Repairs & Upgrades

December 4, 2019 »

Steam players – beware of fake skins as phishers try to hijack accounts

By Danny Bradbury

Phishing scammers have once again targeted users of the popular Steam gaming service, it was revealed this week.

The credential-stealing scam, first reported by security researcher ‘nullcookies’ on Twitter, offers new skins every day. A skin is a modification providing a new look and feel for items in Steam’s online games, and they are in hot demand. There are entire digital marketplaces dedicated to trading them.

The scammers post to a Steam user’s profile. A typical message reads:

Dear winner! Your SteamID is selected as winner of Weekly giveaway. Get your ? Karambit | Doppler on

A quick search reveals over a hundred Steam profiles displaying similar text.

The URL, which Cloudflare now flags as a suspected phishing scam, appears to be down. The screenshot posted on nullcookies’ Twitter account shows a site offering a $30,000 giveaway, featuring a selection of 26 loot boxes.

Bleeping Computer explains that the site asked for a user’s login credentials, promising that in exchange, the words STEAM RAIN would appear in a chat window on the left of the screen. Clicking on the link would score the victim one of the free skins on offer that day, said the scam site.

The chat window was, of course, a fake, as was the whole proposition. Victims who clicked on the link met a fake Steam login form that took their information for the crooks to use. That enabled them to perpetrate more fraud by using the victim’s account to post the same phishing link.


Facebook made to ‘correct’ user’s post as Singapore flexes fake-news muscle

By Lisa Vaas

Over the past week or so, Singapore has flexed its new fake-news muscle twice. The result: two “amended” Facebook posts.

Singapore passed the law in question – the Protection From Online Falsehoods And Manipulation (POFMA) Act – in May 2019, and it went into effect on 2 October.

POFMA outlaws “false statements of fact”, including statements that an individual knows to be false or misleading and which threaten Singapore’s security, public health, friendly relations with other countries, or elections; or statements that stoke divisions between groups or that lead people to lose faith in the government.

The penalty for not complying with a correction direction order is up to a year in prison for an individual, and/or a fine of up to SG $20,000 (USD $14,650, £11,284). For a business – say, an online media platform like Facebook – the fine can be up to SG $500,000 (USD $366,249, £281,811). The fines and/or prison sentences shoot up for people who run fake online accounts or who use bots to spread fakery.

POFMA is considered one of the most far-reaching anti-fake-news law in recent years, and it’s sparked imitation: Nigerian lawmakers have proposed a law that would jail people for lying on social media.

The first target: an opposition politician

Singapore first invoked the law last week, compelling an opposition politician to amend a 13 November post in which he blamed the government for its failing investment in a Turkish restaurant chain.

In the original post, British-born Brad Bowyer had accused the government of using “false and misleading statements” to smear reputations. Finance Minister Heng Swee Keat, under POFMA, asked Bowyer to retract implications that the Singaporean government had influenced investments made by two state investors that Bowyer had said had made bad financial moves.


Microsoft looks to Rust language to beat memory vulnerabilities

By John E Dunn

Microsoft is pressing ahead with an ambitious plan to de-fang common vulnerabilities hiding in old Windows code by using an implementation of the open-source Rust programming language.

The company’s been working on the research initiative, dubbed Project Verona, for some time, but a recently posted presentation from September’s Collaborators’ Workshop adds to the impression of its growing importance.

Traditionally, Windows software requiring fine control, such as device drivers, low-level OS functions such as storage and memory management, is written in C or C++.

But that control comes at the expense of mistakes that lead to insecure code, particularly memory issues which account for up to 70% of the vulnerabilities that Microsoft finds itself patching later.

Most of these were made in the past and are sitting in legacy code that would take a lot of resources to rewrite from scratch with no guarantee they wouldn’t suffer the same problems eventually.

Memory safe

Rust, by contrast, has built-in protections against common memory problems such as use after free, type confusion, heap and stack corruption, and uninitialized use, which can afflict the C and C++ languages that Windows is written in.

Microsoft has been busy rewriting unnamed software components in Rust to see whether the concept works despite the language’s limitations, and the fact it is still mentioning it suggests it has found some success.

Project Verona’s Rust alternative now has a “production quality” runtime, a prototype interpreter and type checker. This would be made available as an open-source tool within weeks, he said.


FBI: Russia-based FaceApp is a ‘potential counterintelligence threat’

By Lisa Vaas

Last summer, users geeked out, privacy lovers freaked out, and at least one lawmaker fretted about an aging/expression-tweaking/gender-swapping mobile app called FaceApp (no relation to Facebook) that hails from Russia.

We’re on it, the FBI said last week, saying that it views any app or product coming out of Russia as a “potential counterintelligence threat.”

In a 25 November letter responding to concerns raised by Senator Chuck Schumer, FBI assistant director Jill Tyson said that the agency is investigating FaceApp over its ties to Russia.

FaceApp lets you do things like, say, get a handle on what you’ll look like if you still want to go to Hogwarts when you’re 80.

The app also pulls what you can think of as a FaceGrab – i.e., what its license says is its “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license” to not just users’ manipulated likenesses, but also to their privacy, as in, username, location or profile photo.

In July 2019, Sen. Schumer had written to the director and chair of the Federal Trade Commission (FTC), calling on the FTC and FBI to look into the national security and privacy risks posed by the millions of Americans who were handing over full, irrevocable access to their personal photos and data to an app from a company – Wireless Lab – based in Russia.


December 3, 2019 »

SMS company exposes millions of text messages, credentials online

By Danny Bradbury

Researchers have found yet another massive database inadvertently exposed online, leaking millions of records.

This time, it was a database of SMS messages from enterprise texting services provider TrueDialog, and the people that found it claim that the exposure could have compromised tens of millions of people.

Researchers Noam Rotem and Ran Locarat at vpnMentor first found the database on Microsoft’s Azure cloud platform on 26 November 2019. It displayed what they described as a “massive amount of private data”, including tens of millions of SMS text messages. Also in public view were millions of account usernames and passwords, they said.

Founded in 2008, Texas-based TrueDialog provides SMS solutions for businesses, enabling them to send mass texts for marketing purposes, along with sector-specific applications such as student SMS notifications for the education industry.

