Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Apps. Show all posts

Experts Warn Criminals Could Exploit Jogging Apps for Targeting People

 

Experts caution that users of running apps should heighten their privacy settings to thwart potential stalkers and other malicious actors from accessing sensitive information regarding their activities. 

While platforms like Strava enable joggers and hikers to share route details and performance metrics with friends and followers, tech company Altia raises concerns about the possibility of criminals constructing a detailed profile of users' routines, including their start and end points, potentially exposing their home addresses. Altia advises users to review their security settings, ensuring that sensitive information isn't shared publicly by default and recommending a switch to private settings if necessary.

Highlighting the surge in stalking and harassment offenses, Altia underscores the significance of safeguarding personal data on fitness apps. These apps, utilizing GPS technology, can meticulously track users' movements, map out their routes, and gather various performance metrics, including pace, time, elevation gain, heart rate, and calories burned. 

With the popularity of apps like Strava soaring during the pandemic, Altia urges users to be vigilant, especially professionals in sensitive fields like security, law enforcement, banking, or the legal sector, who may inadvertently expose confidential information through their running activity.

Altia emphasizes the importance of maximizing app security settings and exercising caution regarding followers' activities and interactions. Users are advised to scrutinize their followers and assess whether their engagement seems genuine, as potential criminals could exploit the data for various purposes, including identifying secure or restricted locations like workplaces. 

By prioritizing privacy settings and remaining vigilant, users can mitigate the risk of their data falling into the wrong hands while enjoying the benefits of fitness-tracking apps safely.

Is Your Android Device Tracking You? Understanding its Monitoring Methods

 

In general discussions about how Android phones might collect location and personal data, the focus often falls on third-party apps rather than Google's built-in apps. This awareness has grown due to numerous apps gathering significant information about users, leading to concerns, especially when targeted ads start appearing. The worry persists about whether apps, despite OS permissions, eavesdrop on private in-person conversations, a concern even addressed by Instagram's head in a 2019 CBS News interview.

However, attention to third-party apps tends to overshadow the fact that Android and its integrated apps track users extensively. While much of this tracking aligns with user preferences, it results in a substantial accumulation of sensitive personal data on phones. Even for those trusting Google with their information, understanding the collected data and its usage remains crucial, especially considering the limited options available to opt out of this data collection.

For instance, a lesser-known feature involves Google Assistant's ability to identify a parked car and send a notification regarding its location. This functionality, primarily guesswork, varies in accuracy and isn't widely publicized by Google, reflecting how tech companies leverage personal data for results that might raise concerns about potential eavesdropping.

The ways Android phones track users were highlighted in an October 2021 Kaspersky blog post referencing a study by researchers from the University of Edinburgh and Trinity College. While seemingly innocuous, the compilation of installed apps, when coupled with other personal data, can reveal intimate details about users, such as their religion or mental health status. This fusion of app presence with location data exposes highly personal information through AI-based assumptions.

Another focal point was the extensive collection of unique identifiers by Google and OEMs, tying users to specific handsets. While standard data collection aids app troubleshooting, these unique identifiers, including Google Advertising IDs, device serial numbers, and SIM card details, can potentially associate users even after phone number changes, factory resets, or ROM installations.

The study also emphasized the potential invasiveness of data collection methods, such as Xiaomi uploading app window histories and Huawei's keyboard logging app usage. Details like call durations and keyboard activity could lead to inferences about users' activities and health, reflecting the extensive and often unnoticed data collection practices by smartphones, as highlighted by Trinity College's Prof. Doug Leith.

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App

 

A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader employs programming languages like C and Objective C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."

Fear Grip Users as Popular Diabetes App Faces Technical Breakdown

 A widely used diabetes management software recently experienced a serious technical failure, stunning the users and leaving them feeling angry and scared. The software, which is essential for assisting people with diabetes to monitor and manage their blood sugar levels, abruptly stopped functioning, alarming its devoted users. Concerns regarding the dependability and security of healthcare apps as well as the possible repercussions of such failures have been raised in response to the occurrence.

According to reports from BBC News, the app's malfunctioning was first brought to light by distressed users who took to social media platforms to express their frustration. The app's sudden failure meant that users were unable to access critical features, including blood glucose monitoring, insulin dosage recommendations, and personalized health data tracking. This unexpected disruption left many feeling vulnerable and anxious about managing their condition effectively.

The Daily Mail highlighted the severity of the situation, emphasizing how the app's failure posed a potential threat to the lives of its users. Many individuals with diabetes rely on the app to regulate their insulin levels, ensuring they maintain stable blood sugar readings. With this vital tool out of commission, users were left in a state of panic, forced to find alternative methods to track their glucose levels and administer appropriate medication.

