Search This Blog

Showing posts with label iOS. Show all posts

Apple Launches Passkey Feature For Password-less Verification

At WWDC 2022, Apple previewed and announced iPad OS 16, iOS 16, macOS 13, new MacBook Air and Pro, watchOS 9, new M2 chips, and other latest gadgets. With the improved functional features and new gadgets that have been added to these solutions, the aim is to strengthen user privacy and security. In May 2022, Google, Microsoft, and Apple announced to widen assistance for a common password-less sign-in standard developed by the FIDO Alliance, and the World Wide Web Consortium. 

According to the FIDO alliance, these companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use password-less functionality. The widened assistance means that users can automatically get their FIDO login credentials also known as "passkey" for their old and new devices without the need to re sign-up for every account. 

Besides this, the users can also use FIDO verification on their smartphones to log in to applications, websites, or any nearby devices. With Apple's new operating systems and tech, the extended support when practiced will lead to secure browsing in Safari and macOS Ventura, iOS and iPad 16, with passwords. Apple says passkeys are unique digital keys that stay on the device and are never stored on a web server, so hackers can’t leak them or trick users into sharing them. 

Made to replace the need for passwords, passkeys work using Face ID, Touch ID for biometric authentication, and iCloud Keychain to sync with iPad, iphone, Mac, and Apple TV via end-to-end encryption. Apple says "[Safety Check] includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand. It also helps users understand and manage which people and apps they’ve given access to."

Safeguarding Android Users From Zero-Day Attacks

 

The term "zero-day" refers to newly found security flaws that hackers can exploit to attack systems. It refers to the fact that the vendor or developer only recently discovered the fault, leaving them with "zero days" to repair it. A zero-day attack is when a zero-day exploit is used to harm or steal data from a system that has been exposed to a vulnerability.

Google's Threat Analysis Group (TAG) is always on the lookout for zero-day exploits. In 2021, it revealed nine zero-day exploits impacting Chrome, Android, Apple, and Microsoft, resulting in updates to safeguard consumers. Google believes that these attacks were bundled by a single commercial monitoring firm called Cytrox.

Cytrox is a North Macedonian firm with offices in Israel and Hungary that was exposed in late 2021 as the creator and maintainer of the spyware "Predator". 

According to new Google research, Cytrox offers new exploits to government-backed actors, who subsequently deploy them in three separate attack campaigns. Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are among the actors who purchased Cytrox services. 

The hackers take advantage of the time differential between when some significant problems were patched but not identified as security issues and when these fixes were fully propagated across the Android ecosystem, using 0-day exploits alongside n-day exploits. 

These findings highlight the extent to which commercial surveillance vendors have proliferated capabilities that were previously solely available to governments with the technical know-how to build and deploy exploits. TAG is actively tracking more than 30 vendors providing exploits or surveillance capabilities to government-backed entities, with different levels of sophistication and public exposure.

The three initiatives were all emailed to targeted Android users with one-time URLs that looked like URL shortener services. The campaign was small - researchers estimate that the number of users targeted in each case was in the tens of thousands. When the link was clicked, the target was sent to an attacker-controlled domain that provided the bugs before redirecting the browser to a legitimate website. The user was forwarded to a valid website if the link was not active. These ads are believed to be transmitted by ALIEN, a simple Android malware capable of loading PREDATOR, an Android implant first reported by CitizenLab in December 2021. 

  • Campaign 1 – Chrome redirection to SBrowser (CVE-2021-38000): In August 2021, the first campaign was discovered using Chrome on a Samsung Galaxy S21, and the webserver immediately responded with an HTTP redirect (302) pointing to the following intended URL. This URL took use of a logic issue in Chrome to force the Samsung Browser to load another URL without user intervention or warnings. 
  • Campaign 2 – Chrome sandbox escape: TAG discovered a campaign in September 2021, in which the exploit chain was sent to a fully updated Samsung Galaxy S10 running Chrome. The exploit that was utilized to get out of the Chrome Sandbox was retrieved, but not the original RCE exploit. The libchrome-embedded sandbox escape was loaded directly as an ELF binary. Libmojo bridge is also custom. The exploit was found to have two separate vulnerabilities in Chrome that are given below: 
  1. CVE-2021-37973: In the handling of Portals API and Fenced subframes, there is a use-after-free vulnerability. 
  2. CVE-2021-37976: A memory instrumentation. mojom. Coordinator information leak allows privileged programs to obtain Global Memory Dumps. These dumps contain sensitive data (addresses) that can be utilized to circumvent ASLR. After escaping the sandbox, the vulnerability downloaded another exploit to raise privileges and install the implant in /data/data/com.android.chrome/p.so. 
  • Campaign 3 – Android 0-day exploit chain in its entirety (CVE-2021-38003, CVE-2021-1048): A full chain exploits on an up-to-date Samsung phone running the newest version of Chrome in October 2021. Two zero-day exploits were included in the chain: CVE-2021-38003, a JSON renderer 0-day vulnerability. The whole value is leaked, allowing the attacker to totally exploit the renderer. The sandbox escape relied on a Linux kernel fault in the epoll() system call. The attacker can use this system call to escape the BPF sandbox and compromise the system by injecting code into privileged processes. 
Google hasn't been able to locate a copy of the exploit and will continue to keep the community informed as they learn more about these campaigns. To combat these issues, a robust, comprehensive approach will be required, involving collaboration between threat intelligence teams, network defenders, university researchers, and technology platforms.

