Skip to content

Mobile Security

Another malware outbreak in Google’s Play Store

Regular readers (are their any?) will note that I often rail against Google not policing their Good Play Store. Users think that since it has Google’s name on it, it is safe. Not in the least bit. In addition to the fact that the majority of apps have built in spyware, there are even more serious malware laden apps as the following article delineates.

Quote

50 apps get pulled as ExpensiveWall malware runs riot in the store

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory’s code checking system.

The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload that registers victims for paid online services and sends premium SMS messages from a user’s phone and leaves them to pick up the bill. It was found in 50 apps on the Play Store and downloaded by between 1 million and 4.2 million users.

Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages. It then pings its command and control server with information on the infected handset, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI numbers.

The servers then send the malware a URL, which it opens in an embedded WebView window. It then downloads the attack JavaScript code and begins to clock up bills for the victim. The researchers think the malware came from a software development kit called GTK.

“Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store,” the researchers note. “However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.”

It appears that Google missed warnings about the malware infection. The user comments section of at least one of the infected apps was filled with outraged users noting that it was carrying a malicious payload and it appears that the apps were being promoted on Instagram.

Cases of malware infecting Google’s Play Store are becoming depressingly common. Just last month it was banking malware and a botnet controller, in July commercial spyware made it in, advertising spamming code popped up in May (preceded by similar cases in March and April), and there was a ransomware outbreak in January.

By contrast, Apple’s App Store appears to do a much better job at checking code, and malware is a rarity in Cupertino’s app bazaar. While some developers complain that it can take a long time to get code cleared by Apple, at least the firm is protecting its customers by doing a thorough job, although Apple’s small market share also means malware writers tend not to use iOS for their apps.

By contrast, Google’s Bouncer automated code-checking software appears to be very easily fooled. Google advised users to only download apps from its Store, since many third-party marketplaces are riddled with dodgy apps, but that advice is getting increasingly untenable.

It’s clear something’s going to have to change down at the Chocolate Factory to rectify this. A big outbreak of seriously damaging malware could wreak havoc, given Android’s current market share, and permanently link the reputation of the operating system with malware, in the same way as Windows in the 90s and noughties. ®

Oh, that Apple Link you clicked on — it is Russian or Chinese or anything but Apple

Quote

Click this link (don’t fret, nothing malicious). Chances are your browser displays “apple.com” in the address bar. What about this one? Goes to “epic.com,” right?

Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.

In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We’re told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.

This domain disguising, which tricks people into visiting a site they think is legit but really isn’t, is called a “homograph attack” – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address “paypal.com.”

So what is this, how does it work, and why does it still exist?

Well, thanks to the origins of the internet in the United States, the global network’s addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.

The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.

And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became “Punycode.”

PS: To fix the issue with Chrome, wait for Chrome 58 to arrive around April 25 and install it. On Firefox, Firefox Mobile, and Seamonkey, go to about:config and set network.IDN_show_punycode to true.

Democrats draft laws in futile attempt to protect US internet privacy

At a the the present, I agree that this has a snowball’s chance in hell. But if more states take it seriously, just maybe it will negate the disgusting screwing of Internet users privacy by big corporate ISPs with their bidding done by their lackies in the congress, chief FCC lackie Pai and signed by the poorest excuse for a leader in years, Trump.

Hah Hah – Drain the swamp. What a joke. Just filled it with swine dung and does it wreak worse than it ever did. Hey maybe I show start a new category “swine swamp.”

Oh, do I sound angry? God damn right I am.

Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.

On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.

“Thanks to Congressional Republicans, corporations, not consumers, are in control of sensitive information about Americans’ health, finances, and children. The Republican roll-back of strong broadband privacy rules means ISP no longer stands for Internet Service Provider, it stands for ‘Information Sold for Profit’,” said Senator Markey.

“This legislation will put the rules back on the books to protect consumers from abusive invasions of their privacy. Americans should not have to forgo their fundamental right to privacy just because their homes and phones are connected to the internet.”

The bill has been cosponsored by ten senators, all Democrats except for the independent Bernie Sanders. No Republicans have added their name to the legislation – nor shown any support for it – which probably means it’s doomed to failure given the GOP-dominated composition of the Senate.

The new bill echoes similar legislation introduced in the House of Representatives earlier in the week. Representative Jacky Rosen, who was a software developer before she got into politics, has introduced the Restoring American Privacy Act of 2017.

“As someone who has first-hand experience as a computer programmer, I know that keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers,” said Representative Rosen (D-NV).

“I will not stand by and let corporations get access to the most intimate parts of people’s lives without them knowing and without consent. It is appalling that Republicans and President Trump would be in favor of taking Americans’ most personal information to sell it to the highest bidder.”

