Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Google Play. Show all posts
Versioning
Cyber Attacks Cyber-attacks Data Theft Google Play Versioning

Tricky Malware Uses Versioning to Outsmart Google Play Store Scanners

In recent developments, threat actors are using a technique known as "versioning" to evade Google Play Store's malware detection mechanisms, posing a significant risk to Android users. This method allows them to specifically target users and compromise their sensitive information, including credentials, data, and finances. Despite being a known tactic, versioning remains challenging to detect, making it a preferred choice for malicious developers. 

In May, cybersecurity firm ESET uncovered a screen recording app called "iRecorder - Screen Recorder." Surprisingly, the app remained undetected for almost a year on the Play Store before malicious modifications were made to enable covert spying on its users. 

SharkBot, a notorious malware utilizing the DCL method, has been consistently resurfacing on the Play Store. This malware disguises itself as security and utility apps to deceive users. Operating as a financial trojan, SharkBot executes unauthorized money transfers from compromised devices through the Automated Transfer Service (ATS) protocol. 

Here's how the versioning technique works: 

Innocent-looking Initial Release: Malicious developers begin by releasing an app's initial version on the Google Play Store, which appears harmless and successfully passes Google's pre-publication security checks. This initial version is designed to avoid detection by security measures. 

Introduction of Malicious Components: Subsequently, the developers push updates to the app. These updates introduce malicious components into the seemingly harmless app. These malicious components are cleverly hidden, allowing the initial version to pass the security checks while carrying hidden threats. 

Attackers' Controlled Servers: The updates containing the harmful code are delivered to users' devices from servers controlled by the attackers. These servers enable the attackers to dynamically load code (Dynamic Code Loading or DCL) onto the devices without raising any suspicion. 

App as a Backdoor: As a result of the malicious updates, the app effectively becomes a dangerous backdoor on the compromised devices. This grants the attackers unauthorized access and control over the compromised devices, enabling them to exploit sensitive information, compromise security, and carry out further malicious activities. 

According to a report from ThreatFabric, cybercriminals have been exploiting an Android bug to make malicious apps appear harmless. They achieve this by "corrupting components of an app" in a way that the app remains valid as a whole. This allows malicious apps to bypass detection and pose a threat to unsuspecting users. 
Read more »
TikTok
Americal Civil Liberties Apple's Store Cyber space Cyberattacks Cyberfrauds FBI Google Play Privacy TikTok

The Montana Legislature Banned TikTok

 


A bill introduced in Montana would prevent apps like TikTok from being listed for download on app stores such as Google Play and Apple's App Store. The bill is forwarded to Republican Governor Gianforte for signature. 

TikTok, owned by Chinese investors, continues to be the target of fierce battles. As part of their efforts to address short-form video apps, Montana lawmakers voted on Friday to ban the most popular app from the state. 

Reuters writes that a bill would prevent applications like TikTok from being listed on apps stores, like Google Play or Apple's App Store in Montana. A 54-43 vote in the Montana House of Representatives approved the bill, SB419. Upon signing the bill, Gianforte will ensure it comes into effect in January. Despite the potential for substantial legal challenges, the legislation may still pass. 

However, there is nothing in the bill that makes it illegal for people who already use the app. This is regardless of the enacted law. The bill's original version forced internet providers to block TikTok. However, that particular language was removed, and it is not part of the amended bill. 

A state government has taken the first step in restricting TikTok in response to perceived security concerns since the legislation was passed. A national ban on TikTok seems to be on the cards after some federal lawmakers have called for an end to the app. 

A bill has been introduced targeting TikTok. It outlines the potential penalties imposed on the company if it violates the law daily. In addition to app stores that violate the law, penalties would also apply. As a result, users who access TikTok as part of their routine will not be penalized for doing so. 

As a result of allegations that TikTok's Chinese owner, ByteDance, places US users' personal information at risk for marketing purposes, the app has come under significant scrutiny from US legislators in recent months. Several congressmen have called for American data sharing with the Chinese government at the federal and state level. Last month, a congressional committee grilled TikTok CEO Shou Zi Chew on the issues widely held by the general public on social media.  

