McAfee Labs uncovers malicious GitHub repositories distributing Lumma Stealer malware disguised as game hacks and cracked software. Learn…

McAfee Labs uncovers malicious GitHub repositories distributing Lumma Stealer malware disguised as game hacks and cracked software. Learn how to protect yourself.

McAfee Labs, the threat research arm of cybersecurity giant McAfee, has recently uncovered a disturbing trend: the exploitation of popular platforms like GitHub to distribute malware. Their research reveals a network of malicious repositories offering seemingly legitimate content such as game hacks, cracked software, and free cryptocurrency tools, all designed to lure unsuspecting users into downloading and executing harmful code.

These repositories, often disguised with professional-looking features like distribution licenses and screenshots, leverage the trust and accessibility of GitHub to deceive users. Attackers strategically target individuals seeking an edge in popular games like Minecraft, Roblox, and Call of Duty, or those looking for free access to premium software like Spotify and Adobe Express.

Attack vector (Via McAfee)

The Lumma Stealer is the primary type of malware being distributed through these repositories. Promises of game hacks, cracked software, or free cryptocurrency tools lure users. Once on the repository, they are instructed to download and execute a file disguised as the promised software.

The downloaded file is typically a variant of the Lumma Stealer malware, which then collects sensitive information, including login credentials, cryptocurrency wallet information, browser history, cookies, and personally identifiable information, and extracts the stolen data to command-and-control servers controlled by the attackers.

“Every week, a new set of repositories with a new malware variant is released, as the older repositories are detected and removed by GitHub. These repositories also include distribution licenses and software screenshots to enhance their appearance of legitimacy,” McAfee’s Aayush Tyagi explained in a blog post.

To further lure users, these repositories often instruct victims to disable their antivirus software, claiming it will interfere with the downloaded program. This crucial step effectively disarms the user’s primary line of defence, allowing the malware to operate undetected and steal sensitive information such as login credentials, cryptocurrency wallet data, and browsing history.

Children and young adults, particularly avid gamers, are prime targets for these attacks. The allure of game hacks, offering advantages like aimbots and speed hacks, and that the package includes an advanced Anti-Ban system to prevent account suspension, are highly appealing, making them more susceptible to falling victim to these deceptive tactics.

Google search shows the malicious GitHub repository and a YouTube video where scammers are using descriptions to spread the repository (Via McAfee)

****McAfee’s Response and Recommendations:****

McAfee Labs is actively mitigating this threat by blocking malicious URLs, detecting and blocking downloaded malware, and providing comprehensive security solutions to protect users. The company recommends enhancing your security posture, such as keeping antivirus and anti-malware software up-to-date and practising cautious online behaviour. Regular system updates with the latest security patches are also crucial.

1.  **Fake League of Legends Download Ads Spread Lumma Stealer**
2.  **Banshee Stealer Hits macOS Users via Fake GitHub Repositories**
3.  **Hackers Use Excel Files to Drop Remcos RAT Variant on Windows**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **YouTube Channels Hacked, Drop Lumma Stealer via Cracked Software**

Lumma Stealer Found in Fake Crypto Tools and Game Mods on GitHub

Malware writing is only one of several malicious activities for which the new, uncensored generative AI chatbot can be used.

Source: Owlie Productions via Shutterstock

A recently debuted AI chatbot dubbed GhostGPT has given aspiring and active cybercriminals a handy new tool for developing malware, carrying out business email compromise scams, and executing other illegal activities.

Like previous, similar chatbots like WormGPT, GhostGPT is an uncensored AI model, meaning it is tuned to bypass the usual security measures and ethical constraints available with mainstream AI systems such as ChatGPT, Claude, Google Gemini, and Microsoft Copilot.

**GenAI With No Guardrails: Uncensored Behavior**

Bad actors can use GhostGPT to generate malicious code and to receive unfiltered responses to sensitive or harmful queries that traditional AI systems would typically block, Abnormal Security researchers said in a blog post this week.  

