Google plays Whack-A-Mole with naughty Android developers

By Lisa Vaas

Following updates to Android application programming interfaces (APIs) and Google Play policies, some developers have been surprised to find they’ve been blocked from distributing apps through Google Play.

Sorry, Google said on Monday: we’re playing Whack-A-Mole with “bad-faith” developers.

Google said that the “vast majority” of Android developers are good at heart, but some accounts are rotten to the core.

At least, some accounts are suspended after “serious, repeated” violations of policies meant to protect Android users, according to Sameer Samat, VP of Product Management, Android & Google Play.

Samat said that such developers often try to slip past Google’s checks by opening up new accounts or hijacking other developers’ accounts in order to publish their unsafe apps.

In order to fend off those repeat offenders, developers without an established track record can henceforth expect to be put through a more thorough vetting process, Samat said.

Sorry for the 1% of blunders

As with any move made to boost Android security, this one’s bound to misfire, he said – although he claimed that 99% of Google’s suspension decisions are correct.

The company isn’t always able to share the reasoning behind deducing that a given account is related to another, he said, but developers can immediately appeal any enforcement.

Read more at https://nakedsecurity.sophos.com/2019/04/18/google-plays-whack-a-mole-with-naughty-android-developers/

Chrome flaw on iOS leads to 500 million unwanted pop-up ads

By John E Dunn

If you own an iOS device and use the Chrome browser, there is a chance during the last week that you’ve encountered some strange-looking advertising pop-ups.

There are no rewards, of course, because these pop-up ads are run by a cybercrime group and exist to generate revenue for the crooks – you don’t get to share the spoils.

But the bigger question that bugged Confiant’s researchers when they analysed the pop-ups was how they were bypassing Chrome’s iOS ad-blocking protection.

The volume of campaigns was massive – 500 million pop-ups since 6 April 2019, apparently – featuring 30 adverts connected to a cybercrime group called eGobbler.

Aiming such a large volume of ads at the users of one platform and browser, iOS Chrome, also looked a little unusual.

Sure enough, Confiant discovered the campaigns had found a way to beat Chrome’s pop-up blocker by exploiting a previously unknown and unpatched security vulnerability.

Google was told of the issue last week, which Confiant hasn’t yet explained in detail because it remains unpatched:

We will be offering an analysis of the payload and POC [proof-of-concept] exploit for this bug in a future post given that this campaign is still active and the security bug is still unpatched in Chrome as of this blog post.

Read more at https://nakedsecurity.sophos.com/2019/04/18/chrome-flaw-on-ios-leads-to-500-million-unwanted-popup-ads/

Oracle issues nearly 300 patches in quarterly update

By Danny Bradbury

Oracle is keeping people busy before the Easter weekend. The company has issued a raft of quarterly security updates for 297 vulnerabilities, along with an urgent warning to patch now.

The latest Critical Update Patch contains vulnerabilities spanning dozens of products including its Fusion Middleware product set, which received 53 new security fixes overall – 42 of them for vulnerabilities that could in theory be exploited remotely over a network with no user credentials

The Oracle E-Business Suite accounted for 35 new security fixes in the critical patch update – 33 of them for remotely exploitable bugs. The Suite encompasses business applications including enterprise resource planning, customer relationship management, and supply chain management.

Also high on the list of affected product groups was Oracle Communications Applications, which received 26 security fixes for vulnerabilities, 19 of which were remotely exploitable.

The software giant’s suite of retail applications got 24 security fixes between them; Oracle Database Server had six; Java SE, which Oracle acquired along with Sun Microsystems in 2010, had five holes patched.

Read more at https://nakedsecurity.sophos.com/2019/04/18/oracle-issues-nearly-300-patches-in-quarterly-update/