This article is about a security feature bypass I reported in a mobile antivirus. As I sat at the airport, waiting for someone, I found myself with roughly two hours to kill. I decided to find some vulnerabilities using my phone. So, I started exploring the mobile antivirus of my phone.
The company behind the antivirus, which I’ll refer to as “Fiman Tech” for simplicity, is a market leader in cybersecurity, with millions of users worldwide. They had recently updated their software to include the ability to detect dangerous links in SMS messages. In other words, if an attacker sends a malicious URL via SMS, the antivirus would flag it and display a warning to the user.
I set out to find a technique to evade this feature. Evasion would count as successful only if I (as the attacker) could send a malicious URL in a way that the user can open, but that the antivirus does NOT warn about.
The potential consequences of malicious links in SMS messages are severe. Cybercriminals have exploited this technique to distribute malware, steal personal information, and even gain control of users’ devices.
In 2020, the notorious Android malware “Flubot” spread through SMS messages, infecting thousands of devices and causing substantial financial losses. According to Europol, “The malware was installed via text messages which asked Android users to click a link and install an application to track a package delivery or listen to a fake voice mail message. Once installed, the malicious application, which actually was FluBot, would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials or cryptocurrency account details and disable built-in security mechanisms.”
To create a realistic scenario, I sent dangerous links to my friends, Sanjay Singh Jhala and Gaurav Chib, via WhatsApp, asking them to resend the same URLs to me via SMS. After experimenting with various strings, I discovered a method for crafting a malicious link that would bypass the antivirus warning and still function when clicked.
When a malicious URL like “malware-site.net” is sent via SMS, the antivirus displays a warning about the malicious link, as expected. However, if the same URL is altered to “malware-site.Net%”, with an uppercase letter and a % symbol, the warning is not triggered.
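To show why such a variant can slip past a link check, here is an added example that is not the vendor's code (the write-up does not disclose the real root cause): a naive matcher that compares the raw token against a blocklist beside a hardened one that first reduces the token to the host a browser would actually resolve. The blocklist entry and the SMS texts are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist; a real scanner would query a reputation service.
BLOCKLIST = {"malware-site.net"}

# Loose pattern for a bare domain or full URL embedded in free text.
URL_RE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s]*")


def naive_is_flagged(message: str) -> bool:
    """Exact, case-sensitive match on the raw token.

    Misses 'malware-site.Net%': the capital letter and the trailing '%'
    make the token differ from the blocklist entry, yet the browser
    still resolves the same host.
    """
    return any(m.group(0) in BLOCKLIST for m in URL_RE.finditer(message))


def normalize_host(token: str) -> str:
    """Reduce a URL-like token to the host a browser would resolve."""
    if "://" not in token:
        token = "http://" + token          # let urlsplit treat it as a URL
    host = urlsplit(token).hostname or ""  # drops scheme, path, port, userinfo
    # DNS is case-insensitive, so fold the case; then strip stray trailing
    # characters ('%', '.', ',' ...) that senders or evasions tack on.
    return host.lower().rstrip("%.,;:!?)'\"")


def hardened_is_flagged(message: str) -> bool:
    """Match on the normalised host instead of the raw token."""
    return any(
        normalize_host(m.group(0)) in BLOCKLIST
        for m in URL_RE.finditer(message)
    )


if __name__ == "__main__":
    sms = "Track your parcel at malware-site.Net%"   # constructed sample
    print("naive:   ", naive_is_flagged(sms))         # False (bypassed)
    print("hardened:", hardened_is_flagged(sms))      # True  (caught)
```

The lesson for any link scanner is to canonicalise before comparing: case-fold the host, strip scheme, port, path and trailing junk, and only then look it up.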
The screenshot below illustrates the concept, although the actual dangerous URLs have been omitted for security reasons.
By exploiting this loophole, cybercriminals could potentially send seemingly innocuous links that users could click and open, thereby compromising their devices and personal information.
I reported the issue, and the antivirus company immediately acknowledged it, fixed it, and rewarded me $$$ for reporting it.
Featured Image by Biljana Jovanovic
Ashutosh has found security issues that prevented the leak of personal information belonging to 100 million+ people. He specializes in finding vulnerabilities in web and mobile applications and IT infrastructure, and in consulting organizations on why, how, and when to fix them.
He has been working with Deloitte since June 2017 as a Cyber Security Consultant/Engineer, and has been acknowledged by organizations such as Google, Twitter, the US Department of Defense, Symantec, the United Nations, Rapid7, Trend Micro, Avira, United Airlines, IBM, Go Airlines, etc. for finding security flaws in web applications.