Google Play Store Fails Vetting Again…

whatsapp-bubbles-664x374

In case you haven’t noticed, I like beating up on the Google Play Store just a bit. More fake apps were released onto the Play Store. Instead of stealing personal information through phony banking apps, attackers are now spamming users with ads through fake WhatsApp messenger lookalikes.

Continue reading

Advertisements

Smartwatches designed for children have become a target for hackers.

Smartwatches are becoming more and more popular to the general population. However did you know even young children are starting to wear smartwatches. In theory this sounds like not such a bad idea they give the parent a way to see where their young child is and communicate with them if need be. These watches also offer a way for the child to quickly call their parents in case of an emergency. This all sound good until you realize a hacker can get into the watch and do the same things.

The Norwegian Consumer Council tested some of these watches and found that some were transmitting the GPS data without encryption. This allows for hackers with basic tools to get into the watch and track the movements of the child wearing the watch, which is an incredibly dangerous problem. The hacker could also spoof the location and make it look like the child is in a completely different place. They also found that the hacker could communicate with the child and eavesdrop on the conversations the child is having with others on the watch. Thankfully many of the company’s who designed and produce the watches have recalled the watches and started to fix the problems and make them more secure.

-Levi Walker

Sources:

http://www.bbc.com/news/technology-41652742?intlink_from_url=http://www.bbc.com/news/topics/62d838bb-2471-432c-b4db-f134f98157c2/cybersecurity&link_location=live-reporting-story

 

Lenovo Patches Bug Affecting Tens of Millions of Devices

The security vulnerabilities were discovered on May 10 by Imre Rad, an independent security researcher, and reported to Lenovo on May 14. On Oct. 5, Lenovo released four patches for its Android tablets, Vibe and Zuk phones, and Moto M and Moto E3 model handsets.

According to Rad, the vulnerabilities were related to the Lenovo Service Framework, an Android application exclusive to Lenovo devices. Lenovo states the application is used to receive notifications from Lenovo servers (product promotions, news, notices, surveys) and to facilitate emergency app repairs and upgrades when necessary.

However, the application could be exploited by attackers to help download code onto devices from a server, resulting in remote code execution. Rad described four vulnerabilities:

CVE-2017-3758 – Improper access controls on several Android components of the LSF application.

CVE-2017-3759 – The application accepts responses from the server without proper validation, meaning it was vulnerable to man in the middle attacks.

CVE-2017-3760 – The credentials for integrity verification of downloaded applications and/or data was not secure.

CVE-2017-3761 – The application runs some system commands without proper sanitation of input.

Lenovo states that the issues have been patched and updates are available both manually and automatically. They are not aware of any of the vulnerabilities being exploited.

– Antony Lin

Source:

https://threatpost.com/lenovo-quietly-patches-massive-bug-impacting-its-android-tablets-and-zuk-vibe-phones/128489/

New DoubleLocker Ransomware Attacks Android Devices

Security researchers have discovered a new kind of ransomware for android that both changes the affected device’s PIN code and encrypts the files. It goes by the name DoubleLocker and is reported to use code from an old banking trojan called Svpeng. This was formerly one one of the more interesting pieces of android malware. It would overlay fake banking logins, steal money from bank accounts using sms account management, change PIN codes, and encrypt user files. Fortunately the DoubleLocker ransomware doesn’t attempt to steal any banking information. At least not yet.

DoubleLocker takes a new approach to ransomware, being the first of its kind to misuse Android’s accessibility service to gain admin rights. Once it is installed, usually through a fake flash player update, the app gives requests device accessibility permissions. If the user enables these, the app is able to simulate touches on the screen so it can make itself a device administrator and set itself as the default home app. This means that whenever the user presses the home button, the malware is re-launched. The app uses its administrator rights to change the PIN code on the phone and encrypt all of the user files to .cryeye files with a random key stored at a remote location.

doublelocker

Once running, the app shows a ransom request for 0.013 BTC (about $70) like this one, which when paid will remotely decrypt the phone and remove the PIN lock.

There are a few ways to protect yourself from these kinds of attacks. For one, Flash Player for mobile is dead so don’t be trying to update it. More generally, however, you should

  • Only install apps from trusted sources
  • Keep the “Unknown Sources” checkbox off unless you have a very good reason to turn it on. Always turn it back off right afterwards.
  • Keep an antivirus app on your smartphone

 

Sources used:

 

~ Daniel Monteagudo

Phishing for Apple ID passwords on iOS

It has recently been discovered that legitimate dialogue boxes that prompt the user for their password to log into their Apple ID can be easily replicated with frightening similarity. Felix Kraus, an iOS developer for Fastlane.Tools posted the proof of concept on his blog in an effort to get this “loophole which has been around for many years” closed. The fake boxes are nearly identical to the legitimate ones.

apple-id-phishing-attack

As you can see, they are nearly indistinguishable from one another. Unless you’re looking for it, you would never be able to distinguish between the two. Even if you were thinking it might be a phishing attack, it would be nearly impossible to determine with certainty whether it was legitimate or not. This particular box type has the user email associated with the Apple account in it, but there is also a version without the email address.

apple-id-phishing-attacks

Again, if you weren’t expecting this to be a phishing attack, you would probably not think twice before inputting your password.

The boxes are created, quite easily, through the Apple Developer tool UIAlertController. The exact methods for creating these boxes were not disclosed by Krause for security purposes, but a quick look at the UIAlertController on Apple’s developer page shows that creating the box is as easy as following a template.

 

Thankfully, Krause also offered several tips to avoid being phished in this manner:

If you press the home button and the app and dialogue boxes both close, then it was a phishing attack. If the app and dialogue are still up then it is legitimate. This is because system dialogues are handled with a different protocol than app dialogues.

Don’t even begin to enter your credentials into a popup. Even if you don’t submit the form, they probably have recorded your inputs. Go into the settings app and enter them there.

 

If the user has 2 factor authentication enabled they’ll be safer from phishing attacks of this nature. That said, if the app also asks for the 2 Factor Authentication token and the user puts it in, then they’ve nullified the whole process.

As always, be careful when you’re putting in your credentials. You never know where phishing attacks will come from next.

 

– Daniel Szafran

 

Felix Kraus blog: https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Source Article: https://thehackernews.com/2017/10/apple-id-password-hacking.html

Apple Developer UIAlertController:  https://developer.apple.com/documentation/uikit/uialertcontroller