With Microsoft’s announcement on Nov. 2 of its support for Azure AD Certificate-based authentication (CBA) for both iOS and Android devices, Yubico is excited to share that the YubiKey is currently the only external device that supports CBA on Android and iOS. Plus, the YubiKey is the only FIPS certified phishing-resistant solution available for Azure AD on mobile.

Yubico worked closely with Microsoft to ensure CBA on mobile became a reality.

Microsoft’s new support provides users with the same convenient smart card authentication method on mobile devices that they have on their desktops. CBA has been a staple of governments and high security environments for decades, long before the invention of FIDO U2F and FIDO2, mostly due to its reliability and effectiveness in physical environments. With Executive Order 14028 on Improving the Nation's Cybersecurity, the adoption of CBA and other phishing-resistant multi-factor authentication methods are mandated for civilian federal agencies in the US.

CBA is widely deployed across many industries, and remains a favorite amongst security experts. For some organizations, it is the logical choice from the available Azure offerings. With this announcement, customers can now use CBA on their mobile devices using native Azure AD CBA. When using native Azure AD CBA, organizations can reduce their existing infrastructure and move it into the cloud. Azure AD CBA capabilities can also be combined with Conditional Access policies so admins can enforce phishing-resistant sign-in methods.

CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt.

“Yubico has been a driving force in working with our teams to build this solution that allows Microsoft customers to securely log into their Microsoft accounts on their iPhone or Android mobile device. This is a big win for us, Yubico, and most importantly our federal government customers,” said Sue Bohn, Vice President of Product Management for Microsoft’s Identity and Network Access (IDNA) group.

Setting up CBA on Azure requires some basic configuration steps within Azure AD and installation of the Microsoft Authenticator app on Android or iOS/iPadOS. The Yubico Authenticator app is also needed on iOS/iPadOS. The PIV credential must be set up independently from the Azure solution. Your existing YubiKey PIV/smart card issuance process does not need to change.

Also, with the new Conditional Access authentication strength policies, you can enforce CBA as the required sign-in mechanism.

Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and committed to providing phishing-resistant authentication solutions based on FIDO2 and certificate-based authentication standards.

**Learn more**

Microsoft's mobile certificate-based solution coupled with the YubiKey is a simple, convenient, FIPS certified phishing-resistant MFA methods for organizations, and we’re excited to share additional details and best practices during our upcoming webinar, _New solutions to prevent phishing with Azure AD and YubiKeys_ on November 3rd at 9 am PT, register here to attend.

Certificate-Based Authentication With YubiKeys for Microsoft, Third-Party, and Web Applications Now Available on iOS and Android

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Whether you run IT for a massive organization or simply own a smartphone, you're intimately familiar with the unending stream of software updates that constantly need to be installed because of bugs and security vulnerabilities. People make mistakes, so code is inevitably going to contain mistakes—you get it. But a growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity.

There are fads in programming languages, and new ones come and go, often without lasting impact. Now 12 years old, Rust took time to mature from the side project of a Mozilla researcher into a robust ecosystem. Meanwhile, the predecessor language C, which is still widely used today, turned 50 this year. But because Rust produces more secure code and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support.

“It’s going viral as a language,” says Dave Kleidermacher, vice president of engineering for Android security and privacy. “We’ve been investing in Rust on Android and across Google, and so many engineers are like, ‘How do I start doing this? This is great.’ And Rust just landed for the first time as an officially recognized and accepted language in Linux. So this is not just Android; any system based on Linux now can start to incorporate Rust components.”

Rust is what's known as a “memory-safe” language because it's designed to make it impossible for a program to pull unintended data from a computer's memory accidentally. When programmers use stalwart languages that don't have this property, including C and C++, they have to carefully check the parameters of what data their program is going to be requesting and how—a task that even the most skilled and experienced developers will occasionally botch. By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.