The incident has triggered an outpouring of anger and fear from the affected users, who feel let down by the app's developers. One user expressed their frustration, stating, "I have come to depend on this app for my daily diabetes management. Its sudden breakdown has left me feeling helpless and anxious about my health." Others echoed similar sentiments, emphasizing the app's importance in their daily routines and the detrimental impact of its sudden unavailability.

The situation has also raised broader concerns regarding the reliability and security of healthcare apps. As these digital tools increasingly become a fundamental part of managing chronic conditions, their dependability and robustness are of paramount importance. This incident serves as a reminder of the potential risks associated with relying solely on technology for critical health-related tasks.

Furthermore, the incident sheds light on the need for developers to prioritize thorough testing and regular maintenance of healthcare apps to prevent such disruptions. App developers and healthcare providers must collaborate closely to ensure the seamless functioning of these tools, considering the impact they have on the well-being of individuals with chronic conditions.

CoWIN App Data Leak Claims: Minister Denies Direct Breach

 

Amidst concerns over a potential data breach in India's CoWIN app, the Union Minister, Rajeev Chandrasekhar, has stated that the app or its database does not appear to have been directly breached. The CoWIN app has been widely used in India for scheduling COVID-19 vaccinations and managing vaccination certificates.

The clarification comes in response to recent claims of a data leak, where personal information of individuals registered on the CoWIN platform was allegedly being sold on the dark web. The Union Minister assured the public that the government is taking the matter seriously and investigating the claims.

According to the Ministry of Health and Family Welfare, preliminary investigations suggest that the data leak may not have originated from a direct breach of the CoWIN app or its database. However, the government has initiated a thorough inquiry to determine the source and nature of the alleged data leak.

Data security and privacy have been significant concerns in the digital era, particularly in the healthcare sector where sensitive personal information is involved. As the COVID-19 vaccination drive continues, ensuring the protection of citizens' data becomes paramount. Any breach or compromise in the CoWIN system could erode public trust and confidence in the vaccination process.

The CoWIN platform has been subject to rigorous security measures, including data encryption and other safeguards to protect personal information. Additionally, the government has urged citizens to remain cautious and avoid sharing personal details or vaccine-related information on unauthorized platforms or with unknown individuals.

It is important for individuals to stay vigilant and follow official channels for vaccine registration and information. The government has emphasized the importance of using the official CoWIN app or website, which are secure platform for vaccine-related activities.

As investigations into the alleged data leak continue, the government is working to enhance the security measures of the CoWIN platform. Strengthening cybersecurity protocols and regularly auditing the system can help prevent unauthorized access and potential data breaches.

The incident serves as a reminder of the ongoing challenges in maintaining data security in the digital age. It highlights the need for constant vigilance and proactive measures to safeguard sensitive information. The government's response to these claims underscores its commitment to addressing data security concerns and ensuring the privacy of citizens.

As the vaccination drive plays a crucial role in controlling the spread of COVID-19, maintaining public trust in the CoWIN platform is imperative. By addressing any potential vulnerabilities and reinforcing data protection measures, the government aims to assure citizens that their personal information is safe and secure during the vaccination process.

Despite worries about a data leak in the CoWIN app, the Union Minister's statement suggests that neither the app nor its database appears to have been directly compromised. The government's examination of the situation serves to underline its dedication to data security and privacy. Maintaining the integrity and security of systems associated with vaccines continues to be a high priority while efforts to battle the epidemic continue.

Three Commonly Neglected Attack Vectors in Cloud Security

 

As per a 2022 Thales Cloud Security research, 88% of companies keep a considerable amount (at least 21% of sensitive data) in the cloud. That comes as no surprise. According to the same survey, 45% of organisations have had a data breach or failed an audit involving cloud-based data and apps. This is less surprising and positive news. 

The majority of cloud computing security issues are caused by humans. They make easily avoidable blunders that cost businesses millions of dollars in lost revenue and negative PR. Most don't obtain the training they need to recognise and deal with constantly evolving threats, attack vectors, and attack methods. Enterprises cannot avoid this instruction while maintaining control over their cloud security.

Attacks from the side channels

Side-channel attacks in cloud computing can collect sensitive data from virtual machines that share the same physical server as other VMs and activities. A side-channel attack infers sensitive information about a system by using information gathered from the physical surroundings, such as power usage, electromagnetic radiation, or sound. An attacker, for example, could use statistics on power consumption to deduce the cryptographic keys used to encrypt data in a neighbouring virtual machine.  

Side-channel attacks can be difficult to mitigate because they frequently necessitate careful attention to physical security and may involve complex trade-offs between performance, security, and usability. Masking is a common defence strategy that adds noise to the system, making it more difficult for attackers to infer important information.

In addition, hardware-based countermeasures (shields or filters) limit the amount of data that can leak through side channels.

