Search This Blog

Showing posts with label Mobile Security. Show all posts

Thousands of Users Impacted in Revolut Data Breach

 

Financial technology firm Revolut has suffered a massive data breach that may have allowed hackers to access the private details of over 50,000 users. 

The fintech giant, which has a banking license in Lithuania, described the assault as “highly targeted” and stated the hacker only had access to 0.16% of customers’ data for a “short period” of time. 

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut spokesperson Michael Bodansky explained. To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”  

However, according to Revolut’s breach disclosure to the authorities in Lithuania, the firm says nearly 50,150 global customers, including 20,687 in the European Economic Area (EEA) and 379 Lithuanian citizens, may have been impacted by the data breach. The leaked data includes names, postal and email addresses, telephone numbers, partial card details, and bank account information.  

Soon after the attack, multiple Revolut users complained regarding obscene texts received via the application’s chat feature. Some customers also reported getting text messages directed to a Revolut phishing website. It’s unclear if these events are related to the breach. 

In its data breach notification to affected users, Revolut warned impacted users to be on high alert for follow-on phishing and fraud scams using leaked details. 

“Cyber-criminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation,” the company warned users. 

“Malicious persons and fraudsters may try, using the publicized information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.” 

According to Forbes, London-based Revolut is UK’s most valuable fintech startup currently valued at $33 billion. It has over 20 million customers in 200 nations but is most popular in Europe and the UK. The app-based bank was established in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.

Japanese Payment System Attacked By Fake Security App

A new malware has been observed by the Research team at McAfee Corp. This malware is found to be attacking NTT DOCOMO customers in Japan. 

The malware that is distributed via the Google Play Store pretends to be a legitimate mobile security app, but in reality, it is a fraud malware designed to steal passwords and abuse reverse proxy focusing on NTT DOCOMO mobile service customers. 

The McAfee Cell Analysis team informed Google regarding the notoriety of the malware. In response, Google has made the application unavailable in Google Play Store and removed known Google Drive files that are associated with the malware. In addition to this, Google Play Shield has now alerted the customers by disabling the apps and displaying a warning. 

The malware publishes malicious fake apps on Google Play Store with various developer accounts that appear like some legitimate apps. According to a tweet by Yusuke Osumi, a Security Researcher at Yahoo, the attacker lures the victims into installing the malware in their systems by sending them an SMS message with a Google Play Store link, reportedly sent from overseas. Additionally, they entice the users by displaying a requirement to update their security software. 

This way, the victim ignorantly installs the fraudulent app from Google Play Store and ends up installing the malware. The malware asks the user for a community password but cleverly enough, it claims the password is incorrect, so the user has to enter a more precise password. It does not matter if the password is incorrect or not, as this community password can later be used by the attacker for the NTT DOCOMO fee services and gives way to online funds. 

Thereafter, the malware displays a fake ‘Mobile Security’ structure on the user’s screen; the structure of this Mobile Security structure interestingly resembles that of an outdated display of McAfee cell security. 

How does the malware function

A native library called ‘libmyapp.so’ written in Golang, is loaded through the app execution. When the library is loaded, it attempts to connect with C&C servers utilizing an Internet Socket. WAMP (Internet Software Messaging Protocol) is then employed to speak and initiate Distant Process Calls (DPC). When the link is formulated, the malware transmits the community data and the victim’s phone number, registering the client’s procedural commands. The connection is then processed when the command is received from the server like an Agent. Wherein, the socket is used to transmit the victim’s Community password to the attacker, when the victim enters his network password in the process.

The attacker makes fraudulent purchases using this leaked information. For this, the RPC command ‘toggle_wifi’ switch the victim’s Wi-Fi connection status, and a reverse proxy is provided to the attacker through ‘connect_to’. This would allow connecting the host behind a Community Handle Translation (NAT) or firewall. With the help of a proxy, now the attacker can ship by request through the victim’s community network. 

Along with any other methods that the attackers may use, the malware can also use reverse proxy to acquire a user’s mobile and network information and implement an Agent service with WAMP for fraudulent motives. Thus, it is always advised by Mobile Security Organizations to be careful while entering a password or confidential information into a lesser-known or suspicious application.

US Law Enforcement Agencies Employ Obscure Phone Tech to Track People Movements

 

Multiple law enforcement agencies in Southern California and North Carolina are employing a powerful but relatively inexpensive cellphone tool dubbed ‘Fog reveal’ to track individual devices without a warrant based on data collected from apps installed on citizens’ smartphones. 

