Investigation of remote vulnerabilities on the iPhone via SMS, MMS, VVM, Email and iMessage
https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html
Project Zero (Natalie Silvanovich): The Fully Remote Attack Surface of the iPhone
Over 2,000 scam apps discovered on App Store #iOS
- the apps prompt the user to scan a fingerprint, which authorises an in-app purchase
- some of them are still on the App Store
- 2 apps made around $400k in June alone
- list of 517 apps
https://appsexposed.home.blog/2019/08/02/app-store-a-safe-haven-for-scammers-500-apps-exposed/
AppsExposed: App Store: A safe haven for scammers (+500 apps exposed). The article was first published on Medium, which suspended the authors' account without explanation after the exposed scammers reported it.
Decrypting the WhatsApp protocol to manipulate group chats
https://research.checkpoint.com/black-hat-2019-whatsapp-protocol-decryption-for-chat-manipulation-and-more/
Check Point Research (Dikla Barda, Roman Zaikin and Oded Vanunu): Black Hat 2019 – WhatsApp Protocol Decryption for Chat Manipulation and More
Fake Android security solutions found on Google Play
K7 Labs found 8 fake AV apps with 1,236,000+ combined installs
https://labs.k7computing.com/?p=17228
Sex app leaks locations, pics and personal details.
https://www.pentestpartners.com/security-blog/group-sex-app-leaks-locations-pictures-and-other-personal-details-identifies-users-in-white-house-and-supreme-court/
Pen Test Partners: Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court
In the official Android app of Black Hat an attacker can:
- Open an arbitrary URL in the app's browser
- Pre-dial a phone number
- Create an email
- Open Chrome to download a file https://t.co/mZ4UsuilPm
Tweet by Elliot Alderson: The official Android app of #BHUSA is a joke. For an event of this size this is not serious @BlackHatEvents.
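The four actions above are what an app exposes when its components (typically an activity behind a custom URL scheme) can be invoked by any other app or by a web page. The first check a practitioner runs is on the manifest: which components are reachable from outside the app, and which of those accept a URL from a browser. The script below is an added example, not code from the Black Hat app or from the tweet; it parses a constructed sample manifest (the package and component names are invented) using the platform's export rules: an explicit android:exported attribute wins, otherwise a component that declares an intent-filter is implicitly exported, and a provider without the attribute is treated as exported to stay conservative.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample manifest for this example; package and component names
# are invented and nothing here is taken from the real Black Hat app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.conference">
  <application>
    <activity android:name=".WebViewActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="conf" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter>
        <action android:name="com.example.conference.SYNC"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _android(el, attr):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{attr}")


def is_exported(component):
    """Platform default: an explicit android:exported wins; without it, any
    component declaring an intent-filter is implicitly exported. A provider
    without the attribute is treated as exported here (conservative; the real
    default depends on targetSdkVersion)."""
    explicit = _android(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def find_exported_components(manifest_xml):
    """Return one dict per externally reachable component, in manifest order,
    noting whether a browser can reach it (BROWSABLE) and via which schemes."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    findings = []
    for comp in application:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        schemes, browsable = [], False
        for flt in comp.findall("intent-filter"):
            categories = {_android(c, "name") for c in flt.findall("category")}
            browsable = browsable or BROWSABLE in categories
            schemes += [s for s in (_android(d, "scheme") for d in flt.findall("data")) if s]
        findings.append({
            "type": comp.tag,
            "name": _android(comp, "name"),
            # apps targeting Android 12+ must state this explicitly when an
            # intent-filter is present, so an implicit export is worth flagging
            "explicit": _android(comp, "exported") is not None,
            "browsable": browsable,
            "schemes": schemes,
        })
    return findings


if __name__ == "__main__":
    for f in find_exported_components(SAMPLE_MANIFEST):
        flag = "BROWSABLE " + ",".join(f["schemes"]) if f["browsable"] else ""
        print(f"{f['type']:<9} {f['name']:<20} explicit={f['explicit']} {flag}")
```

On a real target, decode the APK first (apktool, since the binary XML inside the APK is not what ElementTree reads), run the script over the decoded AndroidManifest.xml, and then exercise each browsable scheme it reports with `adb shell am start -a android.intent.action.VIEW -d 'conf://open?...'` to see what the component does with an attacker-supplied URL.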
Reversing Android pre-installed apps
The attacker's economics: convince one company to include your app in its firmware rather than convincing thousands of users to install it.
https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf
Maddie Stone's Black Hat 2019 slides (Securing the System) from her ConPresentations repo on GitHub
Vulnerabilities in 5G
1) A protocol vulnerability in the 4G and 5G specifications that allows a fake base station to steal information about the device and mount identification attacks
2) An implementation vulnerability in cellular network operator equipment that can be exploited during the device registration phase
3) A protocol vulnerability that drains the battery of low-powered devices
https://infosec.sintef.no/en/informasjonssikkerhet/2019/08/new-vulnerabilities-in-5g-security-architecture-countermeasures/
SINTEF: New vulnerabilities in 5G Security Architecture & Countermeasures (Part 1)
Remote Code Execution Vulnerabilities in Apple FaceTime #BlackHat
https://i.blackhat.com/USA-19/Thursday/us-19-Huang-Towards-Discovering-Remote-Code-Execution-Vulnerabilities-In-Apple-FaceTime.pdf
Attacking iPhone XS Max
https://i.blackhat.com/USA-19/Thursday/us-19-Wang-Attacking-IPhone-XS-Max.pdf
Clicker Trojan Installed from Google Play by 102,000,000 Android Users #AdFraud
https://news.drweb.com/show/?i=13382&lng=en
Dr.Web: Clicker Trojan Installed from Google Play by Some 102,000,000 Android Users. Clicker trojans simulate user actions on web pages (clicking links and other interactive elements) to inflate visit counts and earn money from online traffic.
Audio Recorder - Voice Recorder app with 1,000,000+ installs is a subscription scam. After a 3-day trial it requests payment of $199.99 per week.
https://twitter.com/WvuAlphaSoldier/status/1159712723518873601?s=19
Tweet by Jonathan Nichols (@WvuAlphaSoldier) calling out @GooglePlay
Malicious iPhone lightning cable
It looks and works like a normal Lightning cable, but it gives an attacker a way to remotely tap into the computer it is plugged into.
https://www.vice.com/amp/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer
O.MG cable: http://mg.lol/blog/omg-cable/
Vice: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
Robocall blocking apps, including TrapCall, Truecaller and Hiya, send your private data without permission
https://techcrunch.com/2019/08/09/many-robocall-blocking-apps-send-your-private-data-without-permission/
TechCrunch: Robocall blocking apps caught sending your data without permission
Mobile Security Penetration Testing List
https://hackersonlineclub.com/mobile-security-penetration-testing/
Hackers Online Club: Mobile Security Penetration Testing List, covering all-in-one mobile security frameworks for Android and iOS application penetration testing
Be careful when using shared devices
In-room tablets, phones in hotels, ordering tables in restaurants....
On some of them you can install TeamViewer and monitor all activity on the device.
https://twitter.com/JulienEhrhart/status/1160533140047351808?s=19
Tweet by Julien Ehrhart: Be very careful when you use complimentary in-room tablets or phones in hotels, they may lack proper security hardening. I was able to install @TeamViewer to monitor all the activity of the tablet on my phone.
A Canon DSLR camera can be infected with ransomware over the air
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/
Check Point Research (Eyal Itkin): Say Cheese: Ransomware-ing a DSLR Camera
Remotely stealing files through iMessage on iOS 12.3.1 (CVE-2019-8646, found by natashenka): https://youtu.be/ld2m0CPR1nM
The Remote, Interaction-less Attack Surface of the iPhone
Natalie Silvanovich's Black Hat USA 2019 slides on the remote, interaction-less attack surface of the iPhone and the RCE bugs found in it
http://i.blackhat.com/USA-19/Wednesday/us-19-Silvanovich-Look-No-Hands-The-Remote-Interactionless-Attack-Surface-Of-The-iPhone.pdf
History of the worst Android app ever: mAadhaar
Slides: https://github.com/fs0c131y/ConPresentations/blob/master/AppSecVillageDefcon27.mAadhaar.pdf
Presentation: https://youtu.be/1dnyV2Gd48A
The slides are in fs0c131y's ConPresentations repo on GitHub (AppSec Village, DEF CON 27)
Cerberus - A new banking Trojan from the underworld
https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html
ThreatFabric: Cerberus - A new banking Trojan from the underworld. Cerberus joins the Android banking malware rental business at a moment when it has no leading family.
Intercepting traffic from Android Flutter applications
https://blog.nviso.be/2019/08/13/intercepting-traffic-from-android-flutter-applications/
NVISO Labs: Intercepting traffic from Android Flutter applications. The post covers ARMv7; a separate post covers ARMv8 (64-bit), and an updated version was published in August 2022.