Plus: 12 more people are indicted over a $263 million crypto heist, and a former FBI director is accused of threatening Donald Trump thanks to an Instagram post of seashells.

As analysts and governments around the world continue to call attention to North Korean digital fraud, researchers this week published 1,000 email addresses they claim are linked to North Korean IT worker scams perpetrated against Western companies, along with photos of people allegedly involved in the fraud. Xinbi Guarantee, a marketplace and platform used by Chinese-speaking crypto scammers for money laundering grew into an $8.4 billion hub before a crackdown by Telegram this week. And following a WIRED inquiry, messaging app Telegram banned thousands of accounts used for money laundering in cryptocurrency scams. The takedowns included prominent names like Haowang Guarantee, a black market known for enabling $27 billion in transactions.

The acting director of the Consumer Financial Protection Bureau, Russell Vought, quietly eliminated a plan to more tightly regulate the sale of Americans’ sensitive personal data. CFPB had originally launched the initiative in response to increasingly far reaching and reckless behavior from data brokers. And with the rise of widely available generative AI services—and corresponding fraud—people are increasingly looking for ways to verify and vet their digital interaction online.

Meanwhile, ahead of Google’s Android 16 launch next week, the company announced expanded capabilities for its Android Scam Detection tool that uses local AI analysis to flag potential scam texts in Google Messages. The company also launched a new, extra-secure mode for Android 16, Advanced Protection, that will allow vulnerable or highly targeted users to lock their devices down and utilize advanced scanning features for catching potentially suspicious activity.

But there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Coinbase Discloses Costly Data Breach Impacting Less Than 1 Percent of Monthly Users**

The cryptocurrency exchange Coinbase said this week that it suffered a data breach in which attackers stole data including customers’ names, physical and email addresses, phone numbers, government IDs like driver’s licenses and passports, last four digits of Social Security numbers, and other financial information. The company said that “criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1 percent of Coinbase monthly transacting users.” The company said the attackers’ goal was to collect customer data to then contact those Coinbase users, impersonate Coinbase, and trick them into giving away their cryptocurrency. The attackers also contacted the company and attempted to extort the company for $20 million. Coinbase currently has about 9.7 million total users. The company said in an Securities and Exchange Commission breach disclosure notification that it expects that it will cost between $180 million and $400 million to remediate the breach and reimburse customers for stolen funds.

**12 More Indicted Over Crypto Heist Worth $263 Million**

A four-count superseding indictment charged 12 additional people this week in an alleged criminal spree including more than $263 million in cryptocurrency theft, money laundering, and even physical break-ins. Several suspects were arrested this week in California in connection with the case. The indictment accuses the defendants of using stolen cryptocurrency for things like $500,000 nights out at clubs, hundreds of thousands of dollars spent on luxury handbags, watches, and clothes, private jet rentals, and “a fleet of at least 28 exotic cars ranging in value from $100,000 to $3.8 million.” The superseding indictment also alleges that some defendants used shell companies to register their “exotic cars” and “shipped bulk cash through US mail to members of the enterprise hidden in squishmallow stuffed animals.”

**James Comey Investigated for Instagram Post of Seashells**

On Thursday, former FBI director James Comey posted and then deleted an Instagram photo of seashells arranged to spell out the numbers “8647” captioned: “Cool shell formation on my beach walk.” Within hours, Republicans fixated on the post, claiming it was a call to violence against Donald Trump, the United States’ 47th president. Now, the Department of Homeland Security and the Secret Service are investigating.

If you’ve ever worked in a restaurant, you’ve probably heard someone in the kitchen shout that an item is “86’d”—a colloquialism meaning the kitchen is out of a particular menu item, like a cheeseburger. While most people don’t interpret that as a threat of violence against the cheeseburger, that’s apparently not how the president and his allies understood Comey’s post.

On Thursday, Department of Homeland Security secretary Kristi Noem wrote on X that both the DHS and Secret Service were investigating. “Disgraced former FBI Director James Comey just called for the assassination of @POTUS Trump,” she wrote. Later that night on Fox News, Director of National Intelligence Tulsi Gabbard accused Comey of “issuing a hit” on Trump and argued he should be “put behind bars.”