According to a detailed report published by the Associated Press based on documents extracted by the Electronic Frontier Foundation (EFF), the tool provided US police the ability to scan billions of records from 250 million mobile devices and harness the ensuing data to create “patterns of life” for each individual, which also included homes and workplaces locations. 

Fog Reveal was designed by Virginia-based Fog Data Science and is reportedly used extensively by law enforcement agencies in the US to solve criminal cases. 

According to AP, the surveillance software collected the data in a searchable way and designed software able to sift through it in a sophisticated way. Subsequently, the app makers sold the software in about 40 contracts to nearly 20 agencies, with prices starting at $7,500 a year. 

The technology is controversial as US courts are still weighing the use of location data, and the latest such ruling from the US Supreme Court held that law enforcement agencies would require a warrant in most cases, to access records of users’ movements and location. 

Additionally, mobile geolocation data of individuals should only be requested from Google (Android devices) or Apple (iPhones and iPads) by police forces in possession of a warrant released by a court.

The Virginia-based firm defended this claim by arguing that its data is anonymized, with the company not having any way of linking signals back to a specific device or owner. At the same time, some of the documents obtained by AP suggest police forces may be able to deanonymize the data to identify and locate specific individuals. 

The AP investigation primarily relied on public records (including GovSpend and Freedom of Information Act requests) and internal emails extracted by the local news outlet. The report comes days after the US military and intelligence agencies revealed a new monitoring operation to guard electoral procedures from hacking and fake news before and during the November midterms elections.

Over 1800 Mobile Apps Found Exposing AWS Credentials


Experts find hard-coded AWS credentials

Experts have found 1,859 applications across Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials, becoming a major security threat. More than 77% of the apps contain valid AWS access tokens that allow access to private AWS cloud services. 

Mobile apps may contain vulnerabilities in the supply chain that can potentially cause exposure to sensitive data, which can be used by hackers for other attacks. Supply chain vulnerabilities in mobile apps are often added by app developers, intentionally or unintentionally. 

The developers don't know the downside of the security impacts, putting the app users' privacy, as well as the employer and organizations' privacy at risk too. 

Source of the Problem

Researchers at Broadcom Software looked into why and where exactly the AWS access tokens were inside the applications, and whether present in other apps too. They found over half (53%) of the apps were using the same AWS access tokens found in other apps. 

These apps, interestingly, were from different app developers and organizations. This way, the experts found a supply chain vulnerability, it could be traced to a shared library, third-party SDK, or other shared components used in making the apps. 

Why app developers are using hard-coded access keys?

  • Downloading or uploading assets and resources needed for the applications, generally large media files, images, or recordings. 
  • To access configuration files for the app and/or register the device or get device info for cloud storage. 
  • Access cloud services that need authentication, like translation services.
  • For no particular reason, the dead code was used for testing and never removed. 

In one incident discovered by Symantec, an unknown B2B company that offers an intranet and communication platform and also provides a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK to access the translation service. 

It led to the leak of all of its customers' personal information- corporate data and financial records that belonged to more than 15000 medium to large-sized firms. 

How can users stay safe from supply chain attacks?

It is possible to protect yourself from supply chain issues, one can add security scanning solutions to the app development lifecycle and if using an outsourced provider, you can review Mobile App Report Cards, which can notice any malicious app behaviors or vulnerabilities for every launch of the mobile app, can all be helpful in to highlight potential issues. 

If you're an app developer, you can look for a report card that both scans SDKs and frameworks in your apps and finds the source of any vulnerabilities or suspicious behaviors. 




Malicious Chrome Extensions Siphoning Data from 1.4 million Users

 

Threat analysts at McAfee unearthed five malicious Chrome extensions manufactured to track user's browsing activity and deploy code into e-commerce websites. 

With over 1.4 million installs, the malicious extensions can alter cookies on e-commerce platforms without the victim’s knowledge so that scammers can receive affiliate payments for the purchased products. The five malicious extensions that exploit affiliate marketing are as follows: 

• Netflix Party (800,000 downloads), 
• Netflix Party 2 (300,000), 
• Full Page Screenshot Capture (200,000), 
• FlipShope Price Tracker Extension (80,000), 
• AutoBuy Flash Sales (20,000). 

"The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole explained. "The latter borrows several phrases from another popular extension called GoFullPage."

All five extensions employ an identical methodology to target users. The web app manifest ("manifest.json" file), responsible for managing the extension behavior on the victim’s system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the hackers' control (“langhort[.]com”). 

The data is deployed via POST requests each time the victim visits a new URL. The stolen data includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL. The researchers also disclosed that the user tracking and code injection behavior resides in a script named ‘b0.js’, which contains many other functions as well. 

