The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Android

New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

July 17, 2019Swati Khandelwal
Earlier this month, The Hacker News covered a story on research revealing how over 1300 Android apps are collecting sensitive data even when users have explicitly denied the required permissions. The research was primarily focused on how app developers abuse multiple ways around to collect location data, phone identifiers, and MAC addresses of their users by exploiting both covert and side channels. Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone's loudspeakers without requiring any device permission. Abusing Android Accelerometer to Capture Loudspeaker Data Dubbed Spearphone , the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions. An
Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram

Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram

July 16, 2019Mohit Kumar
If you think that the media files you receive on your end-to-end encrypted secure messaging apps can not be tampered with, you need to think again. Security researchers at Symantec yesterday demonstrated multiple interesting attack scenarios against WhatsApp and Telegram Android apps, which could allow malicious actors to spread fake news or scam users into sending payments to wrong accounts. Dubbed " Media File Jacking ," the attack leverages an already known fact that any app installed on a device can access and rewrite files saved in the external storage, including files saved by other apps installed on the same device. WhatsApp and Telegram allow users to choose if they want to save all incoming multimedia files on internal or external storage of their device. However, WhatsApp for Android by default automatically stores media files in the external storage, while Telegram for Android uses internal storage to store users files that are not accessible to any othe
Over 1,300 Android Apps Caught Collecting Data Even If You Deny Permissions

Over 1,300 Android Apps Caught Collecting Data Even If You Deny Permissions

July 09, 2019Mohit Kumar
Smartphones are a goldmine of sensitive data, and modern apps work as diggers that continuously collect every possible information from your devices. The security model of modern mobile operating systems, like Android and iOS, is primarily based on permissions that explicitly define which sensitive services, device capabilities, or user information an app can access, allowing users decide what apps can access. However, new findings by a team of researchers at the International Computer Science Institute in California revealed that mobile app developers are using shady techniques to harvest users' data even after they deny permissions. In their talk " 50 Ways to Pour Your Data " [ PDF ] at PrivacyCon hosted by the Federal Trade Commission last Thursday, researchers presented their findings that outline how more than 1,300 Android apps are collecting users' precise geolocation data and phone identifiers even when they've explicitly denied the required permi
Android July 2019 Security Update Patches 33 New Vulnerabilities

Android July 2019 Security Update Patches 33 New Vulnerabilities

July 02, 2019Swati Khandelwal
Google has started rolling out this month's security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity. The vulnerabilities affect various Android components, including the Android operating system, framework, library, media framework, as well as Qualcomm components, including closed-source components. Three of the critical vulnerabilities patched this month reside in Android's Media framework, the most severe of which could allow a remote attacker to execute arbitrary code on a targeted device, within the context of a privileged process, by convincing users into opening a specially crafted malicious file. "The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypas
Android's Built-in Security Key Now Works With iOS Devices For Secure Login

Android's Built-in Security Key Now Works With iOS Devices For Secure Login

June 12, 2019Mohit Kumar
In April this year, a software update from Google overnight turned all Android phones , running Android 7.0 Nougat and up, into a FIDO-certified hardware security key as part of a push to encourage two-step verification. The feature made it possible for users to confirm their identity when logging into a Google account more effortless and secure, without separately managing and plugging-in a Yubico's YubiKey or Google's Titan key . "FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page, so that an attacker can't access your account even if you are tricked into providing your username and password," Google said . Android's security key feature until now was only compatible with Bluetooth-enabled Chrome OS, macOS, or Windows 10 devices over the Chrome browser. However, the latest update from Google now allow
Tor Browser for Android — First Official App Released On Play Store

Tor Browser for Android — First Official App Released On Play Store

May 23, 2019Wang Wei
Wohooo! Great news for privacy-focused users. Tor Browser, the most popular privacy-focused browser, for Android is finally out of beta, and the first stable version has now arrived on Google Play Store for anyone to download. The Tor Project announced Tuesday the first official stable release of its ultra-secure internet browser for Android devices, Tor Browser 8.5 —which you can now download for FREE on your mobile devices from Google Play Store. Tor Browser is mostly used by privacy-focused people, activists, journalists, and even cyber criminal gangs to avoid government monitoring. It allows users to browse the Internet anonymously, by hiding their IP addresses and identity, through a network of encrypted servers that bounce their web requests around multiple intermediate links. Access to Tor anonymity network was previously available on Android mobile operating system only through other apps or browsers like Orbot / Orfox app, but you can now use the official Tor Brow
US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei

US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei

May 20, 2019Mohit Kumar
Google has reportedly suspended all businesses with the world's second-biggest smartphone maker, Huawei, and revoked its Android license effective immediately—a move that will have a drastic impact on Huawei devices across the globe. Revoking Android license means Huawei future smartphones will no longer have access to Android updates and apps like Gmail or the Play Store, as well as Google technical support beyond services that are publicly available via open source licensing, Reuters report. Why? That's because last week, U.S. President Donald Trump signed an executive order declaring a national emergency banning foreign companies—over surveillance fear—from doing telecommunication business in the United States without the government's approval. About the executive order, White House Press Secretary Sarah Sanders said in a statement that President Trump "has made it clear that this Administration will do what it takes to keep America safe and prosperous, an
Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

April 16, 2019Swati Khandelwal
Even after Google's security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store. Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers' existing accounts, is enough for 'bad-faith' developers to trick the Play Store into distributing unsafe apps to Android users. Since the mobile device platform is growing rapidly, every new effort Google makes apparently comes with trade-offs. For example, Google recently made some changes in its Play Store policies and added new restriction in Android APIs that now makes it mandatory for every new app to undergo rigorous security testing and review process before appearing in the Google Play Store. These efforts also include: restricting developers from abusing Android accessibility services, restricting apps access to certain permissions like call logs and SMS permi
'Exodus' Surveillance Malware Found Targeting Apple iOS Users

'Exodus' Surveillance Malware Found Targeting Apple iOS Users

April 09, 2019Swati Khandelwal
Cybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store. Dubbed Exodus , as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year. Unlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers. Since Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store. "Each of the phishing sites contained links to a distribution manifest, which contained metadata
Unpatched Flaw in Xiaomi's Built-in Browser App Lets Hackers Spoof URLs

Unpatched Flaw in Xiaomi's Built-in Browser App Lets Hackers Spoof URLs

April 05, 2019Mohit Kumar
EXCLUSIVE — Beware, if you are using a Xiaomi's Mi or Redmi smartphone, you should immediately update its built-in MI browser or the Mint browser available on Google Play Store for non-Xiaomi Android devices. That's because both web browser apps created by Xiaomi are vulnerable to a critical vulnerability which has not yet been patched even after being privately reported to the company, a researcher told The Hacker News. The vulnerability, identified as CVE-2019-10875 and discovered by security researcher Arif Khan , is a browser address bar spoofing issue that originates because of a logical flaw in the browser's interface, allowing a malicious website to control URLs displayed in the address bar. According to the advisory, affected browsers are not properly handling the "q" query parameter in the URLs, thus fail to display the portion of an https URL before the ?q= substring in the address bar. Since the address bar of a web browser is the most r
Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

April 04, 2019Swati Khandelwal
What could be worse than this, if the software that's meant to protect your devices leave backdoors open for hackers or turn into malware? Researchers today revealed that a security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China's biggest and world's 4th largest smartphone company, was suffering from multiple issues that could have allowed remote hackers to compromise Xiaomi smartphones. According to CheckPoint, the reported issues resided in one of the pre-installed application called, Guard Provider , a security app developed by Xiaomi that includes three different antivirus programs packed inside it, allowing users to choose between Avast, AVL, and Tencent. Since Guard Provider has been designed to offer multiple 3rd-party programs within a single app, it uses several Software Development Kits (SDKs), which according to researchers is not a great idea because data of one SDK cannot be isolated and any issue in one of
Android Q — Google Adds New Mobile Security and Privacy Features

Android Q — Google Adds New Mobile Security and Privacy Features

March 19, 2019Swati Khandelwal
Google has recently released the first beta version of Android Q, the next upcoming version of Google's popular mobile operating system, with a lot of new privacy improvements and other security enhancements. Android Q, where Q has not yet been named, offers more control over installed apps, their access, and permissions, and location settings; more support for passive authentication like face ID, and warnings when you install a new app targeting Android Marshmallow or older. Instead of directly going through dozens of different pages Google published about Android Q, here I have summarized all new privacy and security features of the new version of Android you can quickly learn from: 1) Stop Android Apps From Tracking Your Location in the Background Android Q gives you more control over how an app can use your device location information. Currently, you have a single option to either allow or deny an app access to your device location, doesn't matter if it is in-use
Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins

Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins

February 25, 2019Swati Khandelwal
Great news. If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above—Congratulations! Your device is now FIDO2 Certified. Are you thinking… what the heck that actually means? It means, instead of remembering complex passwords for your online accounts, you can now actually use your Android's built-in fingerprint sensor or FIDO security keys for secure password-less access to log into apps and websites that support the FIDO2 protocols, Google and the FIDO Alliance—a consortium that develops open source authentication standards—announced Monday. FIDO2 (Fast Identity Online) protocol offers strong passwordless authentication based on standard public key cryptography using hardware FIDO authenticators like security keys, mobile phones, and other built-in devices. FIDO2 protocol is a combination of W3C's WebAuthn API that allows developers to integrate FIDO aut
How to Stop Facebook App From Tracking Your Location In the Background

