The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Android

Google now requires app developers to verify their address and use 2FA

Google now requires app developers to verify their address and use 2FA

June 29, 2021Ravie Lakshmanan
Google on Monday announced  new measures  for the Play Store, including requiring developer accounts to turn on 2-Step Verification (2SV), provide an address, and verify their contact details later this year. The new identification and two-factor authentication requirements are a step towards strengthening account security and ensuring a safe and secure app marketplace, Google Play Trust and Safety team said. As part of the changes, individual users and businesses in possession of Google Play developer accounts will be asked to specify an account type (personal or organization), a contact name, their physical address, as well as verifying the email address and phone number provided during account creation. In addition, the search giant is also mandating users of Google Play Console to sign in using Google's 2-Step Verification to prevent account takeover attacks. According to the timeline shared by Google, developer account owners will be able to declare their account type a
DroidMorph Shows Popular Android Antivirus Fail to Detect Cloned Malicious Apps

DroidMorph Shows Popular Android Antivirus Fail to Detect Cloned Malicious Apps

June 21, 2021Ravie Lakshmanan
A new research published by a group of academics has found that anti-virus programs for Android continue to remain vulnerable against different permutations of malware, in what could pose a serious risk as malicious actors evolve their toolsets to better evade analysis. "Malware writers use stealthy mutations (morphing/obfuscations) to continuously develop malware clones, thwarting detection by signature based detectors," the researchers  said . "This attack of clones seriously threatens all the mobile platforms, especially Android." The findings were published in a study last week by researchers from Adana Science and Technology University, Turkey, and the National University of Science and Technology, Islamabad, Pakistan. Unlike iOS, apps can be downloaded from third-party sources on Android devices, raising the possibility that unwitting users can install unverified and lookalike apps that clone a legitimate app's functionality but are built to trick tar
Google to Let Android Users Opt-Out to Stop Ads From Tracking Them

Google to Let Android Users Opt-Out to Stop Ads From Tracking Them

June 04, 2021Ravie Lakshmanan
Google is tightening its privacy practices that could make it harder for apps on Android phones and tablets to track users who have opted out of receiving personalized interest-based ads. The change will go into effect sometime in late 2021. The development, which mirrors Apple's move to enable iPhone and iPad users to opt-out of ad tracking, was first  reported  by the Financial Times.  Once the revised policy goes live, Google is expected to completely cut off developers' access to the so-called "Advertising IDs," showing a "string of zeros" in its place. The Google Advertising ID (AAID), analogous to Apple's  IDFA , is a unique device identifier that can be used by app developers to track users as they move between apps to target ads better and measure the effectiveness of marketing campaigns. "Starting in late 2021, when a user opts out of interest-based advertising or ads personalization, the advertising identifier will not be available,&q
Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

May 19, 2021Ravie Lakshmanan
Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days. "There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," the search giant  said  in an updated alert. The four flaws impact  Qualcomm Graphics  and  Arm Mali GPU Driver  modules — CVE-2021-1905  (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component due to improper handling of memory mapping of multiple processes simultaneously. CVE-2021-1906  (CVSS score: 6.2) - A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure. CVE-2021-28663  (CVSS score: NA) - A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper operations on GPU memory, leading
Experts Reveal Over 150 Ways to Steal Control of 58 Android Stalkerware Apps

Experts Reveal Over 150 Ways to Steal Control of 58 Android Stalkerware Apps

May 18, 2021Ravie Lakshmanan
A total of 158 privacy and security issues have been identified in 58 Android stalkware apps from various vendors that could enable a malicious actor to take control of a victim's device, hijack a stalker's account, intercept data, achieve remote code execution, and even frame the victim by uploading fabricated evidence. The new findings, which come from an analysis of 86 stalkerware apps for the Android platform undertaken by Slovak cybersecurity firm ESET, highlight the unintended consequences of a practice that's not only unethical but in the process could also expose private and intimate information of the victims and leave them at risk of cyberattacks and fraud. "Since there could be a close relationship between stalker and victim, the stalker's private information could also be exposed," ESET researcher Lukas Stefanko  said  in a Monday write-up. "During our research, we identified that some stalkerware keeps information about the stalkers using
Experts warn of a new Android banking trojan stealing users' credentials

Experts warn of a new Android banking trojan stealing users' credentials

May 11, 2021Ravie Lakshmanan
Cybersecurity researchers on Monday disclosed a new Android trojan that hijacks users' credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands. Called " TeaBot " (or Anatsa), the malware is said to be in its early stages of development, with malicious attacks targeting financial apps commencing in late March 2021, followed by a rash of infections in the first week of May against Belgium and Netherlands banks. The first signs of TeaBot activity emerged in January. "The main goal of TeaBot is stealing victim's credentials and SMS messages for enabling frauds scenarios against a predefined list of banks," Italian cybersecurity and online fraud prevention firm Cleafy said in a Monday write-up. "Once TeaBot is successfully installed in the victim's device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Serv
4 Major Privacy and Security Updates From Google You Should Know About