Your cloud provider will be responsible for these safeguards. Even if you know where their data centre is, you can't just go in and start implementing defences to side-channel assaults. Inquire with your cloud provider about how they manage these issues. If they don't have a good answer, switch providers.

Container breakouts

Container breakout attacks occur when an attacker gains access to the underlying host operating system from within a container. This can happen if a person has misconfigured the container or if the attacker is able to exploit one of the many vulnerabilities in the container runtime. After gaining access to the host operating system, an attacker may be able to access data from other containers or undermine the security of the entire cloud infrastructure.

Securing the host system, maintaining container isolation, using least-privilege principles, and monitoring container activities are all part of defending against container breakout threats. These safeguards must be implemented wherever the container runs, whether on public clouds or on more traditional systems and devices. These are only a few of the developing best practices; they are inexpensive and simple to apply for container developers and security experts.

Cloud service provider vulnerabilities

Similarly to a side-channel attack, cloud service providers can be exposed, which can have serious ramifications for their clients. An attacker could gain access to customer data or launch a denial-of-service attack by exploiting a cloud provider's infrastructure weakness. Furthermore, nation-state actors can attack cloud providers in order to gain access to sensitive data or destroy essential infrastructure, which is the most serious concern right now.

Again, faith in your cloud provider is required. Physical audits of their infrastructure are rarely an option and would almost certainly be ineffective. You require a cloud provider who can swiftly and simply respond to inquiries about how they address vulnerabilities:

NordVPN Identifies the Most Risky Websites for Users' Privacy and Security

When you browse the web on a regular basis, it can be quite dangerous, but it becomes even more dangerous when you access certain types of sites. It should come as no surprise that porn, streaming, and video hosting websites top the list of services posing the greatest risk to users' privacy and security. 

Malware attacks, invasive ads, and heavy web tracking were among the threats. That is the exclusive data gathered by NordVPN, one of the best VPN services available. In December 2022 alone, the VPN provider was able to block over 344 million web trackers, 341 million intrusive ads, and 506,000 malware infections thanks to its Threat Protection tool.

"The online world is challenging people in every single move they make," said NordVPN cybersecurity advisor Adrianus Warmenhoven.

"Want to read an article? Dozens of ads and pop-ups are ready to immediately cover your screen. Another privacy threat – malware – is lurking for you on websites and in files you are about to download. Websites you browse are also full of third-party trackers that analyze your browsing history to find out what you do online. It depends on you to stop it."

NordVPN researchers wanted to know how these cyber threats were getting to users. They did this by analysing aggregated data collected by their Threat Protection system. While this did not include any personally identifiable information about users, it did assist them in depicting the scenario that everyone faces on a daily basis online.

Malware is perhaps the most concerning of these threats. This is due to the ease with which such malicious software can infiltrate a device and damage or compromise tonnes of users' sensitive data. Adult content sites contain the most malware, including viruses, ransomware, spyware, and other threats. During the coverage period, over 60,000 domains were blocked. Cloud storage and entertainment platforms are next in line, with approximately 70,000 infected platforms discovered between the two categories.

Intrusive ads are any pop-ups or other ad pages that appear without being requested. These not only annoy people's online experiences, but they are also excellent at gathering information about users without their knowledge. As expected, free streaming platforms are the most involved, with more than 55 minion domains affected. Adult content and shopping websites appear to be close behind.

These findings highlight the importance of using a reliable ad-blocker every time you browse the web, especially when visiting certain types of websites.

"Ad blockers are essential for both security - because they block ads that can infect people’s devices - and privacy because annoying ads rely on collecting data from web activity and violating people’s privacy," explains Warmenhoven. "Also, if a website is loading slower than usual, you can blame intrusive ads. Free apps filled with unwanted ads could also drain your device’s battery faster.” 

Web trackers are another major cyber threat because they compromise users' online anonymity. Video hosting services were the sites with the most web trackers. The NordVPN Threat protection tool blocked over two billion domains. Tracking was also high in cloud storage, web email, and information technology sites. As per Nord, Hong Kong and Singapore have the most web trackers in the world, with an average of 45 and 33 trackers per website. Other countries with high tracking rates include the United States, Australia, the United Kingdom, Spain, and France.

NordVPN Threat Protection is a system that safeguards users from the aforementioned online threats. It accomplishes this by scanning all files you download and blocking all sites containing malware and dangerous ads before you open them.

Threat Protection is available on all NordVPN apps. This means that there is no additional cost to enjoy a safer online experience. All you have to do is follow these simple steps:
  • Launch the latest NordVPN app on your preferred device.
  • Click the shield icon on the left side of your screen.
  • Activate the Threat Protection toggle.

