#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

smartphone security | Breaking Cybersecurity News | The Hacker News

Category — smartphone security
New 5G Modem Flaws Affect iOS Devices and Android Models from Major Brands

New 5G Modem Flaws Affect iOS Devices and Android Models from Major Brands

Dec 08, 2023 Vulnerability / Mobile Network
A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called  5Ghoul  (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities. "5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers  said  in a study published today. As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google. The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated ...
Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments

Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments

Aug 12, 2022
Security flaws have been identified in Xiaomi Redmi Note 9T and Redmi Note 11 models, which could be exploited to disable the mobile payment mechanism and even forge transactions via a rogue Android app installed on the devices. Check Point said it found the flaws in devices powered by MediaTek chipsets during a security analysis of the Chinese handset maker's Trusted Execution Environment (TEE), which is used to perform mobile payment signatures A TEE refers to a  secure enclave  inside the main processor that's used to process and store sensitive information such as cryptographic keys so as to ensure confidentiality and integrity. Specifically, the Israeli cybersecurity firm discovered that a trusted app on a Xiaomi device can be downgraded due to a lack of version control, enabling an attacker to replace a newer, secure version of an app with an older, vulnerable variant. "Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps ...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Google offers up to $1.5 million bounty for remotely hacking Titan M chip

Google offers up to $1.5 million bounty for remotely hacking Titan M chip

Nov 22, 2019
With its latest announcement to increase bug bounty rewards for finding and reporting critical vulnerabilities in the Android operating system, Google yesterday set up a new challenging level for hackers that could let them win a bounty of up to $1.5 million. Starting today, Google will pay $1 million for a "full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices," the tech giant said in a blog post published on Thursday. Moreover, if someone manages to achieve the same in the developer preview versions of Android, Google will pay an additional $500,000, making the total to $1.5 million—that's 7.5 times more than the previous top Android reward. Introduced within the Pixel 3 smartphones last year, Google's Titan M secure element is a dedicated security chip that sits alongside the main processor, primarily designed to protect devices against the boot-time attacks. In other words, Titan M chip...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

Jul 17, 2019
Earlier this month, The Hacker News covered a story on research revealing how over 1300 Android apps are collecting sensitive data even when users have explicitly denied the required permissions. The research was primarily focused on how app developers abuse multiple ways around to collect location data, phone identifiers, and MAC addresses of their users by exploiting both covert and side channels. Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone's loudspeakers without requiring any device permission. Abusing Android Accelerometer to Capture Loudspeaker Data Dubbed Spearphone , the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions. An ...
Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Apr 16, 2019
Even after Google's security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store. Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers' existing accounts, is enough for 'bad-faith' developers to trick the Play Store into distributing unsafe apps to Android users. Since the mobile device platform is growing rapidly, every new effort Google makes apparently comes with trade-offs. For example, Google recently made some changes in its Play Store policies and added new restriction in Android APIs that now makes it mandatory for every new app to undergo rigorous security testing and review process before appearing in the Google Play Store. These efforts also include: restricting developers from abusing Android accessibility services, restricting apps access to certain permissions like call logs and SMS permi...
Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

Apr 04, 2019
What could be worse than this, if the software that's meant to protect your devices leave backdoors open for hackers or turn into malware? Researchers today revealed that a security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China's biggest and world's 4th largest smartphone company, was suffering from multiple issues that could have allowed remote hackers to compromise Xiaomi smartphones. According to CheckPoint, the reported issues resided in one of the pre-installed application called, Guard Provider , a security app developed by Xiaomi that includes three different antivirus programs packed inside it, allowing users to choose between Avast, AVL, and Tencent. Since Guard Provider has been designed to offer multiple 3rd-party programs within a single app, it uses several Software Development Kits (SDKs), which according to researchers is not a great idea because data of one SDK cannot be isolated and any issue in one of ...
Police Can't Force You To Unlock Your Phone Using Face or Fingerprint Scan

