Many popular iPhone apps secretly record your screen without asking

By: Zack Whittaker

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allow developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

More: https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

New FaceTime Bug Lets Callers Hear and See You Without You Picking Up

By: Swati Khandelwal

If you own an Apple device, you should immediately turn OFF FaceTime app for a few days.

A jaw-dropping unpatched privacy bug has been uncovered in Apple’s popular video and audio call app FaceTime that could let someone hear or see you before you even pick up their call.

The bug is going viral on Twitter and other social media platforms with multiple users complaining of this privacy issue that can turn any iPhone into an eavesdropping device without the user’s knowledge.

The Hacker News has tested the bug on iPhone X running the latest iOS 12.1.2 and can independently confirm that it works, as flagged by 9to5Mac on Monday. We were also able to replicate the bug by making a FaceTime call to a MacBook running macOS Mojave.

Here’s How Someone Can Spy On You Using FaceTime Bug

The issue is more of a design or logic flaw than a technical vulnerability, and it resides in the newly launched Group FaceTime feature.

Here’s how one can reproduce the bug:
  1. Start a FaceTime Video call with any iPhone contact.
  2. While your call is dialing, swipe up from the bottom of your iPhone screen and tap ‘Add Person.’
  3. You can add your own phone number in the ‘Add Person’ screen.
  4. This will start a group FaceTime call including yourself and the person you first called, whose audio you will be able to listen in on even if he/she hasn’t accepted the call yet.

iPhone a Growing Target of Crypto-Mining Attacks

By: Kacy Zurkus

Apple has increasingly been the target of crypto-mining attacks, and according to Check Point, iPhone attacks increased by nearly 400% over the last two weeks in September.

In its most recently published Global Threat Index, Check Point researchers said they are continuing to investigate the reasons behind this sharp increase but reported that crypto-miners continued to be the most common malware in September 2018. Coinhive continued to hold the number-one position, which it has occupied since December 2017.

While Coinhive currently impacts 19% of global organizations, researchers also reported that the information-stealing Trojan Dorkbot held onto second place with a 7% global impact. The report also noted a significant increase in Coinhive attacks against PCs. Attackers used the Coinhive mining malware to target iPhones, which aligned with a rise in attacks against users of the Safari browser, the primary browser used on Apple devices.

The mining malware that rivals Coinhive, known as Cryptoloot, ranked third place overall on the Threat Index, making it the second-most prevalent crypto-miner in the index. Differentiating itself from Coinhive, Cryptoloot requests a smaller revenue percentage from websites than its top competitor.

“Crypto-mining continues to be the dominant threat facing organizations globally,” Maya Horowitz, threat intelligence group manager at Check Point, said in a press release. “What is most interesting is the fourfold increase in attacks against iPhones and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development.”

More: https://www.infosecurity-magazine.com/news/iphone-a-growing-target-of/

Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs

By: Pierluigi Paganini

Security researcher Sabri Haddouche from Wire devised a new CSS attack that causes iPhones to reboot or Macs to freeze.

Haddouche devised a new attack method that saturates an Apple device’s resources, causing it to crash or restart when visiting a web page. The researcher discovered that iOS restarts and macOS freezes when the user visits a web page that contains certain CSS & HTML.

Depending on the version of iOS being used, the bug could trigger a UI restart or cause a kernel panic and a consequent device reboot.

This attack leverages a weakness in the -webkit-backdrop-filter CSS property; for this reason it affects all browsers on iOS, since they all use WebKit as their rendering engine. The weakness also affects Safari and Mail on macOS, but it doesn’t affect Linux and Windows systems.

“The attack exploits a weakness in the -webkit-backdrop-filter CSS property,” Haddouche explained to BleepingComputer. “By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled, therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts.”

More: https://securityaffairs.co/wordpress/76228/hacking/css-attack-iphone-reboot.html

Dozens of popular iPhone apps caught sending user location data to monetization firms

By: Zack Whittaker

A group of security researchers say dozens of popular iPhone apps are quietly sharing the location data of “tens of millions of mobile devices” with third-party data monetization firms.

Almost all require access to a user’s location data to work properly, like weather and fitness apps, but share that data often as a way to generate revenue for free-to-download apps.

In many cases, the apps send precise locations and other sensitive, identifiable data “at all times, constantly,” and often with “little to no mention” that location data will be shared with third-parties, say security researchers at the GuardianApp project.

“I believe people should be able to use any app they wish on their phone without fear that granting access to sensitive data may mean that this data will be quietly sent off to some entity who they do not know and do not have any desire to do business with,” said Will Strafach, one of the researchers.

Using tools to monitor network traffic, the researchers found 24 popular iPhone apps that were collecting location data — from Bluetooth beacons to Wi-Fi network names — to know where a person is and where they visit. These data monetization firms also collect other device data from the accelerometer, battery charge status and cell network names.

In exchange for the data, these firms often pay app developers to collect it, growing their databases and often delivering ads based on a person’s location history.

But although many claim they don’t collect personally identifiable information, Strafach said that latitude and longitude coordinates can pin a person to a house or their work.

More: https://techcrunch-com.cdn.ampproject.org/c/s/techcrunch.com/2018/09/07

Google Tracks Android, iPhone Users Even With ‘Location History’ Turned Off

By: Mohit Kumar

Google tracks you everywhere, even if you explicitly tell it not to.

Every time a service like Google Maps wants to use your location, Google asks your permission to allow access to your location if you want to use it for navigating, but a new investigation shows that the company does track you anyway.

An investigation by Associated Press revealed that many Google services on Android and iPhone devices store records of your location data even when you have paused “Location History” on your mobile devices.

Disabling “Location History” in the privacy settings of Google applications should prevent Google from keeping track of your every movement, as its own support page states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

However, AP found that even with Location History turned off, some Google apps automatically store “time-stamped location data” on users without asking them, contradicting that claim.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,” the AP explains.


“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

To demonstrate the threat of this Google’s practice, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android smartphone with ‘Location History’ switched off to prevent location data collection.

More: https://thehackernews.com/2018/08/google-mobile-location-tracking.html

iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known

By: Swati Khandelwal

An India-linked, highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including Windows devices and possibly Android as well.

As reported in our previous article, earlier this month researchers at Talos threat intelligence unit discovered a group of Indian hackers abusing a mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.

Operating since August 2015, the attackers have been found abusing the MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.

These modified apps have been designed to secretly spy on iOS users, and steal their real-time location, SMS, contacts, photos and private messages from third-party chatting applications.

During their ongoing investigation, Talos researchers identified a new MDM infrastructure and several malicious binaries – designed to target victims running Microsoft Windows operating systems – hosted on the same infrastructure used in previous campaigns.

  • Ios-update-whatsapp[.]com (new)
  • Wpitcher[.]com
  • Ios-certificate-update.com

“We know that the MDM and the Windows services were up and running on the same C2 server in May 2018,” researchers said in a blog post published today.

“Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.”


Possible Connections with “Bahamut Hacking Group”


Hackers Used Malicious MDM Solution to Spy On ‘Highly Targeted’ iPhone Users

By: Swati Khandelwal


Security researchers have uncovered a “highly targeted” mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.

The attackers, who are also believed to be operating from India, were found abusing the mobile device management (MDM) protocol—a type of security software used by large enterprises to control and enforce policies on devices used by their employees—to control and deploy malicious applications remotely.

Enrolling an iOS device into MDM requires the user to manually install an enterprise developer certificate, which enterprises obtain through the Apple Developer Enterprise Program.

Companies can deliver the MDM configuration file through email or a webpage for over-the-air enrollment, or by using Apple Configurator.

Once a user installs it, the service allows the company administrators to remotely control the device, install/remove apps, install/revoke certificates, lock the device, change password requirements, etc.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” Apple explains about MDM.
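To make the enrollment mechanics above concrete from a defender’s side, here is an added example (not code from The Hacker News, Talos or Apple) that inspects an over-the-air enrollment profile before it is trusted: it parses the .mobileconfig plist, reports whether it carries a com.apple.mdm payload, which hosts the device would check in to, whether the profile also installs a root CA, and which high-impact AccessRights bits are requested. The profile, its identifiers, the hostnames and the approved-host list are constructed placeholders; the AccessRights bit values follow Apple’s MDM protocol reference.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of an over-the-air MDM enrollment profile (.mobileconfig).
# All identifiers and hostnames are placeholders, not real infrastructure.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enroll</string>
  <key>PayloadDisplayName</key><string>iOS Certificate Update</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.enroll.ca</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.enroll.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# AccessRights bit flags, per Apple's MDM protocol reference. 8191 = every right.
HIGH_IMPACT_RIGHTS = {
    4: "device lock and passcode removal",
    8: "device erase",
    2048: "settings manipulation",
    4096: "app management (install/remove apps)",
}


def inspect_profile(raw, approved_hosts):
    """Summarise what an enrollment profile would let the MDM server do.

    raw: the .mobileconfig bytes; approved_hosts: the organisation's own MDM hosts.
    """
    profile = plistlib.loads(raw)
    findings = []
    mdm_hosts = set()
    is_mdm = False

    # Lure heuristic: the campaign's domains posed as iOS/certificate updates.
    name = profile.get("PayloadDisplayName", "")
    if "update" in name.lower():
        findings.append(f"display name {name!r} imitates a system update")

    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.security.root":
            findings.append("installs a trusted root CA: " + payload.get("PayloadIdentifier", "?"))
        if ptype != "com.apple.mdm":
            continue
        is_mdm = True
        # The device will check in to these URLs after the APNS wake-up.
        for key in ("ServerURL", "CheckInURL"):
            host = urlparse(payload.get(key, "")).hostname or ""
            mdm_hosts.add(host)
            if host not in approved_hosts:
                findings.append(f"{key} points at unapproved host {host!r}")
        rights = int(payload.get("AccessRights", 0))
        for bit, meaning in HIGH_IMPACT_RIGHTS.items():
            if rights & bit:
                findings.append(f"requests right: {meaning}")

    return {"is_mdm_enrollment": is_mdm, "mdm_hosts": sorted(mdm_hosts), "findings": findings}


if __name__ == "__main__":
    report = inspect_profile(SAMPLE_PROFILE, approved_hosts={"mdm.corp.example"})
    print("MDM enrollment profile:", report["is_mdm_enrollment"])
    for line in report["findings"]:
        print(" -", line)
```

Run against a profile received by email or from a web page, the check surfaces exactly the two things the campaign relied on: a check-in host the organisation does not operate, and rights broad enough to install apps and lock or erase the device.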

Since each step of the enrollment process requires user interaction, such as installing a certificate authority on the iPhone, it is not yet clear how attackers managed to enroll 13 targeted iPhones into their MDM service.

However, researchers at Cisco’s Talos threat intelligence unit, who discovered the campaign, believe that the attackers likely used either a social engineering mechanism, like a fake tech support-style call, or physical access to the targeted devices.

More: https://thehackernews.com/2018/07/mobile-device-management-hacking.html?m=1

Apple pushes back on hacker’s iPhone passcode bypass report

By: Zack Whittaker


The researcher later found that passcodes he tested weren’t always counted.

A security researcher’s demonstration that purportedly bypassed a passcode on up-to-date iPhones and iPads has been pushed back by Apple.

Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, tweeted Friday about a potential way to bypass security limits, allowing him to enter as many passcodes as he wants — even on the latest version of iOS 11.3.

Beyond ten wrong passcodes, the device can be set to erase its contents.

Hickey said he found a way around that. He explained that when an iPhone or iPad is plugged in and a would-be-hacker sends keyboard inputs, it triggers an interrupt request, which takes priority over anything else on the device.

“Instead of sending passcode one at a time and waiting, send them all in one go,” he said.

“If you send your brute-force attack in one long string of inputs, it’ll process all of them, and bypass the erase data feature,” he explained.

Despite several requests for comment, Apple spokesperson Michele Wyman said Saturday: “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.”

Apple did not say why it disputed Hickey’s findings, which he reported to the company Friday, before tweeting.

We reported Friday on Hickey’s findings, which claimed to be able to send all combinations of a user’s possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn’t give the software any breaks, the keyboard input routine takes priority over the device’s data-erasing feature.

But Hickey tweeted later, saying that not all tested passcodes are sent to the device’s secure enclave, which protects the device from brute-force attacks.

Bank fraud losses could reach US$ 93 billion worldwide

By: TI Inside Online

If you want to sleep soundly after making a financial transaction or an online purchase, make it your standard practice to do everything from your smartphone, recommend digital security experts Ricardo Leocádio, security technology coordinator at Banco Mercantil do Brasil, and Thiago Bordini, director of cyber intelligence and research at New Space.

During the panel “Fraudes na Internet: Ascensão, Ápice e Além” (Internet Fraud: Rise, Peak and Beyond), held this Wednesday, the 13th, at CIAB Febraban 2018, the two warned that the risks of bank fraud keep growing, reaching US$ 93 billion worldwide and R$ 750 million in Brazil.

Both traced a history of cybercrime behaviour, revealing that risks and investments in prevention grow in the same proportion. “Banking malware has evolved, reaching the current point of displaying fake screens that capture all the credentials of internet banking users,” Leocádio said.

He traced a history of the refinement of banking malware, which shows that between 2009 and 2011 the peak was a single piece of malware able to attack 40 banks. “It was a period in which we even identified the trading of bank credentials on social networks such as Orkut,” he notes.

In 2012, the group that monitors bank fraud within Febraban identified a new qualitative leap in banking malware. That was when they noticed the beginning of so-called “secure coding”, with which malware gained enough intelligence to detect whether it was running in virtual machines, for example, and also to notice whether it was being monitored.

The following year, the iPhone made life harder for cybercriminals, who quickly moved on to infecting home modems to modify the DNS settings of machines and centralise their attacks. And from 2017 onwards, the most worrying practice has been the faking of internet banking screens and of the banks’ apps.

More: http://tiinside.com.br/tiinside/seguranca/mercado-seguranca/13/06/2018/perdas-com-fraudes-bancarias-podem-chegar-a-us-93-bilhoes/?noticiario=TI&&&&utm_source=akna&&utm_medium=email&&utm_campaign=TI+INSIDE+Online+-+13%2F06%2F2018+23%3A41