According to a blog post on the vpnMentor website, the database contained 604 GB of data comprising nearly a billion entries. These included email addresses, usernames, passwords stored in plain text, and some other passwords using base64 encoding (which is a system used to preserve data integrity during transmission, rather than a password protection encryption mechanism).

Aside from the account logins, the researchers also found message content, the full names of recipients and TrueDialog account holders, and phone numbers. They added:

We also found in the database logs of internal system errors as well as many http requests and responses, which means that whoever found it could see the site’s traffic. This could by itself had exposed vulnerabilities [sic].

The leaky system logs could also have given competitors a look at TrueDialog’s backend systems and potentially a way to gain a competitive edge over the company, vpnMentor’s blog post suggested. It also warned that anyone who accessed the data could have taken over user accounts and engaged in corporate espionage by snooping on account holders’ SMS texts or even stealing leads generated by the SMS system.


Mixcloud user accounts up for sale on dark web

By John E Dunn

A hacker is ransoming account data stolen from UK-based music streaming service Mixcloud, according to news websites contacted by the attacker last week.

News of the breach first emerged on Vice, which received 1,000 sample accounts from a claimed total of 21 million that a hacker called ‘A_W_S’ seems to have nabbed on or around 13 November.

The data includes account holders’ email addresses, IP addresses, and password hashes, which Vice was able to verify as genuine. No financial data or mailing addresses are involved as the company says it doesn’t store these.

The sum reportedly demanded by the hacker is a surprisingly modest 0.5 bitcoins, equivalent to $3,700 at this week’s exchange.

This is a dark web auction so it’s possible this is simply a starting price against which the hacker wants Mixcloud to bid to have the data returned.

It’s also possible that the hacker doesn’t have as much data as claimed – for now, it’s impossible to know.

Mixcloud’s CTO and co-founder Mat Clayton told Vice he’d not been aware of the breach until told about it by journalists and that the company was “actively investigating” what had happened.

A subsequent announcement by Mixcloud confirmed the breach but offered reassurance regarding the strength of the password hashing used, reportedly SHA-256:

The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers.


IM RAT spy tool seller raided, busted, kicked offline

By Lisa Vaas

Imminent Methods – a marketplace where hackers could buy spyware for as little as $25 – has been taken down after an international investigation that’s led law enforcement to nine countries as they seek out the people who sell, buy and use its tool.

The UK’s National Crime Agency (NCA) said last week that 14,500 buyers picked up the tool, which is called the Imminent Monitor Remote Access Trojan (IM RAT).

Once a crook covertly slips the tool onto a targeted computer, IM RAT gives them full access, enabling them to turn off anti-virus software, steal data or passwords, record keystrokes, and eavesdrop on their victims via their webcams.

The Australian Federal Police (AFP) led the operation, with the North West Regional Organised Crime Unit (NWROCU) leading the UK investigation and the NCA supporting it. The action started a week ago, on 25 November, with 21 search warrants executed in the UK alone. The UK warrants – all of which were for suspected users of the RAT – led to nine arrests and seizure of what the NCA said was more than 100 pieces of evidence.

In total, worldwide, police executed 85 warrants arrested 14 people and seized more than 400 items.

On Friday, police took down the Imminent Methods site. Pulling the site down means that the RAT can’t be used by the crooks who bought it, the NCA said.

Phil Larratt, from the NCA’s National Cyber Crime Unit, said that the IM RAT was used by individual crooks and organized crime outfits to break the UK’s Computer Misuse Act in a number of ways: by fraud, theft and voyeurism.

Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data.

Detective Inspector Andy Milligan, from the NWROCU, said that this has been “a complex, challenging cyber investigation with international scope” that was supported by Europol and Eurojust, among other cybercrime fighters. There well may be plenty of similar tools for sale elsewhere, but at least this one – what sounds like a cyberstalker/cyberburglar’s dream – is hopefully out of the running for good.


Ad fraud: Fake local news sites are rolling in the dough

By Lisa Vaas

Amazing – local media outlets are giving off death rattles if they’re not already dead and buried, but a newly launched “news” site for the teensy Texas town of Laredo has seen its traffic shoot through the roof: from 200K page views in August 2019 to 3.7m visits a mere three months later.

What’s the secret sauce for, created in June 2019?

According to Social Puncher, a firm that’s analyzed what it concludes is a series of sham news sites, the Laredo Tribune site is running on the fumes of pure ad fraud.

The fakery is funded by advertisers who are unwittingly paying fraudsters who pump up the page views on small “news” sites to eye-watering levels. They’re doing so by buying fake traffic from bots: evidenced by anomalies such as nearly all the traffic coming from mobile devices. That’s atypical, unless a site is specifically targeted at a mobile audience.

Other red flags include the fact that the average number of pages visited and the time that the “users” spent on the site were sky-high, particularly for mobile users, and that most visits came from outside the site’s target geography.

Social Puncher’s Vlad Shevtsov, director of investigations, estimates that each of these fake news sites – which have astonishingly high traffic rates but mysteriously blink out of existence after only a short time – makes at least $100,000 (£77,450) a month.

But real news costs money to make. Writing it requires humans. Why go to all that trouble, when you can just rip off evergreen articles that are years old and post them to sites with gazillions of pages that aren’t even shown to real, live humans? From the first in a series of reports titled The fake traffic schemes that are still rotting the Internet:

The annual losses from ad fraud are estimated at billions, and even tens of billions of dollars. There are thousands, and even tens of thousands of fake sites that just simulate real media to deceive advertisers. But almost no one wonders what such sites should look like.


December 2, 2019 »

Fake Android apps uploaded to Play store by notorious Sandworm hackers

By John E Dunn

The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.

They were detected by Google Threat Analysis Group (TAG), making the attacks public during a presentation at the recent CyberwarCon conference.

In a blog on the topic this week, Google says the first attack connected to the group happened in South Korea in December 2017 when the group used bogus developer accounts to upload eight different apps to the Play Store.

On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.

That came after an attack in September 2017, when TAG detected that Sandworm hackers had uploaded a fake version of the email app, downloaded by 1,000 users before it was stopped.

In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favorite locations, Ukraine.

However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.

There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.