"That meant assassination, and it says it loud and clear," Trump told Fox News in an interview referring to the post, on Friday. Trump survived two assassination attempts last year.

Comey addressed the backlash in a follow-up post on Instagram, writing: “I didn't realize some folks associate those numbers with violence. It never occurred to me, but I oppose violence of any kind, so I took the post down.”

Comey served as FBI director from 2013 until he was fired by President Trump in 2017 during an ongoing investigation into Russian interference in the 2016 election.

Coinbase Will Reimburse Customers Up to $400 Million After Data Breach

The Kaleidoscope ad fraud network uses a combination of legitimate and malicious apps, according to researchers.

Researchers have discovered a very versatile ad fraud network—known as Kaleidoscope—that bombards users with unskippable ads.

Normally, ad fraud is not a concern for users of infected devices. They might experience some sluggish behavior on their device, but often that’s the extent of it. Ad fraud is a type of scam aimed at companies, causing them to pay for advertisements that nobody actually sees or clicks on. Instead of real people viewing or clicking on ads, fraudsters use automated programs (bots) or other tricks to generate fake views, clicks, or interactions.

As a result, the advertising company pays for ads without receiving any real value in return. Users of infected devices usually don’t notice anything, since the malicious activity takes place in the background. This also helps the malware avoid detection.

However, the newly discovered ad fraud operation, dubbed Kaleidoscope, is different. Kaleidoscope targets Android users through seemingly legitimate apps in the Google Play Store, as well as malicious lookalikes distributed through third-party app stores.

Both versions of the app share the same app ID. Researchers found over 130 apps associated with Kaleidoscope, resulting in approximately 2.5 million fraudulent installs per month.

Advertisers believe they are paying for ads shown in the “legitimate” app, while users who download versions from third-party app stores are bombarded with the same ads—but they can’t skip them. Because both apps use the same app ID, advertisers never know the difference.

Kaleidoscope is very similar to, and appears to be built on, the CaramelAds ad fraud network, which also used duplicate apps and shares similarities in code and underlying infrastructure.

The researchers explain:

> “The malicious app delivers intrusive out-of-context ads under the guise of the benign app ID in the form of full-screen interstitial images and videos, triggered even without user interaction.”

**How to protect your device**

Google Play Protect automatically protects users against apps that engage in malicious behavior. As a result, the researchers didn’t find any malicious Kaleidoscope versions on the Google Play Store.

To keep your devices free from ad fraud related malware:

*   Get your apps from the Google Play store whenever you can.
*   Be careful about the permissions you allow a new app. Does it really need those permissions for what it’s supposed to do? In this case the “Display over other apps” should raise a red flag.
*   Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads as they push them to the device’s notification bar.
*   Use up-to-date and active security software on your Android.

Malwarebytes detects malware from the Kaleidoscope family as **Adware.AdLoader.EXTNXN**.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android users bombarded with unskippable ads 

A new extra-secure mode for Android 16 will let at-risk users lock their devices down.

With the rise of mercenary spyware and other targeted threats, tech giants like Apple, Google, and Microsoft have spent the last few years trying to figure out how to protect the digital lives of their most at-risk, vulnerable users around the world. On mobile, the launch of Apple's iOS Lockdown Mode in 2022 was one concerted effort to shed nonessential functionality in favor of maximum security—a trade-off most users wouldn't want to make, but that could be very worth it for a public figure, activist, journalist, or dissident living under daily scrutiny and threat of attack. For years, Google has offered a program for a similar demographic called Advanced Protection that focuses on adding additional layers of monitoring and security to vulnerable users' Google accounts, a core piece of many people's digital lives that could be devastating if compromised. Now, Google is extending Advanced Protection with a suite of features for Android 16.

