Category Archives: Android

Samsung’s New Galaxy Tab S5e Is Its Lightest and Thinnest Tablet Ever

Samsung has unveiled the Galaxy Tab S5e, its lightest and thinnest tablet ever made. "At $399, it's not only far more affordable than the flagship $649 Samsung Galaxy Tab S4, it's arguably surpassed it in some ways," reports The Verge. From the report: For starters, the Tab S5e has the thinnest and lightest metal unibody of any Galaxy Tab, measuring 5.5mm thin and weighing just 400 grams -- even compared to the 11-inch iPad Pro at 5.9mm thick and 468 grams, the Tab S5e is both lighter and thinner. The company also claims they've maximized space with the Tab S5e's massive 81.8 percent screen-to-body ratio, which on paper, is an improvement over the Tab S4's lower 79 percent ratio. It's also right on the heels of the 11-inch iPad Pro's ~82.9 percent screen-to-body ratio. And unlike Samsung's previous attempt to make its 10.5-inch tablet more affordable, this slate doesn't skimp on the screen and not nearly as much on the processor. Samsung's Tab S5e is a 10.5-inch Super AMOLED device with a 16:10 aspect ratio and 2560 x 1600 resolution, while its octa-core Snapdragon 670 processor should provide solid mid-range performance. Samsung's also promising up to 14.5 hours of battery life. The Tab S5e is also the first tablet from the Korean tech giant to ship with Pie, the latest version of Android, along with the new Bixby 2.0 virtual assistant and information tool. Samsung is also carrying features like Dex, a desktop-style Android environment, over from other Galaxy devices, like the Note 9 and Tab S4. It allows users to interact with their device using the screen, a mouse, keyboard, or all three. Other features include AKG-tuned, quad surround sound speakers, 64GB of internal storage (microSD expandable to 512GB), with 4GB RAM (upgradable to 6GB RAM/128GB storage), and 13-megapixel back and 8-megapixel front-facing cameras. Cellular models will follow the Wi-Fi versions later this year.

Read more of this story at Slashdot.

Blog | Avast EN: Windows Malware for Macs and More Weekly News | Avast

Phishing scam has fishy URLs

There’s a phishing campaign afoot that tries scamming users into believing their email accounts have been compromised. The phishing email claims multiple verification errors have caused the users’ accounts to be blacklisted and the only fix is an immediate login with the proper credentials. The email provides a link that reads CONFIRM YOUR EMAIL, and when users click on it, they are taken to a fake login page based on their particular email service. If they enter their credentials, the info is sent back to the malware’s C&C (command-and-control server).

Blog | Avast EN

Google Play Store Malicious App Detection Up By Over 50%

In Google’s mid-year review which was announced on Wednesday, they said that Google Play Store app rejections went up 55%

Google Play Store Malicious App Detection Up By Over 50% on Latest Hacking News.

Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018

In 2010, Google launched its Vulnerability Reward Program (VRP) to help them identify bugs and other problems with their apps

Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018 on Latest Hacking News.

Google Plans Cheaper Smartphone To Draw Users Into Internet Empire

Google plans to unveil its first lower-priced smartphone this year as part of an aggressive push into hardware that it hopes will draw more users into its ecosystem, Nikkei Asian Review reported Wednesday, citing people familiar with the matter. From a report: The U.S. internet giant is moving quickly to exploit the troubles currently besetting Apple, which has suffered disappointing sales of its new premium iPhone as consumers migrate to cheaper models and global smartphone sales tumble, industry sources say. Google's new smartphone will be its first non-premium model aimed at price-sensitive customers and those in emerging markets. It is expected to be priced lower than Apple's cheapest iPhone, the XR, which starts at $749. The latest model in Google's own Pixel range, released last October, started at $799. Midrange to highend phones are priced at between $150 and $700, while low end models sell for less than $150, industry sources said. The new phone will be the spearhead of Google's drive to expand the hardware using its operating systems. New products planned for this year include smart speakers, wearables and web cameras, sources familiar with the company's plans told the Nikkei Asian Review. Google also plans to launch a new premium phone in its Pixel range, as usual.

Read more of this story at Slashdot.

Attackers repackage popular Android VPN app with Triout malware

Triout malware was first detected in August 2018 which infected Android applications and had spyware capabilities such as recording phone calls and text messages, and more. Recently, the malware was

The post Attackers repackage popular Android VPN app with Triout malware appeared first on The Cyber Security Place.

Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image

An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.

Read more of this story at Slashdot.

MetaMask app on Google Play was a Clipboard Hijacker

Security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

The rogue MetaMask app is a Clipboard Hikacker that monitors a device’s clipboard for Bitcoin and Ethereum addresses and replaces them with addresses of wallets under the control of the attacker. Using this trick the attackers can transfers funds to their wallets.

“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.” reads the post published by ESET.

MetaMask clipboard hijacker

The Clipboard Hikacker poses itself as a mobile version of the legitimate service which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node.

However, the legitimate service currently does not offer a mobile app.

Lukas Stefanko discovered that the app was able to steal cryptocurrency using two different attack methods.

The first attack scenario sees attackers using the app to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. Once the attackers obtain this data send it to a Telegram account.

The second attack scenario sees attackers monitoring the clipboard for Ethereum and Bitcoin addresses, and when one is detected, replace it with the attackers’ address.

In June 2017, security researchers from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

In July 2017, a CryptoCurrency Clipboard Hijackers was discovered by BleepingComputer while monitoring more than 2.3 million addresses.

In March 2018, security researchers at Palo Alto Networks, spotted a strain of malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s one.

Pierluigi Paganini

(SecurityAffairs – Clipboard Hikacker, MetaMask)

The post MetaMask app on Google Play was a Clipboard Hijacker appeared first on Security Affairs.

Clipper Malware Found Masquerading as Legitimate Service on Google Play Store

Security researchers discovered a sample of clipper malware that targeted Android users by lurking in the Google Play store.

ESET first came across Android/Clipper.C masquerading as MetaMask, a service that allows users to access Ethereum-enabled distributed applications, in February 2019. This new threat is capable of stealing users’ credentials and private keys to gain access to their Ethereum funds. But Android/Clipper.C is a bit more sophisticated: It’s also a form of clipper malware in that it can replace a bitcoin or Ethereum wallet address copied from the clipboard with one under the attacker’s control.

ESET researchers discovered the malicious app on the Google Play store shortly after it became available for download on Feb. 1. They reported their findings to Google’s security team, which subsequently removed the app from the app marketplace.

Android/Clipper.C is not the only malware sample that’s impersonated MetaMask. Other programs used the MetaMask disguise to phish for sensitive data and steal access to users’ cryptocurrency funds.

The Growing Problem of Clipper Malware

Android/Clipper.C is just the latest instance of clipper malware to prey on users. In March 2018, ESET learned about one sample of this threat category targeting Monero users by masquerading as a Win32 Disk Imager application on

A few months later, Bleeping Computer discovered another cryptocurrency clipboard hijacker that was monitoring 2.3 million cryptocurrency addresses at the time of discovery. Dr.Web also uncovered an Android clipper in summer 2018, though this threat was not available for download on the Google Play store at that time.

How to Defend Against Disguised Malware Threats

Security professionals can help defend against threats like Android/Clipper.C by investing in a unified endpoint management (UEM) solution that can alert users when malware is detected and automatically uninstall infected apps. They should also leverage artificial intelligence (AI) to spot malicious behaviors and stop malware like Android/Clipper.C in its tracks.

The post Clipper Malware Found Masquerading as Legitimate Service on Google Play Store appeared first on Security Intelligence.

Adiantum will bring encryption on Android devices without cryptographic acceleration

Google announced Adiantum, a new encryption method devised to protect Android devices without cryptographic acceleration.

Google announced Adiantuma new encryption method devised to protect Android devices without cryptographic acceleration.

“Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.” reads the announcement published by Google.

Since Android version 6.0, user data are protected with Advanced Encryption Standard (AES) encryption, however, the feature is slow on mobile devices using low-end processors that haven’t hardware to support it.

The new encryption form has been created for devices running Android 9 and higher that doesn’t support AES CPU instructions.

For this reason, Google developed Adiantum that supports the ChaCha stream cipher in a length-preserving mode.
ChaCha allows improving security and performance in the absence of dedicated hardware acceleration.

Google experts pointed out that Adiantum encryption/decryption processes on ARM Cortex-A7 processors are around five times faster compared to AES-256-XTS.

Adiantum performance

“Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa.  It works by first hashing almost the entire plaintext,” continues Google.

“We also hash a value called the “tweak” which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, we hash again, so that we have the same strength in the decryption direction as the encryption direction”  

Adiantum could represent the optimal solution for a wide range of devices that haven’t dedicated hardware for encryption, such as smartwatches, smart TVs, and other IoT devices running on Android OS.

“Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance.”
wrote Eugene Liderman, Director of Mobile Security Strategy, Android Security & Privacy Team, says. 

“Everyone should have privacy and security, regardless of their phone’s price tag,”

Google published technical details about the new encryption form in the paper titled “Adiantum: length-preserving encryption for entry-level processors.”

Pierluigi Paganini

(SecurityAffairs – Android, encryption)

The post Adiantum will bring encryption on Android devices without cryptographic acceleration appeared first on Security Affairs.

Google Play Caught Hosting An App That Steals Users’ Cryptocurrency

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."

Read more of this story at Slashdot.

Clipper malware on Play Store replaces users BTC & ETH wallet address

By Waqas

This is the first ever Clipper malware found on Play Store. Another day another Android malware on Google Play Store – This time the IT security researchers at ESET have discovered a malware known for replacing the content of clipboard on the targeted device. This type of malware is called Clipper malware. The malware was targeting Android […]

This is a post from Read the original post: Clipper malware on Play Store replaces users BTC & ETH wallet address

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone

Most people will get pictures of cute animals and other funny memes sent to them throughout the day. In many

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone on Latest Hacking News.

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File

Sharing landscape pictures, cute animal photos or memes is quite common among smartphone users. That’s why images serve as one

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File on Latest Hacking News.

Adiantum: A new encryption scheme for low-end Android devices

Google has created an alternative disk and file encryption mode for low-end Android devices that don’t have enough computation power to use the Advanced Encryption Standard (AES). About Adiantum For the new encryption scheme, dubbed Adiantum, Google used existing standards, ciphers and hashing functions, but combined them in a more efficient way. Paul Crowley and Eric Biggers from the Android Security & Privacy Team noted that they have high confidence in the security of the … More

The post Adiantum: A new encryption scheme for low-end Android devices appeared first on Help Net Security.

The Moto G7 Lineup Offers Bigger Screens and Smaller Bezels On a Budget

Motorola is releasing three versions of the Moto G7 this year: the G7, the G7 Power, and the G7 Play (a fourth, more powerful G7 Plus model will also be released internationally). These new devices offer slimmer bezels, bigger displays, and larger batteries than their predecessors. The Verge reports: [T]he $299 G7 (not to be confused with LG's G7 ThinQ) is the top-of-the-line model, with a 6.2-inch Gorilla Glass display that features a 2270 x 1080 resolution and a more subtle teardrop notch. The G7 also has more RAM (4GB), and more internal storage (64GB) than its siblings, along with a dual-camera setup on the back that offers a 12-megapixel main lens along with a 5-megapixel depth sensor for a better portrait mode experience (the other G7 phones will have a software-based portrait mode instead). The G7 also supports Motorola's 15W TurboPower charging spec, which promises nine hours of battery life from a 15-minute charge. The next phone in the lineup, the $249 G7 Power, may not offer the same level of premium upgrades as the G7, but it does offer an intriguing feature that its pricier counterpart doesn't: a massive 5,000mAh battery that Motorola promises should last for up to three days, besting the 3,000mAh battery in the G7 by a considerable amount (it also supports Motorola's TurboPower charging). The G7 Power also features a 6.2-inch display, but at a lower 1520 x 720 resolution and with a larger notch, and only a single 12-megapixel camera on the back. It also drops down to 3GB of RAM and a base storage of 32GB, and is a bit bulkier than the main G7 -- but if sheer battery life is your goal, it seems like the G7 Power will be tough to beat. Lastly, there's the $199 G7 Play, the smallest and cheapest model in the 2019 Moto G lineup. There are more cuts here: a smaller 5.7-inch 1512 x 720 display with an even larger notch than the G7 Power, a cheaper plastic case, and just 2GB of RAM. All three devices will feature Qualcomm's mid-tier Snapdragon 632 processor, Android 9.0 Pie, 8-megapixel front-facing cameras, charge via USB-C, and offer rear-mounted fingerprint sensors. Lastly, the 3.5mm headphone jack is still included on all three models. Motorola is promising a release date sometime in the spring for both the U.S. and Canada.

