Vulnerability Intelligence
8
mins read

Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.

Mudit Bansal
April 28, 2023
Green Alert
Last Update posted on
February 3, 2024
Ensure your mobile applications are safe and sound.

Ensure the safety and integrity of your mobile applications with CloudSEK BeVigil Enterprise Mobile App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Rishika Desai
Coauthors image
Darshit Ashara
Coauthors image
Hansika Saxena

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another. Using a highly privileged device migration tool threat actors could move applications to a new Android device causing migration issues – which is why we warn against using other data migration apps: This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords. In certain applications such as WhatsApp, the actors can also bypass the 2FA mechanism.

This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on Whatsapp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.

In order to confirm and showcase our findings, CloudSEK researchers carried out a test on two Realme devices, namely RMX2170 and RMX3660, using the Clone Phone application. This application is a default feature that comes pre-installed on ColorOS-based devices such as Realme and Oppo. The same test was also verified on Oneplus and Oppo devices. However, it's worth noting that sharing app data from Samsung devices in a single click is currently not feasible. Hence, the test didn’t turn out successful on Samsung.

In summary, transferring data from an old phone to a new one includes the transfer of app data and sessions. Our investigation revealed certain applications that persist in running on the new device without invalidating session cookies. You can refer to the table below for a list of these applications.

Applications That failed to Invalidate Session Cookies

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay - BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

The Experiment

To validate the process as mentioned earlier for account takeover via invalidated session cookies, CloudSEK researchers conducted an experiment using two Realme devices. After the data was transferred from the victim's device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account. (For Proof of Concept please refer to the References section)

Screenshot depicting the accessibility of victim’s WhatsApp account on both devices

Even though the victim had activated WhatsApp 2FA, it wasn't asked on the new (attacker’s) device and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message. The only way to identify if your app data is copied onto another device and if someone else is sending messages on your behalf is by using Whatsapp Web. When a new device is linked after the transfer, messages from both devices are loaded onto the WhatsApp Web system. A user can check if there are any irregular conversations made from their account. To bypass this check a threat actor can simply delete the conversations.

The researchers tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login. 

Note - This vulnerability was reported to Meta security, they considered this to be a social engineering scenario, thereby disregarding it as a security issue.

Impact

Stealer logs are frequently used by cybercriminals to steal login credentials and other sensitive data. Once the malware is installed on the victim’s system, it silently collects records about the user’s activities and sends them back to the attacker’s server. This information can be used to gain access to the victim’s accounts.

Threat actors have also been noticed for using anonymous browsers which enable them to use stolen cookies and impersonate user’s gps and network location along with device IDs.

  • Unauthorized access: Attackers can use these hijacked sessions to gain unauthorized access to user accounts, sensitive data, and personal information.
  • Financial loss: Attackers can use these hijacked sessions to perform unauthorized transactions, leading to financial loss for the victim.
  • Reputation damage: Session hijacking can damage the reputation of the victim as threat actors could send inappropriate messages to the victim's contacts.

Mitigation Measures & Best Practices

  • Enable features like two-factor authentication to add an extra layer of protection to your accounts.
  • Regularly monitoring your device for unusual activity, this can help in detecting any potential security threats early on.
  • It's always a good idea to keep your devices locked when you're not using them, either by using a password, fingerprint or facial recognition.
  • You should also avoid leaving your devices unattended in public places where they could be accessed by others.

Conclusion

The above scenario, closely resembling those portrayed in movies, is an alarming example of a data theft technique where a threat actor takes advantage of individuals who do not secure their devices with passwords. In some cases, an individual may hand over their phone to an executive in a restaurant or mall who asks them to download an app to receive free rewards. The executive then uses this opportunity to scan a QR code and transfer data from the victim's device onto their own. This data may include sensitive information such as financial credentials, allowing the threat actor to gain access to the victim's digital wallets and transfer funds. Additionally, the attacker may review the victim's WhatsApp message history, using the information to blackmail the victim or request money from their contacts. 

To mitigate this threat, it is essential to secure your phone with a password. If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access, and to revoke permissions when the task is complete. Though it may seem overwhelming, it is critical to take these measures to protect against the loss of life savings due to such scams.

References

Author

Mudit Bansal

Threat Intelligence at CloudSEK

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Vulnerability Intelligence
April 10, 2024

Case Study: Uncovering a Critical Vulnerability in a Life Insurance App That Compromised User Privacy Through Exposed Sensitive Data and Live Activity

This detailed report which delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an Life Insurance Mobile Application for a prominent bank. 

Blog Image
Adversary Intelligence
January 17, 2024

Exposing Qwiklabs Email Misuse in Sneaky Payment Scams involving setting up UPI merchant accounts

CloudSEK’s Threat Intelligence team uncovered a new attack vector for soiling the brand reputation of organizations by supplementing existing scam infrastructure.

