Incorrect default permissions for the Intel(R) Connect M Android application before version 1.7.4 may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Connect M Android App Advisory**

**Summary: **

A potential security vulnerability in the Intel® Connect Mobile (Connect M) Android application may allow information disclosure.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-44470

Description: Incorrect default permissions for the Intel(R) Connect M Android application before version 1.7.4 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**Affected Products:**

Intel® Connect M Android application before version 1.7.4.

**Recommendations:**

Intel recommends updating Intel® Connect M Android application to version 1.7.4 or later.

Updates are available for download at this location: https://play.google.com/store/apps/details?id=com.intel.connect

**Acknowledgements:**

Intel would like to thank Sheikh Rishad for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-44470: INTEL-SA-00596

Incorrect default permissions for the Intel(R) Support Android application before 21.07.40 may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Support Android App Advisory**

**Summary: **

A potential security vulnerability in the Intel® Support Android application may allow information disclosure.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-27500

Description: Incorrect default permissions for the Intel(R) Support Android application before 21.07.40 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**Affected Products:**

Intel® Support Android application before version 21.7.40.

**Recommendations:**

Intel recommends updating the Intel® Support Android application to version 21.7.40 or later.

Updates are available for download at this location: https://play.google.com/store/apps/details?id=com.intel.ark

**Acknowledgements:**

Intel would like to thank Sheikh Rishad for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-27500: INTEL-SA-00660

By Jon Munshaw. 



Welcome to this week’s edition of the Threat Source newsletter. 



As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to sure up users’ personal information. Of course, all users have to do is go out of their way to opt-in. 


Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers will exploit when targeting a mobile device with spyware. Spyware is a growing concern across the world, especially the NSO Group’s Pegasus tool.  


With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass. 


In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “...we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced. Android has its own version of this released in 2018 that only allows users to turn on a Lockdown Mode to disable their device’s fingerprint reader and facial ID scan, only allowing users to log in using only a PIN, password or pattern. However, this feature is turned off immediately after the user successfully logs in again and must be manually re-enabled every time.  


Some individual apps have taken their own steps, like the menstrual cycle-tracking app Flo, which recently announced a new Anonymous Mode that allows users to completely remove their personal data from the app.  


These features should become not only the norm, but the opposite. Much like browser cookies are now thanks to the GDPR, users should have to opt out of these types of modes rather than opting in. I’m skeptical that will ever happen, but if device and app manufacturers are serious about protecting users’ data, users should instead have to tell the device “Yes, I want to use the fingerprint reader and take on the inherent risk” or “yes, I don’t care if you sell my data to third-party advertisers.” 


Right now, these features are buried in a few layers of settings menus, and in the case of Android, it’s not even a permanent change.  


Some startups are trying to solve this problem by going back to the era of “dumb” phones, like The Light Phone, which doesn’t have any web browsing features, or the Mudita Minimalist phone that pretty much only sends calls and text messages and plays music.  


I’m a hypocrite here. Because if one day I was suddenly told I couldn’t check my fantasy football lineups on my phone or didn’t have streaming access to podcasts, I’d probably click whatever big red button there was to turn those features back on. But at the very least, that option should be presented as a big red button and not something you have to Google to figure out how to turn it on.  

  

The one big thing 


While not necessarily the most discussed aspect of Russia’s invasion of Ukraine, it’s important to look at how vital Ukrainian farming is to the world’s food supply chain. And as state-sponsored cyber attacks continue against Ukraine, the potential for grain and food shortages in Europe continues to rise. As Joe Marshall points out in our latest blog post, there are several knock-on effects that could happen if Ukraine’s food production and transportation system were to be disrupted by a major security event.  

Why do I care? 
The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. Potential cyber attacks on this industry could induce things like a slowdown in production, shipping delays, loss of economic value or supply shortages.  
So now what? 
For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are to your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency in your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and more importantly, people, to help you find those answers. Be proactive, and train for climatic events like a cyber attack. 
 

Top security headlines from the week


As many as 1,900 users of encrypted messaging app Signal could have had their login authentication codes stolen as part of a recent data breach against Twilio. Twilio is a popular gateway other web platforms use to send SMS or voice messages. Signal began notifying users this week of the issue, with one victim saying the attackers used the Twilio access to re-register a new device associated with the user’s phone number, allowing them to send and receive messages from their Signal app. Cloudflare was also a target of the phishing attack, with actors sending users phony text messages warning them their login had been changed, sometimes even contacting the target’s family members. (The Verge, Ars Technica) 
Some of the world’s top security experts, hackers and defenders unveiled new research at the Black Hat and DEF CON conferences last week. The slate of talks, presentations and exhibits brought to light several high-profile vulnerabilities, including two severe issues in the Zoom video conferencing app. Other heavily discussed topics include the spread of disinformation and election security. In a more lighthearted demonstration, one researcher even showed a way to jailbreak the Linux system on a John Deere tractor to play the video game “Doom” on its center console. (Politico, The Guardian, The Verge) 
The U.S. Cybersecurity and Infrastructure Security Agency is warning of an uptick in attacks from the Zeppelin ransomware, specifically against critical infrastructure. Threat actors are buying into the ransomware-as-a-service to spread the malware, using SonicWall firewall and remote desktop protocol vulnerabilities to initially breach targeted networks, according to a new CISA advisory. Zeppelin has a new multi-encryption tactic. Once the malware is on a victim’s network, it executes the ransomware multiple times and creates different IDs and encrypted file extensions so the victim can’t simply use one decryption key to return their files. (ThreatPost, CISA) 


Can’t get enough Talos? 

Cisco Talos Warns of Small-Time Cybercrime Ramp Up
Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass
Talos Takes Ep. #108 (XL Edition): On Air with Cisco Talos Incident Response
Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution
Threat Roundup for Aug. 5 - 12



Upcoming events where you can find Talos 


Ukraine Independence Day: A Talos livestream (Aug. 24, 2022) 
Livestreamed on Talos' LinkedIn and Twitter



Security Insights 101 Knowledge Series (Aug. 25, 2022) 
Virtual 



Cisco Security Solution Expert Sessions (Oct. 11 & 13)

Virtual 



Most prevalent malware files from Talos telemetry over the past week  


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c     
MD5: a087b2e6ec57b08c0d0750c60f96a74c     
Typical Filename: AAct.exe     
Claimed Product: N/A       
Detection Name: PUA.Win.Tool.Kmsauto::1201  


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A   
Detection Name: PUA.Win.Dropper.Generic::1201  



SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7 
MD5: 0e4c49327e3be816022a233f844a5731 
Typical Filename: aact.exe 
Claimed Product: AAct x86 
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos 


SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681 
MD5: f1fe671bcefd4630e5ed8b87c9283534 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net  
Detection Name: PUA.Win.Tool.Hackkms::1201

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to sure up users’ personal information. Of course, all users have to do is go out of their way to opt-in. 

Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers will exploit when targeting a mobile device with spyware. Spyware is a growing concern across the world, especially the NSO Group’s Pegasus tool.  

With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass. 

In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “...we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced. Android has its own version of this released in 2018 that only allows users to turn on a Lockdown Mode to disable their device’s fingerprint reader and facial ID scan, only allowing users to log in using only a PIN, password or pattern. However, this feature is turned off immediately after the user successfully logs in again and must be manually re-enabled every time.  

Some individual apps have taken their own steps, like the menstrual cycle-tracking app Flo, which recently announced a new Anonymous Mode that allows users to completely remove their personal data from the app.  

These features should become not only the norm, but the opposite. Much like browser cookies are now thanks to the GDPR, users should have to opt out of these types of modes rather than opting in. I’m skeptical that will ever happen, but if device and app manufacturers are serious about protecting users’ data, users should instead have to tell the device “Yes, I want to use the fingerprint reader and take on the inherent risk” or “yes, I don’t care if you sell my data to third-party advertisers.” 

Right now, these features are buried in a few layers of settings menus, and in the case of Android, it’s not even a permanent change.  

Some startups are trying to solve this problem by going back to the era of “dumb” phones, like The Light Phone, which doesn’t have any web browsing features, or the Mudita Minimalist phone that pretty much only sends calls and text messages and plays music.  

I’m a hypocrite here. Because if one day I was suddenly told I couldn’t check my fantasy football lineups on my phone or didn’t have streaming access to podcasts, I’d probably click whatever big red button there was to turn those features back on. But at the very least, that option should be presented as a big red button and not something you have to Google to figure out how to turn it on.  

**The one big thing **

While not necessarily the most discussed aspect of Russia’s invasion of Ukraine, it’s important to look at how vital Ukrainian farming is to the world’s food supply chain. And as state-sponsored cyber attacks continue against Ukraine, the potential for grain and food shortages in Europe continues to rise. As Joe Marshall points out in our latest blog post, there are several knock-on effects that could happen if Ukraine’s food production and transportation system were to be disrupted by a major security event.  

> **Why do I care? **The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. Potential cyber attacks on this industry could induce things like a slowdown in production, shipping delays, loss of economic value or supply shortages.  **So now what? **For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are to your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency in your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and more importantly, people, to help you find those answers. Be proactive, and train for climatic events like a cyber attack.   

**Top security headlines from the week**

As many as 1,900 users of encrypted messaging app Signal could have had their login authentication codes stolen as part of a recent data breach against Twilio. Twilio is a popular gateway other web platforms use to send SMS or voice messages. Signal began notifying users this week of the issue, with one victim saying the attackers used the Twilio access to re-register a new device associated with the user’s phone number, allowing them to send and receive messages from their Signal app. Cloudflare was also a target of the phishing attack, with actors sending users phony text messages warning them their login had been changed, sometimes even contacting the target’s family members. (The Verge, Ars Technica) 

Some of the world’s top security experts, hackers and defenders unveiled new research at the Black Hat and DEF CON conferences last week. The slate of talks, presentations and exhibits brought to light several high-profile vulnerabilities, including two severe issues in the Zoom video conferencing app. Other heavily discussed topics include the spread of disinformation and election security. In a more lighthearted demonstration, one researcher even showed a way to jailbreak the Linux system on a John Deere tractor to play the video game “Doom” on its center console. (Politico, The Guardian, The Verge) 

The U.S. Cybersecurity and Infrastructure Security Agency is warning of an uptick in attacks from the Zeppelin ransomware, specifically against critical infrastructure. Threat actors are buying into the ransomware-as-a-service to spread the malware, using SonicWall firewall and remote desktop protocol vulnerabilities to initially breach targeted networks, according to a new CISA advisory. Zeppelin has a new multi-encryption tactic. Once the malware is on a victim’s network, it executes the ransomware multiple times and creates different IDs and encrypted file extensions so the victim can’t simply use one decryption key to return their files. (ThreatPost, CISA) 

**Can’t get enough Talos? **

*   Cisco Talos Warns of Small-Time Cybercrime Ramp Up
*   Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass
*   Talos Takes Ep. #108 (XL Edition): On Air with Cisco Talos Incident Response
*   Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution
*   Threat Roundup for Aug. 5 - 12

**Upcoming events where you can find Talos **

Livestreamed on Talos' LinkedIn and Twitter

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** a087b2e6ec57b08c0d0750c60f96a74c     

**Typical Filename:** AAct.exe     

**Claimed Product:** N/A       

**Detection Name:** PUA.Win.Tool.Kmsauto::1201  

**MD5:** 8c69830a50fb85d8a794fa46643493b2  

**Typical Filename:** AAct.exe  

**Claimed Product:** N/A   

**Detection Name:** PUA.Win.Dropper.Generic::1201  

**MD5:** 0e4c49327e3be816022a233f844a5731 

**Typical Filename:** aact.exe 

**Claimed Product:** AAct x86 

**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**MD5:** f1fe671bcefd4630e5ed8b87c9283534 

**Typical Filename:** KMSAuto Net.exe 

**Claimed Product:** KMSAuto Net  

**Detection Name:** PUA.Win.Tool.Hackkms::1201

Threat Source newsletter (Aug. 18, 2022) — Why aren't Lockdown modes the default setting on phones?

Polar Flow for Android version 5.7.1 stores the username and password in clear text in a file on mobile devices.

