Hackers with Amazon users’ authentication tokens could’ve stolen or encrypted personal photos and documents.

Hackers with Amazon users’ authentication tokens could’ve stolen or encrypted personal photos and documents.

The Amazon Photos app for Android insufficiently protected user access tokens, according to a blog post published on Wednesday.

Theoretically, with exposed tokens, an attacker could’ve accessed users’ personal data from a number of different Amazon apps – not just Photos but also, for example, Amazon Drive. They also could have performed a ransomware attack, locking up or permanently deleting photos, documents and more.

The findings were first reported to Amazon’s Vulnerability Research Program on November 7th of last year. On December 18th, Amazon announced that the issues had been fully resolved.

**Loose Tokens**

To authenticate users across various apps within their ecosystem, like other software suite vendors, Amazon uses access tokens. It’s convenient for users, but also, potentially, for attackers.

In their report, researchers from Checkmarx described how access tokens naturally leaked through an Amazon application programming interface (API) through “a misconfiguration of the com\[.\]amazon\[.\]gallery\[.\]thor\[.\]app\[.\]activity\[.\]ThorViewActivity component, which is implicitly exported in the app’s manifest file” – manifest files describe critical application information to the Android OS and Google Play store – “thus allowing external applications to access it. Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer’s access token.” In a video explainer, they put it in simpler terms:

“You can think of it as the password being sent to other apps in plaintext.”

In addition to third-party applications, the same unsecure token was also shared with Amazon Drive – used for file storage and sharing.

**Attackers Could’ve Stolen, Deleted Data**

There are any number of ways in which an attacker could’ve leveraged unsecured access tokens.

For example, with a malicious third-party app installed on the victim’s phone, they could’ve redirected the token in a way “that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker.” From there, the attacker could have accessed all kinds of personal information a victim had stored in Amazon Photos.

Because the tokens also leaked to Amazon Drive, attackers could’ve found, read, or even unrecoverably deleted files and folders in a victim’s Drive account.

And “with all these options available for an attacker,” the researchers speculated, “a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history.”

It’s unclear just how many apps could’ve been targeted with such loose access tokens, as only a small number of Amazon APIs were analyzed for the report. The real scope could be quite a bit greater. Erez Yalon, vice president of security research at Checkmarx, reflected on the implications, in a statement to Threatpost via email:

“In an era where we all blindly trust our technology suppliers and gladly store all our private and most coveted secrets on someone’s cloud, a reminder is necessary that these incidents might happen even to the best (Amazon.)”

Leaky Access Tokens Exposed Amazon Photos of Users

The now-patched bug allows an attacker to gain full access to a user's Amazon files.

A high-severity flaw in the Amazon Photos Android App — which has more than 50 million downloads — could allow attackers to steal a user's Amazon access token and use it to access multiple Amazon APIs.

The team at Checkmarx alerted Amazon to the broken authentication vulnerability in the Amazon Photo App for Android, which allows users to share, print, and store mobile photos.

The analysts said the bug is due to a component misconfiguration in the app's manifest file.

"Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer's access token," the team said. After receiving the request, the analysts found they could also gain control of the server.

The report added that, "with all these options available for an attacker, a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history."

To protect themselves, users should update to the latest version of the app. Checkmarx researchers said that downloads made before Dec. 18 are affected if users haven't updated the app since then.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Broken Authentication Vuln Threatens Amazon Photos Android App

Other applications using binary to extract untrusted archives are potentially vulnerable too

Other applications using binary to extract untrusted archives are potentially vulnerable too

A path traversal vulnerability in RarLab’s UnRAR binary can lead to remote code execution (RCE) on business email platform Zimbra and can potentially affect other software.

The UnRAR utility is used to extract RAR archives to a temporary directory for virus-scanning and spam-checking purposes.

However, a recently patched file-write flaw (CVE-2022-30333) means an unauthenticated attacker can “create files outside of the target extraction directory when an application or victim user extracts an untrusted archive”, according to a blog post published by Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource).

Catch up with the latest security research news

If malicious hackers manage to write to a known location, continued Scannell, they could potentially execute arbitrary commands on the system.

Successful exploitation of the high severity (CVSS 7.5) issue on Zimbra, an open source platform used by more than 200,000 businesses, “gives an attacker access to every single email sent and received on a compromised email server”.

They can also silently backdoor login functionalities and steal users’ credentials, as well as escalate access to an organization’s other internal services, warned Scannell.