Numerous claims are being made against TikTok, including accusations of data theft, data mining, piracy, and data collection. However, TikTok has repeatedly denied these claims. To gain respect among US legislators, TikTok poured more than $1 billion into establishing a database where American users' data would be archived exclusively on Oracle's servers.

As acknowledged by its champions, the bill's supporters have no practical plans for operationalizing this attempt to censor American voices and therefore have no chance of succeeding. It has also been confirmed by TikTok's spokesperson Brooke Oberwetter that a court will decide whether the bill's constitutionality can stand up in court. Brooke hopes that the government of Montana will continue to abuse the First Amendment to keep TikTok users and creators in Montana from earning a living and protecting their rights under the First Amendment. 

Currently, the bill is being sent to the governor to be signed into law. There is a high probability that Republican governor Greg Gianforte will sign it. In Montana, TikTok has been banned from government devices because he previously banned it. Similar executive orders have been enacted by other states to ban the use of the app on devices and networks owned and operated by the government. 

Data safety concerns, surveillance by the Chinese government, and the involvement of minors in "dangerous activities" resulting from TikTok use were cited in the bill, which included a claim that minors were cooking chicken in NyQuil and climbing milk crates as dangerous activities. Critics of the app say that these activities were part of a set of challenges that had become popular. 

As a result of the links that TikTok's parent company, ByteDance, has with TikTok's parent company, the Chinese government has been widely expressed as having a potential risk of accessing user data from TikTok. 

In addition, they worry that this kind of information could be used by Chinese intelligence agencies or propaganda campaigns for their benefit. It is unclear whether the Chinese government has accessed or used any data related to TikTok's US users to influence them, and there has been no public evidence of this. According to Christopher Wray, Director of the FBI, the FBI does not believe many signs would be at first glance if this were to happen if it did happen. 

To make TikTok safer and more sustainable, the US government has called on its Chinese owners to spin off TikTok. In the context of its Project Texas initiative, TikTok says it can address national security concerns by installing a "firewall" around US users' data covering a wide area of cyberspace. 

Despite the uncertainty surrounding Montana's legislation's future, there is still hope for it. TikTok is a member of an industry group called NetChoice, which also has other technology companies in its membership. The group declared Friday that SB419 violates the US Constitution by trying to punish a person without a trial, or so-called "bills of attainment." 

It has been alleged by other civil society organizations that SB419 violates Montanans' rights to free expression as well as their access to information under the First Amendment. Earlier this week, the American Civil Liberties Union sent a letter to members of state legislatures in which the organization made the argument that government restrictions on freedom of speech must meet a high constitutional standard. 

As a result of SB 419, Montanans would be better off without a platform where they could speak out freely and exchange ideas daily; this would be censorship. 

According to the letter, if this becomes a law, it will set a dangerous precedent that government bodies will hold excessive control over Montanans’ access to the internet. According to Lynn Greenky, a First Amendment scholar and associate professor of Communication Studies at Syracuse University, the legislation also refers to "dangerous content" and "dangerous challenges" to TikTok phrases, raising an immediate "red flag" that will trigger a more thorough review of the bill. 

The bill sponsor, Shelley Vance, did not respond to a request for comment immediately after receiving it. In response to a question about Gianforte's comments, Gianforte's spokesperson failed to respond immediately. If the law is passed, the app ban will be implemented before 2024 begins. Several Congressmen are expressing concerns about the app as security concerns rise due to Chinese owners. As part of the Biden administration's warning issued last month, TikTok's parent company ByteDance, based in China, was told to divest ownership of the service or face a ban by the federal government.
Read more »
User Data
Android Archived Apps Auto-Archive Google Play Personal Data Technology User Data

Users of Android can Now Save Space by Auto Archiving

 


In an announcement by Chang Liu and Lidia Gaymond, Google Play product managers announced that an upcoming auto-archive feature would be introduced later this month. This feature has been added to make device storage management easier for Android users. As a result of this feature, there is less chance of unintentional app uninstallations, and users can install updated apps without hassle. 