    # Trovent Security Advisory 2110-01 ######################################Insecure data storage in Polar Flow Android application#######################################################Overview########Advisory ID: TRSA-2110-01Advisory version: 1.0Advisory status: PublicAdvisory URL: https://trovent.io/security-advisory-2110-01Affected product: Polar Flow Android mobile application (fi.polar.polarflow)Affected version: 5.7.1Vendor: Polar Electro, https://flow.polar.comCredits: Trovent Security GmbH, Karima HebbalDetailed description####################The Polar Flow app is a sports, fitness and activity analyzer which allows to planand monitor training, daily activity and sleep.Trovent Security GmbH discovered that the application stores the username andpassword in clear text in a file on the mobile device.Severity: MediumCVSS Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)CVE ID: N/ACWE ID: CWE-312Proof of concept################Content of the file /data/data/fi.polar.polarflow/shared_prefs/UserData3.xml:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<?xml version='1.0' encoding='utf-8' standalone='yes' ?><map>    <string name="current_device_id">no_device</string>    <int name="last_version_code" value="5070103" />    <string name="base_url">https://www.polarremote.com/v2/users/54871065</string>    <string name="last_name">Ptest</string>    <int name="key_initial_view_resource_id" value="2131363187" />    <boolean name="valid_ver_two" value="true" />    <long name="problem_phone_message_time" value="1634888249727" />    <boolean name="new_blogs_available" value="true" />    <string name="address_json">{"city":"\u003cscript\u003ealert(1)\u003c/script\u003e","countryCode":"DE","modified":"2021-10-22T07:37:53.000Z"}</string>    <string name="profile_json">{"favoriteSports":[]}</string>    <string name="password">Test2021</string>    <string name="last_blog_sync_time">2021-10-22T09:37:18.309</string>    <long name="user_id" value="54871065" />    <boolean name="initial_remote_sync_executed" value="true" />    <string name="preferred_blog_language">en</string>    <int name="key_training_diary_tab" value="0" />    <string name="first_name">Ptest</string>    <int name="should_show_problem_phone_message" value="2" />    <string name="username">ptesttest11@gmail.com</string></map>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Solution / Workaround#####################We recommend not to store sensitive information in clear text on the mobiledevice.Fixed in version 6.3.0, verified by Trovent.History#######2021-10-18: Vulnerability found2021-12-15: Vendor contacted2022-01-20: Contacted vendor again2022-01-21: Vendor replied that the vulnerability will be checked2022-01-28: Vendor replied, the vulnerability will be fixed in a future update2022-07-27: Vendor contacted, asking for status2022-08-09: Vendor replied, the vulnerability is fixed since version 6.3.02022-08-17: Trovent verified remediation of the vulnerability2022-08-18: Advisory published

Polar Flow Android 5.7.1 Secret Disclosure

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.

The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to the advisory posted by Google.

Google credits Ashley Shen and Christian Resell of its Google Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also unveiled 10 other patches for various other Chrome issues.

Intents are a deep linking feature on the Android device within the Chrome browser that replaced URI schemes, which previously handled this process, according to Branch, a company that offers various linking options for mobile applications.

“Instead of assigning window.location or an iframe.src to the URI scheme, in Chrome, developers need to use their intent string as defined in this document,” the company explained on its website. Intent “adds complexity” but “automatically handles the case of the mobile app not being installed” within links, according to the post.

Insufficient validation is associated with input validation, a frequently-used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components, according to MITRE’s Common Weakness Enumeration site.

“When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application,” according to a post on the site. “This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.”

**Fending Off Exploits**

As is typical, Google did not disclose specific details of the bug until it is widely patched to avoid threat actors taking further advantage of it, a strategy that one security professional noted is a wise one.

“Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws,” observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable, in an email to Threatpost.

 Holding back info is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project. These all could be affected if an exploit for a vulnerability is released, he said.

“It is extremely valuable for defenders to have that buffer,” Narang added.

While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google did patch a critical bug tracked as CVE-2022-2852, a use-after-free issue in FedCM reported by Sergei Glazunov of Google Project Zero on Aug. 8. FedCM—short for the Federated Credential Management API–provides a use-case-specific abstraction for federated identity flows on the web, according to Google.

**Fifth Chrome 0Day Patch So Far**

The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.

In July, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while in May it was a separate buffer overflow flaw tracked as CVE-2022-2294 and under active attack that got slapped with a patch.

In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8 tracked as CVE-2022-1096 and under active attack also spurred a hasty patch.

February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.

Google Patches Chrome’s Fifth Zero-Day of the Year

**SAN FRANCISCO, Aug. 17, 2022 —** The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world's most important software supply chain security initiatives, on Wednesday announced 13 new members from leading financial services, technology, employment, software development, cybersecurity, telecommunications, and academic sectors.

New premier member, Capital One, joins the OpenSSF Governing Board. New general member commitments come from Akamai, Indeed, Kasten by Veeam, Scantist, SHE BASH, Socket Security, Sysdig, Timesys, and ZTE Corporation. New associate members include Eclipse Foundation, Purdue University, and TODO Group. "We are excited to welcome new members to the OpenSSF," says Brian Behlendorf, General Manager of OpenSSF. "As open source software security vulnerabilities continue to draw attention from governments and businesses around the world, interest in the work of the OpenSSF has been rapidly increasing."

"A growing community of organizations, developers, researchers, and security professionals are investing the time and resources needed to strengthen open source security," said Jamie Thomas, OpenSSF Board Chair and IBM Enterprise Security Executive. "New members of OpenSSF are joining at a time when cross-industry collaboration and innovation are needed more than ever to proactively respond to pervasive cybersecurity threats."

Resolving the systemic issues that led to major security vulnerabilities like the Log4shell incident emphasizes the urgency and importance of the work of OpenSSF. A recent Cyber Safety Review Board report declared that Log4j has become an "endemic vulnerability" that will be exploited for years to come and that the 10-point mobilization plan introduced earlier this year at the Open Source Software Security Summit II by the OpenSSF will improve the resiliency and security of open source software.

OpenSSF will host a full day of sessions on Tuesday, Sept. 13, at OpenSSF Day EU on the eve of Open Source Summit Europe (OSS EU) in Dublin. Working Group leaders and community members will host sessions, panels, and fireside chats about ongoing work to secure the software supply chain and the future of open source security. Registration and attendance are free for all those attending the OSS EU.

**Premier Member Quote**

**Capital One**

"Today some of the most groundbreaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world's technology leaders as we collaborate to strengthen the software security supply chain. As a highly regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community."

*   Chris Nims, EVP of Cloud & Productivity Engineering at Capital One

**General Member Quotes**

**Akamai**

"Improving the security of open source software — so central to the internet ecosystem — is one of the most critical security challenges we face today. Only by gaining visibility into the network and the software supply chain can we reliably address security flaws when they occur at the code level. The technology community must support the open source communities we depend on with financial and technological resources to limit our collective risk_._ As a leading security and cloud services provider, we look forward to contributing to the Open Source Security Foundation and helping to advance this important work."

*   Robert Blumofe, EVP and CTO, Akamai

**Kasten by Veeam**

"We are honored to be part of the Open Source Security Foundation (OpenSSF) and champion this initiative alongside our peers. Kasten by Veeam has an open source heritage, and with Kubernetes data protection as our core offering, security remains a critical underpinning for Kasten K10 design and implementation. As Kubernetes adoption continues to fuel Digital Transformation journeys for enterprises, more attention is rightfully being placed on security, especially with the inexorable rise of ransomware attacks. Kasten by Veeam is committed to ensuring the security and data protection of cloud native environments to better protect business applications."

