The new Pretty Good Phone Privacy service for Android hides the data linking you to your mobile device.

As marketers, data brokers, and tech giants endlessly expand their access to individuals’ data and movements across the web, tools like VPNs or cookie blockers can feel increasingly feeble and futile. Short of going totally off the grid forever, there are few options for the average person to meaningfully resist tracking online. Even after coming up with a technical solution last year for how phone carriers could stop automatically collecting users’ locations, researchers Barath Raghavan and Paul Schmitt knew it would be challenging to convince telecoms to implement the change. So they decided to be the carrier they wanted to see in the world.

The result is a new company, dubbed Invisv, that offers mobile data designed to separate users from specific identifiers so the company can’t access or track customers’ metadata, location information, or mobile browsing. Launching in beta today for Android, the company’s Pretty Good Phone Privacy or PGPP service will replace the mechanism carriers normally use to turn cell phone tower connection data into a trove of information about users’ movements. And it will also offer a Relay service that disassociates a user’s IP address from their web browsing.

“If you can decouple a user’s identity from the way they connect to a network, that’s a general-purpose hammer that can solve a lot of privacy problems,” says Raghavan, a professor at the University of Southern California. “Privacy should be the default and it’s not currently, so we’re working on that. There’s a growing appetite as people become more concerned about what their phone is leaking to telecoms and tech companies.”

PGPP’s ability to mask your phone’s identity from cell towers comes from a revelation about why cell towers collect the unique identifiers known as IMSI numbers, which can be tracked by both telecoms and other entities that deploy devices known as IMSI catchers, often called stringrays, which mimic a cell tower for surveillance purposes. Raghavan and Schmitt realized that at its core, the only reason carriers need to track IMSI numbers before allowing devices to connect to cell towers for service is so they can run billing checks and confirm that a given SIM card and device are paid up with their carrier. By acting as a carrier themselves, Invisv can implement their PGPP technology that simply generates a “yes” or “no” about whether a device should get service. 

On the PGPP “Mobile Pro” plan, which costs $90 per month, users get unlimited mobile data in the US and, at launch, unlimited international data in most European Union countries. Users also get 30 random IMSI number changes per month, and the changes can happen automatically (essentially one per day) or on demand whenever the customer wants them. The system is designed to be blinded so neither INVISV nor the cell towers you connect to know which IMSI is yours at any given time. There’s also a “Mobile Core” plan for $40 per month that offers eight IMSI number changes per month and 9 GB of high-speed data per month.

Both of these plans also include PGPP’s Relay service. Similar to Apple’s iCloud Private Relay, PGPP’s Relay is a method for blocking everyone, from your internet provider or carrier to the websites you visit, from knowing both who you are and what you’re looking at online at the same time. Such relays send your browsing data through two way stations that allow you to browse the web like normal while shielding your information from the world. When you navigate to a website, your IP address is visible to the first relay—in this case, Invisv—but the information about the page you’re trying to load is encrypted. Then the second relay generates and connects an alternate IP address to your request, at which point it is able to decrypt and view the website you’re trying to load. The content delivery network Fastly is working with Invisv to provide this second relay. Fastly is also one of the third-party providers for iCloud Private Relay.

In this way, each relay knows some of the information about your browsing; the first simply knows that you are using the web, and the second sees the sites you connect to, but not who specifically is browsing there. In addition to being included in the two PGPP data plans, customers can also purchase the Relay service on its own for $5 per month and turn it on while connected to mobile data or Wi-Fi. 

“User privacy has historically been in the backseat for internet systems,” says Jana Iyengar, Fastly’s product lead for infrastructure services. “At Fastly, we have always believed that communication and data privacy is fundamental to the future of the internet. We believe it is time to invest, engage, and create products that will move the internet forward in this direction.”

Invisv is still working to bring its services to Apple’s iOS, and the company doesn’t provide voice calling services, only mobile data. But Raghavan and Schmitt say that their goal for this initial launch was to start offering something that would give customers drastically more privacy protection than what they get from other mobile carriers while being truly easy to use.

