May 14, 2019

CVE-2019-3568 is the code referring to a buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

What? Let’s leave the details to technology savvies.

What you need to know is that vulnerability in the WhatsApp application has allowed cyber-attackers to inject surveillance software on to both iPhones and Android phones by merely ringing up targets using the app’s phone call function. The spyware could be transmitted even if users did not answer their phones, and the calls disappeared from call logs after that.

WhatsApp team has fixed this vulnerability a few days back, and it encourages WhatsApp users to install its recent patched version. Though now a security-focused app, WhatsApp and many popular commercial apps were not built from ground-up with security in mind, thus unknowingly allowing exploits in their backend.

This extremely severe security hole is just another manifestation of the 0-day game, in which attackers usually prevail.

Bottom line: you cannot trust commercial mobile apps that were not built as safe apps from the beginning. It means that commercial mobile environment, as you know it, cannot be regarded as private and protected. You should not conduct secretive lives, both personal and professional, via common mobile devices.

May 14, 2019

Google recently released its May security update for Android. These are great news for Google’s Pixel device holders that immediately benefit from the update. However, for the bulk of Android users who own smartphones made by other vendors, that security update could be deployed anytime between this month and several months later. Furthermore, Android devices running OSs older than version 7.x will not get any of these updates.

Google plans to improve things in the next version of Android, currently known as ‘Android Q’.

According to details released at the Google I/O 2019 developer conference and in an interview with The Verge, the company will adopt a different approach, updating a list of 14 OS modules over-the-air straight from the Play Store at Google’s direction, getting rid of the middleman.

Bottom line: even when Android Q is available, the majority of Android users will continue using a device that runs an unpatched operating system for many months, exposing exploits to cybercriminals.

May 14, 2019

One of Android device downsides is “bloatware”.  “Bloatware” are apps and services pre-loaded on smartphones and tablets by phone vendors, mobile carriers, and their partners along with the basic suite of Google apps and Android.

Researchers at the Universidad Carlos III de Madrid in Spain and Stony Brook University in the US analyzed crowdsourced data from 1,742 devices made by 214 vendors. Software shipping on Android devices totaled 424,584 firmware files, where only 9% of which corresponded to app APKs found on Google Play. That amounted to around 140,000 apps, built using 11,665 different third-party software libraries (TPLs), and 1,200 developers. This software does mostly social networking, advertising, and analytics, with activities ranging from gathering location data to the collection of phone call metadata, contacts and, valuable behavioral data.

Bottom-line: the searchers have found that pre-installed software exhibit potentially harmful behaviors and backdoored access to sensitive data that might be exploited maliciously by third parties.

December 15, 2018

You should remove these 22 applications:

Sparkle FlashLight; Snake Attack; Math Solver; ShapeSorter; Tak A Trip; Magnifeye; Join Up; Zombie Killer; Space Rocket; Neon Pong; Just Flashlight; Table Soccer; Cliff Diver; Box Stack; Jelly Slice; AK Blackjack; Color Tiles; Animal Match; Roulette Mania; HexaFall; HexaBlocks; PairZap.

​

The reasoning for removing them is that you simply do not want to use apps that drain your device’s battery, generate data traffic you might be charged for, and exhaust device by constantly clicking on ads. These behaviors occur because the apps perform an advertising click fraud by maliciously bombarding websites with bogus traffic to earn advertising revenue.

Uncovered by SophosLabs and named Andr/Clickr-ad by researchers, the malicious apps were downloaded a total of two million times with Sparkle Flashlight accounting for half of this. Clickr-ad is a uniquely sophisticated attempt to pass off much of the traffic the apps generate as coming from a range of Apple models as advertisers tend to pay more for traffic that comes from Apple devices than from Android ones.

To battle these apps you should fully uninstall them as they can restart themselves after three minutes if you just force-closing them.

This is evidence that the Google Play store does not guarantee safe apps.

Safe apps can only reside in an internal malware- free app store that limits the presence of non-crucial apps and tightly manages app upgrades.  

December 15, 2018

According to app analytics firm Kochava, Android apps developed by Cheetah Mobile and Kika Tech have been allegedly accused of falsely claiming the credits for driving the installation of new apps in order to claim a fee or bounty. 8 apps with a total 2 billion downloads on Google Play Store have allegedly been caught up in an Android ad fraud scheme.

Mobile application developers generate revenue by driving the installation of other apps inside their apps for a fee. The credit is determined via a "lookback" mechanism immediately after the newly installed app is opened for the first time to see from where the last click was originated.

Kochava claims that Cheetah Mobile and Kika Tech apps have misused user permissions to track downloads and hijack app-install bounties for apps installed from other referrals.

Given the magnitude of their apps presence, it is assumed that this Android ad fraud scheme has stolen millions of dollars from advertisers. 

What to do?

You are recommended to uninstall the listed apps. This will stop an allegedly fraudulent activity and help innocent app developers get their justified fee.

