Mobile Vulnerability Database (MVD)




The Android operating system is the most widely used operating system for mobile devices. Android has around 82.8% (IDC) market share and is a favourite  target for attackers. One of the latest vulnerabilities, StageFright, allows the attacker to execute arbitrary code on an Android device which takes advantage of a flaw that exists in media library stagefright. Considering other platforms such iOS, Windows, and Blackberry, Varutra is maintaining the vulnerabilities related to mobile operating systems in the Mobile Vulnerability Database (MVD). Varutra has developed the MVD application for the Android platform which identifies vulnerabilities on the Android operating system and provides detailed vulnerability reports, and which is freely available on Playstore for all Android users. The applications for other platforms are under development and will be available very soon for iOS, Windows and Blackberry.

MVD (Mobile Vulnerability Database):

Mobile Vulnerability Database, or MVD, is a unique place to find out about vulnerabilities reported worldwide for Mobile Platforms.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective of MVD is to give a common place for mobile users to get acquainted with the vulnerabilities that might exist on their devices. Users can choose to receive specific vulnerability details as a report via Email.

1. MVD

Platforms covered by MVD

At present MVD covers major mobile smartphone platforms such as Android, Blackberry, iOS and Windows Phone.

2.1 PlatformsMVD Web Application:

MVD is also available in web interface where users can search and gather information related to mobile operating system vulnerabilities by simply searching by the Common Vulnerabilities and Exposures (CVE ID) vulnerability category.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective is to give a common place for mobile users to get acquainted with what vulnerabilities might exist on their devices. Additionally, users can choose to receive specific vulnerability details as a report via Email.

Web Application

For more information: http://varutra.com/mvd/

MVD Platforms:

MVD is developed for mobile operating systems such as Android, iOS, BlackBerry and Windows

3.1 MVD PlatformsTerminologies related to MVD

What is KVID?

KALP Varutra ID (KVID) is a unique number assigned to each reported vulnerability; maintained in the MVD database by the Varutra team.

E.g. KVA01 for Android, KVB01 for Blackberry, KVI01 for iOS and KVW01 for Windows Phone

Note: KALP stands for Knowledge Attained Learn Process. It is a blog for information published on the World Wide Web and consisting of discrete entries (“posts”) typically displayed in reverse chronological order.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

For more information: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

What is CVSS?

Common Vulnerability Scoring System (CVSS) is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization.

For more information:


CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical).

E.g. BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

MVD Feature:

MVD feature How to get the Vulnerability Report on Email?

The user can register with their Name and Email ID on Register for Vulnerability Report and then select the required platform and version to receive the report. A module is being implementing where once a user is registered they will get automatic updates for any new vulnerabilities reported in the platform and version specifically chosen by the user.

4.1 Vulnerability Report

 Users can now access the MVD on their Android Smartphones, Tablets.

The MVD Android application covers major mobile smartphone / tablet platforms such as Android, Blackberry, iOS and Windows Phone. Users can register with their Name and Email ID on “Register for Vulnerability Report” and then select the desired mobile platform and version to receive the report. Users can also download the MVD Android application on your device from Google Play:



MVD very useful for mobile phone users who are interested in knowing the vulnerabilities in their Android phone and want to mitigate the vulnerabilities. Additionally, MVD is useful for security researchers interested in knowing the vulnerabilities present in multiple mobile operating systems.

For more Details reading Pentestmag


Mr. Chetan Gulhane

Security Consultant, Varutra Consulting Pvt. Ltd.


Android Malwares – An Overview

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of executable code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.

Mobile malware is a malicious software designed specifically to target a mobile device system, such as a tablet or smartphone to damage or disrupt the device and allow a malicious user to remotely control the device or to steal personal information stored on the device.

Android malwares are continuously spreading across the globe. The rate at which android malwares are targeting the mobile phones is increasing day by day. Users install android malwares knowingly or unknowingly when they install applications from untrusted sources. It is very important that Android user’s needs to be careful while installing applications from internet.

97% of mobile malware is on Android   by Forbes Report

In this article we will have overview of some well-known mobile malwares for android.

  • AndroRat
  • SandroRat
  • ZitMO (Zeus-in-the-mobile)
  • AcnetSteal
  • Cawitt
  • Gamex
  • PremiumSMS
  • KabStamper
  • Mania
  • SmsSpy
  • UpdtKiller

AndroRat: AndroRat is one of well-known open source proof of concept, which became an android remote access Trojan. AndroRat can bind with legitimate applications with the help of apk binder which is not freely available on internet which cost around $30-$40, available on underground hacking forums. AndroRat collects information from users mobile including contacts, call logs, messages, location, can take picture form camera, give call sends to the command and control center located at remote location.