Developers who use the App Bundle to publish their apps can only use auto-archive for their apps. To increase the chances of your app appearing in users' uninstall suggestions, ensure that your app supports archiving. 

If there is insufficient storage for an app to be installed, the device will prompt the user to enable auto-archive. Users can easily turn on auto-archive when opting in, freeing up space on their devices. 

There are several reasons why people uninstall applications, but the most common is to free up space on their devices. 

It has been customary to prompt users to manually uninstall apps when their device's storage nears capacity. This is so that they can make room for updated ones to be installed. Users can save up to nearly 60% of an app's storage space by using the enhanced auto-archiving feature, which allows the app to be deleted and the data is not lost when deleted. 

There was a time when an app would automatically be recommended to be uninstalled when there was not enough space on the device. Android is getting access to the ‘archive’ feature that was worked on by the tech giant.  

In addition to checking and removing unused apps manually from the phone settings, users can also remove them manually from their apps list. Despite this, the uninstallation of an application can lead to the data you entered into it being lost. 

A user installing an Android app will receive a prompt to use the app's auto-archiving feature when the device's storage is running low, and the app is installed on the device. By simply turning on the feature, users can archive all apps no longer in use. They can also delete permissions, temporary files, and alerts created in the past. 

Having app archiving enabled on your device will help you recognize when you lack storage. You can archive apps that you rarely use when it detects space shortage. Your device will automatically archive apps you do not use often if it detects that you don't have enough storage. Personal data will be saved if you download the app again. 

In addition to allowing users to partially remove infrequently used apps from their devices, the auto-archive feature allows the user to preserve the icon for those apps and the data the user has entered for them. It is a visual indication of archiving that the user can see cloud icons on their device when it comes to Archived Apps. As long as the app is still available on Google Play, users can re-download and use the archived app from where they left off by tapping the icon, provided that they wish to continue using the app from where they had left off. 

The process of opting into auto-archive is easy, and the user can do it with just a few clicks. When the user attempts to install a new app on the device, and the device is out of storage, a pop-up window appears asking if the user would like auto-archiving to be enabled. The user can opt-in to auto-archive the unused apps on their device if they wish, allowing the phone's storage to be freed up so that the updated application can be installed.   
Read more »
Kaspersky
App security Cyber Crime Cybercrime Actors Darknet Markets Google Apps Google Play Google Play Threats Kaspersky

Cybercriminals Set Android Apps For Sale for Up to $20K a Piece


Cyber threat actors have lately been targeting the official Google Play app store’s security by developing trojan malwares for existing Android apps, selling the malwares for up to $20,000 a piece on darknet markets. 

In a blog post published on April 10, Kaspersky researchers reported their findings of a thorough analysis of nine of the most well-known Dark Web forums. They discovered a booming market of buyers and sellers exchanging access to botnets, malicious Android applications, and app developer accounts for hundreds of dollars at a time by monitoring activities between 2019 and 2023. 

Some highly valuable products, such as source code that can let a threat actor hack into an existing cryptocurrency or a dating app on Google Play can cost several thousand dollars. 

"It's an infinite cat and mouse game[…]The attackers find a way to bypass security scanners. Then the people developing the security scanners deploy patches to ensure that doesn't happen again. Then the attackers find new flaws. And it goes on and on," says Georgy Kucherin, Kaspersky research with regards to Google’s app security. 

The Marketplace for Google Play Hacks 

Any program that is posted to the Apple or Google app stores undergoes a rigorous inspection. However, according to the Kaspersky researchers “just like any security solution that exists in the world, it's not 100% effective[…]Every scanner contains flaws that threat actors exploit to upload malware to Google Play." 