A program's memory is a shared resource used by all of its features and libraries. Imagine a calendar program written in a language that isn't memory-safe. You open your calendar and then request entries for November 2, 2022, and the program fetches all information from the area of your computer's memory assigned to store that date’s data. All good. But if the program isn't designed with the right constraints, and you request entries for November 42, 2022, the software, instead of producing an error or other failure, may dutifully return information from a part of the memory that's housing different data—maybe the password you use to protect your calendar or the credit card number you keep on file for premium calendar features. And if you add a birthday party to your calendar on November 42, it may overwrite unrelated data in memory instead of telling you that it can't complete the task. These are known as “out-of-bounds” read and write bugs, and you can see how they could potentially be exploited to give an attacker improper access to data or even expanded system control.

Another common type of memory-safety bug, known as “use-after-free,” involves a situation where a program has given up its claim to a portion of memory (maybe you deleted all your calendar entries for October 2022) but mistakenly retains access. If you later request data from October 17, the program may be able to grab whatever data has ended up there. And the existence of memory-safety vulnerabilities in code also introduces the possibility that a hacker could craft, say, a malicious calendar invitation with a strategically chosen date or set of event details designed to manipulate the memory to grant the attacker remote access.

These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant.

“Memory-safety issues are responsible for a huge, huge percentage of all reported vulnerabilities, and this is in critical applications like operating systems, mobile phones, and infrastructure,” says Dan Lorenc, CEO of the software supply-chain security company Chainguard. “Over the decades that people have been writing code in memory-unsafe languages, we’ve tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work. So you need a new technology that just makes that entire class of vulnerabilities impossible, and that’s what Rust is finally bringing to the table.”

Rust is not without its skeptics and detractors. The effort over the last two years to implement Rust in Linux has been controversial, partly because adding support for any other language inherently increases complexity, and partly because of debates about how, specifically, to go about making it all work. But proponents emphasize that Rust has the necessary elements—it doesn't cause performance loss, and it interoperates well with software written in other languages—and that it is crucial simply because it meets a dire need.

“It’s less that it’s the right choice and more that it’s ready,” Lorenc, a longtime open-source contributor and researcher, says. “There are no real alternatives right now, other than not doing anything, and that’s just not an option anymore. Continuing to use memory-unsafe code for another decade would be a massive problem for the tech industry, for national security, for everything.”

One of the biggest challenges of the transition to Rust, though, is precisely all the decades that developers have already spent writing vital code in memory-unsafe languages. Writing new software in Rust doesn't address that massive backlog. The Linux kernel implementation, for example, is starting on the periphery by supporting Rust-based drivers, the programs that coordinate between an operating system and hardware like a printer.

“When you’re doing operating systems, speed and performance is always top-of-mind, and the parts that you’re running in C++ or C are usually the parts that you just can’t run in Java or other memory-safe languages, because of performance,” Google's Kleidermacher says. “So to be able to run Rust and have the same performance but get the memory safety is really cool. But it’s a journey. You can’t just go and rewrite 50 million lines of code overnight, so we’re carefully picking security-critical components, and over time we’ll retrofit other things.”

In Android, Kleidermacher says a lot of encryption-key-management features are now written in Rust, as is the private internet communication feature DNS over HTTPS, a new version of the ultra-wideband chip stack, and the new Android Virtualization Framework used in Google's custom Tensor G2 chips. He adds that the Android team is increasingly converting connectivity stacks like those for Bluetooth and Wi-Fi to Rust because they are based on complex industry standards and tend to contain a lot of vulnerabilities. In short, the strategy is to start getting incremental security benefits from converting the most exposed or vital software components to Rust first and then working inward from there. 

“Yes, it’s a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. “Problems that are merely a lot of work are great."

As Rust makes the transition to mainstream adoption, the case for some type of solution to memory-safety issues seems to get made again and again every day. Just this week, a high-criticality vulnerability in the ubiquitous secure communication library OpenSSL could have been prevented if the mechanism were written in a memory-safe language. And unlike the notorious 2014 OpenSSL vulnerability Heartbleed, which lurked unnoticed for two years and exposed websites across the internet to data interception attacks, this new bug had been introduced into OpenSSL in the past few months, in spite of efforts to reduce memory-safety vulnerabilities.

“How many people right now are living the identity-theft nightmare because of a memory-safety bug? Or on a national security level, if we’re worried about cyberattacks on the United States, how much of that threat is on the back of memory-safety vulnerabilities?” Aas says. “From my point of view, the whole game now is just convincing people to put in the effort. Do we understand the threat well enough, and do we have the will.”

