factor authentication to add an extra layer of protection to your accounts.
  • Regularly monitoring your device for unusual activity, this can help in detecting any potential security threats early on.
  • It's always a good idea to keep your devices locked when you're not using them, either by using a password, fingerprint or facial recognition.
  • You should also avoid leaving your devices unattended in public places where they could be accessed by others.

Conclusion

The above scenario, closely resembling those portrayed in movies, is an alarming example of a data theft technique where a threat actor takes advantage of individuals who do not secure their devices with passwords. In some cases, an individual may hand over their phone to an executive in a restaurant or mall who asks them to download an app to receive free rewards. The executive then uses this opportunity to scan a QR code and transfer data from the victim's device onto their own. This data may include sensitive information such as financial credentials, allowing the threat actor to gain access to the victim's digital wallets and transfer funds. Additionally, the attacker may review the victim's WhatsApp message history, using the information to blackmail the victim or request money from their contacts. 

To mitigate this threat, it is essential to secure your phone with a password. If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access, and to revoke permissions when the task is complete. Though it may seem overwhelming, it is critical to take these measures to protect against the loss of life savings due to such scams.

References

Related Posts

KYC Verification Evasions Leads to Exploitation of Virtual Cameras & App Emulators

CloudSEK's Threat Intelligence Team recently uncovered a comprehensive tutorial on bypassing selfie verification in a Russian-speaking Cybercrime Forum.

CVE-2023-20887 Leads to RCE in VMware Aria Operations for Networks

CVE 2023-20887 was discovered in the VMware Aria Operations with a CVSS score of 9.8 which leads to VMware Aria.

Blog Image
May 29, 2023

DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries

CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.