4 Major Privacy and Security Updates From Google You Should Know About

May 07, 2021Ravie Lakshmanan
Google has announced a number of user-facing and under-the-hood changes in an attempt to boost privacy and security, including rolling out two-factor authentication automatically to all eligible users and bringing iOS-styled privacy labels to Android app listings. "Today we ask people who have enrolled in  two-step verification  (2SV) to confirm it's really them with a simple tap via a Google prompt on their phone whenever they sign in," the company  said . "Soon we'll start automatically enrolling users in 2SV if their accounts are appropriately configured." Google Play To Get Apple-Like Privacy Labels The Google Play Store for Android is also getting a huge overhaul on the privacy front. The search giant said it plans to include a new  safety section  for app listings that highlights the type of data being collected and stored — such as approximate or precise location, contacts, personal information, photos and videos, and audio files — and how the dat
New Qualcomm Chip Bug Could Let Hackers Spy On Android Devices

New Qualcomm Chip Bug Could Let Hackers Spy On Android Devices

May 06, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm's mobile station modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected. "If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations," researchers from Israeli security firm Check Point  said  in an analysis published today. The heap overflow vulnerability, tracked as CVE-2020-11292 , resides in the QMI voice service API exposed by the modem to the high level operating system, and could be exploited by a malicious app to conceal its activities "underneath" the OS in the modem chip itself, thus making it invisible to the security protections built into the device. Designed since the 1990s, Qualcomm  MSM  chip
Attention! FluBot Android Banking Malware Spreads Quickly Across Europe

Attention! FluBot Android Banking Malware Spreads Quickly Across Europe

April 28, 2021Ravie Lakshmanan
Attention, Android users! A banking malware capable of stealing sensitive information is "spreading rapidly" across Europe, with the U.S. likely to be the next target. According to a new analysis by  Proofpoint , the threat actors behind FluBot (aka  Cabassous ) have branched out beyond Spain to target the U.K., Germany, Hungary, Italy, and Poland. The English-language campaign alone has been observed to make use of more than 700 unique domains, infecting about 7,000 devices in the U.K. In addition, German and English-language SMS messages were found being sent to U.S. users from Europe, which Proofpoint suspects could be the result of malware propagating via contact lists stored on compromised phones. A concerted campaign aimed at the U.S. is yet to be detected. FluBot, a nascent entry in the banking trojan landscape, began its operations late last year, with campaigns leveraging the malware infecting more than 60,000 users in Spain, according to an analysis published b
New WhatsApp Bugs Could've Let Attackers Hack Your Phone Remotely

New WhatsApp Bugs Could've Let Attackers Hack Your Phone Remotely

April 14, 2021Ravie Lakshmanan
Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even exfiltrate sensitive information. The flaws take aim at devices running Android versions up to and including Android 9 by carrying out what's known as a "man-in-the-disk" attack that makes it possible for adversaries to compromise an app by manipulating certain data being exchanged between it and the external storage. "The two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions," researchers from Census Labs  said  today.  "With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise protocol keys u
Android to Support Rust Programming Language to Prevent Memory Flaws

Android to Support Rust Programming Language to Prevent Memory Flaws

April 07, 2021Ravie Lakshmanan
Google on Tuesday announced that its open source version of the Android operating system will add support for Rust programming language in a bid to prevent memory safety bugs. To that end, the company has been building parts of the Android Open Source Project (AOSP) with Rust for the past 18 months, with plans in the pipeline to scale this initiative to cover more aspects of the operating system. "Managed languages like Java and Kotlin are the best option for Android app development," Google  said . "The Android OS uses Java extensively, effectively protecting large portions of the Android platform from memory bugs. Unfortunately, for the lower layers of the OS, Java and Kotlin are not an option." Stating that code written in C and C++ languages requires robust isolation when parsing untrustworthy input, Google said the technique of containing such code within a tightly constrained and unprivileged sandbox can be expensive, causing latency issues and additional
WhatsApp-based wormable Android malware spotted on the Google Play Store

WhatsApp-based wormable Android malware spotted on the Google Play Store

April 07, 2021Ravie Lakshmanan
Cybersecurity researchers have discovered yet another piece of wormable Android malware—but this time downloadable directly from the official Google Play Store—that's capable of propagating via WhatsApp messages. Disguised as a rogue Netflix app under the name of "FlixOnline," the malware comes with features that allow it to automatically reply to a victim's incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.  "The application is actually designed to monitor the user's WhatsApp notifications, and to send automatic replies to the user's incoming messages using content that it receives from a remote C&C server," Check Point researchers said in an analysis published today. Besides masquerading as a Netflix app, the malicious "FlixOnline" app also requests intrusive permissions that allow it to create fake Login screens for other apps, with the goal of stealing credentials and gain access to
Pre-Installed Malware Dropper Found On German Gigaset Android Phones

