An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).
Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.
"The most

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).

Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.

"The most worrying leitmotif is the increasing attention to On-Device Fraud (ODF)," Dutch cybersecurity company ThreatFabric said in a report shared with The Hacker News.

"Just in the first five months of 2022 there has been an increase of more than 40% in malware families that abuse Android OS to perform fraud using the device itself, making it almost impossible to detect them using traditional fraud scoring engines."

Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC accounted for the most active banking trojans based on the number of samples observed during the same period.

Accompanying this trend is the continued discovery of new dropper apps on Google Play Store that come under the guise of seemingly innocuous productivity and utility applications to distribute the malware -

*   Nano Cleaner (com.casualplay.leadbro)
*   QuickScan (com.zynksoftware.docuscanapp)
*   Chrome (com.talkleadihr)
*   Play Store (com.girltold85)
*   Pocket Screencaster (com.cutthousandjs)
*   Chrome (com.biyitunixiko.populolo)
*   Chrome (Mobile com.xifoforezuma.kebo)
*   BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)

What's more, on-device fraud — which refers to a stealthy method of initiating rogue transactions from victim's devices — has made it feasible to use previously stolen credentials to login to banking applications and carry out financial transactions.

To make matters worse, the banking trojans have also been observed constantly updating their capabilities, with Octo devising an improved method to steal credentials from overlay screens even before they are submitted.

"This is done in order to be able to get the credentials even if \[the\] victim suspected something and closed the overlay without actually pressing the fake 'login' present in the overlay page," the researchers explained.

ERMAC, which emerged last September, has received noticeable upgrades of its own that allow it to siphon seed phrases from different cryptocurrency wallet apps in an automated fashion by taking advantage of Android's Accessibility Service.

Accessibility Service has been Android's Achilles' heel in recent years, allowing threat actors to leverage the legitimate API to serve unsuspecting users with fake overlay screens and capture sensitive information.

Last year, Google attempted to tackle the problem by ensuring that "only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools."

But the tech giant is going a step further in Android 13, which is currently in beta, by restricting API access for apps that the user has sideloaded from outside of an app store, effectively making it harder for potentially harmful apps to misuse the service.

That said, ThreatFabric noted it was able to bypass these restrictions trivially by means of a tweaked installation process, suggesting the need for a more stricter approach to counteract such threats.

It's recommended that users stick to downloading apps from the Google Play Store, avoid granting unusual permissions to apps that have no purpose asking for them (e.g., a calculator app asking to access contact lists), and watch out for any phishing attempts aimed at installing rogue apps.

"The openness of Android OS serves both good and bad as malware continues to abuse the legitimate features, whilst upcoming restrictions seem to hardly interfere with the malicious intentions of such apps," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware, spyware or steal data from browser sessions, researchers warn.

ChromeLoader may seem on the surface like a run-of-the-mill browser hijacker that merely redirects victims to advertisement websites. However, its use of PowerShell could pose a greater risk by leading to further and advanced malicious activity, such as the propagation of ransomware or spyware or theft of browser-session data.

Researchers are warning of the potential for ChromeLoader—which has seen a resurgence in activity recently—to pose a more sophisticated threat than typical malvertisers do, according to two separate blog posts by Malwarebytes Labs and Red Canary.

ChromeLoader is a pervasive and persistent browser hijacker that eventually manifests as a browser extension, modifying victims’ Chrome settings and redirecting user traffic to advertisement websites. On Windows machines, victims become infected with the malware through ISO files that poses as a cracked video game or pirated films or TV programs, researchers said.

 However, ChromeLoader is platform agnostic, which means users of macOS also are at risk from infection, according to a blog post from Malwarebytes Lead Malware Intelligence Analyst Christopher Boyd. However, instead of lurking in ISO files, attackers use DMG (Apple Disk Image) files, a more common macOS format, to hide ChromeLoader, he said.

While its core functionality is fairly benign, ChromeLoader has a unique feature in that it uses PowerShell to inject itself into the browser and add a malicious extension to it—”a technique we don’t see very often (and one that often goes undetected by other security tools),” warned Aedan Russell from Red Canary’s Detection Engineering team in a blog post.

“If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” he wrote.

****The Infection Process****

ChromeLoader lurks in bogus files that are promoted on Twitter and through other services, or found on rogue and torrent sites offering pirated video games and other media for free download, researchers said.

“Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites,” Boyd explained.

Double clicking the ISO file mounts it as a virtual CD-ROM, with the ISO’s executable claiming to be the content that the victim originally was looking for, he wrote.

“Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler,” according to Red Canary’s Russell. “This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.”

Once installed, ChromeLoader uses a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task so the victim has no idea that their browser has been compromised, Boyd said.

“At this point, search results cannot be trusted and bogus entries will be displayed to the user,” he wrote.

ChromeLoader uses the same bait—pirated videos or cracked games—to lure macOS users, but the infection process is a bit different, Russell explained. On macOS machines, ChromeLoader uses aDMG file that contains an installer script that can drop payloads for either Chrome or Safari instead of a portable executable file.

