This Week In Security: Nintendo Accounts, Pernicious Android Malware, And An IOS 0-day

A rash of Nintendo account compromises has made the news over the last week. Nintendo’s official response was that they were investigating, and recommended everyone enabled two factor authentication on their accounts.

[Dan Goodin] over at Ars Technica has a canny guess: The compromised accounts were each linked to an old Nintendo Network ID (NNID). This is essentially a legacy Nintendo account — one made in the Wii U and 3DS era. Since they’re linked, access via the NNID exposes the entire account. Resetting the primary account password doesn’t change the NNID credentials, but turning on two factor authentication does seem to close the loophole. There hasn’t yet been official confirmation that NNIDs are responsible, but it seems to fit the situation. It’s an interesting problem, where a legacy account can lead to further compromise.

Just Can’t Lose You: xHelper

xHelper, an Android malware, just won’t say goodbye. xHelper looks like a cleaner application, but once installed it begins rather stubbornly installing itself via the Triada trojan. The process begins with rooting the phone, and then remounting /system as writable. Binaries are installed and startup scripts are tampered with, and then the mount command itself is compromised, preventing a user from following the same steps to remove the malware. Additionally, if the device has previously been rooted, the superuser binary is removed. This combination of techniques means that the infection will survive a factory reset. The only way to remove xHelper is to flash a clean Android image, fully wiping /system in the process.

Is BGP Safe Yet?

BGP, or Border Gateway Protocol, is something of an unsung hero of the internet. It’s how the internet, a complicated mesh of interconnected networks, manages to correctly route packets between endpoints. Like many of the fundamental technologies of the ‘net, it wasn’t originally written with security in mind. This isn’t simply a hypothetical problem, real-world attacks have happened.

As one would expect, security enhancements have been designed, and if properly implemented, BGP is far more secure than in the past. The only problem is that many ISPs haven’t done much to protect their networks. A new tool is now available from Cloudflare, where you can run a rudimentary security test on your ISPs BGP security.


Git has been updated once again, fixing another security problem related to last week’s update. The essence is the same: a malicious URL can result in git credentials being sent to a host controlled by an attacker. This particular problem is slightly less dangerous, as the attacker can’t specify the credentials to expose.

This pattern of vulnerability discovery is common. A problem is discovered in a project, and before you know it, a handful of related bugs are also found. For a recent example, look at the Bluekeep vulnerability in Windows RDP, and the RDP bugs found since then. The discovery of the initial bug attracts attention to the code in question, leading to more problems getting fixed.

Typo-squatting and Cryptocurrency Theft

Between February 16 and February 25, 725 malicious Ruby libraries were added to RubyGems, the official Ruby library repository. The campaign was discovered and the libraries were removed only two days later, an impressively fast response time. These libraries were all copies of legitimate code, with lookalike names, but a malicious twist. The libraries all contained a portable executable named aaa.png. On windows machines, the install script renamed that file to a.exe and executed it.

The end result is the installation of a clipboard hijack script. This script watches the system clipboard for a value that looks like a bitcoin address, and automatically replaces it with an address controlled by the malware author. The idea is that when someone copies and pastes a bitcoin address to request or send payment, the attacker’s address is used instead.

The attack was discovered by researchers at Reversinglabs. Since the bitcoin address is known, they have been able to watch for transactions. So far, that address hasn’t seen any activity, so it appears this attack was stopped before it claimed any victims.

In contrast, a rash of malicious Google Chrome extensions have been a part of cryptocurrency theft for several months now. Discovered by MyCrypto, these extensions were distributed through a Google Ad campaign that targeted well known cryptocurrency wallets and services. Even once installed, they appeared legitimate up to the point where the user was prompted for their credentials. Those credentials were uploaded to the attackers, and the extensions reverted to their default state. According to the researchers, there have been multiple people that have lost currency as a result.

iOS Mail 0-day

A pair of related 0-day vulnerabilities for the iOS mail app were just released, and it’s a bad pair. First, in some cases the exploits requires no user interaction. On iOS 13, if the mail app is running in the background, simply receiving a malicious message is enough to trigger the bug. In other situations, a user has to attempt to view the malicious message in order to trigger it. In both cases, the flaw is improper handling of system call return values. A malicious email can use various techniques to cause a system call like mmap to fail, and once it does, the rest of the message overflows the allocated memory location.

The earliest incident found by researchers at ZecOps seems to date back to January 2018. This bug has been under exploit for over two years. It seems likely that this vulnerability was discovered originally by either a state actor, or an offensive firm like NSO Group. As iOS vulnerabilities are rather rare, whoever discovered this flaw took care to use it sparingly on important targets. A fix is already in the latest iOS beta, but has not currently made it to production iOS. While the earliest known exploit was January 2018, researchers are confident that the vulnerability has been in iOS since 2012, and quite possibly long before then.

This and That

One of the more popular 3rd party Android stores, Aptoide, had their database compromised, and their list of accounts and credentials were compromised. It looks like all that was exposed was usernames and hashed passwords.

Google Chrome minted a new stable release on the 15th, for a single critical bug. The bug report is still protected, but we know it’s a use-after-free in the speech recognizer. We can’t see the bug report yet, but the patch itself is relatively easy to find. If this sounds familiar, it’s because we covered the parent issue earlier in the year. This bug is essentially the same thing, and the pointer fix is just being applied across the board now.

Intel has published an advisory and a set of firmware updates for their NUC devices. The flaw can allow escalation of privilege, and they consider it high severity. Not many additional details are available yet, but if you have a NUC, it might be worth grabbing this update.

And finally, do you find yourself kept awake at night wondering about phishing attacks, and their statistics? If so, wonder no longer, as Check Point Software has your back. They published a report covering the first three months of 2020, and found that Apple is the most common spoofed brand in phishing emails. They show off a few interesting examples, so if phishing interests you, check out the report.

8 thoughts on “This Week In Security: Nintendo Accounts, Pernicious Android Malware, And An IOS 0-day

  1. “The process begins with rooting the phone, and then remounting /system as writable. ”

    Operative phrase. On some phones “getting root” is a real pain even for the owner of the phone.

    1. Totally agree, I’ve stopped rooting my phones since I found alternative methods to do what I did in the past with root apps.
      – Ad block with firefox and ublock origin.
      – Prevent the apps from connecting to the internet (so they can’t steal information or spent my data plan downloading banners and video ads) with local vpn solutions.
      – Uninstall pre-installed bloatware apps, using adb commands I can remove them without rooting.

      1. Thanks for the adb commands reference, fixed a LOT of issues for me. What “local vpn solutions” do you use, are you talking about DNS cache poisoning and running the DNS server on your phone or using an internet based vpn service?

    1. Anyone who can legitimately call themselves a “hacker” has already been “social distancing” since childhood, already has a job working from home. The people who exploit these vulnerabilities are well paid employees.

  2. Keeping support for legacy accounts is a path sided by many insecurities.
    This is generally true for all backwards compatibility and why supporting such isn’t always wanted.
    Though, not supporting backwards compatibility can lead to many customer complaints, and transition periods isn’t a silver bullet either.

    In regards to typo squatting, this is frankly rather annoying.
    And it is good that the library service does keep an eye on this, unlike most top domains….

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.