Showing posts with label Mobile Security Threats.

Threat Actors Leverage Hugging Face to Spread Android Malware at Scale


 

What first looks like a routine mobile security warning is the entry point to a carefully engineered malware distribution pipeline. Researchers at Bitdefender have identified an Android campaign in which a counterfeit security application, TrustBastion, serves as the first-stage dropper for a remote access Trojan. 

Rather than relying on traditional malware hosting infrastructure, the operators built their delivery mechanism on Hugging Face's public platform, using its reputation and traffic profile to conceal the malicious activity. 

Social engineering drives the infection chain: deceptive ads and fabricated threat alerts lead users to install the app. Once installed, the app silently retrieves a secondary payload from Hugging Face and establishes persistence through extensive permission abuse. 

The campaign is distinguished by a high degree of automation, producing thousands of distinct Android package variants that evade signature-based detection and complicate attribution, a shift toward an industrialized approach to mobile malware. 

Starting from this initial foothold, the campaign illustrates how trusted developer infrastructure can be repurposed for large-scale theft of mobile credentials: the threat actors used Hugging Face to distribute thousands of distinct Android application packages designed to harvest credentials for widely used financial, banking, and digital payment services.

Hugging Face is generally regarded as a low-risk domain because it hosts and distributes artificial intelligence, natural language processing, and machine learning models, so traffic to it is less likely to trigger automated security controls or user suspicion.

Although the platform has previously been abused to host malicious AI artifacts, Bitdefender researchers note that its use as a delivery channel for Android malware is a deliberate attempt to disguise the payload as legitimate development traffic. The infection sequence begins with the installation of an application posing as a mobile security solution, TrustBastion. 

Promoted through scareware-style advertisements, the app presents fake warnings claiming the device has been compromised and urges immediate installation to resolve alleged threats such as phishing attempts, fraudulent text messages, and malware. 

Once launched, the application displays a mandatory update prompt that closely mimics Google Play's, reinforcing the illusion of legitimacy. Instead of embedding malicious code directly, the dropper contacts infrastructure associated with the trustbastion[.]com domain, which redirects to a Hugging Face dataset repository. 

The final malicious APK is then retrieved from Hugging Face's content delivery network. This staged payload delivery complicates detection and lets the attackers rotate malware variants continuously with minimal operational overhead, which is why Hugging Face was deliberately built into the delivery chain. 

Security controls commonly flag traffic to newly registered or low-reputation domains quickly, so threat actors route malicious activity through well-established platforms that blend into normal network behavior.

In this campaign, the TrustBastion dropper does not retrieve the spyware directly from attacker-controlled infrastructure. Instead, it requests a page from a site associated with the trustbastion[.]com domain, which serves as an intermediary rather than as the hosting point.

That server does not immediately deliver a malicious application package. It returns an HTML resource containing a redirect link to a Hugging Face repository where the actual malware is hosted. Separating the initial contact point from the final malware host adds a layer of indirection that makes static analysis and takedown efforts harder. 
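As an added example (not Bitdefender's code), the following parses the kind of HTML intermediary page described in the two paragraphs above and flags redirect targets that would fetch an APK from a developer platform. The landing URL, repository and file names are hypothetical and the page is constructed; the platform list extends beyond Hugging Face to other developer hosts as a generalization of the same pattern.

```python
"""Flag a staged APK delivery: a low-reputation landing page that forwards the
browser to an APK hosted on a developer platform.
Added example, not Bitdefender's code; URLs, repository and file names are
hypothetical and the HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Developer platforms whose reputation attackers borrow. Hugging Face is the
# case in the article; the others are a generalization.
DEV_PLATFORM_HOSTS = ("huggingface.co", "hf.co", "github.com", "githubusercontent.com")


class _RedirectFinder(HTMLParser):
    """Collect every place a page can send the browser next:
    <meta http-equiv=refresh>, <a href>, and location assignments in scripts."""
    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1).strip())
        elif tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.targets.append(m.group(1))


def extract_redirects(html_text, base_url):
    """Absolute, de-duplicated redirect targets in document order."""
    p = _RedirectFinder()
    p.feed(html_text)
    p.close()
    return list(dict.fromkeys(urljoin(base_url, t) for t in p.targets))


def classify_target(url):
    u = urlparse(url)
    host = (u.hostname or "").lower()
    on_dev_platform = any(host == h or host.endswith("." + h) for h in DEV_PLATFORM_HOSTS)
    is_apk = u.path.lower().endswith(".apk")
    if on_dev_platform and is_apk:
        return "APK_ON_DEV_PLATFORM"   # the pattern described in the article
    if is_apk:
        return "APK_DOWNLOAD"
    if on_dev_platform:
        return "DEV_PLATFORM"
    return "OTHER"


def flag_staged_apk_delivery(landing_url, html_text):
    """Redirect targets that would pull an APK off a developer platform's CDN."""
    return [t for t in extract_redirects(html_text, landing_url)
            if classify_target(t) == "APK_ON_DEV_PLATFORM"]


# Constructed intermediary page: a fake "update required" notice that forwards
# to the same dataset file twice (meta refresh, then a script fallback).
LANDING_URL = "https://update.example.net/check"
HF_APK = "https://huggingface.co/datasets/example-user/example-ds/resolve/main/update.apk"
SAMPLE_HTML = f"""<html><head>
<meta http-equiv="refresh" content="0; url={HF_APK}">
</head><body>
<p>Your device requires a security update.</p>
<a href="/help">Help</a>
<script>setTimeout(function() {{ window.location.href = "{HF_APK}"; }}, 3000);</script>
</body></html>"""

if __name__ == "__main__":
    for t in extract_redirects(SAMPLE_HTML, LANDING_URL):
        print(classify_target(t), t)
```

In a proxy or sandbox pipeline the interesting signal is the combination: a first-contact domain that itself serves no payload, and a redirect that lands on a platform your allow-lists trust. Blocking the platform is rarely an option, so the rule keys on "APK served from a dataset or release path" rather than on the host alone.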

According to Bitdefender, Hugging Face removed the malicious datasets after being notified, before the findings were published. Despite the swift response, telemetry indicates the campaign had already reached a significant number of victims before the infrastructure was dismantled. Analysis of the repositories also revealed unusually high activity over a short period of time. 

A single repository accumulated over 6,000 commits within a month, indicating a fully automated pipeline; according to Bitdefender, a new payload was generated and committed approximately every 15 minutes. Several repositories were taken offline during the campaign, but it proved resilient, reappearing under alternative redirect links with the same core codebase and only cosmetic changes to icons and application metadata. 

The operators further undermined traditional defenses by using polymorphic techniques across the payloads. Each uploaded APK was freshly built, retaining identical malicious capabilities while introducing small structural changes intended to defeat hash-based detection. 

Bitdefender noted that while this approach increased evasion against signature-driven tools, the variants kept consistent behavioral patterns, permission requests, and network communication traits, which leaves them susceptible to behavioral and heuristic analysis. 
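To show what "consistent permission requests" buys a defender, here is an added example (not Bitdefender's code) that fingerprints decoded AndroidManifest.xml files on their capability surface instead of their file hash. The two manifests are constructed: the same capability set with a rebuilt package name, label, icon and class name, which is the kind of cosmetic rotation described above. Package names, labels and class names are hypothetical, and the specific high-risk permission set is an assumption modelled on the behaviour the article describes (accessibility service, overlays, second-stage installation, screen capture).

```python
"""Cluster polymorphic Android droppers on behaviour, not file hash.
Added example, not Bitdefender's code. Manifests, package names, labels and
class names are constructed/hypothetical."""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capabilities that, combined, are typical of a credential-stealing RAT
# (assumed set, modelled on the behaviour described in the article).
HIGH_RISK = {
    ACCESSIBILITY,                                             # read screen / inject input
    "android.permission.SYSTEM_ALERT_WINDOW",                  # overlays on top of banking apps
    "android.permission.REQUEST_INSTALL_PACKAGES",             # dropper installs stage two
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",  # screen capture
}

# Constructed, decoded AndroidManifest.xml for "variant A".
VARIANT_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.phonesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Phone Security" android:icon="@mipmap/shield_blue">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# "Variant B": the same build with cosmetic changes only, which is what a
# pipeline rotating icons and metadata every few minutes produces.
VARIANT_B = (VARIANT_A
             .replace("com.example.phonesecurity", "com.example.deviceguard")
             .replace("Phone Security", "Device Guard")
             .replace("shield_blue", "shield_green")
             .replace("A11yService", "Svc9f2c"))

# A benign app for contrast.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""


def parse_manifest(xml_text):
    """Extract the capability-relevant parts of a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is declared on <service android:permission=...>,
    # not as a <uses-permission>, so it has to be looked for separately.
    a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
               for s in root.iter("service"))
    app = root.find("application")
    caps = frozenset(p for p in perms if p) | ({ACCESSIBILITY} if a11y else frozenset())
    return {
        "package": root.get("package"),
        "label": app.get(ANDROID_NS + "label") if app is not None else None,
        "capabilities": caps,
    }


def file_hash(artifact_bytes):
    """What signature-based tools key on; changes with every rebuild.
    Here the manifest text stands in for the APK bytes."""
    return hashlib.sha256(artifact_bytes).hexdigest()


def behavioral_fingerprint(info):
    """Hash over the sorted capability set only; stable across cosmetic rebuilds."""
    return hashlib.sha256("\n".join(sorted(info["capabilities"])).encode()).hexdigest()[:16]


def risk_score(info):
    """Number of high-risk capabilities present; three or more deserves a look."""
    return len(info["capabilities"] & HIGH_RISK)


def same_family(manifest_1, manifest_2):
    return (behavioral_fingerprint(parse_manifest(manifest_1))
            == behavioral_fingerprint(parse_manifest(manifest_2)))


if __name__ == "__main__":
    for name, m in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        info = parse_manifest(m)
        print(name, info["package"], file_hash(m.encode())[:12],
              behavioral_fingerprint(info), "risk", risk_score(info))
```

The two variants hash differently but fingerprint identically, so a detection keyed on the fingerprint survives the 15-minute rebuild cycle where a hash-based indicator does not. In practice the manifest comes from decoding the binary AXML inside the APK (for example with apktool or androguard); the parsing above assumes that step has already been done.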

After installation, the malware presents itself as a benign "Phone Security" feature and walks users through enabling Android Accessibility Services. That step gives the remote access Trojan broad visibility into user activity and on-screen content. It then requests further permissions in order to monitor activity in real time, capture sensitive screen content, and relay the information to its command-and-control servers. 

The malware also impersonates legitimate financial and payment applications such as Alipay and WeChat. By intercepting credentials and collecting lock-screen verification information, it becomes a full-spectrum credential-theft and mobile surveillance tool. 

From a defensive perspective, the campaign is a reminder that trust in popular platforms can be strategically exploited when security assumptions go unchallenged. Combining abuse of legitimate developer infrastructure with heavy automation and polymorphic payload generation means traditional indicators alone cannot detect attacks of this type. 

For defenders, the findings reinforce the importance of catching such threats earlier in the infection chain through behavioral analysis, permission monitoring, and anomaly-based network inspection. Users are advised to be cautious with unsolicited security alerts and with applications that request extensive system privileges.

The operation also highlights mobile malware actors' growing adoption of cloud-native distribution models, underscoring the need for platform providers, security vendors, and enterprises to collaborate more closely in monitoring abuse patterns and responding quickly to misuse of trusted ecosystems.

TRAI Approves Caller Name Display Feature to Curb Spam and Fraud Calls

 

The Telecom Regulatory Authority of India (TRAI) has officially approved a long-awaited proposal from the Department of Telecommunications (DoT) to introduce a feature that will display the caller’s name by default on the receiver’s phone screen. Known as the Calling Name Presentation (CNAP) feature, this move is aimed at improving transparency in phone communications, curbing the growing menace of spam calls, and preventing fraudulent phone-based scams across the country. 

Until now, smartphone users in India have relied heavily on third-party applications such as Truecaller and Bharat Caller ID for identifying incoming calls. However, these apps often depend on user-generated databases and unverified information, which may not always be accurate. TRAI’s newly approved system will rely entirely on verified details gathered during the SIM registration process, ensuring that the name displayed is authentic and directly linked to the caller’s government-verified identity. 

According to the telecom regulator, the CNAP feature will be automatically activated for all subscribers across India, though users will retain the option to opt out by contacting their telecom service provider. TRAI explained that the feature will function as a supplementary service integrated with basic telecom offerings rather than as a standalone service. Every telecom operator will be required to maintain a Calling Name (CNAM) database, which will map subscribers’ verified names to their registered mobile numbers. 

When a call is placed, the receiving network looks up the caller's verified name in this CNAM database via the Local Number Portability Database (LNPD) in real time. The name then appears on the recipient's screen, letting users make an informed decision about whether to answer. The mechanism replicates the caller ID functionality offered by third-party apps, but with government-mandated accuracy and accountability. 

Before final approval, the DoT conducted pilot tests of the CNAP system across select cities using 4G and 5G networks. The trials revealed several implementation challenges, including software compatibility issues and the need for network system upgrades. As a result, the initial testing was primarily focused on packet-switched networks, which are more commonly used for mobile data transmission than circuit-switched voice networks.  

Industry analysts believe the introduction of CNAP could significantly enhance consumer trust and reshape how users interact with phone calls. By reducing reliance on unregulated third-party applications, the feature could also help improve data privacy and limit exposure to malicious data harvesting. Additionally, verified caller identification is expected to reduce incidents of spam calls, phishing attempts, and impersonation scams that have increasingly plagued Indian users in recent years.  

While TRAI has not announced an official rollout date, telecom operators have reportedly begun upgrading their systems and databases to accommodate the CNAP infrastructure. The rollout is expected to be gradual, starting with major telecom circles before expanding nationwide in the coming months. Once implemented, CNAP could become a major step forward in digital trust and consumer protection within India’s rapidly growing telecommunications ecosystem. 

By linking phone communication with verified identities, TRAI’s caller name display feature represents a significant shift toward a safer and more transparent mobile experience. It underscores the regulator’s ongoing efforts to safeguard users against fraudulent activities while promoting accountability within India’s telecom sector.

Change These Settings to Prevent Your Android From Tracking You

 


In today's connected world you are being watched at every turn. Apps and websites track and collect your data for a wide range of personal and commercial purposes: Apple uses your data to process transactions, Twitter uses it to serve relevant advertisements, and Life360 uses your location information to improve its location services.

Some of these uses are legitimate and even useful, but not all of them are, so it is wise to protect your privacy as much as you can. 

The steps below show how to stop your Android device from tracking you: deleting your web and app activity history, turning off apps' location access, and disabling unnecessary location settings. 

Turn off your Location History 

GPS is probably the most powerful way your Android phone tracks where you are. When you are signed in to your Google account with Location History enabled, Google keeps a record of every place you visit. That has benefits, such as personalized maps, traffic reports, and the ability to find a lost phone, and these can enhance your experience in many ways. 

If, on the other hand, you do not want Google following you everywhere, you can turn Location History off: 

  • Open the Settings app on your device.
  • Tap Google.
  • Tap "Manage your Google Account."
  • Open the "Data & privacy" tab.
  • Under "History settings," select Location History. 
  • Tap "Turn off." 
  • In the dialog that appears, tap "Pause". 
You can also delete the Location History Google already holds, either all of it or, via auto-delete, anything older than 3, 18, or 36 months. 

To set up Google to automatically delete your Location History: 

  • Open Google Maps. 
  • Tap your profile icon. 
  • Select "Your Timeline." 
  • In the top-right corner, tap the More icon (three vertical dots). 
  • Select "Settings and privacy" from the menu.
  • Under "Location settings," choose "Automatically delete Location History." 
  • Select "Auto-delete activity older than." 
  • From the drop-down menu, choose 3, 18, or 36 months. 
  • Tap Next. 
  • Tap Confirm. 
  • Tap "Got it" to exit. 

Data older than the period you chose will be deleted from your account within the next few days. 

Turn off Web & App Activity 

Location History is not the only setting that records where you have been. Web & App Activity stores that and much more: when it is enabled on your Google Account (via Google), Google saves the information you enter, your location, your IP address, the ads you clicked, and even the things you have purchased. To turn this setting off: 
  • Launch the Settings app. 
  • Scroll down and tap Google. 
  • Select "Manage your Google Account." 
  • Open the "Data & privacy" tab. 
  • Under "History settings," select "Web & App Activity." 
  • Tap "Turn off" to disable Web & App Activity. 
  • Tap Pause.
  • Tap "Got it" to exit. 
  • Back on the "Web & App Activity" page, tap "Choose an auto-delete option" to automatically delete saved data. 
  • Select "Auto-delete activity older than."
  • From the drop-down menu, choose whether to delete saved data older than 3, 18, or 36 months.
  • Tap Next. 
  • Tap Confirm. 
  • Tap "Got it" to exit. 

Update your location settings 


Besides stopping Google from saving your location, you should also review the location settings on the phone itself. The settings you can turn off include the following:

Location: the master switch that controls whether any app or service can use the device's location.

Wi-Fi and Bluetooth scanning: the phone scans for nearby Wi-Fi networks and Bluetooth devices so it can refine its location estimate from their known positions.

Emergency Location Service: lets emergency responders pinpoint your location when you call or text an emergency number.

Google Location Accuracy: improves the phone's location fix using its sensors, Wi-Fi, and the mobile network.

To manage these settings (via Google): 

  • Launch the Settings app. 
  • Select Location. 
  • Toggle the slider off for "Use location" on top of the screen. 
  • Select "Wi-Fi and Bluetooth sharing." 
  • Turn off the sliders for both "Wi-Fi scanning" and "Bluetooth scanning." 
  • Return to the Location screen by tapping the Back button.
  • Select Advanced.
  • Tap on Emergency Location Service. 
  • Toggle the slider off if you prefer to do so. 
  • Return to the Location screen. 
  • Tap on Google Location Accuracy. 
  • Toggle the slider off next to "Improve Location Accuracy." 

Edit your device's permissions 

Most apps, if not all, ask for location access so they can offer the best possible experience. Facebook, for example, uses your location to tag your posts, suggest nearby places, and show you relevant ads.

Under Settings > Location > App access to location (via Google) you can see which apps have access to your location and when. Apps fall into three groups: allowed all the time, allowed only while in use, and not allowed. To remove location access from an app listed under "Allowed all the time" or "Allowed only while in use," tap the app and select "Don't allow." 

On Android 12 and later, each location-enabled app also has a "Use precise location" toggle. With it on, the app receives your exact position; with it off, the app gets only an approximate location, somewhere within a radius of about three kilometres of the device. 

Check your Google Chrome settings 

While browsing, you will often come across websites that want to know where you are. Sometimes that is helpful: a hardware retailer's website, for example, can use it to show you the nearest store. 

You can check which websites currently have access to your location in Google Chrome (via Google):

  • Launch the app. 
  • Tap the More icon (three vertical dots) in the top-right corner of the screen. 
  • Select Settings. 
  • Scroll down to the "Advanced" section. 
  • Tap Site settings. 
  • Select Location. 
  • Expand the "Allowed" section to see all the sites that can see your location. 
To remove a site's location access, tap the site and select Block. You can also turn off location sharing in Chrome entirely, so that no site you visit can request your location. If you are particularly concerned about your data, consider switching to Tor Browser or Firefox as alternative Android browsers. 

Turn off ad personalization

Ads have become increasingly sophisticated. Research plaid skirts one day and the next you are bombarded with advertisements for plaid skirts; online ads can act as if they watch every move you make and know what you like. Here is how to turn off ad personalization on your Android device (via Google): 

  • Launch the Settings app. 
  • Tap Google.
  • Tap "Manage your Google Account." 
  • Open the "Data & privacy" tab. 
  • Under Ad settings, tap "Ad personalization." 
  • Toggle off the slider next to "Ad personalization is ON." 
  • Select "Turn off" in the pop-up box. 
  • Tap "Got it" to exit. 

Disabling ad personalization does not mean you will stop seeing ads. They will still be there, but they will be general ads rather than personalized ones built from your activity.

PROPHET SPIDER is Abusing Citrix ShareFile Remote Code Execution Bug to Deploy Webshell

 

Security researchers at CrowdStrike Intelligence have examined an incident in which PROPHET SPIDER abused a remote code execution (RCE) bug in Citrix ShareFile Storage Zones Controller to compromise a Microsoft Internet Information Services (IIS) web server. The threat actors exploited the flaw to install a web shell that enabled the download of additional tooling. 
 
In September last year, Citrix disclosed a relative path-traversal bug in ShareFile Storage Zones Controller, tracked as CVE-2021-22941. The vulnerability allows malicious actors to overwrite an existing file on the target server via the uploadid parameter of an HTTP request.  
 
On Jan. 10, 2022, CrowdStrike observed HTTP POST requests from PROPHET SPIDER against a Falcon platform customer. The exploitation requests shared three characteristics:  
 
  • They targeted upload.aspx. 
  • They contained encoded strings for ../ and ConfigService\Views\Shared\Error.cshtml in the URL parameters. 
  • They contained &bp=123&accountid=123 when the attacker had not customized the payload.  
 
The URI endpoint /upload.aspx is used for ShareFile uploads and usually comes with parameters to define upload object specifications, such as uploadid, cid or batched.   
 
Once the web shell is in place, it is reached by sending an HTTP GET request to /configservice/Home/Error with one or two URL parameters. ASP.NET routes these requests to Error.cshtml, a Razor view that normally contains a simple HTML header reading "Sorry, an error occurred while processing your request." The exploit replaces its contents with a C# code block that invokes Process.Start() with the command and arguments taken from the URL parameters of the request.  
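An added detection example (not CrowdStrike's code) run over constructed IIS W3C log lines that mirror the two stages described above: a request to upload.aspx whose uploadid carries encoded traversal sequences pointing at Error.cshtml, followed by a request to /configservice/Home/Error with URL parameters. The field subset, IP addresses and the web-shell parameter names in the sample are hypothetical.

```python
"""Detect CVE-2021-22941 exploitation and follow-on web-shell use in IIS W3C logs.
Added example, not CrowdStrike's code. The log lines are constructed; IPs,
the field subset and the web-shell parameter names are hypothetical."""
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C extended log excerpt (reduced field set).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-01-10 09:14:02 10.0.0.5 POST /upload.aspx uploadid=..%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 203.0.113.7 200
2022-01-10 09:14:31 10.0.0.5 GET /configservice/Home/Error x=cmd.exe&y=%2Fc+whoami 203.0.113.7 200
2022-01-10 09:20:11 10.0.0.5 POST /upload.aspx uploadid=7f3a9c1e&cid=4411&batched=1 198.51.100.4 200
2022-01-10 09:21:45 10.0.0.5 GET /configservice/Home/Error - 198.51.100.4 500
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")                       # ../ or ..\ after decoding
TARGET_VIEW = "configservice\\views\\shared\\error.cshtml"  # the file the exploit overwrites


def deep_unquote(value, rounds=3):
    """Undo repeated percent-encoding (double encoding is a common filter bypass)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis(log_text):
    """Turn W3C lines into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def detect(rows):
    """One alert per request matching either stage of the intrusion."""
    alerts = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        query = "" if r["cs-uri-query"] == "-" else r["cs-uri-query"]
        when = f'{r["date"]} {r["time"]}'
        if stem.endswith("/upload.aspx"):
            params = parse_qs(query, keep_blank_values=True)
            uploadid = deep_unquote("".join(params.get("uploadid", [])))
            if TRAVERSAL.search(uploadid) or TARGET_VIEW in uploadid.lower().replace("/", "\\"):
                alerts.append({"client": r["c-ip"], "time": when,
                               "stage": "traversal-write", "detail": f"uploadid={uploadid}"})
        elif stem == "/configservice/home/error" and query:
            # The stock Error.cshtml serves a static message and takes no input;
            # a parameterised request to it is how the planted shell is driven.
            alerts.append({"client": r["c-ip"], "time": when,
                           "stage": "webshell-command", "detail": deep_unquote(query)})
    return alerts


def suspicious_clients(alerts):
    """Clients seen in both stages: file overwrite followed by shell use."""
    stages = {}
    for a in alerts:
        stages.setdefault(a["client"], set()).add(a["stage"])
    return sorted(c for c, s in stages.items()
                  if {"traversal-write", "webshell-command"} <= s)


if __name__ == "__main__":
    found = detect(parse_iis(SAMPLE_LOG))
    for a in found:
        print(a["time"], a["client"], a["stage"], a["detail"])
    print("clients completing both stages:", suspicious_clients(found))
```

The second stage alone (parameters on the error page) can produce false positives from crawlers, so the useful correlation is a client that appears in both stages; a file-integrity check on Error.cshtml against the installed version confirms the overwrite.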
 
According to cybersecurity researchers, PROPHET SPIDER has been active since at least May 2017 and primarily targets victims by exploiting vulnerable web servers, commonly through a variety of publicly disclosed vulnerabilities. The CVE-2021-22941 exploitation shows PROPHET SPIDER expanding and refining its tradecraft while continuing to exploit known web-server vulnerabilities.  
 
Last month, BlackBerry's Research & Intelligence and Incident Response teams found evidence correlating Prophet Spider attacks with exploitation of the Log4j bug in VMware Horizon. The researchers observed mass deployments of cryptocurrency mining software and Cobalt Strike beacons, and also identified "an instance of exploitation containing tactics, techniques, and procedures relating to the Prophet Spider IAB."  
 
"When an access broker group takes interest in a vulnerability whose scope is so unknown, it's a good indication that attackers see significant value in its exploitation," Tony Lee, vice president of global services technical operations at BlackBerry explained. "It's likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it's an attack vector against which defenders need to exercise constant vigilance."

Russian expert gives tips on how to protect yourself from "eavesdropping" by your smartphone

A smartphone can "eavesdrop" on its owner, said information and computer security expert Sergei Vakulin. In an interview with Radio Sputnik, he explained who might want to record conversations and how to protect sensitive information.

Some smartphone applications may record our conversations when we do not expect them to. Moreover, we ourselves give them this opportunity by granting microphone access when we install the application, explained information and computer security expert Sergei Vakulin.

According to him, advertisers are primarily interested in obtaining such information.

"The app can spy on you to analyze your data and sell it. Not just to collect it, but to sell it. We often have the situation where you took a loan from one bank and immediately get a call from another bank offering another loan. Selling data is already a banal topic," the expert said in an interview with Radio Sputnik.

He clarified that once an app has been given access to the microphone, it can turn it on whenever it wants, not just during a phone call. Sergei Vakulin claims that the recording function can be turned on even on a locked device.

"If you've given the app permission to access the microphone, it will be able to 'listen' to you even when it's locked. If you have access, the app can turn on the microphone at any time it wants and collect information," the expert explained.

According to him, you can protect yourself from eavesdropping by limiting the number of applications with access to the microphone.

Also, for particularly important conversations you can buy a phone that cannot connect to modern communication networks.

"If you look closely at many officials and billionaires, both Russian and foreign, they walk around with push-button phones. A push-button phone will be very difficult to listen to, because there is no 3G, LTE and so on," explained Sergei Vakulin.

Beware of Android Apps While Giving Access to Your Mobile Data

 

Have you ever thought about privacy when you grant app makers access to your contact list, camera, microphone, location, or calls on your Android phone? Or do security and privacy no longer matter, especially in the virtual world? 

According to CyberNews, apps in the health and fitness, communications, and productivity categories request the highest number of dangerous permissions on average. 

The most common request, made by 99% of the top Android apps, is for full network access and permission to view network connections, which lets an app connect to the internet; 72% of apps also ask to view Wi-Fi connections.

Nearly 75% of apps ask to read external storage and to modify or delete it. 36% ask for camera permission, not only in categories where that makes sense, such as photography, parenting, and dating, but, surprisingly, also in gaming, astrology, and personalization. 

Can you guess what share of apps can record your conversations? The answer is 21%: of the top 1,020 Android apps, nearly 215 ask for microphone access, notably in the finance, lifestyle, and wallpaper categories. 

Nearly 80 of the 1,020 apps ask for permission to make direct calls; fortunately, most of them are in categories such as communication, business, and social media. More interesting is that apps in the gaming, photography, and wallpaper categories also request access to your contact list. Think twice before granting contact access to an app that has no need for such information.

“It goes without saying that apps from any category might ask for dangerous permissions. For example, you’d expect a communication app to ask for access to your phone book and Android accounts, while a navigation app wouldn’t raise any eyebrows by asking to track your location,” says Vincentas Baubonis, CyberNews security researcher who analyzed the data. 

Four basic steps to minimize the risk 

• Only grant permissions that make sense for what the app does. If you give an app access to your microphone, it may be listening, so be aware of what you are handing over. 

• Where possible, install an app with all permissions denied; you can still turn on the ones you want individually in Settings. 

• Download your apps from the Google Play Store, which screens for potentially dangerous apps. 

• Turn off the location settings you do not need, because a large amount of tracking comes from location data.
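The device-permission review in the Android tracking guide above ("Edit your device's permissions") and the permission statistics in this CyberNews post can both be reproduced from a computer instead of by tapping through Settings. This added example (not CyberNews', Google's or Android's code) parses output in the shape that `adb shell dumpsys package` prints and reports which installed apps actually hold dangerous runtime permissions, which hold background location, and what share of apps hold each capability. The dumpsys excerpt, package names and grants are constructed.

```python
"""Audit dangerous runtime permission grants from `adb shell dumpsys package` output.
Added example, not Google's or CyberNews' code; the dumpsys excerpt and package
names are constructed."""
import re
import sys

# Constructed excerpt in the shape `dumpsys package` prints (two packages).
SAMPLE_DUMPSYS = """Packages:
  Package [com.example.flashlight] (3f2a1b0):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
  Package [com.example.maps] (9c0d4e2):
    userId=10232
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1235 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
"""

# Dangerous-protection-level permissions the two articles discuss, mapped to
# the plain-English capability a user would recognise in Settings.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CALL_PHONE": "direct calls",
    "android.permission.READ_SMS": "SMS",
}

PKG_RE = re.compile(r"^\s*Package \[(\S+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_dumpsys(text):
    """Map each package to the runtime permissions the user has actually granted.
    Only the 'runtime permissions:' block counts; 'requested permissions:' is
    what the app asked for in its manifest, which is not the same thing."""
    grants, pkg, in_runtime = {}, None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, in_runtime = m.group(1), False
            grants[pkg] = set()
            continue
        if pkg is None:
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            in_runtime = stripped == "runtime permissions:"
            continue
        m = PERM_RE.match(line)
        if m and in_runtime and m.group(2) == "true":
            grants[pkg].add(m.group(1))
    return grants


def dangerous_grants(grants):
    """Per package, the sorted plain-English capabilities it currently holds."""
    return {pkg: sorted({DANGEROUS[p] for p in perms if p in DANGEROUS})
            for pkg, perms in grants.items()}


def background_location_apps(grants):
    """Apps that can track you while not on screen: the 'Allowed all the time' tier."""
    return sorted(p for p, perms in grants.items()
                  if "android.permission.ACCESS_BACKGROUND_LOCATION" in perms)


def permission_prevalence(grants):
    """Fraction of packages holding each capability (the CyberNews-style statistic)."""
    total = len(grants) or 1
    counts = {}
    for perms in grants.values():
        for cap in {DANGEROUS[p] for p in perms if p in DANGEROUS}:
            counts[cap] = counts.get(cap, 0) + 1
    return {cap: n / total for cap, n in counts.items()}


if __name__ == "__main__":
    # Real use: adb shell dumpsys package > dump.txt ; python3 audit.py < dump.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    grants = parse_dumpsys(text)
    for pkg, caps in dangerous_grants(grants).items():
        print(f"{pkg}: {', '.join(caps) or 'none'}")
    print("background location:", background_location_apps(grants))
    for cap, share in sorted(permission_prevalence(grants).items()):
        print(f"{share:.0%} of apps hold {cap}")
```

A flashlight app holding background location is exactly the kind of grant the "Don't allow" step in the guide above is meant to remove; the audit makes such mismatches between an app's purpose and its granted capabilities visible in one pass rather than one Settings screen at a time.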