*   Gaurav Rishi, Vice President of Products and Partnerships at Kasten by Veeam

**Scantist**

"On one hand, the software industry is benefiting substantially from the rapid growth of open source, which has become the basic building blocks of the digital world. On the other hand, open source security is becoming more critical and all these risks are multiplied by the interdependent nature of open source. Now as a member of OpenSSF, we would like to contribute to the OpenSSF missions based on our recent research on open source ecosystem analysis to provide a quantitative view to understand the complexity and security of open source. We want to become the active participant, evangelist and ambassador for OSS governance in southeast Asia to promote open source software supply chain security."

*   Dr. Liu Yang，Professor at Nanyang Technological University, Singapore and Co-Founder of Scantist

**SHE BASH**

"Since our inception, SHE BASH has witnessed a variety of predatory industry practices that get shielded from extensive scrutiny via the protective veil of closed source. At our core, open source software is a public institution that enables everyone to build their future.

"The combination of decades of apathy and the incentive mechanisms that sustain a culture of 'don't care' has allowed our company to stand out among tech's largest and most culpable companies. We have always considered 'best practice first' as one of the main value propositions we can provide as a company, albeit a small one. Open Source Software provided us the level playing field to make differences in key technological shifts within the public sector, and the evolution of these shifts are the development of best practices born from the open source that sustains all software life today. It's a true honor to be of assistance to the work OpenSSF is leading to remedy large structural mistakes that grew from decades of neglect."

*   Cameron Banowsky, Co-founder and CTØ, SHE BASH

**Socket Security**

"As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source dependency usage. Modern applications use thousands of dependencies written by hundreds of maintainers, and installing even one package leads to dozens of transitive dependencies coming along for the ride. Unfortunately, it is far too easy for a bad actor to infiltrate the software supply chain and wreak havoc. That's why Socket is proud to join OpenSSF and do our part to make open source safe for everyone with our industry-leading approach to software composition analysis which is used by thousands of companies to detect and prevent supply chain attacks. The Socket team is excited to work with other OpenSSF member companies to safeguard the open source ecosystem for everyone."

*   Feross Aboukhadijeh, Founder and CEO, Socket Security

**Sysdig**

Sysdig is proud to be part of OpenSSF and work together to help guide open source security standards and secure the software supply chain. As a cloud security company built on open source, we believe the industry must come together to strengthen software for the common good. Having created and contributed Falco to the CNCF to help secure the runtime, we look forward to continuing open collaboration in the OpenSSF. The future of security is open, and what we do now will shape software forever."

*   Edd Wilder-James, Vice President, Open Source Ecosystem at Sysdig

**Timesys**

"With software supply chain breaches up more than 650%, securing the software supply chain is a big focus. We've been working for more than 5 years developing technology to help secure, monitor, and maintain open source-based embedded Linux and Android devices from exposures and vulnerabilities. We are so excited to be joining up on this community effort with OpenSSF and to be a part of the Linux Foundation again. By sharing technology and collaborating to build ecosystems that accelerate open-source technology development, device manufacturers and consumers everywhere will be able to rest easier knowing they are secure."

*   Atul Bansal, CEO of Timesys

**ZTE Corporation**

"We are very pleased to join the OpenSSF. As a world-leading communication equipment manufacturer, more and more open source software is used by us. While actively embracing open source software, it also brings unprecedented risks to software supply chain security. ZTE Corporation has made many efforts to control and manage risks, and regard them as our top priority. After joining the OpenSSF, ZTE Corporation works with a group of members with similar visions and goals to promote the development of open source software supply chain towards a more secure direction."

*   Xiang Shuming, Director of OSS Compliance and Security Governance, ZTE Corporation

Additional Resources

*   View the complete list of the 89 OpenSSF members
*   Watch the recent August OpenSSF Town Hall
*   Contribute efforts to one or more of the active OpenSSF working groups and projects

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain

The best end-to-end encrypted messaging app has a host of security features. Here are the ones you should care about.

In times of uncertainty, people rightly often turn to the encrypted messaging app Signal. Whether it’s to protect sensitive conversations amid social unrest or to keep your communications private after the fall of _Roe v. Wade_, Signal represents most people’s best way to communicate safely. And thanks in part to a $50 million infusion in 2018 from Brian Acton, the former WhatsApp CEO and current interim Signal Foundation CEO, the once niche app is more accessible than ever.

Signal’s popularity often spikes in times of strife or when alternatives seem more precarious. In May 2020, as police brutality protests swept US cities, daily Signal downloads nearly tripled from their average, according to analytics company Apptopia. It saw another surge in January 2021 after WhatsApp, which end-to-end encrypts personal chats using the Signal Protocol, botched the messaging around a privacy policy update. Apptopia now estimates Signal has more than 600 million active monthly users. All of those people can take advantage of end-to-end encryption, which means that no one—not the government, their phone company, or Signal itself—can read the contents of messages as they pass between devices.

Signal is not the only messaging app to offer end-to-end encryption; iMessage has it, as do stand-alone apps like Telegram. But Signal stands apart, both for its rich features and the fact that its code has been open source for years, meaning cryptographers have had plenty of opportunities to poke and prod it for flaws.

WIRED has long encouraged readers to adopt Signal. Here, we’re offering tips on how to get the most out of it once you do.

_Updated August 2022: Signal has added a few new features since we first ran this story, which are now reflected below._

Know Its Limits

For those who are new to encrypted messaging, the most important thing to remember is that it’s not magic. Having Signal on your phone does not make you invincible. Nearly 2,000 users found that out the hard way this month. Signal uses communications firm Twilio to verify users’ phone numbers and send out device registration codes via SMS messages. So when attackers successfully breached Twilio through a recent phishing campaign, they were able to access those SMS codes for some 1,900 Signal accounts and potentially register a victim’s phone number with their own device.

Signal says all affected users “can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected.” But the attackers were able to take over at least one account and pose as that person on Signal. It’s a potent reminder that even an app that’s designed around security can have weak spots.

Most importantly, remember that if you’re messaging with someone who doesn’t have Signal installed, nothing’s encrypted. It only works for Signal-to-Signal communications. And make sure you have a strong password on your phone in the first place, since anyone who has physical access to your device can still read your messages.

