Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer.

Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers **Marks & Spencer** and **Harrods**, and the British food retailer **Co-op Group.** The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “**Scattered Spider**,” whose other recent victims include multiple airlines.

The U.K.’s **National Crime Agency** (NCA) declined verify the names of those arrested, saying only that they included two males aged 19, another aged 17, and 20-year-old female.

Scattered Spider is the name given to an English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. The **FBI** warned last month that Scattered Spider had recently shifted to targeting companies in the retail and airline sectors.

KrebsOnSecurity has learned the identities of two of the suspects. Multiple sources close to the investigation said those arrested include **Owen David Flowers**, a U.K. man alleged to have been involved in the cyber intrusion and ransomware attack that shut down several **MGM Casino** properties in September 2023. Those same sources said the woman arrested is or recently was in a relationship with Flowers.

Sources told KrebsOnSecurity that Flowers, who allegedly went by the hacker handles “bo764,” “Holy,” and “Nazi,” was the group member who anonymously gave interviews to the media in the days after the MGM hack. His real name was omitted from a September 2024 story about the group because he was not yet charged in that incident.

The bigger fish arrested this week is 19-year-old **Thalha Jubair**, a U.K. man whose alleged exploits under various monikers have been well-documented in stories on this site. Jubair is believed to have used the nickname “**Earth2Star**,” which corresponds to a founding member of the cybercrime-focused Telegram channel “**Star Fraud Chat**.”

In 2023, KrebsOnSecurity published an investigation into the work of three different SIM-swapping groups that phished credentials from T-Mobile employees and used that access to offer a service whereby any T-Mobile phone number could be swapped to a new device. Star Chat was by far the most active and consequential of the three SIM-swapping groups, who collectively broke into T-Mobile’s network more than 100 times in the second half of 2022.

Jubair allegedly used the handles “Earth2Star” and “Star Ace,” and was a core member of a prolific SIM-swapping group operating in 2022. Star Ace posted this image to the Star Fraud chat channel on Telegram, and it lists various prices for SIM-swaps.

Sources tell KrebsOnSecurity that Jubair also was a core member of the **LAPSUS$** cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including **Microsoft**, **Nvidia**, **Okta**, **Rockstar Games**, **Samsung**, **T-Mobile**, and **Uber**.

In April 2022, KrebsOnSecurity published internal chat records from LAPSUS$, and those chats indicated Jubair was using the nicknames **Amtrak** and **Asyntax**. At one point in the chats, Amtrak told the LAPSUS$ group leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

As shown in those chats, the leader of LAPSUS$ eventually decided to betray Amtrak by posting his real name, phone number, and other hacker handles into a public chat room on Telegram.

In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.

That story about the leaked LAPSUS$ chats connected Amtrak/Asyntax/Jubair to the identity “**Everlynn**,” the founder of a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers. In such schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some member of LAPSUS$ hail.

Sources say Jubair also used the nickname “**Operator**,” and that until recently he was the administrator of the **Doxbin**, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people. In May 2024, several popular cybercrime channels on Telegram ridiculed Operator after it was revealed that he’d staged his own kidnapping in a botched plan to throw off law enforcement investigators.

In November 2024, U.S. authorities charged five men aged 20 to 25 in connection with the Scattered Spider group, which has long relied on recruiting minors to carry out its most risky activities. Indeed, many of the group’s core members were recruited from online gaming platforms like Roblox and Minecraft in their early teens, and have been perfecting their social engineering tactics for years.

“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age,” said **Allison Nixon**, chief research officer at the New York based security firm Unit 221B. “Cybercriminals arrested at 15 or younger need serious intervention and monitoring to prevent a years long massive escalation.”

UK Arrests Four in ‘Scattered Spider’ Ransom Group

Google says it's Gemini AI will soon be able to access your messages, WhatsApp, and utilities on your phone. But we're struggling to see that as a good thing.