Uncle Sam opens arms to friendly hackers

By Danny Bradbury

All you bug hunters out there are about to get a nice Christmas gift – the US federal government finally wants to hear from you. Unhelpful websites and cybersecurity departments will soon be a thing of the past, thanks to a new missive from the Cybersecurity and Infrastructure Agency (CIRA).

The Agency, which is part of the Department of Homeland Security, issued a surprising tweet on 27 November announcing that it would force federal agencies to be welcoming and responsive to cybersecurity bug reports from the general public.

Binding Operational Directive 20-01 would finally give ‘helpful hackers’ a sense of legitimacy when reporting bugs to federal government agencies in the US, solving some problems that CIRA admits to pretty freely in the document. It says:

Choosing to disclose a vulnerability can be an exercise in frustration for the reporter when an agency has not defined a vulnerability disclosure policy – the effect being that those who would help ensure the public’s safety are turned away.

The directive acknowledges that researchers often don’t know how to report a bug when agencies don’t include an authorized disclosure channel in the form of a webpage or email address. They shouldn’t have to search out security employees’ personal contact information, it points out.

Communication after a bug report is just as important, CIRA says. An inadequate response to a bug report, or no response at all, may prompt a researcher to report the bug elsewhere outside the agency’s control.


Convicted murderer wins ‘right to be forgotten’ case

By Danny Bradbury

Google must remove a convicted murderer from online search results in Europe following a German court ruling, it emerged last week.

A man convicted of murdering two people on a yacht in 1982 and released in 2002 took the case to the constitutional court in Karlsruhe in a bid to distance his family name from his crime, reports said.

The man shot and killed his two victims and injured another in an argument aboard a ship, the Apollonia, while sailing in the Caribbean. He got out of jail in 2002. In 1999, German publication Der Spiegel uploaded three reports mentioning his name to its website.

After learning of the articles in 2009, the man requested their removal, claiming that they violated his rights. A court dismissed the case three years later but he appealed the decision.

Right to be forgotten

The right to be forgotten (RTBF) refers to a person’s wish to remove information about their past activities from the online record, including from search engines that can amplify that information. While article 17 of the GDPR explicitly outlines the right, it’s a concept that predates the Regulation. The European Commission discusses internet protection for individuals in the Data Protection Directive, which GDPR superseded. Courts have forced Google to delete search results under that directive in the past.

In 2014, the European Court of Justice upheld a Spanish court ruling instructing the company to remove links to newspaper articles about Costeja Gonzalez. Gonzalez was involved in insolvency proceedings relating to Social Security debts in the late 1990s. That led the search giant to launch a RTBF registration form the same year.


TikTok owner to separate company over US national security worries

By John E Dunn

Chinese-owned teen video-sharing app TikTok might be under fire from US politicians but it’s not going to go down without a fight.

In the latest twist in a difficult year for TikTok, a Reuters report claims its Beijing-based parent company ByteDance has hatched a plan to firewall itself from the US division of the app in the hope of mollifying an investigation by the US Committee on Foreign Investment in the United States (CFIUS).

Suspected by some influential US politicians of being a national security risk, a negative CFIUS report could spell big trouble for ByteDance.

Reading between the lines, it appears the company’s plan is to guarantee that the data held on US citizens will be stored inside the US, rather than moved to China as it may, in theory, have been before.

Will this be enough? ByteDance perhaps shouldn’t get its hopes up.

Trouble started when it bought music-sharing app in 2017, combining it with a Chinese app called Douyin under a new brand, TikTok. The app has been downloaded up to 110 million times in the US alone and has a worldwide user base several times that number.

Suspicions revolve around issues of data on US citizens being held by a Chinese company, and that company having to comply with US government requests around the safeguarding and storage of that data. As well as potentially being able to censor content that appears on the site, there’s an implicit danger of Chinese authorities being able to carry out direct surveillance on US users if they wanted to.


Netflix account freeze – don’t click, it’s a scam!

By Paul Ducklin

Another Netflix phishing scam!

We’ve written about these scams before, and we’ll probably write about them again…

…for the sadly simple reason that THEY WORK.

They work because scammers know that the less inventive, they are, the more believable their messages become.

It’s also a lot less effort to copy genuine content and adapt it just a little than to try to create your own material from scratch.

That’s what Naked Security Editor-in-Chief, Anna Brading, thought when she received this scam yesterday:

This is a notice to remind you that you have an invoice due on, 27/11/2019. We tried to bill you automatically but you local bank being held a transaction.

Sadly, for the crooks, and fortunately for anyone who received this scam, the tiny bit of text that the criminals decided to write by themselves contains several rather jarring errors.

For the most part, however, this email is disarmingly simple, and therefore surprisingly believable, for all that it’s given away by typos, grammatical mistakes and orthographic errors.

It’s not overly dramatic, it’s not threatening, and it’s polite.

It’s the sort of thing that might easily happen from time to time – a recurring credit card transaction that’s temporarily failed – and that in real life is usually pretty easy to sort out.

Indeed, it’s the sort of glitch you’ve probably dealt with once or twice before, and that you may well have resolved entirely online without even leaving your browser.


US tightens rules on drone use in policy update

By John E Dunn

When it comes to the issue of managing drones (Unmanned Aircraft Systems, or UAS) the US Department of Justice wants Americans to know it’s on the case.

In 2015, the DOJ published what was meant to be a comprehensive policy governing how US Government departments and law enforcement use drones to take account issues such as privacy, law and the Constitution.

Four years on and things have moved on a bit, prompting tweaks addressing more recent concerns, including misuse, access to airspace, and the cybersecurity of the drones themselves.

Large parts of the 2015 policy and its 2019 update sound almost identical. On privacy, both policies limit departments gathering drone data that contains personally identifiable information (PII) to 180 days unless there’s a specific reason to keep it longer.

In other words, it’s much the same mix of privacy rules, limits, and exceptions applied to all areas of technology which give officials just enough wiggle room to gather and retain data in defined circumstances.


That said, a few of the 2019 policies could turn out to be significant, the most important relating to the cybersecurity design of the drones themselves.

