Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Mobile Security. Show all posts
User Privacy
Data Leak Location data Mobile App Breach Mobile Security User Privacy

Millions of People's 'Intimate' Location Data Compromised in Apparent Hack

 

Major apps worldwide are potentially being exploited by rogue members within the advertising sector to collect sensitive location data extensively, which subsequently is transferred to a location data firm whose subsidiary has previously sold global location data to US law enforcement agencies. 

The thousands of apps discovered in hacked files from location data firm Gravy Analytics range from games like Candy Crush to dating apps like Tinder, pregnancy tracking, and religious prayer apps for both Android and iOS. Because much of the data collection occurs through the advertising ecosystem rather than code developed by app creators themselves, it is likely that users or even app developers are unaware of it. 

After examining some of the data, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and an avid follower of the location data space, tells 404 Media, "For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream," instead of code embedded in the apps themselves. 

The data offers a rare peek into the realm of real-time bidding. Historically, location data providers compensated app developers to incorporate bundles of code that collected their users' location data. Numerous companies have instead moved to the advertising ecosystem, where firms bid to place ads within apps, to obtain location information. However, data brokers can listen in on that procedure and gather the location of people's mobile phones.

"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards added. 

The hacked Gravy data includes tens of millions of mobile phone coordinates from devices in the United States, Russia, and Europe. Some of those files additionally list an app next to each piece of location data. 404 Media extracted the app names and created a list of mentioned apps. 

The list includes dating sites Tinder and Grindr; massive games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with over 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also includes a number of religious-focused apps, such as Muslim prayer and Christian Bible apps, as well as numerous pregnancy trackers and VPN apps, which some users may download, ironically, in order to safeguard their privacy.
Read more »
Sensitive data
CAPTCHA Mobile Security phishing Sensitive data

Executives Targeted by Advanced Mobile Phishing Attacks

 

Mobile phishing attacks have continued to advance, targeting corporate executives. A report from mobile security firm Zimperium describes these attacks as highly sophisticated means of exploiting mobile devices. Thus, there is an emerging need for awareness and security measures.

How the Attacks Function

One campaign uncovered by Zimperium’s research team (zLabs) impersonated Docusign, a widely trusted e-signature platform. The attackers sent fake emails designed to look like urgent communications from Docusign. These emails urged recipients to click on a link to review an important document, playing on trust and the sense of urgency.

Initial Stage: Clicking the link redirected victims to a legitimate-looking webpage, masking its malicious intent.

Second-level Credibility: Then it led to a phishing site with a compromised university website address, which gave it a third level of credibility.

Mobile Specific Ploys: The phishing site on mobile was a Google sign-in page, created to steal login credentials. Desktop users were taken to actual Google pages to avoid detection.

Using CAPTCHA: To gain user trust, attackers added CAPTCHA verification in the phishing pages, so it resembled a real one.

Why Mobile Devices Are the Target

Mobile devices are generally less secure than traditional computers, making them a preferred target. The attackers planned well and even registered domains and SSL certificates just days before sending phishing emails. This was very hard to detect, because of the time invested in preparation.

Steps to Stay Protected

Experts advise that businesses take several steps to protect themselves from these attacks:

  • Train Employees: Educate employees, especially executives, on how to detect phishing attempts and not to click on suspicious links.
  • Mobile Security: Strengthen security on mobile devices and update policies to address emerging threats.
  • Use Advanced Tools: Implement advanced detection systems that can identify these new, highly hidden attacks.

Mika Aalto, the CEO of the security company Hoxhunt, believes that organizations should think about early prevention and equip employees with the skills to identify phishing attacks. He also advocates for better technical tools to help detect and block schemes more effectively.

Therefore, with the understanding and preparation about these threats, organizations can ensure their executives and sensitive data are protected from this mobile phishing campaign danger.

Read more »
User Privacy
Google Mobile Security RCS Threat Landscape User Privacy

Here's Why You Need A New App After Google RCS Issue

 

Google Messages has suddenly gone haywire. After years of campaigning, the "seamless messaging" dream was finally realised, but it vanished as quickly as it arrived. Currently, the question is whether it has any prospect of ever returning. 

Like a slow-motion train crash, Google quickly appreciated Apple for its long-awaited adoption of RCS, but as soon as it went live, it was criticised for its awkward security flaw. Despite iMessage's constant praise of its end-to-end encryption, those green bubbles are still without it. 

Quick to react, Google and the GSMA said that end-to-end encryption for RCS is currently being developed. China comes along to ruin the fun, even though that might have won the day. Apple, Google, and other companies insist on end-to-end encryption since it appears that state-sponsored hackers have infiltrated US telco networks. 

Cross-platform RCS has suffered severely as a result of the FBI and CISA are now both cautioning the public to utilise encrypted platforms properly. There is no security when texting from an Android phone to an iPhone, as Samsung has warned customers. 

Google and the GSMA were quick to respond, promising that end-to-end encryption for RCS is in the works. But, although that might have won the day, China arrives to spoil the fun. It appears that state-sponsored hackers have broken into US telco networks, highlighting why Apple, Google, and others advocate for end-to-end encryption in the first place. With the FBI and CISA now warning citizens to use appropriately encrypted systems, cross-platform RCS has taken a significant knock. Even Samsung has advised consumers that texting from Android to iPhone is not secure. 

Apple has never denied that iMessage is only secure within its own walled garden. Google, not Apple, pushed for cross-platform RCS. When it finally arrived with iOS 18, Google sent out public messages about non-blurry images and other new capabilities, whereas Apple said little, if anything at all. 