Apple Launched a Safety Fix for a Zero-day Flaw

 

Apple released an emergency patch for iPhone, Mac, and iPad early last month that addressed two zero-day vulnerabilities in the various operating systems. Now, just days after the launch of iOS 15.5, Apple is asking Mac and Apple Watch owners to upgrade. 

Zero-day vulnerabilities are defects in software that the vendor is ignorant of and has not yet patched. Before a fix is released, this type of vulnerability may have publicly available proof-of-concept hacks or be actively exploited in the wild. Apple stated in security warnings released on Monday that they are aware of reports this security flaw "may have been actively exploited."

CVE-2022-22675 is a bug in AppleAVD, an audio and video extension that allows programs to run arbitrary code with kernel privileges. Apple patched the flaw in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with enhanced bounds checking after unknown researchers reported it. Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD are all among the affected. 
  • In 2022, Apple had five zero-day vulnerabilities. Apple patched two more zero-day vulnerabilities in January, allowing hackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and track online surfing habits and user identities in real-time (CVE-2022-22594). 
  • Apple also issued security upgrades to address a new zero-day vulnerability (CVE-2022-22620) that was used to compromise iPhones, iPads, and Macs.
  •  Two more actively exploited zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder were discovered in March (CVE-2022-22675). The latter is also backported in older macOS versions, including watchOS 8.6 and tvOS 15.5. 

Apple did not previously disclose specifics about the flaw to prevent hackers from using the knowledge. While, throughout last year, Apple fixed a slew of zero-day vulnerabilities that had been discovered in the wild and targeted iOS, iPadOS, and macOS devices. 

How do I upgrade my Mac? 
  • In the corner of the screen, select the Apple menu, and 'System Preferences' will appear. 
  • Click 'Software Update' in the following menu. 
  • Then select 'Update Now' or 'Upgrade Now' from the menu. 
If you're still using an older version of the operating system, such as Big Sur, click 'Upgrade Now' to upgrade to the most recent version. Monterey is approximately 12GB in size. 

How to manually update your Apple Watch: 
  • Open the Apple Watch app on your iPhone, then tap the 'My Watch' tab. 
  • Select 'Software Update' from the General menu. 
  • Install the update. If your iPhone or Apple Watch passcode is requested, enter it. 
  • On your Apple Watch, wait for the progress wheel to display. The update could take anything from a few minutes to an hour to finish.

Apple Awards Bounty of $100,500 for Finding Flaws in MacBook

In 2021, Apple patched a set of MacOs vulnerabilities exposing the Safari browser to attack and letting threat actors hack users' online accounts, cameras, and mic. Cybersecurity expert Ryan Pickren, who found these vulnerabilities and reported back to company Apple, was given a $100,500 bug bounty, considering the critical scale of the vulnerabilities. These bugs exploit a set of security issues with iCloud sharing and Safari 15. 

It allows the hacker to control multimedia permissions and gain full access to all sites that the user has opened using the Safari browser. It also includes Gmail, iCloud, PayPal, and Facebook accounts. The problem is primarily concerned with ShareBear, it is an iCloud file-sharing platform that prompts users to open a shared document. Pickren noticed that the prompt doesn't ask the user to open a file after a user opened it once. 

Pickren concluded that this can allow a threat actor to play with the file's components if he has access to the files. "ShareBear will then download and update the file on the victim's machine without any user interaction or notification. 

In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment," explains Pickren in his writeup. In simpler terms, a .PNG format image file can have all its content and extension converted into an executable binary ("evil.dmg") once the user has opened the file. 

After this, one can launch the binary, which triggers exploit chain vulnerabilities that influence extra bugs found in Safari to control a system's mic and camera and steal local files stored in the device. It is not the first time Pickren disclosed bugs in iOS and macOS that allows a threat actor to gain access to a system and control its commands. 

The unauthorized access is gained when the victim opens a certain file type. He says "this project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous."

New Safari Vulnerability Could have given Attackers Access to Your Mac Webcam

 

Apple has awarded a cybersecurity student $100,500 (roughly Rs 75,54,000) in bounty rewards for finding a bug in Apple’s macOS, which enabled malicious actors to access the victims’ logged-in online accounts and even get into their webcams. 