“The reason we’re doing this, honestly, is that it’s clear nobody else is going to do it,” Schmitt says. “I’m hopeful that people will just start to see what's possible from this, so we can start to make a dent.”

A Phone Carrier That Doesn’t Track Your Browsing or Location

Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets.
The first set of activities is what the company described as "persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting

Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets.

The first set of activities is what the company described as "persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting individuals in New Zealand, India, Pakistan and the U.K.

"Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware," Meta said in its Quarterly Adversarial Threat Report. "They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware."

The attacks involved the threat actor creating fictitious personas on the platform, masquerading as attractive young women in a bid to build trust with targets and lure them into clicking on bogus links that deployed malware.

But in an interesting twist, the attackers convinced victims to download an iOS chat application via Apple TestFlight, a legitimate online service that can be used for beta-testing apps and providing feedback to app developers.

"This meant that hackers didn't need to rely on exploits to deliver custom malware to targets and could utilize official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple Testflight and tricked them into installing their chat application," the researchers said.

While the exact functionality of the app is unknown, it's suspected to have been employed as a social engineering ploy as a means to have oversight over the campaign's victims through a chat medium orchestrated for this purpose.

Additionally, the Bitter APT operators used a previously undocumented Android malware dubbed Dracarys, which abuses the operating system's accessibility permissions to install arbitrary apps, record audio, capture photos, and harvest sensitive data from the infected phones such as call logs, contacts, files, text messages, geolocation, and device information.

Dracarys was delivered through trojanized dropper apps posing as YouTube, Signal, Telegram, and WhatsApp, continuing the trend of attackers increasingly deploying malware disguised as legitimate software to break into mobile devices.

Furthermore, in a sign of adversarial adaptation, Meta noted the group countered its detection and blocking efforts by posting broken links or images of malicious links on the chat threads, requiring the recipients to type the link into their browsers.

Bitter's origins are something of a puzzle, with not many indicators available to conclusively tie to a specific country. It's believed to operate out of South Asia and recently expanded focus to strike military entities in Bangladesh.

**Meta cracks down on Transparent Tribe**

The second collective to be disrupted by Meta is Transparent Tribe (aka APT36), an advanced persistent threat alleged to be based out of Pakistan and which has a track record of targeting government agencies in India and Afghanistan with bespoke malicious tools.

Last month, Cisco Talos attributed the actor to an ongoing phishing campaign targeting students at various educational institutions in India, marking a departure from its typical victimology pattern to include civilian users.

The latest set of intrusions suggest an amalgamation, having singled out military personnel, government officials, employees of human rights and other non-profit organizations, and students located in Afghanistan, India, Pakistan, Saudi Arabia, and the U.A.E.

The targets were social engineered using fake personas by posing as recruiters for both legitimate and fake companies, military personnel, or attractive young women looking to make a romantic connection, ultimately enticing them into opening links hosting malware.

The downloaded files contained LazaSpy, a modified version of an open source Android monitoring software called XploitSPY, while also making use of unofficial WhatsApp, WeChat and YouTube clone apps to deliver another commodity malware known as Mobzsar (aka CapraSpy).

Both pieces of malware come with features to gather call logs, contacts, files, text messages, geolocation, device information, and photos, as well as enable the device's microphone, making them effective surveillance tools.

"This threat actor is a good example of a global trend \[...\] where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities," the researchers said.

These "basic low-cost tools \[...\] require less technical expertise to deploy, yet yield results for the attackers nonetheless," the company said, adding it "democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

By Waqas
Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying…
This is a post from HackRead.com Read the original post: Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

****Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying malware dubbed SHARPEXT.****

**Gmail** users should watch out for the newly discovered email reading malware named SHARPEXT. It is identified by cybersecurity firm Volexity. This nosey malware spies on AOL and Google account holders and can read/download their private emails and attachments.

