Malware spoofed file management applications thanks to elevated permissions, enabling exfiltration of sensitive data with no user interaction, researchers find.

Two separate malicious apps loaded with spyware were found lurking in the Google Play store, loaded with zero-click spyware leading back to China.

Together, both applications tracked to the same developer, affected an estimated 1.5 million users, according to a new security alert from Pradeo. Google removed the apps within hours of being notified, the researchers add.

**Spyware Apps Relied on Elevated Permissions**

Most malicious apps rely on the victim to actually use it to successfully deliver malware, but these relied on permissions instead, according to Pradeo.

"Often, users install applications they end up not even using," the security alert said. "For most malware, that means the attack is unsuccessful. To overcome that obstacle, File Manager and File Recovery and Data Recovery can, through the advanced permissions they use, induce the restart of the device. This then permits the apps to launch and execute themselves automatically at restart."

Pradeo researcher Roxane Suau explained to Dark Reading that in addition to file manager applications, junk cleaner apps are also often spoofed for malicious purposes because of the elevated permissions required for them to perform their tasks.

Beyond sneaky permissions, the spyware apps misrepresented the amount of data collected, which raises flags about the security controls on applications available in the Google Play store, according to Melissa Bischoping, director at endpoint security research at Tanium.

**BYOD Policies Increase Risk**

"Users are often encouraged to place trust in the data privacy and safety reports on an app's page in the store, and this kind of deception undermines trust in all apps, not just the ones analyzed in the Pradeo reporting," Bischoping says. "There are over 3.5 million apps in the store, so it would be a herculean effort to perform deep-dive analysis of how each app complies with its stated privacy and security practices. That said, this type of glaring inaccuracy demonstrates a need for tighter vetting and control over what is published."

The damage these malicious applications can do to enterprises increases dramatically with bring your own device (BYOD) policies in the mix, Bischoping points out.

"A 'bring your own device' policy often results in unmanageability of mobile devices for large organizations," she explains. "Because of this, you cannot control what apps an employee may install or how much access they grant those apps. It's important to weigh the risk/reward of allowing mobile access to corporate data from personal devices."

Enterprise-owned devices should have controls in place to restrict these applications from being downloaded, Mike Parkin, senior technical engineer with Vulcan Cyber, tells Dark Reading.

"With enterprise-owned devices, they should be doing this already," Parkin says. "If they own the device, they have every right to restrict what goes onto it."

For organizations with BYOD policies, imposing restrictions on downloading apps is more difficult, Parkin adds, since the user owns the device and may balk at restrictions. "Though it would be appropriate for them to publish their expectations and, when necessary, block infected devices from accessing enterprise assets."

While malicious applications are hardly anything new, John Gallagher, vice president at Viakoo Labs, hopes incidents like these two spyware apps discovered in the Google Play Store will encourage enterprise security teams to take a look at their own policies.

"The ability of an application to have its download numbers inflated, to have more permissions than it needs, and for it to violate personal information policies and laws, are all existing attack vectors," Gallagher says. "These newly discovered threats may push more organizations to screen company-provided devices for such apps, or to monitor their network traffic to detect issues."

Spyware Gamed 1.5M Users of Google Play Store

Researchers have issued a warning about an emerging and advanced form of voice phishing (vishing) known as "Letscall." This technique is currently targeting individuals in South Korea.
The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website.
Once the malicious software is installed, it redirects

Mobile Security / Malware

Researchers have issued a warning about an emerging and advanced form of voice phishing (vishing) known as "**Letscall**." This technique is currently targeting individuals in South Korea.

The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website.

Once the malicious software is installed, it redirects incoming calls to a call center under the control of the criminals. Trained operators posing as bank employees then extract sensitive information from unsuspecting victims.

To facilitate the routing of voice traffic, "Letscall" utilizes cutting-edge technologies such as voice over IP (VOIP) and WebRTC. It also makes use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google STUN servers, to ensure high-quality phone or video calls and bypass NAT and firewall restrictions.

The "Letscall" group consists of Android developers, designers, frontend and backend developers, as well as call operators specializing in voice social engineering attacks.

The malware operates in three stages: first, a downloader app prepares the victim's device, paving the way for the installation of powerful spyware. This spyware then triggers the final stage, which allows the rerouting of incoming calls to the attackers' call center.

"The third stage has its own set of commands, which also includes Web socket commands. Some of these commands relate to the manipulation of the address book, such as creating and removing contacts. Other commands relate to creating, modifying, and removing the filters that determine which calls should be intercepted and which should be ignored," Dutch mobile security firm ThreatFabric said in its report.

What sets "Letscall" apart is its utilization of advanced evasion techniques. The malware incorporates Tencent Legu and Bangcle (SecShell) obfuscation during the initial download. In later stages, it employs complex naming structures in ZIP file directories and intentionally corrupts the manifest to confuse and bypass security systems.