Ryan Pickren, reported the flaw to Apple last summer, and was patched earlier this month. Pickren is no stranger to Apple bugs, as he uncovered an iPhone and Mac camera vulnerability earlier in April 2020. Now, he has exposed another Mac webcam bug that allows attackers to breach into the device and access sensitive user information. 

According to a report by AppleInsider, this Apple Mac webcam bug was related to a series of issues with iCloud and Safari browser. 

The vulnerability grants the hacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So, it does allow me to fully perform an account takeover on every website you visited in Safari," Pickren explained in a blog post. 

According to Pickren, it all began with exploiting the Safari browser (Safari v15 when he attempted this) and gaining access to the webarchive files. Webarchives are local storage for the Safari browser where it saves local copies of websites to open them faster. This wouldn’t be a problem, were it not for the simple fact that the downloaded files could later be altered by the author. So, a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file. 

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well, today it's an executable binary that will be automatically launched whenever I want,” Picker explained in a further blog post.

To open the webarchive file, Pickren further explains, he needed to bypass the Gatekeeper restriction, which turned out to be relatively simple. He used a fileloc to point to a local app (a technique known as Arbitrary File Execution) which was a great example of how even with macOS Gatekeeper enabled, an attacker could trick approved apps into performing malicious tasks 

Typically, researchers disclose the exploits after the company has fixed the issue, which explains why Pickren is posting about this now. The reason is to ensure that the flaw is patched before attackers can start exploiting it. 


Cisco SD-WAN Security Flaw Allows Root Code Execution

 

Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation flaw in the IOS IE operating system, which could result in arbitrary code execution. 

Cisco's SD-WAN portfolio enables enterprises of all sizes to link different office sites over the cloud utilising a variety of networking technologies, including standard internet connections. Appliances at each location allow advanced analytics, monitoring, application-specific performance specifications and automation throughout a company's wide-area network. Meanwhile, IOS XE is the vendor's operating system that runs those appliances. 

The vulnerability (CVE-2021-1529) is an OS command-injection flaw that allows attackers to execute unexpected, harmful instructions directly on the operating system that would otherwise be inaccessible. It exists especially in the command-line interface (CLI) for Cisco's IOS XE SD-WAN software, and it could permit an authenticated, local attacker to run arbitrary commands with root privileges. 

According to Cisco’s advisory, posted this week, “The vulnerability is due to insufficient input validation by the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” 

The alert further stated that the exploit method would comprise authenticating to a susceptible device and delivering "crafted input" to the system CLI. An attacker with successful compromise would be able to read and write any files on the system, execute operations as any user, modify system configurations, install and uninstall software, update the OS and/or firmware, and much more, including subsequent access to a corporate network. 

CVE-2021-1529 has a rating of 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) have advised organisations to fix the problem as soon as possible. 

Greg Fitzgerald, the co-founder of Sevco Security, cautioned that some firms may still have outdated machines connected to their networks, which might provide a hidden threat with issues like these. 

He stated in the email, “The vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about. The problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can’t patch a vulnerability for an asset they don’t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

This is solely the latest SD-WAN vulnerability addressed by Cisco this year. It patched many significant buffer-overflow and command-injection SD-WAN flaws in January, the most serious of which could be abused by an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected server.

Researchers Make Contactless Visa Payment Using iphone Flaw

 

Cybersecurity experts in a video showed how to make a contactless Visa payment of €1,000 from a locked iphone. These unauthorised payments can be made while the iPhone is locked, it is done via exploiting an Apple Pay feature built to assist users transaction easily at ticket barriers payments with Visa. 

Apple responded by saying the problem is concerned with a Visa system. However, Visa says that its payments are safe and the such attacks lie outside of its lab and are impractical. Experts believe that the problem exists in the Visa cards setup in 'Express Transit' mode in iPhone wallet. 

It is a feature (express transit) which allows users to make fast contactless payments without unlocking their phone. However, the feature turned out to be a drawback with Visa system, as experts found a way to launch an attack. While scientists demonstrated the attack, the money debited was from their personal accounts. 

How does the attack look? 

  • A small radio is placed beside the iPhone, the device thinks of it as a legit ticket barrier. 
  • Meanwhile an android phone runs an application to relay signals (developed by experts) from the iPhone to a contactless transaction platform, it could be in a shop or a place that is controlled by the criminal. 
  • As the iPhone thinks the payment is being done to a ticket barrier, it doesn't unlock. 
However, the iPhone's contact with the transaction platform is altered to make it think that the iPhone has been unlocked and an authorized payment is done which allows high value payments, without the need of fingerprint, PIN, or Face Id verification. 