Additionally, the security firm identified the evasive mechanism that delays the malicious activity by 15 days from the time of installation of the extension to help keep its activity concerted and avoid raising red flags. 

McAfee recommends users extensively check extensions before installing them, even if they already have a large install base, and to pay close attention to the permissions the extensions ask for, such as the permission to run on any website the user visits. 

Last month, security researchers at Kaspersky estimated that more than 1.3 million users have been impacted by malicious browser extensions in just the first six months of this year alone. In fact, from January 2020 to June 2022, researchers unearthed that more than 4.3 million users had adware concealed in their browser extensions. Although Google is working rigorously to eliminate malicious extensions, new ones continue to pop up at a rapid pace.

Google Removes Several Apps From Play Store Distributing Malware

 

Earlier this week, Google blocked dozens of malicious Android apps from the official Play Store that were propagating Joker, Facestealer, and Coper malware families via the virtual marketplace. 

According to the findings from Zscaler ThreatLabz and Pradeo researchers, the Joker spyware exfiltrated SMS messages, contact lists, and device information and lured victims to sign up for premium service subscriptions. 

A total of 54 Joker downloader apps were unearthed by the two cybersecurity firms, with the apps installed cumulatively over 330,000 times. Nearly half of the apps belonged to communication (47.1%) category followed by tools (39.2%), personalization (5.9%), health and, photography. 

“The tools and communication were among the most targeted categories covering the majority of the Joker-infected apps. ThreatLabz discovered daily uploads of apps containing the Joker malware indicating the high activity level and persistence of the adversary group.” reads the blog post published by Zscaler. “Consistent with previous findings, ThreatLabz's latest discoveries belonging to the Joker malware campaign continue to follow similar developer naming patterns and use of familiar techniques.” 

ThreatLabz experts also uncovered multiple apps compromised with the Facestealer and Coper malware. 

The Facestealer spyware was first unearthed in July last year by Dr. Web researchers, and was designed to steal Facebook users’ logins and passwords and authentication tokens. 

The Coper malware is a banking trojan that targets banking applications in Europe, Australia, and South America. The hackers distribute the apps by disguising them as legitimate apps in the Google Play Store. 

“Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server.” continues the report. 

The researchers recommended users to refrain from granting unnecessary permissions to apps and verify their authenticity by checking for developer information, reading reviews, and scrutinizing their privacy policies. If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your play Store app.

Security Bug Detected in Apple M1 Processor Chipsets

 

MIT researchers have unearthed an “unpatchable” hardware bug in Apple's M1 processor chipsets that could allow hackers to breach its last line of security defenses. 

The security loophole is rooted in a hardware-level security mechanism employed in Apple M1 chips called pointer authentication codes, or PAC. This mechanism restricts a hacker to inject malicious code into a device’s memory and it also shields against buffer overflow exploits, which is a form of assault that forces memory to leak into other locations of the chip and acts as the last line of defense.

Employing assault to identify vulnerability 

MIT researchers demonstrated a novel hardware assault dubbed PACMAN that combines memory corruption and speculative execution to bypass the security feature. The assault depicted that pointer authentication can be breached without leaving a trace, and as it employs a hardware mechanism that cannot be patched with software features. 

The attack works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered. This is done using speculative execution — a methodology employed by modern computer processors to enhance performance by speculatively guessing various lines of computation — to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.

According to the researchers, there are many possible values of a PAC, but with a device that reveals whether a guess is correct or false, one can try them all until they hit the right one. 

“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was,” explained MIT CSAIL Ph.D. student Joseph Ravichandran and co-lead author of the paper. 

“When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger”. 

Multiple chipsets are in danger 

Apple uses PAC on all its M1 chips, including the M1, M1 Pro, and M1 Max. In the coming months, other chip designers, including Samsung along with Qualcomm, are expected to launch new chips supporting PAC. 

If this exploit is not mitigated, it will impact the majority of mobile devices, and likely even desktop devices in the coming years, researchers warned. 

Prevention tips 

To mitigate the risks, modification of the software is required so PAC verification results are never done under speculation, meaning a hacker couldn’t go incognito while attempting to breach. 

The second technique is to guard against PACMAN in the same way Spectre vulnerabilities are being mitigated. And finally, patching memory corruption bugs would ensure this last line of defense isn’t required.

Attackers Use Underground Hacking Forum to Strip Activation Lock from iPhones

 

Checkm8.info, an underground hacking forum is offering users a convenient way to strip ‘activation lock’ from iPhones with its pay-for-hacking service. However, iOS security analysts believe the hackers are tricking people to remove protections from stolen iPhones. 

