Google Online Security Blog

OSS-Fuzz: Five months later, and rewarding projects

May 8, 2017

Posted by Oliver Chang, Abhishek Arya (Security Engineers, Chrome Security), Kostya Serebryany (Software Engineer, Dynamic Tools), and Josh Armour (Security Program Manager)announcedOSS-Fuzzfuzzing471,000264

Breakdown of the types of bugs we’re finding

Notable results 1017338102597CVE-2017-3732timeout and out-of-memory failuresAnnouncing rewards for open source projects ideal integrationPatch Rewardsfuzz targets

Fuzz targets are checked into their upstream repository and integrated in the build system with sanitizer support (up to $5,000).

Fuzz targets are efficient and provide good code coverage (>80%) (up to $5,000).

Fuzz targets are part of the official upstream development and regression testing process, i.e. they are maintained, run against old known crashers and the periodically updated corpora (up to $5,000).

The last $5,000 is a “l33t” bonus that we may reward at our discretion for projects that we feel have gone the extra mile or done something really awesome.

reach outThe future

Protecting You Against Phishing

May 5, 2017

Posted by Mark Risher, Director, Counter Abuse Technologyphishing campaignHow the campaign worked and how we addressed it

Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detection.

Providing Safe Browsing warnings about dangerous links, within Gmail and across more than 2 billion browsers.

Preventing suspicious account sign-ins through dynamic, risk-based challenges.

Scanning email attachments for malware and other dangerous payloads.

How users can protect themselves

Take the Google Security Checkup, paying particular attention to any applications or devices you no longer use, as well as any unrecognized devices.

Pay attention to warnings and alerts that appear in Gmail and other products.

Report suspicious emails and other content to Google.

How G Suite admins can protect their users

Review and verify current OAuth API access by third-parties.

Run OAuth Token audit log reports to catch future inadvertent scope grants and set up automated email alerts in the Admin console using the custom alerts feature, or script it with the Reports API.

Turn on 2-step verification for your organization and use security keys.

Follow the security checklist if you feel that an account may be compromised.

Help prevent abuse of your brand in phishing attacks by publishing a DMARC policy for your organization.

Use and enforce rules for S/MIME encryption.

tips and tools

Next Steps Toward More Connection Security

April 27, 2017

Posted by Emily Schechter, Chrome Security Teambegan our questIncognito mode

Treatment of HTTP pages in Chrome 62

Our planchange in Chrome 56

Treatment of HTTP pages with user-entered data in Chrome 62easier and cheaper than ever beforeset-up guides

New Research: Keeping fake listings off Google Maps

April 6, 2017

Posted by Doug Grundman, Maps Anti-Abuse, and Kurt Thomas, Security & Anti-Abuse ResearchGoogle My Businesscharge exorbitant service fees for services“Pinning Down Abuse on Google Maps” International World Wide Web ConferenceWhat is a fake listing?selling knock-off products onlineHow does Google My Business verify information?Keeping deceptive businesses out — by the numberspiloting an advanced verification process

We detect and disable 85% of fake listings before they even appear on Google Maps.

We’ve reduced the number of abusive listings by 70% from its peak back in June 2015.

We’ve also reduced the number of impressions to abusive listings by 70%.

An Investigation of Chrysaor Malware on Android

April 3, 2017

Posted by Rich Cannings, Jason Woloz, Neel Mehta, Ken Bodzak, Wentao Chang, Megan RuthvenPotentially Harmful Applications targeted attackWhat is Chrysaor?NSO Group Technologiesfirst identified on iOSCitizen LabLookoutVerify AppsWhat is the scope of Chrysaor?

How we protect you

Identify PHAs using people, systems in the cloud, and data sent to us from devices

Warn users about or blocking users from installing PHAs

Continually scan devices for PHAs and other harmful threats

What do I need to do?

Install apps only from reputable sources: Install apps from a reputable source, such as Google Play. No Chrysaor apps were on Google Play.

Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.

Update your device: Keep your device up-to-date with the latest security patches.

Verify Apps: Ensure Verify Apps is enabled.

Locate your device: Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA.

How does Chrysaor work? ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Installing itself on the /system partition to persist across factory resets

Removing Samsung’s system update app (com.sec.android.fotaclient) and disabling auto-updates to maintain persistence (sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0)

Deleting WAP push messages and changing WAP message settings, possibly for anti-forensic purpose.

Starting content observers and the main task loop to receive remote commands and exfiltrate data.

Repeated commands: use alarms to periodically repeat actions on the device to expose data, including gathering location data.

Data collectors: dump all existing content on the device into a queue. Data collectors are used in conjunction with repeated commands to collect user data including, SMS settings, SMS messages, Call logs, Browser History, Calendar, Contacts, Emails, and messages from selected messaging apps, including WhatsApp, Twitter, Facebook, Kakoa, Viber, and Skype by making /data/data directories of the apps world readable.

Content observers: use Android’s ContentObserver framework to gather changes in SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.

Screenshots: captures an image of the current screen via the raw frame buffer.

Keylogging: record input events by hooking IPCThreadState::Transact from /system/lib/libbinder.so, and intercepting android::parcel with the interface com.android.internal.view.IInputContext.

RoomTap: silently answers a telephone call and stays connected in the background, allowing the caller to hear conversations within the range of the phone's microphone. If the user unlocks their device, they will see a black screen while the app drops the call, resets call settings and prepares for the user to interact with the device normally.

Via a command from the server

Autoremove if the device has not been able to check in to the server after 60 days

Via an antidote file. If /sdcard/MemosForNotes was present on the device, the Chrysaor app removes itself from the device.