**Campaign Details**

SHARPEXT malware infects devices through browser extensions on Google Chrome and Chromium-based platforms, including Korean browser Naver Whale and Microsoft Edge. Its primary targets are users in the USA, South Korea, and Europe, while its origin has been traced to a North Korean hacker group called Kimsuky or SharpTongue, which is associated with the North Korean intelligence agency Reconnaissance General Bureau.

The typical targets of SHARPEXT malware include those working in nuclear weaponry. It is worth noting that **in Jun 2021**, Kimsuky APT was found targeting the South Korean atomic agency by exploiting VPN flaws. **In March 2015**, the same group was blamed for targeting South Korea’s Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT; the malware can directly inspect and exfiltrate data from Gmail accounts and impact version 3.0. This campaign has been active for more than a year, and during this time, it has stolen thousands of files and messages from Gmail and AOL email accounts.

The malware is currently targeting Windows devices, but Volexity claims it may work on Linux and macOS devices too.

**How the Attack Occurs?**

The victims are lured into opening a document that contains the malware. The malware is distributed through **social engineering** and spear phishing scams.

> “Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.”
> 
> Paul Rascagneres, Thomas Lancaster – Volexity Threat Research

According to Volexity’s **blog post**, once installed on the device, SHARPEXT malware inserts itself within the browser via the Preferences and Secure Preferences files. It then enables its email read/download capabilities. Moreover, it also hides warning alerts that may be displayed to notify the user about the presence of an unverified extension on the device.

For your information, SHARPEXT malware-laced extensions are hard to spot since there’s no such thing in it that could trigger an antivirus scanner response, and the actual threat runs from another server.

Process workflow of SHARPEXT malware (Image: Volexity)

1.  **Gmail wittingly storing your online purchase data for years**
2.  **Google vulnerability allowed sending spoofed emails with Gmail ID**
3.  **Hackers using malicious Firefox extension to phish Gmail credentials**
4.  **Popular Android Zombie game phishing users to steal Gmail credentials**
5.  **Microsoft MSHTML flaw exploited in Gmail and Instagram phishing scam**

**How to Stay Protected?**

Volexity has published a list of IoCs (indicators of compromise) on **Github** to help you identify if the device has been infected already. You may also inspect all the browser extensions installed and check if all of them can be found on Chrome Web Store.

Furthermore, Remove any extensions that look suspicious, or you downloaded from an unreliable source. Always use the best antivirus solutions to keep your device protected.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

Categories: A week in security
The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (August 1 - August 7) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (August 1 - August 7)

By Waqas
Cellebrite is an Israel-based smartphone hacking (or cracking) firm that previously made headlines for unlocking iPhone devices for…
This is a post from HackRead.com Read the original post: Anonymous Source Leaks 4TB of Cellebrite Data After Cyberattack

****Cellebrite is an Israel-based smartphone hacking (or cracking) firm that previously made headlines for unlocking iPhone devices for law enforcement and security agencies in the United States.****

An anonymous source has leaked around 4TB of proprietary data belonging to Israeli digital intelligence firm, **Cellebrite**. The affected products are the company’s flagship product, Cellebrite Mobilogy, and the Cellebrite Team Foundation server.

It is worth noting that as of now, the leaked data is only available to researchers and journalists by requesting Distributed Denial of Secrets (**DDoSecrets**), a non-profit whistleblower organization.

The trove of data comes in two parts including Cellebrite Mobilogy and Cellebrite Team Foundation Server.

**About Cellebrite**

Cellebrite provides digital data collection, analysis, and management services. Its services are quite similar to the infamous NSO Group behind Pegasus spyware. Cellebrite’s tools are used by companies, enterprises, and federal/state/local law enforcement authorities.

Cellebrite Universal Forensic Extraction Device is among the key products from Cellebrite used by law enforcement agencies, and it shared its code with the impacted product Cellebrite Mobilogy.

Team Foundation Server offers a platform for collaborative working and has now been replaced with Azure DevOps Server, which is used for sharing code, tracking work, and shipping software.

**Leaked Data Analysis**

Another attack targeted against backup files for the Cellebrite Team Foundation Server resulted in the leaking of 430 GB of data. Reportedly, around 3.6TB of data was compromised and leaked from Cellebrite Mobilogy. This product is used for device diagnostics, content backup, transfer, and restoration.

