Category Archives: mobile devices

Android Users Spammed With Fake Missed Call Alerts

Scammers abuse the Notifications and Push APIs on Android devices to send spam alerts that are customized to look like a missed call.

Both APIs are used on mobile devices for push notifications – short messages intended to re-engage the user. Messages can be triggered by a local application or server.

“The Notifications API lets us display notifications to the user. It is incredibly powerful and simple to use. Where possible, it uses the same mechanisms a native app would use, giving a completely native look and feel,” reads the description for the Notifications API.

Chrome’s icon changed by the scammers

Lookout’s AI Phishing Service has intercepted a phishing campaign that is currently sending messages to mobile users with a custom icon for the app that triggers the alert. In this case, it’s Google Chrome.

To hide the origin, the fraudsters changed the browser icon to display “missed call” as if it were a missed call notification. The message indicates that the user has an iPhone XS waiting for them.

This is powerful social engineering because users often rely on visual indicators to identify the source of a warning.

Jeremy Richards, a security researcher at Lookout, said in a statement to BleepingComputer: “Scammers are looking to take advantage of the fact that we’re primed to identify certain icons we normally associate with system messages (in this case the icon of the telephone).”

It is important to note that the message will only be displayed if the victim accepts notifications from the spam domain. This means that sites that have gained the trust of the user can be used for this type of phishing campaign.

The following is a brief list of domains that send spam via mobile device push notifications:

  • getitfree-samples.com
  • click4riches.info
  • consumertestconnect.com
  • foundmoneyguide.com
  • yousweeps.com

Not all notification spam uses this trick to change the browser icon. However, the messages are tempting enough to claim a few victims.
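Because the alerts only appear after the user has granted notification permission to the sending site, reviewing those grants is a direct check. The following is an added example, not code from the article or from Lookout: it scans a browser profile's per-site notification settings for the domains listed above. It assumes the desktop Chrome `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow); the function names and the sample data are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Domains the article lists as sending push-notification spam.
SPAM_DOMAINS = {
    "getitfree-samples.com", "click4riches.info", "consumertestconnect.com",
    "foundmoneyguide.com", "yousweeps.com",
}
ALLOW = 1  # assumption: Chrome stores 1 = allow, 2 = block

def notification_grants(prefs):
    """Yield (host, setting) for each per-site notification entry."""
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    for pattern, value in entries.items():
        # Keys look like "https://host:443,*"; keep the primary pattern.
        primary = pattern.split(",", 1)[0]
        try:
            host = urlsplit(primary).hostname
        except ValueError:  # wildcard patterns that do not parse as URLs
            host = None
        if host:
            yield host.rstrip("."), value.get("setting")

def is_listed(host, listed=SPAM_DOMAINS):
    """True for a listed domain or a subdomain of it, not for lookalikes."""
    return any(host == d or host.endswith("." + d) for d in listed)

def flag_spam_grants(prefs):
    """Return sorted hosts that may send notifications and match the list."""
    return sorted({h for h, s in notification_grants(prefs)
                   if s == ALLOW and is_listed(h)})

# Constructed sample, not taken from a real profile.
SAMPLE = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://push.yousweeps.com:443,*": {"setting": 1},
  "https://click4riches.info:443,*": {"setting": 2},
  "https://notyousweeps.com:443,*": {"setting": 1},
  "https://mail.example.org:443,*": {"setting": 1},
  "https://FoundMoneyGuide.com:443,*": {"setting": 1}
}}}}}
""")

if __name__ == "__main__":
    for host in flag_spam_grants(SAMPLE):
        print("revoke notification permission for", host)
```

Only entries that are both allowed and on the list are reported; a blocked entry for a listed domain is already in the desired state.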

Same approach for desktops

Richards saw this activity on Android phones. Indeed, push notifications for Safari on iOS are currently not fully supported. However, the same approach is also suitable for the desktop. Safari and Chrome support web notifications, which can be used to create a fake card. A quick read of the text and a glance at the Slack icon can easily convince the user to click on the alert and go to a phishing site that collects user credentials.

On mobile devices, the same warning is even more believable because of the name of Chrome, the app that triggers the alert, and the domain that sends spam. If the Chrome icon is changed, there is little evidence of tampering with the message because only the browser name and domain indicate the attempted fraud.

Peter Beverloo, a Google software engineer, has created a notification generator to test how a push card appears on desktops and mobile devices. The tool allows you to enter a custom title and text for the message and add a selection of images, such as icon, badge, and picture, and actions.


Number of connected devices reached 22 billion, where is the revenue?

The number of devices connected to the internet reached 22 billion worldwide at the end of 2018, according to the latest research from Strategy Analytics. Enterprise IoT remains the leading segment, accounting for more than half of the market, with Mobile/Computing at just over a quarter. The report predicts, however, that Home will be the fastest growing segment over the coming years, driven by further rapid growth in smart home adoption, particularly in as-yet untapped …

The post Number of connected devices reached 22 billion, where is the revenue? appeared first on Help Net Security.

Employees are aware of USB drive security risks, but don’t follow best practices

Employees are aware of the risks associated with inadequate USB drive security – yet their employers aren’t mandating following best practices, according to a report by Apricorn. “The State of USB Data Protection 2019: Employee Spotlight” survey report, which polled nearly 300 employees across industries including education, finance, government, healthcare, legal, retail, manufacturing, and power and energy, examined year-over-year trends of USB drive usage, policies and business drivers. The report reveals that while employees have …

The post Employees are aware of USB drive security risks, but don’t follow best practices appeared first on Help Net Security.