back to article Ho ho hosed: Asian biz malware pwns air-gaps, thousands of Androids

CloudSek security bod Rahul Sasi says an Asian software development company is stealing sensitive defence software source code from air-gapped computers while also using a malicious Christmas app to hose thousands of Android handsets. The penetration tester found the onslaught from an unnamed software company that was actively …

  1. gollux
    Trollface

    Pretty dang cool! Don't we just live in interesting times?

    Things will get better as time goes on!!! I just know it will!

  2. adnim
    Meh

    Degrees of naughtyness

    "It's malicious Android Santa game app is still hosted on the Google Play Store and is capable of stealing "basically everything" from phones"

    Just like every other Android App that requests access to contacts, sms, wifi, radio, sdcard contents etc. etc.

    If a malicious app can jump air gapped systems, the system is not air gapped. Wifi, Blutooth indeed any connectivity to a device that accesses the Internet access does not constitute an air gapped system. Or does the term air gapped simply mean a box without a cat5 cable attached?

    Don't these people realise that Santa will put them on the naughty list.

    1. Anonymous Coward
      Anonymous Coward

      Re: Degrees of naughtyness

      I understand your overall point, and it's also impossible to tell the accuracy of that claim from the scant details in the reg article, but jumping a gap has been demonstrated (with very specific circumstance).

      https://en.wikipedia.org/wiki/Air_gap_malware

    2. Robert Helpmann??
      Childcatcher

      Re: Degrees of naughtyness

      Or does the term air gapped simply mean a box without a cat5 cable attached?

      The writers of the Stuxnet virus would probably disagree... about the air gap part. I doubt they care much about Santa's list.

      "Air-gapped" means that the computers in question are not directly connected to outside networks. This does not mean that information cannot be moved to or from them (via sneakernet for example) or that the implementation was without flaw (e.g. it might be vulnerable to cross-talk attack through parallel copper cabling).

      1. Little Mouse

        Re: Degrees of naughtyness

        Tom Cruise was hacking air gapped computers twenty years ago...

    3. VinceH

      Re: Degrees of naughtyness

      "If a malicious app can jump air gapped systems, the system is not air gapped. Wifi, Blutooth indeed any connectivity to a device that accesses the Internet access does not constitute an air gapped system."

      If you read the linked post on the cloudsek.com site, it's explained more fully. The key part:

      "One of the features was a USB module that is capable of collecting data from air-gapped systems [No internet access] . This module copies important data from an infected system to a plugged-in USB device till it reaches an infect machine that has got internet access."

    4. Vic

      Re: Degrees of naughtyness

      Just like every other Android App that requests access to contacts, sms, wifi, radio, sdcard contents etc. etc.

      Indeed. Many apps are clearly asking for stuff they've no business having.

      But you want to see something really scary? Take a look at this page :-

      If an app requests a dangerous permission listed in its manifest, and the app already has another dangerous permission in the same permission group, the system immediately grants the permission without any interaction with the user

      I'm really not comfortable with that...

      Vic.

      1. cbars

        Re: Degrees of naughtyness

        Wank!

        There was we relying on the old "This app does not require any new permissions".

        Does it tell you in that prompt screen? I assume that is hidden as a "helpful" enabler.

        1. Vic

          Re: Degrees of naughtyness

          Does it tell you in that prompt screen?

          I found something at the bottom of the box when installing stuff from the Play Store. I forget the exact wording.

          For many groups, this isn't the end of the world. But for some - like phone access - it can turn "app may look at your phone ID" into "app can make phone calls and use SIP"[1]. That's a worry...

          Vic.

          [1] "Phone" group access. Grant any permission, the rest come without your say-so.

  3. x 7

    "the separate desktop malware was hopping air-gapped machines"

    I'd have a lot more belief in this report if it was explained just how the malware was jumping the gap.......as it stands (given the failure to actually name the offending company) the impression is rather that of an attention-seeking kiddy in class jumping up and down and saying "listen to me, listen to me". It all comes across as a small company - possibly a fake company - trying to attract attention and finance.

    I don't doubt that air-gapped capable malware exists. But I don't believe the details in this report

    1. Naich

      Sounds like utter bollocks to me. I could have all the malware in the world on my phone, blasting out sounds, heating and cooling itself, or any other method of crossing an air gap, but unless the air-gapped device has associated receiving malware already on it, nothing is going to happen,

      1. cbars

        "the separate desktop malware was hopping air-gapped machines"

        It's a company that, get this, produces multiple products. (I reluctantly use the word product)

        Not that it even had to be. What happens if you connect your little android handset to that air gapped machine to charge it up? Yea. Nice gap you've got there.

  4. sixit
    WTF?

    Why is the malware title masked?

    Why the hell would The Reg obscure the malware title? Shame on you!

    1. dotdavid

      Re: Why is the malware title masked?

      The original report from Cloudsek also obscures the title and doesn't mention the app's name, which I agree is unhelpful. El Reg evidently just used the same screenshots.

      1. mythicalduck

        Re: Why is the malware title masked?

        I assumed it would just be from the source material, but I also couldn't figure out why it was obscured.

        It's almost like - "Hey beware of this app - but to not let on to the crims, I'm not telling you which one it actually is"

  5. Nifty Silver badge

    Lets assume the vector is when someone connects their Android phone to an 'airgapped' machine via a USB cable, e.g. to charge it. Suddenly I begin to wonder if the Apple 'stupid tax' I'm paying might be worth the money after all.

    1. Anonymous Coward
      Anonymous Coward

      Are you saying that air-gapped machines actually have active USB ports available? All of ours have the front ones disconnected and the rear ones have a plate locked over them.

      1. Dadmin

        Check the wikipedia link above, I was as clueless about this as anyone and I've heard most all forms of hacking. It has nothing to do with USB, or wifi, or bluetooth, rather the malware can use those for storage or for additional vectors. The cute thing about this new Air Gap covert communications channel is that it's relying on high frequency sounds emenating from the speaker for a return channel, and the open mic to provide the send channel to the hacked device. Apparently it can work up to 60' away. You just need some air for the sounds to travel in and another device capable of doing the dirty work nearby, and for the victim to not put a dummy plug into the mic-in or headphone ports. Unless this naughty santa app is using this uber sophisticated comm setup, me thinks our writer may be overusing this term. :)

        I was thinking it had to with breaking into wifi-only devices for some reason, but this is much more interesting. It looks like these commhack boffins are also capable of using a standard computer's internal systems bus to generate cellphone-capable frequencies, again all without extra communications kit onboard.

        Kind of reminds me of an older Casio(?) watch that had a light sensor in it and you could feed the watch data via flashing light coming out of the monitor. Also how the Nintendo Duck Hunt light gun worked via feedback from the monitor. Light and sound hacking, I love it! Hope my young user has not downloaded this naughty santa app! Good time of year for another talk about online safety.

        Happy Holiday Hacking!

  6. razorfishsl

    A company smart enough to have air-gapped computers but too dumb to prevent mobile devices near it, deserve what they get.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021