Read more of this story at Slashdot.

Jack’d Dating App Allowing Strangers to See Intimate Photos

Dating sites can sometimes contain photos that the users don’t want everyone to see. However, dating and hook-up app Jack’d

Jack’d Dating App Allowing Strangers to See Intimate Photos on Latest Hacking News.

10 Best Android Launchers In 2019

Android is the most popular smartphone OS of all times. Infact, more than 85% of smartphone users prefer using Android over iOS.

One of the primary reasons why people prefer using Android over much more stable and reliable iOS is the ability to customize their smartphones as per their preference.

Well if you have been scouting for some of the best Android launchers to customize your smartphone, then this article might help you. So these are some of the best Android launchers that are worth checking out.

ALSO READ: 10 Of The Best Free Android Apps You Should Check Out for 2019

Best Android Launchers

1. Nova Launcher

The first and possibly the most customizable Android launcher on the list is Nova Launcher. You can easily customize every aspect of this launcher and make your custom Nova Launcher setup.

This popular launcher for Android supports thousands of icon packs, widgets, and themes. Nova Launcher is relatively lightweight and consumes fewer resources for its proper functioning. Lastly, you can easily backup and even share your custom Nova Launcher setup with others.

Download Nova Launcher

2. Lens Launcher

The next unique launcher on the list is Lens Launcher. As the name of this Android launcher suggests, it replicates a graphical fisheye lens. Apps on Lens Launcher are placed in an equispaced grid.

Using the graphical fisheye lens you can quickly zoom, pan and launch apps with touch gestures. Furthermore, the launcher allows users to tweak things like lens distortion, scaling of the lens, icon size, haptic feedback, and much more. Lens Launcher will provide a unique look to your phone.

Download Lens Launcher

3. Microsoft Launcher

Microsoft Launcher is another impressive launcher for Android smartphones. Similar to Nova Launcher, you can customize the wallpaper, theme, accent colors, icon packs, and gestures on Microsoft Launcher.

Nifty features like the ability to pin contacts on your home screen and personalized feed for news, calendar events, and documents help the Microsoft Launcher to stand out from the crowd. Lastly, the continue on PC feature allows users to continue editing an Office 365 document on PC.

Download Microsoft Launcher

4. Blackberry Launcher

The name says it all; Blackberry Launcher allows users to replicate the UI found on Blackberry smartphones. This underrated launcher for Android smartphones has a clean and straightforward UI.

Using the Blackberry Launcher, you can create custom shortcuts for Speed Dial, Google Maps Directions, Drive Scan and place them on different home screens. Furthermore, the launcher allows users to hide individual apps. Lastly, its worth noting that after the compilation of 30 days trail ads will start showing up on the launcher.

Download Blackberry Launcher

5. POCO Launcher

The next feature-rich launcher on the list is POCO Launcher. Using the launcher, you can easily replicate the software experience of POCO F1. This launcher offers a clean and distortion free UI.

POCO Launcher automatically groups apps based on their category. Additionally, using the third party icon packs, you can easily customize the appearance of POCO Launcher. Similar to Nova launcher, POCO launcher is super lightweight and consumes decidedly fewer resources.

Download POCO Launcher

6. Hi-Tech Launcher

If you want to provide your smartphone with a unique and sci-fi based look, then Hi-Tech Launcher might help you. Widgets like clock, weather information, memory analyzer, music player and battery information are displayed on the home screen of this launcher.

The complex UI of this launcher can help your smartphone to stand out from the crowd. Hi-Tech Launcher is very lightweight. Consequently, you can expect smoother and faster animations. As for customization, you can tweak the accent color of this launcher, enable or disable animations, and replace icon app with another app.

Download Hi-Tech Launcher

7. LessPhone Launcher

If you want to reduce your smartphone addiction than LessPhone Launcher might help you. This minimal launcher eliminates the clutter from your smartphone and allows users to access only three applications in addition to the dialer. LessPhone Launcher can also help you during social-media detox challenge.

The launcher also comes with a built-in task manager that helps manage your day. Initially, you might find it difficult to live with only three apps, but sooner or later you will adapt to it. Lastly, you can upgrade to the dark mode by making a small in-app purchase.

Download LessPhone Launcher

8. ADW Launcher 2

The next fast, fluid & and very customizable launcher for Android smartphones on the list is ADW Launcher 2. Similar to Nova Launcher, ADW Launcher 2 offers the ability to customize every aspect of this launcher. ADW Launcher 2 replicates the stock Android UI.

The launcher allows users to back up their setup and even share it with other users. Moreover, the transitions, animations, and fast scroll app drawer style make the ADW Launcher 2 feel much more responsive and faster.

Download ADW Launcher 2

9. Rootless Launcher

If you want to replicate the UI found on Google’s flagship Pixel smartphones, then Rootless Launcher might help you. Rootless Launcher offers a clean and stock Android-based UI. The launcher also changes different aspects of the home screen based on the wallpaper applied by the user.

As for downsides, Rootless Launcher is not as customizable as other launchers mentioned on the list. That said, you can still use this launcher for replicating the stock Android UI.

Download Rootless Launcher

10. Niagara Launcher

The last best Android launcher on the list is Niagara Launcher. This feature-rich launcher offers a clean and minimal UI. Niagara Launcher only displays things that matter to you the most. The launcher also helps users to use their smartphone with one hand.

Furthermore, Niagara Launcher also displays all of your incoming messages right on your home screen. Lastly, Niagara Launcher also allows users to hide Preinstalled apps. Overall, Niagara Launcher is a minimal launcher that can help reduce bloatware from your smartphone.

Download Niagara Launcher


So these were some of the best Android launchers that are worth checking out. Using these launchers, you can provide a unique look to your Android smartphone. Do share any of your personal recommendations for the best Android launchers in the comments section below.

The post 10 Best Android Launchers In 2019 appeared first on TechWorm.

Hackers can hack an Android smartphone just by looking at a PNG image

Vulnerability in PNG file can allow hackers to hack Android smartphones

Beware, while opening a harmless-looking image downloaded from the internet, emails, social media apps, or messaging apps, as it could compromise your smartphone.

Google has discovered three new critical vulnerabilities that allow hackers to hack an Android smartphone just by looking at a PNG image. This bug has affected millions of devices that run on Android OS versions, ranging from Nougat 7.0 to its current Android 9.0 Pie.

The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, were, however, patched in Android Open Source Project (ASOP) by Google as part of their Android Security Updates for February 2019.

According to Google’s Android Security Bulletin, the vulnerability that allows “a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” is the most severe vulnerability.

This means that if a hacker successfully manages to deceive a user to open or download an image from any webpage, or received through an instant messaging service, or as an attachment in an email, he or she can get access to your smartphone.

Besides the three flaws, Google also included fixes for 42 vulnerabilities in the Android OS in total in its 2019 February update, of which 11 are considered as critical, 30 high impact and one medium-gravity.

Google has said that it has no reports of anyone exploiting the vulnerabilities listed in its February security bulletin against real users or in the wild. The search giant also said that it has alerted its Android partners of all vulnerabilities a month before publication, adding that “source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours.”

Unfortunately, it is unknown when third-party handset manufacturers will roll out the security updates on their phones, as many of them take weeks, if not months, to do roll them out. This means your Android handset is still not protected even after receiving the 2019 February update. It is suggested that one should patch their Android smartphone as soon as a security update available from the handset manufacturer.

The post Hackers can hack an Android smartphone just by looking at a PNG image appeared first on TechWorm.

The problem with vulnerable IoT companion apps

There’s no shortage of exploitable security holes in widely used Internet of Things devices, so it shouldn’t come as a surprise that the communication between many of those devices and their companion apps is not encrypted. The research A group of researchers from Brazil’s Federal University of Pernambuco and the University of Michigan have analyzed 32 unique companion Android apps for 96 WiFi and Bluetooth-enabled devices popular on Amazon. They searched for answers to the … More

The post The problem with vulnerable IoT companion apps appeared first on Help Net Security.

Android devices could be hacked by viewing a malicious PNG Image

Google patched a critical flaw in its Android OS that allows an attacker to send a specially crafted PNG image file to hack a target device,

Opening an image file on your smartphone could allow attackers to hack into your Android device due to three critical vulnerabilities,
CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988.

The flaws affect millions of Android devices running versions of the Google OS, ranging from Android 7.0 Nougat to the latest Android 9.0 Pie.

Google addressed the three vulnerabilities in the Android Open Source Project (AOSP) as part of the February Android Security Updates.

Android PNG image hack

Even if Google has addressed the flaws, each vendor will have to distribute the patch for its models and this process usually doesn’t occur on a regular basis.

Researchers at Google did not provide technical details for the flaws, the tech giant only reported that the security updates addressed a “heap buffer overflow flaw,” “errors in SkPngCodec,” and vulnerabilities in some components that render PNG images.

According to the security advisory published by Google, the most severe of the three vulnerabilities could allow a maliciously crafted .PNG image file to execute arbitrary code on the vulnerable Android devices.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.” reads the security bulletin.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Experts pointed out that an attacker could exploit the flaw by tricking potential victims into opening a maliciously crafted PNG image file on their Android.

The malicious image could be sent through a mobile message service or an email app.

Google addressed three critical flaws in The Framework component, the overall number of critical issues is 11. The tech giant addressed a total of 42 flaws, 30 of which were rated high severity.

Google fixed 4 flaws in Android components manufactured by NVIDIA and five by the chip maker Qualcomm.

The good news is that Google is not aware of active exploitation of the flaws addressed by the company in the wild.

Google reported the flaws to its partners in January.

“Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP. ” concludes Google.

Pierluigi Paganini

(SecurityAffairs – Android, PNG)

The post Android devices could be hacked by viewing a malicious PNG Image appeared first on Security Affairs.

Smashing Security #114: Darknet Diaries, death, and beauty apps

Smashing Security #114: Darknet Diaries, death, and beauty apps

Jack Rhysider from the “Darknet Diaries” podcast joins us to chat about his interview with the elusive Hacker Giraffe, how a death is preventing cryptocurrency investors from reaching their money, and how ‘beauty camera’ apps are redirecting users to phishing websites and stealing their selfies.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault.

Numerous Beauty Camera Apps Were Found to be Loaded With Malware

Most smartphone users, particularly those selfie-freaks, love to download various photo-filtering and beauty camera apps. From adding special effects and

Numerous Beauty Camera Apps Were Found to be Loaded With Malware on Latest Hacking News.

Ask Slashdot: Are Custom Android ROMS Still a Thing?

Thelasko writes: Reading Kashmir Hill's series Goodby Big Five on Gizmodo made me consider switching to a custom Android ROM like LineageOS again. The Gizmodo articles make it seem that most phones are so locked down it is almost impossible to do. My last experience with custom ROMs confirmed that to be true for me. Is anyone having success? Why is LineageOS making builds for 185 devices if no one can use them?

Read more of this story at Slashdot.

Experts found popular beauty apps in the Play Store including malicious code

Researchers at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were able to perform several malicious activities.

