Welcome back to this week's Security Bulletin!

Over 4,000 Android Apps Expose Users' Data via Misconfigured Firebase Databases

All Android apps must request permission to access sensitive user data (such as contacts and SMS messages) and certain system features (such as the camera and the Internet). Depending on the feature, the system may grant the permission automatically or prompt the user to accept the request. The purpose of these permissions is to protect the privacy of an Android user.

Over 4,000 Android apps using Google Firebase cloud databases leak confidential information, including email addresses, phone numbers, usernames, passwords, full names, chat messages, and location data.

An investigation led by Microsoft's Security Officer Bob Diachenko, in partnership with Comparitech, is the result of an analysis of 15,735 Android applications, which comprise about 18% of all applications in the Google Play store. "4.8 percent of mobile applications using Google Firebase to store user data are not properly protected, which allows anyone to access databases containing user personal information, access tokens, and other data without a password or any other authentication," said Comparitech.

In 2014, Google acquired Firebase, a popular mobile app development platform offering a variety of tools to help third-party app developers build apps, securely store app data and files, resolve issues, and engage with users through in-app messaging. Exposed databases can be found using Firebase's known REST API, which is used to access data stored on unprotected instances and returns it in JSON format, by simply suffixing "/.json" to a database URL (e.g. "https://~project_id~.firebaseio.com/.json").

Researchers have discovered that over 9,014 applications with write permissions aside from 155,066 apps have publicly exposed databases, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.

This is made even more complicated by search engines like Bing, which index the Firebase database URLs and so expose weak endpoints to anyone on the Internet. However, a Google search does not yield any results. This is not the first time Firebase databases have leaked personal information. Researchers at mobile security firm Appthority found a similar case two years ago, revealing 100 million data records. Users are advised to stick only to trusted apps and to be careful about the information they share with an app.
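On the developer side, the exposure described above comes down to the database's security rules. The following is an added example, not code from the researchers or from Firebase: a small auditor that walks a Realtime Database rules file and reports every path whose `.read` or `.write` rule is open. The sample rules and the function names are constructed for illustration.

```python
import json

# Constructed sample in Realtime Database rules format (not taken from any real app).
SAMPLE_RULES = json.loads("""
{
  "rules": {
    "public_feed": { ".read": true },
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "chat": { ".write": "true" }
  }
}
""")

def _verdict(rule):
    """Classify one .read/.write value; None means nothing to report."""
    if rule is True or (isinstance(rule, str) and rule.strip() == "true"):
        return "open to unauthenticated clients"
    if rule is False or (isinstance(rule, str) and rule.strip() == "false"):
        return None
    if isinstance(rule, str) and "auth" not in rule:
        return "condition never references auth; review"
    return None

def audit_rules(rules_doc):
    """Return (path, operation, reason) for every rule that needs attention.

    Rules cascade: access granted at a parent cannot be revoked by a child,
    so an open rule at "/" exposes the whole database over the REST API.
    """
    findings = []

    def walk(node, path):
        for op in (".read", ".write"):
            reason = _verdict(node[op]) if op in node else None
            if reason:
                findings.append((path or "/", op, reason))
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings
```

Running `audit_rules` on a rules file exported from your own project before release lists the paths that would answer an unauthenticated "/.json" request.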


New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data

The ComRAT malware uses Gmail to receive commands and exfiltrate data. Cybersecurity researchers today discovered a new version of the ComRAT backdoor, one of the earliest backdoors used by the Turla APT group. It uses Gmail's web interface to receive commands and exfiltrate sensitive data covertly.

ComRAT was seen in 2017. ComRAT v4 (or "Chinch" by the malware authors), as the new successor is called, uses an entirely new code base and is far more complicated than its earlier variants, according to ESET. It is known still to be in use as recently as January 2020, cybersecurity firm ESET said in a report shared with The Hacker News. The researchers identified at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.

The researchers said that the primary use of ComRAT is discovering, stealing, and exfiltrating confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim's central MS SQL Server database containing the organization's documents. ComRAT is typically installed via PowerShell, and it runs through three main modules: persistence, decryption, and loading into memory of the embedded executable or library.

The PowerShell loader injects a module called ComRAT orchestrator into the web browser, which employs two different channels - a legacy and an email mode. These channels receive commands from a C2 server and exfiltrate information to the operators. All the files related to ComRAT, except the orchestrator DLL and the scheduled task for persistence, are stored in a Virtual File System or VFS. The VFS is an abstract layer on top of a more concrete file system. The purpose of a VFS is to allow client applications to access different types of concrete file systems uniformly.

The "mail" mode works by reading the email address and authentication cookies located in the VFS, connecting to Gmail's basic HTML view, and parsing the inbox HTML page (using the gumbo HTML parser) to get a list of emails whose subject lines match the contents of the "subject.str" file in the VFS.

For each email that meets the above criteria, ComRAT proceeds by downloading the attachments (e.g. "document.docx", "documents.xlsx") and deleting the emails to avoid processing them a second time. Despite the ".docx" and ".xlsx" extensions in the filenames, the attachments are not documents themselves, but rather encrypted blobs of data that include a specific command to be executed: read/write files, execute additional processes, and gather logs.
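The mismatch between filename and content described above is something a mail gateway or triage script can check. The following is an added example, not ESET's tooling: it verifies that an attachment named ".docx" or ".xlsx" really is an Office Open XML ZIP container and flags opaque high-entropy data. The function names, verdict strings, the 7.0 entropy threshold, and both sample inputs are assumptions constructed for illustration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

OOXML_EXTENSIONS = (".docx", ".xlsx", ".pptx")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy or password-protected Office file

def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify_attachment(filename, data):
    """Return a verdict for an attachment whose name claims an Office Open XML type."""
    if not filename.lower().endswith(OOXML_EXTENSIONS):
        return "not-checked"
    if data.startswith(OLE_MAGIC):
        return "ole-container"  # review separately, not necessarily malicious
    # Genuine OOXML files are ZIP containers holding a [Content_Types].xml part.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" in zf.namelist():
                return "ok"
        return "zip-without-ooxml-parts"
    # Assumed threshold; needs a few KB of data to be meaningful.
    if shannon_entropy(data) > 7.0:
        return "opaque-high-entropy-blob"
    return "not-a-zip-container"

def make_sample_docx():
    """Constructed minimal OOXML-shaped ZIP, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

def make_sample_blob(size=4096):
    """Constructed stand-in for an encrypted blob: deterministic SHA-256 output."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32))
```

A non-"ok" verdict is a reason to look closer, not proof of compromise, since damaged or unusual files can fail the same check.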

In the final stage, the results of the commands get encrypted and stored in an attachment (with the double extension ".jpg.bfe"). This stored attachment is then sent as an email to a target address specified in the "answer_addr.str" VFS file.

The exfiltrated data comprises user details and security-related log files, which the operators use to check whether their malware samples were detected during a scan of the infected systems.

Based on the Gmail email distribution patterns over one month, ESET said the operators behind the campaign are working in the UTC+3 or UTC+4 time zones.

"Version four of ComRAT is a revamped malware family released in 2017," ESET researcher Matthieu Faou said. "Its most interesting features are the Virtual File System in FAT16 format and the ability to use the Gmail web UI to receive commands and exfiltrate data. Thus, it can bypass some security controls because it doesn't rely on any malicious domain."

It is now known that earlier versions of Agent.BTZ were responsible for infecting US military networks in the Middle East in 2008. In recent years, Turla is said to have been behind the compromise of the French Armed Forces in 2018 and the Austrian Foreign Ministry early this year.