If Bluetooth is ON on your Apple device everyone nearby can sniff your mobile phone number. [Video demo included]
https://hexway.io/blog/apple-bleee/
PoCs: https://github.com/hexway/apple_bleee
Five bugs in iMessages
1) CVE-2019-8647 is a remote, interactionless use-after-free - https://bugs.chromium.org/p/project-zero/issues/detail?id=1873
2) CVE-2019-8662 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1917
3) CVE-2019-8660 is remote, interactionless memory corruption - https://bugs.chromium.org/p/project-zero/issues/detail?id=1884
4) CVE-2019-8646 allows an attacker to read files off a remote device with no user interaction, as user mobile with no sandbox - https://bugs.chromium.org/p/project-zero/issues/detail?id=1858
5) Out-of-bounds read in DigitalTouch tap message processing - https://bugs.chromium.org/p/project-zero/issues/detail?id=1828
Such vulnerabilities, when sold on the black market, can bring a bug hunter well over $1 million, according to a price chart published by Zerodium.
https://www.zdnet.com/article/google-researchers-disclose-exploits-for-interactionless-ios-attacks/
ZDNet
Google researchers disclose vulnerabilities for 'interactionless' iOS attacks
The six bugs, if sold on the exploit market, would have brought in well over $5 million.
2019 mobile threat report - CrowdStrike.pdf
Mobile Threat Landscape Report 2019
A comprehensive review of mobile malware trends
Update your Truecaller app
The bug led the Truecaller app to quietly send a text message to a bank to verify their account — which is part of the procedure to sign up to the payments service.
https://techcrunch.com/2019/07/30/truecaller-upi-payments-bug/
TechCrunch
Truecaller pushes software fix after covertly signing up Indians to its payments service
Truecaller, a service that helps users screen robocalls, has rolled out an update to its app in India, its largest market, after a previous software release covertly signed up an unspecified number of users to its payments service. A number of users in India…
Mobile Security Review 2019
Google Play Protect had the worst malware scan results.
"Android includes built-in security features for malware detection, device loss or theft, and safe browsing for free. However, Play Protect does not yet provide effective protection." @AV_Comparatives
https://www.av-comparatives.org/tests/mobile-security-review-2019/
Facebook & WhatsApp will send all users' messages to their cloud in clear text before encryption. #privacy
"If the company’s new on-device content moderation succeeds it will usher in the end of consumer end-to-end encryption and create a framework for governments to outsource their mass surveillance directly to social media companies, completely bypassing encryption."
https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/
Forbes
The Encryption Debate Is Over - Dead At The Hands Of Facebook
The sad reality of the encryption debate is that after 30 years it is finally over: dead at the hands of Facebook.
Mobile forensics analyzes the smartphone itself, with possible access to cloud data. However, extending the search to the user's desktop and laptop computers may (and probably will) help in accessing information stored both on the physical smartphone and in the cloud.
https://blog.elcomsoft.com/2019/07/extended-mobile-forensics-analyzing-desktop-computers/
ElcomSoft blog
Extended Mobile Forensics: Analyzing Desktop Computers
When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the…
HiddenAd Adware with 500,000 installs found on Google Play
https://twitter.com/ESETresearch/status/1156551255701020672?s=19
Twitter
ESET research
Beware of sneaky #Android adware lurking among Trending Photography apps on #GooglePlay! @LukasStefanko #reported it. #ESETresearch #cybersecurity https://t.co/wHuyfc5iaA
AdFraud app found on Google Play had 1,000,000+ installs
https://twitter.com/ESETresearch/status/1156587825812271106?s=19
Twitter
ESET research
#ESETresearch @LukasStefanko has discovered a #TrojanClicker disguised as a barcode reader app, installed by 1M+ users before being removed from #GooglePlay. The Trojan generates network traffic in the background to click on ads without the user’s consent.…
Remotely Stole Files Through iMessage on iOS 12.3.1 (CVE-2019-8646 by natashenka)
https://youtu.be/ld2m0CPR1nM
YouTube
Remotely Stole Files Through iMessage on iOS 12.3.1 (CVE-2019-8646 by natashenka)
Twitter @ SparkZheng
Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=1858
Review of harmful apps on Google Play in July 2019
All these apps and numbers are based on research, blogs, reports and tweets published in July 2019 by the #infosec community.
Forwarded from The Bug Bounty Hunter
Opera Android Address Bar Spoofing: CVE-2019–12278
https://medium.com/@justm0rph3u5/opera-android-address-bar-spoofing-cve-2019-12278-9ffcfd6c508c
Medium
Opera Android Address Bar Spoofing: CVE-2019–12278
Learning is a continuous process, there are millions of writeups, blogs and researches which one keeps on studying. Similarly, I read that…
America Phone Farmers
Ordinary Americans are using armies of phones to generate cash through ad fraud.
https://www.vice.com/en_us/article/d3naek/how-to-make-a-phone-farm
VICE
America’s DIY Phone Farmers
Ordinary Americans are using armies of phones to generate cash to buy food, diapers, and beer through ad fraud.
Tested 21 Android antivirus apps and found serious vulnerabilities
- 3 IDOR vulnerabilities (leaking the address book, sending fake alerts, remotely disabling AV protection)
- 2 XSS vulnerabilities
https://www.comparitech.com/antivirus/android-antivirus-vulnerabilities/
Comparitech
We tested 21 Android antivirus apps and found these serious vulnerabilities - Comparitech
Android antivirus apps claim to protect your device, but we found a ton of security holes and privacy risks -- one of them even exposes your address book
Top Android malware threats - Month of July, 2019
Full list: http://skptr.me/malware_timeline_2019.html
Download samples: https://github.com/sk3ptre/AndroidMalware_2019
Fake Antivirus with 100K+ installs found on Google Play
https://twitter.com/tom_sara05/status/1157176010585997312?s=19
Subnoscription scam on Google Play with 1,000,000+ downloads exploits 3-day trial, then robs you of €54.99 per week
https://twitter.com/ESETresearch/status/1157206903602028544
Twitter
ESET research
Subnoscription #scam on #GooglePlay with 1M+ downloads exploits 3-day trial, then robs you of €54.99 per week. This makes it 10 times more expensive than legitimate professional software. @LukasStefanko #reported it to Google. #ESETresearch thanks @jaymin9687…
Three adware apps with 30,000+ installs altogether.
- in the app manager they change their name to "Google Play Store"
- they hide their own icon
- they display full-screen ads every 15 minutes, but only starting 24 hours after installation
https://labs.bitdefender.com/2019/07/adware-packed-fake-apps-still-making-their-way-to-google-play/
Bitdefender Labs
Adware-Packed Fake Apps Still Making Their Way to Google Play
Adware is nothing new, nor will it go away any time soon, especially since it’s a legitimate means for app developers to generate revenue. When it... #aggressiveadware #androidadware #androidresearch
HiddenAd adware discovered on Google Play was one of the top 10 new apps in the store in July!
Reached 1M+ downloads. Reported.
https://t.co/iY3z60gicp
Twitter
ESET research
#HiddenAd adware found on Google Play was one of the top 10 new apps in the store in July, with 1M+ downloads - until @LukasStefanko #reported it. IoC Hash: 3E1E1FD9BAE9E7DDE2CB06859E125352B7EA8ABD ESET detection name: Android/Hiddad.ADQ
Record for HiddenAd Adware found on Google Play.
It reached 5,000,000+ installs.
- after launch it can hide its own icon
- after the device is unlocked it displays a full-screen ad
- reported
https://twitter.com/ReBensk/status/1157267868993515521?s=19