So now it's up to Google Messages to pick up the pieces of this security catastrophe and figure out what to do next. How quickly can RCS be beefed up to meet the "responsible encryption" standard specified by the US government officials? Given the official warnings, how do Google and Apple encourage consumers to send basic RCS/SMS texts? How quickly will network confidence get better? 

However, with timing being everything, the ultimate impediment to that RCS train could be Apple's upcoming iPhone update—iOS 18.2. To everyone's surprise, the iMaker has chosen to provide all of its users—not just those in controlled Europe—the ability to choose their default apps. For the first time, choose an over-the-top service like WhatsApp or Signal as your primary call and message provider. 

The 2024 RCS dream has suffered a setback, though whether it has been buried beneath the waters remains to be seen. What is evident is that this benefits Meta, which owns the world's largest end-to-end encrypted messaging systems, WhatsApp and Facebook Messenger, even if they are not "responsibly" encrypted, as defined by the FBI, which requires authorised access to content when necessary. 

Google Messages customers who use that platform to text friends, family, and colleagues will now require a new app. If you don't already have WhatsApp, Messenger, or Signal, you should download them right now. WhatsApp is the clear winner, striking the ideal combination between security, functionality, and scalability. Many of the people you communicate with will already have the app installed.

In keeping with the security theme, you must take two steps to guarantee the integrity of end-to-end encryption. Start by correctly configuring WhatsApp (or a substitute). This includes passkeys when they are available and two-factor authentication. Second, make sure you avoid taking any chances when installing apps, downloading files, or clicking links. It's as if you haven't secured your stuff at all if an attacker uses malware to take over your phone or lures you into installing malicious software, regardless of the messenger you use. 

The irony for Google has continued with the announcement that Samsung is discontinuing RCS for millions of Galaxy users who are still using Samsung Messages and advising they migrate to Google Messages. The Galaxy maker told Verizon customers that "Samsung Messages will no longer support RCS after 1.6.2025." Switch to Google Messages to keep the more robust messaging you're accustomed to.”
Read more »
User Security
Data Privacy Mobile Security Threat Landscape User Security

Turn Your Phone Off Daily for Five Minutes to Prevent Hacking

 

There are numerous ways in which critical data on your phone can be compromised. These range from subscription-based apps that covertly transmit private user data to social media platforms like Facebook, to fraudulent accounts that trick your friends into investing in fake cryptocurrency schemes. This issue goes beyond being a mere nuisance; it represents a significant threat to individual privacy, democratic processes, and global human rights.

Experts and advocates have called for stricter regulations and safeguards to address the growing risks posed by spyware and data exploitation. However, the implementation of such measures often lags behind the rapid pace of technological advancements. This delay leaves a critical gap in protections, exacerbating the risks for individuals and organizations alike.

Ronan Farrow, a Pulitzer Prize-winning investigative journalist, offers a surprisingly simple yet effective tip for reducing the chances of phone hacking: turn your phone off more frequently. During an appearance on The Daily Show to discuss his new documentary, Surveilled, Farrow highlighted the pressing need for more robust government regulations to curb spyware technology. He warned that unchecked use of such technology could push societies toward an "Orwellian surveillance state," affecting everyone who uses digital devices, not just political activists or dissidents.

Farrow explained that rebooting your phone daily can disrupt many forms of modern spyware, as these tools often lose their hold during a restart. This simple act not only safeguards privacy but also prevents apps from tracking user activity or gathering sensitive data. Even for individuals who are not high-profile targets, such as journalists or political figures, this practice adds a layer of protection against cyber threats. It also makes it more challenging for hackers to infiltrate devices and steal information.

Beyond cybersecurity, rebooting your phone regularly has additional benefits. It can help optimize device performance by clearing temporary files and resolving minor glitches. This maintenance step ensures smoother operation and prolongs the lifespan of your device. Essentially, the tried-and-true advice to "turn it off and on again" remains a relevant and practical solution for both privacy protection and device health.

Spyware and other forms of cyber threats pose a growing challenge in today’s interconnected world. From Pegasus-like software that targets high-profile individuals to less sophisticated malware that exploits everyday users, the spectrum of risks is wide and pervasive. Governments and technology companies are increasingly being pressured to develop and enforce regulations that prioritize user security. However, until such measures are in place, individuals can take proactive steps like regular phone reboots, minimizing app permissions, and avoiding suspicious downloads to reduce their vulnerability.

Ultimately, as technology continues to evolve, so too must our awareness and protective measures. While systemic changes are necessary to address the larger issues, small habits like rebooting your phone can offer immediate, tangible benefits. In the face of sophisticated cyber threats, a simple daily restart serves as a reminder that sometimes the most basic solutions are the most effective.

Read more »
User Privacy
Chrome Extension Manifest V3 Mobile Security Security flaw SquareX User Privacy

Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3

 

Users have always found browser extensions to be a useful tool for increasing productivity and streamlining tasks. They have, however, become a prime target for malicious actors attempting to exploit flaws, impacting both individual users and companies. 

Despite efforts to boost security, several of these extensions have found ways to exploit vulnerabilities in Google's latest extension framework, Manifest V3 (MV3). SquareX's recent research explained how these rogue extensions can continue to evade crucial security protections, exposing millions of users to risks such as data theft, malware, and unauthorised access to sensitive information. 

Google has always had troubles with Chrome addons. In June 2023, the company had to manually remove 32 vulnerable extensions that had been installed 72 million times before being removed. 

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously unstable. It frequently granted excessive rights to extensions and allowed scripts to be introduced without user knowledge, making it less complicated for cybercriminals to steal data, access sensitive information, and install malware.

In response, Google launched Manifest V3, which intended to improve security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was supposed to address the vulnerabilities found in MV2, SquareX's study indicates that it falls short in important areas. 