It’s a complex new front that won’t be any easier to manage with drones than it is in other areas of computing. For instance, the section on drone procurement states:

The procurement of IT must comply with applicable laws, policies, and regulations, including those administered by the Office of the Chief Information Officer. The Department ensures appropriate security and privacy protections for data and IT through the risk-based Department Cybersecurity Program and effective IT management.

Which is a way of saying that before buying them departments must do the same cybersecurity assessment on drones that they would on other IT equipment.


November 27, 2019 »

Facebook, Twitter profiles slurped by mobile apps using malicious SDKs

By Lisa Vaas

On Monday, Twitter and Facebook both claimed that bad apples in the app stores had been slurping hundreds of users’ profile data without permission.

After getting tipped off by security researchers, the platforms blamed a “malicious” pair of software development kits (SDKs) – from marketing outfits One Audience and MobiBurn – used by the third-party iOS and Android apps to display ads. Neither Twitter nor Facebook have named names of the data-sucking apps, nor how many bad apps they’ve found.

Twitter said that this wasn’t enabled by any bug on its platform. Rather, after getting a heads-up from security researchers, its own security team found that the malicious SDK from One Audience could potentially slip into the “mobile ecosystem” to exploit a vulnerability.

That vulnerability – which is to do with a lack of isolation between SDKs within an app –  could enable the malicious SDK to slurp personal information, including email, username, and last tweet. Twitter hasn’t found any evidence that any accounts got hijacked due to the malicious SDKs, mind you, but that’s what the vulnerability could have led to.

While Twitter hasn’t found any account takeovers, it’s found evidence of slurping. The unauthorized data grab was just done to Android user profiles, via unspecified Android apps:

We have evidence that this SDK was used to access people’s personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.

Facebook, however, said in a statement that it was suffering at the hands of both those bad SDKs, both of which it’s told to cease and desist:

Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.

Facebook plans to notify the people whose personal data – including name, email and gender – was likely swiped after they gave permission for apps to access their profile information. Twitter says it’s informed Google and Apple about the malicious SDK, so they can take further action if needed, as well as other industry partners.


Splunk customers should update now to dodge Y2K-style bug

By John E Dunn

If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention.

According to this week’s advisory, from 1 January 2020 (00:00 UTC) unpatched instances of Splunk will be unable to extract and recognize timestamps submitted to it in a two-digit date format.

In effect, it will understand the ‘year’ up to 31 December 2019, but as soon as this rolls over to 1 January 2020, it will mark it as invalid, either defaulting back to a 2019 date or adding its own incorrect “misinterpreted date”.

In addition, beginning on 13 September 2020 at 12:26:39 PM UTC, unpatched Splunk instances will no longer be able to recognize timestamps for events with dates based on Unix time (which began at 00:00 UTC on 1 January 1970).

Left unpatched, the effect on customers could be far-reaching.

What platforms like Splunk do is one of the internet’s best-kept secrets – turning screeds of machine-generated log data (from applications, websites, sensors, Internet of Things devices, etc.) into something humans can make sense of.

There was probably a time when sysadmins could do this job but there are now so many devices spewing so much data that automated systems have become a must.

This big data must also be stored somewhere, hence the arrival of cloud platforms designed to do the whole job, including generating alerts when something’s going awry or simply to analyze how well everything’s humming along.


EU raises eyebrows at possible US encryption ban

By Danny Bradbury

The growing battle over end-to-end encryption took another turn last week, when EU officials warned that they may not take kindly to a US encryption ban or insertion of crypto backdoor technology.

In June 2019, senior US government officials met to discuss whether they could legislate tech companies into not using unbreakable encryption. According to Politico, the National Security Council pondered whether to ask Congress to outlaw end-to-end encryption, which is a technology used by companies to keep your data safe and secure.

To recap briefly, US law enforcement worries about its targets such as criminals and terrorists “going dark” by using this technology to shield their communications. Banning it outright would make it easier for government agencies to access those messages and documents. Encryption advocates counter that making encryption breakable would also allow malicious actors such as foreign governments to steal domestic secrets and they also worry about unlawful access to information by their own governments.

US officials didn’t reach a decision on the issue, but news of the conversation spooked MEP Moritz Körner enough to ask the European Commission some formal questions picked up by Glyn Moody over at Techdirt. Körner asked whether the Commission would consider a similar ban on encryption in the EU. He also asked what a US ban would mean for existing data exchange agreements between the EU and the US:

Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?

Currently, the two regions enjoy an agreement known as the EU-US Privacy Shield, which they introduced after the European Court of Justice invalidated a previous agreement called the International Safe Harbor Privacy Principles.

The Privacy Shield is a voluntary certification scheme for US businesses. By certifying under the scheme, US companies prove their adequacy to transfer and process data on EU citizens. It shows that they have made some effort to follow Europe’s strict privacy principles in the absence of any cohesive federal privacy law in the US.


Police arrest alleged Chuckling Squad member who hijacked @Jack Dorsey

By Lisa Vaas

Police have arrested an alleged member of The Chuckling Squad: the hacking group behind the recent SIM-swap and hijacking of Twitter founder and CEO Jack Dorsey’s @Jack account.

Joseph Cox, writing for Motherboard, reported on Saturday that a Chuckling Squad leader – who goes by the handle Debug – told them that the individual was arrested about two weeks prior. Motherboard withheld their name, because they’re a minor.

Debug told Motherboard that the minor – whom they identified as a “he” – was a SIM-swapping aficionado whom the group kicked out in October:

He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them.

The arrest was confirmed by the Santa Clara County District Attorney’s Office in California, which manages the Regional Enforcement Allied Computer Team (REACT) and which emailed this statement to Motherboard:

We applaud the efforts of all the law enforcement agencies involved in this arrest. REACT continues to work with and assist our law enforcement partners in any way we can. We hope this arrest serves as a reminder to the public that people who engage in these crimes will be caught, arrested and prosecuted.

Dorsey’s high-profile, high-value account – he’s got more than 4 million followers – was taken over in late August 2019 by hackers who used their brief access to go on a joyride to Nasty Town, tweeting out a racist/anti-Semitic/bomb-hoaxing exhaust cloud.

A week later, Twitter temporarily yanked the ability to tweet via SMS – one of the possible ways that Dorsey’s account got taken over.