Activation lock essentially prohibits anyone from activating the device until the owner enters the requested credentials. The lock is enabled when the administrator sets up Find My, the Apple service that allows people to track the location of their iPhone, Mac, or Apple Watch. 

“Activation Lock,” a text popup across the iPhone’s screen read. “This iPhone is linked to an Apple ID. Enter the Apple ID and password that were used to set up this iPhone.” 

The hackers are using checkra1n, an open-source jailbreaking tool published in 2019. Checkra1n employs an exploit called checkm8 designed by the developer known as Axi0mX. According to checkm8.info’s website, Checkm8 is only applicable for devices running iOS versions 12 to 14.8.1 because the latest iPhones have updated bootrom code that is not susceptible to checkm8. 

A video posted on checkm8.info’s website shows how smoothly the process of using the checkm8.info tool is. A user only needs to download the software, install it, open it up, and finally plug it into Mac or PC. Subsequently, the site charges $69.99 per license. 

“Done! You have successfully bypassed the iCloud activation lock on your device,” the video’s female narrator explains. 

Additionally, Checkm8.info provides a service called “Bypass iPhone Passcode.” This service tool is not identical to established iPhone unlocking services such as Cellebrite and GrayShift. “This service restores the device to factory settings and activates it as a new device using a saved activation ticket from the system. So basically, this method has nothing with brute-forcing or user data leak. Passcode phrase is a common name used by other tools for this service so we decided to give it the same name,” the checkm8.info administrator explained. 

Three years ago in 2019, security researcher axi0mX uncovered checkm8, an exploit that enabled the jailbreak of millions of iOS devices. The exploit lay in the bootrom of the compromised devices. Before 2019, the last iOS bootrom-based jailbreak was published way back in 2009, making the Checkm8 exploit even more astonishing feet since many believed the hardware avenue for rooting devices had long been shut down closed.

Twitter to Pay $150M Penalty for Selling Customers' Data

 

Twitter has agreed to pay $150 million to settle a federal privacy suit filed by the US government last week over privacy data violation. 

Between May 2013 and September 2019, Twitter asked users for private details to secure their accounts, but then used that information to target users with ads, the Federal Trade Commission (FTC) and Department of Justice, stated. 

"Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina Khan in a statement. "This practice affected more than 140 million Twitter users while boosting Twitter's primary source of revenue." 

This is not the first incident where Twitter violated the FTC Act, under which the agency is “empowered to prevent unfair or deceptive acts or practices in or affecting commerce.” In 2011, Twitter settled with the FTC, which had accused Twitter of serious loopholes in its data security that allowed attackers to secure unauthorized administrative control of the platform. 

The consent order between the Federal Trade Commission (FTC) and Twitter prevented the company from misrepresenting how it used individuals’ email addresses and phone numbers. 

The fine announced on Wednesday last week has been a couple years in the making. In August 2022, Twitter warned investors regarding an FTC probe and potentially a penalty of more than a hundred million dollars for both violating the FTC Act again and its 2011 settlement. 

“Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences,” the complaint, which was filed by the DOJ on behalf of the FTC, said. 

The social media giant said it will comply with the court’s decision, pay the fine and launch robust privacy and information security program, which will include independent security audits every two years until 2042. 

Further, Twitter will be required to notify all US users who joined its platform before September 17 2019 regarding the settlement and offer them options for guarding their privacy and security in the future.

Facestealer Trojan Identified in More than 200 Apps on Google Play

 

Cybersecurity researchers at TrendMicro have identified more than 200 applications on Google Play distributing spyware called Facestealer used to steal user credentials and other sensitive data, including private keys. The worrying thing is that the number and popularity of these types of applications are increasing day by day, with some even being installed over a hundred thousand times. 

Some malicious applications that users should uninstall immediately include: Daily Fitness OL, Enjoy Photo Editor, Panorama Camera, Photo Gaming Puzzle, Swarm Photo, Business Meta Manager, and Cryptomining Farm Your Own Coin. 

Facestealer, first identified by Doctor Web in July 2021, steals Facebook information from users via malicious apps on Google Play, then uses it to infiltrate Facebook accounts, serving purposes such as scams, fake posts, and advertising bots. Similar to the Joker malware, Facestealer changes its code frequently and has multiple variations. 

"Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Cifer Fang, Ford Quin, and Zhengyu Dong researchers at Trend Micro stated in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play." 

Since being denounced until now, the malicious apps have continuously appeared on Google Play under different guises. For example, Daily Fitness OL is ostensibly a fitness app, but its main goal is to steal Facebook data. Once the application is launched, it will send a request to download the encryption configuration. When the user logs into Facebook, the application opens a WebView browser to load the URL from the downloaded profile. 