Signal also has a desktop app, which should be plenty secure for the vast majority of people; just be aware that desktop environments face a litany of threats. And using Signal on multiple devices means more places your messages can be compromised or stolen.

Get Set Up Safely

When you join, Signal requires you to provide a phone number that essentially serves as your user name. This doesn’t mean you have to use your actual phone number, though. To avoid giving it up, use a Google Voice number instead.

To do so, head to Google Voice in your browser, log in with a Google account, and select a new phone number. Google will ask you to verify it by providing your actual phone number, where it’ll send a code that will let you complete your registration. You can now use that Google Voice number for your Signal account, keeping it separate from your main line. (Heads up: If you don't place a call or receive a single text to your Google Voice number every six months, Google will reclaim that number. If that happens, you can get it back within 45 days. So make sure to shoot your Google Voice number a text at least once every few months.)

You should feel comfortable letting Signal access your device’s contacts; it stores that information on your phone, not in the cloud. The app does periodically send truncated, hashed phone numbers back to Signal’s servers, which is how it checks if any of your contacts are also using it, but the company also says it discards that information “immediately.” That way, the app can alert you when one of your contacts signs up for Signal; if you’d rather not get those updates, tap **Settings**, then **Notifications**, and toggle off **Contact Joined Signal**.

(Note: Android users can access Signal’s **Settings** menu either by tapping their profile icon or selecting the menu under the three dots in the upper-right corner, then tapping **Settings**. iOS users will need to tap their profile icon and then Settings to access the full menu.)

On Android, you can make Signal your default messaging app by going to **Settings** > **Apps & notifications** > **Advanced** > **Default Apps** > **SMS app**, and picking **Signal**. Just remember that not everyone you text has it installed and that an iOS user you’re texting with might check their Signal app less often than they do iMessage. (iOS still doesn’t let you change the default messaging app, sorry!)

One of the most critical settings to enable is profile PINs, which will make it easier for you to keep your account data even when you transfer devices and to protect your contact lists, profile information, settings, and more. You can set one up when you join or head to **Privacy** > **Signal PIN** in your app settings to set or change yours anytime. The introduction of PINs was controversial among cryptography hard-liners, who questioned whether the so-called Secure Value Recovery they were tied to introduced potential vulnerabilities. It didn’t help that Signal had at first made the PINs mandatory. You can opt out now by going to the **Create PIN** screen and tapping **Select more**, then **Disable PIN**. Just remember that if you do so, you won’t be able to bring your contacts with you to a new device, and sensitive account information may be more vulnerable.

Lastly, once you have your PIN set up, enable **Registration Lock** by going to **Settings** > **Account** and toggling on **Registration Lock**. With this feature enabled, attackers won’t be able to take over your account and register it to a new device in the way they did through the Twilio hack mentioned above.

Protect Your Screen

It’s important to make sure that what happens in Signal stays in Signal. This means keeping people from seeing what you’re doing there from a lock screen or when switching apps. There’s not much point in having an app for sensitive messages if they just pop up on your display whenever you receive one.

To turn off Signal lock screen notifications on iOS, go to your phone’s **Settings** > **Notifications**, then scroll down and tap **Signal** > **Show Previews** > **Never**. On Android, the process is similar. From your home screen, head to **Settings**, then **Apps & Notifications**, where you can turn off all notifications. If you need more granular control, you can find that in the Signal app itself, where the steps are the same no matter what platform you’re on. Tap your profile, then **Notifications**, then **Show**, where you can choose whether to display the name, content, and actions for an incoming text; just the name; or nothing at all. You can also mute notifications for a specific conversation for a set amount of time by tapping on a message thread, then the contact header, and then **Mute**. You can silence a contact’s notifications for an hour, a day, a week, or a year.

If you’re on Android and want to enable Signal notifications, you may want to disable smart replies by going to **Settings** > **Apps & Notifications** > **Notifications** > **Advanced** and making sure “**Suggested actions and replies**” are turned off. Google says it keeps smart replies private by processing them locally on your device, but the safest bet is to limit Signal’s interactions with the rest of the operating system.

Signal also has a Screen Lock feature that requires your password—or FaceID or TouchID, whatever you use to get into your phone—to view the app’s contents. Within the Signal app on either platform, tap your profile, then **Privacy**, then toggle the **Screen Lock** option to on. Android gives you a little more granularity, with a **Screen Lock Inactivity Timeout** option that lets you set the feature to kick in after a certain amount of time. 

You’ll also want to enable **Screen Security**, which keeps Signal contents from showing up in your app switcher. On Android, select your profile, then **Privacy**, and switch on **Screen Security**. If you use iOS, go to your profile, tap **Settings** > **Privacy**, and enable **Hide Screen in App Switcher**.

Make Messages Disappear

While you can always delete messages manually along the way, that action only applies to your own phone. The people you’re chatting with still have it on their devices. To ensure that the conversation is deleted on both ends of a thread, you should embrace “disappearing messages” instead.

Signal now allows you to enable disappearing messages on all new chats by default, which we highly recommend. Go to **Settings** > **Privacy** > **Default Timer for New Chats**, and select the length of time you want your messages to disappear by default. You can choose preset options ranging from 30 seconds to four weeks, or set whatever custom time you like. Note that enabling this setting only applies to new chats and won’t override the settings for chats you were in before turning it on.

You can also tweak your disappearing message settings for individual chats. From within a chat, tap on the name of your contact. Toggle over **Disappearing Messages** and set the amount of time you want them to be live before they vanish. A timer icon will show up in your thread; either of you can change the disappearing time by tapping on it and adjusting it as needed. That’s also how you can disable disappearing messages altogether within a particular chat.

It’s a handy feature, but a quick reminder that people can still screenshot your conversations to keep a record, so don’t assume they’re gone forever—especially if you don’t trust whoever’s on the other end of the line.

Place an Encrypted Call

Signal’s not just for messages; you can make end-to-end encrypted voice and video calls from the app as well. To do so, just tap the pencil icon within the app like you would to start a chat. Pick a contact, then select either the video icon or phone icon, depending on which type of call you’d like to make.

Signal also now allows group video calls. If you already have a group created, tap on the chat, then select the video icon. If you want to create a new group, select the **pencil icon** > **New Group**, select the contacts you’d like to include, and tap **Next**. Give your group a name, and hit **Create**. Then tap the video icon.

An important note here: If you do make calls from Signal on iOS, make sure to first head to **Privacy** within the app and toggle off **Show Calls in Recents**. Otherwise, your Signal call history will sync with iCloud, creating an unnecessary record of your conversation. And if you’re extra cautious, go to **Settings** > **Privacy** and toggle on **Always Relay Calls**; that’ll route your calls through Signal’s servers and hide your IP address in the process.