In a successful SIM-swap attack, hackers persuade a mobile phone provider to transfer a victim’s phone number to the hacker’s SIM card, giving the hacker access to the victim’s calls and messages.

At the time, Twitter said that it was suspending the ability to tweet via text due to vulnerabilities that mobile carriers need to address, and due to its reliance on having a linked phone number for two-factor authentication (2FA) – something it said it’s working to improve.


Firefox gets tough on tracking tricks that sneakily sap your privacy

By Paul Ducklin

We just did an informal survey around the office – we asked 10 people in various departments, technical and non-technical, to say the first thing that came into their head when we said, “Browser tracking.

(No one heard anyone else’s answer, in case you’re wondering how independent each reply might have been.)

All 10 said, “Cookies.

That’s not surprising, because many websites these days pop up a warning to say they make use of cookies for tracking you across visits – the theory seems to be that you can’t then later complain you didn’t know.

Cookies, therefore, are a well-documented part of online tracking, and the phrase “web cookie” can be considered everyday terminology now, rather than jargon – we encounter it all the time and have become used to it.

Indeed, some sites openly and visibly allow you to choose to accept or reject their cookies…

…although there’s an amusing irony that the most reliable way for a website to remember that you don’t want cookies set is to set a cookie to tell it not to set any more cookies.


November 26, 2019 »

Sir Tim Berners-Lee publishes plan to save the web from ‘digital dystopia’

By John E Dunn

Web inventor Sir Tim Berners-Lee is so worried his 30-year-old creation is turning into a “digital dystopia” that he’s proposed a Contract for the Web to rescue it from a headlong plunge into a moral abyss.

It’s not an original worry – Berners-Lee has publicly fretted about the web’s direction many times in recent years – and it’s not hard to understand where his pessimism comes from.

Governments enact laws mandating forms of mass surveillance and information control, while big internet companies and data brokers vacuum up as much data as they can for ever-more intrusive ad targeting.

Meanwhile, political parties invest in manipulative advertising, on top of the shadowy forces pushing ever more outlandish conspiracy theories and deepfakes that embed fiction as fact with bad consequences for democracy.

That’s before examining the toll of scams, malware campaigns, data breaches, and websites selling illegal and disturbing material in ways the established rule of law struggles to contain.

Worst of all, nobody seems to care. The web started as a promising, anarchic force but nobody said people with bad intentions couldn’t and wouldn’t turn it into a disturbing free-for-all.

Said Berners-Lee to The Guardian:

I think people’s fear of bad things happening on the internet is becoming, justifiably, greater and greater. If we leave the web as it is, there’s a very large number of things that will go wrong. It’s not that we need a 10-year plan for the web, we need to turn the web around now.


National Veterinary Associates catches dose of ransomware

By Danny Bradbury

Ransomware attacks don’t discriminate. They are just as happy targeting those with four legs as those with two.

Anonymous sources told cybersecurity reporter Brian Krebs this week that National Veterinary Associates (NVA) has fallen victim to a ransomware attack that has affected hundreds of hospitals.

NVA describes itself as one of the largest veterinary pet care services organisations in the world. It partners with over 700 general practice veterinary hospitals, spanning general practice clinics, equine hospitals, and pet resorts in a network spanning the US, Canada, Australia, and New Zealand. Founded in 1996 by Dr. Stan Creighton, it began by buying hospitals from retiring veterinarians. It now has 2,600 veterinarians in its network.

Ryuk ransomware

NVA didn’t respond to our requests for comment, but reports said that the company discovered a ransomware attack on Sunday 27 October. The culprit was apparently Ryuk, an especially pernicious form of ransomware first detected by researchers in August 2018.

According to sources quoted by Krebs, the ransomware hit nearly 400 hospitals in the company’s 700-strong network. The infection wasn’t ubiquitous because hospitals have some autonomy in how they run their IT networks, but some were left struggling to provide care after they lost access to their patient information management systems, reports said.

A source also told Krebs that this wasn’t the first Ryuk infection than the company has endured. The company had discussed the first attack more openly, the source said.


Court says suspect can’t be forced to reveal 64-character password

By Lisa Vaas

The dry facts: A US court has come down in favor of Fifth Amendment protections against forced disclosure of a 64-character passcode in a child abuse imagery case = an important interpretation of whether forced password disclosure is the modern equivalent of an unconstitutionally coerced confession.

The gut punch: The defendant is a man previously convicted over distribution and possession of child abuse imagery who, on the ride over to his arraignment, openly chatted with cops about how much he likes watching sexual videos featuring 10- to 13-year-old victims.

The ruling, handed down last Wednesday, quoted appellant Joseph J. Davis’s response when asked for his passcode:

It’s 64 characters and why would I give that to you? We both know what’s on there. It’s only going to hurt me. No f*cking way I’m going to give it to you.

Agents from the Office of the Attorney General (OAG) were investigating a child abuse imagery ring that led them to Davis’s apartment twice: once in 2014, and again in 2015. They said that his computer had repeatedly used a peer-to-peer file-sharing network, eMule, to share the imagery, which OAG agents received and confirmed to be illegal.

Davis was charged with two counts relating to disseminating child abuse imagery and one relating to criminal use of a communication facility. In 2015, prosecutors filed a pre-trial motion to compel Davis to give up that 64-character key to his encrypted computer. Davis responded by invoking his Fifth Amendment right against self-incrimination.

A lower court focused on whether the encryption was testimonial in nature, and, thus, protected by the Fifth Amendment – as in, would handing over his password be the same as revealing the contents of his mind?


Parents say creep hacked their baby monitor to tell toddler they ‘love’ her

By Lisa Vaas

Another mouthbreather with nothing better to do than hack a baby monitor and broadcast their “love” for a 3-year-old has apparently struck again.

This time, it happened to a family in Seattle.

According to local broadcaster King 5, a couple who asked to be identified only as Jo and John said that their daughter, Jaden, was spied on by a stranger who spoke to the tot via a babycam last week. The King 5 segment is also available on Insider.

What Jaden’s mom, Jo, told King 5:

We were both downstairs working in our office here, and our daughter called out. She’s saying, ‘Mommy, mommy.’ She said, ‘The voice is talking to me.’