On Tuesday, the company announced an Advanced Protection mode for phones running the newest version of Android. At its core, the mode is designed around imposing strong security settings on all apps and services to silo data as much as possible and reduce interactions with unsecured web services and previously unknown, untrusted individuals. Advanced Protection on Android is meant to be as usable and flexible as possible, though, leaning on Google's rapidly expanding on-device AI scanning capabilities to provide monitoring and alerts without having to completely eliminate features. Still, the mode imposes restrictions that can't be turned off, like blocking phones from connecting to historic 2G data networks and disabling Chrome's Javascript optimizer, which could alter or break some web functionality on some sites.

“There are two classes of things that we use to defend the user. One is you obviously harden the system, so you try to lock things down, you prevent many forms of attacks," says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. "But two is you can't always prevent every attack entirely. But if you can detect that you've been compromised, you can take some sort of corrective action. In consumer security on mobile this detection has never really been a possibility, so that's one of the big things we've done here."

This monitoring and detection capability, known as Intrusion Logging, uses end-to-end encryption to indelibly store logs from your device in the cloud such that they can't be accessed by Google or any party aside from you, but also in a form that can't be deleted or modified, even if your device and Google account are compromised.

Logging and system monitoring tools are common on laptops and desktops—not to mention in enterprise IT environments—but offering the capabilities for consumers on mobile devices is more unusual. As with any scheme that takes data off a device and puts it in the cloud, the system does introduce some new risks, but Google and Google Cloud Services already run many end-to-end encrypted platforms for users, and Kleidermacher notes that the ability to create indelible logs that can't be manipulated or deleted by a sophisticated attacker is invaluable in addressing targeted attacks.

“The main innovation here is you have an audit log mechanism to detect compromise that is actually resistant to device tampering,” he says. “It's bringing intrusion detection to the consumer. So if you as a consumer suspect a problem and you're not sure, you can pull the logs down from the cloud. You can share them with a security expert, you can share them with an NGO, and they can use tools for analysis.”

Another feature that is on by default and can't be turned off in Advanced Protection is Android's Memory Tagging Extension (MTE). The feature, which debuted for Google's Pixel line and is starting to be adopted in processors on other devices, is a hardware security protection related to how a system manages its memory. If an attacker attempts to exploit a memory vulnerability such as a so-called buffer overflow, MTE will cause the process to fail, stopping the attack in its tracks. Memory corruption bugs are a common tool used by hackers, so neutering the entire class of vulnerabilities makes it much more difficult to attack a device.

Most Advanced Protection features will launch next week with Android 16, but Google says that Intrusion Logging is coming later this year along with features like USB protections that will prevent untrusted peripherals from using your phone's charging port for data transfers. And Google is also offering an API for integrating Advanced Protection directly into third-party apps. When a user turns Advanced Protection on, Android will impose enhanced defenses broadly across the operating system, but third-party integration will enable deeper defenses within non-Google apps.

“You want to prevent as much as you can, and a lot of these features are locking down the phone in ways that will make some attacks just much, much harder for attackers, more expensive, or even impossible,” Kleidermacher says.

Courtesy of Google

Google’s Advanced Protection for Vulnerable Users Comes to Android

Android’s “Scam Detection” protection in Google Messages will now be able to flag even more types of digital fraud.

Digital scammers have never been so successful. Last year Americans lost $16.6 billion to online crimes, with almost 200,000 people reporting scams like phishing and spoofing to the FBI. More than $470 million was stolen in scams that started with a text message last year, according to the Federal Trade Commission. And as the biggest mobile operating system maker in the world, Google has been scrambling to do something, building out tools to warn consumers about potential scams.

Ahead of Google’s Android 16 launch next week, the company said on Tuesday that it is expanding its recently launched AI flagging feature for the Google Messages app, known as Scam Detection, to provide alerts on potentially nefarious messages like possible crypto scams, financial impersonation, gift card and prize scams, technical support scams, and more. Combined with other AI security features for Google Messages—all of which run locally on users’ devices and do not share data or message content with the company—Android is now detecting roughly 2 billion suspicious messages a month.

“The fraud is truly heartbreaking,” says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. “There’s really a very huge amount—almost epidemic and a scourge to humanity—of financial scams that are all across the world.”