Send Photos and Videos

As with other messaging apps, you can use Signal to send photos and videos—with a privacy-friendly media feature that sets it apart.

First things first: If you take a photo from within Signal—just tap the camera icon either from your contact list or within a chat—it doesn’t automatically save to your camera roll, which means it doesn’t get backed up to your cloud photo library. That’s good! The fewer ways you can accidentally leave a trail, the better. If you want to keep an image for posterity, you can tap the save icon in the upper right corner. Otherwise, just send it and move on.

You can also make sure that your photo and video don’t stay on the recipient’s device long. Before you hit send, note the infinity icon next to the chat bubble. That means the media you’re about to share can be viewed indefinitely. Tap it once, though, and it’ll switch to a **1x**, meaning that the photo or video will disappear from the conversation as soon as it’s been viewed. A record will remain in the thread that media was shared, but the image itself will no longer be visible.

Extra Measures

This list is not 100 percent comprehensive. Some features are too minor to mention; others are intended for niche use cases. But there are a few other stray tips that might be helpful to know as you get used to using Signal.

**Read Receipts:** Some people feel strongly about these! If you’re one of them, head to **Settings** > **Privacy** and toggle them off when you’re in the app.

**Stickers:** As part of its long-term quest to find broad appeal, Signal recently added a limited selection of stickers to liven up your secret chats. (Incorporating them required some tricky encryption itself.) Just tap the sticker icon in the chat compose window to peruse your options.

**Emoji Reactions:** Similarly, Signal finally expanded its emoji reaction options in June 2020. From seven basic choices, the app broadened the palette to a full range of faces, animals, foods, buildings, and yes, smiling poop. To add a reaction, just hold down on the response, then tap the three horizontal dots to access the full keyboard.

**Block Party:** Block! Block! Block! Block! To shut down unwanted conversations, either tap on the user’s name from within a chat and toggle over **Block This User**, or strike preemptively by tapping your profile icon, then **Privacy** > **Blocked** > **Add Blocked User**, and then the party you don’t want to hear from.

**Message Requests:** As of August 2020, you can also approve or block other Signal users when they first reach out to you, without their knowing that you’ve seen their incoming message or call. If you do block someone, they won’t get any indication other than remaining in limbo. And the feature also blocks strangers from adding you to group chats, a popular spammer tactic. It’s similar to what you’ve likely already experienced in Facebook Messenger or Twitter direct messages and will be increasingly useful as Signal’s user base expands.

**Private Type:** On Android, third-party keyboard apps can retain a record of what you type and swipe; not ideal when you’re trying to send private messages. Under **Privacy**, go ahead and toggle on **Incognito Keyboard** to keep them in the dark.

**Change your number:** If you get a new phone number or want to change the number you use with your Signal account, the app now allows you to do so without losing everything. The feature doesn’t work in all situations or with every version of the app or operating system, so check the details here.

That should be enough to get you started! Just remember, as you get used to the advanced settings and figure out what combination of disappearing messages and screen locking works for you, that you’ve already taken the most important step of all: downloading Signal in the first place.

How to Use Signal Encrypted Messaging

By Waqas
Another day, another set of nasty applications on the official Google Play Store. The growing efforts of cyber-criminals…
This is a post from HackRead.com Read the original post: 35 malicious apps found on Google Play Store, installed by 2m users

****Another day, another set of nasty applications on the official Google Play Store.****

The growing efforts of cyber-criminals to have malicious apps listed on the Google Play Store have resulted in some of the most widely used smartphone applications being exposed to malware and banking trojans in recent years.

Despite efforts made by Google to enhance security, researchers continue to expose malicious campaigns that use innovative tactics to get around corporate safety controls.

Now, the IT security researchers at Bitdefender have identified 35 malicious applications on the Play Store with over two million downloads. These apps are designed with methods of action that allow them to masquerade as legitimate ones by changing their names and icons and bombarding the victim’s device with advertisements.

According to Bitdefender, these ads help cybercriminals achieve their monetary goals along with directing victims to malicious sites or links that drop additional malware on the targeted devices.

In their **blog post**, BitDefender’s research team stated that the cybercriminals behind the campaign used several methods to trick victims into keeping the malicious apps on their devices. For instance, some of the apps offered version updates that allowed the attackers to hide and evade detection on the device.

> Many legitimate apps offer ads to their users, but these ones show ads through their own framework, which means they can also serve other types of malware to their victims. Most of the time, users can choose to delete the application if they don’t like it. But these new malicious apps trick victims into installing them, only to change their name and icons and even take some extra steps to conceal their presence on the device.
> 
> Bitdefender

However, one positive aspect of this report is that BitDefender identified the malicious campaign using its (soon to be unveiled) behavioral technology designed to analyze malicious app activity after installation.

Behavioral technology in cybersecurity can be used to track malware behavior across all channels, including websites and social media platforms. This data can then be used to improve the security and user experience in real-time.

> Bitdefender identified the malicious apps using a new real-time behavioral technology designed to detect precisely these dangerous practices, among many others. This new technology is slowly being rolled out to our customer base and will become available to everyone in the coming months.
> 
> Bitdefender

**List of Malicious Apps**

1.  gb.tolltwentytwo.ikey
2.  com.smart.tools.wifi
3.  jkdf.gds.gds.g
4.  com.newsoft.camera
5.  hj.jk.jikj.jkj
6.  finze.lockgti.dae.cag
7.  kk.f.ea.tew.t
8.  sc.qs.vak
9.  zzhse.ge.ge.ge.e
10.  ice.ccylice.volume
11.  ck.lad.secret
12.  smart.ggps.lockakt
13.  am.asm.master
14.  com.charging.show
15.  joao.de.def.e.aew
16.  ifa.nod.vys
17.  qu.motor.astrolog
18.  ice.ccylice.colorize
19.  gb.blindthirty.funkeyfour
20.  com.voice.sleep.sounds
21.  com.creator.smartqrcreator
22.  com.xmas.girlsartwallpaper
23.  gb.theme.twentythreetheme
24.  gb.fiftysubstantiated.wallsfour
25.  com.xmas.artgirlswallpaperhd
26.  gb.packlivewalls.fournatewren
27.  gb.labcamerathirty.mathcamera
28.  gb.mega.sixtyeffectcameravideo
29.  gb.actualfifty.sevenelegantvideo
30.  de.eightylamocenko.editioneight
31.  gb.helectronsoftforty.comlivefour
32.  gb.crediblefifty.editconvincingeight
33.  gb.convenientsoftfiftyreal.threeborder
34.  gb.sixtycreativecyber.magiceleganttwo
35.  gb.convincingmomentumeightyverified.realgamequicksix

**Protection Against Malicious Apps**

With more than two billion active Android devices, it is no wonder that the Google Play Store is a target for malware developers. It’s no secret that the Google Play Store is home to some nasty malware including **DawDropper**, **Joker**, **SharkBot**, **Xenomorph,** and many more.