Samples uploaded to VirusTotal

Additional digests with links to Chrysaor

here

Updates to the Google Safe Browsing’s Site Status Tool

March 29, 2017

Posted Deeksha Padma Prasad and Allison Miller, Safe BrowsingGoogle Safe BrowsingSite Status ToolSafe Browsing Transparency ReportTransparency Report,Site Status Tool

Site Status Toolmalware dashboard section of the reportSafe Browsing’s Transparency ReportSearch Console

Reassuring our users about government-backed attack warnings

March 24, 2017

Posted by Shane Huntley, Google Threat Analysis GroupSince 2012here

In order to secure some of the details of our detection, we often send a batch of warnings to groups of at-risk users at the same time, and not necessarily in real-time. Additionally, we never indicate which government-backed attackers we think are responsible for the attempts; different users may be targeted by different attackers.

Security has always been a top priority for us. Robust, automated protections help prevent scammers from signing into your Google account, Gmail always uses an encrypted connection when you receive or send email, we filter more than 99.9% of spam — a common source of phishing messages — from Gmail, and we show users when messages are from an unverified or unencrypted source.

An extremely small fraction of users will ever see one of these warnings, but if you receive this warning from us, it's important to take action on it. You can always take a two-minute Security Checkup, and for maximum protection from phishing, enable two-step verification with a Security Key.

Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review

March 22, 2017

Posted by Adrian Ludwig & Mel Miller, Android Security Teamfull Year in Review reportwebinar
Protecting users from PHAsPotentially Harmful Apps (PHAs)

Now 0.016 percent of installs, trojans dropped by 51.5 percent compared to 2015

Now 0.003 percent of installs, hostile downloaders dropped by 54.6 percent compared to 2015

Now 0.003 percent of installs, backdoors dropped by 30.5 percent compared to 2015

Now 0.0018 percent of installs, phishing apps dropped by 73.4 percent compared to 2015

New security protections in Nougatvariety of new protections in Nougatstrengthen the security of the Linux Kernel

Encryption improvements: In Nougat, we introduced file-based encryption which enables each user profile on a single device to be encrypted with a unique key. If you have personal and work accounts on the same device, for example, the key from one account can’t unlock data from the other. More broadly, encryption of user data has been required for capable Android devices since in late 2014, and we now see that feature enabled on over 80 percent of Android Nougat devices.

New audio and video protections: We did significant work to improve security and re-architect how Android handles video and audio media. One example: we now store different media components into individual sandboxes, where previously they lived together. Now, if one component is compromised, it doesn’t automatically have permissions to other components, which helps contain any additional issues.

Even more security for enterprise users: We introduced a variety of new enterprise security features including “Always On” VPN, which protects your data from the moment your device boots up and ensures it isn't traveling from a work phone to your personal device via an insecure connection. We also added security policy transparency, process logging, improved wifi certification handling, and client certification improvements to our growing set of enterprise tools.

Working together to secure the Android ecosystem.launched our monthly security updates program

More than 735 million devices from 200+ manufacturers received a platform security update in 2016.

We released monthly Android security updates throughout the year for devices running Android 4.4.4 and up—that accounts for 86.3 percent of all active Android devices worldwide.

Our carrier and hardware partners helped expand deployment of these updates, releasing updates for over half of the top 50 devices worldwide in the last quarter of 2016.

A/B updatespaid researchers nearly $1 million dollars

Detecting and eliminating Chamois, a fraud botnet on Android

March 13, 2017

Posted by Security Software Engineers—Bernhard Grill, Megan Ruthven, and Xin Zhao

Potentially Harmful Applications

Generating invalid traffic through ad pop ups having deceptive graphics inside the ad

Performing artificial app promotion by automatically installing apps in the background

Performing telephony fraud by sending premium text messages

Downloading and executing additional plugins

Interference with the ads ecosystem

We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems.

Verify Apps

Under Chamois's hood

Chamois was one of the largest PHA families seen on Android to date and distributed through multiple channels. To the best of our knowledge Google is the first to publicly identify and track Chamois.

Multi-staged payload: Its code is executed in 4 distinct stages using different file formats, as outlined in this diagram.

Self-protection: Chamois tried to evade detection using obfuscation and anti-analysis techniques, but our systems were able to counter them and detect the apps accordingly.

Custom encrypted storage: The family uses a custom, encrypted file storage for its configuration files and additional code that required deeper analysis to understand the PHA.

Size: Our security teams sifted through more than 100K lines of sophisticated code written by seemingly professional developers. Due to the sheer size of the APK, it took some time to understand Chamois in detail.

Google's approach to fighting PHAs

Verify Apps protects users from known PHAs by warning them when they are downloading an app that is determined to be a PHA, and it also enables users to uninstall the app if it has already been installed. Additionally, Verify Apps monitors the state of the Android ecosystem for anomalies and investigates the ones that it finds. It also helps finding unknown PHAs through behavior analysis on devices. For example, many apps downloaded by Chamois were highly ranked by the DOI scorer. We have implemented rules in Verify Apps to protect users against Chamois.

VRP news from Nullcon

March 2, 2017

Posted by Josh Armour, Security Program ManagerNullconGoogle Vulnerability Rewards ProgramTougher bugs, bigger rewardsAndroidChromeVRP siterescue.orgCloud Security ScannerGrowing the security research community in India2016’s VRP Year in Review

interesting trends

content

Security Blog

OSS-Fuzz: Five months later, and rewarding projects

Protecting You Against Phishing

Next Steps Toward More Connection Security

New Research: Keeping fake listings off Google Maps

An Investigation of Chrysaor Malware on Android

Updates to the Google Safe Browsing’s Site Status Tool

Reassuring our users about government-backed attack warnings

Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review

Detecting and eliminating Chamois, a fraud botnet on Android

VRP news from Nullcon

Archive

Feed

Company-wide

Products

Developers