Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps to redirect users to serve unwanted ads to users as part of a campaign ongoing since October 2022.
"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However,

Mobile Security / Malvertising

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps to redirect users to serve unwanted ads to users as part of a campaign ongoing since October 2022.

"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to

redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware."

The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy.

It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, security software, and cracked versions of YouTube on a search engine are redirected to an ad page hosting the malware.

The apps, once installed, have no icons or names in a bid to evade detection. What's more, users launching an app for the first time after installation are displayed the message "Application is unavailable in your region from where the app serves. Tap OK to uninstall," while stealthily activating the malicious activity in the background.

The modus operandi is another area of note wherein the adware behavior remains dormant for the first few days, after which it's awakened when the victim unlocks the phone in order to serve a full-screen ad using Android WebView.

The findings come as cybersecurity firm CloudSEK disclosed it had identified the rogue SpinOK SDK – which was revealed by Doctor Web last month – in 193 apps on the Google Play Store that have been downloaded 30 million times.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini-games and tasks to win alleged rewards. But peer inside, the trojan harbors functionalities to steal files and replace clipboard contents.

In a related development, the SonicWall Capture Labs Threat research team also unearthed another strain of Android malware that impersonates legitimate apps to harvest a wide range of information from compromised handsets by abusing the operating system's accessibility services.

"These features allow the attacker to access and steal valuable information from the victim's device, which can lead to various types of fraud, including financial fraud, and identity theft," SonicWall said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices

In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588531; Issue ID: ALPS07588531.

CVE-2023-20727: June 2023

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

CVE-2023-33733: Cure53 – Fine penetration tests for fine websites

Categories: News
Tags: week in security

A list of topics we covered in the week of May 29 - June 4 of 2023



(Read more...)




The post A week in security (May 29 - June 4) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

iPhone Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (May 29 - June 4)

By Habiba Rashid
The dark web search feature enables users to scan for their Gmail address on the dark web and receive guidance on online protection.
This is a post from HackRead.com Read the original post: Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID

For now, the dark web report is only available for most Google Accounts in the United States; however, access will also expand to more than 20 countries in the coming months.

Last month, Hackread.com reported that Google had started offering dark web monitoring for Gmail users in the United States. Now, the tech and search engine giant has announced the release of its latest Android feature drop, introducing several new enhancements and functionalities for Google-powered smartphones, tablets, and smartwatches.

Among the notable additions is the ability to search the dark web for Gmail addresses, expanded accessibility features for Google Books, and updates for Wear OS devices.

In the blog post detailing the feature drop, Google mentions that the dark web search feature, which enables users to scan for their Gmail address on the dark web and receive guidance on online protection, is now available for Google account holders in the United States.

The company also plans to expand this feature to include 20 more countries in the coming months, with the United Kingdom expected to be among them.

Younger readers using Google Books will benefit from a new reading practice feature. Books marked with the Practice badge will allow readers to hear the correct pronunciation of unusual words, enabling them to practice pronunciation effectively.

Google has also introduced three new home screen widgets for Android phones and tablets. These widgets provide personalized recommendations from Google TV, Google Finance, and Google News, enhancing the user experience by delivering relevant and tailored content.

The Spotify Wear OS app has received an update to incorporate the recently-launched Spotify DJ feature. This AI-powered function offers users a curated selection of streaming content along with a DJ who provides explanations and insights into the chosen songs or podcasts. Additionally, the app includes new tiles and watch face shortcuts for convenient access to Spotify on Wear OS devices.

In terms of Wear OS enhancements, users can now access Google Keep notes quickly through pinned lists. Furthermore, the Gboard keyboard app now offers new aquatic-themed emoji mashups, adding a touch of creativity and fun to text messaging.

While the Android feature drop delivers exciting updates, Google is also preparing for the anticipated release of Android 14 later this year. The company has been relatively quiet about the upcoming operating system, which is currently in beta, but it is expected to roll out to the public in August 2023.

**RELATED ARTICLES**

1.  On Dark Web Your Facebook ID is worth $5.20 & Gmail ID $1
2.  1 Million Decrypted Gmail & Yahoo Accounts Sold on Dark Web
3.  DarkBERT AI: Enhancing Cybersecurity Efforts on the Dark Web

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID

An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

Sorry, I can't find "_1816158?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-29543: Invalid Bug ID

Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111.

Sorry, I can't find "_1810705?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-25749: Invalid Bug ID

A duplicate <code>SystemPrincipal</code> object could be created when parsing a non-system html document via <code>DOMParser::ParseFromSafeString</code>. This could have lead to bypassing web security checks. This vulnerability affects Firefox < 109.

**Mozilla Foundation Security Advisory 2023-01**

Announced

January 17, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 109

**#CVE-2023-23597: Logic bug in process allocation allowed to read arbitrary files**

Reporter

Niklas Baumstark

Impact

high

**Description**

A compromised web child process could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. Given a reliable exploit primitive, this new process could be exploited again leading to arbitrary file read.

**References**

*   Bug 1538028

**#CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux**

Reporter

Tom Schuster

Impact

high

**Description**

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to DataTransfer.setData.

**References**

*   Bug 1800425

**#CVE-2023-23599: Malicious command could be hidden in devtools output on Windows**

Reporter

Vadim

Impact

moderate

**Description**

When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within.

**References**

*   Bug 1777800

**#CVE-2023-23600: Notification permissions persisted between Normal and Private Browsing on Android**

Reporter

Kazuki Nomoto of Waseda University

Impact

moderate

**Description**

Per origin notification permissions were being stored in a way that didn't take into account what browsing context the permission was granted in. This lead to the possibility of notifications to be displayed during different browsing sessions.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1787034

**#CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation**

Reporter

Luan Herrera

Impact

moderate

**Description**

Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks

**References**

*   Bug 1794268

**#CVE-2023-23602: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers**

Reporter

Dave Vandyke

Impact

moderate

**Description**

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers.

**References**

*   Bug 1800890

**#CVE-2023-23603: Calls to console.log allowed bypasing Content Security Policy via format directive**

Reporter

Dan Veditz

Impact

low

**Description**

Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser.

**References**

*   Bug 1800832

**#CVE-2023-23604: Creation of duplicate SystemPrincipal from less secure contexts**

Reporter

Nika Layzell

Impact

low

**Description**

A duplicate SystemPrincipal object could be created when parsing a non-system html document via DOMParser::ParseFromSafeString. This could have lead to bypassing web security checks.

**References**

*   Bug 1802346

**#CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

**#CVE-2023-23606: Memory safety bugs fixed in Firefox 109**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 108. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 109

CVE-2023-23604: Security Vulnerabilities fixed in Firefox 109

Under specific circumstances a WebExtension may have received a <code>jar:file:///</code> URI instead of a <code>moz-extension:///</code> URI during a load request. This leaked directory paths on the user's machine. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

Sorry, I can't find "_1685403?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-29538: Invalid Bug ID

Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

Sorry, I can't find "_1824200?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#android