"GhostGPT is marketed for a range of malicious activities, including coding, malware creation, and exploit development," according to Abnormal. "It can also be used to write convincing emails for business email compromise (BEC) scams, making it a convenient tool for committing cybercrime." A test that the security vendor conducted of GhostGPT's text generation capabilities showed the AI model producing a very convincing Docusign phishing email, for example.

The security vendor first spotted GhostGPT for sale on a Telegram channel in mid-November. Since then, the rogue chatbot appears to have gained a lot of traction among cybercriminals, a researcher at Abnormal tells Dark Reading. The authors offer three pricing models for the large language model: $50 for one-week usage; $150 for one month and $300 for three months, says the researcher, who asked not to be named.

Related:Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

For that price, users get an uncensored AI model that promises quick responses to queries and can be used without any jailbreak prompts. The author(s) of the malware also claim that GhostGPT doesn't maintain any user logs or record any user activity, making it a desirable tool for those who want to conceal their illegal activity, Abnormal said.

**Rogue Chatbots: An Emerging Cybercriminal Problem**

Rogue AI chatbots like GhostGPT present a new and growing problem for security organizations because of how they lower the barrier for cybercriminals. The tools allow anyone, including those with minimal to no coding skills, the ability to quickly generate malicious code by entering a few prompts. Significantly, they also allow individuals who already have some coding skills the ability to augment their capabilities and improve their malware and exploit code. They largely eliminate the need for anyone to spend time and effort trying to jailbreak GenAI models to try and get them to engage in harmful and malicious behavior.

Related:Change Healthcare Breach Impact Doubles to 190M People

WormGPT, for instance, surfaced in July 2023 — or about eight months after ChatGPT exploded on the scene — as one of the first so-called "evil" AI models created explicitly for malicious use. Since then, there have been a handful of others, including WolfGPT, EscapeGPT, and FraudGPT, that their developers have tried monetizing in cybercrime marketplaces. But most of them have failed to gather much traction because, among other things, they failed to live up to their promises or were just jailbroken versions of ChatGPT with added wrappers to make them appear as new, standalone AI tools. The security vendor assessed GhostGPT to likely also be using a wrapper to connect to a jailbroken version of ChatGPT or some other open source large language model.

"In many ways, GhostGPT is not massively different from other uncensored variants like WormGPT and EscapeGPT," the Abnromal researcher tells Dark Reading. "However, the specifics depend on which variant you're comparing it to."

For example, EscapeGPT relies on jailbreak prompts to bypass restrictions, while WormGPT was a fully customized large language model (LLM) designed for malicious purposes. "With GhostGPT, it’s unclear whether it is a custom LLM or a jailbroken version of an existing model, as the author has not disclosed this information. This lack of transparency makes it difficult to definitively compare GhostGPT to other variants."

Related:The Case for Proactive, Scalable Data Protection

The growing popularity of GhostGPT in underground circles also appear to have made its creator(s) more cautious. The author or the seller of the chatbot has deactivated many of the accounts they had created for promoting the tool and appears to have shifted to private sales, the researcher says. "Sales threads on various cybercrime forums have also been closed, further obscuring their identity, \[so\] as of now, we do not have definitive information about who is behind GhostGPT."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

Amid ongoing fears over TikTok, Chinese generative AI platform DeepSeek says it’s sending heaps of US user data straight to its home country, potentially setting the stage for greater scrutiny.

The United States’ recent regulatory action against the Chinese-owned social video platform TikTok prompted mass migration to another Chinese app, the social platform “Rednote.” Now, a generative artificial intelligence platform from the Chinese developer DeepSeek is exploding in popularity, posing a potential threat to US AI dominance and offering the latest evidence that moratoriums like the TikTok ban will not stop Americans from using Chinese-owned digital services.

DeepSeek, an AI research lab created by a prominent Chinese hedge fund, recently gained popularity after releasing its latest open source generative AI model that easily competes with top US platforms like those developed by OpenAI. However, to help avoid US sanctions on hardware and software, DeepSeek created some clever workarounds when building its models. On Monday, DeepSeek’s creators limited new sign-ups after claiming the app had been overrun with a “large-scale malicious attack.”