The source behind this data leak is not yet identified. And no cybercriminal or hacker group has claimed its responsibility. The hacking technique is also not disclosed as yet.

For your information, Cellebrite is the company that helped the FBI unlock San Bernardino shooter **Syed Rizwan Farook’s iPhone**.

Screengrab: DDoSecrets

*   **iPhone hacking tool Cellebrite is being sold on eBay**
*   **Signal CEO hacks Cellebrite cellphone hacking, cracking tool**
*   **US government gets its hand on a $15,000 iPhone cracking device**
*   **Cellebrite claims its new tool unlocks almost any iOS or Android device**
*   **Textalyzer Device Tells Police Everything Users Do on Their Smartphone**

**Previous Cyber Attacks on Cellebrite**

Cellebrite has previously been targeted in several cyberattacks. **In January 2017**, an anonymous attacker leaked 900GB of data stolen from the Israeli firm. The data contained information about the political scenario in different countries.

**In February 2017**, a hacker released the cache of sensitive data from the company regarding Cellebrite’s methods of hacking into Android, Apple, and Blackberry smartphones. Reportedly, a hacker successfully compromised Cellebrite’s security systems and stole sensitive data from its servers.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Anonymous Source Leaks 4TB of Cellebrite Data After Cyberattack

With names, email addresses, and mobile numbers from underground databases, one person in five is at risk of account compromise even with SMS two-factor authentication in place.

Companies that rely on texts for a second factor of authentication are putting about 20% of their customers at risk because the information necessary to attack the system is available in compromised databases for sale on the Dark Web.  

About 1 billion records synthesized from online databases — representing about one in every five mobile phone users in the world — contain users' names, email addresses, passwords, and phone numbers. This gives attackers everything they need to conduct SMS-based phishing attacks, also known as smishing, says Thomas Olofsson, CTO of cybersecurity firm FYEO. 

Cybersecurity experts have long known that the addition of an SMS one-time password is a weak form of two-factor authentication and the simplest form of two-factor authentication for attackers to compromise. However, combining such attacks with the readily available information on users produces a "perfect storm" for attacking accounts, he says.

At Black Hat USA, Olofsson plans to go over findings from research into the problem during a session on Wednesday, Aug. 10, called "Smishmash — Text-Based 2FA Spoofing Using OSINT, Phishing Techniques, and a Burner Phone."

"The research that we have done is two parts: How do you bypass 2FA, and how many phone numbers can we tie to an email address and a password," he tells Dark Reading. "So, for about one in five — a billion — people, we can connect your email address to your phone number, and that is really bad."

The analysis found that by collecting information from known databases of compromised usernames and passwords, researchers could create a database of 22 billion credentials. Linking those credentials to a phone number reduced the exposure to a bit more than 1 billion records, of which about half have been verified.

To make use of those records, attackers can conduct an adversary-in-the-middle attack, where the smishing attack goes to a proxy. When a targeted user opens a link in a malicious SMS message on a mobile device, browsers on iOS and Android rarely show any security information, such as a the URL, since screen real estate is so small. Because of that, few — if any — signs of the attack are presented to the user, making the attacks much more effective, Olofsson says.

In addition, smishing attacks are seven times more likely to succeed than phishing attacks conducted through email, he says.

"It makes it extremely likely that someone will click on the link," Olofsson says. "I even look at our attacks, and I said, wow, I could fall for this."

Attackers have used smishing to compromise financial accounts — especially those linked to cryptocurrency exchanges — during the past two years, with more than $1.6 billion of crypto stolen so far in 2022, according to an analysis published in May. 

**SMS for 2FA: Risky Biz**

Meanwhile, the US federal government has already put additional restrictions on any use of SMS for a second factor of authentication. In 2016, the National Institute of Standards and Technology (NIST) warned against using one-time passwords sent as text messages for a second factor to authenticate users.