The FCC rules would have required internet users to sign up to allow their browsing histories to be sold, and put an increased onus on ISPs to protect their private data. One of the first acts of the new administration was to drop the FCC rules and legislate against them, with President Trump signing off on the legislation on Monday.

Facing a public backlash, the major ISPs have promised that they won’t sell off an individual’s browsing history – but left the door open for selling the data as part of a group. Customers will also have the choice to opt out, but you can bet the form to do so will be in the internet equivalent of a locked filing cabinet carrying a sign reading “Beware of the leopard.”

The bills will be welcomed by many but, realistically, have no chance of passing unless a sizable number of Republicans cross the floor. That’s not going to happen, so individual states have been taking action of their own.

Last week, Minnesota and Illinois legislatures began enacting legislation to provide privacy protections for internet users, and now New York has done the same. Senator Tim Kennedy (D-Buffalo) has introduced legislation to stop ISPs selling off their customers’ browsing histories.

“When voters across the country elected this House and US Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” said Senator Kennedy.

“This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real-world consequences.”

It’s possible the ISPs could have bitten off more than they can chew on this one by seriously underestimating quite how angry this issue has made people. Despite frantic PR moves, more and more states are now taking matters into their own hands – which is just as the Founding Fathers designed the system.

SOURCE: HERE

The House voted to wipe away the FCC’s Internet privacy protections

SJ 34 would repeal safeguards that prohibit Internet service providers (ISPs) from sharing data, such as e-mails and web history, with third parties without user consent. It would also do away with transparency requirements, which mandate that ISPs provide easily accessible privacy notices to customers and advanced notice prior to changes…..Assuming Trump signs the measure, Internet providers will be freed from those obligations, which would otherwise have taken effect later this year. With this data, Internet providers can sell highly targeted ads, making them rivals to Google and Facebook, analysts say.

Internet providers also will be free to use customer data in other ways, such as selling the information directly to data brokers that target lucrative or vulnerable demographics.

“ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you,” wrote Gigi Sohn, a former FCC staffer who helped draft the privacy rules, in a recent blog post on the Verge.

Selling your data is merely one of the four ways in which Internet providers intend to make money off consumers. The others include selling you access to the Internet, as they have traditionally done; selling access to media content they’ve acquired by purchasing large entertainment companies; and selling advertising that directly targets you based on the data the provider has collected by watching how you use the Internet and what content you consume.

Sources: The Hill, Washington Post

Here is the roll call Miscreants who voted to repeal. Source Senate.Gov

Miscreants who voted For BillVoted AgainstNot Voting
Alexander (R-TN)Baldwin (D-WI)sakson (R-GA)
Barrasso (R-WY)Bennet (D-CO)Paul (R-KY)
Blunt (R-MO)Blumenthal (D-CT)
Boozman (R-AR)Booker (D-NJ)
Burr (R-NC)Brown (D-OH)
Capito (R-WV)Cantwell (D-WA)
Cassidy (R-LA)Cardin (D-MD)
Cochran (R-MS)Carper (D-DE)
Collins (R-ME)Casey (D-PA)
Corker (R-TN)Coons (D-DE)
Cornyn (R-TX)Cortez Masto (D-NV)
Cotton (R-AR)Donnelly (D-IN)
Crapo (R-ID)Duckworth (D-IL)
Cruz (R-TX)Durbin (D-IL)
Daines (R-MT)Feinstein (D-CA)
Enzi (R-WY)Franken (D-MN)
Ernst (R-IA)Gillibrand (D-NY)
Fischer (R-NE)Harris (D-CA)
Flake (R-AZ)Hassan (D-NH)
Gardner (R-CO)Heinrich (D-NM)
Graham (R-SC)Heitkamp (D-ND)
Grassley (R-IA)Hirono (D-HI)
Hatch (R-UT)Kaine (D-VA)
Heller (R-NV)King (I-ME)
Hoeven (R-ND)Klobuchar (D-MN)
Inhofe (R-OK)Leahy (D-VT)
Johnson (R-WI)Manchin (D-WV)
Kennedy (R-LA)Markey (D-MA)
Lankford (R-OK)McCaskill (D-MO)
Lee (R-UT)Menendez (D-NJ)
McCain (R-AZ)Merkley (D-OR)
McConnell (R-KY)Murphy (D-CT)
Moran (R-KS)Murray (D-WA)
Murkowski (R-AK)Nelson (D-FL)
Perdue (R-GA)Peters (D-MI)
Portman (R-OH)Reed (D-RI)
Risch (R-ID)Sanders (I-VT)
Roberts (R-KS)Schatz (D-HI)
Rounds (R-SD)Schumer (D-NY)
Rubio (R-FL)Shaheen (D-NH)
Sasse (R-NE)Stabenow (D-MI)
Scott (R-SC)Tester (D-MT)
Shelby (R-AL)Udall (D-NM)
Strange (R-AL)Van Hollen (D-MD)
Sullivan (R-AK)Warner (D-VA)
Thune (R-SD)Warren (D-MA)
Tillis (R-NC)Whitehouse (D-RI)
Toomey (R-PA)Wyden (D-OR)
Wicker (R-MS)
Young (R-IN)

Cloud Pets! Your Family & Intimate Messages exposed to all sorts of Miscreants

… Now I know the average parent spends a good deal their time on Facebook and other “look at me .. look at me” social media and can care less about such hard to understand things like I.T. Security.