While DeepSeek has several AI models, some of which can be downloaded and run locally on your laptop, the majority of people will likely access the service through its iOS or Android apps or its web chat interface. Like with other generative AI models, you can ask it questions and get answers; it can search the web; or it can alternatively use a reasoning model to elaborate on answers.

DeepSeek, which does not appear to have established a communications department or press contact yet, did not return a request for comment from WIRED about its user data protections and the extent to which it prioritizes data privacy initiatives.

As people clamor to test out the AI platform, though, the demand brings into focus how the Chinese startup collects user data and sends it home. Users have already reported several examples of DeepSeek censoring content that is critical of China or its policies. The AI setup appears to collect a lot of information—including all your chat messages—and send it back to China. In many ways, it’s likely sending more data back to China than TikTok has in recent years, since the social media company moved to US cloud hosting to try to deflect US security concerns

“It shouldn’t take a panic over Chinese AI to remind people that most companies in the business set the terms for how they use your private data” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “And that when you use their services, you’re doing work for them, not the other way around.”

**What DeepSeek Collects About You**

To be clear, DeepSeek is sending your data to China. The English-language DeepSeek privacy policy, which lays out how the company handles user data, is unequivocal: “We store the information we collect in secure servers located in the People's Republic of China.”

In other words, all the conversations and questions you send to DeepSeek, along with the answers that it generates, are being sent to China or can be. DeepSeek’s privacy policies also outline the information it collects about you, which falls into three sweeping categories: information that you share with DeepSeek, information that it automatically collects, and information that it can get from other sources.

The first of these areas includes “user input,” a broad category likely to cover your chats with DeepSeek via its app or website. “We may collect your text or audio input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services,” the privacy policy states. Within DeepSeek’s settings, it is possible to delete your chat history. On mobile, go to the left-hand navigation bar, tap your account name at the bottom of the menu to open settings, and then click “Delete all chats.”

This collection is similar to that of other generative AI platforms that take in user prompts to answer questions. OpenAI’s ChatGPT, for example, has been criticized for its data collection although the company has increased the ways data can be deleted over time. Regardless of these types of protections, privacy advocates emphasize that you should not disclose any sensitive or personal information to AI chat bots.

“I would not input personal or private data in any such an AI assistant,” says Lukasz Olejnik, independent researcher and consultant, affiliated with King's College London Institute for AI. Olejnik notes, though, that if you install models like DeepSeek’s locally and run them on your computer, you can interact with them privately without your data going to the company that made them. Additionally, AI search company Perplexity says it has added DeepSeek to its platforms but claims it is hosting the model in US and EU data centers.

Other personal information that goes to DeepSeek includes data that you use to set up your account, including your email address, phone number, date of birth, username, and more. Likewise, if you get in touch with the company, you’ll be sharing information with it.

Bart Willemsen, a VP analyst focusing on international privacy at Gartner, says that, generally, the construction and operations of generative AI models is not transparent to consumers and other groups. People don’t know exactly how they work or the exact data they have been built upon. For individuals, DeepSeek is largely free, although it has costs for developers using its APIs. “So what do we pay with? What do we usually pay with: data, knowledge, content, information,” Willemsen says.

As with all digital platforms—from websites to apps—there can also be a large amount of data that is collected automatically and silently when you use the services. DeepSeek says it will collect information about what device you are using, your operating system, IP address, and information such as crash reports. It can also record your “keystroke patterns or rhythms,” a type of data more widely collected in software built for character-based languages. Additionally, if you purchase DeepSeek’s premium services, the platform will collect that information. It also uses cookies and other tracking technology to “measure and analyze how you use our services.”

A WIRED review of the DeepSeek website's underlying activity shows the company also appears to send data to Baidu Tongji, Chinese tech giant Baidu's popular web analytics tool, as well as Volces, a Chinese cloud infrastructure firm. In a social media post, Sean O'Brien, founder of Yale Law School's Privacy Lab, said that DeepSeek is also sending “basic” network data and “device profile” to TikTok owner ByteDance “and its intermediaries.

