Android malware steals money from victims’ PayPal account

ESET researchers have found a new Android Trojan hidden inside a battery optimization app that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.

This happens because during installation, the app requests access to the Android “Accessibility” permission, a very dangerous feature that allows an app to automate screen taps and OS interactions.

If the official PayPal app is installed on the compromised device, the malware displays a notification alert prompting the user to launch it. Once the user opens it and logs in, the malicious accessibility service steps in to perform the transaction.

“During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location,” ESET researcher Stefanko explained.

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA). Users with 2FA enabled simply complete one extra step as part of logging in – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”

This particular Trojan bundled up with the bogus battery optimization app is distributed via third-party app stores, but the researchers also spotted five malicious apps with similar capabilities on Google Play, masquerading as tools for tracking the location of other Android users.

That malware concentrates on phishing the credentials for online banking services for several Brazilian banks, as well as on thwarting uninstallation attempts by AV or app manager apps.

The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will also be unable to do anything to stop the transaction from being executed as it all happens in a matter of seconds.

The only thing that will prevent the theft is if the user has insufficient PayPal balance and no payment card connected to the account.

Users who have installed the PayPal-targeting Trojan would do well to check if their accounts have been drained (the malware can repeat the stealing manoeuvre) and to report the unauthorized transactions to PayPal. Changing their Gmail and online banking passwords is also a good idea.

Australia passes new encryption laws that could force tech companies to offer access to encrypted messages

Australia has passed its encryption legislation, which means companies including Apple, Facebook and Google could be forced to “build new capabilities” to thwart encrypted messages.

As reported by CNET, the legislation calls on companies to provide three levels of assistance to law enforcement and select government agencies:

  • Technical Assistance Requests: Companies provide voluntary assistance to aid certain agencies as they perform duties relating to “Australia’s national interests, the safeguarding of national security and the enforcement of the law.”
  • Technical Assistance Notices: Requires companies to provide assistance that is “reasonable, proportionate, practicable and technically feasible.” Providers are able to use existing means like encryption keys to decrypt communications.
  • Technical Capability Notices: Requires companies to build a new capability that enables it to provide assistance to law enforcement agencies and government bodies. The notice cannot force a provider to build or implement a capability to remove electronic protection, such as encryption.

Technical Assistance and Technical Capability Notices both require an underlying warrant or authorization, the bill reads.

Australian government officials have been cautious of using the word “backdoor,” but tech companies worry that the law is essentially a pathway for such tools. Speaking about the piece of legislation, Apple stated that it is “wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”

What Apple and other tech companies also worry about is the precedent this could set for other countries. Apple has long opposed the idea of creating a backdoor for government officials, but this new Australian legislation could hurt Apple’s efforts around the world.

Google is shutting down Google+ following massive user data exposure

Following a massive data breach first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers.

According to the Wall Street Journal’s sources as well as documents reviewed by the publication, a software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. And an internal memo noted that while there wasn’t any evidence of misuse on behalf of developers, there wasn’t a way to know for sure whether any misuse took place. Google said that it also found no evidence that any of the developers behind the 438 applications that used the API in question were aware of the bug.

Though Google allows developers to collect Google+ profile information when granted access by users, a bug gave developers access to the profile data of friends of those users as well, regardless of whether those friends had chosen to share that information publicly. It included static data fields such as name, email, occupation, gender and age. It did not include information from Google+ posts. The bug was patched in March 2018, but Google didn’t inform users at that point. “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks,” the company said in a blog post. “That means we cannot confirm which users were impacted by this bug.”
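The Google+ bug described above is a classic authorization mistake: the API checked that the caller was authorized for the connecting user, but not that each friend’s own sharing settings permitted the fields being returned. The following is an added example (not Google’s code or API) that models the two behaviours side by side: a vulnerable lookup that hands back a friend’s whole profile, and a fixed one that filters every field by the profile owner’s own visibility setting relative to the viewer. The users, fields and settings are constructed for the demo.

```python
"""Added example (not Google's code): field-level visibility on connected profiles.

A viewer authorizing an app must not let that app read a friend's fields beyond
what the *friend* chose to share. Profiles and settings below are constructed."""

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


class Profile:
    def __init__(self, user_id, fields, visibility, friends):
        self.user_id = user_id
        self.fields = fields            # field name -> value
        self.visibility = visibility    # field name -> PUBLIC / FRIENDS / PRIVATE
        self.friends = set(friends)     # people this owner has added (asymmetric)


class Directory:
    def __init__(self, profiles):
        self._p = {p.user_id: p for p in profiles}

    def friends_profiles_vulnerable(self, viewer_id):
        """Bug: only the viewer's authorization is checked; each friend's own
        per-field settings are ignored, so every field of every friend leaks."""
        viewer = self._p[viewer_id]
        return {fid: dict(self._p[fid].fields) for fid in viewer.friends}

    def visible_fields(self, owner_id, viewer_id):
        """Apply the owner's per-field setting for this particular viewer."""
        owner = self._p[owner_id]
        out = {}
        for name, value in owner.fields.items():
            vis = owner.visibility.get(name, PRIVATE)      # default deny
            if (owner_id == viewer_id
                    or vis == PUBLIC
                    or (vis == FRIENDS and viewer_id in owner.friends)):
                out[name] = value
        return out

    def friends_profiles_fixed(self, viewer_id):
        """Fixed: the owner of each profile decides what this viewer may see."""
        viewer = self._p[viewer_id]
        return {fid: self.visible_fields(fid, viewer_id) for fid in viewer.friends}


def sample_profiles():
    """Constructed demo data: Alice has added Bob and Carol; only Bob added Alice back."""
    return [
        Profile("alice", {"name": "Alice"}, {"name": PUBLIC}, ["bob", "carol"]),
        Profile("bob",
                {"name": "Bob", "email": "bob@example.com", "age": 41},
                {"name": PUBLIC, "email": FRIENDS, "age": PRIVATE},
                ["alice"]),
        Profile("carol",
                {"name": "Carol", "email": "carol@example.com"},
                {"name": PUBLIC, "email": FRIENDS},
                []),
    ]


if __name__ == "__main__":
    d = Directory(sample_profiles())
    print("vulnerable:", d.friends_profiles_vulnerable("alice"))
    print("fixed:     ", d.friends_profiles_fixed("alice"))
```

In the fixed path, Bob’s private age never leaves the server, and Carol’s friends-only email stays hidden from Alice because Carol has not added Alice to her own circle; a field with no visibility entry is treated as private.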

Facebook finds ‘no evidence’ hackers accessed third-party apps with its Facebook Login

Facebook has said it’s found “no evidence” that third-party apps were affected by the data breach it revealed last week.

Hackers stole account access tokens on at least 50 million users by exploiting a chain of three vulnerabilities inadvertently introduced by Facebook last year. Another 40 million also may have been affected by the attack. Facebook revoked those tokens — which keep users logged in when they enter their username and password — forcing users to log back into the site again.

But there was concern that third-party apps, sites and services that rely on Facebook to log in — like Spotify, Tinder and Instagram — also may have been affected, prompting companies that use Facebook Login to seek answers from the social networking giant.

Facebook security VP Guy Rosen revealed that investigators “found no evidence” of the intruders accessing third-party apps with its Facebook Login feature. Some sites using the single sign-on also confirmed that there was no indication of a data breach on their end, although they’re not necessarily taking chances.

“We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week,” said Guy Rosen, in a blog post. “That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.”

“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens — were automatically protected when we reset people’s access tokens,” he said.

Admittedly, Rosen said that not all developers use Facebook’s developer tools, so the social network is “building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”
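The protection Rosen describes comes from one design choice: an app that re-checks a third-party login token with the provider on a schedule is automatically logged out when the provider revokes tokens, while an app that trusts its local session forever keeps an attacker’s stolen token alive. The following is an added example (not Facebook’s SDK or code) with a stand-in identity provider offering issue/revoke/introspect operations and an app session store that caches a token only for a bounded interval before asking the provider again. The provider API, the app and the clock are constructed for the demo.

```python
"""Added example (not Facebook's SDK): revalidating third-party login tokens.

Models a provider-wide token reset and shows why an app that periodically
re-checks its users' tokens is logged out, while a naive one is not."""
import secrets
import time


class IdentityProvider:
    """Stand-in for the social login provider (constructed, not a real API)."""

    def __init__(self):
        self._tokens = {}   # token -> user id

    def issue(self, user_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user_id
        return token

    def revoke_all(self):
        """What a provider does after a breach: every outstanding token becomes invalid."""
        self._tokens.clear()

    def introspect(self, token):
        """Return the user id the token is bound to, or None if it is no longer valid."""
        return self._tokens.get(token)


class AppSessions:
    """The third-party app's own session store, keyed by its own session id."""

    def __init__(self, provider, revalidate_every=300, clock=time.time):
        self.provider = provider
        self.revalidate_every = revalidate_every   # seconds a cached check is trusted
        self._clock = clock
        self._sessions = {}  # session id -> {"user", "token", "checked_at"}

    def login_with_provider(self, token):
        """Exchange a provider token for an app session; None if the token is invalid."""
        user = self.provider.introspect(token)
        if user is None:
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "token": token, "checked_at": self._clock()}
        return sid

    def current_user_naive(self, sid):
        """Vulnerable pattern: trusts the local session forever once created."""
        s = self._sessions.get(sid)
        return s["user"] if s else None

    def current_user(self, sid):
        """Hardened: once the cache interval elapses, ask the provider again and
        drop the session if the provider no longer accepts the token."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["checked_at"] >= self.revalidate_every:
            if self.provider.introspect(s["token"]) is None:
                del self._sessions[sid]
                return None
            s["checked_at"] = now
        return s["user"]


if __name__ == "__main__":
    idp = IdentityProvider()
    app = AppSessions(idp, revalidate_every=300)
    sid = app.login_with_provider(idp.issue("alice"))
    idp.revoke_all()
    print("naive still logged in:", app.current_user_naive(sid))
```

The interval is the trade-off: a revoked token keeps working in the app for at most `revalidate_every` seconds, so a shorter interval narrows the window at the cost of more calls to the provider.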

Security vulnerability in Apple’s DEP could allow full access to corporate networks

A security vulnerability discovered in Apple’s Device Enrollment Program (DEP) could allow an attacker to gain full access to a corporate or school network.

The DEP is a free service offered by Apple to allow new devices to be automatically configured with everything from custom apps to VPN settings.

The vulnerability may allow attackers to enroll any device into an organization’s Mobile Device Management server and, consequently, to obtain privileged access to the private resources of an organization or even full VPN access to internal systems.

The vulnerability was discovered by Duo Security researchers while probing Apple DEP’s security.

“Our research focused on the details of how some of the undocumented DEP APIs work, specifically those that are used by Apple devices to communicate and enroll with the DEP service. Through this research, we found that because of the way DEP is implemented, it only uses a device’s serial number to authenticate to the service prior to enrolment,” James Barclay, Senior R&D Engineer at Duo Labs, explained.

“Also, while Apple’s MDM protocol supports user authentication prior to MDM enrollment, it does not require it – meaning many organizations are currently protecting device enrollment with the serial number alone.”

Unfortunately, serial numbers of Apple devices are predictable and also often found online, and this info can be exploited to query the DEP APIs.

Apple was, of course, notified of the finding earlier this year, but has yet to act on it.

The researchers recommended that Apple add strong authentication of devices going through the DEP enrolment process, rate-limit requests to the DEP APIs and limit the information returned by the API endpoints. Not relying on serial numbers as a sole authentication factor has also been put forward as a solution.

Twitter squashes security bug leaking direct messages since 2017

The team at Twitter has discovered and corrected a security bug within one of their developer APIs that has been leaking sensitive information sent via direct messages to business accounts.

According to Twitter, the company recently discovered a bug within its Account Activity API — a programming interface that allows business developers to source information regarding other accounts in real-time. The API feature is regarded as a source of premium information access that allows businesses to connect with customers and monitor social streams.

If you direct messaged a business account between May 2017 and September 10, 2018, it is possible that your information was unintentionally routed to a registered developer. Instead of your private information being shared only with the intended recipient, the developer of the platform used by the business may have also received its contents. Businesses that users may have interacted with include accounts for customer support, airlines, banks, and more.

The team at Twitter stresses that the data breach was fixed within hours of being discovered, but that still means that the bug ran for sixteen months without being detected. The company has also noted that the software glitch affected less than 1 percent of people on Twitter, but with Twitter having sixty-eight million active users as of early 2018, that could mean that up to approximately 680,000 people were affected.

Twitter has begun reaching out via in-app communication and website notices to any users who may have been compromised by the incident. The company’s policies require developer partners to dispose of any information that they may have unintentionally received. As expected, Twitter is hoping that developers will do the right thing and delete any intercepted messages.

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

Security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks and schools around the globe.

The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.

Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its GitHub page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.

Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue, but the date was later pushed to September 18, when anyone with affected equipment can expect to see a new firmware version. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.

What makes matters worse with this vulnerability is that NUUO actually licenses its software to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world, and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.

Sprint security lapse gave access to Sprint staff portal

TechCrunch has confirmed that the provider was using two sets of easily-guessed logins that let a security researcher access a company portal with access to customer data.

Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher navigated to pages that could have allowed access to customer account data.

The researcher would only have needed an account holder’s phone number and a four-digit PIN to access their data, change plans or swap devices, and there was no limit on the number of PIN guesses.
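Both the Sprint portal above (a four-digit PIN with no limit on guesses) and the Duo DEP findings earlier on this page (a service authenticated by a predictable serial number, with rate limiting among the recommended fixes) come down to the same weakness: a low-entropy secret that the server will check as many times as the caller likes. The following is an added example (not Sprint’s or Apple’s code) of a toy PIN service with an unthrottled check beside a hardened one that counts failures per account and locks the account for a window; a brute-force loop shows how far each lets a guesser get. The account numbers, PINs and clock are constructed for the demo.

```python
"""Added example (not Sprint's or Apple's code): bounding guesses against a
low-entropy secret such as a 4-digit PIN.

The unthrottled check answers every guess, so the whole PIN space can be
walked; the hardened check gives each account a small attempt budget and a
lockout window.  Accounts, PINs and the clock below are constructed."""
import hmac
import time

PIN_SPACE = 10_000          # four decimal digits


class PinService:
    def __init__(self, pins, max_attempts=5, lockout_seconds=900, clock=time.time):
        self._pins = dict(pins)          # account -> PIN (constructed demo data)
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}              # account -> (count, first failure timestamp)
        self._locked_until = {}          # account -> timestamp the lock expires

    def _pin_matches(self, account, pin):
        expected = self._pins.get(account, "")
        return hmac.compare_digest(expected, pin)   # constant-time comparison

    def verify_unthrottled(self, account, pin):
        """Vulnerable: every guess is answered, so the PIN space can be exhausted."""
        return self._pin_matches(account, pin)

    def verify(self, account, pin):
        """Hardened: returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"                      # do not even evaluate the PIN
        if self._pin_matches(account, pin):
            self._failures.pop(account, None)   # success clears the counter
            return "ok"
        count, first = self._failures.get(account, (0, now))
        if now - first > self.lockout_seconds:  # stale window: start counting afresh
            count, first = 0, now
        count += 1
        self._failures[account] = (count, first)
        if count >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def brute_force(check, account):
    """Try every 4-digit PIN in order; return (recovered PIN or None, attempts made)."""
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        result = check(account, guess)
        if result is True or result == "ok":
            return guess, n + 1
        if result == "locked":
            return None, n + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    svc = PinService({"555-0100": "7319"})     # constructed account and PIN
    print("unthrottled:", brute_force(svc.verify_unthrottled, "555-0100"))
    print("hardened:   ", brute_force(svc.verify, "555-0100"))
```

The hardened path still refuses the correct PIN while the lock is in force, which is the point: once the budget is spent the account holder is asked to wait or to recover through a stronger channel, and the per-account counter is what a monitoring team would alert on.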

In a statement, Sprint confirmed that the expert used “legitimate credentials” to get in. It promptly changed the passwords and vowed to “research this issue” in a bid to avoid a repeat.

Android crypto-mining is infecting Amazon Fire TVs and Fire Sticks

Crypto-mining Android malware is infecting Amazon Fire TV and Fire Stick devices and causing them to go to Borksville.

If you’ve loaded any apps onto your Amazon Fire TV or Fire TV Stick that let you watch pirated movies and TV shows, you could be at risk from a cryptocurrency-mining Android virus.

AFTVnews reports that the virus — a malware worm variant dubbed ‘ADB.Miner’ — is installing itself on Amazon gadgets as an app called ‘Test’ under the package name ‘’. Once it’s infected a device, it eats up resources mining cryptocurrency — devices will become slow, video playback will stop abruptly and a notification saying “Test” with the green Android robot icon will appear randomly on screen.

The virus is not specifically targeting Fire TV devices, but they’re vulnerable because of their Android-based operating system.

The good news is that your Amazon Fire TV device is safe from the threat if you’ve never messed around with its developer settings. However, if you’ve allowed ADB debugging or apps from unknown sources, your device is at risk — switch both to off.

If you suspect you’ve already been infected, AFTVNews recommends that, first of all, you head into your gadget’s settings and ensure both aforementioned options are set to ‘off’.

The report also recommends that you perform a full factory reset of your Amazon device, but if you can’t bear the thought of starting from scratch, you can also download an app called ‘Total Commander’ from the Amazon app store that will allow you to uninstall the ADB.Miner malware.

Alternatively, you can install a modified version of the malware, which updates the virus to a version that turns off the miner — again, not ideal, but it appears to have fixed the issue for people who weren’t able to remove the malware entirely. This XDA post shows you how, but you should definitely only try this if you’re sure you know what you’re doing.

TeleGrab swipes Telegram cache and key files

Researchers have discovered malware that targets the end-to-end encrypted instant messaging service Telegram and seeks to collect its cache and key files.

Cisco Talos researchers Vitor Ventura and Azim Khodjibaev dubbed the malware Telegrab.

They analyzed two versions of it. The first one, discovered on April 4, 2018, only stole browser credentials, cookies, and all text files it could find on the system. The second one, spotted less than a week later, is also capable of collecting Telegram’s desktop cache and key files and login information for the Steam website.

The malware does not exploit any software flaw to steal the Telegram cache and key files. It can only target the desktop version of the popular messenger, because that client does not support Secret Chats and does not have the auto-logout feature active by default.

This means that the attacker can use those stolen files to access the victim’s Telegram session, contacts and previous chats.

Telegrab is distributed via a variety of downloaders, and it checks if the victim’s IP address is part of a list that includes Chinese and Russian IP addresses, along with those of anonymity services in other countries. If it is, it will exit.

It also doesn’t have a persistence mechanism, so it won’t work after a system reboot.

The stolen data and files are exfiltrated to one of five pCloud accounts. They are not encrypted, so technically anyone who has the credentials to those accounts, or gets their hands on them, can access this information.

“The malware samples analysed are not particularly sophisticated but they are efficient,” the researchers noted.

“Notably the Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow session hijacking and with it the victim’s contacts and previous chats are compromised.”