How to Stop Facebook App From Tracking Your Location In the Background

February 22, 2019Swati Khandelwal
Every app installed on your smartphone with permission to access location service "can" continually collect your real-time location secretly, even in the background when you do not use them. Do you know? — Installing the Facebook app on your Android and iOS smartphones automatically gives the social media company your rightful consent to collect the history of your precise location. If you are not aware, there is a setting called "Location History" in your Facebook app that comes enabled by default, allowing the company to track your every movement even when you are not using the social media app. So, every time you turn ON location service/GPS setting on your smartphone, let's say for using Uber app or Google Maps, Facebook starts tracking your location. Users can manually turn Facebook's Location History option OFF from the app settings to completely prevent Facebook from collecting your location data, even when the app is in use. However, unf
Several Popular Beauty Camera Apps Caught Stealing Users' Photos

Several Popular Beauty Camera Apps Caught Stealing Users' Photos

February 04, 2019Swati Khandelwal
Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been downloaded more than 4 million times before Google removed them from its app store. The mobile apps in question disguised as photo editing and beauty apps purporting to use your mobile phone's camera to take better pictures or beautify the snaps you shoot, but were found including code that performs malicious activities on their users' smartphone. Three of the rogue apps—Pro Camera Beauty, Cartoon Art Photo and Emoji Camera—have been downloaded more than a million times each, with Artistic Effect Filter being installed over 500,000 times and another seven apps in the list over 100
New Android Malware Apps Use Motion Sensor to Evade Detection

New Android Malware Apps Use Motion Sensor to Evade Detection

January 18, 2019Mohit Kumar
Even after so many efforts by Google for preventing its Play Store from malware, shady apps somehow managed to fool its anti-malware protections and get into its service to infect Android users with malware. Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have already downloaded them with banking malware. The apps in question masquerade as a currency exchange app called Currency Converter and battery saver app called BatterySaverMobi , and are using motion-sensor inputs of infected Android devices to monitor them before installing a dangerous banking Trojan called Anubis. The malicious Android apps, with a large number of fake five-star reviews, use this clever trick instead of traditional evasion techniques in order to avoid detection when researchers run emulators (which are less likely to use sensors) to detect such malicious apps. &quo
A Twitter Bug Left Android Users' Private Tweets Exposed For 4 Years

A Twitter Bug Left Android Users' Private Tweets Exposed For 4 Years

January 18, 2019Swati Khandelwal
Twitter just admitted that the social network accidentally revealed some Android users' protected tweets to the public for more than 4 years — a kind of privacy blunder that you'd typically expect from Facebook . When you sign up for Twitter, all your Tweets are public by default, allowing anyone to view and interact with your Tweets. Fortunately, Twitter also gives you control of your information, allowing you to choose if you want to keep your Tweets protected. Enabling "Protect your Tweets" setting makes your tweets private, and you'll receive a request whenever new people want to follow you, which you can approve or deny. It's just similar to private Facebook updates that limit your information to your friends only. In a post on its Help Center on Thursday, Twitter disclosed a privacy bug dating back to November 3, 2014, potentially caused the Twitter for Android app to disable the "Protect your Tweets" setting for users without their k
Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

January 03, 2019Swati Khandelwal
Google has finally patched a privacy vulnerability in its Chrome web browser for Android that exposes users' device model and firmware version, eventually enabling remote attackers to identify unpatched devices and exploit known vulnerabilities. The vulnerability, which has not yet given any CVE number, is an information disclosure bug that resides in the way the Google Chrome for Android generates 'User Agent' string containing the Android version number and build tag information, which includes device name and its firmware build. This information is also sent to applications using WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which they are running. For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36 Yakov Shafranovich, a contributor at Nightwatch Cybersecurity firm, initially reported this issue to Google three years a
New Android API Lets Developers Push Updates Within their Apps

New Android API Lets Developers Push Updates Within their Apps

November 08, 2018Mohit Kumar
You might have read somewhere online today that Google is granting Android app developers powers to forcefully install app updates…but it is not true. Instead, the tech giant is providing a new feature that will help users to have up-to-date Android apps all the time and yes, it's optional. Along with the launch of a number of new tools and features at its Android Dev Summit 2018 , Google has also launched the a new API, called "In-app Updates," which aims to help developers ensure that users are running the latest and greatest version of their app. "We've heard that you'd like more controls to ensure that users are running the latest and greatest version of your app. To address this, we're launching an In-app Updates API," Google said . How Does Android's New In-app Updates API Work? It should be noted that the Android's new In-app Updates API doesn't force or lock out users from the app if they chose not to update it. In
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.