Subsequently, a piece of JavaScript code is embedded in the web page to get the login data. After the user is successfully logged into the account, the application collects the cookie, then encrypts all the personally identifiable information (PII) and sends it to the remote server. 

In addition, TrendMicro researchers unearthed 40 fake cryptocurrency miner apps that are variants of similar apps that they discovered in August 2021. The apps trick users into subscribing to paid services or clicking on advertisements. 

To mitigate the risks, users should carefully read reviews from people who have downloaded them before. However, this is also not the optimal solution because many applications will hire highly appreciated services, for example, Photo Gaming Puzzle is rated 4.5 stars, and Enjoy Photo Editor is rated 4.1 stars. Enjoy Photo Editor surpassed 100,000 downloads before Google kicked it out of PlayStore.

Scammers Employ Instagram Stories to Target Users

 

Instagram is the fourth most popular social media platform in the world, with over one billion monthly active users. Almost everyone, from celebrities to your kids, has an Instagram account. This global success makes it a very lucrative target for threat actors. 

According to BBC, the scamming has worsened over the past year, with the Instagram fraud reports increasing by 50% since the coronavirus outbreak began in 2020. Scammers just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door. 

The latest scam involves Instagram backstories. Fraudsters will ask you for help, tell their backstory, and put their fate in your hands. Here are some of the Instagram stories that fraudsters employ to target users: 

  •  "I’m launching my own product line." 
  •  "I’m in a competition and need you to vote for me." 
  • "I’m trying to get verified on Instagram and need people to confirm my fanbase with a link."
  • "I need a help link to get into Instagram on my other phone." This is the most common tactic employed by scammers. 
  • "I’m contesting for an ambassadorship spot at an online influencers program." This one is surprisingly popular, with fake influencers everywhere. 

Scammers try to get access to your Instagram account by sending you a suspicious link, either as an Instagram direct message or via email. They will then ask you not to click the link but merely take a screenshot and send the image back to them. The link is a legitimate Instagram “forgotten password” URL for your account, and fraudsters want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out. 

Regardless, any requests for link screenshots should be treated with extreme suspicion. Whether product lines or ambassador programs, you can safely ignore these messages. If you think you’ve been scammed, report it to Instagram. Change your password and enable two-factor authentication. If you reuse passwords, a scammer could break into more of your accounts. Change those passwords.

Beware of New Phishing Campaign Targeting Facebook Users

 

Facebook users need to remain vigilant after researchers at Abnormal Security uncovered the new phishing campaign designed to steal passwords from admin that run company Facebook pages. The scam begins with a victim being sent a phishing email claiming to be from 'The Facebook Team’. 

The email warns that the user's account might be disabled or the page might be removed over repeatedly posting content that infringes on someone else’s rights. 

Once scaring a victim into thinking their Facebook profile could soon be taken down, the victim is invited to appeal the report by clicking on a link that the security researchers said goes to a Facebook post – and within this post, there's another link that directs users to a separate website. To file an ‘appeal’, a Facebook user is told to enter sensitive information including their name, email address, and Facebook password. 

All this information is sent to the threat actor, who can exploit it to log in to the victim's Facebook page, gather sensitive details from their account, and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too. One of the reasons phishing attacks like this are successful is because they create a sense of urgency. 

“What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook. Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email,” researchers explained. 

“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.” 

If you have already been a victim of this campaign, or want to stay safe from any future threats, Facebook on its website has issued recommendations for its users. The social network advises anyone who thinks they’ve fallen for a phishing scam to report it, change their password, and make sure they log out of any devices they don’t recognize. Facebook also recommends users turn on multi-factor authentication, which helps to add an extra level of security to their account.

Critical Chipset Flaws Enable Remote Spying on Millions of Android Devices

 

Three security flaws in Qualcomm and MediaTek audio decoders have been discovered, if left unpatched which might permit an adversary to remotely access media and audio chats from compromised mobile devices. According to Israeli cybersecurity firm Check Point, the flaws might be exploited to execute remote code execution (RCE) attacks by delivering a carefully prepared audio file. 

The researchers said in a report shared with The Hacker News, "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera. In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations." 

The flaws, termed ALHACK, are based on an audio coding system that Apple created and made open-source in 2011. The Apple Lossless Audio Codec (ALAC) or Apple Lossless audio codec format is used to compress digital music in a lossless manner. Since then, other third-party suppliers have used Apple's reference audio codec implementation as the basis for their own audio decoders, including Qualcomm and MediaTek. While Apple has constantly patched and fixed security problems in their proprietary version of ALAC, the open-source version of the codec has not gotten a single update since it was first uploaded to GitHub on October 27, 2011. 