After Jo went upstairs to check, here’s what she heard:

I said, ‘What’s going on?’ And she said the man said, ‘Jaden, I love you.’ And I said, ‘What!’

Neither parent heard the voice of the hacker first-hand. At first, they thought nothing of it. But then, the couple said, John’s mother heard a stranger’s voice coming from upstairs last week. Meanwhile, Jaden’s story has stayed consistent: yes, the voice comes from the camera, no, not from a nearby stuffed animal.

Jo and John also noticed that the camera had been mysteriously resetting itself, moving its focus from its typical angle of looking down into Jaden’s crib, to instead peer up, into the room, without their input.


November 25, 2019 »

OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud

By Lisa Vaas

A Florida lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that started in Bulgaria but spread like a money-sucking fungus around the world.

Mark Scott, 51, a former equity partner at the law firm Locke Lord LLP, was convicted in Manhattan Federal Court on Thursday for laundering about $400 million from the massive international OneCoin fraud.

It’s not just an alleged mega-fraud; it’s also led to mega-busts, and its founder – The Missing Cryptoqueen, who talked millions of people into her scheme – has blinked out of sight. Bulgarian Ruja Ignatova was last spotted around October 2017: around the time that the US filed a secret warrant for her arrest. Her brother, Konstantin Ignatov, took over the reins, was arrested at Los Angeles International Airport in March 2019, signed a plea deal, and is facing up to 90 years in jail (though maximum sentences are rarely handed out).

Pop some corn and pull up a chair: you can tune in to the true crime saga from the BBC here as reporter Jamie Bartlett presents “a story of greed, deceit and herd madness.”

As far as the other OneCoin shysters go, most of them have been arrested or, like Ignatova, disappeared. A slew of OneCoin reps were pitching their scam – what they called “the next Bitcoin” – in a Mumbai exurb in April 2017 when financial cops busted in, raided the meeting, and jailed 18 of them, ultimately seizing more than $2 million in investor funds. As The Atlantic tells it, they’d already moved at least $350m in allegedly scammed funds through a German payment processor.


Ad-blocking companies block ‘unblockable’ tracker

By Danny Bradbury

Ad-blocking companies have figured out a way to block the unblockable – a pernicious tracker technique that hides advertising networks from your browser in plain sight.

Whenever your browser visits a website supporting third-party advertisers, the site shows it tracking pixels or IFRAME tags that cause it to make extra requests. These requests go to ad companies that use various techniques to identify your browser and track it across multiple sites.

Ad-blocking companies are in a constant battle with the advertisers to block these trackers.

The latest weapon in this fight exploits a long-established web concept called a CNAME record. CNAME stands for Canonical Name. It’s an alias that the owner of a domain (say, can use to describe a subdomain (like You could set the CNAME for to resolve to an entirely different domain, like When your browser reaches out to, it’ll send a query to the name server, which will look up the second domain instead.

That’s a problem for people that don’t want advertisers to track them. Ad-blocking software tends to trust cookies sent by the same domain that you’re visiting. If sends you a cookie, it could contain session information that helps the site remember who you are. Blocking it would break the site’s functionality.

So, companies that use CNAMEs to hide third-party trackers behind their own domains can fool ad blockers into waving through cookies from their advertising friends.


Russia to ban sale of devices that don’t come with “Russian software”

By John E Dunn

The Russian Government’s campaign to control how its citizens use the internet seems to be gathering steam.

Earlier this month, the country passed a controversial new ‘sovereign internet’ law that requires the country’s ISPs to set up deep packet inspection of all internet traffic and ready themselves for the imposition of a separate Domain Name System (DNS) under Government control.

Last week the country’s Parliament passed what might turn out to be an even more significant order – from July 2020 all computing devices sold in Russia will be required to come pre-loaded with what is loosely described as “Russian software”.

According to the BBC, bill co-author and MP Oleg Nikolaev explained that:

[People] might think that there are no domestic alternatives available. And if, alongside pre-installed applications, we will also offer the Russian ones to users, then they will have a right to choose.

…and it will also “provide domestic companies with legal mechanisms to promote their programs for Russian users”, according to a translation of the press release.

The law covers all devices including mobiles, desktop and laptop computers and smart TVs which today ship with Russian language versions of the same apps used elsewhere in the world.

According to sources, in future these applications will be joined by mysterious new Russian Government-approved applications. These will probably include a browser, a search engine, a messaging app, and possibly others which have yet to be specified.


Hacker gets 4 years in jail for NeverQuest banking malware

By Lisa Vaas

A Russian hacker has been sentenced to four years in US prison for using the NeverQuest banking Trojan to infect the computers of unwitting victims, steal their login information for online banking accounts, and use it to wipe out their accounts.

The US Attorney’s Office for the Southern District of New York announced the sentencing of Stanislav Vitaliyevich Lisov on Thursday.

According to the Justice Department (DOJ), NeverQuest has been used by cybermuggers to try to weasel millions of dollars out of victims’ bank accounts.

Nasty and complex

It’s a nasty piece of work. Researchers have determined that NeverQuest’s origins lie in an evolving threat family called Vawtrack, also known as Snifula, Catch or Grabnew.

Once NeverQuest slips onto a victim’s computer, it wakes up when the system logs onto an online banking website. Then, it transfers the victim’s login credentials, including their username and password, back to a command and control server. That lets the malware’s administrators remotely control a victim’s computer and log into their financial accounts, transfer money to accounts that the crook’s control, change the login credentials, write online checks, and purchase goodies from online vendors at their victims’ expense.


Iran’s APT33 sharpens focus on industrial control systems

By Danny Bradbury

Iran’s elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country’s APT33 cyberattack unit is evolving from simply scrubbing data on its victims’ networks and now wants to take over its targets’ physical infrastructure by manipulating industrial control systems (ICS), say reports.

APT33, also known by the names Holmium, Refined Kitten, or Elfin, has focused heavily on destroying its victims’ data in the past. Now though, the group has changed tack according to Ned Moran, principal program manager at Microsoft, who spoke at the CYBERWARCON conference in Arlington, Virginia on Thursday. Moran, who is also a fellow with the University of Toronto’s Citizen Lab focusing on security and information technologies, focuses on identifying and disrupting state-sponsored attackers in the Middle East.