DoControl: Growing its SaaS Security Platform

DoControl offers an integrated, automated, and risk-aware SaaS Security Platform that protects apps and data which are essential to corporate operations promotes operational efficiency and boosts productivity. Protecting data and business-critical SaaS apps through automated remediation is DoControl's key strength.

DoControl's newest module adds shadow SaaS application identification, monitoring, and remediation to build on earlier advancements that target mission-critical use cases and better defend companies from SaaS supply chain assaults. By establishing machine identities that are frequently overprivileged, unapproved of, and unmonitored, SaaS application-to-application communication capabilities raise the risk. To address regulatory gaps and automatically close supply chain-based attack vectors, DoControl's SaaS Security Platform extension offers total control and transparency across all authorized and unauthorized SaaS apps.

One service platform that delivers unified security across various apps is required by the industry as a result of the rapid expansion of SaaS applications, the need to integrate them, or the economic pressures to integrate vendors. DoControl has established itself as the end-to-end SaaS security platform supplier, including CASB, DLP, Insider Risk, and Workflows, so now Shadow Apps enable security teams to accomplish more with less effort.

Extensive shadow application governance is aided by the DoControl SaaS Security Platform's expansion:

Facts and Awareness: All interlinked  SaaS applications within a company's estate can be found by organizations, both sanctioned and unsanctioned. Businesses can spot issues of non-compliance and comprehend the high-risk SaaS platforms, apps, or users vulnerable inside the SaaS estate with rigorous surveying and inventories.

Analyze and Operate: Utilizing pre-approval rules and workflows that demand end users present a business explanation for acquiring new apps, companies can conduct app reviews with business users. Security staff can also place suspect applications in quarantine, limit a user's access rights, and revoke such privileges.

Automated Cleanup: Organizations can automate the application of security policies throughout the entire SaaS application stack by using low-code/no-code solutions. Through automated patching of various threat vectors, DoControl's Security Workflows limit vulnerability brought on by third-party apps and stop unauthorized or high-risk app usage.

Data security is essential, but several systems lack the level of specificity and set of capabilities modern businesses require to secure sensitive data and operations, particularly in the intricate and linked world of SaaS apps. DoControl finds every SaaS user, partner company, asset, and metadata, as well as OAuth applications, groups, and activity events. Without hindering business enablement, DoControl helps to lower risk, prevent data breaches, and manage insider risk.


SpyNote Strikes: Android Spyware Targets Financial Establishments

 

Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics. 

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."

Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware. SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to instal arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app. 

It also mimics the behaviour of other banking malware by requesting access to services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to steal banking credentials.

SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.

According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.

It's also known to pose as the official Google Play Store service and other generic applications ranging from wallpapers to productivity and gaming. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:
  • Bank of America Confirmation (yps.eton.application)
  • BurlaNubank (com.appser.verapp)
  • Conversations_ (com.appser.verapp )
  • Current Activity (com.willme.topactivity)
  • Deutsche Bank Mobile (com.reporting.efficiency)
  • HSBC UK Mobile Banking (com.employ.mb)
  • Kotak Bank (splash.app.main)
  • Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is approximated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.

Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.

ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.

"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.

The revelations resulted after a group of researchers demonstrated EarSpy, a unique attack against Android devices that allows access to audio conversations, indoor locations, and touchscreen inputs by using the smartphones' built-in motion sensors and ear speakers as a side channel.

This Unofficial WhatsApp Android App Caught Stealing Users’ Accounts

 

Kaspersky researchers discovered 'YoWhatsApp,' an unofficial WhatsApp Android app that steals access keys for users' accounts. Mod apps are promoted as unofficial versions of genuine apps that include features that the official version does not. 

YoWhatsApp is a fully functional messenger that supports extra features such as customising the interface and blocking access to specific chats. The tainted WhatsApp app requests the same permissions as the original messenger app, such as SMS access.

“To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.” reported Kaspersky. 

“Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are unaware of.”

This mod instals the Triada Trojan, which is capable of delivering other malicious payloads, issuing paid subscriptions, and even stealing WhatsApp accounts. More than 3,600 users have been targeted in the last two months, according to Kaspersky. The official Snaptube app promoted the YoWhatsApp Android app.

The malicious app was also discovered in the popular Vidmate mobile app, which is designed to save and watch YouTube videos. Unlike Snaptube, the malicious build was uploaded to Vidmate's internal store. YoWhatsApp v2.22.11.75 steals WhatsApp keys, enabling threat actors to take over users' accounts, according to Kaspersky researchers.

In 2021, Kaspersky discovered another modified version of WhatsApp for Android that offered additional features but was used to deliver the Triada Trojan. FMWhatsApp 16.80.0 is the modified version.

The experts also discovered the advertisement for a software development kit (SDK), which included a malicious payload downloader. The FMWhatsapp was created to collect unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) as well as the name of the app package in which they are deployed.