Check Point revealed three vulnerabilities in this ported ALAC code, two of which were found in MediaTek CPUs and one in Qualcomm chipsets. – 
• CVE-2021-0674 (CVSS score: 5.5, MediaTek) - A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction 
• CVE-2021-0675 (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in the ALAC decoder stemming from out-of-bounds write 
• CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of a number of frames being passed during music playback 

The vulnerabilities allowed Check Point to "grab the phone's camera feed" in a proof-of-concept exploit, according to security researcher Slava Makkaveev, who discovered the issues alongside Netanel Ben Simon. All three vulnerabilities were addressed by the individual chipset manufacturers in December 2021, following responsible disclosure. 

"The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone," Makkaveev explained.

Beware of iCloud Phishing Attacks, MetaMask Warns Apple Users

 

ConsenSys-owned crypto wallet provider MetaMask is warning its community regarding possible phishing attacks via Apple’s iCloud service. In a Twitter thread posted on April 17, the company warned its customers that the encrypted passwords for their accounts, called MetaMask vaults, will be uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app. 

 As a result, a phishing account that exploits a customer’s iCloud account will also compromise their passwords and hence their crypto wallets. This comes after an Apple user, who goes by “revive_dom” claimed on Twitter to have lost crypto assets worth $650,000 from his MetaMask crypto wallet. 

“This is how it happened. Got a phone call from Apple, literally from Apple (on my caller Id) Called it back because I suspected fraud and it was an Apple number. So, I believed them. They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped,” the user wrote in his thread. 

The phishing campaign involves certain default device settings in iPhones, iPads which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their application data. Metamask is an online crypto wallet that allows users to store their crypto assets such as Bitcoin, Ethereum, etc, as well as non-fungible-tokens (NFTs).

“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds,” the company tweeted. 

Serpent, the founder of a project called DAPE NFT, explained how the fraudsters stole from a victim. On April 15, the victim received multiple text messages asking to reset his Apple ID password along with a supposed call from Apple which was ultimately a spoofed caller ID.

During the call, the fraudsters said there was unusual activity on the victim’s Apple ID and asked for a one-time verification code. This is the six-digit verification code sent out to a user when they want to reset their Apple ID password or even login from a different laptop or iPhone, iPad, etc. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim's MetaMask.

 How to shut cloud backups?

Metamask in a warning tweet has requested users to disable iCloud backups by following the steps mentioned below: - 

Go to Settings > Profile > iCloud > Manage Storage > Backups, then turn off the toggle. 

To ensure that iCloud will not “surprise” you with backups you didn’t allow, go to Settings > Apple ID/iCloud > iCloud Backup and turn it off.

Google Strengthens Android Security With a New Set of Dev Policy Updates

 

Google has announced several important policy changes for Android app developers that will improve the security of users, Google Play, and the apps available through the service. 
These new developer requirements will be in effect from May 11th through November 1st, 2022, allowing developers plenty of time to adjust. The following are the most important policy changes related to cybersecurity and fraud that will be implemented: 
  • New API level target requirements.
  • Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
  • Prohibiting the abuse of the Accessibility API.
  • New policy changes for the permission to install packages from external sources.
All newly released/published apps must target an Android API level released within one year of the most recent major Android version release starting November 1, 2022. Those who do not comply with this criterion will have their apps banned from the Play Store, Android's official app store. 

Existing apps that do not target an API level within two years of the most recent major Android version will be eliminated from the Play Store and become undiscoverable. This change is intended to compel app developers to follow the tougher API regulations that underpin newer Android releases, such as better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features. 

According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer." 

App developers who require extra time to migrate to more recent API levels can request a six-month extension, albeit this is not guaranteed. Many outdated apps will be forced to adopt better secure methods as a result of this policy change. 

Accessibility API abuse

The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, enabling the creation of new ways to operate the device using its applications. However, malware frequently exploits this capability to do actions on an Android smartphone without the user's permission or knowledge. As noted below, Google's new policies further restrict how this policy can be applied: 
  • Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software; 
  • Workaround Android built-in privacy controls and notifications; or
  • Change or leverage the user interface deceptively or otherwise violates Google Play Developer Policies.
Google has also released a policy change that tightens the "REQUEST INSTALL PACKAGES" permission. Many malicious software publishers hide package-fetching technology that downloads malicious modules after installation to have their submission accepted on the Play Store. Users interpret these activities as "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background. 