Police Can't Force You To Unlock Your Phone Using Face or Fingerprint Scan

Jan 15, 2019
Can feds force you to unlock your iPhone or Android phone? ..."NO" A Northern California judge has ruled that federal authorities can't force you to unlock your smartphone using your fingerprints or other biometric features such as facial recognition—even with a warrant. The ruling came in the case of two unspecified suspects allegedly using Facebook Messenger to threaten a man with the release of an "embarrassing video" to the public if he did not hand over money. The federal authorities requested a search warrant for an Oakland residence, seeking to seize multiple devices connected to the suspects and then compel anybody on the premises at the time of their visit to unlock the devices using fingerprint, facial or iris recognition. However, Magistrate Judge Kandis Westmore of the U.S. District Court for the Northern District of California turned down the request, ruling the request was "overbroad and neither limited to a particular person nor ...
Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

Google Partially Patches Flaw in Chrome for Android 3 Years After Disclosure

Jan 03, 2019
Google has finally patched a privacy vulnerability in its Chrome web browser for Android that exposes users' device model and firmware version, eventually enabling remote attackers to identify unpatched devices and exploit known vulnerabilities. The vulnerability, which has not yet given any CVE number, is an information disclosure bug that resides in the way the Google Chrome for Android generates 'User Agent' string containing the Android version number and build tag information, which includes device name and its firmware build. This information is also sent to applications using WebView and Chrome Tabs APIs, which can be used to track users and fingerprint devices on which they are running. For example: Mozilla/5.0 (Linux; Android 5.1.1; Nexus 6 Build/LYZ28K ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.34 Mobile Safari/537.36 Yakov Shafranovich, a contributor at Nightwatch Cybersecurity firm, initially reported this issue to Google three years a...
OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader

OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader

Nov 14, 2017
Another terrible news for OnePlus users. Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets. A Twitter user, who goes by the name "Elliot Anderson" ( named after Mr. Robot's main character ), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices. The application in question is " EngineerMode ," a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device. This APK comes pre-installed ( accidentally left behind ) on most OnePlus devices, including OnePlus 2, 3, 3T, and the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5. You can also check if this application is installed on your OnePlus device or not. For this, simply go t...
How To Keep Your Android Phone Secure

How To Keep Your Android Phone Secure

Feb 26, 2016
As the number of threats is on the rise, Android platform is no longer safe, which isn't a surprise to anyone. Most of us are usually worried more about the security of our desktops or laptops and forget to think about the consequences our smartphones can make if compromised or stolen. Unlike desktops, your smartphones and tablets carry all sorts of information from your personal photographs, important emails, messages to your sensitive financial details. And due to rise in mobile usage, the hackers have shifted their interest from desktops to the mobile platform. Nowadays, nearly all possible threats that were previously attacking desktop platform are now targeting smartphone users. Ransomware , Phishing, Spams, Spyware, Botnets, Banking Malware , OS and Software vulnerabilities, just to name a few examples, but users don't understand the potential threat when it comes to mobile devices. Additionally, your smartphones and tablets are also subjectable mo...
ENCRYPT Act of 2016 — Proposed Bill Restricts States to Ban Encryption

ENCRYPT Act of 2016 — Proposed Bill Restricts States to Ban Encryption

Feb 11, 2016
The last year's ISIS-linked terror attacks in Paris and California has sparked debate on Encryption, and the intelligent agencies started reviving their efforts to weaken encryption on various encrypted products and services. But, there is some Good News! California Congressman and Texas Republican are now challenging state-level proposals to restrict US citizens' ability to encrypt their smartphones. On Wednesday, California Congressman Ted Lieu , one of four members of Congress, and Texas Republican Blake Farenthold , a member of the House Oversight and House Judiciary committees, introduced a new bill in Congress that… …attempts to ban states efforts to implement their own anti-encryption policies at a state level while a national debate on Encryption is ongoing. The bill, called " Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016 " – in short, " ENCRYPT Act of 2016 " – would stop states fr...
Police Using Planes Equipped with Dirtbox to Spy on your Cell Phones