Crooks continue to abuse Google Play store to distribute malicious apps, this time experts at Trend Micro discovered at least 29 malicious
photo editing and beauty apps that were stealing users’ photos.

The malicious apps in the Google Play Store have been downloaded more than 4 million times before they were removed.

malicious camera beauty apps

The photo editing and beauty apps were including a code that could perform a broad range of malicious activities.

Experts estimated that 3 of the tainted applications (Pro Camera Beauty, Cartoon Art Photo, Emoji Camera) have been downloaded more than a million times. The Artistic Effect Filter was downloaded over 500,000 times and other seven rogue apps were installed over 100,000 times.

“We discovered several beauty camera apps (detected as AndroidOS_BadCamera.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes.” reads the analysis published by Trend Micro.

“Some of these have already been downloaded millions of times, which is unsurprising given the popularity of these kinds of apps.”

When an Android user will download one of the malicious apps he will not immediately sees any suspicious behavior.

Once installed, some of these apps would redirect users to phishing websites others would push full-screen advertisements on the infected device for fraudulent or pornographic content every time the victims will unlock the device.

Some of the beauty apps were including a malicious code that uploads user’s photos to a remote server controlled by the author.

However, instead of displaying an edited photo, the apps display a picture with a fake update prompt in nine different languages.

“However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages.” continues the analysis.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.”

Some of the beauty apps use packers to prevent them from being analyzed by security firms, they also hide the app icon from the list of installed applications to make it more difficult for users to uninstall them.

TrendMicro reported the list of malicious apps to Google that quickly removed them from the Play Store.

Experts recommend downloading mobile apps only from the official store and that were developed by known and trusted authors. Users can also check reviews for the apps and never install applications for which were reported anomalous behaviors.

Additional info, including Indicators of Compromise (IoCs) are reported in the post published by Trend Micro.

Pierluigi Paganini

(Security Affairs – beauty apps, malware)

The post Experts found popular beauty apps in the Play Store including malicious code appeared first on Security Affairs.

Several Popular Beauty Camera Apps Caught Stealing Users’ Photos

Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been

Blog | Avast EN: Fake Android Apps and Phony YouTube Stars | Avast

Fake Android photo apps booted off Google Play

Cybersecurity researchers identified dozens of fake apps on the Google Play Store intended solely for malicious purposes. The apps posed as Android photo enhancers, some claiming to beautify photos as they’re taken, others claiming to provide fun filters for existing pictures. But no matter what the app claimed to be, it didn’t work as promised. The “beautifying” apps triggered a cavalcade of malware-laced ads and phishing attempts, while the “photo filter” apps uploaded user snapshots to the malware’s C&C (Command and Control Server). A trait among each of the dirty apps was the ability to disappear from the application list once installed so the user would have difficulty trying to delete it. Once alerted about the apps, Google immediately removed them from the Play Store.

Blog | Avast EN

Selfie stealing malware found in popular Android beauty camera apps

By Waqas

We all want to look perfect in the pictures that we post online and beauty camera apps are our best bet in order to fine-tune our pictures. However, according to the findings of Trend Micro researchers, these kinds of applications are performing more functions than what we think they are. Reportedly, some of the Android […]

This is a post from Read the original post: Selfie stealing malware found in popular Android beauty camera apps

Facebook Pays Teens to Download a VPN App That Spies on Them

In an attempt to gather data on its competitors, Facebook has been secretly paying people to install a VPN to

Facebook Pays Teens to Download a VPN App That Spies on Them on Latest Hacking News.

Google Cleans Up Gmail App With An All-White Redesign

While Gmail on the web was significantly redesigned last year, the app for Android and iOS stayed relatively unchanged, with the exception of an update last year that removed the bold colors in favor of an almost entirely white look. Engadget reports that a redesigned Gmail for mobile is starting to roll out today and it will be available to all Android and iOS users in the coming weeks. Engadget reports: Functionally, the new Gmail mobile app isn't wildly different than what came before. There's a button in the lower-right corner to compose a new email, just like before -- it's just white with a multi-colored "plus" sign, the same glyph that shows up in Gmail and Drive on the web. The iconic top red bar is now white, and the whole top area is a search bar; the old app required tapping a smaller target to get into search. Finally, there's a shortcut right to the account switcher on the main page. Previously, switching accounts required opening the sidebar, but now that option is front and center. A few features that came to the web version of Gmail make their way to mobile today. Probably most recognizable is that attachment previews will show up below the messages, making it easier to both find messages with attachments and get a sense of the content. For those that prefer to see more messages, Google also has "comfortable" and "compact" density options that remove attachment previews and avatars, respectively. The large red phishing warnings that Gmail on the web shows also now show up in the app. Visually, it looks just like you'd expect if you've tried any of Google's recent mobile apps -- it's basically all white, with the new Google font throughout.

Read more of this story at Slashdot.

South Korea Rules Pre-Installed Phone Bloatware Must Be Deletable

New industry guidelines in South Korea will allow smartphone users the option of deleting unnecessary pre-installed bloatware. "The move aims to rectify an abnormal practice that causes inconvenience to smartphone users and causes unfair competition among industry players," said the Ministry of Science, ICT and Future Planning, in a press release. ZDNet reports: The measure will also help give users more data storage and improve battery life, said the ministry. Under the new guidelines, telcos are required to make most of their pre-installed apps deletable except for four necessary items related to Wi-Fi connectivity, near-field communication (NFC), the customer service center and the app store.

Read more of this story at Slashdot.

Popular free Android VPN apps on Play Store contain malware

By Waqas

If you want to ensure optimal privacy while surfing the web, a VPN (virtual private network) is the only reliable option. In this regard, a majority of web and smartphone users rely upon free VPN services, which according to the latest research is a risky step. In 2017, researchers identified that 38% of Android VPN apps on […]

This is a post from Read the original post: Popular free Android VPN apps on Play Store contain malware

Browser push notifications: a feature asking to be abused

“I’m seeing a lot of ads popping up in the corner of my screen, and the Malwarebytes scan does not show there is anything wrong. It says my computer is clean. So what’s happening?”

Our support team runs into questions like this regularly, but the volume seems to be increasing lately. In most of these cases, it helps to look at the “Notification permissions” of the browser displaying this annoying behavior. A good cleansing in that department might be just what you need to get rid of those “pop-ups.”

The problem is that the messages users are seeing are not pop-ups at all, but in fact “push notifications,” often referred to as simply “notifications.” We understand that naming them differently doesn’t make them any less annoying. But it does change our classification of such messages.

not so harmless

Some notifications are not simple advertisements, but rather misleading messages about the safety of your computer.

What are these notifications?

From the Mozilla Developer pages:

The Notifications API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background. This article looks at the basics of using this API in your own apps.

What we can learn from this is that the notifications can originate from a website or from an app. We are going to focus on the case where a website is causing the problem. Any app showing you commercial messages outside of a browser window would get detected as adware by Malwarebytes, so these would not escape a scan.

However, website notifications can be displayed outside the browser window. Wait, what’s the difference between notifications and pop-ups again? A pop-up is a new browser window or tab, whereas notifications are more like tooltips. They are messages that are independent from any open websites.

Notifications show the domain from which they originate, so that could clue you in on the answer to another important question, which is:

How did I get them?

To receive browser notifications, a user must have first allowed them. In Firefox, the dialog to allow them looks like this:

Firefox allow prompt

While that seems pretty straightforward, there are trickier sites that use a bit of social engineering to get you to allow their notifications.

social engineering

The website visitors are led to believe that they have to click “Allow“ to see the video. In fact, if they click the “Allow” button, they will be redirected to another website, sometimes asking yet again to allow notifications, but meanwhile their clicking has allowed this site to show them notifications. And, mind you, the site does not have to be open in the browser for the notifications to pop up. As you can see, the fact that you are allowing notifications is a bit less clear in the Chrome prompt than it is in Firefox.

How do I disable them?

There are some options for disabling notifications. You can disable them altogether or you can disable notifications for specific domains, by removing them from your “Allow” list. You can even add them to your “Blocked” list.

example notifications

For every browser, the notifications look slightly different and the methods to disable them are slightly different as well. To make them easier to find, I have split them up by browser.


To completely turn off notifications, even from an extension:

  • Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
  • Scroll down in the Settings menu and click on Advanced.
  • Under Privacy and Security, select Content settings.
  • In this menu, select Notifications.
  • By default, the slider is set to Ask before sending (recommended), but feel free to move it to Block if you wish to block notifications completely.

Notifications settings Chrome

For more granular control, you can use this menu to manipulate the individual items. Note that the items with a jigsaw puzzle piece are enforced by an extension, so you would have to figure out which extension first and then remove it. But for the ones with the three dots behind them, you can click on the dots to open this context menu:

notifications options

Selecting Block will move the item to the block list. Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site (unless you have set the slider to Block).

Shortcut: another way to get into the Notifications menu shown earlier is to click on the gear icon in the notifications themselves.

notification settings icon

This will take you directly to the itemized list.


To completely turn of notifications in Firefox:

  • Click the three horizontal bars in the upper right-hand corner of the menu bar and select Options in the settings menu.
  • On the left-hand side, select Privacy & Security.
  • Scroll down to the Permissions section and click on the Settings button behind Notifications.

Firefox notifications permissions

  • In the resulting menu, put a checkmark in the Block new requests asking to allow notifications box at the bottom.

Firefox granular notifications control

In the same menu, you can apply a more granular control by setting listed items to Block or Allow by using the drop-down menu behind each item.


Where push notifications are concerned, you can see how closely related Opera and Chrome are.

  • Open the menu by clicking the O in the upper left-hand corner.
  • Click on Settings (on Windows)/Preferences (on Mac).
  • Click on Advanced and select Privacy & security.
  • Under Content settings (desktop)/Site settings (Android,) select Notifications.

Setting Opera on Android

On Android, you can remove all the items at once or one by one. On desktops, it works exactly the same as it does in Chrome. The same is true for accessing the menu from the notifications themselves. Click the gear icon in the notification, and you will be taken to the Notifications menu.


To disable web notifications in Windows:

  • Click the Start button in Windows (Windows icon).
  • Select Settings (gear icon).
  • Select System.
  • Select Notifications & actions.
  • Scroll down and select Microsoft Edge in the list of senders.
  • Here, you set the switch for Notifications to Off or change the notification properties.

You can also manage the notifications on a site-by-site basis in Edge:

  • Click the three dots button in the top-right corner and select Settings.
  • Scroll down and click on View advanced settings.
  • Under Notifications, click on Manage.
  • Here, you can switch notifications off for a specific website.


Launch Safari and go to Safari > Preferences, or press Command-Comma. Click on the Notifications tab. From there, you can manually disable/enable notifications from select sites, remove all notifications, or access your system-wide Notification Preferences.

Are these notifications useful at all?

While we could conceive of some cases where push notifications might be found useful, we would certainly not hold it against you if you decided to disable them altogether.

Web push notifications are not just there to disturb Windows users. Android, Chromebook, MacOS, even Linux users may see them if they use one of the participating browsers: Chrome, Firefox, Opera, Edge, and Safari. In some cases, the browser does not even have to be opened, and it can still display push notifications.

Be careful out there and think twice before you click “Allow.”

The post Browser push notifications: a feature asking to be abused appeared first on Malwarebytes Labs.

Android Q Will Include More Ways For Carriers To SIM Lock Your Phone

An anonymous reader quotes a report from 9to5Google: Over the weekend, four commits were posted to various parts of Android's Gerrit source code management, all entitled "Carrier restriction enhancements for Android Q." In them, we see that network carriers will have more fine-grained control over which networks devices will and will not work on. More specifically, it will be possible to designate a list of "allowed" and "excluded" carriers, essentially a whitelist and a blacklist of what will and won't work on a particular phone. This can be done with a fine-grained detail to even allow blocking virtual carrier networks that run on the same towers as your main carrier. Restriction changes are also on the way for dual-SIM devices. At the moment, carriers can set individual restrictions for each SIM slot, but with Android Q, carriers will be able to lock out the second slot unless there's an approved SIM card in the first slot. This SIM lock restriction is applied immediately and will persist through restarting the phone, and even doing a factory reset. Thankfully, in both cases, emergency phone calls will still work as expected, regardless of any restrictions on the particular SIM cards in your phone.