Commonly, there are two methods by with a hacker attempts to sneak malware onto an app store: 

  • The first method entails publishing a completely safe software to the app store. If it has been approved, or even better, if it has attracted a sizable enough audience, hackers will submit an update that contains the malicious code. 
  • The second involves hackers compromising legitimate app developers, accessing their accounts to upload malware to already-existing programs. With no two-factor authentication and strong password restrictions in place, app developer accounts are more vulnerable to hacking. Credential leaks occasionally enable hackers to accomplish the majority of their goals by giving them access to important company development systems and accounts. 

Moreover, depending on the developer, access to a Google Play account may only cost as little as $60, depending on the developer. However, other, more beneficial accounts, resources, and services have significantly greater costs. 

For example, considering the power they hold, loaders — the software necessary to deploy malicious code into an Android app — can cost big bucks on the darknet markets, ranging up to a whopping $5,000 each for an instance. 

A well-resourced criminal could well go with a premium package, like the source code for a loader. 

 "You can do whatever you want with that — deploy it to as many apps as you want[…]You can modify the code as much as you want, adapting it to your needs. And the original developer of the code may even provide support, like updates for the code, and maybe new ways to bypass security measures," Kucherin explains. 

How Can a Company Protect Itself from Google Play Threats 

The threats posed by Google Play are a cause of great concern to organizations, especially the ones with feeble enterprise security. Kucherin notes that many businesses still have lax bring-your-own-device arrangements in place, which extend the security perimeter outside of corporate networks and right into the hands of its employees. 

"Say an employee installs a malicious app on the phone[…]If this app turns out to be a stealer, cybercriminals can get access to, for example, corporate emails or sensitive corporate data, then they can upload it to their servers and sell it on the Dark Web. Or even worse: An employee might keep their passwords in, for example, their phone's notes app. Then hackers can steal those notes and get access to corporate infrastructure," he explains. 

In order to prevent such severe outcomes, Kucherin suggests two simple precautionary measures: 

One, you can teach the employees cyber-hygiene principles, like not downloading apps that are not trusted. However, this might not suffice, so "another thing you can do — though it's more expensive — is give your employees a separate phone, which they will use only for purposes of work. Those devices will contain a limited number of apps — just the essentials like email, phone, no other apps allowed,” he adds. 

Just as it is for the cybercriminals, you have to pay more to get more, he notes: "Using dedicated work devices is more effective, but more expensive."  

Read more »
Vulnerabilities and Exploits
AI Chatbot Apple Devices Artificial Intelligence Bitdefender ChatGPT Google Play Phishing Attack Scam Emails Vulnerabilities and Exploits

New Phishing Scam Targets User's With Fake ChatGPT Platform

The general population is fascinated with AI chatbots like OpenAI's ChatGPT. Sadly, the popularity of the AI tool has also attracted scammers who use it to carry out extremely complex investment frauds against naive internet users. Nevertheless, security experts warn that ChatGPT and other AI techniques may be used to rapidly and on a much wider scale produce phishing emails and dangerous code.

Bitdefender Antispam Labs claims that the most recent wave of "AI-powered" scams starts with a straightforward unwanted email. In reality, our researchers were instantly drawn to what seemed to be a harmless marketing ploy, and they went on to uncover a complex fraud operation that poses a threat to participants' wallets and identities.

The initiative is currently focused on Denmark, Germany, Australia, Ireland, and the Netherlands.

How does the Scam Operate?

In the past several weeks, fake ChatGPT apps have appeared on the Google Play and Apple App Stores, promising users weekly or monthly memberships to utilize the service. The con artists behind this specific scheme go above and beyond to deceive customers.

Users who click the email's link are taken to a clone of ChatGPT that tempts them with money-making chances that pay up to $10,000 per month 'just on an exclusive ChatGPT platform.'

The recipient must click on an embedded link to access further information because the email itself is short on specifics. They click on this link to be taken to a bogus ChatGPT chatbot, where they are prompted to invest at least €250 and provide their contact information, including phone number, email address, and card details.