Malicious extensions built on MV3 can still circumvent security measures and grab live video streams from collaboration services such as Google Meet and Zoom Web without requiring specific permission. They can even add unauthorised contributors to private GitHub repositories and send users to phishing pages masquerading as password managers. 

Furthermore, these malicious extensions, like their MV2 counterparts, can access browser history, cookies, bookmarks, and download history by displaying a fake software update pop-up that dupes users into downloading the malware. 

Once the malicious extension is installed, individuals and businesses are unable to notice its activity, leaving them vulnerable. Endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) are examples of security solutions that cannot dynamically assess potential risks in browser extensions. 

SquareX has created a number of solutions targeted at enhancing browser extension security in order to address these issues. Their strategy includes customised rules that let administrators choose which extensions to accept or ban depending on user ratings, reviews, update history, and extension permissions.

This system can prevent network requests from extensions in real time using policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a customised Chromium browser on its cloud server, which will provide greater insights into the behaviour of potentially malicious extensions.
Read more »
Voiceover Bug
Critical Bugs Mobile Security Security Flaws User Security Voiceover Bug

Apple Patches VoiceOver Flaw That Could Read Passwords Aloud

 

Recently, Apple fixed a serious flaw in its VoiceOver feature that caused privacy concerns for users of iPhones and iPads. The bug, known as CVE-2024-44204, allowed the VoiceOver accessibility tool to read saved passwords aloud, a serious concern for users who rely on this ability to use their devices without visual assistance. 

The flaw was identified in Apple's native password management tool, introduced in iOS 18.0. It impacted multiple models, including iPhones from the XS series and later, as well as some iPads. This issue was especially alarming for customers who kept sensitive information in their password manager. 

Although the VoiceOver feature is turned off by default, users who enabled it for accessibility reasons were at risk. Fortunately, Apple addressed the issue in the iOS 18.0.1 update by enhancing the logic that governs how VoiceOver interacts with saved passwords. 

In addition to the VoiceOver issue, Apple addressed another issue (CVE-2024-44207) with audio messages, in which iPhone 16 series devices might begin recording audio before users were aware, providing an additional privacy concern. While neither vulnerability was remotely exploitable, they were significant enough to warrant quick patches to safeguard user data. 

Cybersecurity experts have complimented Apple for quickly fixing the issues and emphasising the significance of updating devices to the most recent software versions to avoid any misuse of these vulnerabilities. Users are recommended to apply the iOS 18.0.1 update as soon as possible to prevent any potential risks. 

These updates highlight how crucial it is for companies and individuals using iPhones for sensitive work to stay up-to-date with security upgrades, especially since accessibility capabilities can occasionally be exploited in unintended ways.
Read more »
User Security
Android Trojan Banking Malware Data Privacy Mobile Security User Security

TrickMo Android Trojan Abuses Accessibility Services for On-Device Financial Scam

 

Cybersecurity experts discovered a new form of the TrickMo banking trojan, which now includes advanced evasion strategies and the ability to create fraudulent login screens and steal banking credentials. 

This sophisticated malware employs malicious ZIP files and JSONPacker to obstruct analysis and detection efforts. TrickMo, discovered by CERT-Bund in September 2019, has a history of targeting Android smartphones, with a special focus on German users, in order to acquire one-time passwords (OTPs) and other two-factor authentication (2FA) credentials for financial fraud. The trojan is believed to be the work of the now-defunct TrickBot e-crime gang, which is known for constantly enhancing its obfuscation and anti-analysis features. 

Screen recording, keystroke logging, SMS and photo harvesting, remote control for on-device fraud, and exploiting Android's accessibility services API for HTML overlay attacks and device gestures are some of the main capabilities of the TrickMo version. In addition, the malware could automatically accept permissions, handle notifications to steal or conceal login codes, and intercept SMS messages.

A malicious dropper app that mimics the Google Chrome web browser is used to spread the malware. Users are prompted to upgrade Google Play Services upon installation. In the case that the user agrees, an APK with the TrickMo payload is downloaded and set up pretending to be "Google Services." Next, the user is prompted to allow this program to use accessibility features, which gives them full control over the device. 

TrickMo can use accessibility services to disable critical security features, stop system upgrades, and hinder app uninstallation. Misconfigurations in the malware's command-and-control (C2) server made 12 GB of sensitive data, including credentials and photos, available without authentication. 

This exposed data is vulnerable to exploitation by other threat actors for identity theft, unauthorised account access, financial transfers, and fraudulent transactions. The security breakdown highlights a severe operational security failure by the threat actors, increasing the risk to victims. The exposed private data can be utilised to create convincing phishing emails, resulting in additional information disclosure or malicious acts.
Read more »
OCR
Android Malware Android Users Data Privacy Mobile Security OCR

Novel Android Malware Employs OCR to Steal Crypto Wallet Keys From Images

 

A novel mobile malware operation dubbed SpyAgent has surfaced targeting Android device users in South Korea. According to an investigation by McAfee Labs researcher SangRyol Ryu, the malware "targets mnemonic keys by scanning for images on your device that might contain them," and it has expanded its targeting footprint to include the UK.

The campaign uses fake Android apps to deceive users into installing them. These apps seem like real banking, government, streaming, and utility apps. As many as 280 fake apps have been uncovered since the start of the year.

It all begins with SMS messages with booby-trapped links directing users to download the apps in question in the form of APK files published on fraudulent websites. Once installed, they will request intrusive permissions to extract data from the devices. 

The most prominent feature is its ability to employ optical character recognition (OCR) to steal mnemonic keys, which are recovery or seed phrases that allow users to restore access to their bitcoin wallets. Unauthorised access to the mnemonic keys could allow attackers to gain control of the victims' wallets and drain all of the funds stored in them. 