The final category of information DeepSeek reserves the right to collect is data from other sources. If you create a DeepSeek account using Google or Apple sign-on, for instance, it will receive some information from those companies. Advertisers also share information with DeepSeek, its policies say, and this can include “mobile identifiers for advertising, hashed email addresses and phone numbers, and cookie identifiers, which we use to help match you and your actions outside of the service.”

**How DeepSeek Uses Information**

Huge volumes of data may flow to China from DeepSeek’s international user base, but the company still has power over how it uses the information. DeepSeek’s privacy policy says the company will use data in many typical ways, including keeping its service running, enforcing its terms and conditions, and making improvements.

Crucially, though, the company’s privacy policy suggests that it may harness user prompts in developing new models. The company will “review, improve, and develop the service, including by monitoring interactions and usage across your devices, analyzing how people are using it, and by training and improving our technology,” its policies say.

DeepSeek’s privacy policy also says the company will also use information to “comply with \[its\] legal obligations”—a blanket clause many companies include in their policies. DeepSeek’s privacy policy says data can be accessed by its “corporate group,” and it will share information with law enforcement agencies, public authorities, and more when it is required to do so.

While all companies have legal obligations, those based in China do have notable responsibilities. Over the past decade, Chinese officials have passed a series of cybersecurity and privacy laws meant to allow state officials to demand data from tech companies. One 2017 law, for instance, says that organizations and citizens should “cooperate with national intelligence efforts.”

These laws, alongside growing trade tensions between the US and China and other geopolitical factors, fueled security fears about TikTok. The app could harvest huge amounts of data and send it back to China, those in favor of the TikTok ban argued, and the app could also be used to push Chinese propaganda. (TikTok has denied sending US user data to China’s government.) Meanwhile, several DeepSeek users have already pointed out that the platform does not provide answers for questions about the 1989 Tiananmen Square massacre, and it answers some questions in ways that sound like propaganda.

Willemsen says that, compared to users on a social media platform like TikTok, people messaging with a generative AI system are more actively engaged and the content can feel more personal. In short, any influence could be larger. “Risks of subliminal content alteration, conversation direction steering, in active engagement ought by that logic to lead to more concern, not less,” he says, “especially given how the inner workings of the model are widely unknown, its thresholds, borders, controls, censorship rules, and intent/personae largely left unscrutinized, and it being already so popular in its infancy stage.”

Olejnik, of King's College London, says that while the TikTok ban was a specific situation, US law makers or those in other countries could act again on a similar premise. “We can’t rule out that 2025 will bring an expansion: direct action against AI firms,” Olejnik says. “Of course, data collection may again be named as the reason.”

_Updated 5:27 pm EST, January 27, 2025: Added additional details about the DeepSeek website's activity._

_Updated 10:05 am EST, January 29, 2025: Added additional details about DeepSeek's network activity._

DeepSeek’s Popular AI App Is Explicitly Sending US Data to China

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn…

A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. Learn how to protect yourself and update your browser to the latest version.

A critical security vulnerability has been discovered in the popular Brave Browser, enabling malicious websites to deceive users into believing they are interacting with trusted sources. This flaw tracked as **CVE-2025-23086** (classified under CWE-60), impacts desktop versions of Brave from 1.70.x to 1.73.x.

The problem lies within a feature designed to enhance user safety: displaying the **origin of a website** in the operating system’s file selector dialogue during file uploads or downloads. This is intended to provide a visual cue, confirming the legitimacy of the site involved in the file transfer. However, in specific scenarios, this crucial origin information was not accurately inferred, leaving a critical gap in user protection.

This misrepresentation of origin becomes particularly dangerous when combined with an “open redirect” vulnerability on a legitimate website. Open redirects mean that a trusted website lets user-controlled input redirect users to external URLs and does not validate it properly. By exploiting this combination, malicious actors can craft scenarios where a malicious website, through the open redirect, appears as a trusted source in the file selector dialogue, tricking users into interacting with it.

