Issue 33: Google's Rust Success, ChatGPT's Memory Exploit and Malware In Popular Camera Apps
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top stories 27 September 2024:
Google's Shift to Rust Programming Cuts Android Memory Vulnerabilities by 52%
Google has reported significant progress in reducing memory safety vulnerabilities in Android by transitioning to memory-safe programming languages like Rust. Over six years, the percentage of such vulnerabilities dropped from 76% to 24%, attributed to the company’s secure-by-design approach and prioritisation of Safe Coding practices for new features.
Secure by design is a software development approach where security is integrated into the design and development process from the very beginning, rather than being added as an afterthought.
Even though there's more memory-unsafe code, vulnerabilities still decrease. This is because new vulnerabilities mostly come from recently changed code, while older code becomes more secure over time.
Since Google began shifting towards memory-safe languages in 2019 and officially announced support for Rust in April 2021, the number of memory safety vulnerabilities in Android has decreased from 223 in 2019 to under 50 in 2024. The decline is supported by new tools and strategies, like Clang sanitizers, that help prevent vulnerabilities from happening in the first place.
Incorporating secure-by-design principles and ensuring interoperability between Rust, C++, and Kotlin means Google can gradually improve memory safety without extensive code rewrites. This transition allows for the natural decay of vulnerabilities, improving the overall security of their codebase. On top of this, the collaboration with Arm’s teams has led to the identification of multiple memory issues, including CVE-2023-48409, CVE-2023-48421, and CVE-2024-0153.
ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function
A recently patched security vulnerability in OpenAI’s ChatGPT app for macOS could have enabled attackers to implant persistent spyware, termed SpAIware, into the AI tool’s memory. This vulnerability posed a risk of continuous data exfiltration, allowing attackers to capture any user input and responses from ChatGPT, including future chat sessions, according to security researcher Johann Rehberger.
The issue took advantage of a feature called memory, added by OpenAI in February, which lets ChatGPT remember things from one chat to the next, making conversations smoother. Users can ask ChatGPT to forget details, but the attack used this memory feature to store harmful instructions that stayed in place across different chats.
In a potential attack scenario, a user might be misled into visiting a malicious website or downloading a harmful document. Such content, when analysed by ChatGPT, could carry instructions to covertly transmit all future conversations to an attacker-controlled server. Following responsible disclosure, OpenAI addressed this issue in ChatGPT version 1.2024.247 by closing the data exfiltration vector.
Users are advised to regularly review and clean up the stored memories for any suspicious or incorrect entries.
This is just one example of the ongoing challenges involved in securing large language models (LLMs) and AI systems.
Necro Android Malware Found in Popular Camera and Browser Apps on Play Store
Altered versions of popular Android apps associated with Spotify, WhatsApp, and Minecraft have been found to distribute a new variant of a malware loader named Necro. Kaspersky reported that some of these malicious applications were available on the Google Play Store, amassing a total of 11 million downloads.
Notable examples include Wuta Camera - Nice Shot Always (com.benqu.wuta) with over 10 million downloads and Max Browser-Private & Security (com.max.browser), which has since been removed from the Play Store. Wuta Camera has been updated to version 6.3.8.148, released on September 8, 2024, to eliminate the malware.
The origin of the compromise is unclear, but a rogue software development kit (SDK) for advertising integration is suspected. Necro, first identified by Kaspersky in 2019, uses obfuscation techniques, including steganography, to conceal its payloads and evade detection. The malware can execute various harmful actions, such as displaying ads in hidden windows, downloading arbitrary files, and running scripts.
Necro’s delivery often relies on modified apps hosted on unofficial platforms. Once installed, it initialises a module named Coral SDK, which connects to a remote server, retrieves a Base64-encoded payload, and downloads additional malicious modules for further exploitation.
Between August 26 and September 15, 2024, Kaspersky reported blocking over 10,000 Necro attacks globally. Google has stated that all identified malicious apps were removed from the Play Store before the publication of the report, and that Android users are protected by Google Play Protect against known versions of this malware.
That's all folks!
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).
If you like what you've read, subscribe so you don't miss next week's roundup!
Co-Founder of Altrosyn and Director at CDTECH | Inventor | Manufacturer
5 months
The intersection of AI, mobile security, and programming language choices is fascinating. ChatGPT vulnerabilities highlight the constant arms race between developers and attackers. Rust's memory safety features offer a promising path forward for mitigating Android vulnerabilities. The shift to Rust could have profound implications for the future of software development. You talked about Necro malware in your post. Given that Necro targets camera apps, how would you approach securing user data within an app if it relied on real-time image processing and analysis for tasks like object detection or facial recognition? Imagine a scenario where this app needs to process sensitive biometric data while ensuring compliance with privacy regulations. How could you leverage techniques similar to those used against Necro to protect such data in this specific context?