BUT THESE ARE YOUR CHILDREN AND YOU NEED TO PROTECT THEM!

…sorry, as a parent, this stuff makes my blood boil. Look parents, you scour the pedophile databases for your neighborhood, but leave the barn door open on the Internet. If you think governmental entities are going to protect you, you are only fooling yourselves. Companies peddling these things are about making the maximum amount of money at the lowest possible cost. They will **NOT** invest in expensive and complex security. Why? they do not have to. By the time the breach is discovered, they have made there millions. And there is absolutely no teeth in any governmental mandates op provide security such that any really exist in the first place.

Ok, on with the story!

The personal information of more than half a million people who bought internet-connected fluffy animals has been compromised.

The details, which include email addresses and passwords, were leaked along with access to profile pictures and more than 2m voice recordings of children and adults who had used the CloudPets stuffed toys.

The US company’s toys can connect over Bluetooth to an app to allow a parent to upload or download audio messages for their child.

Of course the company denied it and shot at the messenger

CloudPets’s chief executive, Mark Myers, denied that voice recordings were stolen in a statement to NetworkWorld magazine. “Were voice recordings stolen? Absolutely not.” He added: “The headlines that say 2m messages were leaked on the internet are completely false.” Myers also told NetworkWorld that when Motherboard raised the issue with CloudPets, “we looked at it and thought it was a very minimal issue”. Myers added that a hacker would only be able to access the sound recordings if they managed to guess the password. When the Guardian tried to contact Myers on Tuesday, emails to CloudPets’s official contact address were returned as undeliverable.

Troy Hunt, owner of data breach monitoring service Have I Been Pwned, drew attention to the breach, which he first became aware of in mid-February. At that point, more than half a million records were being traded online. Hunt’s own source had first attempted to contact CloudPets in late December, but also received no response. While the database had been connected to the internet, it had more than 800,000 user records in it, suggesting that the data dump Hunt received is just a fraction of the full information potentially stolen.

The personal information was contained in a database connected directly to the internet, with no usernames or passwords preventing any visitor from accessing all the data. A week after Hunt’s contact first attempted to alert CloudPets, the original databases were deleted, and a ransom demand was left, and a week after that, no remaining databases were publicly accessible. CloudPets has not notified users of the hack.

Hunt argues the security flaws should undercut the entire premise of connected toys. “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.

“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”

John Madelin, CEO at IT security experts RelianceACSN, echoes Hunt’s warnings. “Connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2m voice recordings were stored online, but not securely, along with email addresses and passwords of 800,000 users, this is unforgivable.”  Source: Guardian Article Here

Now for the technical, here are some tid-bits from the researcher. Full article here

Clearly, CloudPets weren’t just ignoring my contact, they simply weren’t even reading their emails”

There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

But then I dug a little deeper and took a look at the mobile app:

CloudPets app

This app communicates with a website at spiraltoys.s.mready.net which is on a domain owned by Romanian company named mReady. That URL is bound to a server with IP address 45.79.147.159, the exact same address the exposed databases were on. That’s a production website there too because it’s the one the mobile app is hitting so in other words, the test and staging databases along with the production website were all sitting on the one box. The most feasible explanation I can come up with for this is that one of those databases is being used for production purposes and the other non-production (a testing environment, for example).

Trump: Blame the Computers not Russia

Trump: “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need,” Trump said according to press pool report. He was at the Mar-a-Lago resort at the time of making the statement.” Source

Actually, I agree with Trump on this. We do not have the security we need. More fundamental to that, we do not have a mindset that puts computer security first. We bolt the front door and secure our physical premises with 24/7 monitoring services, yet we leave the barn door wide open for our online presence be it email, social media, browsing and shopping.

Privacy and security is an option when in fact it should come first. Imagine if the internet was built from the ground up with privacy and security as the foundation layer? That would mean no web bugs, tracking cookies, targeted advertising, privacy statements like Netflix’s (for example) that say, let me rape you and sell my experience and if you do not agree, your option is to cancel your subscription.