Read more of this story at Slashdot.

ES File Explorer Vulnerability Exposed Files Saved On a Victim Android Phone

Researchers have spotted a vulnerability in the popular file manager among Android users, ES File Explorer. The vulnerability could allow

ES File Explorer Vulnerability Exposed Files Saved On a Victim Android Phone on Latest Hacking News.

Android Q first beta build shows system-wide dark theme, privacy controls, and more

Android Q may bring system-wide dark theme, improved privacy, and desktop mode

Google had launched its latest operating system, Android Pie or ‘P’ in August last year. Five months after the release, Google has already started testing its upcoming mobile operating system, Android ‘Q’, according to a new leak spotted by XDAdevelopers.

The first build of Android Q that was created in January 2019 was spotted in February 2019’s security patch that Google recently rolled out for Android Pie. The earliest build of Google’s upcoming OS version gives us a glimpse of what is in store.

According to the in-depth analysis video uploaded by XDA-developers, the upcoming Android Q includes a number of new features such as system-wide dark mode, new privacy controls, new permissions UI, desktop mode, new developer tools and much more.

The most notable change in Android Q is the system-wide Dark Theme. It is believed that Android Q will introduce the “override force-dark” feature. It means that even if third-party apps do not feature built-in themes, this feature can make them switch from white backgrounds to dark gray.

Also, Google is looking to further strengthen its user privacy by adding a new “allow only while the app is in use” permission. This will enable users to see each apps’ permissions individually and also see in the notifications which apps have access to your location. This feature will offer more flexibility to those apps that don’t work if permission is disabled entirely.

Besides the above, Google is working on its own desktop/external display mode, a feature similar to Samsung’s DeX hints XDA Developers. This will make it possible to connect a phone to a monitor and use it as a desktop computer.

Android Q also includes a developer setting for built-in screen recording; however, this feature is not yet functional in this early build of the OS. Additionally, users will be able to use slide notifications right to dismiss them or slide them left for options to access icons for snoozing.

Some other features discovered in the early Android Q build include an off switch for all sensors, improvements to Files app, revamped Screen Lock settings, Game Update Package Preferences setting and more.

Since this is an early build version of Android Q, it is likely to undergo changes before the Developer Preview.

You can watch XDA’s detailed video comparison of Pie and Q running on the Google Pixel 3 XL in the video below.

The post Android Q first beta build shows system-wide dark theme, privacy controls, and more appeared first on TechWorm.

A Look at the Amount of Time Smartphone Vendors Have Taken To Roll out Major Android Updates To Their Handsets, and How Things Are Beginning To Improve

Most Android smartphone vendors have been notorious for the time they take to roll out the newest Android OS updates to their respective handsets. To tackle this, Google in 2017 announced Project Treble, which bypasses some middlemen in delivering new updates to consumers. With Project Treble now supported by all Android phone makers, in theory updates should roll out to us faster than before. To test this, news blog AndroidAuthority looked at the data to see where things stand. From the report: On average, Nougat updates took about 192 days to reach key devices, while Oreo was slightly faster at 170. Android Pie updates hit devices much faster, averaging just 118 days from Google's launch to significant OEM rollout. That's a significant improvement, though we're still waiting on updates from LG and HTC, which could drag this average back up. Most manufacturers are faster at providing updates now, but a few are slower. Huawei, Samsung, and Xiaomi were noticeably quicker this time around, bringing updates to key devices before the end of 2018. OnePlus and Sony were especially fast, but they've always been speedier than most. Disappointingly, Motorola has rolled out updates to its flagship Z series slower over the last few years.

Read more of this story at Slashdot.

Malicious apps deploy Anubis banking trojan using motion detection

By Waqas

Google has left no stone unturned in preventing malware and banking trojan from invading the applications uploaded on its official Play Store. Despite having anti-malware protection, shady applications somehow make it to the platform. In fact, malware developers have become so advanced in their skills and tactics that they are now using motion detection technology […]

This is a post from Read the original post: Malicious apps deploy Anubis banking trojan using motion detection

Security Affairs: ES File Explorer vulnerabilities potentially impact 100 Million Users

Security expert Robert Baptiste (akaElliot Alderson) discovered a vulnerability (CVE-2019-6447) in the ES File Explorer that potentially expose hundreds of million Android installs.

The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.

Baptiste discovered that the application uses a local HTTP server that listen on the open port 59777.

The expert noticed that even is the app is closed the server will still run until the user will kill all the background services of ES File Explorer

An attacker can connect the server and retrieve many device info, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can get a file from the victim’s device and launch an app on the phone.

“The ES File Explorer File Manager application through for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.

“This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

The attack works even if the victim will not actually grant the app any permissions on the Android device.

Baptiste published by PoC code on GitHub that could be used by an attacker that share the same Wi-Fi network to use to list and download files from the victim’s device and SD card, and launch apps and view device information.

With the following Proof Of Concept (POC), you can:

  • List all the files in the sdcard in the victim device
  • List all the pictures in the victim device
  • List all the videos in the victim device
  • List all the audio files in the victim device
  • List all the apps installed in the victim device
  • List all the system apps installed in the victim device
  • List all the phone apps installed in the victim device
  • List all the apk files stored in the sdcard of the victim device
  • List all the apps installed in the victim device
  • Get device info of the victim device
  • Pull a file from the victim device
  • Launch an app of your choice
  • Get the icon of an app of your choice

As reported by Bleeping Computer, a few hours after Baptiste disclosure the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.

A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack that will allow it to intercept the app’s HTTP network traffic and exchange it with his own.

ES File Explorer versions up to are affected by this MitM flaw.

At the time the ES File Explorer’s development team announced the fix for “the http vulnerability issue,” but there are other bugs to fix.

Pierluigi Paganini

(SecurityAffairs – Liberia, DDoS)

The post ES File Explorer vulnerabilities potentially impact 100 Million Users appeared first on Security Affairs.

Security Affairs

ES File Explorer vulnerabilities potentially impact 100 Million Users

Security expert Robert Baptiste (akaElliot Alderson) discovered a vulnerability (CVE-2019-6447) in the ES File Explorer that potentially expose hundreds of million Android installs.

The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.

Baptiste discovered that the application uses a local HTTP server that listen on the open port 59777.

The expert noticed that even is the app is closed the server will still run until the user will kill all the background services of ES File Explorer

An attacker can connect the server and retrieve many device info, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can get a file from the victim’s device and launch an app on the phone.

“The ES File Explorer File Manager application through for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.

“This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

The attack works even if the victim will not actually grant the app any permissions on the Android device.

Baptiste published by PoC code on GitHub that could be used by an attacker that share the same Wi-Fi network to use to list and download files from the victim’s device and SD card, and launch apps and view device information.

With the following Proof Of Concept (POC), you can:

  • List all the files in the sdcard in the victim device
  • List all the pictures in the victim device
  • List all the videos in the victim device
  • List all the audio files in the victim device
  • List all the apps installed in the victim device
  • List all the system apps installed in the victim device
  • List all the phone apps installed in the victim device
  • List all the apk files stored in the sdcard of the victim device
  • List all the apps installed in the victim device
  • Get device info of the victim device
  • Pull a file from the victim device
  • Launch an app of your choice
  • Get the icon of an app of your choice

As reported by Bleeping Computer, a few hours after Baptiste disclosure the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.

A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack that will allow it to intercept the app’s HTTP network traffic and exchange it with his own.

ES File Explorer versions up to are affected by this MitM flaw.

At the time the ES File Explorer’s development team announced the fix for “the http vulnerability issue,” but there are other bugs to fix.

Pierluigi Paganini

(SecurityAffairs – Liberia, DDoS)

The post ES File Explorer vulnerabilities potentially impact 100 Million Users appeared first on Security Affairs.

Twitter bug exposed private tweets of Android users to public for years

By Carolina

A security bug in Twitter exposed private tweets of users to the public. The flaw only affected Android users of the Twitter app while iPhone users were not affected. According to Twitter, private tweets of users from November 3, 2014, to January 14, 2019, were exposed. Although the company did not say how many people were affected […]

This is a post from Read the original post: Twitter bug exposed private tweets of Android users to public for years

Twitter Android App Bug Revealed Private Tweets Spanning Five Years

Social media giant Twitter has just announced a bug fix that has been affecting users of its Android App. However,

Twitter Android App Bug Revealed Private Tweets Spanning Five Years on Latest Hacking News.

New Android Malware Apps Use Motion Sensor to Evade Detection

Even after so many efforts by Google for preventing its Play Store from malware, shady apps somehow managed to fool its anti-malware protections and get into its service to infect Android users with malware. Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have

Twitter fixed a bug in its Android App that exposed Protected Tweets

A bug in the Twitter app for Android may have had exposed tweets, the social media platform revealed on Thursday.

The bug in the Android Twitter app affects the “Protect my Tweets” option from the account’s “Privacy and safety” settings that allows viewing user’s posts only to approved followers.

People who used the Twitter app for Android may have had the protected tweets setting disabled after they made some changes to account settings, for example after a change to the email address associated with the profile.

“We’ve become aware of an issue in Twitter for Android that disabled the “Protect your Tweets” setting if certain account changes were made.” reads the security advisory published by the company.

“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”

The vulnerability was introduced on November 3, 2014, and was fixed on January 14, 2019, users using the iOS app or the web version were not impacted. 

Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.

“We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your ‘Protect your Tweets’ setting reflects your preferences,” continues the advisory.

Recently Twitter addressed a similar bug, in December the researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party.

In September 2018, the company announced that an issue in Twitter Account Activity API had exposed some users’ direct messages (DMs) and protected tweets to wrong developers.

Twitter is considered one of the most powerful social media platforms, it was used in multiple cases by nation-state actors as a vector for disinformation and propaganda.

In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.

Pierluigi Paganini

(SecurityAffairs – Twitter app, Android)

The post Twitter fixed a bug in its Android App that exposed Protected Tweets appeared first on Security Affairs.

Where Can IT Get Expert Guidance for Managing Android in the Enterprise?

Over the past decade, Android has taken the enterprise by storm. In each new operating system (OS) version update, its capabilities continue to become more business-friendly as the strength and depth of its mobile security functionality improves. With these changes considered, it’s clear Google is committed to delivering an OS that transcends the consumer world into the enterprise. For this reason, it’s no surprise that one of the world’s most popular platforms appears on IT’s shortlist for new device investments and bring-your-own-device (BYOD) programs.

Despite its extensive improvements over time, one of the biggest questions that remains for IT decision-makers is, “How can I be certain I am managing and securing Android with the best tools and technical resources available to me?”

Register for the webinar

The Android Enterprise Recommended Program

With its introduction of the Android Enterprise Recommended program earlier this year, Google has improved this decision-making process for IT leaders, making it possible to zero in on the vendors that meet specifications across a broad range of stringent criteria. The limited number of vendors that achieve this validation have not only taken appropriate steps to support the full gamut of Android’s specifications — they have also gone the extra mile to partake in Google-led trainings that enable them to deliver an exceptional experience for partners and customers.

Android Enterprise Recommended

Up until this point, the Android Enterprise Recommended program has been available to help IT teams select smartphones, tablets and ruggedized devices that are well-suited for the enterprise setting. However, customers and partners have had to conduct independent research and assessments to determine which enterprise mobility management (EMM) solutions should be used to manage Android devices in the enterprise.

These evaluations cannot be taken lightly; enterprise use cases for Android have grown in number, and organizations need to ensure that their EMM of choice has what it takes to support them. Furthermore, security threats have evolved and become more complex, and endpoints and their users remain their biggest targets. The less careful organizations are about who they partner with in supporting their environment, the consequences become more severe.