“When executed by the end user, the installer script then initiates cURL to retrieve a ZIP file containing the malicious browser extension and unzips it within the private/var/tmp directory, finally executing Chrome with command-line options to load the malicious extension,” he wrote.

****Mitigation and Detection****

Researchers offered mitigation advice as well as both user- and administrator-level ways to detect if a system has been infected with ChromeLoader.

One obvious tip is to avoid downloading pirated software or videos, which Boyd warned “is a very risky business,” not to mention illegal.

“If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices,” he wrote.

Users also can click on the “More” icon, then “More Tools -> Extensions” from the drop-down list in Chrome to see everything that’s installed, active or disabled, along with additional information about all extensions present. From there is anything looks dodgy, Google offers steps to reset browser settings or clean things up, he said.

Red Canary offered more advanced detection tactics based on ChromeLoader’s use of PowerShell to find out if a browser has been infected.

One is to search for PowerShell containing a shortened version of the encodedCommand flag in its command line, which can find the execution of encoded PowerShell commands. Another is to looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\\local as a parameter.

In macOS, security administrators can search forsh or bash scripts running in macOS environments with command lines associated with the macOS variant of ChromeLoader, as well as the execution of encoded sh, bash, or zsh commands on macOS endpoints to know if a browser has been infected.

ChromeLoader Browser Hijacker Provides Gateway to Bigger Threats

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft's update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.

Posts from the last week on Malwarebytes Labs describing all the latest news, exploits, scams, and more.
The post A week in security (May 23 – 29) appeared first on Malwarebytes Labs.

Posted: May 30, 2022 by

**RELATED ARTICLES**

May 17, 2022 - AirTag stalking is in the news as bills look to close loopholes used by stalkers. What are AirTags, and how can they be used to track people?

May 9, 2022 - Google and all its products can dominate the average person's life. Here's an in-depth guide on how to remove yourself from their ecosystem.

May 5, 2022 - Google has released updates for Android and its Pixel phone. We discuss the three vulnerabilities that were classified as critical.

April 29, 2022 - Google has been busy. After introducing badges for browser apps, it's also launched its "nutrition labels" for apps.

April 12, 2022 - We take a look at a collection of apps which were all harvesting user data via an SDK promising "monetisation".

A week in security (May 23 – 29)

By Deeba Ahmed
The new WhatsApp scam is currently targeting users in India. On May 23rd, 2022, the founder and CEO…
This is a post from HackRead.com Read the original post: New WhatsApp OTP Scam Allows Scammers to Hijack Your Account

**The new WhatsApp scam is currently targeting users in India.**

On May 23rd, 2022, the founder and CEO of CloudSEK, a contextual AI firm, Rahul Sasi, shared details of a new WhatsApp scam where threat actors try to hijack users’ accounts through phone calls.

The scam is somewhat unconventional as the victim receives a call from the attacker, who convinces them to make a call at a number starting either with 405 or 67. After the call, the victim is logged out of their WhatsApp account, and hackers hijack them, gaining complete control of the accounts. Here’s how Sasi explained the entire attack scenario on Twitter.

“First, you receive a call from the attacker who will convince you to make a call to the following number \*\*67\*<10 digit number> or \*405\*<10 digit number>. Within a few minutes, your WhatsApp would be logged out, and the attackers would get complete control of your account.”

**How does the WhatsApp hack work?**

According to Sasi, the number used for the fraudulent call is a service request for Airtel and Reliance Jio for Call Forwarding when a number is engaged. The scammer forwards the victim’s call to a number they own and quickly starts the WhatsApp registration process for the victim’s number.

They choose the option of sending an OTP through phone calls. Because the phone is engaged, the code goes straight to the attacker’s phone. That’s how the attacker gains control of the victim’s WhatsApp account while they get logged out.

Rahul Sasi on Twitter

Although the scam is targeting WhatsApp users in India at the moment, Sasi explained that attackers could hack anyone’s WhatsApp account if the hacker gets physical access to the phone and makes calls using this trick.

Since every country and service providers use somewhat similar service request numbers, this trick can have a global impact. The only way to protect yourself is avoiding to respond to calls from unknown numbers and not making calls to such numbers.

**More WhatsApp Security and Scam News**

1.  WhatsApp Pink is malware spreading through group chats
2.  Watch out as new Android malware spreads through WhatsApp
3.  Authorities lost track of suspect after WhatsApp hacking warning
4.  Fake Netflix app on Play Store caught hijacking WhatsApp sessions
5.  Man pleads guilty to selling WhatsApp hacking tool and Signal Jammers

New WhatsApp OTP Scam Allows Scammers to Hijack Your Account

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

Plus: A $150 million Twitter fine, a massive leak from a Chinese prison in Xinjiang, and an ISIS plot to assassinate George W. Bush.

After another week of dismally tragic news and moral failures by the powerful, it's good to know that you can at least depend on the small things, like "privacy-focused" search engine and browser DuckDuckGo resisting the temptation to sell out and help corporations to surveil its users. Oh, wait.