The APT33 group is closely associated with Shamoon malware that wipes data from its targets’ systems. Experts have also warned of other tools in the group’s arsenal, including a data destruction tool called StoneDrill and a piece of backdoor software called TURNEDUP.

Moran said that APT33 used to use ‘password spraying’ attacks, in which it would try a few common passwords on accounts across lots of organizations. More recently, though, it has refined its efforts, ‘sharpening the spear’ by attacking ten times as many accounts per organization while shrinking the number of organization’s it targets. It has also focused heavily on ICS manufacturers, suppliers and maintainers, Moran said.


November 21, 2019 »

DNS-over-HTTPS is coming to Windows 10

By John E Dunn

For fans of DNS-over-HTTPS (DoH) privacy, it must feel like a dam of resistance is starting to break.

Mozilla Firefox and Cloudflare were the earliest adopters of this controversial new way to make DNS queries private by encrypting them, followed not long after by the weight of Google, which embedded DoH into Chrome as a non-default setting.

This week an even bigger name joined the party – Windows 10 – which Microsoft has announced will integrate the ability to use DoH, and eventually also its close cousin DNS-over-TLS (DoT), into its networking client.

It looks like game over for the opponents of DoH, predominantly ISPs which have expressed a nest of worries – some rather self-serving (we can’t monetise DNS traffic we can’t see) and others which perhaps deserve a hearing (how do we filter out bad domains?).

Things got so hyperbolic that last summer the UK ISP Association (ISPA) even shortlisted Mozilla for an “Internet Villain” award to punish its enthusiasm for DoH before backing down after a public backlash.

Earlier this month, Mozilla retaliated, accusing ISPs of misrepresenting the technical arguments around encrypted DNS.


Official Monero site delivers malicious cash-grabbing wallet

By Lisa Vaas

On 18 November, somebody swapped out the legitimate command line wallet binaries for the Monero (XMR) cryptocurrency and replaced them with software that stole users’ funds.

The malicious versions of the Linux and Windows binaries were first spotted by a user on Monday who noticed that the software failed an integrity check.

Like a lot of software vendors, The Monero Project publishes SHA-256 hashes of its software. Users can check their software download by running it through a SHA-256 hashing function to see if it matches the published hash.

In this case, it didn’t.

The Monero team confirmed the swap on Tuesday, assuring users that the malicious wallet binaries were up for only a short time – 35 minutes, to be precise.

The malware-impregnated binaries were immediately dealt with, according to binaryFate – a member of the XMR core team who said on Tuesday that the binaries were now being served from a new, safe, “fallback” source.

A half hour was long enough to lead to at least one wallet getting drained, however: one user claimed on Reddit that 9 hours after they ran the binary, a single transaction scooped $7,000 worth of coins out of their wallet.


Tories change Twitter name to ‘factcheckUK’ during live TV debate

By Lisa Vaas

The Tories changed their verified Twitter press account’s display name to read “factcheckUK” for Tuesday’s live TV general-election debate between Boris Johnson and Jeremy Corbyn, switched it back right after, and triggered much gleeful parodying of the attempt to pull on the mask of nonpartisan fact-checkers.

Hey, if the UK’s Conservative Party gets to do that with its @CCHQPress account, then “@BorisJohnson_MP” (a parody account) evidently feels that they get to rename their account “CCHQ Press” and issue this apology on the party’s behalf:

We apologize for any misunderstanding caused by the changes to our account last night. It was an honest attempt to……

CCHQ Press (@BorisJohnson_MP) November 20, 2019

Twitter has officially tsk-tsk’ed the Tories, telling the BBC that it plans to take “decisive corrective action” if they pull that stunt again … though it apparently didn’t do anything at all in response to this particular incident.

A Twitter spokesperson:

Twitter is committed to facilitating healthy debate throughout the UK general election.

We have global rules in place that prohibit behavior that can mislead people, including those with verified accounts. Any further attempts to mislead people by editing verified profile information – in a manner seen during the UK Election Debate – will result in decisive corrective action.

Twitter told the BBC that according to its terms of service, it can remove an account’s “verified” status if the account owner is “intentionally misleading people on Twitter by changing one’s display name or bio”.


Android camera bug could have turned phones against their users

By Danny Bradbury

Android users beware: rogue apps could be using your phone’s camera against you, taking pictures and videos without your knowledge and sending them to attackers. They could even record your phone calls and make others aware of your location.

News of the vulnerability, which affects the Android camera app used by millions of Google Pixel and Samsung Android users, comes courtesy of application security testing company Checkmarx which has been working with Google and Samsung to fix it. The company’s researchers figured out a way to hijack the camera on Android phones using a permission bypass vulnerability.

Aware that access to camera functions is highly sensitive, Google created a special set of permissions that the user would have to grant to an application before it could use the phone’s camera. These permissions are:

  • android.permission.CAMERA
  • android.permission.RECORD_AUDIO
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_COARSE_LOCATION

The vulnerability that Checkmarx discovered enables apps to bypass the need for those permissions as long as they have storage permissions that enable an application to access the SD card. In a report on the vulnerability, the company explained:

An application that has access to storage not only has access to past photos and videos (which it already had, by permission design, nothing new there), but also has a way to access newly taken photos and videos by abusing the Google Camera app exported components.

This means an app with SD card permissions gets access to the user’s phone, which enables an attacker to turn the camera into a remotely-controlled sensor:

By manipulating the specific actions and intents, an attacker can now control the Google Camera app to take photos and/or record videos through a rogue application that has no permissions to do so.

Certain conditions on the phone could enable them to harvest more data still, the report continued. If the phone’s location data settings embedded location information in the photos’ EXIF metadata, they could access that data and find out where the photos were taken (and therefore where the user has been).


November 20, 2019 »

Update WhatsApp now: MP4 video bug exposes your messages

By Lisa Vaas

WhatsApp’s pitch: Simple. Secure. Reliable messaging.

Needed marketing addendum: Hole. Update. Now. Evil. MP4s.

Facebook on Thursday posted a security advisory about a seriously risky buffer overflow vulnerability in WhatsApp, CVE-2019-11931, that could be triggered by a nastily crafted MP4 video.