And home router manufacturers that make appliances so easily hacked it is a joke. And Microsoft windows that to this day facilitates users running with administrator privileges in everyday use. And the IoT – internet of things that have little if any security. And the mindset of the average consumer the allows Amazon’s Alexa into their home. Completely secure, right? Yeah sure, Why then, I ask, did this happen: “Amazon had been served with a search warrant in a murder case, as detectives in Bentonville, Ark., want to know what Alexa heard in the early morning hours of Nov. 22, 2015 — when Victor Collins was found dead in a hot tub behind a home after an Arkansas Razorbacks football game. (Read more) Come on! Lock the door, arm yourself to the teeth, **but** let a device with 7 microphones listening to every sound in your house connected to ?? and easily hacked by ?? (you’ll never know!). By the way, the same goes with Siri and Google voice on your smart phones.

Don’t blame the Russians, blame yourself. Yes, the mindset needs to change indeed.

Happy New Year.

Googdroid

QUOTE

This article begs the question: “Why doesn’t google police its store an evaluate apps for potential malware?” So much of the crap on google play is infected with spyware. Oh wait, spyware, that is how google makes money selling your private info others so they can market more to you.

A new strain of Android malware is infecting an estimated 13,000 devices per day.

The Gooligan malware roots Android devices before stealing email addresses and authentication tokens stored on them. The tokens create a means for hackers to access users’ sensitive data from Gmail accounts, security researchers at Check Point Software Technologies warn.

The malicious code creates a money-making sideline for crooks by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Gooligan targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), collectively around 74 per cent of Android devices currently in use. Gooligan is installing at least 30,000 apps on breached devices every day, or more than 2 million apps since the malicious campaign began, according to Check Point.

Security researchers at the Israeli firm first encountered Gooligan’s code in the malicious SnapPea app last year. In August, the malware reappeared with a new variant and has since infected at least 13,000 devices per day. About 40 per cent of these devices are located in Asia and about 12 per cent are in Europe. Hundreds of the email addresses compromised by Gooligan are associated with enterprises around the world.

Check Point has passed on its findings on the campaign to Google’s security team. “This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Gooligan spreads when victims download and install an infected app. Crooks are slinging the malware by tricking victims into following malicious links in phishing messages.

“If your account has been breached, a clean installation of an operating system on your mobile device is required,” Shaulov advised.

Quote

AT&T is getting rid of Internet Preferences, the controversial program that analyzes home Internet customers’ Web browsing habits in order to serve up targeted ads.

“To simplify our offering for our customers, we plan to end the optional Internet Preferences advertising program related to our fastest Internet speed tiers,” an AT&T spokesperson confirmed to Ars today. “As a result, all customers on these tiers will receive the best rate we have available for their speed tier in their area. We’ll begin communicating this update to customers early next week.”

Data collection and targeted ads will be shut off, AT&T also confirmed.

Good news at last on privacy

More than 400 malicious apps infiltrate Google Play

I have ranted about this before, but so many apps are spyware and some are just plain malicious. Google does a piss poor job of vetting because for many of them which are spyware, they benefit as they are able to hoover up more user info. As one of the commenters to the article stated

So what it does is just allow network probing from behind a company or personal firewall, should you actually be behind one that matters? That’s potentially troubling, but doesn’t appear to be “controlling” the device. What bothers me more is that Google appears to have made too many compromises for ad-paid games, carriers, and OEMs instead of giving people the easy control over what can do things on their own devices.

Quote

“DressCode” apps turned phones into listening posts that could bypass firewalls.

Google Play was recently found to be hosting more than 400 apps that turned infected phones into listening posts that could siphon sensitive data out of the protected networks they connected to, security researchers said Thursday.

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.

Lenovo’s file-sharing app uses hardwired password ‘12345678’ … or no password at all

Quote

Lenov-LOL!

Lenovo ShareIT users, get patching: the PC maker’s file-sharing app is pretty much unsecured.

The software runs on Windows and Android devices, and creates a Wi-Fi hotspot allowing data to be exchanged – from phone to PC, PC to phone, etc. But the wireless network is pretty much unsecured on both platforms.

In ShareIT for Windows, the Wi-Fi uses “12345678” as a hardcoded password, while in Android, there’s no password at all. If someone logs into the Wi-Fi hotspot on Windows, they can browse, but not download, files on the machine.

Core Security, which found the design flaw, also note that file transfers in Windows and Android aren’t encrypted. If an attacker was logged into the hotspot on either side of a file transfer, traffic sniffing would yield a copy of the transfer.

The vulnerable versions are ShareIT for Windows version 2.5.1.1 and ShareIT for Android 3.0.18_ww. The bugs are designated CVE-2016-1489, CVE-2016-1490, CVE-2016-1491, and CVE-2016-1492.

Lenovo’s latest versions are available here. Get ’em.

That’s not the only issue. Their machines have come through with so much crapware lately that out of the box they are slower than the old XP machines we are replacing.