Yes, a security researcher revealed this week that even DuckDuckGo, which markets itself as "the internet privacy company," made an exception for its business partner Microsoft to its browser's blocking of some advertising trackers on websites, sparking accusations of betraying its purported privacy ethos. The milkshake-ducking of DuckDuckGo comes amid a rising awareness of how the stakes of online surveillance are rising as signs grow that the US Supreme Court will overturn _Roe v. Wade_’s protections on abortion rights: A new report this week from the Surveillance Technology Oversight Project laid out all the technological means available to law enforcement and private litigants to surveil those seeking abortions, should _Roe_ be struck down. And more than 40 members of Congress called on Google to stop tracking location data in Android ahead of a potential _Roe_ reversal.

In other privacy news, we looked at how the European Union's General Data Protection Regulation has failed to meaningfully curb Big Tech's privacy abuses four years after its passage. Australia's digital driver’s licenses turn out to be far too easy to forge. China has been saber-rattling with accusations about American cyberespionage. We spoke to the inventor of the browser "cookie" about how to handle cookie settings for privacy—and those ubiquitous cookie-related pop-ups on websites. And we also interviewed the CEO of Protonmail, now rebranded as just Proton, about its ambitions to offer a broader range of privacy-focused services beyond email—hopefully without, ahem, surveillance exceptions for its business partners.

But there's more. As usual, we’ve rounded up all the news that we didn’t break or cover in-depth this week. Click on the headlines to read the full stories. And stay safe out there.

Cybersecurity and privacy researcher Zach Edwards discovered a glaring hole in the privacy protections of DuckDuckGo's purportedly privacy-focused browser: By examining the browser's data flows on Facebook-owned website Workplace.com, Edwards found that the site's Microsoft-placed tracking scripts continued to communicate back to Microsoft-owned domains like Bing and LinkedIn. DuckDuckGo CEO Gabriel Weinberg responded to Edwards on Twitter, admitting that "our search syndication agreement prevents us from stopping Microsoft-owned scripts from loading"—essentially admitting that a partnership deal DuckDuckGo struck with Microsoft includes creating a carveout that lets Microsoft track users of its browsers. Weinberg added that DuckDuckGo is "working to change that." (A company spokesperson reiterated in an email to WIRED Weinberg's assertion that none of this applies to DuckDuckGo search, adding that both its search and its browser offer more privacy protections than the competition.) In the meantime, the revelation blew a glaring hole of its own in the company's reputation as a rare privacy-preserving tech firm. Turns out this surveillance capitalism thing is pretty hard to escape.

Staying on that surveillance capitalism theme, Twitter agreed this week to pay a $150 million fine after the Federal Trade Commission and the US Department of Justice accused it of selling user data that it had collected under the guise of security. Twitter had asked users to share the emails and phone numbers for security purposes, such as two-factor authentication and account recovery, but had ultimately sold the data to advertisers seeking to target ads to its users. That bait-and-switch violated an agreement Twitter made with the FTC in 2011 after earlier privacy misbehavior.

If the world had any doubts that China's"re-education camps" for Muslim minorities in its Xinjiang region were in fact prisons with euphemistic names, a massive leak known as the Xinjiang Police Files should correct that delusion. The leak, provided by an unknown source to researcher Adrien Zenz, who in turn provided the info to a group of global media outlets, includes a vast collection of tens of thousands of internal files, manuals, and even detailed photos revealing life in one of Xinjiang's prisons. The files reveal, for instance, shoot-to-kill orders for any prisoner attempting to escape the camps, and guidelines for shackling the inmates when they're transferred between different parts of the facility—hardly the practices of a "vocational school," as China describes the camps to the world. It also includes photos of the camp's detainees, who were as young as 15 and as old as 73, often jailed for years without trial for offenses as simple as studying Islamic texts.

In a strange replay of events from 2016, Google researchers and the UK government revealed that a site publishing leaked documents from a group of pro-Brexit UK politicians was, in fact, created by Russia-based hackers. The site, called Very English Coop d'Etat, described its collection of leaked emails as coming from an influential group of hardline right-wing Brexit supporters, including former MI6 head Richard Dearlove. But Google's Threat Analysis Group told Reuters that the site appears to have been created by a Russian hacker group it calls Cold River. Former UK intelligence head Dearlove cautioned that the leak of his emails should be understood to be a Russian influence operation, especially given the West's current icy relations with Russia over its illegal and unprovoked invasion of Ukraine.

An accidentally unsealed warrant, spotted by Forbes, revealed that an Iraqi man had allegedly sought to assassinate former president George W. Bush in Dallas, going so far as to take video of Bush's home in November. According to the warrant, the FBI says it foiled the plot through the use of a confidential informant and surveillance of the would-be assassin's WhatsApp messages' metadata. The case shows how, despite law enforcement's claims that end-to-end encryption can stymy its investigations, the FBI has managed to monitor encrypted apps like WhatsApp and even penetrate communications on them through the use of undercover informants.

Tag

#android