Scammers operate all over the world, but Chinese scam groups particularly are behind millions of fraudulent messages, demanding things like “toll” payments or information for alleged postal service deliveries. When people click the links and enter their details, including payment information, scammers steal their data. In some cases, the scams are designed as a sort of smash-and-grab, where attackers quickly trick users into giving up some crumbs of information, like a pair of login credentials or a credit card number. These scams tend to be more formulaic and are potentially easier to detect. The more complex challenge is in detecting highly involved investment or romance scams—often called pig butchering scams—that build and evolve over months of messaging while scammers build a rapport with their targets before tricking them into handing over their life savings or even going into debt to send more money.

“It takes time for them to get to the scam—it’s not just click on the link,” Kleidermacher says. “By having the AI on-device, you can actually watch and observe these more sophisticated conversations and then detect their scams.”

Courtesy of Google

Courtesy of Google

In a screenshot of the Scam Detection feature provided by Google, an encrypted RSC chat shows a typical scam message saying an EZ Pass toll payment is outstanding. The message adds that the “legal ability” to drive may be revoked if the payment is not made. The message includes a link that directs someone toward a malicious payment website. The Scam Detection overlay at the bottom of the screen says that “suspicious activity” has been detected in the message and offers a way to report and block the sender, alongside an option that allows people to flag that it is not a scam.

Google is far from the only company using AI to try to combat scammers and stop them from reaching people’s inboxes. Some have turned to using AI to directly fight back against scammers. The British telecom company O2, for example, created an “AI Granny” that is set up to keep scammers on the phone and waste their time. And the online scam baiter Kitboga has created a series of bots to make simultaneous calls to call centers that run scams.

Meanwhile, in recent months, Meta, which owns WhatsApp, Messenger, and Instagram, has started to introduce pop-up warnings when people are asked to make payments in chat messages. Elsewhere, cybersecurity company F-Secure has created a beta tool to help people identify if a message and sender are likely scammers and block messages. Putting a layer of friction in place that nudges people away from messaging accounts they don’t know or replying to messages asking for details can reduce the chances that scammers are successful.

Google’s Kleidermacher says that the company is seeing “really positive impact” from using its machine learning systems to detect potential scam messages in real time. As the protections continue to mature, he notes that the underlying system could eventually proliferate beyond just the Google Messages app into third-party communication platforms.

For now, some of that expansion is starting within Google’s own products. The company also said on Tuesday that it is in the early phases of testing ways to incorporate scam detection for phone calls, but the capability has not been widely deployed.

Google Is Using On-Device AI to Spot Scam Texts and Investment Fraud

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and…

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.

Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.

Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.

The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.

Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.

> _“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”_
> 
> _Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024._

This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.

Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.

“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”

The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.

For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.

Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.

Roblox Corporation has not issued a public statement in response to the lawsuit as of publication.

Roblox Lawsuit Claims Hidden Tracking Used to Monetize Kids Data

Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

Google has expressed plans to use Artificial Intelligence (AI) to stop tech support scams in Chrome.

With the launch of Chrome version 137, Google plans to use the on-device Gemini Nano large language model (LLM) to recognize and block tech support scams.

Users already have the ability to chose Enhanced Protection under **Settings > Privacy and security > Security > Safe Browsing.**

Safe Browsing settings

Google’s reasoning, and we agree, is that LLMs are fairly good at understanding and classifying the varied, complex nature of websites. Meaning that, since many malicious sites have a very short lifespan, it is more effective to learn and recognize their behavior rather than keep adding a host of domain names to a block-list (something which Google has frustrated with the introduction of Manifest V3, by the way).

Tech support scams typically follow a certain pattern that should be simple to learn:

*   They make your browser tab full screen
*   Display the number they want you to call all over the place
*   Show the visitor fake ongoing scans and alerts

These are just a few of the characteristics I’d teach the LLM. I’m not speaking for Google here. They just mention they’ll be looking at usage of the Keyboard Lock API.

