The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: mobile security

BRATA Malware Poses as Android Security Scanners on Google Play Store

BRATA Malware Poses as Android Security Scanners on Google Play Store

April 12, 2021Ravie Lakshmanan
A new set of malicious Android apps have been caught posing as app security scanners on the official Play Store to distribute a backdoor capable of gathering sensitive information. "These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services," cybersecurity firm McAfee  said  in an analysis published on Monday. The apps in question were designed to target users in Brazil, Spain, and the U.S., with most of them accruing anywhere between 1,000 to 5,000 installs. Another app named DefenseScreen racked up 10,000 installs before it was removed from the Play Store last year. First documented by Kaspersky in August 2019,  BRATA  (short for "Brazilian Remote Access Tool Android") emerged as an Android malware with screen recording abilities before steadily morphing into a banking trojan. "It combines full device control capabilitie
Hackers Tampered With APKPure Store to Distribute Malware Apps

Hackers Tampered With APKPure Store to Distribute Malware Apps

April 09, 2021Ravie Lakshmanan
APKPure, one of the largest alternative app stores outside of the Google Play Store, was infected with malware this week, allowing threat actors to distribute Trojans to Android devices. In a supply-chain attack similar to that of German telecommunications  equipment manufacturer Gigaset , the APKPure client version 3.17.18 is said to have been tampered with in an attempt to trick unsuspecting users into downloading and installing malicious applications linked to the malicious code built into the APKpure app. The development was reported by researchers from  Doctor Web  and  Kaspersky . "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing and uninstalling software without users' permission," Doctor Web researchers said. According to Kaspersky, the APKPure version 3.17.18 was tweaked to incorporate an advertisement SDK that acts as a Trojan dropper designed to deliver other malware to a victim's device. "This
Gigaset Android Update Server Hacked to Install Malware on Users' Devices

Gigaset Android Update Server Hacked to Install Malware on Users' Devices

April 09, 2021Ravie Lakshmanan
Gigaset has revealed a malware infection discovered in its Android devices was the result of a compromise of a server belonging to an external update service provider. Impacting older smartphone models — GS100, GS160, GS170, GS180, GS270 (plus), and GS370 (plus) series — the malware took the form of multiple  unwanted apps  that were downloaded and installed through a pre-installed system update app. The infections are said to have occurred starting  March 27 . The German manufacturer of telecommunications devices said it took steps to alert the update service provider of the issue, following which further infections were prevented on April 7. "Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data). We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within 8 hours," the comp
Google limits which apps can access the list of installed apps on your device

Google limits which apps can access the list of installed apps on your device

April 02, 2021Ravie Lakshmanan
Apps on Android have been able to infer the presence of specific apps, or even collect the full list of installed apps on the device. What's more, an app can also set to be notified when a new app is installed. Apart from all the usual concerns about misuse of such a data grab, the information can be abused by a potentially harmful app to fingerprint other installed apps, check for the  presence of antivirus ,  affiliate fraud , and even for targeted ads.  In 2014, Twitter  began  tracking the list of apps installed on users' devices as part of its "app graph" initiative with an aim to deliver tailored content. Digital wallet company MobiKwik was also caught  collecting information  about installed apps in the wake of a data breach that came to light earlier this week. Indeed, a study undertaken by a group of Swiss researchers in 2019  found  that "free apps are more likely to query for such information and that third-party libraries (libs) are the main requ
WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack

WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack

March 22, 2021Ravie Lakshmanan
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device's memory. "There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18. CVE-2020-11261 was discovered and reported to Qualcomm by Google's Android Security team on July 20, 2020, after which it was fixed in January 2021. It's worth noting that the access vector for the vulnerability is "local," meaning that exploitation requires local access to the device. In other words, to launch a successful attack, the
Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping

Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping

February 17, 2021Ravie Lakshmanan
A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls. That's according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.io's SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and Skout; healthcare apps like Talkspace, Practo, and Dr. First's Backline; and in the Android app that's paired with "temi" personal robot. California-based Agora is a video, voice, and live interactive streaming platform, allowing developers to embed voice and video chat, real-time recording, interactive live streaming, and real-time messaging into their apps. The company's SDKs are estimated to be embedded into mobile, web, and desktop applications across more than 1.7 billion devices globally. McAfee disclosed the flaw (CVE-2020-25605) to Agora.io on April 20
Unpatched ShareIT Android App Flaw Could Let Hackers Inject Malware

Unpatched ShareIT Android App Flaw Could Let Hackers Inject Malware

February 16, 2021Ravie Lakshmanan
Multiple unpatched vulnerabilities have been discovered in SHAREit , a popular app with over one billion downloads, that could be abused to leak a user's sensitive data, execute arbitrary code, and possibly lead to remote code execution. The findings come from cybersecurity firm Trend Micro's analysis of the Android version of the app, which allows users to share or transfer files between devices. But in a worrisome twist, the flaws are yet to be patched by Smart Media4U Technology Pte. Ltd., the Singapore-based developer of the app, despite responsible disclosure three months ago. "We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps' permission," Trend Micro researcher Echo Duan  said  in a write-up. "It is also not easily detectable." One of the flaws arises from the manner the app facilitates sharing of
LodaRAT Windows Malware Now Also Targets Android Devices

