Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Tuesday, November 08, 2016 Wang Wei

Over 300,000 Android Devices Hacked Using Chrome Browser Vulnerability
A vulnerability in Chrome for Android is actively being exploited in the wild that allows hackers to quietly download banking trojan apps (.apk) onto victim's’ device without their confirmation.

You might have encountered a pop-up advertisement that appears out of nowhere and surprise you that your mobile device has been infected with a dangerous virus and instructs you to install a security app to remove it immediately.

This malicious advertising web page automatically downloads an Android app installation (.apk) file to your device without requiring any approval.

Citing malware threats on your mobile device, attackers trick you to change your device's settings to allow installation of the third-party apps from stores other than Google Play Store and install the banking trojan app on your device.

Kaspersky researchers Mikhail Kuzin and Nikita Buchka discovered one such widespread malicious advertising campaign across Russian news sites and popular websites.

Since this August, the Trojan has infected over 318,000 Android devices across the world — thanks to Google AdSense advertisements that was being abused to spread malicious mobile banking trojan, dubbed Svpeng.
"When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user," the duo explains in a blog post.
Google has acknowledged the issue, blocked the malicious ads and planned to patch it, although it is unclear when the next Android Chrome version will be released.

However, if Google sticks to its six-week release cycle, users can expect an update on 3rd December 2016. So, malicious actors have over three weeks to exploit the flaw.
"[The] next time they (criminals) push their adverts on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past; After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?" the pair say.
Even if the Google patch this issue with its next software update, attackers still have an evergreen technique to trick users into downloading malicious apps by exploiting vulnerabilities in popular websites.

For example, a recently disclosed XSS (Cross-Site Scripting) flaw, discovered by Indian security researcher Jitendra Jaiswal, on WhatsApp's official websites could allow attackers to trick users into downloading malware applications.

So, it is always a good idea to install apps from official Google Play Store as well as not to change default Android settings that prevent the installation of third-party apps.

So, the best recommendation for users is to think twice before installing any app (no matter how legitimate it looks) from untrusted sources or clicking on suspicious-looking links.

Wednesday, April 29, 2015 Mohit Kumar

How to Protect your Google Account with Password Alert Chrome Extension
As cybercriminals have started using sophisticated phishing techniques in an attempt to hijack online users’ account, Google on Wednesday launched a new Chrome Extension to fight against Phishing.

The search engine giant has launched a new Password Alert Chrome extension that will alert you whenever you accidentally enter your Google password on a carefully crafted phishing website that aimed at hijacking your account.

So, GO and INSTALL the freely available, open-source Password Alert extension which is now available in the Chrome Web Store.

Password Alert extension does two things:
  • Prevents you from re-using your Google account password on other websites.
  • Protects you if you've typed the same Google password on a non-Google website by generating a warning that you have just been phished and should immediately change your password.
How to Protect your Google Account with Password Alert Chrome Extension
According to the company, nearly two percent of the e-mail messages to Google's Gmail are phishing emails from cyber criminals where they aim to fool users into giving up their credentials.

Once installed and initialized, Password Alert extension stores a "scrambled" version of your Google account password in an encrypted cryptographic hash format.

Password Alert works for both Google and Google Apps for Work, providing an additional layer of security for Google's enterprise clients.

Here's how to get started with the new Password Alert extension:
  • Install Password Alert extension from the Chrome Web Store.
  • Password Alert prompts you to enter your Google account’s username and password, even if you are already logged in.
  • Once you entered the credentials, Password Alert will start monitoring where you enter your Google password.
Google also allows its users to see all the devices that have access to their Google accounts and lets you change their passwords or log out remotely using a single online dashboard.

The source code of the new Password Alert extension is available on GitHub, and there is a pre-built copy of the server.

So, now it is time to protect your Google Account with the new Password Alert Chrome extension.

NOTE: These are bunch of Android apps that I used in my smartphone to protect data and privacy of my phone. If you have some even good alternatives that you found comfortable and more secure, feel free to share with us.

Saturday, February 01, 2014 Sudhir K Bansal

Global Positioning System
A team of Researchers at Rutgers University has developed an Android application which will notify you every time, whenever an app installed on your Smartphone accesses the GPS functionality.

Smartphone is a multipurpose device, having features of both a mobile phone and a computer, allowing us to talk, text, access personal and official e-mail, browse the Internet, make purchases, manage bank accounts, and take pictures.

Smartphone also help you to find the way to your destination using GPS (Global Positioning System) technology. Unlike many of our computers, our Smartphones are always with us and many of us rarely turn them off, that means your Smartphone even can be abused to track your real time location on the map.
There are many legitimate applications which need your location in order to function properly and to enhance the app features, for example- Zomato app can give the list of all restaurants near you, WeChat like social messaging apps allows you to get the list of all users available near your location for chatting and dating and Facebook gives you a check-in facility so that you can share a place you are visiting.

Who would be interested in knowing your location? Parents, Companies, advertisers, cyber-criminals and in some situations, federal agencies. For an app with GPS location permission, it is very easy to locate your real time location and transmit the Latitude-Longitude data periodically to the app-maker.

It is already known to us that any application which has permission of accessing the location service can capture the device GPS location anytime in the background, without user interaction.

The Security app developed by the researchers will flash a notification message on the device screen that "Your location is being accessed by [app name]", as shown:
Global Positioning System
They have used a method called,'Heuristic Discovery of Location Access' which will calculate changes in the value of 'getLastKnownLocation' variable by any GPS enabled app to detect them.

"As it turns out, there is no obvious way for a normal Android app to monitor whether other apps are accessing location. However, we discovered we could exploit the method getLastKnownLocation available in the Android Location API for this purpose as an effective side channel."

But at this point, it is not clear that how much this app is accuratly able to catch the 'Location accessing' apps and the method they have mentioned could be limited to the foreground applications (the apps with a user is interacting at that time) only, rather than detecting apps while accessing your location silently in the background.

According to a study, 74% of Smartphone users use a location based service like Facebook, Whataspp, Snapchat etc. Such Security applications with detection features are the demand of time so that users can keep an eye on each and every event to protect their privacy. The app should be available on Google Play within the next two months.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!