If you’re an Android user, you’ll need to take action if you don’t want Google’s Gemini AI to have access to your apps. That’s because, regardless of your previous settings, Google now allows Gemini to interact with third-party apps.

Through Gemini extensions, it already had the ability to integrate with apps to lend a helping hand and make Google Assistant obsolete. From an email I received in April from Google Gemini:

> **Gemini uses info from your devices and services to help you**
> 
> Gemini uses this info to provide more customized and context-aware help. Gemini accesses certain system permissions and data, like call and message logs, contacts (to help you keep in touch), and screen content (to help you act on it).
> 
> **Gemini works with apps**  
> Gemini can respond with real-time info from other tools, apps, and services like Google Keep and YouTube. To allow connected apps to generate helpful responses, Gemini shares some of your info with them. You can manage your apps in your settings.  

Then further on, it said:

> **Gemini activity and your choices**    
> When you use Gemini, Google collects your activity, like your chats (including recordings of your Gemini Live interactions), what you share with Gemini (like files, images, and screens), product usage information, feedback, and info about your location. This data is stored in Activity (if it’s on), reviewed by trained reviewers, and used to improve Google services, including generative AI.

The bit about trained reviewers was enough for me to decide against using it. There are many AI options that offer a lot more privacy.

But now, according to a Ars Technica, Google has sent an email to Android users that takes it one step further.

_Image courtesy of ArsTechnica_

> “We’ve made it easier for Gemini to interact with your device  
> We’re updating how Gemini interacts with some of the apps on your Android device.  
> Gemini will soon be able to help you use your Phone, Messages, WhatsApp, and utilities on your phone, **whether your Gemini Apps Activity is on or off**.
> 
> This change will **start automatically rolling out** on July 7, 2025.  
> If you don’t want to use these features, you can turn them off in the Apps settings page.
> 
> **If you have already turned these features off, they will remain off.**
> 
> For more details on how these features work with your data, please see the Gemini Apps Privacy Hub.”

_Note: I did not receive this email and the Gemini app is not on my phone. That could be because I’m using a Samsung phone and Samsung offers Bixby as a virtual assistant. It might be my location: sometimes Europe gets these features later. Or potentially the phone is too old (2019)._

**Good news or not?**

While Google presents this as happy news, we’re not in full agreement. Google enabling Gemini to access third-party apps promises exciting AI-driven features but also introduces significant privacy, security, and control challenges.

Android users who want to protect their data and limit AI access should check their app permissions and disable unnecessary AI integrations. However, it turns out, this is not easy. First off, there is a contradiction in Google’s statements. In one place it says the change will automatically start rolling out and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” But in another place it claims, “If you have already turned these features off, they will remain off.”

This is confusing, and even well-versed users are having problems finding the appropriate settings.

All we can do is advise you to make your own, informed, decisions as much as you can:

*   If Android introduces notifications or permission prompts for Gemini access, pay close attention and deny access where possible.
*   Regularly check app permissions in **Settings** > **Privacy** > **Permission Manager** and revoke permissions that are not essential, especially those related to sensitive data (contacts, messages, microphone, camera).
*   If possible, keep your Android OS and apps updated to benefit from security patches and improved privacy controls.
*   Don’t underestimate the importance of an active anti-malware solution on your Android phone.

If Google wants users to be happy about new features, than we’d prefer it announce them and then explain how those who like them can enable them. Don’t turn on settings that we’ve never asked for.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 No thanks: Google lets its Gemini AI access your apps, including messages 

Coca-Cola and its bottling partner CCEP targeted in separate cyber incidents, with the Everest ransomware gang and the Gehenna hacking group claiming data breaches involving sensitive employee and CRM data.

Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are facing separate cyberattack claims from two distinct threat groups. The Everest ransomware gang says it has breached Coca-Cola’s systems, while another group named Gehenna (aka GHNA) is offering what it claims is a massive database stolen from CCEP’s Salesforce environment.