"An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn't have to know the difference when they hit send — that’s part of the Internet’s magic. But it does matter for security," NIST wrote in an explanation of the policy, adding: "While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn't have the strength of device authentication mechanisms inherent in the other authenticators allowable" by NIST guidelines.  

To make it less likely that such attacks succeed, users should ignore any notifications that come through SMS and instead log directly into their account.

"Never trust an SMS message," Olofsson says. "If you feel something is wrong, don't click on it, don't trust it. Go on a computer, and see if you have an e-mail, because at least you can verify the headers then."

Unfortunately, many financial institutions and other companies make it hard for users to implement better security because they only offer SMS as an option for the second factor of authentication. Adding reCAPTCHA checks can give users a hint that something is wrong, Olofsson notes, because any adversary-in-the-middle attack will display the proxy server, not the user's IP address.

Stolen Data Gives Attackers Advantage Against Text-Based 2FA

Improper Privilege Management vulnerability in Game Optimizing Service prior to versions 3.3.04.0 in Android 10, and 3.5.04.8 in Android 11 and above allows local attacker to execute hidden function for developer by changing package name.

CVE-2022-36833

Flaw that opened the door to cookie modification and data theft resolved

Flaw that opened the door to cookie modification and data theft resolved

A bug in the Chromium project allowed attackers to bypass site isolation protection through iFrames and popup windows to carry out a host of malicious activities.

The security weakness opens the door to a number of exploits including stealing private information, reading and modifying cookies, and gaining access to microphone and camera feeds.

The vulnerability – which was recently patched – was caused by a code change made to a previous version of the browser.

**Site isolation bypass**

Site isolation is a security feature that puts every origin’s renderer in a different process to prevent different websites in a browser from accessing each other’s data. The technology also allows the browser to assign each renderer a specific origin, which it calls “process locks.”

Process locks are checked before allowing sensitive actions requested by the origin. If a renderer pretends to be another origin, the browser will notice the process lock does not match and block access.

“Both techniques combined prevent memory-compromised renderers or logic bugs such as my bug from being able to read, modify, or perform sensitive actions related to another origin,” Alesandro Ortiz, the security researcher who discovered the bug, told The Daily Swig.

“There are other checks that are also used to enforce site isolation, but they’re less robust than process locks. This bug bypasses these less-robust checks.”

Catch up with the latest browser-related security news

According to Ortiz’s findings, the vulnerability is triggered if an embedded iFrame opens a new window, such as a popup or a new tab, with a specially crafted URL that keeps the initial navigation entry for the new window. It can then access the data of the top window.

“The initial navigation entry is supposed to inherit the origin of the opener, but the bug causes the navigation entry to inherit the origin of the top-most page,” Ortiz said.

**A broad range of attacks**

“There are only a couple of ways to trigger the bug, but there is a broad range of ways to exploit it,” Ortiz explained. In essence, anything that has not been protected by process locks can be exploited through the vulnerability.

Ortiz details some of these exploits in his report.

For example, in e-commerce websites, chat applications, and social networks, an attacker would be able to read cookies, IndexedDB data, and CacheStorage data, any of which may contain sensitive data, including authentication info for account access. In cases where the website has been granted access to the device’s microphone or camera, the attacker will be able to silently record the victim’s conversations or visible activity.

A potential attacker will also be able to receive messages from the website using postMessage, WebSockets, BroadcastChannel, and SharedWorkers communication APIs, which may contain sensitive data, including authentication info.

iFrame sandboxing can mitigate the attack if “allow-scripts” and “allow-popups” are not present. In some cases, the attack requires “allow-same-origin” to be enabled.

“Unfortunately, ‘allow-scripts’ and ‘allow-same-origin’ are fairly common, and ‘allow-popups’ is also present in many cases,” Ortiz said.

This is not the first time that a site isolation bypass bug has been discovered. However, most of the recent site isolation bypasses affect a single feature or a small subset of features while the latest vulnerability is more wide ranging in its effects.

“This bug is unusual in that it spoofs several different values that are used by many important features to enforce site isolation, hence the much wider impact,” Ortiz said. “Typically spoofing only one of these values would trigger either process lock checks or other site isolation checks.”