The Rise of Rust, the ‘Viral’ Secure Programming Language That’s Taking Over Tech

By Waqas
The spyware is delivered through a malicious VPN app, and the preferred targets of attackers are Persian-speaking Baháʼí Faith practitioners. 
This is a post from HackRead.com Read the original post: SandStrike Spyware Infecting Android Devices through VPN Apps

Did you know **38% of VPN apps** on Google Play Store are plagued with malware? Nonetheless, the IT security researchers at Kaspersky have discovered that threat actors are increasingly relying on SandStrike spyware that is specifically impacting Android devices.

The spyware is delivered through a **malicious VPN app**, and the preferred targets of attackers are Persian-speaking Baháʼí Faith practitioners. It is the name of a religion practiced mainly in the Middle East, particularly in Iran.

**How SandStrikes Infect Devices**

The previously undocumented spyware campaign was detected to be disguised as a harmless-looking VPN app, which is marketed as a potent method of **bypassing censorship** of religious content in certain parts of the Middle East.

For distributing SandStrike through the malicious VPN app, threat actors have set up Facebook and Instagram accounts boasting over 1,000 followers. These pages are designed with attention-grabbing religious content to trap those who adhere to the religion. Most of these accounts contain a **Telegram** channel link owned by the attacker.

Unsuspecting users download links to the malicious app, and SandStrike spyware also gets installed. Once on the device, it scans it for sensitive data and extracts the information from the attacker-controlled servers. The campaign is yet to be attributed to a specific threat actor/group.

**What Data Does SandStrike Target?**

SandStrike targets diverse data types, including call logs and contact lists, and monitors the victim’s device to keep track of the victim’s activities. The company noted in its **APT trends report for Q3 2022** that the SandStrike spyware is distributed to access resources about the Bahá’í religion, which is banned in Iran.

**Stay Protected from Such Threats**

For businesses and government organizations, the use of **threat intelligence** has become increasingly important in recent years as the landscape of cyber threats has shifted and evolved.

Attackers are now more sophisticated and organized, and they are using more sophisticated methods to launch attacks. This has made it more difficult for traditional security defenses to keep up.

Threat intelligence can help organizations stay ahead of the curve by providing them with information about the latest threats and trends. This information can be used to improve security defenses and help organizations respond quickly to new attacks.

Organizations that use threat intelligence can stay one step ahead of attackers and protect themselves from the latest malware threats. By understanding the latest trends and techniques, they can develop better defenses and response plans to keep their systems safe.

For unsuspected users, it is a fact that in recent years, the number of spyware programs has increased dramatically, making it more important than ever for computer and smartphone users to know how to protect themselves.

While most people are aware of the need to **install antivirus and anti-malware software**, they may not realize that these programs do not always provide adequate protection against spyware.

There are a few simple steps that every user can take to protect themselves from spyware. First, be careful about what you download and install on your computer. Many spyware programs are installed without the user’s knowledge or consent when they visit malicious websites or download infected files.

Second, keep your software up to date. Both your operating system and your applications should be kept up to date with the latest security patches. Spyware authors are constantly finding new ways to exploit vulnerabilities, so it’s important to have the latest security fixes installed.

**Use VirusTotal**

**VirusTotal** is a free virus, malware, and URL online scanning service. It is one of the most popular online services used by computer users to scan files and URLs for viruses, malware, and malicious content.

VirusTotal scans files and URLs using over 50 antivirus engines and URL scanners. If a file or URL is detected by at least one scanner, it is considered malicious. VirusTotal also aggregates and analyses information from other sources, such as user comments and offense reports. This allows users to see if a file or URL has been reported as malicious by other users.

Fake VPN website delivering password-stealing malware

What is a VPN and what does data logging by a VPN means?

Popular free Android VPN apps on Play Store contain malware

This malware hides behind free VPN, pirated security software keys

Hackers clone ProtonVPN website to drop password stealer malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

SandStrike Spyware Infecting Android Devices through VPN Apps

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.
According to Malwarebytes, the websites are designed to generate

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.

The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.

According to Malwarebytes, the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware.