****Everest Ransomware Targets Coca-Cola****

The Everest ransomware group has listed Coca-Cola as a victim on its dark web leak site, sharing screenshots that suggest access to internal documents and personal information of 959 Employees. These include visa and passport scans, salary data, and other HR-related records.

According to samples reviewed by Hackread, the breach appears to affect Coca-Cola’s operations in the Middle East, with several files indicating that the Dubai office at the Dubai Airport Free Zone (DAFZ) may have been the specific target.

Everest has released samples that contain employee identification details and documents that typically circulate within HR departments. The nature of the leaked files indicates that personally identifiable information (PII) is involved.

Screenshot from the dark web leak site of the Everest ransomware gang (Image credit: Hackread.com)

Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, commented on the tactics: “Initial research points to tactics like harvesting credentials and targeting Active Directory, though those claims aren’t always reliable. If this attack is genuine, it suggests Coca-Cola’s cybersecurity investments may not have been enough to stop it.”

****Gehenna Claims Major Breach at Coca-Cola Europacific Partners****

In a separate incident, the Gehenna hacking group claims to have breached CCEP’s Salesforce dashboard earlier this month. The group says it exfiltrated more than 23 million records, dating back to 2016, containing sensitive customer relationship management (CRM) data.

The data allegedly includes 7.5 million Salesforce account records (6GB), 9.5 million customer service cases (52GB), 6 million contact entries (5GB), and over 400,000 product records (300MB).

Gehenna shared samples on a public data breach forum, which included case logs referencing Coca-Cola Enterprises Norway, complete with customer support history and contact details.

The group also posted a message aimed at CCEP employees, stating that they are “open to offers” and warning that they “have more where that came from.” Gehenna also claimed responsibility for previous incidents affecting Samsung Germany and Royal Mail, adding weight to the seriousness of their statement.

The group has also provided contact information via Telegram and appears to be actively soliciting a response from Coca-Cola Europacific Partners.

The screenshot shows Gehenna’s post about CCEP’s alleged breach (Image credit: Hackread.com)

Both incidents come amid an uptick in cyberattacks targeting large multinational corporations, particularly those holding customer and employee data at scale. The tactics used by Everest and Gehenna reflect different approaches, ransomware extortion and data leak-based pressure, but the goal is similar to making money out of stolen information.

Coca-Cola and CCEP have not publicly confirmed the breach at the time of writing.

John Bambenek, President at Bambenek Consulting, noted the broader risk with cloud platforms: “As companies adopt more SaaS solutions, it opens new doors for threat actors. SaaS platforms often lack the logging and security visibility that traditional infrastructure provides.”

He advised that “Organizations need to prioritize integrating SaaS logs into their SIEM and building detections for suspicious behaviour like large-scale data lookups from a single user account to avoid being caught off guard.”

Nevertheless, both groups appear to be active and well-resourced. Whether through law enforcement action or internal response, a public statement may help clarify the real impact behind the claims.

Coca-Cola, Bottling Partner Named in Separate Ransomware and Data Breach Claims

Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild.
The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw.
"Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to

Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android malware turns phones into malicious tap-to-pay machines 

Hacker leaks 144GB of sensitive Royal Mail Group data, including customer info and internal files, claiming access came via supplier Spectos. Investigation underway!

Royal Mail Group, the UK’s centuries-old postal institution, has allegedly suffered a massive data breach resulting in the leak of 144GB of internal files, customer information, and marketing data. The breach was first made public on the cybercrime forum **Breach Forum** by a user known as GHNA.

**144GB of Leaked Data**

As seen by the Hackread.com research team, GHNA published a post on Monday, March 31, 2025, stating: _“Today, I have uploaded 144GB of data from Royal Mail Group for you to download (courtesy of Spectos, again). Thanks for reading, and enjoy!”_

The post included a screenshot of what appears to be a Zoom meeting recording between Royal Mail Group and Spectos, a German-based data analytics and performance management firm.