These reasons considered, at minimum EMMs should be able to prove their ongoing commitment to delivering same-day support for the latest OS updates. As Android continues to roll out new functionality for Android in the enterprise — most recently zero-touch enrollment, managed Google Play, Verify Apps and SafetyNet APIs — the onus is also on EMMs to keep up.

A Program Expansion for Enterprise Mobility Management Vendors

To stay ahead of the evolving threat landscape and more effectively manage Android devices, IT decision-makers need to fast-track the EMM selection process. That’s why Google expanded its Android Recommended Program to help security leaders gain confidence in their EMM selection, streamline deployment and deliver up-to-date support for the latest updates.

IBM MaaS360 with Watson is a validated solution in the Android Enterprise Recommended program for EMMs, placing it among the select few EMMs that meet these new comprehensive program requirements.

Recognizing the value of the overall Android Enterprise Recommended program, MaaS360 delivers support for all Android Enterprise Recommended OEM devices, including both categories of knowledge worker and rugged use cases.

To learn more, register for our Jan. 31 webinar, “IBM Joins Google in Announcing Android Enterprise Recommended Program for EMMs” or watch it on-demand thereafter.

Register for the  webinar

Google and Android are trademarks of Google LLC.

The post Where Can IT Get Expert Guidance for Managing Android in the Enterprise? appeared first on Security Intelligence.

10 Best Twitter Clients For Android And Windows

Twitter is one of the most popular social media and news sharing platform that is used by millions of users across the globe. That said, one of the major flaws with both the Twitter web page and smartphone application is that the tweets are not available in chronological order.

Well, if you have been scouting for some of the best Twitter clients for Windows and Android smartphones then this article might help you. So these are the best twitter app for Android and windows.

ALSO READ: Microsoft Windows zero-day vulnerability exposed through Twitter

Best Twitter App For Android

1. Fenix 2

The first best twitter app for Android on the list is Fenix 2. This popular Twitter client offers many nifty features like support for multiple accounts, highly customizable UI, well-developed conversations layout, and a lot more.

Fenix 2 supports external websites like YouTube, Instagram, Vine, and Flickr. Fenix 2 is fairly inexpensive and it will definitely improvise your Twitter experience.

Download Fenix 2

2. Plume

Plume for Twitter is the next best twitter client for Android. Similar to Fenix 2, this feature-rich Twitter client supports multiple accounts, offers the ability to customize the timeline, and you can even live stream using Plume.

Plume allows users to share their photos with Twitter, Twitpic, YFrog, Mobypicture, and If you want to eliminate advertisements from the app you can upgrade to the pro version of Plume.

Download Plume

3. Talon

Talon is another highly customizable Twitter client for Android. If you prefer materialized theme then Talon will definitely impress you. Talon allows add or remove elements like activity, notifications, and direct messages based on their preference.

The app also comes with useful night mode and do not disturb mode. It is worth noting that, Talon supports a maximum of two accounts. Overall Talon is a good twitter client that allows users to customize every aspect of their twitter feed.

Download Talon

4. Twidere

Twidere is a comparatively new twitter client for Android. Similar to other Twitter clients on the list, Twidere allows users to manage multiple accounts, customize their feed, and Twidere also has a very well developed UI. Ability to schedule tweets to post them even when you are offline is another nifty feature of this Twitter client.

In addition to that, Twidere is an open-source application. Consequently, Twidere is completely free and doesn’t contain annoying advertisements.

Download Twidere

 5. TweetCaster

The last best Twitter client for Android on the list is TweetCaster. This feature-rich Twitter app allows users to filter tweets on the timeline based on users preference. TweetCaster consists of twelve vibrant themes and the app also allows users to schedule their tweets.

Using TweetCaster you can directly save links to Pocket, Instapaper, or Readability. Overall TweetCaster is a reliable Twitter client for Android that gets the job done.

Download TweetCaster

Best Twitter Clients For Windows

1. TweetDeck


TweetDeck is undoubtedly one of the most feature-rich Twitter clients for Windows. TweetDeck’s UI makes managing multiple twitter accounts a breeze. Furthermore, TweetDeck contains every Twitter feature that you can think of.

Keyboard shortcuts, ability to schedule tweets, and customize the timeline by adding or removing tabs are some of the nifty features that TweetDeck offers. Overall TweetDeck is a reliable Twitter client for Windows, MacOS, and Linux users.

Visit TweetDeck

2. Buffer

The next best Twitter app for Windows on the list is Buffer. It is worth noting that Buffer is actually a social media management tool and by no means, it replaces the original Twitter website. That said, using Buffer you can schedule your tweets and you can also monitor the activities on your tweets.

In addition to Twitter, you can also manage LinkedIn, Facebook, Instagram, and Pinterest account with Buffer. Overall, Buffer is a great social media management tool for brands or people who want to take social media seriously.

Visit Buffer

3. Twitter For Windows

Yes, you read it right Twitter also has an official Twitter application for Windows 10. This app simply allows a user to scroll through their timeline, check notifications and talk to other people using direct messages.

Desktop notifications on the Twitter app for windows help users to stay updated even when they are not close to their smartphones. Lastly, Twitter for windows is one of the most secure and very well optimized apps for using Twitter on a Windows PC.

Download Twitter For Windows

4. Fenice for Twitter

The next best Twitter app for Windows that can be downloaded from the Microsoft store is Fenice for Twitter. Fenice offers interactive notifications which eliminate the need of launching the application to perform tasks like retweets, reply to messages, and much more.

Using Fenice you can manage multiple twitter accounts at once and the app also allows users to personalize their home screen. Lastly, Fenice allows users to directly add tweets to their Pocket or Instapaper account.

Download Fenice For Twitter

5. TweetTen

The last best Twitter client for Windows on the list is TweetTen. You can use TweetTen either on a browser or download the TweetTen application on your Windows or MacOS computer. TweetTen is a feature-rich Twitter client that allows users to manage multiple accounts, scheduled tweets, and track their activity.

TweetTen can be customized to a great extent and the app also allows users to search and use GIF. Overall TweetTen is an impressive Twitter client for Windows.


So these were the ten best Twitter clients for Android and Windows that are worth checking out. Do share any other personal recommendations for the best twitter client for Android and Windows in the comments section below.

The post 10 Best Twitter Clients For Android And Windows appeared first on TechWorm.

A week in security (January 7 – 13)

Last week on the Malwarebytes Labs blog, we took a look at the Ryuk ransomware attack causing trouble over the holidays, as well as a ransom threat for an Irish transportation company. We explored the realm of SSN scams, and looked at what happens when an early warning system is attacked.

Other cybersecurity news

  • Password reuse problems. Multiple Reddit accounts reported being locked out after site admins blamed “password reuse” for the issue. (Source: The Register)
  • 85 rogue apps pulled from Play Store. Sadly, not before some 9 million downloads had already taken place. (Source: Trend Micro)
  • Home router risk. It seems many home routers aren’t doing enough in the fight against hackers. (Source: Help Net Security)
  • Deletion not allowed. Some people aren’t happy they can’t remove Facebook from their Samsung phones. (Source: Bloomberg)
  • Takedown: How a system admin brought down the notorious “El Chapo.” (Source: USA Today)
  • 2FA under fire. A new pentest tool called Mantis can be used to assist in the phishing of OTP (one time password) codes. (Source: Naked Security) 
  • Facebook falls foul of new security laws in Vietnam. New rules have brought a spot of bother for Facebook, accused of not removing certain types of content and handing over data related to “fraudulent accounts.” (source: Vietnam News)
  • Trading site has leak issue. A user on the newly set up trading platform was able to grab a lot of potentially problematic snippets, including authentication tokens and password reset links. (source: Ars Technica)
  • Local risk to card details. A researcher discovered payment info was being stored locally on machines, potentially exposing them to anyone with physical access. (Source: Hacker One) 
  • Facebook exec swatted. The dangerous “gag” of sending armed law enforcement to an address ends up causing problems for a “cybersecurity executive,” after bogus calls claimed they had “pipe bombs all over the place.” (source: PA Daily post)

Stay safe, everyone!

The post A week in security (January 7 – 13) appeared first on Malwarebytes Labs.

Android devices 50 times more infected with malware compared to iOS.

Android-powered connected devices are fifty times more likely to be infected with malware when compared to iOS.

Android devices are nearly fifty times more likely to be infected by malware than Apple devices, revealed Nokia’s latest threat intelligence report. According to the whitepaper, Android devices were responsible for 47.15% of the observed malware infections, Windows/ PCs for 35.82%, IoT for 16.17% and iPhones for less than 1%. We’ve compiled a list top three reasons that explain why almost half of all malware-infected devices are running the Google-created platform.

Market share

Cyber-criminals are aiming at the largest crowd. Currently, there are more than two billion devices operating the Google-created platform making it the most popular end-user OS in the world. Google claims Android managed to surpass the number of Windows-powered devices back in 2017. The continuously growing amounts of cell phones and tablets is the primary driver for the recent change. The more active devices are out there, the bigger the chances for human error are.

Android’s open source

The fact that Android is open source makes it a fantastic OS option for many vendors. However, granting companies with the ability to modify the Google-owned OS increase the chances for human error. Small tweaks in the OS can end up being potential security holes. And the fact that currently half of the world’s malware-infected devices are running Android means that betting that no one will ever find out about possible security issues is not a good idea. One way or another, someone finds out about the loophole and exploits it until a patch is released.


Apple is strict on getting its users to keep their OS up-to-date. Many are unhappy that Apple always finds a way to make them update and generally want to control everything that appears on the platform. However, it is a fact that if Android users were more diligent in updating their OS, Android-enabled devices would’ve not been topping the list of most malware-infected products in the world. Making sure that your OS is up-to-date is the first step towards securing your device.

Android Oreo, the eight major update by the Google-created OS, is undoubtedly a step forward towards better protection. Google is doing its best to decrease the number of possible vulnerabilities by making it not as open as its predecessors. However, vulnerabilities are still appearing, and hackers are not thinking of giving up. Even though Apple seems to be well ahead, the fact is that no matter what OS devices you operate, you will end up getting infected if you do not use them with caution and proper protection. End-users who wish to be fully protected must have quality anti-virus software installed on all their connected devices.

Download Panda Mobile Security

The post Android devices 50 times more infected with malware compared to iOS. appeared first on Panda Security Mediacenter.

This Week in Security News: Adware and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about an adware that disguised itself as different apps and monitors mobile devices. Also, learn more about the different ransomware attacks Trend Micro has been tracking.

Read on:

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

This adware discovered by Trend Micro is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. 

Reddit locks out users with poor password hygiene after spotting ‘unusual activity’

Some Redditors have been locked out of their accounts over a mysterious security problem that the internet forum’s admins have blamed on people reusing old passwords.

German Man Admits to Politician Data Breach

A 20-year-old man has admitted to police that he was behind the recent data breach that exposed the personal data and documents of almost 1,000 German politicians and public figures online. 

Tech Support Scams: What are They and How do I Stay Safe?

If you’re still unsure what tech support scams are, and how you can protect yourself, this handy guide will tell you everything you need to know.

Chubb Announces Key Cyber Security Trends to Watch in 2019

 As business decision-makers look to the year ahead, it is critical to address existing and new cyber security concerns. To help with that process, Chubb has launched its first annual cyber security predictions, which focus on the top risks in 2019 and beyond.

Millions of Android Users Tricked Into Downloading 85 Adware Apps From Google Play

Researchers at Trend Micro discovered 85 apps that were pushing adware designed to squeeze money out of around 9 million affected Android users. 

Ransomware MongoLock Immediately Deletes Files, Formats Backup Drives

Trend Micro has been following MongoLock ransomware attacks that demands a payment of 0.1 bitcoin from victims within 24 hours to retrieve the files allegedly saved in the cybercriminals’ servers. 