**Symlink protection bypass**

The flaw resides in UnRAR’s mechanism for preventing symbolic link (symlink) attacks on Unix systems, whereby the function for validating relative symlinks, ,checks if the symlink target contains on Unix or on Windows.

This check can, however, be negated due to the fact that untrusted input is sometimes modified after it has been validated, which breaks assumptions made during the validation step.

Specifically, once the symlink has been validated, UnRAR converts backslashes (\\) to forward slashes (/) with to ensure that a RAR archive created on Windows can be extracted on a Unix system.

“By exploiting this behavior, an attacker can write a file anywhere on the target filesystem,” said Scannell.

**RCE on Zimbra**

Since the Amavis content filter used by Zimbra to analyze extracted files operates as the Zimbra user, added Scannell, the file-write primitive allows the creation and overwriting of files in other services’ working directories too.

The researcher detailed how an attacker could achieve RCE on Zimbra by writing a JSP shell to the web directory, using a file-based command injection, or creating an SSH key.

Sonar notified RarLab of the flaw on May 4, 2022, and a security patch was included with version 6.12 binaries, which were released on May 6.

Zimbr developer Synacor was also warned about the flaw on May 4 so it could warn users to patch their cloud instances.

A blog post detailing the technicalities was published yesterday (June 28).

Only Unix binaries – excluding Android – and implementations using RarLab’s code are affected.

Scannell thanked RarLab’s developers for “their very fast and professional handling of this issue”, and shouted out Zimbra’s security team for “warning their customers to help prevent exploitation”.

Zimbra is something of a specialty for Sonar, whose researchers have in the last 12 months discovered a bug chain leading to full Zimbra server compromise, an XSS flaw that powered spear phishing campaigns, and, only two weeks ago, a memcached injection vulnerability that imperilled login credentials.

RELATED Business email platform Zimbra patches memcached injection flaw that imperils user credentials

UnRAR path traversal flaw can lead to RCE in Zimbra

A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions.
The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.

Google’s Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users’ mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.

Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.

Hermit affects Android and iOS devices and is described as a modular spyware. This means it can download pieces of itself (modules) for additional functionalities, making it customizable to suit client needs, from a C2 (command and control) server.

Unlike NSO’s Pegasus, Hermit is not as stealthy. But at its core, it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint precise locations of victims.

Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google’s report, these are the following exploits:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed.
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste.
*   CVE-2020-9907 internally referred to as AveCesare.
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
*   CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target’s ISP—to socially engineer targets into downloading the spyware masquerading as a tool to “fix” their internet connection.

Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit’s Firebase account, which it uses to communicate with its C2.

When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:

> RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.

Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we’ve seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.

Hermit spyware is deployed with the help of a victim’s ISP

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.
The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.

The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of version 6.12 released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.

"An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive," SonarSource researcher Simon Scannell said in a Tuesday report. "If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system."

It's worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization's network.

The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., "..\\..\\..\\tmp/shell") so as to bypass current checks and extract it outside of the expected directory.

More specifically, the weakness has to do with a function that's designed to convert backslashes ('\\') to forward slashes ('/') so that a RAR archive created on Windows can be extracted on a Unix system, effectively altering the aforementioned symlink to "../../../tmp/shell."

By taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra's web directory and execute malicious commands.

"The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking," Scannell noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

Your smartphone is your daily companion. The chances are that most of our activities rely on them, from ordering food to booking medical appointments. However, the threat landscape always reminds us how vulnerable smartphones can be. 
Consider the recent discovery by Oversecured, a security startup. These experts observed the dynamic code loading and its potential dangers. Why is this a problem?

Your smartphone is your daily companion. The chances are that most of our activities rely on them, from ordering food to booking medical appointments. However, the threat landscape always reminds us how vulnerable smartphones can be.

Consider the recent discovery by Oversecured, a security startup. These experts observed the dynamic code loading and its potential dangers. Why is this a problem? Well, the Google app uses code that does not come integrated with the app itself. Okay, this might sound confusing, but it all works in favor of optimizing certain processes. Thus, Google exploits code libraries pre-installed on Android phones to reduce their download size. In fact, many Android apps use this trick to optimize the storage space needed to run.

As revealed by Oversecured, perpetrators could compromise this retrieval of code from libraries. Instead of Google obtaining code from a reliable source, it could be tricked into taking code from malicious apps operating on the device in question. Thus, the malicious app could gain the same permissions as Google. And the latter giant typically gets access to your email, search history, call history, contacts, and more.

