This week, Android smartphones have been buzzing with strange pop-up notifications, and it is not yet completely clear where these notifications come from. However, some security researchers believe that a hacker might be behind these notifications. It appears that these notifications are limited to users of a handful of applications including Microsoft Teams and Google Hangouts. These notifications popped up alongside other legitimate alerts with the header FCM (Firebase Cloud Messaging) Messages. To be clear, Microsoft was not experimenting with notifications in the Android version of Teams.
Google’s FCM is a framework that helps to make it easier to deliver notifications via applications on almost any platform. Likely, most Android applications that deliver push notifications use FCM, and this includes applications from single hobbyist app developers to applications from tech giants such as Google and Microsoft. Users of apps like Hangouts and Microsoft Teams may have noticed random notifications, and these notifications might be from people taking advantage of improper configurations of FCM.
Sophos’ security team investigated and turned their attention to a blog post published by a security researcher using the handle Abss. The post was published last week, and Abss detailed the discovery of coding oversights that affected several Android applications. These security bugs could allow a hacker to hijack the Firebase Cloud Messaging service. Abss found that the code for several Android applications contained unique keys that FCM service checks to authenticate messages. With that key, a threat actor could craft push notifications and then send those notifications to users of the affected application. Furthermore, those notifications could have contained anything that the hacker wants including disturbing pictures.
On August 27, Microsoft issued a statement stating that their investigation has determined that this issue impacts Android smartphones particularly, and the company is working to apply mitigation. Microsoft recommends users to dismiss those notifications without interacting with these notifications. On August 28, the company tweeted that it has applied mitigation. On the other hand, Google’s spokesman told The Daily Swig that this flaw was ‘particularly related to app developers adding API (Application Programming Interface) keys in their code for services that shouldn’t be added.
However, it is still not known who was behind these mysterious alerts. Sophos researchers wondered that if an attacker might have been ‘inspired’ by the discoveries of Abss.
Read next: A Major Bug In Google Chrome Is Causing A Massive Load On Global Root DNS Servers
Google’s FCM is a framework that helps to make it easier to deliver notifications via applications on almost any platform. Likely, most Android applications that deliver push notifications use FCM, and this includes applications from single hobbyist app developers to applications from tech giants such as Google and Microsoft. Users of apps like Hangouts and Microsoft Teams may have noticed random notifications, and these notifications might be from people taking advantage of improper configurations of FCM.
Sophos’ security team investigated and turned their attention to a blog post published by a security researcher using the handle Abss. The post was published last week, and Abss detailed the discovery of coding oversights that affected several Android applications. These security bugs could allow a hacker to hijack the Firebase Cloud Messaging service. Abss found that the code for several Android applications contained unique keys that FCM service checks to authenticate messages. With that key, a threat actor could craft push notifications and then send those notifications to users of the affected application. Furthermore, those notifications could have contained anything that the hacker wants including disturbing pictures.
On August 27, Microsoft issued a statement stating that their investigation has determined that this issue impacts Android smartphones particularly, and the company is working to apply mitigation. Microsoft recommends users to dismiss those notifications without interacting with these notifications. On August 28, the company tweeted that it has applied mitigation. On the other hand, Google’s spokesman told The Daily Swig that this flaw was ‘particularly related to app developers adding API (Application Programming Interface) keys in their code for services that shouldn’t be added.
However, it is still not known who was behind these mysterious alerts. Sophos researchers wondered that if an attacker might have been ‘inspired’ by the discoveries of Abss.
Read next: A Major Bug In Google Chrome Is Causing A Massive Load On Global Root DNS Servers