Blog Image
Adversary Intelligence
June 26, 2023

KYC Verification Evasions Leads to Exploitation of Virtual Cameras & App Emulators

CloudSEK's Threat Intelligence Team recently uncovered a comprehensive tutorial on bypassing selfie verification in a Russian-speaking Cybercrime Forum.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Vulnerability Intelligence

8

min read

Users of Popular Android Applications Risk Getting Compromised Via Highly Privileged Device Migration Tools

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another.

Authors
Mudit Bansal
Threat Intelligence at CloudSEK
Co-Authors
Rishika Desai
Darshit Ashara
Hansika Saxena

CloudSEK’s researchers identified that multiple applications do not invalidate or revalidate session cookies if app data is transferred from one device to another. Using a highly privileged device migration tool threat actors could move applications to a new Android device causing migration issues – which is why we warn against using other data migration apps: This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords. In certain applications such as WhatsApp, the actors can also bypass the 2FA mechanism.

This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on Whatsapp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.

In order to confirm and showcase our findings, CloudSEK researchers carried out a test on two Realme devices, namely RMX2170 and RMX3660, using the Clone Phone application. This application is a default feature that comes pre-installed on ColorOS-based devices such as Realme and Oppo. The same test was also verified on Oneplus and Oppo devices. However, it's worth noting that sharing app data from Samsung devices in a single click is currently not feasible. Hence, the test didn’t turn out successful on Samsung.

In summary, transferring data from an old phone to a new one includes the transfer of app data and sessions. Our investigation revealed certain applications that persist in running on the new device without invalidating session cookies. You can refer to the table below for a list of these applications.

Applications That failed to Invalidate Session Cookies

  • Canva
  • BookMyShow
  • WhatsApp
  • Snapchat
  • KhataBook
  • Telegram
  • Zomato
  • Whatsapp business
  • Strava
  • LinkedIn
  • Highway Drive
  • BlinkIT
  • Future pay - BigBazaar now owned by Reliance
  • Adani One
  • Clash of Clans, Clash Royal (Supercell)
  • Discord
  • Booking.com

The Experiment

To validate the process as mentioned earlier for account takeover via invalidated session cookies, CloudSEK researchers conducted an experiment using two Realme devices. After the data was transferred from the victim's device to the attacker’s device, the two applications (Whatsapp and Whatsapp Business) were accessible on both devices via the same account. (For Proof of Concept please refer to the References section)

Screenshot depicting the accessibility of victim’s WhatsApp account on both devices

Even though the victim had activated WhatsApp 2FA, it wasn't asked on the new (attacker’s) device and now both devices could send messages via the same account. However, the replies from the user on the other end will only be received on the device which sent the last message. The only way to identify if your app data is copied onto another device and if someone else is sending messages on your behalf is by using Whatsapp Web. When a new device is linked after the transfer, messages from both devices are loaded onto the WhatsApp Web system. A user can check if there are any irregular conversations made from their account. To bypass this check a threat actor can simply delete the conversations.

The researchers tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login. 

Note - This vulnerability was reported to Meta security, they considered this to be a social engineering scenario, thereby disregarding it as a security issue.

Impact

Stealer logs are frequently used by cybercriminals to steal login credentials and other sensitive data. Once the malware is installed on the victim’s system, it silently collects records about the user’s activities and sends them back to the attacker’s server. This information can be used to gain access to the victim’s accounts.

Threat actors have also been noticed for using anonymous browsers which enable them to use stolen cookies and impersonate user’s gps and network location along with device IDs.

  • Unauthorized access: Attackers can use these hijacked sessions to gain unauthorized access to user accounts, sensitive data, and personal information.
  • Financial loss: Attackers can use these hijacked sessions to perform unauthorized transactions, leading to financial loss for the victim.
  • Reputation damage: Session hijacking can damage the reputation of the victim as threat actors could send inappropriate messages to the victim's contacts.

Mitigation Measures & Best Practices

  • Enable features like two-factor authentication to add an extra layer of protection to your accounts.
  • Regularly monitoring your device for unusual activity, this can help in detecting any potential security threats early on.
  • It's always a good idea to keep your devices locked when you're not using them, either by using a password, fingerprint or facial recognition.
  • You should also avoid leaving your devices unattended in public places where they could be accessed by others.

Conclusion

The above scenario, closely resembling those portrayed in movies, is an alarming example of a data theft technique where a threat actor takes advantage of individuals who do not secure their devices with passwords. In some cases, an individual may hand over their phone to an executive in a restaurant or mall who asks them to download an app to receive free rewards. The executive then uses this opportunity to scan a QR code and transfer data from the victim's device onto their own. This data may include sensitive information such as financial credentials, allowing the threat actor to gain access to the victim's digital wallets and transfer funds. Additionally, the attacker may review the victim's WhatsApp message history, using the information to blackmail the victim or request money from their contacts. 

To mitigate this threat, it is essential to secure your phone with a password. If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access, and to revoke permissions when the task is complete. Though it may seem overwhelming, it is critical to take these measures to protect against the loss of life savings due to such scams.

References