Spectos has previously been mentioned in association with other leaks, raising questions about whether the vector for this attack was a direct compromise of **Royal Mail’s infrastructure** or a third-party breach involving vendors with deep system access.

The alleged breach gave the hacker access to a wide range of sensitive data. The leaked archive contains 293 folders and 16,549 files, totaling 144GB. The exposed records include:

*   **Customer Personally Identifiable Information (PII):** Names, full addresses, postal codes, and shipping details, including sender data like business names and services used.

*   **Internal Communications:** Video recordings of meetings, most notably Zoom calls between Spectos and Royal Mail staff.

*   **Operational Data:** Delivery route datasets, post office location information, and backend SQL databases.

*   **Marketing Infrastructure Data:** Mailchimp mailing list exports showing subscriber metadata, campaign tags, and detailed consent information.

Screenshot: Hackread.com

**The Hacker: Who Is GHNA?**

A closer look at the hacker’s activity reveals that they have been active on Breach Forums since late 2024. GHNA has built a growing reputation by leaking or selling access to several high-profile organizations across multiple industries. Their posts include:

*   **Multi-billion dollar software firms and solar industry players**

*   **Samsung Electronics (Germany) – Leaked customer satisfaction ticket data**

*   **Touchworld Technology LLC and Liberty Latin America – Source code repositories**

*   **Access to American and European software companies, including CRM and staking platforms**

*   **Crypto-focused targets, such as a staking company and a casino (both verified, with one marked as sold).**

Several of these listings have been tagged as “VERIFIED” by the forum’s moderation team, and some have already been sold, indicating that GHNA is not only gaining access to sensitive environments but actively monetizing them.

The Royal Mail Group breach appears to be one of the largest GHNA has published in terms of raw data volume. However, the variety of their previous listings suggests this is part of a broader campaign or ongoing **access-as-a-service operation**.

Screenshot: Hackread.com

****Third-Party Connection: Spectos In the Spotlight****

Spectos’ name appears multiple times in the breach materials, including in internal documents and recorded video calls. It is unclear whether Spectos was the breach vector or simply involved in the data Royal Mail was managing at the time.

The hacker’s comment, “Courtesy of Spectos, again”, suggests that Spectos may have played a role in how the data was accessed. Given the amount and type of leaked content, it’s possible the compromise happened through a shared system, an integration point, or within Spectos’ own infrastructure.

Royal Mail has acknowledged the situation. In an email to Hackread.com, the company stated, _“We are aware of an incident which is alleged to have affected Spectos, a supplier of Royal Mail. We are working with the company to investigate the issue and establish what impact, if any, there may be regarding their data.”_

So far, Spectos has not released any public statement about the incident.

****Past Breach: Royal Mail’s Security Challenges Continue****

This incident is the latest in a series of cybersecurity challenges faced by the Royal Mail Group. In early 2023, the company was **targeted by the LockBit ransomware gang**, causing major operational disruptions. That attack shut down Royal Mail’s international parcel delivery systems for weeks and forced the organization to issue emergency contingency plans.

That earlier attack was tied to financially motivated ransomware operators. This time, there’s no ransom demand, but the breach might point to a rising interest in Royal Mail’s data, either from opportunistic hackers or those taking advantage of weak links in the company’s vendor network.

****Impact and Ongoing Analysis****

While the breach hasn’t been confirmed by Royal Mail directly, the company has acknowledged the issue through their vendor, Spectos. If the data is genuine, it could have a wide impact. For customers, it means their details are now out there, which could lead to **scams, spam, or even identity theft**.

For Royal Mail Group, it puts more pressure on how they handle private data and who they trust to help manage it. And for regulators, it might lead to more questions about whether the company is doing enough to protect people’s information.

At the time of writing, the investigation is ongoing, and no further comment has been made by either Royal Mail or Spectos.