Samsung Phone Users Perturbed to Find They Can’t Delete Facebook

With consumers becoming more alert about their digital rights and privacy, Android phone users have begun to question Samsung’s deal to sell phones with a permanent version of Facebook.

JavaScript Malware in Spam Spreads Ransomware, Miners, Spyware, Worm

Trend Micro observed a sudden spike in JavaScript malware in more than 72,000 email samples that sourced and spread at least eight other kinds of malware beginning December 31, 2018. 

Kitchenware Companies Breached in Dual Attacks

OXO International, a maker of kitchen utensils, and, which sells a variety of kitchenware promotional materials, each reported attacks this week.

Do you think adware and ransomware will continue to be prominent cybersecurity issues this year? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Adware and Ransomware appeared first on .

Pre-Installed Malware Targets Critical System Apps on Mobile Devices

Several new types of pre-installed malware are targeting critical system apps on mobile devices, making them difficult to remove.

Researchers at Malwarebytes came across two instances of pre-installed malware targeting applications in /system/priv-app/, where critical apps such as settings and system UI reside. The first infection occurred on a THL T9 Pro device. The malware repeatedly installed variants of Android/Trojan.HiddenAds, which is known for displaying lock screen advertisements that take up the device’s entire screen. In this particular case, the infection wrapped itself up in the critical system Android app System UI.

The second infection occurred on a UTOK Q55. In that case, the threat came hardcoded in the device’s Settings app. It fit the “monitor” category of potentially unwanted programs (PUP), which are capable of collecting and reporting users’ information.

The Pre-Installed Malware Problem Persists

These two instances of pre-installed malware aren’t the first detected by Malwarebytes. In March 2017, researchers at the security software provider observed mobile devices manufactured by BLU being shipped out with Android/Adware.YeMobi. Then in December of that year, the researchers found an auto-installer known as FWUpgradeProvider pre-installed on devices bought from legitimate phone carriers in the U.K. and elsewhere.

Other security firms have detected pre-installed malware more recently. For instance, Check Point discovered RottenSys disguised as a system Wi-Fi service; the threat targeted nearly 5 million users for fraudulent ad revenues as of March 2018. A few months later, Avast Threat Labs found adware known as Cosiloon pre-installed on hundreds of Android device models.

How to Protect Mobile Devices From Pre-Installed Malware

Security professionals can protect mobile devices from pre-installed malware and other threats by using a unified endpoint management (UEM) solution to monitor how these devices report to the corporate IT environment. They should also use behavioral analysis to help defend mobile devices against zero-day threats.

The post Pre-Installed Malware Targets Critical System Apps on Mobile Devices appeared first on Security Intelligence.

Skype flaw grants access to the photos on your Android phone without a passcode

A design flaw in Microsoft’s Skype app can be exploited to grant access to the data on your Android phone without passcode authentication, a researcher has shown.

Kosovo-based bug-hunter Florian Kunushevci demonstrates in the YouTube video below how Skype can be manipulated into accessing private data, including photos on the phone, without unlocking the handset. All one has to do is gain physical access to the phone and answer a Skype call on it. From there, the user can access contact information, as well as the photo gallery through the app’s file sharing function.

“One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should,” he explained to The Register. “Then I had to change the way of thinking as a regular user into something that I can use for exploitation.”

While the flaw could tempt a suspicious spouse to look through their partner’s phone, it is more of a design oversight than anything. Kunushevci himself tells the publication, “For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.”

A responsible bug-hunter, Kunushevci alerted Microsoft to the bug and waited for the company to patch the bug before he disclosed it. That doesn’t mean it can’t still be exploited. Anyone who hasn’t updated their Android Skype app in over a month is at risk. Only the latest versions of Skype, issued December 23, are safe to use. And because Skype versioning differs between Android versions, everyone must be sure to be on a version number above over

The new landscape of pre-installed mobile malware: malicious code within

Here’s a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future.

In the past, we’ve seen pre-installed malware with the notorious Adups threat, among others. “Pre-installed” means the malware comes already installed on a device at the system level, thus, it cannot be removed; only disabled. However, remediating these iterations of pre-installed malware is possible by using a work-around to uninstall apps for the current user. This method involves connecting the mobile device to a PC and using the ADB command line tool. Follow our guide, removal instructions for Adups, to find out more.

Although this method is a bit tedious, it works to remediate the malware. In contrast, remediating newer versions of pre-installed malware has become much more difficult. We are now seeing malware authors target system apps that are required for the device to function properly. By injecting malicious code within these necessary apps, threat actors have reshaped the landscape of pre-installed malware for the worse.

Types of pre-installed apps

There are two types of preinstalled apps, based on the apps’ location on the device. This location also determines the importance of the app.

The first location is /system/app/. Apps in this location are typically something you want to have, but not critical for the device to run. For example, apps that contain functionally for the camera, Bluetooth, FM radio on the device, or photo viewing are stored in this location. This location is also where device manufactures cache what some may consider bloatware. Uninstalling some of these apps may degrade the user experience, but it isn’t going to stop the device from functioning.

The other location is /system/priv-app/. This is where significantly important apps reside. For instance, apps like settings and system UI, which include the functionality for the back/home buttons on Android devices, are stored here. In other words, apps you absolutely cannot uninstall these without essentially breaking the phone. Sadly, the latest pre-installed malware is targeting this location.

The evidence

In the light of this new, frightening pre-installed malware, let’s look at two case studies.

Case study 1: Riskware auto installer within System UI

The device is a THL T9 Pro. The infection is Android/PUP.Riskware.Autoins.Fota.INS. Although the code looks similar to the well-known preinstalled malware Adups, it’s entangled within the critical system app System UI, instead of being in a standalone app like a UpgradeSys. The infection causes headaches, as it repeatedly installs variants of Android/Trojan.HiddenAds. It’s unknown if this is the doing of Adups themselves, or on the other hand, if code was taken from the Adups Auto Installer and inserted into System UI. Neither scenario is good.

Case Study 2: Monitor within settings

This time, the device is a UTOK Q55. The infection is Android/Monitor.Pipe.Settings. The category “Monitor” is a subset of Potentially Unwanted Programs (PUPs). As the name implies, Monitor apps collect and report sensitive information from the device. Furthermore, this particular Monitor app is hardcoded in the highly-important Settings app. In effect, the app used to uninstall other apps would need to be uninstalled itself to remediate—pure irony.

Attempting to remediate

Here lays the biggest problem with these infections—there is currently no good way to remediate. I have worked with several customers with these infections, but despite my attempts, I have yet to find a good work around. However, I can offer some guidance. If a clean version of the system app can be found to replace the malicious version, you might be able to replace it. You will want to look for system apps that match the current Android OS version of the device.  If found, you can try using the following method:

  • Read the disclaimer from the removal instructions for Adups.
  • Follow the steps under Restoring apps onto the device (without factory reset) in the removal instructions for Adups to save the proper <full path of the apk> of the system app to be replaced.
  • Download a clean version of the system app to your PC.
    • You can use the popular site VirusTotal to determine if it’s clean or not.
  • Move the system app from your PC to your device.
    • adb push <PC file path>\<filename of clean version.apk> /sdcard/Download/<filename of clean version.apk>
  • Uninstall the old, malicious version of the system app.
    • adb shell pm uninstall -k –user 0 <package name of malicious system app>
  • Install the new version of the system app.
    • adb shell pm install -r –user 0 /sdcard/Download/<filename of clean version.apk>
  • See if it works.
    • Common failure errors:
    • If the new version fails to install, you can revert to the old system app.
      • adb shell pm install -r –user 0 <full path of the apk saved from second step>

As noted above, I have yet to find a version of any of the infections encountered that successfully installs. If you need assistance, feel free to post on our forum Mobile Malware Removal Help & Support.

What really can be done?

Currently, the best method to deal with these infections is to:

  1. Stay away from devices with these infections. Here are the manufacturers/models we have seen so far that have been impacted:
    • THL T9 Pro
    • UTOK Q55
    • BLU Studio G2 HD
  2. If you already bought one, return the device.
  3. If you already bought the device and can’t return it, contact the manufacturer.

Extreme frustration

As a mobile malware researcher, it pains me to no end to write about malware we can’t currently remediate.  However, the public needs to know that these types of infections exist in the wild. No one should have to tolerate such infections on any mobile device regardless of its price point and/or notoriety. I will continue to look for methods to deal with these infections. In the meantime, stay safe out there.

APK samples

Detection: Android/PUP.Riskware.Autoins.Fota.INS
MD5: 9E0BBF6D26B843FB8FE95FDAD582BB70
Package Name:

Detection: Android/Monitor.Pipe.Settings
MD5: DC267F396FA6F06FC7F70CFE845B39D7
Package Name:

The post The new landscape of pre-installed mobile malware: malicious code within appeared first on Malwarebytes Labs.

Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service

The unfortunate implications of a well-intentioned change to Google Play Developer policies – and the negative impact it has on ESET’s Android app customers

The post Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service appeared first on WeLiveSecurity

Klickbetrug mit Gewinnoptimierung: Android-Apps tarnen sich als iPhone-Programme

Profitsteigerung ist eine der Maximen jedes Cyberkriminellen. Da wundert es nicht, dass die SophosLabs nun eine neue Machenschaft aufgedeckt haben, die auf der Tatsache beruht, dass Werbetreibende mehr Geld pro Klick zahlen, wenn dieser von vermeintlich wohlhabenderen iPhone- oder iPad-Besitzern kommt. Da der sogenannte Klickbetrug, bei dem kommerzielle Werbeflächen geklickt oder Klicks zur Manipulation der […]

Police arrest alleged Russian hacker behind huge Android ad scam

Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.

Source: Kommersant

Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control

smartphone screen timeYou aren’t going to like this post. However, you will, hopefully, find yourself nodding and perhaps, even making some changes because of it. Here it friends: That love-hate relationship you have with your smartphone may need some serious attention — not tomorrow or next week — but now.

I’m lecturing myself first by the way. Thanks to the June iOS update that tracks and breaks down phone usage, I’m ready — eager in fact — to make some concrete changes to my digital habits. Why? Because the relationship with my phone – which by the way has become more like a third child — is costing me in time (75 days a year to be exact), stress, and personal goals.

I say this with much conviction because the numbers don’t lie. It’s official: I’m spending more time on my phone than I am with my kids. Likewise, the attention I give and the stress caused by my phone is equivalent to parenting another human. Sad, but true. Here’s the breakdown.

Screen time stats for the past seven days:

  • 5 hours per day on my device
  • 19 hours on social networks
  • 2 hours on productivity
  • 1 hour on creativity
  • 18 phone pickups a day; 2 pickups per hour

Do the math:

  • 35 hours a week on my device
  • 1,820 hours a year on my device
  • 75 days a year on my device

Those numbers are both accurate and disturbing. I’m not proud. Something’s gotta give and, as Michael Jackson once said, change needs to start with the man (woman) in the mirror.

A 2015 study by Pew Research Center found that 24% of Americans can’t stop checking their feeds constantly. No surprise, a handful of other studies confirm excessive phone use is linked to anxiety, depression, and a social phenomenon called FOMO, or Fear Of Missing Out.

Efficiency vs. Anxiety

There’s no argument around the benefits of technology. As parents, we can keep track of our kids’ whereabouts, filter their content, live in smart houses that are efficient and secure, and advance our skills and knowledge at lightning speeds.

That’s a lot of conveniences wrapped in even more pings, alerts, and notifications that can cause anxiety, sleeplessness, and stress.  In our hyper-connected culture, it’s not surprising to see this behavior in yourself or the people in your social circles.

  • Nervousness or anxiety when you are not able to check your notifications.
  • An overwhelming need to share things — photos, personal thoughts, stresses — with others on social media.
  • Withdrawal symptoms when you are not able to access social media.
  • Interrupting conversations to check social media accounts.
  • Lying (downplaying) to others about how much time you spend on social media sites.