The list of apps is as follows -

*   Bluetooth App Sender (com.bluetooth.share.app) - 50,000+ downloads
*   Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) - 1,000,000+ downloads
*   Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) - 10,000+ downloads
*   Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) - 1,000+ downloads

It's no surprise that malicious apps have devised new ways to get past Google Play Store security protections. One of the more popular tactics adopted by threat actors is to introduce time-based delays to conceal their malicious behavior.

Malwarebytes' analysis found the apps to have an approximately four-day waiting period before opening the first phishing site in Chrome browser, and then proceed to launch more tabs every two hours.

The apps are part of a broader malware operation called HiddenAds, which has been active since at least June 2019 and has a track record of illicitly earning revenues by redirecting users to advertisements.

The findings also come as researchers from Guardio Labs disclosed details of a malvertising campaign dubbed Dormant Colors that leverages rogue Google Chrome and Microsoft Edge extensions to hijack user search queries to an actor-controlled domain.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites

By Deeba Ahmed
The OpenSSL vulnerability was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations. 
This is a post from HackRead.com Read the original post: OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

On Thursday, October 27th, 2022, OpenSSL cryptography library developers issued a pre-warning about an upcoming critical update on Tuesday, November 1st to address a high-severity vulnerability. Now, the fix has been released.

It is worth noting that earlier the vulnerability was thought to be the worst ever since **Heartbleed in 2014**.

**What is OpenSSL?**

OpenSSL is an important software library used by servers and apps for data encryption over the internet and networks. It is basically an open-source implementation of the TLS and SSL cryptographic protocols to ensure secure communications. Such as you can see a lock button on the left side of your web address when you are surfing the net on your browser. That’s what OpenSSL does.

**2 Vulnerabilities Identified in OpenSSL**

For your information, Infosec researchers detected two bugs in the OpenSSL platform. As per OpenSSL’s **security advisory**, the first flaw is tracked as **CVE-2022-3602**. It could be exploited with a maliciously long email ID verified with an encryption X.509 certificate to overflow 4 threat actors-controlled bytes on the stack, which will force the app or server to crash or lead to remote code execution if the certificate is validated.

However, this needs a CA to sign the malicious certificate or the app to continue certificate verification even if it fails to create a path to a trusted issuer. If the attacker gains control, they can set up the stack to use the overwritten byes for hijacking the program flow. 

The second bug, also a high-severity vulnerability, is tracked as, **CVE-2022-3786** and is fixed in OpenSSL version 3.0.7. Just like the first one, it triggers a buffer overflow, leading to crashing the app or server after the certificate is signed/accepted. The attacker may craft a malicious email ID in the certificate to overflow an “arbitrary number of bytes containing the ‘.’ character (decimal 46) on the stack,” resulting in a crash and denial of service, the advisory read.

**Details of the Patch**

Project maintainers had warned about the OpenSSL vulnerability last week that was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations.

However, developers were sure that the bug was unlikely to allow remote code execution. That’s why it was downgraded to high severity on November 1st, 2022 because it couldn’t be exploited through remote code executions in common situations, which is a significant criterion for critical vulnerabilities. The team has not issued a detailed explanation of the patch but it has urged users to apply the patch as necessary. 

**Assessing the Bugs**

As per the IT security researcher **Marcus Hutchins**, both bugs impacted a “small subset of OpenSSL deployments.” This includes software using version 3.0.0-3.0.6. Operating systems, apps, and servers using these versions must be upgraded to OpenSSL 3.0.7 to fix the bugs.

“Due to the fact OpenSSL 3.0.0 was released in September 2021, it is far less widespread than previous versions. Given the very recent release date, older appliances with hardcoded OpenSSL versions are unlikely to be vulnerable,” Hutchins noted in his **blog post.**

1.  **GitHub fixes critical Flaw that exposed repositories to attackers**
2.  **AttachMe – Oracle Patches “Severe” Flaw in its Cloud Infrastructure**
3.  **Critical Flaw in GPS Tracker Lets Hackers Remotely Control Vehicles**
4.  **Critical Amazon Ring Vulnerability Could Expose Camera Recordings**
5.  **Critical vulnerability allowed hackers to hijack Firefox Android browser**

OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application.
Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker SandStrike. It has not been attributed to any particular threat group.
"SandStrike is distributed as a means to access resources about the Bahá'í religion

A previously undocumented Android spyware campaign has been found striking Persian-speaking individuals by masquerading as a seemingly harmless VPN application.