**Going down the rabbit hole**

In 2020, Ortiz discovered CVE-2020-6506, a Universal Cross-Site Scripting (XSS) bug in Android WebView (part of Chrome). The proof of concept (PoC) for that bug involved calling window.open() with a javascript: URL.

The PoC used a JavaScript dialog as one way to demonstrate impact. That PoC and a tip from another researcher helped Ortiz find the new bug.

“On March 30th, 2022, a researcher sent me a Twitter DM about potentially unexpected behavior when trying CVE-2020-6506’s PoC in Chrome,” Ortiz said. “The initial details were vague and I often get outreach from researchers confused about expected vs observed behavior regarding this CVE, but I try to chase down every reasonable lead.”

After some exploration, Ortiz realized the JavaScript dialog was showing the incorrect origin, a telltale sign of a potential security lapse.

“At this point I realized there was likely an interesting security issue here, so I kept investigating,” Ortiz said.

Ortiz submitted the initial Chromium security report knowing only the JavaScript dialog impact since that in itself was already a vulnerability.

“I kept investigating and quickly identified there were further impacts. The full investigation took a while, but I realized this was a wider-impact bug within a couple of hours of submitting the initial report,” he said.

The full bug report is an interesting study of going back and forth between researcher and vendor, all the while finding new exploits along the way.

**Bad coding**

According to Ortiz’s findings and the discussion thread on Chromium’s bug tracker, a misunderstanding of the logic behind the functions for opening new windows in the browser introduced the site isolation bypass in one of the commits in Chromium version 98. This bug was in Chrome Canary for about four months and in the Stable release for around two months before it was discovered.

“There are always interesting bugs even in secure software like major browsers,” Ortiz said. “Even the best of programmers accidentally make mistakes. I would have probably made the same mistake given the same circumstances as the commit author.”

“Different changes over time plus lack of context is usually a recipe for bugs, sometimes with security implications. I can't speak on behalf of the Chromium team, but I personally don't think there was a single point of failure here,” Ortiz concluded.

Ortiz was awarded $20,000 in bug bounty by the Google Vulnerability Reward Program (VRP) panel, of which he gave $4,000 to a collaborating researcher.

YOU MAY ALSO LIKE Chromium browsers vulnerable to dangling markup injection

Chromium site isolation bypass allows wide range of attacks on browsers

By Deeba Ahmed
According to the latest research findings from VirusTotal, cybercriminals and threat actors are increasingly relying on mimicked versions…
This is a post from HackRead.com Read the original post: VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

According to the latest research findings from **VirusTotal**, cybercriminals and threat actors are increasingly relying on mimicked versions of genuine, common-use apps such as Adobe Reader, Skype, and VLC Player to successfully conduct social engineering attacks.

**Findings Details**

In their study of malware, researchers at Google’s VirusTotal revealed that cybercriminals deploy numerous approaches to abuse the trust users have in many reputable apps.

The most widespread tactic is **mimicking legit apps to deliver malware**. In this technique, the app’s icon is replicated to gain the victim’s trust and convince them to use the mimicked app. The purpose behind this malicious new strategy is to bypass security solutions such as IP or domain-based firewalls on devices and spread malware via trusted domains.

Another commonly used attack tactic is stealing authentic signing certificates from legit software vendors and using them for signing the malware. Reportedly, since 2021, over one million signed samples had been declared suspicious.

Around thirteen percent of the samples checked by Google’s team didn’t have a valid signature when uploaded on VirusTotal for the first time, and over ninety-nine percent of them were DLL or Windows Portable Executable files.

This happens because the process of examining the validity of a signed file can be abused by malware stated VirusTotal security engineer Vicente Diaz. This becomes concerning when attackers start stealing legit certificates and creating an **ideal supply chain attack scenario**.