In May 2024, Hackread.com **reported** HP’s quarterly Wolf Security Threat Insights series findings, which revealed a rise in cybercriminals employing “cat-phishing” tactics, exploiting open redirect vulnerabilities and other Living-off-the-Land techniques to bypass traditional security measures

The vulnerability has a base score of 6.1, classified as Medium in severity, with an attack vector of NETWORK and low attack complexity and user interaction requirements. The consequences of this vulnerability could be drastic. Users could be unknowingly tricked into downloading malware, sharing sensitive information with malicious actors, or falling victim to sophisticated phishing attacks. This dents the core principle of user trust and **security that browsers** are designed to uphold.

To mitigate CVE-2025-23086, update to Brave Desktop Browser version 1.74.48 or later, check for open redirect vulnerabilities, and make sure to verify the file download sources and recognize suspicious prompts.

In addition, use security tools and browser extensions to protect against open redirects and phishing tactics. Regular updates and user awareness can significantly reduce exploitation risks. Trusted site administrators should also review their platforms to remove or fix open redirect vulnerabilities. Check out **this article** to learn more about how to ensure browser security.

1.  **Brave browser Tor feature leaked .Onion queries to ISPs**
2.  **New Vcurms Malware Targets Popular Browsers for Data Theft**
3.  **Fake Brave browser site dropped malware, thanks to Google Ads**
4.  **New Tech Support Scam Freezes Chrome, Firefox & Brave Browser**
5.  **DOJ Proposes Breaking Up Google: Calls for Sale of Chrome Browser**

Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

The modern workplace has undergone a seismic transformation over recent years, with hybrid work becoming the norm and businesses rapidly adopting cloud-based Software-as-a-Service (SaaS) applications to facilitate it. SaaS applications like Microsoft 365 and Google Workspace have now become the backbone of business operations, enabling seamless collaboration and productivity. However, this

2025 State of SaaS Backup and Recovery Report

Google has launched a new feature called Identity Check for supported Android devices that locks sensitive settings behind biometric authentication when outside of trusted locations.
"When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you're outside of trusted locations," Google said in a post announcing the

Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

After TikTok was briefly banned in the US last weekend, an unusual phenomenon unearthed. Reportedly, people are selling iPhones that have TikTok installed for up to $25,000.

This may require some explanation, so bear with me.

TikTok has had a rough time in the US the last weeks. The ban we mentioned originates from back in March, when the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

Despite an overruled emergency injunction to stop or postpone the planned ban on the platform in the US, the ban took effect on January 19.

But TikTok’s messaging was clear, they were coming back.

> “Sorry TikTok isn’t available right now
> 
> A law banning TikTok has been enacted in the U.S. Unfortunately that means you can’t Use TikTok for now.
> 
> We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!

And it was indeed back for millions of US users as of January 19 and 20. That is to say, for those that had the app installed.

Update 3

> Welcome back!
> 
> Thanks for your patience and support. As a result of President Trump’s efforts, TikTok is back in the U.S.!
> 
> You can continue to create, share, and discover all the thing you love on TikTok.

However, anyone that deleted or never had the app installed are unable to download it as the Apple and Google app stores in the US still don’t have it available. And despite an executive order to delay enforcing the ban, it is unclear when it will be available for download again.

**Second hand iPhones for sale**

Some people have seized on this as a money-making opportunity, selling their iPhones for thousands of dollars on eBay. But is that a smart thing to do?

According to Apple’s Support pages, there is a recommended procedure to follow before you sell, give away, or trade in your iPhone or iPad. One of those steps is to **Erase All Content and Settings**. From that page:

> “When you tap **Erase All Content and Settings**, it completely erases your device, including any credit or debit cards you added for Apple Pay and any photos, contacts, music, or apps. It will also turn off iCloud, iMessage, FaceTime, Game Center, and other services. Your content won’t be deleted from iCloud when you erase your device.”