The scariest part: everything can happen without your knowledge. Let's discuss other spooky threats currently daunting mobile devices.

**Top Mobile Security Threats****Data Leaks**

When you download a new app on your smartphone and launch it, you must pay attention to the pop screen that appears. It is a permission popup, the request of providing a few permissions to the app. Sadly, granting extensive permissions to dangerous apps can have severe consequences. Hackers can hack the database where all this information is stored, and all your data can be leaked.

But, with some recent development in Android 11 and IOS 14, users can deny unnecessary permission requests or even grant them for one time only. Never give apps all the permissions, see what permission they need to run, and grant only those.

Therefore, it is crucial to protect the device by not using any public Wi-Fi hotspot. Remember, never get lured by a "Free Wi-Fi" hung hanged in any coffee shop, restaurant, or hotel.

**Spyware Pretending to be an Update**

Bug fixes, longevity, and overall safety boost are the three main reasons why you should always update your OS. However, there are cases when you must fight this instinct. If you find a random application called System Update, be wary of its true nature. As reported, this malicious Android threat pretends to be a system update. Sadly, its true intentions are much more sinister. Once installed (outside Google Play, which is already a dangerous practice), the app starts stealing victims' data. How? Well, it connects to the perpetrators' Firebase server, the tool used to take remote control of the infected device.

What can this spyware steal? Basically, anything. Your messages, contacts, browser bookmarks, and more are up for grabs. An even more frightening reality is that it can record phone calls, monitor your location, and steal photos.

**Malware via SMS Messages**

We all know the feeling of receiving bizarre SMS messages. But sometimes, such attempts are nothing but social engineering scams. A recently discovered TangleBot is one of the recent examples, stepping into the mobile threat landscape.

Apparently, the malware gets distributed via fake messages sent to users across the US and Canada. Mostly, they provide certain COVID-19 information and urge recipients to click on embedded links. If users click on the link, they are led into a website urging them to install an Adobe Flash update. If you decide to install it, TangleBot proudly enters your system. What can it do? Many things, from stealing data and taking control over certain apps.

**How to Defend Your Device?**

*   **Use updated operating systems**. Use only the latest operating systems like Android 11 and 12, as they have the newest security codes. However, install updates from reliable sources only. A random app floating online is not the right choice to keep your device up to date.
*   **Firewalls**. Always have a firewall securing your device. It works like a regular firewall. When your mobile device sends a request to a network, the firewall forwards a verification request to the network. Additionally, it contacts the database to verify the device.
*   **Be careful on app stores**. Even if you trust Google Play Store, do not install every app available. It is a known fact that many applications available are far from reliable. For instance, you could accidentally download cryptocurrency mining malware, banking Trojans, or intrusive adware.
*   **Use a VPN**. If you are in a position where you cannot avoid the use of public Wi-Fi, you need to download VPN apps. They will hide all your activities from hackers lurking on the network, and it will protect your sensitive information.
*   **Do not jailbreak your device**. iPhones can be somewhat restrictive. Thus, many might consider jailbreaking them to get the opportunity to customize their devices. However, a jailbroken smartphone is more vulnerable; you will likely lose your warranty and struggle to install the necessary updates.

**Conclusion**

The mobile threats are evolving with time, and they will keep on improving further as well. But that's not what we have to care about. The only thing that needs our concern is our security and privacy. Therefore, one must take all the precautionary measures to evade potential danger.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Overview of Top Mobile Security Threats in 2022

A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA.
Said to be in its early stages of development, the malware — dubbed Revive by Italian cybersecurity firm Cleafy — was first observed on June 15, 2022 and distributed by means of phishing campaigns.
"The name Revive has been chosen since one of the

A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA.

Said to be in its early stages of development, the malware — dubbed **Revive** by Italian cybersecurity firm Cleafy — was first observed on June 15, 2022 and distributed by means of phishing campaigns.

"The name Revive has been chosen since one of the functionality of the malware (called by the \[threat actors\] precisely 'revive') is restarting in case the malware stops working, Cleafy researchers Federico Valentini and Francesco Iubatti said in a Monday write-up.

Available for download from rogue phishing pages ("bbva.appsecureguide\[.\]com" or "bbva.european2fa\[.\]com") as a lure to trick users into downloading the app, the malware impersonates the bank's two-factor authentication (2FA) app and is said to be inspired from open-source spyware called Teardroid, with the authors tweaking the original source code to incorporate new features.