On that, the Keyboard Lock API is a web technology that allows websites to “capture” keyboard input, meaning they can prevent certain key combinations (or all keys) from working as they normally do in your browser or operating system. Originally, this tool was designed for legitimate purposes, like making web games or remote desktop apps more immersive by stopping accidental key presses from interrupting the experience. But tech support scammers exploit the Keyboard Lock API to make it harder for victims to escape their scam pages. This means that when a visitor tries to close the scam page or switch to another program, nothing happens, making them feel trapped on the site. Which also makes them think their system is actually infected.

Google explains why it went for the on-device method, saying it allows them to see the threats at the same moment the users see them and in the same way the users see them.

> “We’ve found that the average malicious site exists for less than 10 minutes, so on-device protection allows us to detect and block attacks that haven’t been crawled before.”

**How it works**

When the user lands on a suspicious page, which is decided by the on-device LLM, based on specific triggers like the Keyboard Lock API, Chrome provides the LLM with the contents of the page that the user is on and queries it to extract security signals, such as the intent of the page. This information is then sent to a Safe Browsing server for a final verdict.

If Safe Browsing decides the website is malicious, Chrome will block the content and show the user a big warning screen, called an “interstitial.”

Image courtesy of Google

By making the target think their system is infected, tech support scammers try to gain remote access or obtain payment information. Google says:

> “Tech Support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data.”

Malwarebytes’ Browser Guard data over the last month shows that 30% of the fraudulent websites we blocked through the browser extensions are tech support scams.

30% of the three fraud categories are TSS

So, it’s nice of Google to let Chrome help us take care of some of those, but Chrome is not the only browser. We’re even hearing stories from users that ran into a website telling them their Windows machine was infected while they were using the Safari browser on their iPad.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google Chrome will use AI to block tech support scam websites 

Google on Thursday announced it's rolling out new artificial intelligence (AI)-powered countermeasures to combat scams across Chrome, Search, and Android.
The tech giant said it will begin using Gemini Nano, its on-device large language model (LLM), to improve Safe Browsing in Chrome 137 on desktops.
"The on-device approach provides instant insight on risky websites and allows us to offer

Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware. The ruling comes after a six-year legal case against the company after Meta accused it of misusing its servers to spy on users.

According to the original complaint against NSO Group, filed in October 2019, the spyware vendor used WhatsApp servers to send malware to around 1400 mobile phones. The purpose was to gain access to the messages on those devices, which were typically used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

NSO Group reverse engineered WhatsApp’s software and developed its own software and servers to send messages to victims via the WhatsApp service that contained malware. That malware installed itself on the victims’ smartphones using a zero-click attack, meaning that the victim didn’t have to take any action such as opening an link or even answering a call for the compromise to happen; it was enough simply for the message to arrive.

A judge ruled in December that NSO Group had repeatedly dodged requests to provide its code for review, and granted Meta partial summary judgment over the vendor. That set up conditions for a trial to determine damages that started in late April.

NSO Group reportedly argued that Facebook lost nothing as part of the attack, arguing that it should pay the minimum amount in damages. However, the jury awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

NSO Group is no stranger to controversy. The US federal government blacklisted it in 2021 for enabling foreign governments to spy on a range of people in acts of “transnational repression”. The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world. The European Data Protection Supervisor recommended an EU ban on the technology in 2022, although this has not yet happened.

The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta. The organization commented:

> “This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus,”

One takeaway stands out for our readers: end-to-end encryption is important for privacy, but it is not enough on its own.

As Meta pointed out in its complaint, NSO couldn’t decrypt WhatsApp messages in transit to users because they are encrypted when they’re sent from one device and stay unreadable until they’re decrypted by the receiving device. However, that doesn’t stop someone from reading the messages after they’re decrypted by the receiving device—someone who compromises your smartphone or PC has control over all of the data on it, including those decrypted messages.

For consumers, this means applying more layer of protection in the form of regular updates, security software, and cybersecurity awareness. Never open links, files, or videos from someone you don’t know. Be skeptical even if they’re from someone you do know—we recommend checking with them over a different channel first to ensure it was really them that sent it.

In this case, even that would not have enough, because NSO Group was able to infect phones without the victim even answering the call. Attacks this sophisticated often target people with sensitive roles such as journalists, activists, and government workers. Google has an advanced protection program for people like this, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp hack: Meta wins payout over NSO Group spyware 

CBP says it has “disabled” its use of TeleMessage following reports that the app, which has not cleared the US government’s risk assessment program, was hacked.