Hacker Leaks 144GB of Royal Mail Group Data, Blames Supplier Spectos

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

Before the official faculty profiles of renowned Indiana University, Bloomington (IU) data privacy professor Xiaofeng Wang and his wife disappeared and the FBI raided two of the couple’s homes last week, the school is said to have been reviewing for months whether the professor received unreported research funding from China, WIRED has learned.

Indiana University contacted Wang in December to ask about a 2017-2018 grant in China that listed Wang as a researcher, according to an unsigned statement that appears to be written by a Purdue University professor and long-time collaborator of Wang seen by WIRED. The statement says that the author believed IU was concerned that Wang allegedly failed to properly disclose the funding to the university and in applications for US federal research grants.

The statement has been circulating among cybersecurity and privacy scholars at universities around the world in recent days and was sent to WIRED by three separate sources. It claims that Wang had explained the funding situation to IU, then was told in February that the school would continue looking into the matter.

Alex Tanford, a professor emeritus at Indiana University and the IU Bloomington Chapter president of the American Association of University Professors, says Wang reached out to him and said that he had been accused of alleged research misconduct. Tanford says he provided Wang guidance as a member of the faculty board of review. IU did not answer WIRED’s questions regarding any probes into Wang.

“The charge seemed trivial—that he had failed to properly disclose who was principal investigator on a grant application and had not fully listed all his coauthors on an article,” Tanford tells WIRED of the allegations. He says Wang wanted to know if the university had the right to lock him out of his office and computer, as he was in the middle of ongoing research.

Research papers Wang published between 2017 and 2018 list funding from places like the National Science Foundation, National Institutes of Health, the US Defense Advanced Research Projects Agency, the US Army Research Office, Google, and Samsung, according to a WIRED review of his publications from the time period.

Wang regularly collaborated with researchers at the Institute of Information Engineering (IIE) at the Chinese Academy of Sciences, a government-funded cybersecurity research lab. In papers, Wang and his coauthors disclosed that the IIE scholars received funding from sources such as the National Natural Science Foundation of China, but that Wang was being supported by US grants. It’s not uncommon for professors at US institutions to collaborate with researchers in China, and there's no public evidence to suggest that the arrangements were improper.

According to the unsigned statement’s title and metadata, it appears to have been authored by Ninghui Li, a computer science professor at Purdue who has collaborated on research with Wang since at least 2006. The pair also serve together on the board of the ACM Special Interest Group on Security, Audit, and Control (SIGSAC), which aims “to develop the information security profession by sponsoring high quality research conferences and workshops,” according to the Association for Computer Machinery’s website. Li did not respond to emailed requests for comment nor a voicemail left on his office phone.

Jason Covert, one of attorneys representing Xiaofeng Wang and his wife, Nianli Ma, a library systems analyst whose employee profile was also removed by Indiana University, tells WIRED that Wang and Ma are both “safe” and that neither of them have been arrested. Their legal team is not currently aware of any pending criminal charges against them, and while the couple’s attorneys have viewed a search warrant from the Department of Justice, Covert says they have not received a copy of the affidavit establishing probable cause.

Wang is considered among the top researchers in the field of privacy, data security, and biometric privacy, and his sudden disappearance came as a shock to many of his academic peers. Wang joined IU in 2004 and is the lead principal investigator of the multidisciplinary Center for Distributed Confidential Computing, which he established in 2022 with an almost $3 million grant from the National Science Foundation (NSF), according to a since-deleted bio on IU’s website. As part of his application for the NSF funding and other US federal research grants, Wang would have been required to disclose other grants he already received or were currently pending review.

On March 28, the FBI searched two home addresses associated with Wang. The same day, IU also reportedly terminated Wang’s job via an email sent by provost Rahul Shrivastav, which WIRED obtained and was first reported by The Indiana Daily Student. The email also said it was understood that Wang had recently accepted a position with a university in Singapore, a detail also repeated in the statement attributed to Li.

The statement says Wang planned to start at the unnamed Singaporean university on June 1, 2025, and requested a leave of absence from Indiana University in early March. But IU responded by “putting him on administrative leave, removing his IU homepage, and disabling his IU email address,” it claims.