SandroRAT Figure: AndroRat Apk Binder

SandroRat: SandroRat has functionalities like AndroRat including collecting contacts, call logs, messages, location, can take picture form camera, give call and sends information to the command and control center located at remote location.
Recently samples of SandroRat received by McAfee Labs from customer in Poland with name Kaspersky_Mobile_Security.apk. Spammers use phishing techniques to spread this malware with threating emails pretending from antivirus companies.

Figure: SandroRat sample received via email

ZitMO: ZitMO is acronym of Zeus in the mobile. ZitMo is banking Trojan. ZitMo has capability to steal mobile transaction authorisation numbers (mTAN) sent by bank in text messages. ZitMo sends collected information remote server. A mobile version of Zeus also found on Blackberry smartphones.

ZitMoFigure: ZitMO

AcnetSteal: Acnetsteal gathers data and information from infected device. It collects information like email addresses, telephone numbers. AcnetSteal uses triple DES encryption to send collected information to remote location.

AcnetStealFigure: Acnetsteal

Cawitt: Cawitt silently runs the background and collects information and later forwards to server located at remote location. Information collected by cawitt includes device ID, IMEI, phone number, bot ID, Modules. Cawitt can also premium rate SMS messages from the device when it receives command from server.

cawittFigure: Cawitt

Gamex: Gamex hides its malicious components inside the package file. When gamex get root access by the user, it connects to command and control (C&C) server to download more applications and to forward device IMEI and IMSI numbers.

Figure: Gamex

PremiumSMS: PremiumSMS android sends SMS to premium numbers and generates profit.It has a configuration file that contains data on the content of the SMS messages and the recipient numbers. Example of the sent messages:

 Number: 1151 Content: 692046 169 BG QCb5T3w Number: 1161 Content: 692046 169 BG QCb5T3w

PremiumSMSFigure: PremiumSMS

KabStamper: KabStamper malware has capability to corrupt images available on the infected devices. Basically it overwrites the images on the devices with predefined image. KabStamper is a malware that circulated in Japan during the AKB48 ‘election.’ AKB48 is a Japanese pop group that consists of 48 members. KabStamper is distributed via trojanized applications that deliver news and videos about the AKB48 group. It destroys images found in the sdcard/DCIM/camera folder that stores images taken with the device’s camera. Every five minutes malware checks this folder and modifies a found image by overwriting it with a predefined image.

KabStamperFigure: KabStamper

Mania: Mania is SMS sending malware that sends out messages with content “tel” or “quiz” to number 84242. It pretends to perform to perform license checking to cover up its SMS-sending activities in the background. Mania is known for using the trojanization technique, where it is repackaged with another original application in order to dupe victims.

ManiaFigure: Mania

SmsSpy: SmsSpy logs incoming and outgoing SMS message to a certain file, and uploads the file to a FTP server. SmsSpy poses as an Android Security Suite application that records received SMS messages into a secsuite.db. This malware targets banking consumers in Spain where it is spammed via a message indicating that an extra Security Protection program that protects the device is available for download.

SmsSpyFigure: SmsSpy

UpdtKiller: UpdtKiller connects to command and control(C&C) server, where it forwards users data to and receives further commands. This malware is also capable of killing antivirus processes in order to avoid being detected.

UpdtKillerFigure: UpdtKiller

So how an android user can prevent himself / herself from such malwares and download authentic applications securely?

Android users should use Google play store to install application, all the application submitted to Google play store evaluated by Google Bouncer. Google Bouncer analyses the application to detect the malicious behavior in its cloud infrastructure.


  • Do not download android applications from untrusted sources.
  • Check the permissions of application before installing.
  • Always keep your operating system secure by downloading and applying any security patches released by your smartphone vendors (to check OS level vulnerabilities on your mobile download MVD application).

Conclusion: : Android is one of the popular mobile operating system and it holds around 80% of mobile market share; the reason Android is favorite target for attackers and so the increasing threat from android malwares. User needs to be alerted while downloading any applications from Internet and keep their phone OS up-to-date with security patches.



Author: Snehal Raut
Security Consultant, Varutra Consulting


Malware threatens Android, uses Remote Access Trojan

Android Malware

Android remains at number one Operating System worldwide so also getting targeted by Malware creators.

In 2013 about 98 percent of all malware detected were targeted android platform  making it as a prime target for malicious attacks.

Various techniques are being used to target android users. Spammers are using phishing technique to spread android malwares. Mobile Antivirus companies and their research labs are reporting several variants of android malwares.

SandroRAT is a new android malware variant of RAT (remote access trojan). Recently attackers spread SandroRAT using phishing techniques to target victim by sending email with subject like

“Caution! Detected malware on your phone!”