The United States Customs and Border Protection agency confirmed on Wednesday that it uses at least one communication app made by the service TeleMessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records-retention rules.

“Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure,” CBP spokesperson Rhonda Lawson tells WIRED. “The investigation into the scope of the breach is ongoing.”

President Donald Trump's now former national security adviser Mike Waltz was photographed last week using TeleMessage Signal during a cabinet meeting, and the photo seemed to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US director of national intelligence Tulsi Gabbard, and what appears to be US secretary of state Marco Rubio.

In the days since the photo was published, TeleMessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, TeleMessage—an Israeli company that completed an acquisition last year by the US-based company Smarsh—imposed a service pause on its products pending investigation.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement on Monday. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

WIRED contacted CBP about its potential use of the software after some data stolen from TeleMessage in one of the recent breaches indicated that CBP was potentially a customer.

US senator Ron Wyden called for the Department of Justice to investigate TeleMessage in a letter on Tuesday, alleging that the service is “a serious threat to US national security.” TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP. In his letter, Wyden referenced that “several federal agencies” use TeleMessage, asserting that the company “sold dangerously insecure communications software to the White House and other federal agencies.”

There is still no complete public accounting of US government officials and agencies that have used the software.

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage

A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.

The communication app TeleMessage Signal, used by at least one top Trump administration official to archive messages, has already reportedly suffered breaches that illustrate concerning security flaws and resulted in its parent company imposing a service pause this week pending investigation. Now, according to detailed new findings from the journalist and security researcher Micah Lee, TM Signal's archiving feature appears to fundamentally undermine Signal's flagship security guarantees, sending messages between the app and a user's message archive without end-to-end encryption, thus making users' communications accessible to TeleMessage.

Lee conducted a detailed analysis of TM Signal's Android source code to assess the app's design and security. In collaboration with 404 Media, he had previously reported on a hack of TM Signal over the weekend, which revealed some user messages and other data—a clear sign that at least some data was being sent unencrypted, or as plaintext, at least some of the time within the service. This alone would seem to contradict TeleMessage's marketing claims that TM Signal offers “End-to-End encryption from the mobile phone through to the corporate archive.” But Lee says that his latest findings show that TM Signal is not end-to-end encrypted and that the company could access the contents of users' chats.

“The fact that there are plaintext logs confirms my hypothesis,” Lee tells WIRED. “The fact that the archive server was so trivial for someone to hack, and that TM Signal had such an incredible lack of basic security, that was worse than I expected.”

TeleMessage is an Israeli company that completed its acquisition last year by the US-based digital communications archiving company Smarsh. TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP.

Smarsh did not return WIRED's requests for comment about Lee's findings. The company said on Monday, “TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”

Lee's findings are likely significant for all TeleMessage users but have particular significance given that TM Signal was used by President Donald Trump's now-former national security adviser Mike Waltz. He was photographed last week using the service during a cabinet meeting, and the photo appeared to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and what appears to be US Secretary of State Marco Rubio. TM Signal is compatible with Signal and would expose messages sent in a chat with someone using TM Signal, whether all participants are using it or some are using the genuine Signal app.

Lee found that TM Signal is designed to save Signal communication data in a local database on a user's device and then send this to an archive server for long-term retention. The messages, he says, are sent directly to the archive server, seemingly as plaintext chat logs in the cases examined by Lee. Conducting the analysis, he says, “confirmed the archive server has access to plaintext chat logs.”

Data taken from the TeleMessage archive server in the hack included chat logs, usernames and plaintext passwords, and even private encryption keys.

In a letter on Tuesday, US senator Ron Wyden called for the Department of Justice to investigate TeleMessage, alleging that it is “a serious threat to US national security.”

“The government agencies that have adopted TeleMessage Archiver have chosen the worst possible option,” Wyden wrote. “They have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats. The security threat posed by TeleMessage Archiver is not theoretical.”

Tag

#android