December 15, 2018

Researchers at the University of Oxford have analyzed nearly one million Android apps downloaded from the US and UK Google Play Stores and found an alarming number of third-party trackers.

Most third-party trackers were embedded in apps under the ‘Family’ and the ‘News’ categories. Trackers medians by category range between 7 trackers to just more than 10.

Apps used by children also embed high numbers of trackers of any app category, despite recent regulations.

This means that users, and especially children, are being closely watched by penetrating eyes derived by business interests.

What to do?

Not much to do. However, be aware that chances are that what you’re doing is being watched. This will probably be translated into advertising related parameters and will surface sometime in the future. Remember, nothing is free.

October 03, 2018

Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts.

The complicated 37-step iPhone passcode bypass process is described in Rodriguez YouTube channel. By the video demonstration, the attacker must have physical access to the targeted iPhone that has Siri enabled and Face ID either disabled or physically covered.

An iPhone holder can prevent attackers from abusing the feature by disabling Siri from the lock screen:
Settings >>> Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) >>> Disable Siri toggle under "Allow access when locked."

Yet, it is evident that commercial mobile phones fail to provide complete protection against cyber-attacks. Their exposure as a known widespread device and operating system eases hackers’ attempts to breach them and execute on known vulnerabilities.

Security-minded organizations should pursue robust security and privacy on mobile devices for the protection of confidential information. This requires multiple, best-of-breed solutions combining specialized hardware and software.

September 11, 2018

“Adware Doctor," the No. 1 adware removal paid utility on Mac App Store caught spying on Mac users. Ex-NSA staffer Patrick Wardle has examined the app and published a blog post, saying that the app collects users' browser histories and then transfers it to a server in China.

According to Wardle, Adware Doctor bypasses Apple Mac App Store sandbox restrictions and collects sensitive users' data—primarily any website visited or searched for—from all the popular web browsers including Chrome, Firefox, and Safari, and then sends that data to Chinese server at http://yelabapp.com/ run by the app's makers.
Apple removed Adware Doctor from the Mac App Store only after about 4 weeks from Wardle initial warning. Users who have downloaded Adware Doctor are strongly advised to remove the app from their systems.

Yet, this is clear evidence that commercial app stores are not totally protected against cyber threats. Truly protected apps are required to reside in a walled garden app store after profound security inspection followed by app risk score and verification that they are not transferring any data to suspicious external sources.

August 25, 2018

Bitdefender labs security researchers found a new Android malware framework called Triout. Triout enables cybercriminals to repackage legitimate versions of Android apps and gain powerful surveillance capabilities while keeping their original appearance, feel and functionality. Spying abilities on infected devices include recording phone calls, monitoring text messages, secretly stealing photos and videos, collecting location data and sending it back to an attacker-controlled command and control (C&C) server —all without users' knowledge.

The researchers believe the malicious app was delivered to victims either by third-party app stores or by other attacker-controlled domains likely used to host the malware.

Malicious apps continue to be a salient attack vector for stealing data. Controlling apps installation is a necessity to ensure risk-free mobile devices. It requires a two-tier defense: secure apps and safe installation source. IntactPhone allows installing apps only from an internally monitored app store with no access to Android Play store or any third-party app store. In addition, all apps are inspected by security experts and given a security level score. System administrators can define the preferred security level for their organization. IntactPhone eliminates apps as an attack vector and the damages that follow it.  

August 18, 2018

An “exclusive” from the Associated Press (AP) describes how researchers at Princeton University have confirmed Google’s ability to record an Android or iPhone’s user location history even when they’ve turned it off. Once deactivated, Google no longer stores a timeline and a precise record of a user’s movements when they take their device with them. But according to AP’s research, turning off Location History doesn’t stop certain Google apps from storing a timestamped location when you open them. In Google’s view, this is fine because it does inform users that apps can track their location. Evidently, when you are using Google services, you renounce your privacy as Google tracks your experience in general, and when it comes to your location in particular. Following this logic, if you wish to maintain your privacy, you should renounce Google.

IntactPhone makes it possible for you. All Google services are replaced in IntactPhone: Google app store is replaced with an internal secure app store and Google push notifications are replaced with proprietary push notifications. IntactPhone provides you with complete privacy and hardly limits its usefulness as a smartphone.

August 14, 2018

Security researchers at Check Point Software Technologies have discovered a new "man-in-the-disk" (MitD) attack vector that involves interception and manipulation of data being exchanged between external storage and an application in the Android operating system. If a legitimate app update is replaced with a malicious app, it could potentially allow attackers to silently infect smartphones with malicious apps or launch denial of service attacks.

This vulnerability stresses the need for a fully controlled app installation mechanism in highly secure phones. IntactPhone only allows app installation from a monitored proprietary app store. This store contains apps that were carefully examined by security experts and given security score. External app store like Google Play cannot be accessed and users are forced to use only the internal store for upgrades, eliminating the MiTD vulnerability of installing malicious apps.