The experts while demonstrating in a video did a €1,000 Visa transaction without unlocking the iPhone, or authorizing the payment. According to experts, the payment terminals and android phones used here don't need to near the targeted iPhone. 

As of now, the demonstration has only been done by experts in the lab and no reports of the feature exploit in the wild have been reported. "The researchers also tested Samsung Pay, but found it could not be exploited in this way.They also tested Mastercard but found that the way its security works prevented the attack. 

Co-author Dr Ioana Boureanu, from the University of Surrey, said this showed systems could be "both usable and secure". The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy," reports BBC.

New AdLoad Malware Circumvents Apple’s XProtect to Infect macOS Devices

 

As part of multiple campaigns detected by cybersecurity firm SentinelOne, a new AdLoad malware strain is infecting Macs bypassing Apple's YARA signature-based XProtect built-in antivirus. 

AdLoad is a widespread trojan that has been aiming at the macOS platform since late 2017 and is used to distribute a variety of malicious payloads, including adware and Potentially Unwanted Applications (PUAs). This malware can also harvest system information and send it to remote servers managed by its operators. 

According to SentinelOne threat researcher Phil Stokes, these large-scale and continuing attacks began in early November 2020, with a spike in activity commencing in July and early August. 

AdLoad will install a Man-in-the-Middle (MiTM) web proxy after infecting a Mac to compromise search engine results and incorporate commercials into online sites for financial benefit. 

It will also acquire longevity on infected Macs by installing LaunchAgents and LaunchDaemons, as well as user cronjobs that run every two and a half hours in some circumstances. 

According to SentinelLabs, “When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the com. prefix.” 

During the period of this campaign, the researcher witnessed over 220 samples, 150 of which were unique and went unnoticed by Apple's built-in antivirus, despite the fact that XProtect presently comprises of dozen AdLoad signatures. 

Many of the SentinelOne-detected samples are also signed with legitimate Apple-issued Developer ID certificates, while others are attested to operate under default Gatekeeper settings. 

Further, Stokes added, "At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules." 

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices." 

To effectively comprehend the significance of this threat, Shlayer's case can be considered which is another common macOS malware strain capable of bypassing XProtect and infecting Macs with other malicious payloads. 

Shlayer recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs. 

Even though these malware strains are just delivering adware and bundleware as secondary payloads, for the time being, their developers can, however, switch to distributing more serious malware at any point. 

Apple’s head of software, under oath, while testifying in the Epic Games vs. Apple trial in May said, "Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS."

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with news revealing its unlawful use infringing on many people's basic human rights. With such remote surveillance now accessible via an infected device, the issue of cybersecurity has grown more pressing than ever. According to sources from throughout the world, NSO Group's software was used to spy on around 50,000 people, including politicians, businessmen, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the Pegasus spyware's beginnings and how it differs from vulnerabilities. “Pegasus is a spyware with versions for both iOS and Android devices,” he explains. Even in 2017, the criminal had the ability to “read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things.” To clarify, Galov argues that Pegasus is a sophisticated and costly malware. It was created with the intent of spying on people of particular interest. As a result, the typical user is unlikely to be a target. 

However, the spyware's sophistication makes it one of the most powerful tools for spying on one's smartphone. Pegasus has evolved over time to attack a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be seen under forensic examination. According to Galov, many parties on the darknet can sell and buy malware as well as zero-day vulnerabilities. Vulnerabilities can cost up to $2.5 million - that's how much the whole chain of Android vulnerabilities was offered for, in 2019. 

Amnesty International researchers have created a toolkit that can assist consumers to determine whether their phone has been infected with spyware. The open-source toolkit has been made accessible on GitHub by Amnesty International. Users must first download and install a python package from the MVT (Mobile Verification Toolkit) website's documentation. It also contains advice on how to complete the procedure on both iOS and Android. Users must take a backup of their iOS device before launching MVT. 

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

Low-Risk iOS Wi-Fi Naming Issue can Compromise iPhones Remotely

 

According to recent research, the Wi-Fi network name issue that entirely disabled an iPhone's network connectivity had remote code execution capabilities and was discreetly patched by Apple earlier this year. 

On Monday, Apple released iOS 14.7 for iPhones, which includes bug fixes and security improvements as well as a remedy for the Wi-Fi denial-of-service issue. However, the company has not yet provided security information that may suggest whether its vulnerability has been fixed. 

The denial-of-service vulnerability, which was discovered last month, was caused by the way iOS managed string formats associated with the SSID input, causing any up-to-date iPhone to crash when connected to wireless access points with percent symbols in their names, such as "%p%s%s%s%s%n." 

While the problem could be solved by resetting the network settings (Settings > General > Reset > Reset Network Settings), Apple is likely to provide a fix in iOS 14.7, which is currently accessible to developers and public beta testers. 