Unlike other banking malware that are known to target a wide range of financial apps, Revive is tailored for a specific target, in this case, the BBVA bank. That said, it's no different from its counterparts in that it leverages Android's accessibility services API to meet its operational objectives.

Revive is mainly engineered to harvest the bank's login credentials through the use of lookalike pages and facilitate account takeover attacks. It also incorporates a keylogger module to capture keystrokes and the ability to intercept SMS messages received on the infected devices, primarily one-time passwords and 2FA codes sent by the bank.

"When the victim opens the malicious app for the first time, Revive asks to accept two permissions related to the SMS and phone calls," the researchers said. "After that, a clone page (of the targeted bank) appears to the user and if the login credentials are inserted, they are sent to the \[command-and-control server\] of the TAs."

The findings once again underscore the need to exercise caution when it comes to downloading apps from third-party untrusted sources. The abuse of sideloading has not gone unnoticed by Google, which has implemented a new feature in Android 13 that blocks such apps from using accessibility APIs.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Android Banking Trojan 'Revive' Targeting Users of Spanish Financial Services

If you use a mix of Apple, Android, and Windows gadgets, you're in luck: The security tool is now available to any Microsoft 365 subscriber.

Microsoft Defender, the company’s security app, is now available to any individual who has a subscription to Microsoft 365, the online productivity suite that includes Word, Excel, and more. Different from the previously released Microsoft Defender software that was built exclusively into Windows computers, this version is available on Windows, Android, macOS, and iOS devices.

Owners of Windows computers without Microsoft 365 don’t need to sweat; Microsoft is still preinstalling software on Windows to protect against viruses and other malware. That software is now simply branded as Windows Security. Beyond accessing a security dashboard where all your connected devices are visible, there’s not a lot of extra incentive for Windows owners to download the new Microsoft Defender app.

Microsoft is extending protection options to Mac and smartphone owners who use Microsoft 365. Not all devices receive the same protections, however. For example, on the Mac, anti-malware protection is provided by Microsoft Defender, while web protection is not.

On the other hand, iPhones and Android devices are able to use web protection from Microsoft Defender. The web protection runs a virtual private network on your smartphone in the background and tries to intervene if any dangerous hyperlinks appear. Microsoft claims that the data from your browsing history is stored on-device and not shared with the company. Learn even more about VPNs and boosting your digital privacy with WIRED senior writer and reviewer Scott Gilbertson’s guide to the best VPNs. In addition to web protection, the anti-malware protection from Microsoft Defender is supported for Android phones.

The new Microsoft Defender app is designed to be used specifically by consumers—as in families and individuals. Although the names are similar, Microsoft Defender for Endpoint is a separate security suite for businesses. Microsoft has guidance on its website to help you understand the Endpoint version and how to switch between accounts.

If you aren’t a Microsoft 365 subscriber but want to get Microsoft Defender, a personal plan costs $70 a year, and a family plan for up to six people costs $100 a year. With a subscription to Microsoft 365, you get OneDrive cloud storage access, in addition to both online and downloadable versions of popular software like Microsoft Word, Excel, and Powerpoint. (Check out this article from WIRED contributor David Nield if you’re on the hunt for a free version of Microsoft Word.)

So who will benefit from the new Microsoft Defender? The features offered are slim at the moment, and it might not be as involved as software from Norton or McAfee, but that may be a good thing considering Defender is more lightweight than either of those options. Keeping that in mind, the large quantity of devices tracked from a single dashboard could be a boon for family leaders trying to keep an eye on the whole crew’s security across multiple devices.

Subscribers to the Microsoft 365 individual plan can get Microsoft Defender to protect five devices at once. For those on the family plan, you can simultaneously shield up to 30 devices. The suite will send you alerts whenever Grandma downloads malware onto her computer (again) or the teens on their smartphones click a malicious link.

Searching for even more strategies to beef up your digital security? WIRED has helpful advice on everything from password protecting your files to keeping those spicy pics private. You wouldn’t leave your front door unlocked while running errands, and with so much of our lives experienced online, taking protective measures on your computer and smartphone makes just as much sense.

How to Use Microsoft Defender on All Your Devices

It's never been easier to switch between iPhone and Android—and to get your messages out of the Meta ecosystem entirely.

Since early 2016, WhatsApp has protected messages and conversations sent in its app with end-to-end encryption. This means that nobody other than the sender and receiver of messages can read their content—not even Meta can read or snoop on the contents of your conversations.