Russian cybersecurity firm Kaspersky is tracking the campaign under the moniker **SandStrike**. It has not been attributed to any particular threat group.

"SandStrike is distributed as a means to access resources about the Bahá'í religion that are banned in Iran," the company noted in its APT trends report for the third quarter of 2022.

While the app is ostensibly designed to provide victims with a VPN connection to bypass the ban, it's also configured to covertly siphon data from the victims' devices, such as call logs, contacts, and even connect to a remote server to fetch additional commands.

The booby-trapped VPN service, while fully functional, is said to be distributed via a Telegram channel controlled by the adversary.

Links to the channel are also advertised on fabricated social media accounts set up on Facebook and Instagram for the purpose of luring potential victims into downloading the app.

According to an Amnesty International report published in August 2022, Iran's Ministry of Intelligence has arrested at least 30 members of the community in various parts of the country since July 31, 2022.

The religious minority has been persecuted by Iranian authorities, accusing it of being spies with links to Israel, leading to "raids, arbitrary arrests, home demolitions and land grabs."

"APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns," Kaspersky security researcher Victor Chebyshev said.

"In their attacks, they use cunning and unexpected methods. Today it is easy to distribute malware via social networks and remain undetected for several months or even more."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Warn of SandStrike Android Spyware Infecting Devices via Malicious VPN App

Inappropriate implementation in Full screen mode in Google Chrome on Android prior to 107.0.5304.62 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chrome security severity: Medium)

CVE-2022-3660

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 106.0.5249.62 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chrome security severity: Low)

CVE-2022-3317

By Waqas
Security researcher Anurag Sen revealed Amazon failed to protect one of its internal servers, which allowed any third party to access the database.
This is a post from HackRead.com Read the original post: Leaked Amazon Prime Video Server Exposed Users Viewing Habits

Remember when a Chinese server leaked 7GB worth of data **including fake Amazon reviews**? Well now, an Elasticsearch database dubbed Sauron was left unprotected in cyberspace without any security authentication.

According to security researcher **Anurag Sen**, the database was stored on an internal Amazon server and contained Prime Video viewing habits.

This server was accessible on the internet because of the lack of password protection. Hence, the available data could have been accessed by someone accessing a web browser simply by entering its IP address.

It is worth noting that Sen found the database on September 30th, 2022 while scanning through the **IoT search engine Shodan**.

1.  **Our TV Viewing Habits Can Be Monitored for the Benefit of Marketers**
2.  **Hundreds of Android Gaming Apps are Tracking Your TV Viewing Habits**
3.  **General Motors collected location & radio listening habits data of drivers**
4.  **A leaked database exposed the shopping habits of 35 million US residents**

**What Data was Exposed?**

The exposed database contained 215 million records of pseudonymized viewing data. This includes the name of the movie or show being streamed, the device used for streaming the content, and similar internal data such as subscription information and network quality.

Basically, the database contained information about **Amazon Prime** customers. However, the data cannot be used to identify the customers by name. Still, this security lapse again highlights the drawbacks and dangers of misconfigured internet-facing servers left online without passport protection.

**What caused the Issue?**

Amazon spokesperson Adam Montgomery **told** TechCrunch that the issue was caused by ‘deployment errors with a Prime Video analytics server.’ When Amazon was notified about the exposed database, the company took necessary steps to make it inaccessible.

The database was protected shortly after Amazon received information about it. The company confirmed that login and payment card data or account details were safe, while the exposed data was pseudonymized.

1.  **Amazon data breach: Personal details of customers leaked**
2.  **Secret Pentagon Files Left Unprotected on the Amazon Server**
3.  **Amazon sent 1,700 audio recordings of Alexa user to a stranger**
4.  **Critical Amazon Ring Vulnerability Could Expose Camera Recordings**
5.  **Amazon Database Exposed US Military’s Social Media Spying Campaign**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#android