According to McAfee Labs, the command-and-control (C2) infrastructure had major security flaws that permitted unauthorised access to the site's root directory as well as the exposure of victim data. 

The server also has an administrator panel, which serves as a one-stop shop for remotely controlling the infected devices. The appearance of an Apple iPhone running iOS 15.8.2 with the system language set to Simplified Chinese ("zh") in the panel indicates that it may also target iOS users. 

"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," the researchers explained. "While this method was effective, it was also relatively easy for security tools to track and block." "In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools.” 

The finding comes a little more than a month after Group-IB disclosed another Android remote access trojan (RAT) known as CraxsRAT, which has been targeting Malaysian banking users since at least February 2024 via phishing websites. It's worth noting that CraxsRAT campaigns have already been found to target Singapore by April 2023.
Read more »
Telegram
App Store Malicious Content Mobile Security Social Media App Telegram

Security Analysts Observe Massive Surge in Telegram App Downloads Following Durov Arrest

 

The arrest of Telegram creator and CEO Pavel Durov in France is beginning to have an influence on the app's popularity and position.

The founder was arrested last month for allegedly allowing illicit practices to thrive on the social media platform by failing to properly monitor posts, particularly in drug trafficking, money laundering, and the spread of child sexual abuse material (CSAM). 

Despite concerns regarding the app's content, Telegram is now experiencing a spike in downloads, propelling it to the No. 2 spot on the U.S. App Store's Social Networking charts and increasing global iOS downloads by 4%. 

After Durov's arrest, Telegram took some time to rise. This might be the case because a lot of individuals found out about the news only after reading the stories they had missed over the weekend, or because third-party sources of app store intelligence take a little longer to report changes in rankings. 

According to Appfigures, an app intelligence company, Telegram didn't rise to the No. 2 spot on the Social Networking charts on the U.S. App Store until 3 a.m. EST on Monday, suggesting that the app is just now starting to gain traction. The app had already fallen to No. 3 in Social in the U.S. as of the time of publication, so it might only be a temporary boost.

However, the app shot to the top of the App Store's Social Networking category and rose to become the third most popular app overall in France, the country where Durov was arrested. After climbing ten spots since Friday, Telegram now stands at No. 8 in the top apps chart (which does not include games). Appfigures stated that this is the highest position it has held here since at least January 1, 2023. Apple often uses a combination of measures, including download velocity and app install count, to determine app store rankings.

Nevertheless, the cliché "any press is good press" appears to hold true, at least in terms of Telegram's exposure on the App Store. As consumers downloaded the app out of curiosity — or possibly to support the founder's views about "free speech" — it began to rise in the rankings.
Read more »
User Security
Cyber Scam Data Privacy Financial Fraud Mobile Security Phone Scam User Security

Here's How to Safeguard Yourself Against Phone Scams

 

Sophisticated phone scams are becoming more common and more relentless. The numbers are mind-boggling. According to the FTC, impostor fraudsters cost US consumers $2.7 billion in 2023, and the figure is rising year after year. 

These are merely the listed losses; many people who have been duped are embarrassed and refuse to acknowledge they fell for such a scam. You may believe that you will not be misled, yet many of those who are duped thought this before the incident. 

Scammers have refined their strategies to sound trustworthy and legitimate, and AI is just making matters worse. When combined with the strain or situation, it only takes a few moments to fall for it. 

The best defence against phone scams is to be prepared to face them, as they are likely to occur at some point. We've compiled a list of some of the most popular phone scams in 2024 and how to prevent them.

AI-powered scams

The most obvious example of fraudsters exploiting new technology to power existing scams is artificial intelligence (AI). For instance, scammers might use AI to: 

  • Generate more convincing and genuine sounding phishing emails and text messages. 
  • Create deepfakes of celebrities to lure victims into thinking they're investing in a good company or project.
  • Impersonate an employer and ask for private information. 

Student loan forgiveness scams 

The back-and-forth adjustments in student loan forgiveness create an ideal scenario for scammers. Fraudsters know that individuals want to believe that their student loans will be forgiven, and they will use this need for personal benefit.

For example, scammers may call you or set up fake application sites to steal your Social Security number or bank account information. They may put pressure on their victims by sending bogus urgent messages encouraging them to seek debt relief "before it's too late." Then they will charge you a high application fee. In reality, this is a scam.

Zelle scams

Scammers are using Zelle, a peer-to-peer payment tool, to steal people's money. The fraudster might email, text, or contact you, claiming to work for your bank or credit union's fraud department. They'll claim that a thief intended to steal your money via Zelle and that they need to walk you through "fixing" the issue. 

Subsequently, fraudsters may advise you to pay the money to yourself, but the funds will actually go to their account. Starting in mid-2023, Zelle began refunding victims of some frauds. However, you may not always be eligible for reimbursement, so be aware of these financial frauds. 

Prevention tips 

Avoid clicking on unknown links: Whether the link arrives in your email, a text or a direct message, never click on it unless you're certain the sender has good intentions. If the message says it's from a company or government agency, call the firm using a number that you look up on your own to confirm its legitimacy. 

Be skeptical: Scammers can spoof calls and emails to appear to be from a number of sources, including government institutions, charities, banks, and major companies. Do not provide any personal information, usernames, passwords, or one-time codes that others could use to gain access to your accounts or steal your identity. 