If you want to leave an app like TikTok behind, you will have to manually erase all the other items on that list to make sure the buyer will not get hold of other private information about you. This is tough to do and is highly likely you would leave some of your data behind.

If you’re considering buying a second hand iPhone so you can use TikTok, how can you be sure that TikTok is the only thing that’s left behind? I wouldn’t put it past cybercriminals to sell devices they can still access, or even malware.

Another bad idea is to roam the internet for unofficial TikTok apps (in the form of IPA or APK files). Installing an unsigned app requires a jailbreak and it can pose significant risks to your device and personal data. Files from unreliable sources may contain malware, spyware, or information stealers and, once installed, these malicious programs can compromise your device’s security.

My advice would be to exercise some patience. TikTok may well reappear in app stores or it’ll be completely removed from access, so everyone will be in the same boat.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Warning: Don&#8217;t sell or buy a second hand iPhone with TikTok already installed 

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru's location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

A year of location data for Sam Curry’s mother’s 2023 Subaru Impreza that Curry and Shah were able to access in Subaru’s employee admin portal thanks to its security vulnerabilities.

Screenshot Courtesy of Sam Curry

“You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account to both reassign control of cars’ Starlink features and also access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies' web tools that have yet to be discovered.

In Subaru's case, in particular, they also point out that their discovery hints at how pervasively those with access to Subaru's portal can track its customers' movements, a privacy issue that will last far longer than the web vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry says. “It's just normal functionality that an employee can pull up a year's worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah's findings, a spokesperson responded in a statement that “after being notified by independent security researchers, \[Subaru\] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevancy, who can access location data." The company offered as an example that employees have that access to share a vehicle's location with first responders in the case when a collision is detected. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” Subaru's statement added. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Responding to Subaru's example of notifying first responders about a collision, Curry notes that would hardly require a year's worth of location history. The company didn't respond to WIRED asking how far back it keeps customers' location histories and makes them available to employees.

Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user's browser, not on Subaru's server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee's account, and immediately found that they could use that staffer's access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to access their Starlink configurations. In seconds, they could then reassign control of the Starlink features of that user's vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.

Those vulnerabilities alone, for drivers, present serious theft and safety risks. Curry and Shah point out that a hacker could have targeted a victim for stalking or theft, looked up someone's vehicle's location, then unlocked their car at any time—though a thief would have to somehow also use a separate technique to disable the car's immobilizer, the component that prevents it from being driven away without a key.

Those car hacking and tracking techniques alone are far from unique. Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of millions of vehicles sold by Kia. Over the prior two years, a larger group of researchers, of which Curry and Shah are a part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

More unusual in Subaru's case, Curry and Shah say, is that they were able to access fine-grained, historical location data for Subarus going back at least a year. Subaru may in fact collect multiple years of location data, but Curry and Shah tested their technique only on Curry's mother, who had owned her Subaru for about a year.

Curry argues that Subaru's extensive location tracking is a particularly disturbing demonstration of the car industry's lack of privacy safeguards around its growing collection of personal data on drivers. “It's kind of bonkers,” he says. “There's an expectation that a Google employee isn't going to be able to just go through your emails in Gmail, but there's literally a button on Subaru's admin panel that lets an employee view location history.”

The two researchers’ work contributes to a growing sense of concern over the enormous amount of location data that car companies collect. In December, information a whistleblower provided to the German hacker collective the Chaos Computer Computer and Der Spiegel revealed that Cariad, a software company that partners with Volkswagen, had left detailed location data for 800,000 electric vehicles publicly exposed online. Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla's report reads.

Curry and Shah's discovery of Subaru's security vulnerabilities in its tracking demonstrate a particularly egregious exposure of that data—but also a privacy problem that's hardly less disturbing now that the vulnerabilities are patched, says Robert Herrell, the executive director of the Consumer Federation of California, which has sought to create legislation for limiting car's data tracking.

“It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information,” Herrell says. “People are being tracked in ways that they have no idea are happening.”

_Update 4:23 pm EST, January 23, 2025: The article's subheadline has been updated to clarify the scope of the researcher's work._

Tag

#google