VidMate - Chinese video app with 500M+ installs is charging people, draining their batteries, and exposing data without their knowledge.
https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download
https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download
BuzzFeed News
A Huge Chinese Video App Is Charging People, Draining Their Batteries, And Exposing Data Without Their Knowledge
VidMate told BuzzFeed News it was investigating the claims, but declined to share basic information about its employees and ownership.
👎1
Facebook Messenger Bug in Android
An attacker is able to send media messages on behalf of other users on Facebook Messenger
https://bugreader.com/kbazzoun@sending-message-on-behalf-of-other-users-72
An attacker is able to send media messages on behalf of other users on Facebook Messenger
https://bugreader.com/kbazzoun@sending-message-on-behalf-of-other-users-72
Bugreader
Sending message on behalf of other users
This could have allowed a malicious user to send media messaged on behalf of other users by making them(victims) admins on his page .
Everyone should read this sad story.
Real victim of SIM swapping lost $100K from Coinbase within 24h.
This happened not because of malware, but as a result of sharing too much personal information on social media that end up in intelligence gathering for targeted attack.
https://t.co/Tu1ML9QGDi
Real victim of SIM swapping lost $100K from Coinbase within 24h.
This happened not because of malware, but as a result of sharing too much personal information on social media that end up in intelligence gathering for targeted attack.
https://t.co/Tu1ML9QGDi
Medium
The Most Expensive Lesson Of My Life: Details of SIM port hack
I lost north of $100,000 last Wednesday. It evaporated over a 24 hour timespan in a “SIM port attack” that drained my Coinbase account.
New release of Kali NetHunter 2019.2 (Kali for Android).
NetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.
https://www.kali.org/news/kali-linux-2019-2-release/
NetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.
https://www.kali.org/news/kali-linux-2019-2-release/
Kali Linux
Kali Linux 2019.2 Release | Kali Linux Blog
Welcome to our second release of 2019, Kali Linux 2019.2, which is available for immediate download. This release brings our kernel up to version 4.19.28, fixes numerous bugs, includes many updated packages, and most excitingly, features a new release of…
Yesterday was released official version of Tor Browser for Android.
Info: https://www.zdnet.com/article/first-official-version-of-tor-browser-for-android-released-on-the-play-store/
Google Play: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&rdid=org.torproject.torbrowser
For iOS Tor Project recommends: https://itunes.apple.com/us/app/onion-browser/id519296448
Info: https://www.zdnet.com/article/first-official-version-of-tor-browser-for-android-released-on-the-play-store/
Google Play: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&rdid=org.torproject.torbrowser
For iOS Tor Project recommends: https://itunes.apple.com/us/app/onion-browser/id519296448
ZDNET
First official version of Tor Browser for Android released on the Play Store
After eight months of alpha testing, Tor Browser for Android is now ready for rollout.
👍1
Objection - Runtime Mobile Exploration toolkit without need for a jailbroken or rooted mobile device.
Supports iOS & Android while powered by Frida.
https://github.com/sensepost/objection
Supports iOS & Android while powered by Frida.
https://github.com/sensepost/objection
GitHub
GitHub - sensepost/objection: 📱 objection - runtime mobile exploration
📱 objection - runtime mobile exploration. Contribute to sensepost/objection development by creating an account on GitHub.
Phishing "Trezor Mobile Wallet" app found on Google Play and pops as a second search result.
This fake Trezor is also connected to "Coin Wallet" service which was another cryptocurrency wallet on Google Play with over 1,000 installs using same source code and server.
https://www.welivesecurity.com/2019/05/23/fake-cryptocurrency-apps-google-play-bitcoin/
This fake Trezor is also connected to "Coin Wallet" service which was another cryptocurrency wallet on Google Play with over 1,000 installs using same source code and server.
https://www.welivesecurity.com/2019/05/23/fake-cryptocurrency-apps-google-play-bitcoin/
WeLiveSecurity
Fake cryptocurrency apps crop up on Google Play as bitcoin price rises
ESET researchers have analyzed fake cryptocurrency wallets cropping up on Google Play at the time of bitcoin’s renewed growth.
