Tag Archive for: OpenSource

RiskInDroid: Open-source risk analysis of Android apps


RiskInDroid (Risk Index for Android) is an open-source tool for quantitative risk analysis of Android applications based on machine learning techniques.


How RiskInDroid works

“A user should be able to quickly assess an application’s level of risk by simply glancing at RiskInDroid’s output, and they should be able to compare the app’s risk with others easily,” Gabriel Claudiu Georgiu, developer of RiskInDroid, told Help Net Security.

Unlike other tools, RiskInDroid does not consider only the permissions declared in the app manifest. It reverse-engineers the app to retrieve its bytecode and then infers, through static analysis, which permissions are actually used, extracting four sets of permissions for every analyzed app:

1. Declared permissions – Extracted from the app manifest.
2. Exploited permissions – Declared and used in the bytecode.
3. Ghost permissions – Not declared but with usages in the bytecode.
4. Useless permissions – Declared but never used in the bytecode.
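The four sets above are plain set operations over two inputs: the permissions declared in the manifest and the permissions implied by the framework APIs the bytecode calls. The following is an added example, not RiskInDroid's own code; the API-to-permission mapping and the sample app are constructed for illustration.

```python
"""Compute the four RiskInDroid-style permission sets for an Android app."""
from dataclasses import dataclass

# Constructed mapping from framework API methods to the permission they need.
# A real analyzer derives this from Android permission maps; these are illustrative.
API_PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
    "android.location.LocationManager.getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.net.ConnectivityManager.getActiveNetworkInfo": "android.permission.ACCESS_NETWORK_STATE",
    "java.net.URL.openConnection": "android.permission.INTERNET",
}


@dataclass(frozen=True)
class PermissionSets:
    declared: frozenset   # listed in the manifest
    exploited: frozenset  # declared and used in the bytecode
    ghost: frozenset      # used in the bytecode but never declared
    useless: frozenset    # declared but never used in the bytecode


def classify_permissions(declared, invoked_apis, api_map=API_PERMISSION_MAP):
    """Split permissions into the four sets from manifest and bytecode evidence.

    declared: <uses-permission> names from the manifest.
    invoked_apis: fully qualified methods found in the app's bytecode.
    Calls not present in api_map need no permission and are ignored.
    """
    declared = frozenset(declared)
    used = frozenset(api_map[a] for a in invoked_apis if a in api_map)
    return PermissionSets(
        declared=declared,
        exploited=declared & used,
        ghost=used - declared,
        useless=declared - used,
    )


# Constructed sample app: a manifest and the API calls found in its bytecode.
SAMPLE_MANIFEST = [
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.ACCESS_NETWORK_STATE",
]
SAMPLE_BYTECODE_CALLS = [
    "java.net.URL.openConnection",
    "android.telephony.TelephonyManager.getDeviceId",
    "android.location.LocationManager.getLastKnownLocation",
    "java.lang.String.length",  # needs no permission
]

if __name__ == "__main__":
    sets = classify_permissions(SAMPLE_MANIFEST, SAMPLE_BYTECODE_CALLS)
    for name in ("declared", "exploited", "ghost", "useless"):
        print(f"{name:9s} {sorted(getattr(sets, name))}")
```

In the sample, the location permission is a ghost permission (used but undeclared) and CAMERA and ACCESS_NETWORK_STATE are useless (declared but never exercised), which is exactly the over-privilege a reviewer would flag.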

“The precision and reliability of RiskInDroid have been tested on a large dataset made of more than 6,000 malware samples and 112,000 apps. We released everything to the public so our results could be easily reproduced and verified,” Georgiu added.

Future plans and download

“Currently there are no future versions planned. I just make sure everything works with the latest versions of Python and occasionally update the underlying libraries. Probably the most straightforward improvement would be to include other features in the analysis. Now, only permissions are considered, but we could also consider API calls and URLs that can be extracted through static analysis as we did for permissions,” Georgiu concluded.

RiskInDroid is available for free on GitHub.


Source…

Ransomware campaign targets popular open-source packages with cleverly hidden payload


An ongoing ransomware campaign hides its payload in an uncommon way by targeting popular open-source packages that typically receive nearly 15 million installations per week, according to new findings by Checkmarx and Phylum.

In a blog post, Checkmarx researchers said the campaign uses a form of typosquatting to target the popular “requests” package on Pypi and the “discord.js” package on NPM, and includes embedded ransomware. When executed, the ransomware encrypts files on the victim’s computer and demands payment of $100 in cryptocurrency to unlock them.

Unlike most open-source attacks where malicious packages are being executed upon installation, Alik Koldobsky, security researcher at Checkmarx, told SC Media that the payload is hidden in multiple strategic locations and only executes when the victims use the actual functions of the packages, which makes the campaign hard to detect by many security scanners.

The malware payload supports multiple operating systems, allowing the campaign to target a wider audience. In addition, attackers named the ransomware messages and infrastructure after the U.S. Central Intelligence Agency.

A detailed attribution has yet to be done, but researchers discovered clues through further investigation that imply the attacker is Russian — the Telegram user account associated with the attack has a Russian phone number, and the attacker interacts with researchers directly in Russian.

Screenshot of a conversation with the attacker in Russian (credit: Checkmarx)

Even after Checkmarx reported the attacks, the offender’s account is still able to publish potentially malicious packages on NPM and PyPi, where software supply chain attacks are rampant. Researchers say they will continue to monitor for any new activity.

Koldobsky warned that there would be more attacks from the same actors as well as copycats, simply because the method is easy and impactful.

Besides the campaign’s uncommon way of hiding its payload, it is rare yet not unknown for ransomware attackers to use open source as a delivery system, said Mike Parkin, senior technical engineer at Vulcan Cyber. In August, Sonatype discovered multiple malicious Python packages that embedded…

Source…

Open-source software risks persist, according to new reports


Open-source software (OSS) has become a mainstay of most applications, but it has also created security challenges for developers and security teams, challenges that may be overcome by the growing “shift left” movement, according to two studies released this week.

More than four out of five organizations (41%) don’t have high confidence in their open-source security, researchers at Snyk, a developer security company, and The Linux Foundation reveal in their report, The State of Open Source Security.

It also notes that the time to fix vulnerabilities in open-source projects has steadily increased over the last three years, more than doubling from 49 days in 2018 to 110 days in 2021.

The open-source debate: Productivity vs security

The report, based on a survey of more than 550 respondents, also notes that the average application development project has 49 vulnerabilities and 80 direct dependencies where a project calls open-source code. What’s more, the report found that less than half of organizations (49%) have a security policy for OSS development or usage. That number is worse for medium- to large-sized companies: 27%.

“Software developers today have their own supply chains,” Snyk Director of Developer Relations Matt Jarvis explains in a statement. “Instead of assembling car parts, they are assembling code by patching together existing open-source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns.”

Shifting security left reveals vulnerabilities sooner

Another survey—the AppSec Shift Left Progress Report—suggests better OSS security can be achieved by moving security “left” or closer to the beginning of the software development lifecycle. The report, based on the users’ experience of ShiftLeft’s Core product, found that 76% of new vulnerabilities were fixed within two sprints.

Source…
