RenderDoc through 1.26 allows an Integer Overflow with a resultant Buffer Overflow (issue 1 of 2).

CVE-2023-33863

By Habiba Rashid
The massive and sophisticated mobile malware campaign has been operating undetected on Android devices across the globe for more than six months. 
This is a post from HackRead.com Read the original post: Global Malware Attack Imitates VPN and Security Apps on Android Phones

The malware-infected apps include a variety of industries, including gaming, anti-virus, VPN, tutorials, gaming, social media and many more.

Bitdefender, a leading cybersecurity company, has recently revealed the existence of a massive and sophisticated **mobile malware campaign** that has been operating undetected on Android devices across the globe for more than six months. 

The campaign, which poses a significant threat on a global scale, primarily aims to aggressively distribute adware to Android devices with the intention of generating revenue for the malicious actors involved.

However, the researchers warn that these threat actors have the capability to switch tactics, potentially redirecting users to more dangerous forms of malware such as **banking Trojans or ransomware**. So far, Bitdefender has identified over 60,000 unique apps carrying the adware, suggesting that there may be many more variants still lurking in the wild.

Here are the countries most impacted by the new malware campaign:

*   United States 55.27%
*   South Korea 9.8%
*   Brazil 5.96%
*   Germany 2.93%
*   United Kingdom 2.71%
*   France 2.56%
*   Kazakhstan 2.5%
*   Romania 2.41%
*   Italy 1.93%
*   Other 12.19%

One of the remarkable aspects of this malware campaign is its longevity, as it has remained active since at least October 2022. The absence of behaviour-based detection capabilities on Android has enabled the malware to **evade detection** for such an extended period. Moreover, the sheer number of unique samples discovered strongly indicates that the operation is largely automated.

What sets this malware campaign apart is its distribution strategy. The malicious apps are not present in official app stores, requiring the perpetrators to convince users to download and install third-party applications. To accomplish this, the threat actors have disguised their malicious software as highly sought-after apps that are typically not found in official stores or have mimicked legitimate applications available on the **Play Store**. 

The apps imitate various popular categories, including game cracks, unlocked game features, **free VPNs**, fake videos, Netflix, fake tutorials, ad-free versions of YouTube/TikTok, cracked utility programs, and fake security programs. Here is the full list shared by the researchers:  

*   Netflix
*   Free VPN
*   Fake videos
*   Fake tutorials
*   Game cracks
*   Fake security programs
*   YouTube/TikTok without ads
*   Games with unlocked features
*   Cracked utility programs: weather, pdf viewers, etc

The distribution of this malware occurs organically when users search for these specific types of apps, cracks, or mods. Websites dedicated to offering modded apps have become popular platforms for such distribution. When a user visits a website through a Google search for a “modded” app, they may be redirected to a deceptive page hosting the malware disguised as a legitimate download for the desired mod.

Bitdefender’s researchers have discovered the malware’s sophisticated techniques to remain hidden and ensure its persistence on infected devices. By not registering any launchers during installation, the malware avoids displaying an app icon on the device’s launcher.

The malware also employs a special packer that utilizes the SQLCipher package to encrypt its malicious content. Bitdefender’s technical **blog post** includes further details about the infection process.

To protect Android devices from this widespread malware campaign and similar threats, it is crucial to employ a robust security solution capable of detecting and preventing such attacks.

Users are strongly advised against downloading apps from third-party app stores or websites, as these platforms pose a **higher risk of malware infection**. It is always safest to stick to official app stores for app downloads.

**RELATED ARTICLES**

1.  Hackers Leak i2VPN Admin Credentials on Telegram
2.  MaliBot Android Malware Stealing Personal, Banking Data
3.  Play Store Apps Caught Spreading Android Malware to Millions
4.  Evolving Toll Fraud Android Malware Draining Wallets, Microsoft
5.  Goldoson Malware Seen in 60 Android Apps with 100M Downloads

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Global Malware Attack Imitates VPN and Security Apps on Android Phones

An issue was discovered in Anyka Microelectronics AK3918EV300 MCU v18. A command injection vulnerability in the network configuration script within the MCU's operating system allows attackers to perform arbitrary command execution via a crafted wifi SSID or password.

Download PDF

> Abstract: Hidden cameras, also called spy cameras, are surveillance tools commonly used to spy on people without their knowledge. Whilst previous studies largely focused on investigating the detection of such a camera and the privacy implications, the security of the camera itself has received limited attention. Compared with ordinary IP cameras, spy cameras are normally sold in bulk at cheap prices and are ubiquitously deployed in hidden places within homes and workplaces. A security compromise of these cameras can have severe consequences. In this paper, we analyse a generic IP camera module, which has been packaged and re-branded for sale by several spy camera vendors. The module is controlled by mobile phone apps. By analysing the Android app and the traffic data, we reverse-engineered the security design of the whole system, including the module's Linux OS environment, the file structure, the authentication mechanism, the session management, and the communication with a remote server. Serious vulnerabilities have been identified in every component. Combined together, they allow an adversary to take complete control of a spy camera from anywhere over the Internet, enabling arbitrary code execution. This is possible even if the camera is behind a firewall. All that an adversary needs to launch an attack is the camera's serial number, which users sometimes unknowingly share in online reviews. We responsibly disclosed our findings to the manufacturer. Whilst the manufacturer acknowledged our work, they showed no intention to fix the problems. Patching or recalling the affected cameras is infeasible due to complexities in the supply chain. However, it is prudent to assume that bad actors have already been exploiting these flaws. We provide details of the identified vulnerabilities in order to raise public awareness, especially on the grave danger of disclosing a spy camera's serial number.