We often promote balance in technology use, but this post will go one step further. This post will get uncomfortably specific in suggesting things to do to put a dent in your screentime. (Again, these suggested changes are aimed at this mom first.)

Get Intentional

  • Look at your stats. A lot of people don’t go to the doctor or dentist because they claim “not knowing” about an ailment is less stressful than smartphone screen timeknowing. Don’t take that approach to your screen time. Make today the day you take a hard look at reality. Both iOS and Android now have screen time tracking.
  • Get reinforcements.  There are a lot of apps out there like Your Hour, AppBlock, Stay Focused, Flipd, and App Off Timer designed to help curb your smartphone usage. Check out the one/s that fits your needs and best helps you control your screen time.
  • Plan your week. If you have activities planned ahead of time for the week — like a hike, reading, a movie, or spending time with friends — you are less likely to fritter away hours on your phone.
  • Leave your phone at home. Just a decade ago we spent full days away from home running errands, visiting friends, and exploring the outdoors — all without our phones. The world kept turning. Nothing fell to pieces. So start small. Go to the grocery store without your phone. Next, have dinner with friends. Then, go on a full day excursion. Wean yourself off your device and reclaim your days and strengthen your relationships.
  • Establish/enforce free family zones. Modeling control in your phone use helps your kids to do the same. Establish phone free zones such as homework time, the dinner table, family activities, and bedtime. The key here is that once you establish the phone free zones, be sure to enforce them. A lot of parents (me included) get lax after a while in this area. Research products that allow you to set rules and time limits for apps and websites. McAfee Safe Family helps you establish limits with pre-defined age-based rules that you can be customized based on your family’s needs.
  • Delete unused apps. Give this a try: Delete one social app at a time, for just a day or a week, to see if you need it. If you end up keeping even one time-wasting app off your phone, the change will be well worth it.
  • Engage with people over your phone. If you are in the line at the grocery store, waiting for a show to begin, or hanging out at your child’s school/ sports events, seek to connect with people rather than pull out your phone. Do this intentionally for a week, and it may become a habit!
  • Do one thing at a time. A lot of wasted device time happens because we are multi-tasking — and that time adds up. So if you are watching a movie, reading, or even doing housework put your phone in another room — in a drawer. Try training yourself to focus on doing one thing at a time.smartphone screen time
  • Give yourself a phone curfew. We’ve talked about phone curfews for kids to help them get enough sleep but how about one for parents? Pick a time that works for you and stick to it. (I’m choosing to put my phone away at 8 p.m. every night.)
  • Use voice recorder, notes app, or text. Spending too much time uploading random content? Curb your urge to check or post on social media by using your voice recorder app to speak your thoughts into. Likewise, pin that article or post that photo to your notes to catalog it in a meaningful way or text/share it with a small group of people. These few changes could result in big hours saved on social sites.
  • Turn off notifications. You can’t help but look at those notifications so change your habitual response by turning off all notifications.
  • Limit, don’t quit. Moderation is key to making changes stick. Try limiting your social media time to 10 minutes a day. Choose a time that works and set a timer if you need to. There’s no need to sever all ties with social media just keep it in its proper place.

Slow but Specific Changes

Lastly, go at change slowly (but specifically) and give yourself some grace. Change isn’t easy. You didn’t rack up those screen time stats overnight. You’ve come to rely on your phone for a lot of tasks as well as entertainment. So, there’s no need to approach this as a life overhaul, a digital detox, or take an everything or nothing approach. Nor is there a need to trumpet your social departure to your online communities. Just take a look at your reality and do what you need to do to take back your time and control that unruly third child once and for all. You’ve got this!

The post Has Your Phone Become Your Third Child? Ways to Get Screen Time Anxiety Under Control appeared first on McAfee Blogs.

Android Ecosystem Security Transparency Report is a wary first step

Reading through Google’s first quarterly Android Ecosystem Security Transparency Report feels like a mix of missed opportunities and déjà vu all over again.

Much of what is in the new Android ecosystem security report is data that has been part of Google’s annual Android Security Year in Review report, including the rates of potentially harmful applications (PHAs) on devices with and without sideloaded apps — spoiler alert: sideloading is much riskier — and rates of PHAs by geographical region. Surprisingly, the rates in Russia are lower than in the U.S.

The only other data in the Android ecosystem security report shows the percentage of devices with at least one PHA installed based on Android version. This is new data shows that the newer the version of Android, the less likely it is a device will have a PHA installed.

However, this also hints at the data Google didn’t include in the report, like how well specific hardware partners have done in updating devices to those newer versions of Android. Considering that Android 7.x Nougat is the most common version of the OS in the wild at 28.2% and the latest version 9.0 Pie hasn’t even cracked the 0.1% marker to be included in Google’s platform numbers, the smart money says OEM updating stats wouldn’t be too impressive.

There’s also the matter of Android security updates and the data around which hardware partners are best at pushing them out. Dave Kleidermacher, head of Android security and privacy, said at the Google I/O developer conference in May 2018 that the company was tracking which partners were best at pushing security updates and that it was considering adding hardware support details to future Android Ecosystem Security Transparency Reports. More recently, Google added stipulations to its OEM contracts mandating at least four security updates per year on Android devices.

It’s unclear why Google ultimately didn’t include this data in the report on Android ecosystem security, but Google has been hesitant to call out hardware partners for slow updates in the past. In addition to new requirements in Android partner contracts regarding security updates, there have been rules stating hardware partners need to update any device to the latest version of Android released in the first 18 months after a device launch. However, it has always been unclear what the punishment would be for breaking those rules. Presumably, it would be a ban on access to Google Play services, the Play Store and Google Apps, but there have never been reports of those penalties being enforced.

Google has taken steps to make Android updates easier, including Project Treble in Android 8.0 Oreo, which effectively decoupled the Android system from any software differentiation added by a hardware partner. But, since Android 7.x is still the most common version in the wild, it doesn’t appear as though that work has yielded much fruit yet.

Adding OS and security update stats to the Android Ecosystem Security Transparency Report could go a long way towards shaming OEMs into being better and giving consumers more information with which to make purchasing decisions, but time will tell if Google ever goes so far as to name OEMs specifically.

The post Android Ecosystem Security Transparency Report is a wary first step appeared first on Security Bytes.

Google sets Android security updates rules but enforcement is unclear

The vendor requirements for Android are a strange and mysterious thing but a new leak claims Google has added language to force manufacturers to push more regular Android security updates.

According to The Verge, Google’s latest contract will require OEMs to supply Android security updates for two years and provide at least four updates within the first year of a device’s release. Vendors will also have to release patches within 90 days of Google identifying a vulnerability.

Mandating more consistent Android security updates is certainly a good thing, but it remains unclear what penalties Google would levy against manufacturers that fail to provide the updates or if Google would follow through on any punitive actions.

It has been known for years that Google sets certain rules for manufacturers who want to include the Play Store, Play services and Google apps on Android devices, but because enforcement has been unclear the rules have sometimes been seen as mere suggestions.

For example, Google has had a requirement in place since the spring of 2011 mandating manufacturers to upgrade devices to the latest version of the Android OS released within 18 months of a device’s launch. However, because of the logistics issues of providing those OS updates, Google has rarely been known to enforce that requirement.

This can be seen in the Android OS distribution numbers, which are a complete mess. Currently, according to Google, the most popular version of Android on devices in the wild is Android 6.0 Marshmallow (21.6%), followed by Android 7.0 (19%), Android 5.1 (14.7%), Android 8.0 (13.4%) and Android 7.1 (10.3%). And not even showing up on Google’s numbers because it hasn’t hit the 0.1% threshold for inclusion is Android 9.0 released in August.

Theoretically, the ultimate enforcement of the Android requirements would be Google barring a manufacturer from releasing a device that includes Google apps and services, but there have been no reports of that ever happening. Plus, the European Union’s recent crackdown on Android give an indication that Google does wield control over the Android ecosystem — and was found to be abusing that power.

The ruling in the EU will allow major OEMs to release forked versions of Android without Google apps and services (something they were previously barred from doing by Google’s contract). It will also force Google to bundle the Play Store, services and most Google apps into a paid licensing bundle, while offering — but not requiring — the Chrome browser and Search as a free bundle. Although early rumors suggest Google might offset the cost of the apps bundle by paying OEMs to use Chrome and Google Search, effectively making it all free and sidestepping any actual change.

These changes only apply to Android devices released in the EU, but it should lead to more devices on the market running Android but featuring third-party apps and services. This could mean some real competition for Google from less popular Android forks such as Amazon’s Fire OS or Xiaomi’s MIUI.

It’s still unknown if the new rules regarding Android security updates are for the U.S. only or if they will be part of contracts in other regions. But, an unintended consequence of the EU rules might be to strengthen Google’s claim that the most secure Android devices are those with the Play Store and Play services.

Google has long leaned on its strong record of keeping malware out of the Play Store and off of user devices, if Play services are installed. Google consistently shows that the highest rates of malware come from sideloading apps in regions where the Play Store and Play services are less common — Russia and China – and where third-party sources are more popular.

Assuming the requirements for Android security updates do apply in other regions around the globe, it might be fair to also assume they’d be tied to the Google apps and services bundle (at least in the EU) because otherwise Google would have no way to put teeth behind the rules. So, not only would Google have its stats regarding how much malware is taken care of in the Play Store and on user devices by Play services, it might also have more stats showing those devices are more consistently updated and patched.

The Play Store, services and Google apps are an enticing carrot to dangle in front of vendors when requiring things like Android security updates, and there is reason to believe manufacturers would be willing to comply in order to get those apps and services, even if the penalties are unclear.

More competition will be coming to the Android ecosystem in the EU, and it’s not unreasonable to think that competition could spread to the U.S., especially if Google is scared to face similar actions by the U.S. government (as unlikely as that may seem).  And the less power Google apps and services have in the market, the  less force there will be behind any Google requirements for security updates.


The post Google sets Android security updates rules but enforcement is unclear appeared first on Security Bytes.

How to Squash the Android/TimpDoor SMiShing Scam

As technology becomes more advanced, so do cybercriminals’ strategies for gaining access to our personal information. And while phishing scams have been around for over two decades, attackers have adapted their methods to “bait” victims through a variety of platforms. In fact, we’re seeing a rise in the popularity of phishing via SMS messages, or SMiShing. Just recently, the McAfee Mobile Research team discovered active SMiShing campaigns that are tricking users into downloading fake voice-messaging apps, called Android/TimpDoor.

So how does Android/TimpDoor infect a user’s device? When a victim receives the malicious text, the content will include a link. If they click on it, they’ll be directed to a fake web page. The website will then prompt the victim to download the app in order to listen to phony voice messages. Once the app has been downloaded, the malware collects the device information including device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. TimpDoor allows cybercriminals to use the infected device as a digital intermediary without the user’s knowledge. Essentially, it creates a backdoor for hackers to access users’ home networks.

According to our team’s research, these fake apps have infected at least 5,000 devices in the U.S. since the end of March. So, the next question is what can users do to defend themselves from these attacks? Check out the following tips to stay alert and protect yourself from SMS phishing:

  • Do not install apps from unknown sources. If you receive a text asking you to download something onto your phone from a given link, make sure to do your homework. Research the app developer name, product title, download statistics, and app reviews. Be on the lookout for typos and grammatical errors in the description. This is usually a sign that the app is fake.
  • Be careful what you click on. Be sure to only click on links in text messages that are from a trusted source. If you don’t recognize the sender, or the SMS content doesn’t seem familiar, stay cautious and avoid interacting with the message.
  • Enable the feature on your mobile device that blocks texts from the Internet. Many spammers send texts from an Internet service in an attempt to hide their identities. Combat this by using this feature to block texts sent from the Internet.
  • Use a mobile security software. Make sure your mobile devices are prepared for TimpDoor or any other threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, as always, to stay up-to-date on the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Squash the Android/TimpDoor SMiShing Scam appeared first on McAfee Blogs.