Don't refund or forward overpayments: Beware whenever a company or person asks you to refund or forward part of a payment. Often, the original payment will be fraudulent and taken back later. Following simple safety precautions and reviewing the most recent scam alerts might help you stay safe. However, mistakes might occur, especially when you are stressed or overwhelmed.
Read more »
User Security
Cash App Data Leak Financial Fraud Mobile Security User Security

Worried About Cash App Breach? These Three Steps Can Keep Your Financial Data Safe

 

You're not alone if the most recent Cash App data hack made you nervous. In 2022, the parent company of Block, the peer-to-peer payment platform, failed to prevent unauthorised access to Cash App customer accounts. 

Cash App agreed to a $15 million class action settlement in exchange. Even though it was an internal change, users' concerns about the app's security were not allayed, despite the fact that it was a positive step. To learn more about how to better defend themselves, users urged the cybersecurity specialists to provide some safety tips.

“One of the biggest problems with money apps like this is their popularity,” stated Neal O’Farrell, a digital security expert and CNET Money expert review board member. “Hackers follow the crowds, and the more people use these apps, the more time criminals will spend trying to exploit them.” 

Cash App actually includes an array of security safety features. The difficulty is that, while they can help you avoid fraudsters, they cannot always keep your data secure. O'Farrell observed that even the finest privacy safeguards can be undermined by an insider with access, as happened in the Cash App case. Whether you wish to avoid financial frauds on Cash App or protect your sensitive information after it has been disclosed, here are three security procedures you should take in addition to claiming any settlement money you are owed.

Secure your sign-on 

By default, Cash App makes signing in much safer by sending a code to your email address or phone number each time you log in. But there's a catch: after logging in, you must manually sign out of your account; otherwise, you can access your account from your phone without a code. I've signed out and signed back in without a code, which could be a concern if someone gains access to your phone and the app.

To be on the safe side, experts recommend logging out once you've finished completing transactions. You can add two-factor authentication as a second layer of account security, but you'll need to download a separate app, such as Google Authenticator. 

Don’t send money to strangers

From romance scams to tax scams, there are numerous ways for perpetrators to trick you into sending money using Cash App or other payment apps. Experts recommended not to send money to strangers and always double-checking their phone number or email address before sending. If you mistakenly send money to the wrong person or discover you were scammed on a Cash App, banks will often refuse to refund your money.

O'Farrell advises being wary of any messages you receive via payment apps. He frequently sees scams in which someone poses as a friend and asks for money or claims you owe them money. Others may attempt to steal access to your app and money by requesting that you verify your security code so that they can resolve a security issue with your account.

A few things can help you figure out who you're giving money to. Cash App's Incoming Requests option, available under the Security & Privacy menu, will only allow you to give money to a specific contact rather than everyone else on the app. You can also prevent people from finding your Cash App account by disabling the "$CashTag Cash.app" option in the same security page. 

Monitor your transaction activity 

Beyond data security, it's critical to monitor your account's behaviour. To receive text messages and emails about your transactions, enable push alerts under Cash App's 'Notifications' option. This allows you to track all of your payment activities and keep an eye out for anything odd.
Read more »
T-Mobile
Cyber Attacks Malicious Link Mobile scam Mobile Security Phishing Attack Scams T-Mobile

T-Mobile Customers Alarmed by Unfamiliar Support Links, But They Are Legitimate

 

T-Mobile customers have recently raised concerns after receiving unusual-looking links from the company’s support channels, leading to fears of potential phishing scams. However, investigations have confirmed that these links are legitimate, though their appearance and unfamiliar origin have caused some confusion. The Mobile Report has revealed that T-Mobile’s support teams, including T-Force, the social media support team, are now utilizing a third-party service called Khoros to manage secure forms for customers. This change has led to the use of links with unfamiliar domain names, which naturally appear suspicious to users. 

For instance, one customer was directed to a “Handset Upgrade Form” through a link that, at first glance, seemed questionable. T-Mobile employees have assured The Mobile Report that these links are indeed authentic and part of a new procedure aimed at handling sensitive customer information more securely. In the past, T-Mobile hosted similar forms directly on its own servers using a T-Mobile domain, which customers were familiar with. The shift to an external platform, particularly one that customers do not recognize, has understandably caused some concern and confusion among users. 

Adding to the unease is the fact that Khoros, the company now hosting these forms, describes itself as a platform that uses AI and automation to analyze large amounts of data. While this approach is standard for many data-driven companies, it raises questions about the potential risks involved in sharing sensitive information with third-party services, especially when customers are not fully informed about the transition. Despite the legitimacy of these links in this instance, it is always wise for customers to exercise caution when dealing with unfamiliar links, even if they appear to originate from a trusted source. Phishing scams often rely on the use of seemingly legitimate links to deceive users into disclosing sensitive information. 

As a precaution, customers are advised to contact T-Mobile directly through official channels to verify the authenticity of any communication they receive, particularly when it involves providing personal or financial information. While T-Mobile’s new process using Khoros is legitimate, the lack of clear communication regarding the change has led to understandable concerns among customers. As always, caution and verification remain key to ensuring online safety, particularly when dealing with unexpected or unfamiliar links.
Read more »
User Safety
AI Apps Mobile Security Privacy Violation User Privacy User Safety

The Concerning Rise of AI “Undressing” Apps: A Violation of Privacy and Ethics

 

Today, AI can help with a variety of tasks, like making personalised food plans and offering dating advice, as well as fixing image flaws and optimising workflow.

However, AI technology has also opened the door to more controversial apps, such as AI nude generators used for AI undressing. AI undressing is becoming increasingly popular as a result of rapid technical breakthroughs and the interest it generates. These apps use deep learning algorithms to analyse and edit images, successfully removing clothing from photographs. 

Nevertheless, the usage of these apps raises serious legal and ethical concerns. Many of these apps have the potential to infringe private rights and be used maliciously, which could result in legal consequences. Responsible use of AI undressing apps is critical, but the potential for abuse and the difficulties of regulation remain significant hurdles.