However, at the same time, it is one of the most secure platforms to download Android apps. So how can you protect your phone from all of the bad stuff? Here are a few tips:

1.  First, make sure you’re running the latest version of Android. Google is constantly working to improve security on the platform, so newer versions of Android are less vulnerable to attack.  
    
2.  Next, take a look at the app permissions before installing anything from the Play Store. If an app asks for more permissions than it needs, that’s a red flag that it might be up to no good.  
    
3.  Install a reputable security app from the Play Store. This will add an extra layer of protection to your device, catching any malware that slips through the cracks.  
    
4.  Only download apps from trusted sources. This means avoiding third-party app stores and websites – Stick to the Google Play Store.  
    
5.  Finally, check reviews before downloading an app. If an app has a lot of negative reviews, it’s probably not worth your time. (**_Read how fake reviews cause 50% of threats against Android_**).

1.  **Play Store Apps Caught Spreading Android Malware to Millions**
2.  **BRATA Android malware factory resets phones after stealing funds**
3.  **New MaliBot Android Malware Found Stealing Personal, Banking Data**
4.  **Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets**
5.  **New Russian Android Malware Tracks GPS Location and Spies on Victims**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

35 malicious apps found on Google Play Store, installed by 2m users

In Sony Xperia series 1, 5, and Pro, an out of bound memory access can occur due to lack of validation of the number of frames being passed during music playback.

May 18, 2022

**Research by:** Slava Makkaveev, Netanel Ben Simon

**Introduction**

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The ALAC issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file. In addition, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine.

In this study, we focus on mobile devices.

**OpenMAX Codecs**

Open Media Acceleration (OpenMAX or OMX) is the set of C-language programming interfaces that provides abstractions useful for multimedia processing.

On Android devices, the Stagefright media playback engine integrates OpenMAX to recognize and use custom hardware-based multimedia codecs.

**Figure 1:** OpenMAX in Android media.

While Android provides built-in software codecs for common media formats, a hardware manufacturer can add an OpenMAX codec to decode/encode a specific one.

All media codecs presented on the device are listed in the /vendor/etc/media_codecs.xml file. According to the OpenMax specification, the codec name and content type must be declared for each codec.

**Figure 2:** Built-in software codecs.

An OpenMAX codec is a dynamic library that implements the corresponding decoding/encoding logic. The relationship table between the codec name and the library name is built into the OpenMAX Core library /vendor/lib/libOmxCore.so. On MediaTek devices, the /vendor/etc/mtk_omx_core.cfg configuration file contains this table in text format.

**Figure 3:** Core configuration.

Both MediaTek and Qualcomm provide custom OpenMAX decoders for the ALAC format. The ALAC declaration is shown in Figure 4, where the first line refers to MediaTek devices and the second line to those belonging to Qualcomm.

**Figure 4:** ALAC decoder declaration.

/vendor/lib/libMtkOmxAlacDec.so is the OpenMAX ALAC library on MediaTek devices and /vendor/lib/libOmxAlacDecSw.so is the library on Qualcomm. Media service /vendor/bin/hw/[email protected] loads the ALAC library when requested by an Android app, and then calls it to decode the supplied frames.

A malicious .m4a audio file can be used to attack a device even when played in a safe app based on the Android media framework. In addition, a malicious app can use a harmful frame to attack the privileged [email protected] service.

**Requesting frame decoding from the app**

The Android framework provides the android.media.MediaCodec class to access low-level media codecs.

We can create the ALAC decoder by using its name.

The configure method can be used to tune the decoder. A Codec-specific Data (csd-0) array allows us to set the frame length and bit depth parameters that we want to control in order to exploit the vulnerabilities.

To pass an arbitrary frame to the decoder for processing:

The Android app does not require any permissions to initiate decoding. To attack the media service, all we need to do is to prepare a malformed frame that causes the vulnerability.

**The ALAC vulnerabilities****MediaTek**

A quick look at the libMtkOmxAlacDec.so library showed that it is more likely based on the Shairport source code than on the code published by Apple. In fact, both sources are quite similar and have the same security issues.

The MtkOmxAlacDec::InitAlacDecoder method is responsible for initializing the ALAC decoder based on the csd-0 information provided by the app or included in the audio file header. The method calls the alac_init function, which fills an internal object with the audio parameters and allocates working buffers to store the decoded data.

The setinfo_max_samples_per_frame field of the alac object is initialized with the frame length (the first DWORD of the csd-0), and the setinfo_sample_size field is initialized with the bit depth.

The frame length times 4 of the heap memory is allocated as the outputsamples_buffer_a buffer. No integer overflow check is performed. In the 32-bit media server, if the provided frame length is greater than or equal to 0x40000000, the wrong amount of memory is allocated.

The MtkOmxAlacDec::DecodeAudio method is responsible for decoding the audio frame. It calls the alac_decode_frame function passing the alac object, the decoding frame, and an output buffer for decoded data as arguments.

The variable outputsamples is the number of samples to decode. As you can see, it is initialized with the setinfo_max_samples_per_frame at the beginning of the function, which is the maximum possible value of samples per frame. However, this variable can be corrected by the actual number of samples, the value of which is encoded in the frame itself. There are no validations associated with the outputsamples, so an invalid number could be provided. For example, in the frame in Figure 5, the number of samples is 0x41414141.

**Figure 5:** Malformed ALAC frame.

Several code snippets like the one shown below are implemented in the alac_decode_frame function to decode the frame data.

As you can see, outputsamples \* setinfo_sample_size bits are decoded from the input frame into the outputsamples_buffer_a buffer, the size of which is setinfo_max_samples_per_frame \* 4. We control all the involved values: the outputsamples, the setinfo_sample_size, the setinfo_max_samples_per_frame, and the decoding content.

For a heap data leak, we set the outputsamples and the setinfo_max_samples_per_frame to be larger than the input frame. In this case, the contents of the heap after the frame buffer are “decoded” to the outputsamples_buffer_a, which is then copied to the output buffer.

To overwrite the heap, we set the setinfo_max_samples_per_frame to be smaller than the input frame. In this case, the data is decoded outside the outputsamples_buffer_a buffer as determined by what we set in the outputsamples.