LodaRAT Windows Malware Now Also Targets Android Devices

February 10, 2021Ravie Lakshmanan
A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives. "The developers of  LodaRAT  have added Android as a targeted platform," Cisco Talos researchers  said  in a Tuesday analysis. "A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities." Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted. The reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor. First documented in May 2017 by  Proofpoint , Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture oth
Italy CERT Warns of a New Credential Stealing Android Malware

Italy CERT Warns of a New Credential Stealing Android Malware

January 28, 2021Ravie Lakshmanan
Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. Dubbed " Oscorp " by Italy's CERT-AGID and spotted by  AddressIntel , the malware "induce(s) the user to install an accessibility service with which [the attackers] can read what is present and what is typed on the screen." So named because of the title of the login page of its command-and-control (C2) server, the malicious APK (called "Assistenzaclienti.apk" or "Customer Protection") is  distributed  via a domain named "supportoapp[.]com," which upon installation, requests intrusive permissions to enable the accessibility service and establishes communications with a C2 server to retrieve additional commands. Furthermore, the malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage stati
Beware — A New Wormable Android Malware Spreading Through WhatsApp

Beware — A New Wormable Android Malware Spreading Through WhatsApp

January 24, 2021Ravie Lakshmanan
A newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign. "This malware spreads via victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app," ESET researcher Lukas Stefanko said. The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website. Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack. Specifically, it leverages WhatApp's quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically. Besides requesting permissions to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps,
Several Unpatched Popular Android Apps Put Millions of Users at Risk of Hacking

Several Unpatched Popular Android Apps Put Millions of Users at Risk of Hacking

December 03, 2020Ravie Lakshmanan
A number of high-profile Android apps are still using an unpatched version of Google's widely-used app update library, potentially putting the personal data of hundreds of millions of smartphone users at risk of hacking. Many popular apps, including Grindr, Bumble, OkCupid, Cisco Teams, Moovit, Yango Pro, Microsoft Edge, Xrecorder, and PowerDirector, are still vulnerable and can be hijacked to steal sensitive data, such as passwords, financial details, and e-mails. The bug, tracked as  CVE-2020-8913 , is rated 8.8 out of 10.0 for severity and impacts Android's Play Core Library versions prior to  1.7.2 . Although Google addressed the vulnerability in March,  new findings  from Check Point Research show that many third-party app developers are yet to integrate the new Play Core library into their apps to mitigate the threat fully. "Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side
Incomplete 'Go SMS Pro' Patch Left Millions of Users' Data Still Exposed Online

Incomplete 'Go SMS Pro' Patch Left Millions of Users' Data Still Exposed Online

December 01, 2020Ravie Lakshmanan
A week after cybersecurity researchers disclosed a flaw in the popular GO SMS Pro messaging app, it appears the developers of the app are silently taking steps to fix the issue from behind the scenes. The  security misstep  made it possible for an attacker to come up with a trivial script to access media files transferred between users, including private voice messages, photos, and videos, stored on an unauthenticated, publicly accessible server. Although the behavior was observed on version 7.91 of GO SMS Pro for Android, the app makers have since released three subsequent updates, two of which (v7.93 and v7.94) were pushed to the Google Play Store after public disclosure of the flaw and Google's removal of the app from the marketplace. Google reinstated the app back to the Play Store on November 23. Now following an analysis of the updated versions, Trustwave researchers said , "GOMO is attempting to fix the issue, but a complete fix is still not available in the app.&
WARNING: Unpatched Bug in GO SMS Pro App Exposes Millions of Media Messages

WARNING: Unpatched Bug in GO SMS Pro App Exposes Millions of Media Messages

November 19, 2020Ravie Lakshmanan
GO SMS Pro, a popular messaging app for Android with over 100 million installs, has been found to have an unpatched security flaw that publicly exposes media transferred between users, including private voice messages, photos, and videos. "This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user," Trustwave Senior Security Consultant Richard Tan said in a report shared with The Hacker News. According to Trustwave SpiderLabs, the shortcoming was spotted in version 7.91 of the app, which was released on the Google Play Store on February 18, 2020. The cybersecurity firm said it attempted to contact the app makers multiple times since August 18, 2020, without receiving a response. But checking the app's changelog, GO SMS Pro received an update (v7.92) on September 29, followed by another subsequent update, which was published yesterday. The latest updates to the app, however
Watch Out! New Android Banking Trojan Steals From 112 Financial Apps