Wang’s new job offer “would be irrelevant in any event because it is for \[the\] next academic year and would not justify firing him,” Tanford says. Terminating his employment via an email was a violation of university policy, Tanford claims, which prohibits firing a tenured professor without cause, and requires a 10-day notice and a hearing before a faculty board of review, if requested by the staff member. “The faculty is deeply concerned. If the administration can fire a tenured professor without due process and in violation of a policy approved by our trustees, none of us is safe,” he says.

Reached for comment, an IU spokesperson declined to answer detailed questions from WIRED about prior communications between the university and Wang and the school’s decision to fire him.

“Indiana University was recently made aware of a federal investigation of an Indiana University faculty member,” university spokesperson Mark Bode tells WIRED in an emailed statement. “At the direction of the FBI, Indiana University will not make any public comments regarding this investigation. In accordance with Indiana University practices, Indiana University will also not make any public comments regarding the status of this individual.”

The FBI has so far not commented on the reason for its activities surrounding Wang’s properties. In a statement sent to WIRED, Indianapolis-based spokesperson Chris Bavender says, “The FBI conducted court authorized law enforcement activity at homes in Carmel and Bloomington, Indiana last Friday. We have no further comment at this time.”

WIRED could not immediately reach Wang or Ma for comment directly, but Covert, their attorney, provided a statement on their behalf.

“Prof. Wang and Ms. Ma are thankful for the outpouring of support they have received from colleagues at Indiana University and their peers across the academic community,” the statement reads. “They look forward to clearing their names and resuming their successful careers at the conclusion of this investigation.”

To many in the academic research community, the events surrounding Wang and another Chinese-born scholar in Florida who was fired recently are reminiscent of the China Initiative, a US Department of Justice campaign launched under the first Trump administration to combat cybercrime and economic espionage. Critics accused the program of unfairly targeting Chinese-born researchers and broader Asian-immigrant and Asian-American academic communities.

The DOJ abandoned the program under the Biden administration in 2022 after it lost or withdrew charges in a number of associated cases. At the time, a top DOJ official said it had “helped give rise to a harmful perception” that there are lower standards for prosecuting conduct related to China, and people with ties to the country are treated differently. But several congressional efforts have since sought to resurrect the program or start similar law enforcement campaigns, including a 2023 bill that passed the House but not the Senate last year.

“We, like many other organizations and individuals, have broad concerns that the end of the \[China Initiative\] is just in name but does not reflect a change in fact and substance,” Jeremy Wu, the coorganizer of APA Justice, a nonprofit organization that advocates against racial profiling, said in a March webinar at the Michigan State University. Wu declined WIRED’s request to comment on the events surrounding Wang.

Matthew Green, a professor at Johns Hopkins University who specializes in cryptography and cryptographic engineering says that, while he doesn’t know Wang personally, he is troubled by how secretive Indiana University has been about the circumstances that led to his alleged firing. “This is not normal behavior by a university,” Green tells WIRED.

Green says he worries that cases like Wang’s could make young engineers from China think twice about studying at American universities, and even motivate talented researchers who have lived in the US for decades to instead consider working abroad. “We may lose a huge amount of expertise,” Green says.

Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency.

Sometimes the updates we install to keep our devices safe do a little bit more than we might suspect at first glance. Take the October 2024 Android Security Bulletin.

It included a new service called Android System SafetyCore. If you can find a mention of that in the security bulletin, you’re a better reader then I am. It wasn’t until a few weeks later, when a Google security blog titled 5 new protections on Google Messages to help keep you safe revealed that one of the new protections was designed to introduce Sensitive Content Warnings for Google Messages.

Sensitive Content Warnings is an optional feature that blurs images that may contain nudity before viewing, and when an image that may contain nudity is about to be sent or forwarded, it will remind users of the risks of sending nude imagery and preventing accidental shares.