In Israel, for example, there have been debates about implementing regulations similar to those governing revenge pornography, which would criminalise the unauthorised use of AI undressing apps. In addition, Israeli tech businesses and academic institutions are creating educational courses and guidelines to promote the appropriate use of AI. These initiatives aim to mitigate the negative effects of applications such as AI undressing while upholding ethical standards in technology use. 

One of the most pressing challenges concerning AI-powered undressing apps is whether they can be used properly. This is a complex subject that ultimately depends on individual notions of right and wrong, as well as the willingness to take the required measures to safeguard oneself and others from the possible harms that these apps can generate. 

The appropriate use of such technology necessitates a thorough awareness of its ramifications as well as a commitment to ethical principles. As AI evolves, it is critical for society to strike a balance between innovation and ethical responsibility. It is critical to ensure that technological breakthroughs are used to improve our lives while maintaining our values and safety. 

This includes establishing strong legal frameworks, raising awareness and educating about the risks, and cultivating an ethical AI culture. By doing so, we can maximise the benefits of AI while minimising its potential risks, resulting in a safer and more responsible technological landscape for everybody.
Read more »
User Safety
Data Privacy Mobile Security Public Charging Stations USB Attacks User Safety

Here's Why You Shouldn't Use Public USB Charging Ports

 

We've all been there: stranded in a coffee shop with a dropping phone battery and no connector, only to find a free USB charging station nearby. Relieved, you plug in your device and go about your business, unaware that a potential threat lurks behind that seemingly benign USB port. 

That concern is "juice jacking," a cybersecurity vulnerability that has received enough attention in recent years to warrant an advisory from the FBI. So, what exactly is juice jacking and how risky is it? Here's all you need to know, along with some recommendations for keeping your mobile devices safe while charging on the road. 

What is juice-jacking? 

Juice-jacking is when hackers siphon your phone's data while it is charging. It achieves this using software placed in a kiosk that allows you to quickly charge your phone, or through a cable connected to a charging station. It can do this by plugging the USB charger directly into the socket. USBs, unlike two-pronged plugs, may transmit data as well as electricity. 

The methodology is similar to how a "skimmer" steals your bank or credit card information; however, juice-jacking has the potential to collect all of the data on your cell phone, including passwords, account information, contacts, emails, and so on. While this form of hacking is not yet widespread, it has the potential to become so. However, there are techniques to defend yourself from this type of hack. 

Prevention Tips 
  • Do not plug your phone directly into a USB charging port. Keep your data secure by using a 2-prong electrical charger.
  • Don't use the provided cord or someone else's 2-prong attachment since it might contain software designed to steal your information. 
  • Use a "sync stop" device to prevent attackers from accessing your phone. When charging your phone, leave it locked or switched off. 
  • Most phones cannot access your information while locked or switched off. Don't rely on others; bring your own personal power bank to charge your mobile device. 

When your phone's battery goes low in the airport, hotel, or coffee shop, be sure you're prepared to give it the power it requires without leaving you powerless.
Read more »
Twilio Alerts
CyberCrime Cyberhackers Cybersecurity CyberThreat Data Leak Mobile Security Phone number Security Risks Twilio Alerts

Twilio Alerts Authy Users of Potential Security Risks Involving Phone Numbers

 


The U.S. messaging giant Twilio has been accused of stealing 33 million phone numbers over the past week as a result of a hacker's exploit. Authy, a popular two-factor authentication app owned by Twilio that uses the phone numbers of people to authenticate, has confirmed to TechCrunch today that "threat actors" can identify the phone numbers of users of Authy. It was recently reported that a hacker or hacker group known as ShinyHunters entered into a well-known hacking forum and posted that they had hacked Twilio and received the cell phone numbers of 33 million subscribers from Twilio. 

As a spokesperson for Twilio Ramirez explained to TechCrunch, the company has detected that threat actors have been able to identify phone numbers associated with Authy accounts through an unauthenticated endpoint, however, it's yet to be known how this happened. According to a report by TechCrunch earlier this week, someone has obtained phone numbers related to Twilio's two-factor authentication service (2FA), Authy, of which it is a part. 

An alert from Twilio on Monday warned of possible phishing attacks and other scams using stolen phone numbers, which the company described as "threat actors" trying to steal personal information. An incident that happened in 2022 occurred following a phishing campaign that tricked employees into using their login credentials to gain access to the company's computer network. During the attack, hackers gained access to 163 Twilio accounts as well as 93 Authy accounts through which they were able to access and register additional devices. It has been revealed that Twilio traced this leak to an "unauthenticated endpoint" that has since been secured by the company. 

As the dark web was abuzz last week with the release of 33 million phone numbers from Authy accounts, the threat actor ShinyHunters published a collection of the data. The threat actor, as pointed out by BleepingComputer, appears to have obtained the information by using the app's unsecured API endpoint to input a massive list of phone numbers, which would then be checked to see whether the numbers were tied to the application. 

During the investigation into the matter, it was found that the data was compiled by feeding an enormous number of phone numbers into the unsecured API endpoint for an unsecured API. Upon validity of the number, Authy's endpoint will return information about the associated accounts registered with Authy once the request is made. Since the API has been secured, these are no longer able to be misused to verify whether a phone number is being used with Authy because the API has been secured.

Threat actors have used this technique in the past, as they exploited unsecure Twitter APIs and Facebook APIs to compile profiles of tens of millions of users that contain both public and private information about the users. Although the Authy scrape contained only phone numbers, such data can still prove to be valuable to users who are interested in conducting smishing and SIM-swapping attacks to breach the accounts of their consumers. 