Google aims to narrow this loophole by imposing new permission requirements, bringing light to an area that was previously unregulated. Apps that use this permission must now only fetch digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST INSTALL PACKAGES policies will enter into force on July 11th, 2022.

SharkBot Android Trojan Resurfaces On Google Play Store

 

Check Point researchers have unearthed multiple malicious Android apps on the Google Play Store posing as an antivirus applications to deploy the SharkBot Android trojan. 

The malicious banking trojan was initially spotted in November last year when it was only being deployed via third-party application stores. The primary motive was on initiating illegal money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in authentic applications. 

Last month, NCC Group reported that multiple SharkBot droppers had infiltrated Google Play, all of which showed similar code and behavior. The first SharkBot dropper discovered in Google Play masqueraded as antivirus solutions. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date. 

Apparently, on March 9th, Google removed four apps in question, and a few days after that, another SharkBot dropper was identified. The app was reported right away, so no installations for this one. The same happened on March 22 and 27. Those new droppers got removed from Google Play due to quick discovery. 

According to Check Point researchers, they identified a total of seven droppers in Google Play, published from developer accounts that were active in late 2021, and which had some of their applications removed from the store. However, these malicious apps have been already installed more than 15,000 times before the takedown from the store. 

Once installed on an Android device, SharkBot exploits Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. Thus, when victims enter their usernames and passwords in the windows that mimic benign credential input forms, the stolen data is sent to a malicious server. 

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group stated. 

The malicious Android trojan also employs geofencing features and bypassing techniques, which makes it unique from other mobile banking viruses. The particular features include ignoring the users from China. Romania, Russia, Ukraine, Belarus, India. The majority of victims reside in Italy and the United Kingdom.

New Android Spyware Linked to Russia Hacking Group Turla

 

A new Android spyware application has been spotted and detailed by a team of cybersecurity experts that records audio and tracks location once planted in the device. The spyware employs an identical shared-hosting infrastructure that was previously identified to be employed by a Russia-based hacking group known as Turla. 

However, it remains unclear whether the Russian hacking group has a direct connection with the recently identified spyware. It reaches through a malicious APK file that works as Android spyware and performs actions in the background, without giving any clear references to users. 

Researchers at threat intelligence firm Lab52 have discovered the Android spyware that is named Process Manager. Once installed, the malware removes its gear-shaped icon from the home screen and operates in the background, exploiting its wide permissions to access the device's contacts and call logs, track its location, send and read messages, access external storage, snap pictures, and record audio. 

The spyware collects all the data in JSON format and subsequently transmits it to a server located in Russia. It is not clear whether the app receives permissions by exploiting the Android Accessibility service or by luring users to grant their access. 

According to Lab52 researchers, authors of the Android spyware have exploited the referral system of an app called Roz Dhan: Earn Wallet Cash which is available for download on Google Play and has over 10 million downloads. The spyware attempts to download and install an application using a goo.gl that eventually helps malicious actors install it on the device and makes a profit out of its referral system.

It seems relatively odd for spyware since the cybercriminals seem to be focused on cyber espionage. According to Bleeping Computer, the strange behavior of downloading an app to earn commissions from its referral system suggests that spyware could be a part of a larger scheme that is yet to be uncovered. 

"The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by the malware," the researchers said. "The attacker installs it on the device and makes a profit." 

To mitigate the risks, Lab52 researchers have recommended Android users avoid installing any unknown or suspicious apps on their devices. Users should also review the app permissions they grant to limit access of third parties to their hardware.

Trojanized Apps are Being Employed to Steal Cryptocurrency From iOS and Android Users

 

ESET, an antivirus manufacturer and internet security firm has unearthed and backtracked a sophisticated malicious cryptocurrency campaign that targets mobile devices using Android or iOS operating systems (iPhones). 

According to ESET, malware authors are distributing malicious apps via fake websites, mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Subsequently, attackers use ads placed on legitimate websites with misleading articles to promote the fake websites that distribute these malicious wallet apps. 

Additionally, intermediaries have been recruited via Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading the malicious apps. While the primary motive of the campaign is to exfiltrate users' funds, ESET researchers have mainly noticed Chinese users being targeted but with cryptocurrencies becoming more popular, the firm's researchers expect the methodologies used in it to spread to other markets. 

The campaign tracked since May 2021, seems to be controlled by a single criminal group. The malicious cryptocurrency wallet apps are designed in such a manner that they replicate the same functionality of their original counterparts, while also incorporating malicious code changes that enable the theft of crypto assets. 

"These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers' server using an unsecured HTTP connection," Lukáš Štefanko, senior malware researcher at ESET stated. "This means that victims' funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network." 