Researchers from mobile security automation business ZecOps discovered that the same flaw could be abused to accomplish remote code execution (RCE) on targeted devices by simply adding the string pattern " % @" to the Wi-Fi hotspot's name, which may have had far-reaching repercussions. 

The issue was termed "WiFiDemon" by ZecOps. It's also a zero-click vulnerability as it allows a threat actor to infect a device without needing user interaction, however, it does necessitate that the setting to automatically connect Wi-Fi networks is enabled (which it is, by default). 

"As long as the Wi-Fi is turned on this vulnerability can be triggered," the researchers noted. "If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack." 

"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk," the company stated. "

After turning off the malicious access point, the user's Wi-Fi function will be normal. A user could hardly notice if they have been attacked.

The RCE variant was discovered to be exploitable in all iOS versions before iOS 14.3, with Apple "silently" fixing the problem in January 2021 as part of their iOS 14.4 release. The vulnerability was not issued a CVE identifier. 

Given the vulnerability's exploitability, iPhone and iPad owners must update to the most recent iOS version to reduce the risk associated with the flaw.

Tim Cook Claims Android has 47 Times the Amount of Malware as iOS

 

During a live chat, Apple CEO Tim Cook stated that Android has more malware than iOS and that "sideloading" mobile software is not in the "best interests of users." Sideloading apps entails manually downloading and installing software over the Internet rather than from an app store. Apple's security and privacy would be ruined if it were compelled to enable side-loading programmes, as Android does, he stated on June 16 while speaking remotely at the VivaTech 2021 conference in Paris, France. 

When asked about the planned European law known as the Digital Markets Act (DMA), which attempts to prohibit big digital corporations from monopolizing their market position, Cook stated that Apple opposes it because it would require the company to allow consumers to install apps outside of the App Store. Cook also stated that Android has "47 times more malware" than Apple since iOS is created with a single app store. 

Explaining the reason, Cook added, "It's because we've designed iOS in such a way that there's one app store and all of the apps are reviewed prior to going on the store. And so that keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we're going to be standing up for the user in the discussions." 

Cook further claimed that the DMA's present language, which will compel side-loading on the iPhone, will "destroy the security" of the smartphone and many of the App Store's privacy measures. 

DMA targets firms with a huge user base, such as Apple, Google, and Amazon, and encourages them to open up their platforms to competitors. The proposed rule also intends to provide a more level playing field for businesses and individuals who rely on large "gatekeeper" online platforms to sell their goods and services in a single market. 

“We've been focusing on privacy for over a decade,” Cook stated when asked about Apple's commitment to privacy. “We see it as a basic human right. A fundamental human right. And we've been focused on privacy for decades. Steve used to say privacy was stating in plain language what people are signing up for and getting their permission. And that permission should be asked repeatedly. We've always tried to live up to that.”

Is Apple's Monopoly Making Its Security Vulnerable?


It's a well-known fact that Apple’s devices are undoubtedly way safer than any other company’s products, however, in recent research analysis, many reports claimed it to be a myth. 

According to the experts, Apple’s complex process of downloading apps has created a notion of added security but seemingly such is not the case, as revealed in deeper examinations. 

Reportedly, around 2% of the top-grossing iOS apps, are in some way, scams. Customers of several VPN apps, which protect users’ data, have complained against Apple App Store – saying that their devices are contaminated by a virus that tricks them to download and pay for software that they don’t need. 

An illegal QR code reader app that remains for a week on the store tricks users into paying $4.99. Moreover, some apps even mock themselves as being from big global organizations such as Amazon and Samsung. 

Apple always maintained its exclusive command on the App Store and describes this as its policy which is essential for customer’s sensitive personal credentials. Apple has a monopoly in the App market in terms of customer trust. However, some analysts said that this is indeed the biggest problem that there is no competition against this giant in the market, if some companies will come with alternatives then– as a matter of fact – Apple will invest more money in strengthening their security measures. 

“If consumers were to have access to alternative app stores or other methods of distributing software, Apple would be a lot more likely to take this problem more seriously,” said Stan Miles, an economics professor at Thompson Rivers University in British Columbia, Canada. 

As per the statistics, that Apple generates huge profit from the App store; around 30 percent of its revenue is constituted by the App store. 

Apple spokesperson Fred Sainz said in a statement that, “We hold developers to high standards to keep the App Store a safe and trusted place for customers to download software, and we will always take action against apps that pose a harm to users…” 

“…Apple leads the industry with practices that put the safety of our customers first, and we’ll continue learning, evolving our practices, and investing the necessary resources to make sure customers are presented with the very best experience.”

