We're all sick of Fortnite, but the flaw found in its downloader is the latest way to attack Android

Man-in-the-Disk technique able to add malicious files to a device's external storage


A newfound way to hack Android using a technique dubbed "Man-in-the-Disk" is central to the recent security flap about Fortnite on the mobile platform.

Man-in-the-Disk can circumvent sandboxes and infect a smartphone or tablet using shared external storage through a seemingly harmless Android application.

Sandboxing isolates applications from each other. The idea is that even if a malicious application found its way on to an Android device, it wouldn't be able to steal data associated with other apps.

Check Point researcher Slava Makkaveev explained, during a presentation at the DEF CON hacking jamboree in Las Vegas, how an application with no particularly dangerous or suspicious permissions can escape the sandbox.

The technique – named after the well-known Man-in-the-Middle type of attack – works by abusing calls to read or write to external storage, a routine function of mobile applications.

External storage is also often used to temporarily store data downloaded from the internet. An application may use the area to store supplementary modules that it installs to expand its functionality, like additional content or updates.

The problem is that any application with read/write access to the external storage can gain access to the files and modify them, adding something malicious. Google has already warned app developers to be wary of malfeasance in this area.
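Google's guidance for developers is to validate anything read back from external storage and to cryptographically verify such files before loading them. The sketch below is an added illustration, not code from Check Point, Google or Epic Games: it copies a file out of the shared area into a private directory, hashes the bytes as they are copied, and keeps the copy only if the digest matches, so a later rewrite of the shared file cannot change what gets used. The function names, paths and sample bytes are constructed, the expected digest is assumed to arrive over a trusted channel, and on Android the private directory would be the app's internal storage.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy a file from shared storage into a private directory, hashing the
    bytes as they are copied, and keep the copy only if the digest matches."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, private_path = tempfile.mkstemp(dir=private_dir)  # owner-only file
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
            for chunk in iter(lambda: src.read(65536), b""):
                digest.update(chunk)   # hash exactly the bytes that are kept
                dst.write(chunk)
        if digest.hexdigest() != expected_sha256.lower():
            raise ValueError("digest mismatch: shared file was altered")
    except Exception:
        os.unlink(private_path)        # never leave an unverified copy behind
        raise
    return private_path


def demo():
    """Constructed scenario: (clean_ok, copy_unaffected, tamper_rejected)."""
    with tempfile.TemporaryDirectory() as root:
        shared = Path(root) / "shared" / "module.bin"  # stands in for external storage
        private = os.path.join(root, "private")        # stands in for internal storage
        shared.parent.mkdir()
        original = b"constructed sample module v1"
        shared.write_bytes(original)
        # Assumption: the digest comes from a trusted source such as a signed manifest.
        expected = hashlib.sha256(original).hexdigest()
        staged = stage_and_verify(shared, private, expected)
        clean_ok = Path(staged).read_bytes() == original
        # Another app with storage access rewrites the shared file afterwards.
        shared.write_bytes(b"constructed sample module, modified")
        copy_unaffected = Path(staged).read_bytes() == original
        try:
            stage_and_verify(shared, private, expected)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True
        return clean_ok, copy_unaffected, tamper_rejected
```

Checking the file in place and opening it again afterwards would leave a gap between the check and the use; verifying the private copy closes it.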

Makkaveev discovered that not all app developers, not even Google employees or certain smartphone manufacturers, follow the advice. Makkaveev demonstrated exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, and Google Text-to-Speech, as well as system applications by LG and the Xiaomi browser.

He warned that vulnerable apps are likely numerous, an observation evidenced by events over the last few days.

Google researchers recently discovered that the same Man-in-the-Disk attack can be applied to the Android version of the popular game Fortnite. To download the game, users need to install a helper app first. This, in turn, is supposed to download the game files.

But by using the Man-in-the-Disk attack, a crook can trick the helper into installing a malicious application.

Fortnite's developer, Epic Games, is aware of this vulnerability and has already issued a new version of the installer. Players should be using version 2.1.0 to stay safe. If you have Fortnite already installed, remove it then reinstall from scratch using the patched version of the software.

Epic Games is none too pleased that Google went public with the exposure of Fortnite to this class of vulnerability, as previously reported. Kaspersky Lab CTO Nikita Shvetsov noted on Monday that the flaw stemmed from the same "Man-in-the-Disk" attack some Google apps were revealed as being vulnerable to earlier this month.

Kaspersky Lab's explanation of the Man-in-the-Disk vulnerability – and how consumers can minimise their exposure to the problem – can be found here. ®
