A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices.
Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information.

A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices.

Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information.

Despite continued attempts on the part of Google to scale up its defenses, the apps have been continually iterated to search for gaps and slip into the app store undetected.

"They're usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name," Kaspersky researcher Igor Golovin said in a report published last week.

The trojanized apps, taking the place of their removed counterparts, often appear as messaging, health tracking, and PDF scanner apps that, once installed, request permissions to access text messages and notifications, abusing them to subscribe users to premium services.

A sneaky trick used by Joker to bypass the Google Play vetting process is to render its malicious payload "dormant" and only activate its functions after the apps have gone live on the Play Store.

Three of the Joker-infected apps detected by Kaspersky through the end of February 2022 are listed below. Although they have been purged from Google Play, they continue to be available from third-party app providers.

*   Style Message (com.stylelacat.messagearound),
*   Blood Pressure App (blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health), and
*   Camera PDF Scanner (com.jiao.hdcam.docscanner)

This is not the first time subscription trojans have been uncovered on app marketplaces. Last year, apps for the APKPure app Store and a widely-used WhatsApp mod were found compromised with malware called Triada.

Then in September 2021, Zimperium took the wraps off an aggressive money-making scheme called GriftHorse, following it up with yet another case of premium service abuse called Dark Herring earlier this January.

"Subscription trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers' own non-existent services," Golovin said.

"To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which is the most frequent source of malware."

Even when downloading apps from official app stores, users are advised to read the reviews, check the legitimacy of the developers, the terms of use, and only grant permissions that are essential to perform the intended functions.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Another Set of Joker Trojan-Laced Android Apps Resurfaces on Google Play Store

Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

**Apple**, **Google** and **Microsoft** announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

Image: Blog.google

The tech giants are part of an industry-led effort to replace passwords, which are easily forgotten, frequently stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.

Apple, Google and Microsoft are some of the more active contributors to a passwordless sign-in standard crafted by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have been working with hundreds of tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices — including a device PIN, or a biometric such as a fingerprint or face scan.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.

**Sampath Srinivas**, director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”

As _ZDNet_ notes, Apple, Google and Microsoft already support these passwordless standards (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device.

**Johannes Ullrich**, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich said.

**Steve Bellovin**, a computer science professor at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.

Bellovin and others say one potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks and they can’t recall their iCloud password.

“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”

Google says that even if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft likewise have cloud backup solutions that customers using those platforms could use to recover from a lost mobile device. But Bellovin said much depends on how securely such cloud systems are administered.

“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”

**Nicholas Weaver**, a lecturer at the computer science department at **University of California, Berkeley**, said websites still have to have some recovery mechanism for the “you lost your phone and your password” scenario, which he described as “a really hard problem to do securely and already one of the biggest weaknesses in our current system.”

“If you forget the password and lose your phone and can recover it, now this is a huge target for attackers,” Weaver said in an email. “If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”

Even so, he said, the overall FIDO approach has been a great tool for improving both security and usability.

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” But experts said it will likely take several more years for smaller web destinations to adopt the technology and ditch passwords altogether.

Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm **SpyCloud** found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.

A March 2022 white paper on the FIDO approach is available here (PDF). A FAQ on it is here.

Your Phone May Soon Replace Many of Your Passwords

Joomla Guru extension 5.2.5 is affected by: Insecure Permissions. The impact is: obtain sensitive information (remote). The component is: Access to private information and components, possibility to view other users' information. Information disclosure Access to private information and components, possibility to view other users' information.

**6.0.1**

**Bug Fixes**

*   Update guru config
*   Fix missing og (Open Graph) tag
*   Fix installer issue
*   Fix redactor editor when add question

**6.0.0 Stable**

**New Updates**

*   Joomla 4 support
*   Fully PHP8 support

**Improvements**

*   Course list layout: improved default view and new list view
*   Course detail layout: improved default view and new Modern view
*   Improved Lesson layout and support dark and light theme
*   All pages are improved for better layout & style
*   Improved responsive for all pages.
*   Back-end dashboard improvements
*   Social sharing and Open Graph
*   Bug fixes

View details

**6.0.0 Beta**

**New Updates**

*   Joomla 4 compatibility
*   Fully PHP8 support

**Improvements**

*   Improved design for all pages
*   New course list view - List view
*   New course detail view - Modern view
*   Lesson layout with dark and light theme
*   Back-end dashboard improvements

View details

**5.2.5**

**New payment plugins**

*   New Stripe SCA payment plugin
*   New PayPal Smart Payment Plugin

**Bug Fixes**

*   The sequential lesson cannot be selected
*   Fix 404 error when editing module on the frontend
*   Fix search (everything) error on frontend
*   The fix could not open page 2 on quiz results
*   Optimize workflow of adding a question to the quiz
*   Support Latest version of JW all videos plugin in Guru
*   Add zoom meeting media type
*   Complete course when teacher score essay
*   Fix outdated courses still shows on an author page
*   Fix save lesson error when kunena is installed
*   Show disabled payment methods on order list in the backend
*   Fix redirect login on multilingual didn’t keep the current language
*   Add search menu type for Guru
*   Fix exam score N/A on the certificate

