New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices

By: Mohit Kumar

The recent controversy over the WhatsApp hack has not yet settled, and the world’s most popular messaging platform could be in choppy waters once again.

The Hacker News has learned that last month WhatsApp quietly patched yet another critical vulnerability in its app that could have allowed attackers to remotely compromise targeted devices and potentially steal secured chat messages and files stored on them.

The vulnerability, tracked as CVE-2019-11931, is a stack-based buffer overflow in the way earlier WhatsApp versions parsed the elementary stream metadata of an MP4 file; a crafted file could cause a denial of service or remote code execution.

To exploit the vulnerability remotely, all an attacker needs is the target’s phone number: sending them a maliciously crafted MP4 file over WhatsApp can trigger the overflow, and the resulting code execution can be used to silently install a backdoor or spyware app on the compromised device.
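The bug class behind CVE-2019-11931 is easiest to see in code. The C program below is an added illustration and is not WhatsApp’s parser: it models a single MP4 box carrying the elementary stream descriptor (the `esds` box, whose 8-byte size-plus-type header is the standard MP4 layout) and contrasts a parser that trusts the file’s size field with one that checks it against both the input and the destination. The 64-byte buffer, the function names and the sample boxes are assumptions chosen for the demonstration; nothing here is taken from the patched WhatsApp code, which is not public on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not WhatsApp's code. An MP4 file is a tree of "boxes":
 * each starts with a 4-byte big-endian size (header included) and a 4-byte
 * type; the elementary stream descriptor lives in a box of type "esds".
 * Both parsers below take one such box. Only the size-field handling matters
 * here; the descriptor contents themselves are not interpreted. */

#define ES_META_MAX 64   /* fixed stack buffer, as in a typical vulnerable parser */
#define BOX_HDR 8

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: the payload length is taken from the file and never compared
 * with either the bytes actually present or the size of the stack buffer.
 * A size field above ES_META_MAX + 8 overwrites the stack; a size field
 * below 8 wraps the subtraction around to a huge value. */
int parse_esds_vulnerable(const uint8_t *box, size_t box_len)
{
    uint8_t meta[ES_META_MAX];
    if (box_len < BOX_HDR || memcmp(box + 4, "esds", 4) != 0)
        return -1;
    uint32_t payload = be32(box) - BOX_HDR;   /* attacker controlled */
    memcpy(meta, box + BOX_HDR, payload);      /* stack-based buffer overflow */
    return (int)payload;                       /* bytes "parsed" */
}

/* HARDENED: every length is checked against both the input buffer and the
 * destination before anything is copied. Returns payload length or -1. */
int parse_esds_hardened(const uint8_t *box, size_t box_len,
                        uint8_t *out, size_t out_cap)
{
    if (box_len < BOX_HDR || memcmp(box + 4, "esds", 4) != 0)
        return -1;
    uint32_t size = be32(box);
    if (size < BOX_HDR || size > box_len)      /* declared size must fit the input */
        return -1;
    size_t payload = size - BOX_HDR;
    if (payload > out_cap)                     /* and must fit the destination */
        return -1;
    memcpy(out, box + BOX_HDR, payload);
    return (int)payload;
}

/* Constructed sample boxes exercised by the demo functions below. */

/* Well-formed 12-byte esds box: size 12, 4 payload bytes. */
static const uint8_t SAMPLE_BENIGN[12] =
    { 0x00,0x00,0x00,0x0C, 'e','s','d','s', 0x03,0x80,0x80,0x80 };

int demo_benign_vulnerable(void)
{
    return parse_esds_vulnerable(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN);
}

int demo_benign_hardened(void)
{
    uint8_t out[ES_META_MAX];
    return parse_esds_hardened(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, out, sizeof out);
}

/* Size field claims 1024 bytes but only 12 are present: an over-read in the
 * vulnerable parser, rejected by the hardened one. */
int demo_size_exceeds_input(void)
{
    uint8_t box[12] = { 0x00,0x00,0x04,0x00, 'e','s','d','s', 0,0,0,0 };
    uint8_t out[ES_META_MAX];
    return parse_esds_hardened(box, sizeof box, out, sizeof out);
}

/* Consistent 128-byte box whose 120-byte payload is larger than the 64-byte
 * destination: this is the stack-overflow case; the hardened parser refuses it. */
int demo_payload_exceeds_buffer(void)
{
    uint8_t box[BOX_HDR + 120];
    uint8_t out[ES_META_MAX];
    memset(box, 0x41, sizeof box);
    box[0] = 0; box[1] = 0; box[2] = 0; box[3] = (uint8_t)sizeof box;
    memcpy(box + 4, "esds", 4);
    return parse_esds_hardened(box, sizeof box, out, sizeof out);
}

/* Size field of 4 is smaller than the header: size - 8 wraps to 0xFFFFFFFC
 * in the vulnerable parser; the hardened one rejects it. */
int demo_size_below_header(void)
{
    uint8_t box[12] = { 0x00,0x00,0x00,0x04, 'e','s','d','s', 0,0,0,0 };
    uint8_t out[ES_META_MAX];
    return parse_esds_hardened(box, sizeof box, out, sizeof out);
}

int main(void)
{
    /* The vulnerable parser is only run on benign input here; feeding it the
     * crafted boxes corrupts the stack, which is the CVE-2019-11931 condition. */
    printf("benign / vulnerable : %d\n", demo_benign_vulnerable());
    printf("benign / hardened   : %d\n", demo_benign_hardened());
    printf("size > input        : %d\n", demo_size_exceeds_input());
    printf("payload > buffer    : %d\n", demo_payload_exceeds_buffer());
    printf("size < header       : %d\n", demo_size_below_header());
    return 0;
}
```

Build with `cc -Wall -O0 esds.c` and run it; the three crafted boxes all return -1 from the hardened parser. The two checks that matter are the ones the vulnerable version lacks: the declared size must be at least the header length and no larger than the bytes actually read from the file, and the resulting payload must fit the destination. Fuzzing a media parser with size fields set to 0, to values just below the header length, and to values far above the real file length is the quickest way to shake out this class of bug before shipping.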

The vulnerability affects both the consumer and the enterprise WhatsApp apps on all major platforms, including Google Android, Apple iOS and Microsoft Windows.

According to an advisory published by Facebook, which owns WhatsApp, the affected app versions are as follows:

  • Android versions before 2.19.274
  • iOS versions before 2.19.100
  • Enterprise Client versions before 2.25.3
  • Windows Phone versions before and including 2.18.368
  • Business for Android versions before 2.19.104
  • Business for iOS versions before 2.19.100

The scope, severity and impact of the newly patched vulnerability appear similar to a recent WhatsApp VoIP call vulnerability that was exploited by the Israeli company NSO Group to install Pegasus spyware on nearly 1,400 targeted Android and iOS devices worldwide.


Android And iOS: App Stores Hide ‘Prolific’ Government Spyware, Says BlackBerry

By: Zak Doffman

BlackBerry has not pulled any punches in publishing a heavyweight report into the “prolific and pervasive” government spyware it says is being spread far and wide by the official Android and iOS app stores. Setting out to paint the “big picture” on mobile malware, BlackBerry’s Cylance research team has collated examples—some old, some new—to emphasise the point. “Consumers are labouring under a false sense of security with the app stores,” BlackBerry exec Brian Robison told me as we discussed the report. “I don’t trust apps,” he said, “period.”

According to Robison, “hundreds” of such apps have circumvented Apple and Google security measures. Now BlackBerry wants consumers to be in no doubt that they cannot trust as safe everything available on the official stores. “I would advise them to keep their spidey senses active,” he told me.

Apple and Google did not comment on the record before publication, but Apple emphasised the company’s security credentials, the safety of its App Store, its efforts to detect malware and stop it being published, and its measures to prevent untrusted apps from being installed and launched on devices. Apple also pointed out that the report does not include any specific evidence related to apps on the App Store.

What the report does include is examples of mobile cyberattack vectors going back years, charting the early days of China’s APT groups, Iran’s recent rise through the ranks, North Korea’s attacks on its southerly neighbour and, more surprisingly, a raft of activity in Vietnam. Almost all the examples have been published before, but not together as here. There are some new findings (attacks on Pakistan’s military, for example), but the detailed chronology is not the point of the exercise.


Why is our OS derived from Android?



Many app developers and integrators ask us why we have chosen Android as the basis for our open IoT platform for security cameras. Let us explain why… 

Creating an open platform for IoT security cameras

A platform provides a solid foundation upon which to innovate and build new applications. Modern platforms also handle all the “boring” bits, such as application management and updating procedures.

In recent years, there has been a true explosion of IoT platforms. Yet, with more than 450 platforms available, none is truly well suited for the safety and security sector. Security and Safety Things has taken up the challenge of providing just such an IoT platform.

Selecting the right operating system for our platform

We value reliability and it was clear from the very beginning that the reliability that we desire for our platform couldn’t be achieved by building it from scratch. The choice of a Linux-based solution is straightforward since a lot of existing cameras are based on it. However, integrating edge devices into our IoT platform brings new requirements that need to be incorporated into the operating system design.

In this article, we want to share our key considerations:

  1. Interoperable apps: can developers create applications that run on a multitude of devices without having to tailor them to each device?
  2. Reliable updates: is there a well-tested update mechanism for apps and the base system?
  3. Security concept: there cannot be safety without security, so a well-evaluated, tried and tested security concept is essential.
  4. APIs: are the required APIs, such as camera support and machine learning acceleration, available and well supported across devices?

The challenge is to find the right one out of the myriad of GNU/Linux distributions.

Standing on the Shoulders of Giants

A lot of Linux distributions can be built into a platform for IoT devices. We decided to use the Android Open Source Project as the basis for three reasons:

1. Android is battle-tested in the mobile industry

Google’s Android provides a selection of well-integrated components in an industry that values reliability and security. Its sandboxing model isolates apps from each other and protects the system from malicious apps.

2. Android provides best-in-class interoperability

One of the great challenges when building an IoT ecosystem like ours is interoperability: we want developers to build apps that run correctly on every device. The mobile phone market pushes towards better cameras and on-device AI, which is why Android provides interoperable APIs for exactly these purposes, and that makes it a good fit for our ecosystem. Combined with a strong hardware abstraction layer, extensive compatibility testing and widespread chipset support, Android is a solid foundation for interoperable apps.


WARNING — Malware Found in CamScanner Android App With 100+ Million Users

By: Swati Khandelwal

Beware! Attackers can remotely hijack your Android device and steal the data stored on it if you are using the free version of CamScanner, a highly popular phone PDF creator app with more than 100 million downloads on the Google Play Store.

So, to be safe, just uninstall the CamScanner app from your Android device now, as Google has already removed the app from its official Play Store.

Unfortunately, CamScanner has recently gone rogue: researchers found a hidden Trojan Dropper module within the app that could allow remote attackers to secretly download and install malicious programs on users’ Android devices without their knowledge.

However, the malicious module does not actually reside in the code of the CamScanner Android app itself; instead, it is part of a third-party advertising library that was recently added to the PDF creator app.

Discovered by Kaspersky security researchers, the issue came to light after many CamScanner users spotted suspicious behavior and posted negative reviews on Google Play Store over the past few months, indicating the presence of an unwanted feature.

“It can be assumed that the reason why this malware was added was the app developers’ partnership with an unscrupulous advertiser,” the researchers said.

The analysis of the malicious Trojan Dropper module revealed that the same component was also previously observed in some apps pre-installed on Chinese smartphones.

“The module extracts and runs another malicious module from an encrypted file included in the app’s resources,” researchers warned.


“As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions.”

Kaspersky reported its findings to Google, which promptly removed the CamScanner app from the Play Store; the researchers add that “it looks like app developers got rid of the malicious code with the latest update of CamScanner.”


28 Million Android Phones Exposed To ‘Eye-Opening’ Attack Risk

By: Davey Winder

New research has revealed the truly shocking state of Android phone security. The source of that security problem may well come as a surprise: antivirus apps designed to protect devices and users. Researchers at testing specialists Comparitech found that apps with more than 28 million installs between them were presenting attack paths and opportunities to threat actors looking to exploit vulnerabilities on the Android platform.

In total, Comparitech put 21 separate Android antivirus apps to the test over the course of several weeks. Some 47% of them failed in one way or another. Three apps contained serious security flaws, including a critical vulnerability that exposed users’ address books, laying bare the details of an estimated one million contacts. Another vulnerability made one app “very easy to disable remotely” by an attacker.

And that’s before I’ve even mentioned the apps that were unable to detect a virus used during the testing process, or how nearly all of them were found to be tracking their users according to the Comparitech researchers.

“Comparitech spent weeks testing popular free Android antivirus apps,” Aaron Phillips, a Comparitech researcher reported, “we looked for flaws in the way each vendor handles privacy, security, and advertising. The results were eye-opening.”

Comparitech’s senior security researcher, Khaled Sakr, took responsibility for the testing itself, looking at each application, its effectiveness, web management dashboard and any back-end services. The apps were also scrutinized for dangerous permissions and trackers embedded within them.


Terrifying malware on Google Play Store BREAKS through advanced security

By: Dion Dassanayake

ANDROID users have been put on alert about a terrifying new piece of malware found on the Google Play Store that can break through advanced security.

Android fans are being warned about new malware discovered on the Google Play Store which can bypass advanced security measures.

Android is one of the most used pieces of software in the world, with more than two billion devices running the Google mobile OS each and every month.

But Android users are no strangers to security alerts, with several recent widespread threats having circulated via apps found on the Google Play Store.

Six Android apps that were downloaded a staggering 90 million times from the Google Play Store were found to have been loaded with the PreAMo malware.

Another recent threat saw 50 malware-filled apps on the Google Play Store infect over 30 million Android devices.

And now Android fans are being warned about a piece of malware that can bypass two-factor authentication (2FA).

Two-factor authentication gives an extra layer of security: users have to enter their password and a unique, one-time code.

The latter is sent via an SMS message or email, but this newly discovered malware can obtain that one-time code even without SMS or email permissions.


Apps classified as malware remain on Google Play for an average of 51 days

By: ESET Portugal Blog

A study on Android security covering the first half of 2019 finds that 2% of the apps removed from Google Play are classified as malware, and that some of them remained in the store for up to 138 days.

A study by ElevenPaths on the state of security in the first half of 2019 examines Android security and reports that, during that half-year, a total of 44,782 applications were removed from Google’s official store. As part of the study, a sample of 5,000 of those applications was analysed, of which 115 were classified as malicious.

Extrapolating from these figures, the researchers concluded that roughly 2% of the applications removed from Google Play during the first half of 2019 were malware.

The study also looked at how long these malicious apps remained on Google Play and found that they were available for download for an average of 51 days before being removed, and in some cases for as long as 138 days.

Although security experts recommend downloading apps only from official stores, given the risk of picking up malware from low-reputation sites and platforms, the reality, as we have reported on other occasions, is that many malicious apps get past the security filters of Google’s official store (and Apple’s) and remain available for download until they are detected and removed. While this is undeniable and shows how hard it is even for a giant like Google to vet an app’s safety before listing it in its official store, it does not mean that downloading an app from Google Play or the App Store is not still safer than downloading from unofficial stores, whose filters are weaker still.

ESET security researcher Lukas Stefanko said that “several investigations have shown, on various occasions, that Google Play’s protection systems are not impregnable. But although it is not as secure as a military base, it does a good job of fighting those dangerous applications and, when it detects them, removes them, and even prevents developers whose accounts have been banned from creating new accounts and continuing to publish malicious apps.”


There is a new ransomware threat for Android mobile devices

By: Rui Bacelar

Android ransomware has been in decline since 2017, but security researchers have discovered a new family of these threats, now named Android/Filecoder.C. It uses the victims’ contact lists and attempts to spread to other mobile devices via SMS messages containing malicious links.

Below are the details of this new method used by malicious actors.

The new ransomware was detected being distributed via pornography-related topics on Reddit. The malicious profile used in the distribution campaign was reported by ESET, but it is still active; in other words, threats of this kind are still in circulation.

There is a new ransomware threat for Android

In addition, for a short period the campaign was also posted on XDA Developers, a forum for Android developers. Following a report from the security company, the forum operators removed the malicious posts.

“The campaign now discovered is small and rather amateurish. However, if distribution picks up, this new ransomware could become a serious threat,” comments Lukáš Štefanko, the researcher at the company who led the investigation.

The new ransomware is notable for its propagation mechanism: before it starts encrypting files, it sends a batch of text messages to every address in the victim’s contact list, luring the recipients into clicking a malicious link, which in turn leads to the ransomware’s installation file.

“In theory, this could lead to a chain of infections, all the more so because the malware has 42 language versions of the malicious message. Fortunately, even unsuspecting users should notice that the messages are badly translated and that some versions make no sense,” comments Lukáš Štefanko.

Spreading across mobile devices

Beyond its unconventional propagation mechanism, Android/Filecoder.C has some anomalies in its encryption. It excludes large files (over 50 MB) and small images (under 150 kB). Likewise, its list of “file types to encrypt” contains many entries unrelated to Android, while some typical Android extensions are missing.

“Apparently, the list was copied from the notorious WannaCry ransomware,” the researcher observes.

There are other intriguing elements too, further signs of the unorthodox approach taken by the developers of this malware. Unlike typical Android ransomware, Android/Filecoder.C does not lock the user out of the device by locking the screen.


New FinSpy iOS and Android implants revealed ITW


FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International, Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described by Wikileaks in 2011, and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky looked at the functionally most recent versions of the FinSpy implants for iOS and Android, built in mid-2018. The iOS and Android implants have almost the same functionality: they are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.

Malware features


FinSpy for iOS is able to monitor almost all device activity, including recording VoIP calls made through external apps such as Skype or WhatsApp. The targeted applications include secure messengers such as Threema, Signal and Telegram. This functionality is achieved by leveraging Cydia Substrate’s hooking framework, so the implant can only be installed on jailbroken devices (iPhone or iPad; iPod has not been confirmed) running iOS 11 or below (newer versions had not been confirmed at the time of the research, and no implants for iOS 12 had been observed). Once deployed, the implant gives the attacker almost unlimited monitoring of the device’s activity.

The analyzed implant contained binary files for two different CPU architectures: ARMv7 and ARM64. Taking into account that iOS 11 is the first iOS version that does not support ARMv7 any more, we presumed that the 64-bit version was made to support iOS 11+ targets.

It looks like FinSpy for iOS does not provide infection exploits to its customers; instead it appears to be fine-tuned to clean up the traces of publicly available jailbreaking tools. An attacker using the main infection vector will therefore need physical access to the device in order to jailbreak it. For jailbroken devices, there are at least three possible infection vectors:

  • SMS message
  • Email
  • WAP Push

Any of those can be sent from the FinSpy Agent operator’s terminal.

The installation process involves several steps. First, a shell script checks the OS version and executes the corresponding Mach-O binary: “install64” (the 64-bit version) is used for iOS 11+, otherwise “install7” (the 32-bit version) is used. When started, the installer binary performs environmental checks, including a Cydia Substrate availability check; if it is not available, the installer downloads the required packages from the Cydia repository and installs them using the “dpkg” tool. After that the installer does some path preparation and package unpacking, randomly selects names for the framework and the app from a hardcoded list, deploys the components on the target system and sets the necessary permissions. Once deployment is done, the daemon is started and all temporary installation files are deleted.


New hacking tool unlocks any iPhone on the market

By: Felipe Payão

Cellebrite’s tool breaks into any iPhone and any high-end Android phone on the market.

Israeli company Cellebrite today (the 14th) launched UFED Premium, a hacking tool capable of unlocking any Apple iPhone currently sold on the market. UFED Premium is aimed at government and law enforcement agencies worldwide; Cellebrite, for example, works with Brazilian authorities.

Using UFED Premium, law enforcement agencies will be able to perform a full file system extraction on iOS phones as well as high-end Android smartphones, Cellebrite claims. “Gain access to third-party app data, chat conversations, downloaded emails and email attachments, deleted content and more, increase your chances of finding incriminating evidence and bring your case to a resolution,” the company writes in its sales pitch.

It is worth noting that, although Cellebrite claims it can unlock every iPhone on the market, its official website indicates that UFED Premium cannot yet break into iPhones running iOS 13, the operating system version that will soon arrive on all Apple devices.

Cellebrite gained media attention in the Apple vs FBI case, when the US agency sought to hack a terrorism suspect’s phone. The FBI succeeded in extracting the data from an iPhone 5c thanks to the tool.