**Wait! What?**

Yes, there is now a service on my phone that checks whether your pictures are “decent enough” to send or share? I’m not oblivious to the many users that would be better off with such a service, but I’m not so sure they’d appreciate it.

However, what really concerned me is the fact that Google is looking at my incoming and outgoing pictures. I use end-to-end-encrypted (E2EE) messaging for a reason. The content is for me and the receiver, and no-one else, and that definitely includes Google.

But, again, no mention of SafetyCore in that blog or what will provide the Sensitive Content Warnings feature with the necessary data.

So, you can imagine the surprise and outrage when users found this service which doesn’t show up on the regular list of running applications that has permissions to do almost anything on the device.

And by looking up what this app called SafetyCore was all about, all of the above starts to make sense.

Google PlayStore says:

> “SafetyCore is a Google system service for Android 9+ devices. It provides the underlying technology for features like the upcoming Sensitive Content Warnings feature in Google Messages that helps users protect themselves when receiving potentially unwanted content. While SafetyCore started rolling out last year, the Sensitive Content Warnings feature in Google Messages is a separate, optional feature and will begin its gradual rollout in 2025. The processing for the Sensitive Content Warnings feature is done on-device and all of the images or specific results and warnings are private to the user.”

Google goes on to reassure:

*   The developer says that this app doesn’t collect or share any user data. 
*   The developer says that this app doesn’t share user data with other companies or organizations. 
*   The developer says that this app doesn’t collect user data.
*   The developer has committed to follow the Play Families policy for this app. 

Google promises that it only rates our pictures and does not collect or share them, but this feature has almost Artificial Intelligence (AI) written all over it. As we all know, an AI needs to be trained, and training an AI locally on your phone is hardly an option. I wish it had the necessary power, but it doesn’t.

I for one don’t see how the secretly installed service measures up to what the feature has to offer. But obviously everyone is entitled to their own opinion and the device is yours to do with as you please.

**How to uninstall or disable SafetyCore**

The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so.

So, if you wish to uninstall or disable SafetyCore, take these steps:

1.  **Open Settings**: Go to your device’s Settings app
2.  **Access Apps**: Tap on ‘Apps’ or ‘Apps & Notifications’
3.  **Show System Apps**: Select ‘See all apps’ and then tap on the three-dot menu in the top-right corner to choose ‘Show system apps’
4.  **Locate SafetyCore**: Scroll through the list or search for ‘SafetyCore’ to find the app
5.  **Uninstall or Disable**: Tap on Android System SafetyCore, then select ‘Uninstall’ if available. If the uninstall option is grayed out, you may only be able to disable it
6.  **Manage Permissions**: If you choose not to uninstall the service, you can also check and try to revoke any SafetyCore permissions, especially internet access

Note: depending on the software version and manufacturer of your device, these instructions may be slightly off. I personally couldn’t test them because my Samsung has not received the October patch yet due to the patch gaps.

If you’d like to learn more about AI and encrypted messaging, we recommend listening to our podcast The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01)

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android happy to check your nudes before you forward them 

While AI-generation services and major camera makers are adopting the specification for digitally signed metadata, creating a workflow around the nascent ecosystem is still a challenge.

Source: Thapana\_Studio via Shutterstock

The effort to establish digitally verifiable images, video, and other content using signed metadata known as Content Credentials promises an internet where users can easily determine the source of media and whether it is authentic. An easy-to-use implementation of that vision is still under construction.

The brainchild of the Coalition for Content Provenance and Authenticity (C2PA), Content Credentials allow the signing of a metadata audit trail — a manifest — that accompanies images and other media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Content Credentials show each of those steps as part of an audit log, which provides people with information about whether the content they are viewing is real or has been somehow modified. The companies behind the standard include internet providers, software makers, device technology makers, and media giants.