Police Using Planes Equipped with Dirtbox to Spy on your Cell Phones

Jan 29, 2016
The Anaheim Police Department of California — Home of Disneyland — admitted that they used special Cell Phone surveillance technology, known as DirtBox , mounted on aircraft to track millions of mobile users activities. More than 400 pages of new documents [ PDF ] published Wednesday revealed that Local Police and federal authorities are using, DRTBox , an advanced version of Dirtbox developed by Digital Receiver Technology ( Boeing's  Maryland-based  subsidiary ). DRTBox — Spies in the Sky DRTBox is a military surveillance technology that has capabilities of both Stingray as well as Dirtbox, allowing the police to track, intercept thousands of cellphone calls and quietly eavesdrop on conversations, emails, and text messages. According to the report, DRTBox model is also capable of simultaneously breaking the encryption hundreds of cellphone communications at once, helping Anaheim Police Department track criminals while recording innocent citizens' infor...
Samsung Get Sued for Failing to Update its Smartphones

Samsung Get Sued for Failing to Update its Smartphones

Jan 22, 2016
One of the world's largest smartphone makers is being sued by the Dutch Consumers' Association (DCA) for its lack in providing timely software updates to its Android smartphones. This doesn't surprise me, though. The majority of manufacturers fail to deliver software updates for old devices for years. However, the consumer protection watchdog in The Netherlands, The Dutch Consumentenbond, filed a lawsuit against Samsung, due to the manufacturer's grip over the local market compared to other manufacturers. Last year, the discovery of the scary Stagefright Security Bug , which affected over 1 Billion Android devices worldwide, forced Samsung to implement a security update process that " fast tracks the security patches over the air when security vulnerabilities are uncovered a security update process that " fast tracks the security patches over the air when security vulnerabilities are uncovered, " and that the security updates will...
Signal 2.0 — Free iPhone App for Encrypted Calls and Texts

Signal 2.0 — Free iPhone App for Encrypted Calls and Texts

Mar 03, 2015
An open source software group, Open Whisper Systems , has announced the release of Signal 2.0 — the second version of its free and open source messaging application for iPhone and iPad users. Signal  app is specifically designed to make secure and easy-to-use encrypted voice calling. But that's what the application was providing in its previous release introduced last July with  Signal 1.0 . Apple's iMessage also provides encrypted communication, but it was challenged by security researchers in 2013, revealing that  Apple controls the key infrastructure  and could, in turn, be compelled to change a key anytime they want, and read the content of your messages. But there was no way to send secure messages from an iPhone iMessage to an Android phone, or vice versa, unless you signed up for a monthly subscription plan and got the person you wanted to communicate with to sign up for it too. GAME CHANGER: SIGNAL 2.0 Signal 2.0 lets you send end-to-end encry...
Carriers Enhance Mobile Security to Combat Attacks and Breaches

Carriers Enhance Mobile Security to Combat Attacks and Breaches

Dec 28, 2011
Carriers, developers, and phone makers are rolling out new services and features to protect mobile devices from malicious attacks and data breaches. As people increasingly use smartphones for email, banking, and document access, the wireless industry is addressing mobile device security. According to Chris Knotts, vice president of technology and innovation at IT consulting company Force 3, there is a "consumerization of IT," where more employees use personal mobile devices like smartphones, laptops, and tablets for work purposes. IT administrators recognize that mobile devices are here to stay and need to be secured against attacks and data breaches. This effort extends beyond IT administrators. Carriers and phone makers are deploying new features and services to enhance mobile device security, as noted by the Wall Street Journal. Edward G. Amoroso, chief security officer of AT&T, stated, "Everyone is realizing that this is an uncontrolled environment. We don'...
Expert Insights / Articles Videos
Cybersecurity Resources