To be protected, the researchers advise:
  • Only install applications from official stores and reliable resources
  • Remembering to check which permissions you give installed applications – some of them can be very dangerous
  • Installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android. It will detect and prevent possible threats.
Kaspersky concluded, “Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources may still fall victim to them. In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam. The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”


Scylla: Ad Fraud Scheme in 85 Apps with 13 Million Downloads

 

Security researchers have exposed 85 apps involved in the ongoing ad frauds campaign that began in 2019. 75 apps of these apps are on Google Play, while 10 are present on the App store. The apps have collectively more than 13 million downloads to date. 
 
Researchers from HUMAN’s Satori Threat Intelligence have collectively named all the mobile apps that are being identified in the ad fraud campaign as ‘Scylla’.  
 
The malicious apps flooded the mobiles with advertisements, both visible and hidden ads. Additionally, the fraudulent apps garnered revenue by impersonating as legitimate apps in app stores. Although these apps are not seen as severe threats to the users, the adware operators can use them for more malicious activities.  
 
According to the researchers, Scylla is believed to be the third wave of an ad fraud campaign that came to light in August 2019, termed ‘Poseidon’. The second wave, called ‘Charybdis’ led up to the end of 2020. 

The original operation, Poseidon comprised over 40 fraudulent android apps, designed to display out-of-context ads or even ads hidden from the view of mobile users. 
 
The second wave, Charybdis, was a more sophisticated version of Poseidon, targeting advertising platforms via code obfuscation tactics. Scylla apps, on the other hand, expand beyond Android, to charge against the iOS ecosystem. In addition to this, Scylla relies on additional layers of code obfuscation, using Allatori Java obfuscator, making it hard for the researchers to detect or reverse engineer the adware. 
 
These fraudulent apps are engineered to commit numerous kinds of ad frauds, including mimicking popular apps (such as streaming services) to trick advertising SDKs into placing their ads, displaying out-of-context and hidden ads, generating clicks from the unaware users, and generating profit off ads to the operator. 
 
"In layman's terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they're pretending to be is worth more to an advertiser than the app would be by itself," states HUMAN security. 
 
According to the sources, the researchers have informed Google and Apple about these fraudulent apps, following which the apps are being removed from Google Play and App Store. Users are recommended to simply remove the apps if they have downloaded one of the suspected adware by any chance. 
  
Furthermore, with regards to the increasing frauds, the Satori researchers have suggested certain precautionary measures that could be taken into account for the user to not fall for the adware frauds. It includes examining their apps before downloading them, looking out for apps that you do not remember downloading, and avoiding third-party app stores that could harbor malicious applications.

Amazon Patches Ring Android App Flaw Exposing Camera Recordings

 

Amazon has patched a critical vulnerability in the Amazon Ring app for Android that could have enabled hackers to download saved camera recordings from customers. The flaw was discovered and disclosed to Amazon on May 1st, 2022 by security researchers at application security testing company Checkmarx, and it was fixed on May 27th. 

Because the Ring Android app has over 10 million downloads and is used by people all over the world, access to a customer's saved camera recordings could have enabled a wide range of malicious behaviour, from extortion to data theft. 

Checkmarx discovered an 'activity' that could be launched by any other app installed on the Android device while analysing the Ring Android app. An 'activity' on Android is a programme 0component that displays a screen that users can interact with to perform a specific action. When developing an Android app, you can expose that activity to other installed apps by including it in the app's manifest file.

Checkmarx discovered that the 'com.ringapp/com.ring.nh.deeplink.DeepLinkActivity' activity was exposed in the app's manifest, enabling any other install app to launch it.

"This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”," explained a report by Checkmarx shared with BleepingComputer before publishing.

This meant they could start the activity and send it to an attacker-controlled web server to interact with it. However, only pages hosted on the ring.com or a2z.com domains were able to interact with the activity.

The Checkmarx researchers got around this restriction by discovering an XSS vulnerability on the https://cyberchef.schlarpc.people.a2z.com/ URL, which allowed them to compromise the system.

"With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings." - Checkmarx.

With a working attack chain in place, the researchers could have exploited the vulnerability by developing and publishing a malicious app on Google Play or another site. Once a user was duped into installing the app, it would launch the attack and send the Ring customer's authentication cookies to the attackers.

Analyzing videos with machine learning

However, as a threat actor, what would you do with the massive amount of videos that you could gain access to by exploiting this vulnerability?

Checkmarx discovered that they could sift through the videos using the Amazon Rekognition service, an image and video analysis service. The service could use machine learning to find videos of celebrities, documents containing specific words, or even a password scribbled carelessly on a post-it note stuck to a monitor.