The Slovak cybersecurity firm said it also uncovered dozens of groups promoting malicious apps on the Telegram messaging app that were, in turn, shared on at least 56 Facebook groups in hopes of landing new distribution partners for the fraudulent campaign. 

The investigation also showed that there are 13 unearthed applications that masquerade as the Jxx Liberty Waller on the Google Play store, all of which have since been removed from the Android app marketplace. However, before the takedown in January, these applications were installed more than 1100 times. "Their goal was simply to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group," Štefanko concluded.

Scammers are Using Novel Technique to Target iPhone and Android Users

 

Cybersecurity researchers have unearthed a new methodology employed by fraudsters to target iPhone and Android users by tricking them into installing malware via dubious apps and use it to swipe thousands of dollars.

According to researchers at cybersecurity firm Sophos, a scam campaign dubbed CryptoRom typically begins with social-engineering attack, in which a scammer befriends a victim through dating apps like Tinder, Bumble, or Facebook Dating.

The scammer then moves their conversation to messaging apps such as WhatsApp and asks the victim to install a cryptocurrency trading application that's designed to mimic popular brands and lock people out of their accounts and freeze their funds. In some cases, victims are forced to pay a “tax” to withdraw their money, which they learn by chatting with an in-app customer service representative who is part of the malicious campaign. 

"This style of cyber-fraud, known as sha zhu pan — literally 'pig butchering plate' — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," stated Sophos analyst Jagadeesh Chandraiah. 

The malicious campaign exploits iOS TestFlight and Apple WebClip to deploy fake mobile apps and websites onto victims’ phones without being subject to the rigorous app store approval process. The malicious campaign was initially used in Asia but has hit the U.S. and European victims since October 2021. 

TestFlight is used for testing the beta version of apps before they head to the App Store. It is used for small internal tests, sent out to 100 users by email, and public beta tests distributed to up to 10,000 users. But the scammers exploit the TestFlight feature, which provides a way for users to download bogus apps outside of the App Store, researchers explained. 

Sophos researchers said some victims installed malicious versions of the legitimate BTCBOX Japanese crypto exchange app that were made available through the TestFlight feature. 

The fraudsters also employed iOS WebClips to trick iPhone users, as they were sent malicious URLs via the service. WebClips offers fast access to favorite webpages or links, as Apple highlights, with researchers stating that it can be employed to design fake apps to appear more authentic.

Android Trojan Spotted in Multiple Applications on Google Play Harvesting User Credentials

 

Cybersecurity researchers at Dr. Web monitoring the mobile app ecosystem have spotted a major tip in trojan infiltration on the Google Play Store, with one of the applications having over 500,000 installations and available to download. 

The majority of these applications belong to a family of trojan malware used in a variety of scams, resulting in money losses as well as the theft of sensitive private details. Additionally, a new Android trojan called ‘Android.Spy.4498’ designed as a WhatsApp mod has been discovered in the wild. The trojan is spreading via malicious websites promoted by social media posts, forums, and SEO poisoning.

According to Dr. Web's report published in January 2022, the ‘Android.Spy.4498’ was identified in some of the unofficial WhatsApp applications (mods) named GBWhatsApp, OBWhatsApp, or WhatsApp Plus. These mods provide Arabic language support, home screen widgets, separate bottom bar, hide status options, call blocking, and the ability to auto-save received media. These mods are popular in the online communities because they offer additional features not available in the vanilla WhatsApp.

The Trojan is also capable of downloading apps and offering users to install them in order to display dialog boxes with the content it receives from malicious actors. During the attack, Android.Spy.4498 requests access to manage notifications and read their content. 

Additionally, the threats identified on the Play Store include cryptocurrency management applications, social benefit aid tools, Gasprom investment clones, photo editors, and a launcher themed after iOS 15. The majority of fake investment apps trick the victims to design a new account and deposit money supposedly for trading, which is simply transferred to the fraudster’s bank account. Other apps attempt to trick the user into signing up for expensive subscriptions. 

The user reviews under the app describe tactics that resemble subscription scams, charging $2 per week for verification or ad removals, yet offering nothing in return. As the report details, apps discovered by security analysts will load affiliate service sites and enable paid subscriptions through the Wap Click technology after tricking the user into entering their phone number.  

To mitigate the risks, researchers advised installing the apps from trustworthy sources, checking user reviews, scrutinizing permission requests upon installation, and monitoring battery and internet data consumption afterward. Also, to monitor the status of Google Play Protect regularly and add a second layer of protection by using a mobile security tool from a reputable vendor.