The third technique is incorporating legit installers as a portable executable resource into malicious samples to execute the installer when malware is run.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **US and China Exposed Most Databases Among 380k Found in 2021**
3.  **Fake reviews & third-party apps cause 50% of threats against Android**
4.  **134 million downloads in 85 countries: A look at VPN usage in H1 2020**
5.  **Google, Microsoft and Oracle generated the most vulnerabilities in 2021**
6.  **Google Drive accounted for 50% of malicious Office document downloads**

**Over 2 Million Suspicious Files Downloaded from Top Domains**

According to VirusTotal’s **blog post**, ten percent of the **top 1,000 Alexa domains** had distributed suspicious samples, including the domains commonly used for distributing files, and over 2 million shady files were downloaded from these domains.

Despite the technique’s simplicity, Diaz explains, it can effectively avoid raising red flags for the victim. That’s why many channels are becoming popular as potent malware distribution vectors. This includes the distribution of **cracked software**.

**Most Abused Websites and Apps**

The top three mimicked apps include the following:

*   Adobe Acrobat
*   VLC media player
*   Skype VoIP platform

When they researchers examined the URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.

> “Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective.”
> 
> VirusTotal

Furthermore, VirusTotal discovered 1,816 samples since January 2020 masquerading legit software by hiding the malware in installers for popular software like Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.

Other impersonated apps by icon were TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom, and WhatsApp. The abused domains included are discordappcom, squarespacecom, amazonawscom, mediafirecom, and qqcom. 

The reason why attackers are using these software and apps is unknown as yet but one reason could be their popularity, Diaz stated.

**More Malware News**

1.  **Malware families using Pay-Per-Install service to expand targets**
2.  **This malware hides behind free VPN, pirated security software keys**
3.  **Fake KPSPico Windows activator tool KPSPico steals crypto wallet data**
4.  **Malware droppers for hire targeting users on fake pirated software sites**
5.  **Researchers Warn of New Variants of ChromeLoader Browser in the Wild**

VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

We give you some tips as you gear up to return to school or college to ward off theft, and limit the impact should the worst happen.
The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

Posted: August 3, 2022 by  
Last updated: July 21, 2022

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it’s not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

**How to protect yourself against mobile device theft**

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

*   **Lock your device**. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
*   **Encrypt your data**. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way which requires the correct PIN to access the secured data. Older versions of Android used something called Full-Disk encryption. Newer versions use File-based encryption. iPhones and iPads have encryption as standard when using Face or Touch ID, or a passcode. You can check by going to **Settings > Face ID/TouchID & Passcode**. If you scroll to the bottom you should see “Data Protection is enabled”
*   **Turn on Find my phone**. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it’s likely to be turned on by default, but you can check by navigating to the “Find My” app.

**How to protect yourself against laptop theft**

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

*   **Don’t neglect physical security**. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
*   **Observe campus rules**. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
*   **Encrypt your device (again**). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
*   **Turn on Find your device**. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to **Start** > **Settings** > **Update & Security** > **Find my device**, and then select “**Change**” to finish configuring. On Mac, navigate to **System Preferences > AppleID > iCloud**. Select **Find My Mac** and click **Allow**.

****A tip for both mobiles and laptops****

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

**RELATED ARTICLES**

September 2, 2020 - With the pandemic in full swing, many US schools are empty, or rather, full of distance learners. How can parents make sure their kids stay secure in virtual instruction?

September 9, 2019 - A roundup of the latest cybersecurity news for the week of September 2 – 8, including TrickBot’s new trick, a social engineering toolkit, and how to keep remote workers safe.

August 14, 2017 - When you buy your child new devices, it's important to lay down some ground rules—especially when it comes to security. That's why we're providing you with a cybersecurity checklist you can use to prepare your children for the coming school year.

August 15, 2015 - Ahhhhh, back-to-school. The smell of freshly sharpened pencils. Blank notebooks and backpacks free of bottom-of-the-bag schmutz. New books with crackling spines. And, most importantly, your very own computer. Owning your own computer is a huge investment. It’ll hold all of your schoolwork, your photos, your browsing history. You don’t have to worry about clearing the...

**ABOUT THE AUTHOR**

Christopher Boyd  
Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

Tag

#android