This information could then be relayed back to the threat actor, who could use it for extortion, network intrusion, or simply to be a voyeuristic observer. The good news is that Amazon quickly responded to Checkmarx's bug report and released a fix.

"It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process," concluded the Checkmarx report.

"We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," Ring told BleepingComputer.

This Android-wiping Malware is Evolving into a Constant Threat

 

The threat actors responsible for the BRATA banking trojan have refined their techniques and enhanced the malware with data-stealing capabilities. Cleafy, an Italian mobile security business, has been following BRATA activity and has discovered variations in the most recent campaigns that lead to extended persistence on the device. 

"The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern. This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information," explains Cleafy in a report this week.

The malware has also been modified with new phishing tactics, new classes for requesting further device permissions, and the inclusion of a second-stage payload from the command and control (C2) server. BRATA malware is also more focused, as researchers determined that it concentrates on one financial institution at a time and only switches to another when countermeasures render its attacks ineffective.

For example, instead of getting a list of installed applications and retrieving the appropriate injections from the C2, BRATA now comes pre-loaded with a single phishing overlay. This reduces harmful network traffic as well as interactions with the host device. 

In a later version, BRATA gains greater rights to transmit and receive SMS, which can aid attackers in stealing temporary codes such as one-time passwords (OTPs) and two-factor authentication (2FA) that banks send to their clients. After nesting into a device, BRATA retrieves a ZIP archive containing a JAR ("unrar.jar") package from the C2 server. 

This keylogging utility tracks app-generated events and records them locally on the device along with the text contents and a timestamp. Cleafy's analysts discovered that this tool is still in its early stages of development. The researchers believe the author's ultimate purpose is to exploit the Accessibility Service to obtain data from other apps. 

BRATA's development 

In 2019, BRATA emerged as a banking trojan capable of screen capture, app installation, and turning off the screen to make the device look powered down. BRATA initially appeared in Europe in June 2021, utilising bogus anti-spam apps as a lure and employing fake support personnel who duped victims and fooled them into handing them entire control of their devices. 

In January 2022, a new version of BRATA appeared in the wild, employing GPS tracking, several C2 communication channels, and customised versions for different locations. Cleafy has discovered a new project: an SMS stealer app that talks with the same C2 infrastructure as the current BRATA version and the shift in tactics. 

It uses the same structure and class names as BRATA but appears to be limited to syphoning brief text messages. It currently targets the United Kingdom, Italy, and Spain. To intercept incoming SMS messages, the application requests that the user designate it as the default messaging app, as well as authorization to access contacts on the device. 

For the time being, it's unclear whether this is only an experiment in the BRATA team' to produce smaller apps focused on certain roles. What is obvious is that BRATA continues to evolve at a two-month interval. It is critical to be watchful, keep your device updated, and avoid installing apps from unapproved or dubious sources.

Bored Ape & Other Major NFT Project Discords Hacked by Fraudsters

 

The Discords of several prominent NFT projects were hacked last week as part of a phishing scheme to mislead members into handing up their digital jpegs. 

In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords. 

“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.

“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.” 

The hack's purpose was to get users to click a link to "mint" a phoney NFT by submitting ETH and, in some cases, an NFT to wrap into a token. 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. 

“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.” 

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said. 

On blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now dubbed Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallets, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and soon sold it. Early Friday morning, this second wallet delivered 61 ETH ($211,000) to the mixing service Tornado Cash. The wallet's most recent transaction is a transfer of.6 ETH to an inactive wallet, which subsequently sent the same amount to an extremely active wallet with 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and a variety of other tokens. 

This is not the first or last attack on crypto assets on Discord, which, while being a gaming-focused network, serves as a crucial centre for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them are also on Discord subjects them to frauds that exploit the power of the platform itself. 

Several high-profile accounts have already fallen prey to schemes that hacked bots responsible for channel-wide announcements and pushed websites in order to steal ETH, NFTs, or wallets.

Cring Ransomware Attacks Industrial Organisations Using Outdated VPNs and Apps

 

The Cring ransomware group is constantly making a name by attacking outdated Coldfusion servers and VPNs after surfacing earlier in 2021. According to experts, what makes cring different is, as of now, it appears in specific targeting of outdated vulnerabilities in their campaigns. In an earlier incident, Cring threat actors abused a two year old Fortigate VPN vulnerability exploit "end-of-life" or different incompatible devices, exposed to the web in the wild. Meanwhile Cring has threat actors using Mimikatz on devices to get credentials, and there's also proof that native windows process work blending in other authorotized activities. 

ZDNet reports "positive Technologies head of malware detection Alexey Vishnyakov added that the group gets its primary consolidation through the exploitation of 1-day vulnerabilities in services at the perimeter of the organization like web servers, VPN solutions and more, either through buying access from intermediaries on shadow forums or other methods." It can often lead to more complex problems for network hunters and cybersecurity agents to find anything suspicious by the time it's already too late. 