Despite WhatsApp being omnipresent—more than 2 billion people use it each month—securely moving your encrypted chats and photos to different platforms or apps has been a challenge. Transferring your WhatsApp chats from Android to iPhone and from iPhone to Android has historically only been possible using third-party apps. These apps are often fiddly and don’t necessarily protect your data at the level offered by WhatsApp’s ecosystem.

But in recent months WhatsApp has made it possible to officially switch between iPhones and Android (and vice versa), rolling out processes to securely move data between operating systems and working with phone manufacturers to enable the move.

If you’re fed up with Meta’s ecosystem, it’s also possible to move your groups and some chat data to other messaging apps. Here’s how to move all of your WhatsApp chats and backups.

Android to iPhone

Moving your WhatsApp account from Android to an iPhone involves a few steps. But it should be possible to bring most of your information with you: Your profile photo, individual and group chats, history, photos, videos, and settings can all make the jump from one device to another. Your call history and display name can’t be moved across, however, WhatsApp says.

Most of the work in moving your WhatsApp data comes before you make the shift. To move between devices, you need to ensure you have the same phone number on each. Before you start the process, make sure you have a recently updated version of WhatsApp on your Android phone. You also need to be running at least Android 5 on the device you’re moving from and iOS 15.5 on the iPhone you’re moving to. (The iPhone needs to be a new device or have been recently reset to its factory settings.)

Next, download and install the “Move to iOS” app from Google’s Play Store—this Apple-owned app will do all the heavy lifting. When you’re ready to migrate your data, plug both devices into a power source and connect both phones to the same Wi-Fi network. (If you don’t have a Wi-Fi network, it’s possible to use a hotspot to connect your Android phone to the iPhone.)

When both phones are on the same network, open up the “Move to iOS” app on the Android phone and follow the instructions to connect the two phones. Then select WhatsApp as the data source you want to transfer from, and the app will prepare your chats to be moved across—final prompts will confirm you want to make the switch.

This process will log you out of WhatsApp on your Android phone, and you’ll need to download the app on the iPhone you are moving to. When you first use WhatsApp on this iPhone, it’ll ask you to use the same number as on the Android device and prompt you to complete the transfer process. When the process is complete, if you are getting rid of your old phone, make sure to do a factory reset and wipe all your data.

iPhone to Android

It’s been possible to transfer your WhatsApp chat history from iPhones to Android devices since October 2021. This transfer process includes your photos, messages, voice messages, and group conversations.

The compatibility was first rolled out for Samsung phones but has since expanded to include Google Pixel phones and all devices running Android 12. To make the move, you’ll need a USB-C-to-Lightning cable to physically connect the two devices, Google explains. “When prompted while setting up your new Android device, scan a QR code on your iPhone to launch WhatsApp,” the company says in a blog post. Alternatively, in WhatsApp you can go to **Settings** > **Chats** > **Move Chats to Android** and follow the transfer prompts.

WhatsApp’s guide to moving your chats between iPhones and Samsung devices says you will need the Samsung SmartSwitch app installed on the new phone and the same phone number on both devices. As with moving from Android to an iPhone, make sure you delete or wipe your old phone if you’re getting rid of it.

WhatsApp to Signal

Signal is widely considered the best messaging app for security and privacy. Check out our guide to switching your text messages to Signal and moving your messages between devices. While you can’t directly move your WhatsApp chat history to Signal, there are some things you can do to make the switch more straightforward.

It’s possible to easily recreate your WhatsApp groups on Signal—although getting all your family and friends to ditch the Meta-owned app may be more of a challenge. To recreate your groups, open the Signal app and start a new group by tapping the **pencil icon**. When you are asked to add people from your contacts, **tap on Skip** and instead pick the option to get a link to invite people to the group (a QR code is also available). From here, you can share this link with your WhatsApp chats and allow people to move over.

WhatsApp to Telegram

Unlike Signal and WhatsApp, Telegram is not end-to-end encrypted by default. As a result, security experts often warn against using Telegram. However, if you still want to use Telegram, it’s possible to move your chat history from one app to the other.

On both iOS and Android, open the chat you want to move to Telegram and click on the chat’s name or details (using _⋮_ on Android). From here, tap **Export Chat** and when you get the choice of where to **share** the chat, pick Telegram. When exporting chats from WhatsApp to Telegram, you have the choice to take photos and videos with you, or just chat messages.