Criminals have developed systems that automatically call victims and play pre-recorded messages to further deceive them. By combining mobile phone infections with vishing techniques, these fraudsters can request micro-loans in the victims' names while assuring them of suspicious activities and redirecting calls to their centers.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

The consequences of such attacks can be significant, leaving victims burdened with substantial loans to repay. Financial institutions often underestimate the severity of these invasions and fail to investigate potential fraud.

Although this threat is currently limited to South Korea, researchers caution that there are no technical barriers preventing these attackers from expanding to other regions, including the European Union.

This new form of vishing attack underscores the constant evolution of criminal tactics and their ability to exploit technology for malicious purposes. The group responsible for the "Letscall" malware demonstrates intricate knowledge of Android security and voice routing technologies.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Vishing Goes High-Tech: New 'Letscall' Malware Employs Voice Traffic Routing

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

ai-dev aicombinationsonfly before v0.3.1 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.

With the **combinations** on fly module, you will **amazingly accelerate the product page loading**, it's an **unlimitated product combinations generator.**

The most detrimental to shop is the number of combinations for a product, the **generator** that can not accept the generation of all combinations if they are too numerous, the second point is even more penalizing on products pages loading, because PrestaShop load all existing combinations, which can, in some cases, lead to **unacceptable page display times for customers** and especially they will be penalized by **Google algorithms**, and lead to the fall of your pages rank in searchs.

The **combinations on the fly** module allows to generate only **simple combinations** (only 1 attribute), which **reduces their generation time** and no longer a problem even if you have a lot of attribute values.

On the product, **only the existing combinations are loaded on page display**, allowing to **minimize its duration**.

You will be able to **generate unlimited combinations** with the Prestashop generator.

When a customer changes an attribute, if the resulting combination does not exist, the module **create and load it**.

There is a system to remove the generated combinations in order not to overload the server, the combinations being obsolete after order, so your pages will be lighter than ever and your server will gain speed.

The installation of the module on the site of a customer made it possible to **divide the time of display by 3** and the weight of the page by 4.

Links to download the documentations of the module are available at the bottom of the page.

**Prestashop compatible version**

1.5 & 1.6

**Module version**

0.3.1

Demo url

CVE-2023-33664: Prestashop module combinations on fly

The Site Kit by Google plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 1.8.0 This is due to the lack of capability checks on the admin_enqueue_scripts action which displays the connection key. This makes it possible for authenticated attackers with any level of access obtaining owner access to a site in the Google Search Console. We recommend upgrading to V1.8.1 or above.


**Description**

The Site Kit by Google plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 1.7.1. This is due to the lack of capability checks on the admin\_enqueue\_scripts action which displays the connection key. This makes it possible for authenticated attackers with any level of access obtaining owner access to a site in the Google Search Console.

**References**

*   www.wordfence.com

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

google-site-kit (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 1.8.0, or a newer patched version

Affected Version

*   <= 1.7.1

Patched Version

*   1.8.0

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence Enterprise**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2020-8934: Site Kit by Google <= 1.7.1 - Sensitive Information Disclosure — Wordfence Intelligence

Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks.
One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular

Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks.

One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular vulnerability was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022.

This vulnerability was regarded as serious enough to prompt the Cybersecurity and Infrastructure Security Agency (CISA) to issue a patching order for federal agencies in April 2023.

Another significant vulnerability, identified as CVE-2021-29256, is a high-severity issue that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. This flaw permits an unprivileged user to gain unauthorized access to sensitive data and escalate privileges to the root level.

The third exploited vulnerability, CVE-2023-2136, is a critical-severity bug discovered in Skia, Google's open-source multi-platform 2D graphics library. It was initially disclosed as a zero-day vulnerability in the Chrome browser and allows a remote attacker who has taken over the renderer process to perform a sandbox escape and implement remote code on Android devices.

Besides these, Google's July Android security bulletin highlights another critical vulnerability, CVE-2023-21250, affecting the Android System component. This issue can cause remote code execution without user interaction or additional execution privileges, making it particularly precarious.

These security updates are rolled out in two patch levels. The initial patch level, made available on July 1, focuses on core Android components, addressing 22 security defects in the Framework and System components.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

The second patch level, released on July 5, targets kernel and closed source components, tackling 20 vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components.

It's important to note that the impact of the addressed vulnerabilities may extend beyond the supported Android versions (11, 12, and 13), potentially affecting older OS versions no longer receive official support.

Google has further launched particular security patches for its Pixel devices, dealing with 14 vulnerabilities in Kernel, Pixel, and Qualcomm components. Two of these critical weaknesses could result in privilege elevation and denial-of-service attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google