And having download link or attached apk of malware with mail. The sample received by McAfee Labs from customer in Poland with the name Kaspersky_Mobile_Security.apk Phishing mail with following attachment:


The body of the message states that the bank is providing the attached free mobile security application to detect malware that steals SMS codes (mTANs) for authorizing electronic transactions. However, the attached application is in fact a version of the Android RAT SandroRat, which was announced at the end of the last year in the Hacking Community HackForums. The RAT and its source code are for sale, making it accessible to everyone to create a custom version of this malware.

SandroRAT malware has functionality to decrypt WhatsApp encrypted chats, latest version of WhatsApp uses encryption scheme (crypt 7) so decryption routines of malware will not work with latest version of WhatsApp. WhatsApp user should update the app to latest version.

What Android RAT can do on your Android phone?

  1. Steal sensitive personal information such as contact list, SMS messages (inbox, outbox, and sent), call logs (incoming, outgoing, and missed calls), browser history (title, link, date), bookmarks and GPS location (latitude and longitude).
  2. Intercept incoming calls and record those in a WAV file on the SD card to later leak the file.
  3. Update itself (or install additional malware) by downloading and prompting the user to install the file update.apk.
  4. Intercept, block, and steal incoming SMS messages.
  5. Send MMS messages with parameters (phone number and text) provided by the control server.
  6. Insert and delete SMS messages and contacts.
  7. Record surrounding sound and store it in an adaptive multi-rate file on the SD card to later send to a remote server.
  8. Open the dialer with a number provided by the attacker or execute USSD codes.
  9. Display Toast (pop-up) messages on the infected device.

What precautions android users should take?

  • Ignore threatening security warning emails as antivirus companies do not send such emails.
  • Don’t download android applications from untrusted source.
  • Check the permissions of application before installing.
  • Always keep your operating system secure by downloading and applying any security patches released by your smart phone vendors.

Source: McAfee

Varutra has developed a mobile application for checking vulnerabilities on the mobile operating system of your smartphone. Access the MVD application from http://varutra.com/mvd/ or download MVD app android version from Google Play.

Author: Snehal Raut

Security Consultant, Varutra Consulting


Proxying HTTP/HTTPS traffic on android


There are several stages to perform thorough penetration testing on android based application including but not limited to Authentication, Authorization, session management, parameter manipulation, to name a few. One of the important steps to perform testing of an android application is intercepting, analyzing and modifying the traffic. In case of plain text (HTTP) traffic, the configuration to intercept the traffic is easy, but for the SSL enabled application, there are few challenges. Here, we shall be discussing about how to intercept HTTP (plain text) & HTTPS (encrypted) traffic through the proxy tools.

Android SDK (in case of Emulator based testing)
A proxy tool (Charles proxy, Burp, etc)

Steps to Execute:

Proxying on emulator is fairly simple technique. If the proxy (such as Burp, Charles proxy, Paros etc.) is configured at on port 8080, then entering the following command into the console will configure a HTTP proxy on the android virtual device (AVD)

# emulator -avd <Your AVD Name> -http-proxy

The –http-proxy setting used for the emulator tends to only work for the browser; other applications generally ignore this setting.

In case of SSL traffic proxying, the challenge is to make the Android device/emulator “trust” the SSL certificate issued by proxy. The simple solution would be to install the proxy’s certificate on the device/emulator.

Setting up Proxy for Android < 4.0

Prior to Android version 4.0, the way in which Android handled certificates is different than the latest android OS. To install certificates, perform below mentioned steps:

1. Launch the emulator with read-write permission for system partition
2. Pull out the “cacerts.bks” file from the filesystem located at /system/etc/security/
3. Add the SSL certificate of proxy into it using keytool (keytool is a utility that comes with java sdk and jre)
4. Push the updated “cacerts.bks” file back onto the device in the same folder
5. Make it persistent (so this works when the AVD reboots)

Adding Certificate
The procedure is same for all proxy tools.Em1

1. To start the AVD, open the command prompt/terminal and navigate to android sdk. Go to tools directory and run ‘emulator’ executable with “-partition-size 128” argument. This argument instructs the AVD to mount “/system” partition with read-write permission, which is not possible with remounting it.

# emulator –avd <avd name> -partition-size 128

2. Next, to pull cacerts.bks file from the emulator:

# adb pull /system/etc/security/cacerts.bks cacerts.bks

3. Now, to add the certificate of the proxy tools into the “cacerts.bks” file, pulled from the device:

# keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias somealias -file <your_proxy_certificate.crt> -noprompt

Obtain Charles proxy’s certificate from http://charlesproxy.com/charles.crt or for any other proxy, we can export the certificate by configuring proxy on the web browser on laptop/desktop.