**Submission history**

From: Samuel Herodotou \[view email\]  
**\[v1\]** Thu, 1 Jun 2023 12:26:52 UTC (6,461 KB)

CVE-2023-30400: Spying on the Spy: Security Analysis of Hidden Cameras

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps to redirect users to serve unwanted ads to users as part of a campaign ongoing since October 2022.
"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However,

Mobile Security / Malvertising

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps to redirect users to serve unwanted ads to users as part of a campaign ongoing since October 2022.

"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to

redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware."

The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy.

It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, security software, and cracked versions of YouTube on a search engine are redirected to an ad page hosting the malware.

The apps, once installed, have no icons or names in a bid to evade detection. What's more, users launching an app for the first time after installation are displayed the message "Application is unavailable in your region from where the app serves. Tap OK to uninstall," while stealthily activating the malicious activity in the background.

The modus operandi is another area of note wherein the adware behavior remains dormant for the first few days, after which it's awakened when the victim unlocks the phone in order to serve a full-screen ad using Android WebView.

The findings come as cybersecurity firm CloudSEK disclosed it had identified the rogue SpinOK SDK – which was revealed by Doctor Web last month – in 193 apps on the Google Play Store that have been downloaded 30 million times.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini-games and tasks to win alleged rewards. But peer inside, the trojan harbors functionalities to steal files and replace clipboard contents.

In a related development, the SonicWall Capture Labs Threat research team also unearthed another strain of Android malware that impersonates legitimate apps to harvest a wide range of information from compromised handsets by abusing the operating system's accessibility services.

"These features allow the attacker to access and steal valuable information from the victim's device, which can lead to various types of fraud, including financial fraud, and identity theft," SonicWall said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices

In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588531; Issue ID: ALPS07588531.

CVE-2023-20727: June 2023

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

CVE-2023-33733: Cure53 – Fine penetration tests for fine websites

Categories: News
Tags: week in security

A list of topics we covered in the week of May 29 - June 4 of 2023



(Read more...)




The post A week in security (May 29 - June 4) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

iPhone Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (May 29 - June 4)

By Habiba Rashid
The dark web search feature enables users to scan for their Gmail address on the dark web and receive guidance on online protection.
This is a post from HackRead.com Read the original post: Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID

For now, the dark web report is only available for most Google Accounts in the United States; however, access will also expand to more than 20 countries in the coming months.

Last month, Hackread.com reported that Google had started offering dark web monitoring for Gmail users in the United States. Now, the tech and search engine giant has announced the release of its latest Android feature drop, introducing several new enhancements and functionalities for Google-powered smartphones, tablets, and smartwatches.

Among the notable additions is the ability to search the dark web for Gmail addresses, expanded accessibility features for Google Books, and updates for Wear OS devices.

In the blog post detailing the feature drop, Google mentions that the dark web search feature, which enables users to scan for their Gmail address on the dark web and receive guidance on online protection, is now available for Google account holders in the United States.

The company also plans to expand this feature to include 20 more countries in the coming months, with the United Kingdom expected to be among them.

Younger readers using Google Books will benefit from a new reading practice feature. Books marked with the Practice badge will allow readers to hear the correct pronunciation of unusual words, enabling them to practice pronunciation effectively.

Google has also introduced three new home screen widgets for Android phones and tablets. These widgets provide personalized recommendations from Google TV, Google Finance, and Google News, enhancing the user experience by delivering relevant and tailored content.

The Spotify Wear OS app has received an update to incorporate the recently-launched Spotify DJ feature. This AI-powered function offers users a curated selection of streaming content along with a DJ who provides explanations and insights into the chosen songs or podcasts. Additionally, the app includes new tiles and watch face shortcuts for convenient access to Spotify on Wear OS devices.

In terms of Wear OS enhancements, users can now access Google Keep notes quickly through pinned lists. Furthermore, the Gboard keyboard app now offers new aquatic-themed emoji mashups, adding a touch of creativity and fun to text messaging.

While the Android feature drop delivers exciting updates, Google is also preparing for the anticipated release of Android 14 later this year. The company has been relatively quiet about the upcoming operating system, which is currently in beta, but it is expected to roll out to the public in August 2023.

**RELATED ARTICLES**

1.  On Dark Web Your Facebook ID is worth $5.20 & Gmail ID $1
2.  1 Million Decrypted Gmail & Yahoo Accounts Sold on Dark Web
3.  DarkBERT AI: Enhancing Cybersecurity Efforts on the Dark Web

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID

An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.

Sorry, I can't find "_1816158?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-29543: Invalid Bug ID

Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. <br>*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111.

Sorry, I can't find "_1810705?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#android