The victim is then given access to a copy of ChatGPT, which varies from the original chatbot in that it provides a limited number of pre-written responses to user inquiries. Only a domain that is blacklisted allows access to this chatbot.

It's nothing unusual for scammers to take advantage of popular internet tools or patterns to trick users. Use only the official website to test out the official ChatGPT and its AI-powered text-generating capabilities. Avoid clicking on links you get in unsolicited mail, and be particularly suspicious of investment schemes distributed on behalf of a corporation, which generally are scams.

Read more »
Privacy
Android Apps Data Privacy Section Data Safety Form Google Google Play Google Play Store Mozilla Mozilla Research Privacy

Mozilla Research Lashes Out Google Over ‘Misleading’ Privacy Labels on Leading Android Apps


An investigation, conducted by the Mozilla Foundation, into the data safety labels and privacy policy on the Google Play Store has exposed some severe loopholes that enable apps like Twitter, TikTok, and Facebook to give inaccurate or misleading information about how user data is shared. 

The study was conducted between the 40 most downloaded Android apps, out of which 20 were free apps and 20 were paid, on Google Play and found that nearly 80% of these apps disclose misleading or false information. 

The following findings were made by the Mozilla researchers: 

  • 16 of these 40 apps including Facebook and Minecraft, had significant discrepancies in their data safety forms and privacy policies. 
  • 15 apps received the intermediate rating, i.e. “Need Improvement” indicating some inconsistencies between the privacy policies and the Data Safety Form. YouTube, Google Maps, Gmail, Twitter, WhatsApp Messenger, and Instagram are some of these applications. 
  • Only six of these 40 apps were granted the “OK” grade. These apps included Candy Crush Saga, Google Play Games, Subway Surfers, Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman: 2020 Ninja. 

Google’s Data Privacy Section 

Google apparently launched its data privacy section for the Play Store last year. This section was introduced in an attempt to provide a “complete and accurate declaration” for information gathered by their apps by filling out the Google Data Safety Form. 

Due to certain vulnerabilities in the safety form's honor-based system, such as ambiguous definitions for "collection" and "sharing," and the failure to require apps to report data shared with "service providers," Mozilla claims that these self-reported privacy labels may not accurately reflect what user data is actually being collected. 

In regards to Google’s Data Safety labels, Jen Caltrider, project lead at Mozilla says “Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that[…]Unfortunately, they don’t. Instead, I’m worried they do more harm than good.” 

In one instance in the report, Mozilla notes that TikTok and Twitter both confirm that they do not share any user data with the third parties in their Data Safety Forms, despite stating that the data is shared with the third parties in their respective privacy policies. “When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties[…]Consumers deserve better. Google must do better,” says Caltrider. 

In response to the claim, Google has been dismissing Mozilla’s study by deeming its grading system inefficient. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects[…]The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information,” says a Google spokesperson. 

Apple, on the other hand, has also been criticized for its developer-submitted privacy labels. The 2021 report from The Washington Post indicates that several iOS apps similarly disclose misleading information, along with several other apps falsely claiming that they did not collect, share, or track user data. 

To address these issues, Mozilla suggests that both Apple and Google adopt an overall, standardized data privacy system across all of their platforms. Mozilla also urges that major tech firms shoulder more responsibility and take enforcement action against apps that fail to give accurate information about data sharing. “Google Play Store’s misleading Data Safety labels give users a false sense of security[…]It’s time we have honest data safety labels to help us better protect our privacy,” says Caltrider.  

Read more »
SharkBot
Data Google Play Hackers Login Credentials malware SharkBot

SharkBot Malware Returns to Google Play, to Steal Login Credentials

 

A new and updated version of the SharkBot malware has returned to Google's Play Store, targeting Android users' banking logins via apps with tens of thousands of installations. When submitted to Google's automatic review, the malware was found in two Android apps that did not contain any malicious code. SharkBot, on the other hand, is added in an update that takes place after the user installs and launches the dropper apps.