167 Fake iOS & Android Trading Apps Brought to Light by Researchers

 

Sophos, a worldwide leader in cybersecurity, has found 167 fake Android and iOS apps that criminals have been using to rob people who still believe they have a very well, trustworthy financial trading, banking, or cryptocurrency application. A research article titled, ‘Fake Android and iOS apps disguised as trading and cryptocurrency apps,’ illustrates how criminals utilized social technology, fake web pages like a fake iOS App Slot, and an iOS app tester to deliver the fake apps to unsuspecting customers. 

Fake applications were investigated and the results showed that all were very similar to each other, as stated by Sophos researchers. Many have included the "chat" option to integrate customer service. When researchers attempt to communicate by using chat with support teams, answers were almost alike. They also discovered a single server loaded with 167 counterfeit trading and cryptocurrency applications. In combination, this indicates that, according to Sophos, all fraud might be carried out by the same party. 

In one of the scenarios examined, the scammers approached the customers through a dating app by creating a profile and exchanging messages with specific objectives before attempting to encourage them to download and add money and cryptocurrency to a counterfeit application. The attackers blocked access when their targets later tried to withdraw funds or close the account. 

In other instances, websites built to resemble a reputable company, such as a bank, have been able to attract the targets. To persuade the users to install an app from the genuine App Store, they have even developed a fake "iOS App Store" download page with fabricated customer reviews. 

When the visitors pressed upon the links to install fake apps for Android or iOS, something like a smartphone web app was obtained but was only a shortcut icon connected to a fake website. 

Technicians have also delivered fake iOS applications via third-party websites to encourage developers towards testing new applications with a small number of Apple device users before applying to the official App Store. 

“People trust the brands and people they know – or think they know – and the operators behind these fake trading and cryptocurrency scams ruthlessly take advantage of that,” said Jagadeesh Chandraiah, a senior threat researcher at Sophos. “The fake applications we uncovered impersonate popular and trusted financial apps from all over the world, while the dating site sting begins with a friendly exchange of messages to build trust before the target is asked to install a fake app. Such tactics make the fraud seem very believable.”

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer. Last, but not least, if something seems risky or too good to be true – high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is,” he further added.

Sophos also recommends the user install an anti-virus program on the mobile device to defend Android and iOS devices from cyber attacks, like the Intercept X for Mobile.

'XcodeGhost' Malware Infected Around 128M iOS Users

 

In a recent malware attack over 128 million iOS customers have been targeted. The malware employed by the attackers goes by the name "XcodeGhost" which first came into the public domain in 2015. This attack is responsible for injecting malware into several Apple devices' app stores including iPhone and iPad apps that were subsequently uploaded to the App Store. 

During the Epic Games vs Apple trial, the internal Apple emails have warned that almost 128 million users downloaded approximately 2,500 apps that were infected by the malware which came into existence from the fake copy of Xcode. 

While Motherboard has also reported on the same issue saying over 2,500 infected apps have been downloaded over 203 million times in the App Store. 

Some employer has disclosed that around 55 percent users are Chinese and also 66 percent of downloads relates to China. According to the report, many developers have downloaded the infected Xcode as Apple’s servers were slow, hence they were looking for alternative download links. 

Notably, some of the widely popular apps have also been infected by this malware, including the game ‘Angry Birds 2′. 

When the malware was identified, Apple suggested developers immediately revise their apps with a legal version of Xcode, the report added. 

In the wake of the security incident, Apple has taken several security measures to fix the attack including malware scanning and the security of the Xcode execution process while submitting apps to the App Store. As the legal battle was going on between Apple and Epic Games in the USA this week, new technical details have surfaced, disclosing that Epic Games CEO Tim Sweeney had suggested Apple CEO Tim Cook open their devices to other app stores as early as 2015. 

Apple's AirDrop Comes with a Security Flaw

 

Due to its intriguing features, the much-hyped announcement of AirDrop at the Apple event drew a lot of attention. However, it has recently been discovered that AirDrop has a security loophole that allows users to see personal information such as email addresses and phone numbers. This may result in a data leak affecting over 1.5 billion Apple users, as well as other security concerns. 

According to a study citing researchers from Germany's Technische Universitat Darmstadt, everyone can reach Apple users' email addresses and phone numbers, even if they are strangers, by simply opening the sharing pane on the smartphone and initiating the sharing process. A secure Wi-Fi link and proximity between the two Apple devices are needed to complete this task. 

The researchers discovered a flaw in the Contacts Only setting. You use the iOS Sharing function and choose AirDrop as the method to share a file with anyone via AirDrop. If the other person's AirDrop is set to Contacts Only, Apple must check to see if you're on their contact list. The corporation does this by comparing the contact number and email address to entries in the other person's address book. 

Apple uses a hashing feature to obfuscate your phone number and email address during this process to keep it secure. However, university researchers have already found that this hashing would not effectively preserve the data's privacy. 