View details

**5.2.4**

**Bug Fixes**

*   Student activation by super user
*   Fix override admin email when install
*   Sparate email enroll for teach and admin
*   Index database when install
*   Render sidebar when open modal
*   Fix missing jquery on yootheme
*   Fix uikit noconflict error with yoo theme
*   Increase size of media text
*   Change media column datatype to avoid media error
*   Fix duplicated id error
*   Invalid token when trying to see more than 20 uploaded projects by students
*   Remove unused parameters

**Improvements**

*   More option in Export data
*   Improve load speed guru backend

**5.2.3**

**Bug Fixes**

*   Promocode used for multiple times for the same user
*   Teachers - Students page load slowly
*   Promocode still able to used even before start date
*   Time bug when create order at backend
*   Prevent unlimited plan
*   Lessons not showing correctly when going through course
*   Status doesn't update on serial order lesson
*   Notice error on Teacher's student page
*   Course Manager: Can't filter Course by status
*   Some bugs in Media Library
*   Got error database when duplicate pending Course
*   Order Manager's toolbar need more styled

**New feature**

*   Add Student Chart Feature in Guru

**Improvement**

*   Send Purchase Email on Enroll

**5.2.2**

**Bug Fixes**

*   added new changes on preview certificate
*   fixed issue, user can access lessons/exercises when license expired
*   Fixed issue with Articulate SCORM
*   Fixed issue with multiple emails send to students
*   Bug: Guru students assigned to JS group as admin
*   Add media in course not working
*   Can not delete courses from cart

**Improvements**

*   How to create clickable image that expands into lightbox inside lessons
*   Uikit from 2.0 to 3.0
*   Option to show or not lesson status un course

**5.2.1**

**New features**

*   2Checkout Payment Plugin
*   Privacy for files
*   Guru – Events for JomSocial
*   Course review only by Super Admin

**Improvements**

*   Page title seo improvements
*   Free course should not show 00 in price
*   Add company Name value variable
*   Login Logout redirections
*   Collapsible menu for dashboard items
*   Allow admin to change the order of course
*   Display category of a course in "my courses" list
*   Translate Unlimited in courses
*   More option in Date formate
*   Close all' instead of '+Show all?

**Bug Fixes**

*   JCE editor layout issue on backend
*   Hide FB and Twiiter link in teacher profile

**5.2.0**

**New Features :**

*   Custom Certificate option
*   Login Redirection for Teachers
*   Icon control on certificate page
*   Editor support for Teachers
**Improvements :**

*   **Mask the password and secret key in PayPal Pro** : New update will mask the password and private key in papal payment plugin.
*   **Plugin support - System - User Actions Log** : User action log supported with Guru
*   **RTL Support for quiz** : RTL support added for quiz lesson in courses
*   **Certificate URL in Email** : Certificate URL added for certificate email (Student can view certificate via Email link )
*   **Add option to allow/disallow to delete their own course** : Admin can allow/disallow teachers to delete their own course, You can find these setting on Guru backend > Teacher setting are.
*   **Increase Quiz time** : Now you can add quiz timer from 1 to 150 mins or unlimited.
*   **Editor support for Essay in Quiz** : Essay type question support editor in quiz.
*   **Price with decimals** : Yen currency support.
*   **Course displays empty tab when there is no course description** : Content tab of the course will be default if there is no content in description of course.

**Bug Fixes :**

*   Quiz is not published but still run exam time
*   Lesson dropdown broken with PHP 7.2 Guru Light
*   Breadcrumb displays error on course detail page
*   Typing mistake on Custom guru url page
*   Shouldnt allow to create new course category with empty category name
*   Got error when create duplicate course category name
*   Category List Layout Layout options not working
*   Guru search module show same results
*   Teacher list page use double slash in images
*   Database Error in My Projects page
*   Can't pick color on custom certificate tab
*   Background color, Font are not working on certificate pdf
*   Got error when using MPDF for certificate page
*   Student can edit teacher's course with URL
*   Got notice error in dashboard page
*   End publishing date is not working
*   Guru Search Courses module displays error in RTL
*   Got notice error when create a lesson with scorm
*   Color picker displays wrong position

**5.1.18**

**New Feature**

*   Implement Projects Results in back-end
*   Add GURU custom fields for registration form
*   Data in time column
*   Guru and JomSocial Groups
*   SCORM Support

**Improvement**

*   Mask the password and secret key in Paypal pro
*   Lesson should be removed right after clicking on delete icon
*   Should not allow to create duplicate lesson
*   Update language for Continue button