Back up your WhatsApp chats

You can also back up your WhatsApp conversations in the cloud. This allows you to keep your messages and photos safe if you’re moving from one iPhone to another iPhone or Android to Android—for instance, if you upgrade or break your device and replace it with one using the same operating system.

Until September 2021, WhatsApp didn’t end-to-end encrypt backups, creating a potential security risk and exposing people’s chats to requests from law enforcement. However, the company has since closed that loophole, so it’s now much less of a risk to have your chats backed up to iCloud or Google’s Cloud. To back up to either platform, you will need a Google Drive account or an iCloud account.

On Android, in WhatsApp go to **More options** > **Settings** > **Chats** > **Chat backup** > **Back up to Google Drive**. While on iOS go to WhatsApp **Settings** > **Chats** > **Chat Backup** > **Back Up Now**. You’ll then be able to set the frequency of your backups and elect whether data-heavy videos are included.

How to Move Your WhatsApp Chats Across Devices and Apps

By Deeba Ahmed
According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute…
This is a post from HackRead.com Read the original post: ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

****According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy.****

Google Threat Analysis Group published its findings on the highly sophisticated Hermit spyware. Report authors Benoit Sevens and Clement Lecigne wrote that an Italian spyware provider, RCS Labs, received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy using commercially available surveillance tools. 

**Drive-By-Downloads to Infect Target Devices**

Researchers state that this campaign, which mainly relies on drive-by-downloads, proves threat actors may not always rely on exploits to get extensive permissions on a device. Through drive-by-downloads, they can fulfill their malicious goals just as effectively with the help of ISPs.

**Attack Scenario**

The attackers get their victim’s internet connection disrupted with the support of ISPs. In some cases, the target’s ISP disabled their mobile data connection. The victims are then requested to install a malicious application to get back online through an SMS message containing a URL. The victim is asked to install the application and resume their data connection.

Since the campaign involves ISPs, these apps are disguised as legit mobile carrier apps. In scenarios where attackers couldn’t directly influence the target’s ISP, they embedded the spyware in apps disguised as messaging applications.

The victim is redirected to a fake support page where they are promised to recover their suspended social media (Facebook and Instagram) and WhatsApp accounts. Though the social media links let the user install the official apps, the WhatsApp link leads the victim to a fake version of the WhatsApp app.

A screenshot shared by Google shows one of the malicious sites involved in the attack (fb-techsupportcom

**Malicious iOS Apps used by 6 Different Exploits**

According to a blog post published by Google’s Threat Analysis Group, these malicious apps were unavailable on Google Play and Apple App Store. The threat actors sideloaded the iOS version, which was signed with an enterprise certificate.

The target was asked to enable installation for these apps through unknown sources. The iOS apps used in the attack contain a “generic privilege escalation exploit wrapper” used by 6 different exploits. It also includes a “minimalist agent” that can exfiltrate device data, including the WhatsApp database. Details of these exploits are as follows:

*   **CVE-2021-30883 known as Clicked2**
*   **CVE-2021-30983 known as Clicked3**
*   **CVE-2020-9907 known as AveCesare**
*   **CVE-2020-3837 known as TimeWaste**
*   **CVE-2018-4344 known as LightSpeed**
*   **CVE-2019-8605 known as SockPort2/SockPuppet**

**Android Version Details**

The drive-by attacks on Android phones require the victims to enable a setting for installing third-party apps from unknown sources, after which fake apps disguised as legit brand apps like Samsung request extensive permissions. Besides rooting the device for rooted access, the apps are designed to fetch/execute arbitrary remote components, which communicate with the main application.

**Hermit Capabilities**

Hermit boasts a modular feature set and can steal sensitive data from smartphones, including location, contacts, call logs, and SMS messages. The spyware’s modularity allows it to become fully customizable.

Once installed on the device, it can record audio and even make/redirect phone calls, apart from abusing accessibility services permissions. However, researchers didn’t specify the RCS Labs clients involved in this campaign or its targets. For your information, RCS Labs is among the 30 spyware providers currently tracked by Google.

*   Edward Snowden urges users to stop using ExpressVPN
*   How a Woman’ Fitbit Fitness Tracker Helped Solve Her Murder Case
*   Pics of IDF women soldiers helped hackers to breach Israeli Military Servers
*   Cloud video platform abused in web skimmer attack against real estate sites
*   Cybercrime Syndicate Leader Behind Phishing, BEC Scams Arrested in Nigeria

Tag

#android