In the last year, major camera makers — Canon, FujiFilm, Leica, Nikon, and Sony — announced support for the Content Credentials standard, but only a few models with the capability have hit the market. Leica has released its second camera with the technology, the Leica SL3-S. At this year's Consumer Electronics Show in January, Samsung announced its upcoming Galaxy S25 mobile phone will support Content Credentials, but only to label images that have been edited by AI. It will not label the original photo taken with the smartphone's camera.

And other major smartphone makers, such as Apple, have not announced support for the standard yet.

Meanwhile, computer-based editing software that supports Content Credentials is mainly limited to Adobe's products. As a founder of the content-authenticity movement, Adobe has extensive support for Content Credentials in its own products — such as a beta feature in Photoshop and tagging images generated with its generative AI service, Adobe Firefly.

Still, some islands of functionality have appeared: Images from OpenAI's DALL-e and Adobe's Firefly are labeled with Content Credentials tagging them as AI-generated, while end-to-end services, such as Truepic, use the technology in its platform to digitally sign and authenticate images.

It's a good start, but an end-to-end workflow requires more: Cameras or smartphones to generate signed images, support for Content Credentials in a wide variety of image-editing software, and the ability to view authenticated metadata on social media and websites.

"It is crucial to ensure that Content Credentials are enabled on all devices throughout the entire workflow—from capture to editing to sharing," says Nico Köhler, head of product experiences for Leica Camera AG. "This requires that all tools and platforms involved in the process support Content Credentials. ... Ensuring compatibility across the entire workflow is key to preserving the authenticity of the content."

**Where Does the Content Credential Work?**

Closed end-to-end ecosystems that incorporate the Content Credentials specification show the potential of the digital authentication feature.

Truepic, for example, essentially created its own end-to-end authenticated image service based on Content Credentials, allowing companies to know the provenance of images. Credit bureaus can request authenticated images of office locations to verify legitimate businesses, dispensing with the need for expensive on-site visits. Insurance companies can request photos of damaged assets from policyholders, avoiding deepfake and edited photos from claiming fictitious damages.

Because smartphones do not yet have the Content Credential technology embedded in the device, Truepic requires its app be used to take photos and video.

"We believe that unless a digital process is backed and secured by image and data authentication, enterprises will not be able to address or even understand the amount of fraud they are missing," says Mounir Ibrahim, chief communications officer at Truepic. "With widespread adoption of credentials, businesses will have a stronger foundation for detecting tampering and ensuring content authenticity, but they will still need a trusted verification platform that can ingest, analyze, and validate digital content at scale and within their environments."

**Interoperable Workflow is Still Not Ready**

While different manufacturers are releasing specific implementations of Content Credentials, creating an end-to-end workflow for images — from creation to editing to distribution to end users — continues to be a challenge.

In early February, for example, Cloudflare tackled one small part of a typical workflow, the content delivery network, announcing that its CDN service would preserve image credentials, even through automated compression and image resizing. Most current infrastructure inadvertently strips away the Content Credential or invalidates the signature by transforming the image.

The Cloudflare changes allow its Images service to add actions to the Content Credential manifest and re-authenticate using the company's credentials, Will Allen, head of privacy and media products at Cloudflare, wrote in a blog post describing the feature.

"When you use Images to resize or change the file format to your images, these transformations will be cryptographically signed by Cloudflare," he said. "This ensures, for example, that the end-user who sees the photograph on your website can use an open-source verification service ... to verify the full provenance chain."

The Content Credential ecosystem at work. A picture taken with a Leica camera is edited with Adobe Photoshop, with each stage documented in the credential. Source: Contentcredential.org/verify using Leica image

Yet, even companies that are forging ahead with their own services look forward to when the wrinkles in the interoperability are ironed out. Truepic's Ibrahim, for example, argues that greater support is the end goal.

"Although closed ecosystems and business processes are where our clients are deriving the most benefit today, we see this as the first step to a more authentic internet," he says. "Interoperable standards will be the essential foundation to a more trusted digital ecosystem and shared global economy."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#samsung