**Bug Fix**

*   Missing order option in backend for queeze question in file
*   Got warning error while saving lesson
*   Got warning error when select quizze
*   Cant upload file on lesson with project layout
*   Got warning error on Course category page
*   Can not reorder questions
*   Got warning error on students list take the quiz
*   Got error when remove and reselect quiz
*   Got warning error when there is no quiz in a course
*   Create new quiz button is not working on the frontend
*   Tabs in Final exam are not actived
*   Filter by quizzes type is not working
*   \[Media\] Auto play video is not working
*   \[Media\] Media filter works incorrectly after saving media
*   \[Media\] Got notice error when select article media
*   \[Lesson\] Cant show all lesson, should add scrollbar when there are many lessons
*   \[Lesson\] Got warning error when select project for lesson
*   \[Media\] Cant edit audio on the frontend
*   \[Commissions\] Export function is not working
*   \[Fields\] Typing mistake on create new field form
*   \[Course\] Can not play audio when the lesson is loaded
*   \[Course\] Got error duplicate entry after edit a lesson
*   \[Quiz\] Can not add question for quiz on the frontend
*   \[Media\] Got warning error on media library page
*   \[Quiz\] Audio is displaying not nice on the quiz page
*   \[Custom field\] Got error message after saving custom field

CVE-2022-23802: Guru Change Log - Joomla LMS - LMS for Joomla eLearning

NCSC proposes new code of conduct for app stores

NCSC proposes new code of conduct for app stores

  

A report from the UK government has laid bare the risks of malicious mobile apps, as lawmakers call for tougher protections for consumers.

The report (PDF), published by the UK National Cyber Security Centre (NCSC), found that “people’s data and money are at risk because of fraudulent apps containing malicious malware created by cybercriminals or poorly developed apps which can be compromised by hackers exploiting weaknesses in software”.

The study, which conducted a review into the app store ecosystem from December 2020 to March 2022, detailed how 87% of UK citizens now own a smartphone, conveying a widespread attack surface.

Read more of the latest security news from the UK

“\[M\]alicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps,” the NCSC claims.

“Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.”

**New rules**

In response to the findings, the government is calling views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements, which the UK says “would be the first such measure in the world”.

RELATED UK government reveals plans to become ‘global cyber power’ in 2022

Developers and store operators making apps available to UK users would be covered including Apple, Google, Amazon, Huawei, Microsoft, and Samsung.

The proposed policy would require stores to have a vulnerability reporting process for each app available. They would also be required to share more security and privacy information in an accessible way, including giving consumers information on matters such as why an app would need access to users’ contacts and location.

NCSC technical director Ian Levy commented: “Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm.

“I support the proposed code of practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

**‘Crucial awareness’**

Filip Verloy, EMEA technical evangelist at Noname Security, commented: “These types of initiatives raise crucial awareness of the security issues that we currently face and provide a healthy and necessary debate on the subject. This should prove useful even if it only accomplishes just that.

“However, there are a few flaws to the measures proposed. Firstly, Apple has already made it a point of differentiation to prioritize privacy and security and perform extensive moderation in their app store versus competitors.

“Secondly, there is no such thing as 100% certainty about security when it comes to software, though laying out best practices and increasing scrutiny will certainly help weed out the worst offenders.”

YOU MAY ALSO LIKE UK government employees receive ‘billions’ of malicious emails per year – report

UK government calls for tougher protections against malicious mobile apps

Amid ongoing software supply-chain jitters, the US' top tech division is offering a finalized, comprehensive cybersecurity control framework for managing risk.

The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders.

Software supply-chain attacks rocketed to the top of the enterprise worry list last year as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of open source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the varied ways platforms can be abused, as in the Kaseya attack last year, when cybercriminals compromised a managed application, or with SolarWinds, where they hacked an update mechanism to deliver malware.

NIST's latest publication (PDF) offers specific risk-management guidance for profiles such as cybersecurity specialists, risk managers, systems engineers, and procurement officials. Each profile matches up with a set of recommended controls, such as implementing secure remote access mechanisms for tapping the software supply chain, or enacting the principle of least privilege, or taking an inventory of all software suppliers and products.

"Managing the cybersecurity of the supply chain is a need that is here to stay," said NIST publication author Jon Boyens, in a Thursday announcement. "If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."

The development follows from an Executive Order issued by President Biden last year, which directs government agencies to "improve the security and integrity of the software supply chain, with a priority on addressing critical software."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST Issues Guidance for Addressing Software Supply-Chain Risk

A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

A logic error in Function Hints::Hints (poppler/Hints.cc) is found with fuzzing.

There is a check after the memory alloc and set the nPages to zero if failed:

    if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {
    
        error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");
    
        nPages = 0;
    
    }

But at the end of function, there is a direct call to function readTables WITHOUT the check of nPages.

I believe it should be changed to:

    if (nPages != 0) {
    
        readTables(str, linearization, xref, secHdlr);
    
    }

Otherwise, with the attached poc.pdf, program pdftops will hang for a very long time (days), could be a DoS.

pdftops poc.pdf

Edited Mar 15, 2022 by

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler · GitLab

Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a this.maildoc NULL pointer dereference.

CVE-2022-27359

CVE-2022-27337: Logic error in function Hints::Hints (#1230) · Issues · poppler / poppler

Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointer dereference via the component FoxitPDFReader.exe. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PHP file.

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Tag

#pdf