In Figure 6, you can see the crash dump caused by the malformed frame shown in Figure 5. The test device is the Xiaomi Redmi Note 9T 5G (MediaTek MT6853 Dimensity 800U 5G chipset) with MIUI Global 12.5.2.0 OS.

**Figure 6:** Crash dump of MediaTek’s ALAC decoder.

All of the described vulnerabilities can be exploited as they provide both read and write primitives.

**Qualcomm**

The ALAC decoder implemented by Qualcomm has exactly the same issues as the MediaTek’s decoder.

The OpenMAX libOmxAlacDecSw.so library is a wrapper over the libAlacSwDec.so, which is based on the source code shared by Apple.

The ALACDecoder::Init method allocates the mMixBufferU buffer to store the decoded data. The buffer size is 4 times the frame length specified in the csd-0 and controlled by the attacker.

The ALACDecoder::Decode method decodes ALAC frames. Again, there is no verification of the number of samples provided in the frame.

Depending on the numSamples and the size of the input frame, the mMixBufferU buffer can be overflowed with the input frame or filled with leaked data.

In Figure 7, you can see the crash dump of Qualcomm’s ALAC decoder. The test device is the Sony Xperia XZ Premium.

**Figure 7:** Crash dump of Qualcomm’s ALAC decoder.

**Conclusion**

We discovered several vulnerabilities in the Apple lossless audio codec that are relevant for smartphones with MediaTek and Qualcomm chipsets. Two thirds of all smartphones sold in 2021 are vulnerable.

The issues we found could be used by an attacker for RCE on a mobile device via a malicious audio file, or for LPE from an unprivileged Android application. The attacker could gain access to user conversations and stored media.

MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Check Point’s customers _remain fully protected_ against such threats while using Harmony Mobile Security.

CVE-2022-23747: #ALHACK: One codec to hack the whole world - Check Point Research

Google’s new mobile operating system has arrived. Take back some control with these privacy and security tips.

It's late summer in the northern hemisphere, which means new phone operating systems are coming. In a few weeks, Apple will release iOS 16 to millions of iPhones and iPads around the world. Google, meanwhile, has already made the latest version of Android available—on some phones you can now download Android 13.

The newest version of the Android operating system is more “evolution than revolution,” with the majority of changes smaller than in previous iterations. But Android’s security team is trying to simplify people’s privacy options throughout Android 13. This version of the OS involves changes under the hood for app developers and some streamlined security options for users.

You probably don’t spend a lot of time thinking about the privacy and security settings on your phone. However, whenever you download a new operating system, it’s worth spending a few minutes scrolling and tapping through all the options you haven’t touched in the past 12 months. Here’s what you should take a look at on Android 13.

Clamp Down on App Permissions

In Android 12, Google introduced “nearby device” permissions. This was designed to stop your headphones app from requesting your precise location when it was trying to wirelessly connect to your headphones. Android 13 expands on these controls to stop apps from using Wi-Fi permissions to collect your location data. In their code, app developers have to specify that they will never use Wi-Fi APIs to access location information.

Android’s **Privacy dashboard** has also been updated. The dashboard, which can be accessed through **Settings >** **Privacy**, shows the permissions you have given apps to use—this includes the apps that can access your camera, contacts, and multiple other sensors and types of data. It will now show which apps have used each permission over the past seven days, rather than just 24 hours.

Some of the privacy changes in Android 13 don’t require you to do anything, but it is worth knowing about them anyway. For instance, the OS will start deleting your clipboard history automatically after a short period of time so that apps don’t snoop on the information you previously copied. Also, from now on, apps that use Google’s advertising ID, which is a unique code assigned to your device, must declare the ad ID permission in their documentation. “If your app does not declare this permission when targeting Android 13 or higher, the advertising ID is automatically removed and replaced with a string of zeroes,” Google says.

Photo Picker

When you want to use a photo you’ve taken in another app—for instance, as a Twitter profile photo or to share images with friends—your device uses Photo Picker. This loads up a screen that includes the photos on your device and gives you the option to use them in the app you’re in. The new privacy changes in Android 13 mean you won’t automatically give an app access to all your photos and videos. Instead, the photo picker will now only give the app access to the photos you allow it.

In addition, Android’s developer pages state that if apps want to use images, audio, or video that other apps have created, they must explicitly say the type of files they want access to and give you clear prompts that this will happen.

More Notification Control

Few things are more infuriating than apps that send a constant barrage of notifications. And there are some notifications you may not want appearing on your screen for anyone nearby to see. While it has been possible to control app notifications for some time, Android 13 is making it easier to do so from the outset. Now, when you open up an app for the first time or use it for the first time in a while, you’ll be asked if you want it to send you notifications. Spammy notifications, be gone.

Other Security and Privacy Options

While you’re thinking about your phone’s privacy settings, it’s worth taking some time to flick through your device’s other options to boost your overall protection. It’s possible there are previous changes that you’ve missed. The vast majority of the settings below can be changed by visiting **Settings** on your Android and then following the specific options.

In the **Security** section, Android provides you with an overview of your device’s status. It will show you when the last security update was applied, let you set a screen lock and fingerprint or biometric unlocking (if your device supports them), and let you go through Google’s wider security checkup that looks at the current state of your accounts. (Later this year, Android will introduce a new **Security & privacy** option that will put all of these settings in one place.)

In the **Privacy** menu, there are a few things you should change. The **Privacy dashboard**, as described above, will show you which apps have used which sensors and data on your phone in the past seven days. After looking at this, you should tap on **Permission manager**, where you’ll be presented with all the sensors and types of data that your phone can give to apps. These range from your location and camera access to your calendar and files. You should look through each of the permissions and decide if an app really needs access to them to function.

Next in **Privacy**, you should open **Google location history** and **Activity controls**. Both of these options are linked to your wider Google account(s), but the settings here allow you to control what data Google keeps about you—it’s a lot. Using these options, you can wipe your web and activity data, the locations Google keeps on your movements, and details such as YouTube search history.

Then head to **Privacy** and **Ads**. Here you can use **Reset advertising ID** to change the ID Google has assigned to your phone. This advertising ID is used by apps and advertisers across the web to track your interests and show you potentially creepy personalized advertising. As well as resetting your ad ID, there’s an option to **Delete advertising ID**, meaning “apps can no longer use this advertising ID to show you personalized ads.”

Finally, while you’re thinking about your digital privacy and security, you should make sure you are using a password manager to protect your online life and using multi-factor authentication wherever possible.

Tag

#android