For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week.
https://www.zdnet.com/article/mobile-chrome-safari-and-firefox-failed-to-show-phishing-warnings-for-more-than-a-year/
https://www.zdnet.com/article/mobile-chrome-safari-and-firefox-failed-to-show-phishing-warnings-for-more-than-a-year/
ZDNet
Mobile Chrome, Safari, and Firefox failed to show phishing warnings for more than a year
Google Safe Browsing didn't show phishing warnings for mobile browsers between mid-2017 and late-2018.
Rather use your charging adapter then USB charging stations.
“Let’s say I’m a bad guy. I go into an airport. I’m not going to easily take apart the charging station but it’s easy to just leave my cord behind. Now, if you see an Apple charging cord, you’re likely to grab it or just plug into it. But inside this cord is an extra chip that deploys the malware, so it charges your phone but now I own your computer.”
https://www.forbes.com/sites/suzannerowankelleher/2019/05/21/why-you-should-never-use-airport-usb-charging-stations/
“Let’s say I’m a bad guy. I go into an airport. I’m not going to easily take apart the charging station but it’s easy to just leave my cord behind. Now, if you see an Apple charging cord, you’re likely to grab it or just plug into it. But inside this cord is an extra chip that deploys the malware, so it charges your phone but now I own your computer.”
https://www.forbes.com/sites/suzannerowankelleher/2019/05/21/why-you-should-never-use-airport-usb-charging-stations/
Forbes
Why You Should Never Use Airport USB Charging Stations
Stop! Plugging into that airport USB charging station could put your personal data at risk.
The DuckDuckGo Privacy Browser application 5.26.0 for Android allows address bar spoofing via a setInterval call
https://www.inputzero.io/2019/05/duckduckgo-address-bar-spoofing.html
https://www.inputzero.io/2019/05/duckduckgo-address-bar-spoofing.html
www.inputzero.io
DuckDuckGo Address Bar Spoofing
DuckDuckGo Address Bar Spoofing | CVE-2019-12329
How to start with reverse engineering of ARM http://www.giovanni-rocca.com/i-want-to-be-an-arm-reverse-engineer/
Fake Antivirus app found on Google Play
https://blog.trustlook.com/security-app-rreview-lionmobi/
https://blog.trustlook.com/security-app-rreview-lionmobi/
Trustlook blog
Security APP Review - Lionmobi
An Anti-Virus mobile App can have fancy UI and claimed to have a lot of protections to your phone. However, non-tech users wouldn't know whether it is true or not. Let's have some reviews on some popular mobile security Apps.
Top Android malware threats - May 2019 http://skptr.me/malware_timeline_2019.html
Lookout has discovered 238 unique applications that include BeiTaPlugin adware with over 440 million installations on Google Play
https://blog.lookout.com/beitaplugin-adware
https://blog.lookout.com/beitaplugin-adware
Lookout
Adware "BeiTaAd" Found Hidden in Popular Applications | Threat Intel
BeiTaAd is a well-obfuscated advertising plug-in hidden within a number of popular applications in Google Play. Discover more about this mobile threat.
The idea of the new system is to turn Apple’s existing network of iPhones into a massive crowdsourced location tracking system. Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device. When it picks up one of these signals, the participating phone tags the data with its own current GPS location; then it sends the whole package up to Apple’s servers.
https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/amp/
https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/amp/
A Few Thoughts on Cryptographic Engineering
How does Apple (privately) find your offline devices?
At Monday’s WWDC conference, Apple announced a cool new feature called “Find My”. Unlike Apple’s “Find my iPhone”, which uses cellular communication and the lost…
Don't install these apps, they are still available on Google Play. These apps display unwanted after user unlocks device and hide from home menu.
These apps mostly impersonate Camera/Photo editor applications.
Source: https://twitter.com/LukasStefanko/status/1136568939239137280?s=19
These apps mostly impersonate Camera/Photo editor applications.
Source: https://twitter.com/LukasStefanko/status/1136568939239137280?s=19
Talk about 10 different Android malware families discovered on Google Play + analysis on Anubis Banking Trojan
https://youtu.be/4oSuv-kXWJI
https://youtu.be/4oSuv-kXWJI
YouTube
CONFidence 2019: "Latest Android threats and their techniques" - Lukas Štefanko
The number of Android devices, developers and applications is growing, making our lives even more convenient and connected. But there is also a dark side to the number of apps: malicious actors developing apps capable of stealing mobile banking credentials…