August 11, 2018

Security researchers from Kryptowire, a security firm, found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T. Though Google makes tremendous efforts to reduce Android risks by enforcing security patches and sanitizing its Google Play, security-minded organizations cannot rely on commercial-of-the-shelf phones.

Secretive organizations need to deploy trusted devices - both hardware and software wise. Risk-free phones should come with a wall-garden application environment. It should run on a custom security-rich operating system that enables enhanced central command and control to eliminate careless use.  

August 08, 2018

Israeli security firm Check Point has found a loophole in WhatsApp's security protocols allowing malicious users to create and spread misinformation or fake news from allegedly trusted sources.

The vulnerabilities could allow hackers to misuse the 'quote' feature in a WhatsApp group conversation to change the identity of the sender, or alter the content of someone else's reply to a group chat, or send private messages to one of the group participants disguised as a group message for all.

The flaws reside in the way WhatsApp mobile application connects with the WhatsApp Web and decrypts end-to-end encrypted messages.

Often organizations regard WhatsApp as a safe communication channel given its encrypted communications. However, security-minded organizations should avoid using mass commercial collaboration apps for their secretive data exchange. They need to communicate via a dedicated highly encrypted app built from the ground up just for this task.

August 08, 2018

Epic Games, the maker of the 125m players game Fortnite is moving away from the Google Play store to increase revenues and better control customer relationships. It means that game downloads will occur outside of Google Play. Though it is not completely malware-free, Google Play is still the best source for low-risk app installations. One of the ground rules in applications management is to stick with safe sources. This is the very reason that IntactPhone comes with its own risk-controlled app store. Any other practice will jeopardize the reliability of on-device applications, exposing device holders to unknown vulnerabilities.

Make the right call.

August 04, 2018

Researchers at Talos threat intelligence unit discovered Indian cyber attackers abusing mobile device management (MDM) service to distribute malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, to spy on targeted iPhone users.

A newly-identified server was also found to distribute modified versions of Safari browser and IMO video chatting app designed to target users running Microsoft Windows operating systems.

August 01, 2018

California authorities say a 20-year-old college student hijacked more than 40 phone numbers and stole $5 million, including some from cryptocurrency investors at a blockchain conference Consensus.

July 31, 2018

A team of Graz University engineers has found a new Spectre CPU weakness that shows how attackers could steal data remotely without having to sneak malware onto the target system.

Though the process is very slow, small pieces of data achieved this way might be vulnerable.

WikiLeaks’ release of 8,761 pages of internal CIA documents indicates that the agency has built a monstrous stockpile of cross-platform cyber-weapons that make hacking and mass surveillance possible through connected devices and household gadgets. It allows the governmental agency to spy on anyone without a warrant.

Researchers at Norwegian app security firm Promon demonstrated how easy it appears to be to steal a Tesla using simple, known mobile vulnerabilities.

A fake email app is capable of stealing login credentials from 15 different mobile banking apps of German banks.

The iPhone 911 Bug can auto-dial numbers and locks the user out so that they cannot cancel the call. It is possible for a malicious party to use the vulnerability to tie up phone lines in a distributed denial-of-service (DDoS) attack.

Over 700 Million Android smartphones contain a secret 'backdoor' that surreptitiously sends all users’  text messages, call log, contact list, location history, and app data to China every 72 hours.

A faked malicious Flash Player Android app drives device holders to grant it device administrator rights via a fake Google Play service. The phishing routine is run by overlaying a screen with the fake forms and stolen graphics over the legitimate app. Once the device holder opens one of 94 different mobile banking apps or a number of other popular social networking or messaging apps, it asks for payment card details and online banking credentials.

Ahmed Mansoor, an internationally recognized human rights defender, received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link.

The text messages were a trap of unprecedented complexity. That single link would have leveraged three separate and highly serious exploits in iOS — executing arbitrary code through WebKit, gaining access to the kernel, and then executing code with elevated (root) privileges. The result would have been a one-step jailbreak with malicious code injected under the hood — granting complete access to all the phone’s data and communications.

There’s been a 200 percent increase in mobile ransomware detection in Q2, according to Quick Heal. This amounts to nearly 50 percent of the ransomware detected in all four quarters of 2015 combined.

HummingBad is a malware Check Point discovered in February 2016 that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.

Check Point indicates: “The first infection method the Check Point research team saw was a drive-by download attack, and the Check Point ThreatCloud indicates some adult content sites served malicious payloads too…”

Newer variants of the Android.Fakebank.B family arrived with call-barring functionality. The feature aims to stop customers of Russian and South Korean banks from cancelling payment cards that the malware stole.

Google removed one of its Top 20 most popular Android apps from the Play Store after an investigation from Pentest, a UK-based cyber-security firm who discovered that the application violated the Mountain View-based giant's policies by showing deceptive behavior. Pentest found it exaggerated that the app would require access to a phone's Bluetooth connection, geo-location feature, or Wi-Fi status.