The current and earlier campaigns have shown continuous implementation and exploit of Cobalt Strike beacons used by several threat actors, mostly using it for post-exploit phase that is easier for hackers to operate. Sophos did a research in September emphasizing one particular case where Cring threat actors exploited an 11 year old Adobe Coldfusion 9 installation 9 to take remote command over Coldfusion server. 

Sophos managed to link the group using Cring ransomware to threat actors in Belarus and Ukraine, these hackers used automated tools to hack into unnamed company servers in the service sector. "In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades," said Andrew Brandt, chief researcher at Sophos.

More Than 180 OAuth 2.0 Cloud Malware Apps Discovered

 

Researchers issued an alert to companies using cloud apps on Wednesday, revealing that in 2020, they discovered more than 180 different malicious open authorization (OAuth) applications targeting 55 percent of their customers with a 22 percent success rate. 

Although OAuth apps add business functionality and user interface improvements to major cloud platforms like Microsoft 365 and Google Workspace, the Proofpoint researchers said in a blog post that they're also a challenge because bad actors are now using malicious OAuth 2.0 apps or cloud malware to siphon data and access sensitive information. 

According to the researchers, several types of OAuth token phishing attacks and app misuse have been observed – techniques that attackers may use to perform reconnaissance, execute employee-to-employee attacks, and steal files and emails from cloud platforms. Many of the attacks made use of impersonation techniques like homoglyphs and logo or domain impersonation, as well as lures that persuaded people to click on COVID-19-related topics. 

Microsoft implemented a publisher verification system for apps to combat the issue of malicious third-party apps, but the researchers say it has achieved limited success. Bad actors may evade Microsoft's verification process for app publishers, according to Itir Clarke, senior product marketing manager at Proofpoint, by compromising a cloud account and using the legitimate tenant to create, host, and distribute malicious apps.

“Security teams can achieve this by limiting who can publish an app; reviewing the need, scope, and source of applications; and sanitizing the environment by revoking unused applications regularly, he added. Organizations should not only use Microsoft's "verified publisher" policy to protect customers, partners, and suppliers from these attacks, but they should also reduce their attack surface. 

Tim Bach, vice president of engineering at AppOmni stated, “Prioritize tooling that can integrate with existing security stacks so that teams don’t need to create new workflows and commitments to support newly critical SaaS deployments. Utilizing the newly-available automated solutions can free up your team to focus on the strategic shift to the cloud rather than needing to manually track every user and connected application.” 

OAuth device abuse campaigns are usually launched using malicious third-party software, according to Krishnan Subramanian, a security research engineer with Menlo Security. Microsoft Cloud App Security has a comprehensive page controlling permissions for third-party OAuth Applications for more details on how to query/audit third-party apps and organizations can also create social engineering training scenarios to create awareness amongst users about this specific type of attack, he added.

Another piece of advice for security professionals: The MITRE ATT&CK Framework technique T1550.001 details how threat groups have exploited OAuth application tokens in the past and lists mitigations against this particular technique. 

Doosra is Helping to Create an Alternative Digital Identity

 


Facebook, WhatsApp, Twitter, and other online media platforms have been approached to verify the identity of their users — this could be either through telephone numbers or government-provided IDs like the Aadhaar card. Putting your number online isn't only a danger even with expanding government observation. It is additionally about security and online safety since personal data can have in-real-life (IRL) outcomes like being targeted by stalkers, trolls, or individuals looking to hack into your account. “Where there is personal data, there is a great risk of hackers trying to steal it,” pointed out Mozilla in a statement. 

An Indian start-up situated in Hyderabad called Doosra has a potential solution. It will provide you with a 10-digit virtual telephone number (without another SIM card) that can be shared with shopping places, stores, and more arbitrary places. Along these lines, all the spam calls and messages with offers will be coordinated to the virtual number and your own number will stay liberated from spams. You will be able to stay hidden when you choose to call back an unknown incoming number without revealing your phone number.

“The only people that will have any kind of access to your primary number would be if we got an executive order from the official authorities,” Aditya Vuchi, founder and chief executive of Doosra said. This implies that if your social media handle is discovered to be a part of any activity, which abuses Section 69 of the IT Act, the government or Supreme Court will first have to issue an order to the social media platform. If and once they find that the mobile number given is a Doosra number, they should issue another order to Doosra to access your primary number. 

The six-month-old Doosra is the first such service to be accessible in India. It isn't that other such applications don't exist — like 2ndLine, Hushed, and Burner — however, you need an American or Canadian number to sign up for them. Doosra caters to numbers based out of India. You need your real number to sign up for the service, and it isn't free with plans beginning at ₹59 each month for essential services and ₹83 for the pro package.