“As an attacker, it is possible to learn the phone numbers and email addresses of AirDrop users—even as a complete stranger," the researchers said in the report. "All they require is a Wi-Fi-capable device and physical proximity to a target that initiates the discovery process by opening the sharing pane on an iOS or macOS device.”

The researchers said they developed their own approach, called "PrivateDrop," to replace the insecure AirDrop design. Without needing to swap the insecure hash values, PrivateDrop can easily and safely verify whether you're in a fellow iPhone user's contact list using optimised cryptographic protocols. PrivateDrop is available for third-party review on GitHub.

For the time being, the researchers recommend that users disable AirDrop. To do so on an iPhone or iPad, go to Settings, General, and then press the AirDrop entry. Select Receiving Off from the drop-down menu.

CERT-In Issues "High" Severity Rating Advisory for WhatsApp Threats

 

The Indian Computer Emergency Response Team (CERT-In) has cautioned WhatsApp clients in India of various vulnerabilities it identified in the instant messaging platform, which could lead to a breach of sensitive client information and personal information. In a "high" severity rating advisory, the CERT-In said that the vulnerabilities had been recognized in specific versions of WhatsApp and WhatsApp Business for both Android and iOS platforms. 

The Indian Computer Emergency Response Team (CERT-In) is an office inside the Ministry of Electronics and Information Technology of the Government of India. It is the nodal agency to deal with cybersecurity threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain. A memorandum of understanding (MoU) was endorsed in May 2016 between the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Cabinet Office, UK.

With the MoUs, participating nations can trade technical data on Cyber assaults, respond to cybersecurity incidents, and discover solutions to counter the cyber assaults. They can likewise trade data on predominant cybersecurity policies and best practices. The MoUs help to strengthen the cyberspace of signing countries, capacity building and improving relationships between them. 

"Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system," the advisory said. Describing the risk in detail, it said that these vulnerabilities "exist in WhatsApp applications due to a cache configuration issue and missing bounds check within the audio decoding pipeline." 

"Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code or access sensitive information on a targeted system," it said. 

To forestall the danger, the government’s cybersecurity agency has requested that clients update their WhatsApp on Android and iOS to the most recent versions. This isn't the first occasion when that CERT-In has given a "high" severity rating advisory, cautioning clients of the presence of various vulnerabilities in the instant messaging platform.

In November 2019, CERT-In had cautioned WhatsApp clients about a buffer overflow vulnerability with the platform, which permitted an assailant to remotely target a system by sending a specially crafted MP4 audio or video file. The CERT-In had then cautioned that successful exploitation of this vulnerability would permit an attacker to cause remote code execution or denial of service condition for the clients.

Fleeceware apps earned over $400 million on Android and iOS

 

Researchers at Avast have found an aggregate of 204 fleece ware applications with over a billion downloads and more than $400 million in revenue on the Apple App Store and Google Play Store. The purpose of these applications is to bring clients into a free trial to "test" the application, after which they overcharge them through subscriptions which sometimes run as high as $3,432 each year. These applications have no unique functionality and are only conduits for fleece ware scams. Avast has reported the fleece ware applications to both Apple and Google for audit.

Fleece ware is a recently coined term that alludes to a mobile application that accompanies extreme subscription fees. Most applications incorporate a short free trial to attract the client. The application exploits clients who are inexperienced with how subscriptions work on cell phones, implying that clients can be charged even after they've erased the offending application.

The fleece ware applications found comprise predominantly of musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and ‘slime simulators’. While the applications for the most part satisfy their expected purpose, it is far-fetched that a client would purposely want to pay such a significant recurring fee for these applications, particularly when there are less expensive or even free options available. 

It creates the impression that part of the fleece ware strategy is to target more youthful crowds through playful themes and catchy ads on famous social networks with guarantees of ‘free installation’ or ‘free to download’. The information is alarming: with almost a billion downloads and hundreds of millions of dollars in revenue, this model is drawing in more developers and there is proof to recommend a few famous existing applications have updated to incorporate the free trial subscription with high recurring fees.

Regardless of whether a client erases the application after they notice outgoing payments, this doesn't mean their subscription stops - which permits the developer to cash in further. Google and Apple are not answerable for refunds after a specific time-frame, and keeping in mind that the organizations may decide to refund as a goodwill gesture in some cases however they are not obliged to do so. Along these lines, the lone choices might be to attempt to contact developers directly or to demand a bank chargeback.

Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users

 

Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized "watering hole" assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets. 

The cross-platform capacities and the readiness to utilize almost a dozen zero-days in under a year signals a well-resourced threat actor with the ability to access hacking tools and exploits from related groups. In another blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains found in the wild last October and cautioned that the most recent disclosure is attached to a February 2020 campaign that incorporated the utilization of multiple zero-days. As per Stone, the threat actor from the February 2020 campaign went dark for a couple of months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained. 