A CSV file containing 33,420,546 rows is available for download. Each row contains an account ID, phone number, an "over_the_top" column, the account status of the account, as well as the number of devices according to the site. According to reports on Authy's blog, the company has acknowledged that it was attacked. Twilio has confirmed a recent data breach affecting its Authy two-factor authentication app users. 

While the company experienced two separate cyberattacks in 2022, it emphasized that this latest incident is not related to the previous breaches. In light of this development, Twilio is urging all Authy users to exercise extreme caution when dealing with unsolicited text messages that appear to be from the company. According to Sean Wright, Head of Application Security at Featurespace, the primary threat stemming from this incident is the potential for targeted phishing attacks. Exposure to users' phone numbers significantly increases the risk of such attacks. 

Wright reassures users that direct access to their Authy accounts remains unlikely unless the attackers can obtain the seeds for the multi-factor authentication (MFA) tokens stored within the app. Despite this, he stresses the importance of remaining vigilant. Users should be particularly wary of messages from unknown senders, especially those that convey a sense of urgency or threaten financial loss if no action is taken. 

To enhance security, Wright suggests that users consider switching to an alternative MFA application or opting for more secure hardware keys, such as the Yubico YubiKey. Additionally, if any user experiences difficulty accessing their Authy account, Twilio advises immediate contact with Authy support for assistance. Furthermore, Twilio recommends that users update their Authy app on iOS and Android platforms to address potential security vulnerabilities. 

Keeping the application up-to-date is critical in safeguarding against future threats and ensuring the highest level of protection for user accounts. This proactive approach will help mitigate the risks associated with the recent breach and reinforce the security of the authentication process for all Authy users.
Read more »
Mobile Security
CSAM Data Privacy European Union Messaging Apps Mobile Security

EU Proposes New Law to Allow Bulk Scanning of Chat Messages

 

The European elections have ended, and the European football tournament is in full flow; why not allow bulk searches of people's private communications, including encrypted ones? Activists around Europe are outraged by the proposed European Union legislation. 

The EU governments' vote on Thursday in a significant Permanent Representatives Committee meeting would not have been the final obstacle to the legislation that aims to identify child sexual abuse material (CSAM). At the last minute, the contentious question was taken off the agenda. 

However, if the EU Council approves the Chat Control regulation later rather than sooner, experts believe it will be enacted towards the end of the difficult political process. Thus, the activists have asked Europeans to take action and keep up the pressure.

EU Council deaf to criticism

Actually, a regulation requiring chat services like Facebook Messenger and WhatsApp to sift through users' private chats in order to look for grooming and CSAM was first put out in 2022. 

Needless to say, privacy experts denounced it, with cryptography professor Matthew Green stating that the document described "the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR.” 

“Let me be clear what that means: to detect “grooming” is not simply searching for known CSAM. It isn’t using AI to detect new CSAM, which is also on the table. It’s running algorithms reading your actual text messages to figure out what you’re saying, at scale,” stated Green. 

However, the EU has not backed down, and the draft law is currently going through the system. To be more specific, the proposed law would establish a "upload moderation" system to analyse all digital messages, including shared images, videos, and links.

The document is rather wild. Consider end-to-end encryption: on the one hand, the proposed legislation states that it is vital, but it also warns that encrypted messaging platforms may "inadvertently become secure zones where child sexual abuse material can be shared or disseminated." 

The method appears to involve scanning message content before encrypting it using apps such as WhatsApp, Messenger, or Signal. That sounds unconvincing, and it most likely is. 

Even if the regulation is approved by EU countries, additional problems may arise once the general public becomes aware of what is at stake. According to a study conducted last year by the European Digital Rights group, 66% of young people in the EU oppose the idea of having their private messages scanned.
Read more »
User Safety
Data Privacy Juice Jacking Lockdown Mode Mobile Security User Safety

Android 15's Lockdown Mode Safeguards Your Phone Against "Juice Jacking"

 

You shouldn't use any random cable that is provided to you to charge your favourite Android phone—or any other device, for that matter—at a public charging station for a few very good reasons. More importantly, there are always a number of security issues, so you might not receive the fastest charging speeds. Even though they are not scalable, "juice jacking" attacks that weaponize charging stations are common; however, Android 15's Lockdown mode now includes defences against such types of attacks. 

Google is still working on Android 15, which is now in beta testing. The most recent development, spotted by apex tech sleuth Mishaal Rahman (via Android Authority), suggests that the operating system update will have built-in protections against fraudulent individuals who attempt to use juice-jacking devices. These attacks have the ability to install malicious apps, run commands, transmit malicious payloads to your device, and maliciously control how the USB connection handles data.

However, Rahman claims there is no reason to be concerned about juice jackers because Android currently prevents you from enabling USB Debugging before you unlock your smartphone. Access to files on the device is similarly restricted until you change the USB connection mode to explicitly allow file transfers. These safety nets work together to prevent attempts to execute ADB commands or tamper with your device's files. Lockdown mode, on the other hand, takes safety to the next level, and it just gets better with Android 15.

Put things on lockdown

Lockdown mode, which was introduced as a safety feature alongside Android 9 in 2018, was made available as a default in the power menu on Pixel phones with Android 12. Other device manufacturers are free to place the option elsewhere, but once selected, it disables all notifications and requires your original PIN, password, or pattern to restore device functionality.

After testing with a Pixel 6 Pro running Android 15 and another device running Android 14, Rahman confirmed that the most recent firmware prevents USB data access. Any current connections to the ADB terminal or linked input devices are likewise terminated when Lockdown mode is enabled. It should work as soon as eligible Pixel phones receive the Android 15 upgrade, but other OEMs must update their devices' USB HAL to include the necessary APIs for this implementation to function. 