Apps Generating Untraceable International Phone Numbers ?






Applications that generate international phone numbers that are super difficult to track are being employed by cyber criminals to rip people off.

A recent victim that had called the cyber-crime branch complained that they received a call from two spate numbers one with 001 and the other with 0063 as the country codes.

Per sources the app stores happen to contain 40 to 60 such apps through which cyber-cons could easily get these numbers.

Sources mentioned that allegedly “Dingtone” is an app via which a user can easily sift through a variety of country codes which are absolutely untraceable.

These cases according to the cyber-crime branch aren’t categorized separately but these are surely being registered and deliberated upon.



According to the cyber-security researchers a minimum of 500 cases come into existence per day in India alone with 40 cases pinning on major cities.

The police lack the technological efficiency as well as resources to possibly track the users of such applications. There is also a matter of jurisdiction.

Mostly, the above-mentioned apps are ‘not’ developed by Indian initiators but ironically originated from countries that have strict laws on removal of apps.

Information of the caller could seemingly be obtained by requesting the telecom service providers as such services are always linked together.

However, requesting the details of the callers from a telecom service provider abroad is extremely time-consuming. Besides, the CBI would require Mutual Legal Assistance Treaty with that very country.

As of now, such treaties exist with only 39 countries. In addition some countries could also demand a court order and furthermore the procedure in itself takes six to eighteen months.

Google removes 16 apps infected by 'Agent Smith' malware

Every now and then, Android keeps getting visited from deadly malware attacks that put user and their data at lots of risks. This time, it's a new malware called Agent Smith and like its name, this malware is sneaky in what it's designed to do - bombard your phone with ads. Agent Smith also has properties to stick to other apps installed on the phone and ensure that the malware infection stays the same. The malware was first detected by Check Point and after working with Google, the infected apps have been removed from Google Play Store.

After it was informed of the infection, Google has identified and removed 16 apps from the Play Store that are known to be infected by Agent Smith. These apps are no longer available for download from the Play Store and there won't be further updates for these apps via the Play Store. However, Google can only remove the app from the Play Store but it can't wipe these apps from an individual's Android phone. Hence, if you have the following apps installed on your Android phone, you should uninstall them immediately.

Ludo Master - New Ludo Game 2019 For Free

Sky Warriors: General Attack

Color Phone Flash - Call Screen Theme

Bio Blast - Infinity Battle Shoot virus

Shooting Jet

Photo Projector

Gun Hero - Gunman Game for Free

Cooking Witch

Blockman Go: Free Realms & Mini Games

Crazy Juicer - Hot Knife Hit Game & Juice Blast

Clash of Virus

Angry Virus

Rabbit Temple

Star Range

Kiss Game: Touch Her Heart

Girl Cloth Xray Scan Simulator

However, Agent Smith can cling on to other popular apps and make it difficult for users to identify which app has been affected by it. Two most popular apps in India include WhatsApp - through which it has infected 1.5 crore Android phones, and Flipkart.

Over 2,000 malicious apps exists on Play Store

If you thought that the quality control issues plaguing the Google Play Store for Android were finally being ironed out, it couldn't be further from the truth. A two-year-study by the University of Sydney and CSIRO’s Data61 has come to the conclusion that there are at least 2,040 counterfeit apps on Google Play Store. Over 2,000 of those apps impersonated popular games and had malware. The paper, a Multi-modal Neural Embedding Approach for Detecting Mobile Counterfeit Apps, was presented at the World Wide Web Conference in California in May documenting the results.

The study shows that there is a massive number of impersonated popular gaming apps available on Play store. They include fake versions of popular games such as Temple Run, Free Flow and Hill Climb Racing. The study investigated around 1.2 million apps on Google Play Store, available in Android, and identified a set of potential counterfeits for the top 10,000 apps.

Counterfeit apps impersonate popular apps and try to misguide users`. “Many counterfeit apps can be identified once installed. However, even a tech-savvy user may struggle to detect them before installation,” the study says.

It also points out that fake apps are often used by hackers to steal user data or infect a device with malware. “Installing counterfeit apps can lead to a hacker accessing personal data and can have serious consequences like financial losses or identity theft,” reads a blog post by the university.

The study also found that 1,565 asked for at least five dangerous permissions and 1407 had at least five embedded third-party ad libraries.

To investigate these applications on Google Play store the researchers used neural networks.

Google has acknowledged the problem of “malicious apps and developers” in a blog post by Google Play product manager Andrew Ahn on February 13, 2019.

According to Google, the company now removes malicious developers from Play store much faster when compared to previous years. The company says that in 2018 it stopped more malicious apps from entering the store than ever before.

A Google spokesperson, in response to a TOI email, said, “When we find that an app has violated our policies, we remove it from Google Play.”