Pre-Installed Malware Dropper Found On German Gigaset Android Phones

April 07, 2021Ravie Lakshmanan
In what appears to be a fresh twist in Android malware, users of Gigaset mobile devices are encountering unwanted apps that are being downloaded and installed through a pre-installed system update app. "The culprit installing these malware apps is the Update app, package name  com.redstone.ota.ui , which is a pre-installed system app," Malwarebytes researcher Nathan Collier  said . "This app is not only the mobile device's system updater, but also an auto installer known as Android/PUP.Riskware.Autoins.Redstone." The development was  first reported  by German author and blogger Günter Born last week. While the issue seems to be mainly affecting Gigaset phones, devices from a handful of other manufacturers appear to be impacted as well. The full list of devices that come with the pre-installed auto-installer includes Gigaset GS270, Gigaset GS160, Siemens GS270, Siemens GS160, Alps P40pro, and Alps S20pro+. According to Malwarebytes, the Update app installs
Google limits which apps can access the list of installed apps on your device

Google limits which apps can access the list of installed apps on your device

April 02, 2021Ravie Lakshmanan
Apps on Android have been able to infer the presence of specific apps, or even collect the full list of installed apps on the device. What's more, an app can also set to be notified when a new app is installed. Apart from all the usual concerns about misuse of such a data grab, the information can be abused by a potentially harmful app to fingerprint other installed apps, check for the  presence of antivirus ,  affiliate fraud , and even for targeted ads.  In 2014, Twitter  began  tracking the list of apps installed on users' devices as part of its "app graph" initiative with an aim to deliver tailored content. Digital wallet company MobiKwik was also caught  collecting information  about installed apps in the wake of a data breach that came to light earlier this week. Indeed, a study undertaken by a group of Swiss researchers in 2019  found  that "free apps are more likely to query for such information and that third-party libraries (libs) are the main requ
Watch Out! That Android System Update May Contain A Powerful Spyware

Watch Out! That Android System Update May Contain A Powerful Spyware

March 27, 2021Ravie Lakshmanan
Researchers have discovered a new information-stealing trojan, which targets Android devices with an onslaught of data-exfiltration capabilities — from collecting browser searches to recording audio and phone calls. While malware on Android has previously taken the guise of copycat apps, which go under names similar to legitimate pieces of software, this sophisticated new malicious app masquerades itself as a System Update application to take control of compromised devices. "The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service," Zimperium researchers  said  in a Friday analysis. "The 'Searching for update..' is not a legitimate notification from the operating system, but the spyware." Once installed, the sophisticated spyware campaign sets about its task by registering the device with a Firebase command-and-control (C2) server with information such as battery percentage, sto
WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack

WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack

March 22, 2021Ravie Lakshmanan
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device's memory. "There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18. CVE-2020-11261 was discovered and reported to Qualcomm by Google's Android Security team on July 20, 2020, after which it was fixed in January 2021. It's worth noting that the access vector for the vulnerability is "local," meaning that exploitation requires local access to the device. In other words, to launch a successful attack, the
9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware

9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware

March 09, 2021Ravie Lakshmanan
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT," Check Point researchers Aviran Hazum, Bohdan Melnykov, and Israel Wernik said in a write-up published today. The apps that were used for the campaign include Cake VPN, Pacific VPN, eVPN, BeatPlayer, QR/Barcode Scanner MAX, Music Player, tooltipnatorlibrary, and QRecorder. After the findings were reported to Google on January 28, the rogue apps were removed from the Play Store on February 9.  Malware authors have resorted to a variety o
Researchers Uncover Android Spying Campaign Targeting Pakistan Officials

Researchers Uncover Android Spying Campaign Targeting Pakistan Officials

February 11, 2021Ravie Lakshmanan
Two new Android surveillanceware families have been found to target military, nuclear, and election entities in Pakistan and Kashmir as part of a pro-India, state-sponsored hacking campaign. Dubbed Hornbill and Sunbird, the malware impersonates legitimate or seemingly innocuous services to cover its tracks, only to stealthily collect SMS, encrypted messaging app content, and geolocation, among other types of sensitive information. The findings published by Lookout is the result of an analysis of 18GB of exfiltrated data that was publicly exposed from at least six insecurely configured command-and-control (C2) servers located in India. "Some notable targets included an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir," the researchers  said  in a Wednesday ana
LodaRAT Windows Malware Now Also Targets Android Devices

LodaRAT Windows Malware Now Also Targets Android Devices

February 10, 2021Ravie Lakshmanan
A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives. "The developers of  LodaRAT  have added Android as a targeted platform," Cisco Talos researchers  said  in a Tuesday analysis. "A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities." Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted. The reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor. First documented in May 2017 by  Proofpoint , Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture oth
Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices

Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices

February 04, 2021Ravie Lakshmanan
A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks. Called " Matryosh " by Qihoo 360's Netlab researchers, the latest threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare them into its network. ADB is a  command-line tool  part of the Android SDK that handles communications and allows developers to install and debug apps on Android devices. While this option is turned off by default on most Android smartphones and tablets, some vendors ship with this feature enabled, thus allowing unauthenticated attackers to connect remotely via the 5555 TCP port and open the devices directly to exploitation. This is not the first time a botnet has taken advantage of ADB to infect vulnerable devices. In July 2018, open ADB ports were used to spread multip
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.