Alternatively, we can use Portecle. Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more.

Note: On the Mac, we may get an error about keytool not being able to find bouncycastle, which can be fixed by getting the latest provider from here and putting it in $JAVA_HOME/jre/lib/ext/. (On the Mac OSX Mountain Lion, the path is “/System/Library/Frameworks/JavaVM.framework/Home/lib/ext/”)

4. Now push the “cacerts.bks” file back to the device/emulator using adb

# adb remount
# adb shell rm /system/etc/security/cacerts.bks
# adb push cacerts.bks /system/etc/security/

5. e4In case of emulator, make this change persistent with the help of a new system.img file. This is done with a tool called, `mkfs.yaffs2.arm`. Download it here

6. To push the mkfs.yaffs2.arm tool to our android instance.

# adb push mkfs.yaffs2.arm /data/data/temp/mkfs.yaffs2
# adb shell chmod 777 /data/data/temp/mkfs.yaffs2


7. We will now make new system.img on sdcard

# adb shell
# /data/data/temp/mkfs.yaffs2 /system /sdcard/system.img

8. Quit the shell and download the newly generated system.img.

# adb pull /sdcard/system.img system.img

9. Close the emulator and boot the new system.img. Paste the new system.img in “path/to/.android/avd/<avdname>.avd/”

10. Boot your avd
# emulator -avd <avd name> -http-proxy <ip:port>

11. In case of actual rooted device, steps 5 to 10 will be skipped

Configure Charles proxy for SSL Proxying from here : http://www.charlesproxy.com/documentation/proxying/ssl-proxying/

Setup Proxy after Android 4.0
Proxying Application traffic changed significantly after Android 4.0 (Ice Cream Sandwich or “ICS”) was released.p1

Contrary to iOS, Android < 4.0 had no setting for proxying traffic.
Android 4.0 (ICS) Proxying could be done by long press on the currently-connected Wi-Fi network and then a check box for advanced options as seen below.

Even with this, Proxying application SSL traffic is not possible.

There are multiple solutions to this problem, one of them being installation of “ProxyDroid” app directly on a rooted ICS phone. This allows an analyst to easily forward all traffic from the real application through a proxy; the only problem becomes SSL certificates, since the proxy will need to use its own SSL certificate, which Android will not recognize as valid.

Next step would be to install FS CERT Installer app.

FS CERT Installer is an Android app by Foundstone used to install CA and site certificate when proxying Android applications.

Screenshot_2013-07-27-14-09-29 Installation and Usage Instructions:

1. Install the FS Cert Installer (Download:FS CERT Installer)

2. Push the certificates into the device sdcard:
# adb push PortSwiggerCA.cer /sdcard/

3. Change the certificate on Burp to generate a certificate with a specific hostname.

4. Install certificate by Settings -> Security -> Install from SD card.

5. Open Proxy and set intercept to off

6. Launch FS Cert Installer and test the certificate installations

7. Test Proxying of the target application.

After the process is complete, we are all set to start intercepting app SSL traffic on Android ICS.


Hacking Google account through Locked Android Devices


Varutra revealed an issue in the text message notification implementation of Google’s Android operating system which may lead to compromise of user’s Google account, associated with the mobile number of an Android device.

Varutra research team “KALP@Varutra” discovered that, by default, the contents of text messages (SMS) received are displayed on the notification area of the device even if the device is in locked mode. To reset the Google account password, Google sends a verification code on a text message to the mobile device of the user. In case of an Android device, this verification code can be read from the notification area, and thus be used to reset the victim’s account credentials. The only pre-requisite for such an act to be successful is for the malicious user to know the victim’s Gmail ID where victim has set his android phone number with the target Android device.

Consider a scenario where in, a malicious user wants to compromise the victim’s Google account and has visibility to the victim’s mobile screen:

  1. Attacker accesses the Google account page and clicks on “Can’t access your account?”
  2. On the “Having trouble signing in?” page, he opts for “I don’t know my password” and puts victim’s Gmail ID in the “Email address” field
  3. For account recovery options, he/she opts to receive verification code on the pre-registered mobile number and submits the request after entering the victim’s mobile number
  4. As a result, a verification code is received as a text message on the victims mobile and the attacker can read it on the notification area of the Android screen.
  5. Attacker submits the verification code and resets the password of Victim’s Google account The severity of this issue escalates by the fact that the Google’s verification code comprises of only 6 digit numeric value, which is easy to read and memorize. The same valid code can be resent to the device up to 5 times.

As per security best practices, the verification code must meet the necessary complexity requirements of being more than 8 digit alphanumeric code, making it difficult to memorize. Also, it should be made random i.e. should change on every new request.

The issue was tested and found to be affecting Android version prior to 4.0.