Watch Out! New Android Banking Trojan Steals From 112 Financial Apps

November 09, 2020Ravie Lakshmanan
Four months after security researchers uncovered a " Tetrade " of four Brazilian banking Trojans targeting financial institutions in Brazil, Latin America, and Europe, new findings show that the criminals behind the operation have expanded their tactics to infect mobile devices with spyware. According to Kaspersky's Global Research and Analysis Team (GReAT), the Brazil-based threat group Guildma has deployed " Ghimob ," an Android banking Trojan targeting financial apps from banks, fintech companies, exchanges, and cryptocurrencies in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique. "Ghimob is a full-fledged spy in your pocket: once infection is completed, the hacker can access the infected device remotely, completing the fraudulent transaction with the victim's smartphone, so as to avoid machine identification, security measures implemented by financial institutions and all their anti-fraud behavioral systems," the cybersecur
Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone

Major Instagram App Bug Could've Given Hackers Remote Access to Your Phone

September 24, 2020Ravie Lakshmanan
Ever wonder how hackers can hack your smartphone remotely? In a report shared with The Hacker News today, Check Point researchers disclosed details about a  critical vulnerability  in Instagram's Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. What's more worrisome is that the flaw not only lets attackers perform actions on behalf of the user within the Instagram app—including spying on victim's private messages and even deleting or posting photos from their accounts—but also execute arbitrary code on the device. According to an  advisory  published by Facebook, the heap overflow security issue (tracked as CVE-2020-1895 , CVSS score: 7.8) impacts all versions of the Instagram app prior to 128.0.0.26.128, which was released on February 10 earlier this year. "This [flaw] turns the device into a tool for spying on targeted users without their knowledge, as well as enabling
Android 11 — 5 New Security and Privacy Features You Need to Know

Android 11 — 5 New Security and Privacy Features You Need to Know

September 18, 2020Anchit Sharma
After a long wait and months of beta testing, Google last week finally released Android 11 , the latest version of the Android mobile operating system—with features offering billions of its users more control over their data security and privacy. Android security is always a hot topic and almost always for the wrong reason, including Google's failure to prevent malicious apps from being distributed through the Play Store, over-claim of permissions by apps, and privacy leakages. Though most of such issues can be avoided as long as users take advantage of already available features and a little common sense, most users are still not aware of or following basic security practices. According to Google's latest announcement, the latest Android 11 OS includes a few new built-in measures designed to keep users' data secure by default, increase transparency, and offer better control. Instead of diving deep into smaller or more extensive changes, we have summarized some critica
Popular iOS SDK Accused of Spying on Billions of Users and Committing Ad Fraud

Popular iOS SDK Accused of Spying on Billions of Users and Committing Ad Fraud

August 25, 2020Ravie Lakshmanan
A popular iOS software development kit (SDK) used by over 1,200 apps—with a total of more than a billion mobile users—is said to contain malicious code with the goal of perpetrating mobile ad-click fraud and capturing sensitive information. According to a report published by cybersecurity firm Snyk , Mintegral — a mobile programmatic advertising platform owned by Chinese mobile ad tech company Mobvista — includes an SDK component that allows it to collect URLs, device identifiers, IP Address, operating system version, and other user sensitive data from compromised apps to a remote logging server. The malicious iOS SDK has been named "SourMint" by Snyk researchers. "The malicious code can spy on user activity by logging URL-based requests made through the app," Snyk's Alyssa Miller said in a Monday analysis. "This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive in
7 Ways Hackers and Scammers Are Exploiting Coronavirus Panic

7 Ways Hackers and Scammers Are Exploiting Coronavirus Panic

April 09, 2020Ravie Lakshmanan
In our previous stories, you might have already read about various campaigns warning how threat actors are capitalizing on the ongoing coronavirus pandemic in an attempt to infect your computers and mobile devices with malware or scam you out of your money. Unfortunately, to some extent, it's working, and that's because the attack surface is changing and expanding rapidly as many organizations and business tasks are going digital without much preparation, exposing themselves to more potential threats. Most of the recent cyberattacks are primarily exploiting the fears around the COVID-19 outbreak—fueled by disinformation and fake news—to distribute malware via Google Play apps , malicious links and attachments, and execute ransomware attacks. Here, we took a look at some of the wide range of unseen threats rising in the digital space, powered by coronavirus-themed lures that cybercriminals are using for espionage and commercial gain. The latest development adds to a l
Hackers Used Local News Sites to Install Spyware On iPhones

Hackers Used Local News Sites to Install Spyware On iPhones

March 27, 2020Ravie Lakshmanan
A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices. According to research published by Trend Micro and Kaspersky , the " Operation Poisoned News " attack leverages a remote iOS exploit chain to deploy a feature-rich implant called 'LightSpy' through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control. Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim's device and load it with malware. The APT group, dubbed "TwoSail Junk" by Kaspersky, is said to be leveraging vulnerabilities present in iOS 12.1 and 12.2 spanning all models from iPhone 6 to the iPhone X, with the attac
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.