It’s rated as a high-risk vulnerability – 7.8 – on the CVE scale. Understandably so: if left unpatched, it can lead to remote code execution (RCE), which can then enable attackers to access users’ files and messages. The security hole also leaves devices vulnerable to Denial of Service (DoS) attack.

Facebook said that this one affects WhatsApp versions for iOS, Android and Windows phones. The problem isn’t just on the regular WhatsApp; it’s also found on WhatsApp for Business and WhatsApp for Enterprise.

That’s an enormous number of users: With over 1.5 billion monthly active users, WhatsApp is the most popular mobile messenger app worldwide, according to Statista.


Instagram stalker app Ghosty yanked from Play store

By Lisa Vaas

Ever wanted to view hidden profiles on Instagram? To stalk users who’ve chosen to make their profiles private?

Up until Tuesday morning, you could do that by using a stalker service called Ghosty. Here’s what the app developer promised on versions available on Google Play and Apple’s App Store:

Ghosty – View Hidden Instagram Profile. You can view all the profiles you want to view including hidden profiles on Instagram. You can download or share photos or videos from your Instagram profiles to your gallery. In addition, you will soon be able to access many new features related to your Instagram account.

“Soon” won’t come for the app, the logo for which was the profile of snooper extraordinaire Sherlock Holmes. Ghosty was removed from Google’s Play store after Android Police found the service creating what the publication called a “stalker paradise.” Nor could I find it on Apple’s store.

In that stalker paradise/privacy dystopia, anyone could view the many private profiles Ghosty amassed by signing up users who handed over their own accounts’ data – including whatever private accounts those users follow.

As Android Police tells it, this was the deal you had to make with the devil: in order to view whatever private accounts Ghosty had managed to crowd-source, you handed over your Instagram login credentials. You also had to invite at least one other person to Ghosty in order to view private profiles. Thus, did Ghosty keep expanding the pool of content it could show its users: if any of those users followed a private account, that profile got added to the content Ghosty would make available.

Android Police noted that when it looked into the app, the media outlet managed to skip past that invitation step and was still able to view at least one private profile.

Not only was the service brazenly exploiting users’ desires to get at private accounts; it was also charging them for bundles or flinging ads at them.

Ghosty isn’t new; it appeared on the Play Store in April 2019. It had been downloaded over half a million times as of 13 November.

That’s a long time for an app to be amassing content while breaking Instagram’s rules. The relevant terms of service clause that forbids what Ghosty was up to:

You can’t attempt to buy, sell, or transfer any aspect of your account (including your username) or solicit, collect, or use login credentials or badges of other users.

As Android Police points out, during the half year that Ghosty was operating, neither Facebook (Instagram’s owners) nor Google apparently did anything about it – at least, not until now.


XSS security hole in Gmail’s dynamic email

By John E Dunn

Did Android users celebrate loudly when Google announced support for Accelerated Mobile Pages for Email (AMP4Email) in its globally popular Gmail service in 2018?

Highly unlikely. Few will even have heard of it, nor have any idea why the open source technology might improve their webmail experience.

They might, however, be interested to learn that a researcher, Michal Bentkowski, of Securitum, recently discovered a surprisingly basic security flaw affecting Google’s implementation of the technology.

The intention behind AMP4Email, called ‘dynamic email’ in Gmail, was to reduce tab-clutter and make viewing email more like viewing and interacting with web pages, by allowing, for example, filling out reservation forms or searching Pinterest from within an email.

For examples of what dynamic email looks like in Gmail, scroll through Google’s 2018 YouTube demo featuring AMP4Email examples taken from Doodle, and Pinterest.

AMP4Email beats plain HTML hands down but from the start Google knew this could potentially open the door to a security wrangle – the more things an email can do, the more likely someone will abuse those capabilities maliciously.

That’s why dynamic email senders are required to use TLS encryption, as well as deploying email authentication using DKIM, SPF, and DMARC so not just anyone could spray users with empowered malicious spam.

As for the content, to avoid the possibility that attackers might execute JavaScript to attempt a Cross-Site Scripting (XSS) attack, senders must also build email content using an allow list of tags and attributes or risk validation errors that stop it rendering.

XSS is bad enough when users are lured to a vulnerable website. Embedding this in an email is even more dangerous because the threat is being delivered straight to users’ webmail inboxes.


Adobe Acrobat and Reader 2015 reach end of support

By Danny Bradbury

If you’ve been happily using Adobe Reader 2015 software for the last few years, you’re in for a rude awakening. The software vendor is ending support for these versions of its PDF-perusing product.

Adobe is bringing its support for two related products to an end: its free Acrobat Reader 2015 software, which enables people to open PDF documents without paying anything and perform basic edits, and the commercial Acrobat 2015 software that lets people create, convert, and add security and extra interactivity to their PDFs.

Adobe released both of these products in 2015, with Acrobat DC and Acrobat Reader DC. DC stands for Document Cloud, which is Adobe’s central cloud-based hub for managing documents.

The company’s Support Lifecycle Policy only provides five years of support from the date that its products become generally available. Adobe is pulling support on the products’ fifth anniversary, 7 April 2020.

At that point, customers won’t get technical support for their products, meaning that if you phone Adobe with a problem, its operatives won’t deal with it. More importantly, this end of support means that you won’t get any more security patches for the products either.


Brand new Android smartphones shipped with 146 security flaws

By John E Dunn

If you think brand new Android smartphones are immune from security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.

Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.

The sort of things these might allow include the modification of system properties (28.1%), app installation (23.3%), command execution (20.5%), and wireless settings (17.8%).

Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are the security problems shipped with your new phone, not ones that compromise the device during its use.

The culprit is a range of software specific to each manufacturer, installed in addition to Android itself or its Google applications.

But in common with Android and Google applications, these can’t be de-installed. The only way to patch one of these flaws is for the smartphone maker to be told about the issue and to issue a fix.

Factory soiled

We’ve been here before, of course. In August 2019, Google Project Zero researcher Maddie Stone gave a presentation at Black Hat to highlight the issue of malware she and her colleagues had discovered being installed on Android devices in the supply chain.


« older