According to a blog post by Fox IT, a division of the NCC Group, the two malicious apps are "Mister Phone Cleaner" and "Kylhavy Mobile Security," which have 60,000 installations combined. Although the two apps have been removed from Google Play, users who have installed them are still at risk and will require to uninstall them manually.

SharkBot has advanced now

SharkBot was discovered in October 2021 by malware analysts at Cleafy, an Italian online fraud management and prevention company. NCC Group discovered the first apps carrying it on Google Play in March 2022.

At the time, the malware was capable of performing overlay attacks, stealing data through keylogging, intercepting SMS messages, and granting threat actors complete remote control of the host device by abusing the Accessibility Services. 

ThreatFabric researchers discovered SharkBot 2 in May 2022, which included a domain generation algorithm (DGA), an updated communication protocol, and completely refactored code. On August 22, Fox-IT researchers discovered a new version of the malware (2.25) that adds the ability to steal cookies from bank account logins.

“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT says.

When the dropper app is installed, it contacts the command and control (C2) server and requests the malicious SharkBot APK file. The dropper then notifies the user that an update is available and instructs them to install the APK and grant all necessary permissions. SharkBot stores its hard-coded configuration in encrypted form using the RC4 algorithm to make automated detection more complicated. 

About cookie-loving Sharkbot

SharkBot 2.25 retains the overlay, SMS intercept, remote control, and keylogging systems, but a cookie logger has been added on top of them. When the victim logs into their bank account, SharkBot uses a new command ("logsCookie") to steal their valid session cookie and send it to the C2.

Cookies are useful for account takeovers because they contain software and location information that help bypass fingerprinting checks or, in some cases, the user authentication token itself. Throughout the investigation, Fox IT personnel discovered new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland, and Austria) and the United States. 

The researchers discovered that the malware uses the keylogging feature in these attacks to steal sensitive information directly from the official app it targets. Fox IT expects SharkBot campaigns to continue and the malware to evolve now that an improved version of the malware is available.

Read more »
Google Play
Data Breach Data Harvesting SDK Data Theft Google Play

Android Apps With 45 Million Installs Used For Data Harvesting SDK

 

Recently, Mobile malware researchers warned about a set of applications available on the Google Play Store that are stealing the private data of users from over 45 million installs of the apps. 

The apps consume credentials of the users through a third-party SDK in which it gets access to the users' capture clipboard content (store very sensitive data, such as crypto wallet recovery seeds, passwords, or credit card numbers), email addresses, GPS data, phone numbers, and even the user’s modem router MAC address and network SSID. This sensitive data could lead to significant privacy risks, the researchers said. 

The famous and most downloaded app applications to be using this SDK to send sensitive data of users are enlisted below:

• Al-Moazin Lite – 10 million installations (phone number, IMEI, router SSID, router MAC address) 
• Speed Camera Radar – 10 million installations (phone number, IMEI, router SSID, router MAC address) 
• WiFi Mouse – 10 million installations (router MAC address) 
• Qibla Compass Ramadan 2022 – 5 million installations (GPS data, router SSID, router MAC address) • QR & Barcode Scanner – 5 million installations (phone number, email address, IMEI, GPS data, router SSID, router MAC address) 
• Handcent Next SMS-Text w/MSS – 1 million installations (email address, IMEI, router SSID, router MAC address) 
• Smart Kit 360 – 1 million installations (email address, IMEI, router SSID, router MAC address) 
• Simple weather & clock widget – 1 million installations (phone number, IMEI, router SSID, router MAC address) 
• Al Quran mp3 – 50 Reciters & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address) 
• Audiosdroid Audio Studio DAW – 1 million installations (phone number, IMEI, GPS data, router SSID, router MAC address) 
• Full Quran MP3 – 50+ Languages & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address) 

In the wake of the security incident, Google removed many applications from the Google Play store after discovering that they contain data harvesting software. Several Muslim prayer apps, a highway-speed-trap detection app, and a QR-code reading app, were installed more than 45 million times, as per the researchers. 
Read more »
Subscribe to: Posts (Atom)