The Daily Decrypt
Cuttlefish Catches Cloud Credentials, Call Center Crackdown, Dirty Stream Android Malware

In today’s episode, Microsoft reveals the “Dirty Stream” attack impacting Android apps, recognizing vulnerabilities in apps with over four billion installations like Xiaomi’s File Manager and WPS Office. Meanwhile, a new SOHO router malware named Cuttlefish targets cloud accounts and enterprise resources, allowing criminals to steal credentials and establish persistent access to cloud ecosystems. Law enforcement shuts down 12 fraudulent call centers in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon, arresting 21 suspects and preventing thousands of scam calls. Find more information using these URLs: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-dirty-stream-attack-impacting-android-apps/, https://www.helpnetsecurity.com/2024/05/02/cuttlefish-soho-routers/, https://www.bleepingcomputer.com/news/security/police-shuts-down-12-fraud-call-centres-arrests-21-suspects/

tags: Dirty Stream attack, Microsoft, Android apps, developers, Cuttlefish, malware, SOHO routers, cybercriminals, law enforcement, call centers, fraud, apprehended

search phrases:

  1. Preventing Dirty Stream attack in Android apps
  2. Cuttlefish malware and SOHO routers
  3. Protect devices from Cuttlefish malware
  4. Law enforcement crackdown on fraudulent call centers
  5. Stopping fraudulent calls in Europe
  6. Cybersecurity measures against malware attacks
  7. Securing Android apps from malicious attacks
  8. Preventing data theft in Android applications
  9. Law enforcement actions against cybercrime
  10. Measures to apprehend cybercriminals

May 3

Law enforcement officials in Europe shut down 12 call centers that were behind thousands of daily scam calls. They apprehended 21 individuals and seized assets of over 1 million euros.

How will this affect the amount of spam calls you get on a day to day basis?

The Cuttlefish malware is infiltrating SOHO routers and stealing account credentials for cloud services, creating a potential gateway for cybercriminals into company resources.

If you work from home, how can you prevent this malware from expanding throughout your own network?

And finally, the Dirty Stream attack discovered by Microsoft poses a threat to Android apps by allowing malicious apps to overwrite files in other applications' home directories.

How can Android developers prevent this type of attack? You’re listening to The Daily Decrypt.

Law enforcement conducted coordinated raids in Albania, Bosnia, Kosovo, and Lebanon, resulting in the closure of 12 fraudulent call centers responsible for thousands of scam calls each day.

German authorities, alongside international counterparts, arrested 21 individuals and seized approximately 1 million euros worth of evidence, including data carriers, documents, and cash.

This operation was named Operation Pandora, and it targeted a criminal network engaged in various fraudulent activities, but most notably fake police calls, investment fraud, and romance scams.

There have been over 28,000 fraudulent calls traced back to the arrested suspects, all within a 48-hour time frame, which just highlights the scale of this criminal enterprise.

So this whole project started back in December of 2023, when someone came into a bank and attempted to withdraw 100,000 euros. The bank teller was slightly suspicious, so they reported it to the actual police,

and it was later discovered that the individual attempting to withdraw that money was involved in a fake police officer scam.

From there, more than a hundred German investigators got down to work and intercepted and monitored conversations in real time. They secured over 1.3 million conversations and blocked 80 percent of all financial fraud attempts,

which they claim could have led to damages of up to 10 million euros.

So I’m sure we all hate scam calls just as much as I do, but I often forget the motives behind these scam calls are to cheat you out of money, usually. It’s become so easy to just grab a list of numbers and create robot calls to just see who bites.

But this is proof that there is a lot of money out there to be had by just calling people and asking for certain things, or pretending to be a police officer and saying, “Well, I can actually let you go for a thousand bucks,” which has actually happened to me before, or

unpaid fines at the courts, things that generally have confusion around them and involve money and urgency. People are more likely to pay. But I don’t know what this guy was getting into with a hundred thousand euros. He must have been really rich or something, I’m not sure, but I’m glad this is getting more and more attention,

because I would love for scam calls to be a thing of the past.

Alright, we’re back with some more news on SOHO routers. And if you don’t remember what that is, that stands for small home... Nope. I can never get it right. That stands for small office, home office. Which is where I work every day.

So I’m going to be paying particular attention to this one. But criminals are utilizing a new malware called Cuttlefish to target SOHO routers to steal account credentials for various cloud-based services like AWS, Cloudflare, and Docker, just to name a few.

And like I had mentioned, if you’re working from home like I do, your router is the gateway to your office or whatever resources you need to access to get the work done.

And what this malware will essentially do is listen for any time you’re entering in credentials to a cloud service, most likely part of your company’s infrastructure, and they’re going to harvest those credentials and use them against you or against the company. Up until this point, the only SOHO vulnerabilities we were reporting on were botnets and being part of something that doesn’t particularly affect your data. It was mostly being used for the resources offered by the router, but attackers got smart and they’re starting to realize that double-edged sword, right? They have access to the router, they might as well leverage the data that’s flowing through it, as well as

holding onto it for the potential of creating a botnet or DDoSing one of their targets.

And the article by Help Net Security linked in our show notes will have some more specifics about how the attack works and how you can prevent it. So, I highly encourage you to check that out. But, if you’re a SOHO router user, which you likely are to some degree,

make sure you change the password on your router. Don’t just use the one that came with it. Go in there, set it up, store it in a password manager for later.

And a lot of these SOHO routers make it pretty tough to use persistent storage, so this malware is likely living in RAM or a temporary storage, so if you just restart your router from time to time, it will decrease the odds that this affects you long term.

These routers are notoriously bad for security, and leave it up to the consumer almost entirely. So, if you’re listening to this, make sure you take this seriously because it is a very easy attack vector.

Especially if your router is public facing, like it has an open port to the internet. Which is why I’d highly recommend, once you change your password, going to check and make sure that you can’t access your router from the internet.

And finally, Microsoft has identified a new attack known as Dirty Stream that targets Android apps, allowing malicious apps to overwrite files in another app’s home directory, potentially leading to code execution and data theft.

This vulnerability stems from improper use of Android’s content provider system, which manages access to shared datasets among different apps.

And this system is supposed to incorporate security measures like data isolation or path validation to keep each app sort of self-contained, kind of like a virtual machine or a Docker instance, so that it’s really hard for other apps to talk to each other. Because in most cases, they shouldn’t need to.

So incorrect implementations of custom intents, the messaging objects facilitating communication between app components, can bypass these security measures, tricking apps into executing or storing files from malicious sources.

Now if you’ve made it this far in the episode, I likely don’t have to explain to you more use cases for this vulnerability or why it’s bad. But the Google Play Store can be a little bit more Wild Wild West-y than the Apple App Store. It’s much more common for Android users to download apps they found on the internet that weren’t through the Play Store.

Which leads to these malicious apps being now able to communicate with your bank app, or your social media app, or your password manager, etc. Like, all these things that should not be touched by other apps.

Now, for the end users, there’s not much you can do other than making sure your apps are up to date and you’re not downloading sketchy apps for any reason from unknown developers.

And keep listening to the Daily Decrypt for your updates. It looks like Google has added a section to their risks documentation for Android app developers that outlines this risk.

But nothing has been done about it so far. So I’m sure Google will get on this and push out a fix, so remember to make sure your device stays up to date so you can receive that security patch.
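The file-overwrite problem the host describes comes down to a receiving app trusting a file name supplied by another app’s content provider. The following is an added, stand-alone illustration written for this page; it is not code from Microsoft, Google, or any of the apps named in the episode. It replaces the Android calls with constructed values: in a real app the untrusted name would come from `ContentResolver.query(uri, ...)` reading `OpenableColumns.DISPLAY_NAME` and the bytes from `ContentResolver.openInputStream(uri)`. The package name, directory path and sample display names are made up for the example.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Stand-alone illustration of the Dirty Stream file-name problem (example code,
// not from any of the apps or vendors discussed). In a real Android app the
// untrusted string below would come from ContentResolver.query(uri, ...) reading
// OpenableColumns.DISPLAY_NAME; here it is a constructed sample so this runs
// with plain Java.
public class DirtyStreamNames {

    // Vulnerable pattern: trust the name the sending app's provider returned and
    // join it onto the receiver's private files directory. java.io.File does not
    // normalize "..", so a malicious provider chooses where the bytes land.
    static File naiveTarget(File privateDir, String providerDisplayName) {
        return new File(privateDir, providerDisplayName);
    }

    // Hardened pattern: treat the provider's name as hostile input. Refuse any
    // directory component outright (a legitimate display name is a bare file
    // name), then confirm the canonical path still lies inside privateDir.
    // Safer still is to ignore the provider's name and generate your own.
    static File safeTarget(File privateDir, String providerDisplayName) throws IOException {
        if (providerDisplayName == null || providerDisplayName.isEmpty()
                || providerDisplayName.equals(".") || providerDisplayName.equals("..")
                || providerDisplayName.indexOf('/') >= 0
                || providerDisplayName.indexOf('\\') >= 0
                || providerDisplayName.indexOf('\0') >= 0) {
            throw new IOException("rejected display name: " + providerDisplayName);
        }
        File candidate = new File(privateDir, providerDisplayName);
        String base = privateDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(base)) {
            throw new IOException("escapes private directory: " + providerDisplayName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a typical app-private directory (hypothetical
        // package name) and names a malicious provider might return next to an
        // ordinary-looking one.
        File privateDir = new File("/data/data/com.example.victim/files");
        List<String> samples = Arrays.asList(
                "invoice.pdf",
                "../shared_prefs/com.example.victim_preferences.xml",
                "../databases/accounts.db");
        for (String name : samples) {
            System.out.println("provider says: " + name);
            System.out.println("  naive target: " + naiveTarget(privateDir, name).getPath());
            try {
                System.out.println("  safe target:  " + safeTarget(privateDir, name).getPath());
            } catch (IOException e) {
                System.out.println("  safe target:  REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `javac DirtyStreamNames.java && java DirtyStreamNames`: the naive path for the two traversal names lands in `shared_prefs/` and `databases/`, outside the files directory the receiver meant to write to, while the hardened version rejects both and keeps only `invoice.pdf`. Rejecting any name with a separator, rather than stripping the directory part and continuing, is deliberate: a display name with `..` in it is not a formatting accident, it is a signal that the sending app is hostile.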