The first exploit server at first reacted distinctly to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google's researchers began recovering the hacking devices. This server included exploits for a distant code execution bug in the Google Chrome rendering engine and a v8 zero-day after the underlying bug was fixed. Stone said the first server momentarily reacted to Android user-agents, proposing exploits existed for every one of the significant platforms.

Stone noticed that the assailants utilized a special obfuscation and anti-analysis check on iOS gadgets where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn't be recovered from the packet dump alone, instead of requiring an active MITM on our side to rewrite the exploit on-the-fly.”

A Bug in iPhone Call Recording App Exposed Clients Data

 

A security vulnerability in a famous iPhone call recording application exposed thousands of users' recorded conversations. The flaw was found by Anand Prakash, a security researcher and founder of PingSafe AI, who tracked down that the aptly named Automatic Call Recorder application permitted anybody to access the call recordings from different clients — by knowing their phone number. 
 This application can track and record calls without an internet connection and can alter the voices of recordings, upload them to Dropbox, Google Drive, or One Drive, and also can translate in up to 50 dialects. All the client information gets stored in the company’s cloud storage on Amazon web services. This cloud storage has somewhere around 130,000 audio recordings that make up almost 300 GB. 

 Security circumstances like this are disastrous. Alongside affecting client's security, these issues likewise debilitate the organization's image and give an additional benefit to the contenders, said Anand Prakash. “This wasn’t just a violation of data privacy but also affected the users physically and at cyber risk, if their recorded conversations carry sensitive personal information. App makers that go wrong in investing in their cybersecurity must accept that the fines they could face for non-compliance with data privacy laws are extremely expensive – not to mention the cost of losing their customers' trust” he added. 

The bug was detected by Anand Prakash on the 27th of the last month when he was able to modify the web traffic and supplant the enlisted telephone number with someone else's number utilizing a proxy site called Burp, which gave him admittance to that person's call records and details. Fortunately, the bug was fixed by Saturday, March 6th, and the glitch-free version was launched in the Apple App Store. 

The call recorder clients were advised to uninstall the previous variant and download the latest rendition that is 2.26 or newer which is accessible on the Apple App Store. The paid variant is $6.99 for 7 days; additionally, they allow a three-day trial period. Their most basic monthly membership costs $14.99, with a 12 months advance, and has a few other options as well.

Malware Affecting Apple’s New M1 Chip Detected by Researchers

 

MAC malware has relatively been a less popular choice than its equivalents for Windows attacks, but the vulnerability to Apple computers has been more prevalent in the last few years. There are adware and even Mac-customized malware, and attackers still try to bypass Apple's new protections. Hackers have now made their debut in malware programmed to run Apple's latest M1 ARM processors, launched in November for MacBook Pro, MacBook Air, and Mac Mini. 

Apple's M1 chip is a divergence since 2005 from the Intel x86 architecture, which provides Apple a chance to bake some Mac security safeguards and functionality directly to its processors. This transition allowed legitimate developers to create the software version that runs on M1 "natively" and does not require translating via an Apple emulator named Rosetta 2. 

As per a blog published on 14th February by Mac security researcher Patrick Wardle, a Safari adware extension, originally written for Intel x86 chips, was modified to operate on new M1 chips. The malicious GoSearch22 extension has been traced to the Pirrit Mac adware family, according to Wardle. 

Researchers from the Red Canary along with the Pirrit Mac adware have written a blog on another strain of malware – Silver Sparrow – which varies from the one detected by Wardle. Although Silver Sparrow has not yet released malicious packages, the Red Canary researchers have confirmed that they are able to discharge malicious payloads at a time. Silver Sparrow compromised 29,139 macOS endpoints, including the high identification volumes in the U.S.A., the United Kingdom, Canada, France, and Germany, on February 17 in 153 countries, based on data from Malwarebytes given to Red Canary.

Kevin Dunne -President of Greenlight, said malware developers' capability to reverse engineer the M1 chip is only three months. Although the malware only has a minimum footprint, Dunne said that it will likely grow with time to harness more vectors of attack. 

“Once bad actors have control of the physical device, they can use that device as an access point to the networks that machine is connected to, either physically or via VPN,” Dunne said. “This reinforces the need for additional protection at the application layer, to constantly assess activity within those applications for unusual behaviour and mitigate potential risks in real time.”

Malware manufacturers and dealers are developing advanced devices and software with the way they produce and sell them, and so are the legal businesses, Jon Gulley, a security test application at nVisium added. 

For now, researchers have found that the native M1 malware doesn't appear to be an incredibly dangerous threat. However, the advent of these new strains is a sign of the future and of the need for detective devices to close the void.