Android/TimpDoor Turns Mobile Devices Into Hidden Proxies

The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors. McAfee Mobile Security detects this malware as Android/TimpDoor.

Devices running TimpDoor could serve as mobile backdoors for stealthy access to corporate and home networks because the malicious traffic and payload are encrypted. Worse, a network of compromised devices could also be used for more profitable purposes such as sending spam and phishing emails, performing ad click fraud, or launching distributed denial-of-service attacks.

Based on our analysis of 26 malicious APK files found on the main distribution server, the earliest TimpDoor variant has been available since March, with the latest APK from the end of August. According to our telemetry data, these apps have infected at least 5,000 devices. The malicious apps have been distributed via an active phishing campaign via SMS in the United States since at least the end of March. McAfee notified the unwitting hosts of the phishing domains and the malware distribution server; at the time of writing this post we have confirmed that they are no longer active.

Campaign targets North America

Since at least the end of March users in the United States have reported suspicious text messages informing them that they have two voice messages to review and tricking them into clicking a URL to hear them:

Figure 1. User reporting a text that required downloading a fake voice app. Source

Figure 2. An August 9 text. Source:

Figure 3. An August 26 text. Source:

If the user clicks on one of these links in a mobile device, the browser displays a fake web page that pretends to be from a popular classified advertisement website and asks the user to install an application to listen to the voice messages:

Figure 4. A fake website asking the user to download a voice app.

In addition to the link that provides the malicious APK, the fake site includes detailed instructions on how to disable “Unknown Sources” to install the app that was downloaded outside Google Play.

Fake voice app

When the user clicks on “Download Voice App,” the file VoiceApp.apk is downloaded from a remote server. If the victim follows the instructions, the following screens appear to make the app look legitimate:

Figure 5. Fake voice app initial screens.

The preceding screens are displayed only if the Android version of the infected device is 7.1 or later (API Level 25). If the Android version is earlier, the app skips the initial screens and displays the main fake interface to listen to the “messages”:

Figure 6. The main interface of the fake voice messages app.

Everything on the main screen is fake. The Recents, Saved, and Archive icons have no functionality. The only buttons that work play the fake audio files. The duration of the voice messages does not correspond with the length of the audio files and the phone numbers are fake, present in the resources of the app.

Once the user listens to the fake messages and closes the app, the icon is hidden from the home screen to make it difficult to remove. Meanwhile, it starts a service in the background without user’s knowledge:

Figure 7. Service running in the background.

Socks proxy over SSH

As soon as the service starts, the malware gathers device information: device ID, brand, model, OS version, mobile carrier, connection type, and public/local IP address. To gather the public IP address information, TimpDoor uses a free geolocation service to obtain the data (country, region, city, latitude, longitude, public IP address, and ISP) in JSON format. In case the HTTP request fails, the malware make an HTTP request to the webpage getIP.php of the main control server that provides the value “public_ip.”

Once the device information is collected, TimpDoor starts a secure shell (SSH) connection to the control server to get the assigned remote port by sending the device ID. This port will be later used for remote port forwarding with the compromised device acting as a local Socks proxy server. In addition to starting the proxy server through an SSH tunnel, TimpDoor establishes mechanisms to keep the SSH connection alive such as monitoring changes in the network connectivity and setting up an alarm to constantly check the established SSH tunnel:

Figure 8. An execution thread checking changes in connectivity and making sure the SSH tunnel is running.

To ensure the SSH tunnel is up, TimpDoor executes the method updateStatus, which sends the previously collected device information and local/public IP address data to the control server via SSH.

Mobile malware distribution server

By checking the IP address 199.192.19[.]18, which hosted VoiceApp.apk, we found more APK files in the directory US. This likely stands for United States, considering that the fake phone numbers in the voice app are in the country and the messages are sent from US phone numbers:

Figure 9. APK files in the “US” folder of the main malware distribution server.

According to the “Last modified” dates on the server, the oldest APK in the folder is chainmail.apk (March 12) while the newest is VoiceApp.apk (August 27) suggesting the campaign has run for at least five months and is likely still active.

We can divide the APK files into two groups by size (5.1MB and 3.1MB). The main difference between them is that the oldest use an HTTP proxy (LittleProxy) while the newest (July and August) use a Socks proxy (MicroSocks), which allows the routing of all traffic for any kind of network protocol (not only HTTP)TTp on any port. Other notable differences are the package name, control server URLs, and the value of appVersion in the updateStatus method—ranging from 1.1.0 to 1.4.0.

In addition to the US folder we also found a CA folder, which could stand for Canada.

Figure 10. The “CA” folder on the distribution server.

Checking the files in the CA folder we found that VoiceApp.apk and relevanbest.apk are the same file with appVersion 1.4.0 (Socks proxy server). Octarineiads.apk is version 1.1.0, with an HTTP proxy.

TimpDoor vs MilkyDoor

TimpDoor is not the first malware that turns Android devices into mobile proxies to forward network traffic from a control server using a Socks proxy though an SSH tunnel. In April 2017 researchers discovered MilkyDoor, an apparent successor of DressCode, which was found a year earlier. Both threats were distributed as Trojanized apps in Google Play. DressCode installs only a Socks proxy server on the infected device; MilkyDoor also protects that connection to bypass network security restrictions using remote port forwarding via SSH, just as TimpDoor does. However, there are some relevant differences between TimpDoor and MilkyDoor:

  • Distribution: Instead of being part of a Trojanized app in Google Play, TimpDoor uses a completely fake voice app distributed via text message
  • SSH connection: While MilkyDoor uploads the device and IP address information to a control server to receive the connection details, TimpDoor already has the information in its code. TimpDoor uses the information to get the remote port to perform dynamic port forwarding and to periodically send updated device data.
  • Pure proxy functionality: MilkyDoor was apparently an adware integrator in early versions of the SDK and later added backdoor functionality. TimpDoor’s sole purpose (at least in this campaign) is to keep the SSH tunnel open and the proxy server running in the background without the user’s consent.

MilkyDoor seems to be a more complete SDK, with adware and downloader functionality. TimpDoor has only basic proxy functionality, first using an HTTP proxy and later Socks.


TimpDoor is the latest example of Android malware that turns devices into mobile backdoors—potentially allowing cybercriminals encrypted access to internal networks, which represents a great risk to companies and their systems. The versions found on the distribution server and the simple proxy functionality implemented in them shows that this threat is probably still under development. We expect it will evolve into new variants.

Although this threat has not been seen on Google Play, this SMS phishing campaign distributing TimpDoor shows that cybercriminals are still using traditional phishing techniques to trick users into installing malicious applications.

McAfee Mobile Security detects this threat as Android/TimpDoor. To protect yourselves from this and similar threats, employ security software on your mobile devices and do not install apps from unknown sources.

The post Android/TimpDoor Turns Mobile Devices Into Hidden Proxies appeared first on McAfee Blogs.

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One module in my training was called "Logs Don't Lie" which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server, or in the Financial Institutions own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launcher the APK Builder "Android Botnet Anubis II" 

Malware actor chooses from his list of banking targets
In the comments section of the video, someone has shared a screen shot of the botmaster's control panel.  In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel
In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin
As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.

 Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir?  Sing On!

The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a Bank Two Factor Authentication request being forward to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here:

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seem to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators.  There were far fewer devices for which keylogs were found.   Example keylog entries looked like this:

A telephone prompt looked like this:

  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]

Responding to a message looked like this:

  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]
A YouTube session looked like this:

  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]


From looking for this malware in various collections, such as Virus Total Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be from the Google Play Store.

A popularly reported stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

A more recent post, from AlienVault, (20 days ago):  "Anubis Android Malware in the Play Store

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bbSophos: Andr/BankSpy-AH 

Kaspersky authored a special article on this banking trojan, which they call "HQWar" back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018"   In that article they said they have documented 61,000 versions! 

Kaspersky: Phantom Menace
As I mentioned Lukas at the beginning of this blog, ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Fortnite: When Dollars and Cents Trumps Security!

When Epic Games recently announced and subsequently released Fortnite for Android, it took the decision to bypass the Play Store and ask users to side-load the app. After I read that Epic Games’ brilliant idea was to ask Android users to essentially downgrade the security on their devices, there was a lot of head-on-desk action.

Side-loading an app onto an Android device is essentially asking the user to download it from a website instead of the Play Store and then ignore the Android warnings about installing apps from untrusted locations. In more recent Android versions this safety net is called “Install unknown apps” and when a user tries to install an app directly from a website, the operating system will ask them a few times if they really want to do this. Note that this is does not affect users on Apple iOS devices as Apple locks down app distribution to the App Store.

Don’t get me wrong, I understand both the business reason and the developer logic that drove Epic Games to release the Android version in this way. For developers, Android’s lack of homogeneity means they often have to validate their app across multiple stores, each with its own constraints and minimum requirements. Thus, what should be a simple app release can gain an Nth degree of complexity; increased time to develop and associated maintenance, leading to increased cost. This is not an attractive prospect for any vendor wanting to deliver a product. Added to the fact that the Play Store takes a 30% cut on all transactions, you can see why an app vendor would look to avoid this if they could! Let’s face it, gaming companies have to make money in order to recuperate the investment in the development and maintenance of the game.

You may be reading this wondering why incentivising users to side-load popular games is really a problem. Fundamentally, it introduces bad habits to users. These bad habits break down the general foundations of mobile device security. The Fortnite game has a huge following and we can’t neglect the message being sent not only to users but also other app developers.

In InfoSec, we constantly argue the benefits of teaching users about safe and secure principals when using electronic devices, browsing the web and installing applications. The Epic Games Android installation is the antithesis of these teachings, instead sending a clear message to users – especially a younger generation that will one day enter the workforce – that it is ok to install apps from any location.

The fact is, Epic Games is inadvertently making  it easier for a malicious party to trick users into downloading fake apps and providing an opportunity for these malicious parties to introduce fake apps in the official store. This has been seen before, especially in the banking industry, and was even the case for Fortnite itself during the beta period. Google Pay Protect is one element of sanity in this situation as it will scan the apps on the device. Unfortunately this is only a recent addition to Android and is not always available depending on the version or the manufacturer of the device.

The issues continue even after the app is installed and being used. Fortnite, like many games, is free to play but relies extensively on in-app purchases – the pay to win paradigm. By not using the Play Store to deliver the app originally, the vendor needs to set-up its own payment infrastructure and ensure it is safe. This in itself is not an easy task and can be thwart with errors and potential for data loss.

Stepping back and analysing the situation, where does one place blame? I think a majority of us in the industry, myself included, will scorn the vendor for not doing the right thing and promoting bad habits to users. Looking beyond the initial rapid shame response from the industry, I think it is interesting to put oneself in the vendor’s shoes. I can see how the lack of standardisation, draconian process and exorbitant fees would make it unattractive to go to market via the various app stores in the “proper way”. Perhaps it is time for companies like Apple and Google to rethink the app distribution model, so all can benefit from a secure platform?

Realistically, I believe that this situation just boils down to the ability for a business to make a profit and you know what, this isn’t the first time or place where security has been compromised or downgraded because of money. Let’s face it, we see it all the time – most recently in IoT security and more generally in corporate security when a security risk is accepted instead of investing time and funds in fixing it.

This is why we can’t have secure things!

Update: Seems like fake Fortnite apps are already in the wild, more here

Thanks to Hannah Finch for the editorial review

The post Fortnite: When Dollars and Cents Trumps Security! appeared first on Liquidmatrix Security Digest.

Multisandbox project welcomes Cyber adAPT ApkRecon

Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:

It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:


This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:

Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:


From there we can jump to the domain entity, i.e., and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:

These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:

This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:

The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:

At a glance you can understand that something shady is going on with and you are able to discover other malicious domains such as,,, etc. Some of these, for instance, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.