In any case, the Android 15 upgrade includes additional safeguards against juice jacking, even if you were already adequately protected on older versions. However, it's worth noting that taking precautions like avoiding unfamiliar chargers at airports and malls is the greatest and most effective defense.
Read more »
Threat Landscape
cyber threat iPhone Malware Mobile Security Spyware Threat Landscape

Is Your iPhone at Risk? Understanding iPhone Spyware Issue

 

Surprisingly, one iOS user has successfully identified Apple's iPhone Spyware Problem. Unfortunately, iPhone spyware attacks have extended to 92 nations. And it can be one of the most scary threats in the realm of technology. 

The blog post below will explore how these Spyware Attacks are potentially growing. We will share some interesting and easy-to-do strategies to ensure your privacy. 

Alarming rise 

Almost three weeks ago, Apple sent out a notification to all iOS users in 90+ countries. The alert message included a warning about iPhone spyware attacks. However, it quickly got viral, and users were incredibly wary and concerned regarding their privacy.

Apple, on the other hand, explicitly said that "the increasing use of spyware against iPhone users across the world". The company has not provided any further updates on cyberattacks, and the situation remains unclear.

Pegasus issue

Why has Apple's iPhone spyware problem become so serious? Don't mistake them as typical spying or malware. However, these assaults disrupt the weaknesses of the deployed apps. And their major goal is to gain access to your WhatsApp and iMessage. They usually install silently on your iPhone.

You will not be required to perform any actions, thus the hacker has complete control of your device. Surprisingly, the Israeli Pegasus was designed similarly and is extensively used for such spyware attacks. 

It gives you control over your microphone, camera, location, text, media, and other features. Furthermore, the Israeli Pegasus was frequently employed against journalists and political associates for a long time. 

How to detect spyware 

Detecting Apple iPhone Spyware Attacks can be difficult, but it is not impossible. No doubt, these are highly developed to be cleverly disguised in your gadgets, but here are some key signs: 

Constant battery drain; Slow or odd performance; Suspicious installation; Increased data use. 

Steps to ensure your privacy 
  • Make sure your device is running the most recent iOS version. It applies all of the security fixes and can definitely serve as a shelf for you. 
  • Using strong passwords and multi-factor authentication can help add an extra degree of security to your applications and accounts.,
  • Try to avoid any dubious messages or links. Avoid downloading attachments or documents shared by strangers.
Read more »
Tech Giant
Application Vulnerability Mobile Security Phone Alarm Social Media Tech Giant

Apple Working to Patch Alarming iPhone Issue

 

Apple claims to be working rapidly to resolve an issue that resulted in some iPhone alarms not setting off, allowing its sleeping users to have an unexpected lie-in. 

Many people rely on their phones as alarm clocks, and some oversleepers took to social media to gripe. A Tiktokker expressed dissatisfaction at setting "like five alarms" that failed to go off. 

Apple has stated that it is aware of the issue at hand, but has yet to explain what it believes is causing it or how users may avoid a late start. 

It's also unknown how many people are affected or if the issue is limited to specific iPhone models. The news was first made public by the early risers on NBC's Today Show, which sparked concerns. 

In the absence of an official solution, those who are losing sleep over the issue can try a few simple fixes. One is to prevent human error; therefore, double-check the phone's alarm settings and make sure the volume is turned up. 

Others pointed the finger at Apple designers, claiming that a flaw in the iPhones' "attention aware features" could be to blame.

When enabled, they allow an iPhone to detect whether a user is paying attention to their device and, if so, to automatically take action, such as lowering the volume of alerts, including alarms. 

According to Apple, they are compatible with the iPhone X and later, as well as the iPad Pro 11-inch and iPad Pro 12.9-inch. Some TikTok users speculated that if a slumbering user's face was oriented towards the screen of a bedside iPhone, depending on the phone's settings, the functionalities may be activated. 

Apple said it intends to resolve the issue quickly. But, until then, its time zone-spanning consumer base may need to dust off some old gear and replace TikTok with the more traditional - but trustworthy - tick-tock of an alarm clock.
Read more »
User Safety
Data Surveillance Data tracking Mobile Security User Privacy User Safety

An Unusual Tracking Feature Identified on Millions of iPhone Users

 

Millions of iPhone users across the globe discovered an interesting new setting that was automatically switched on in their iPhones. The latest software version included a new setting called "Discoverable by Others''. It can be located under 'Journalling Suggestions' in iPhone's privacy and security settings. Journalling Suggestions was included in the new Journal app, which was launched with iOS 17.2 in December 2023. 

When enabled, the feature accesses past data stored on the user's iPhone. Music, images, workouts, who they've called or texted, and significant locations are all included in the data. It is used to suggest what times to write about in the Journal app.

The feature is enabled by default and stays so even after a user deletes the Journal app. According to Joanna Stern, a senior personal technology correspondent for The Wall Street Journal, Apple has confirmed that customers' phones can use Bluetooth to locate nearby devices associated with their contact list. However, the phone does not save any information about the detected contacts. This feature offers context to enhance Journalling suggestions.

The firm has also denied disclosing users' identities and locations to anyone. To clarify their point, Apple provided an example of holding a dinner party at your home with pals listed in your contacts. According to the tech behemoth, the system may prioritise the event in Journalling Suggestions. This is because it recognises that the number of guests made it more than just another night at home with your family.

As per Apple's support page, if you disable the 'Discoverable by Others' option to avoid yourself from being counted among your contacts, the 'Prefer Suggestions with Others' feature will also be turned off. This implies that the Journalling Suggestions feature will be unable to determine the number of devices and contacts in your vicinity.
Read more »
Subscribe to: Posts (Atom)