Search This Blog

Showing posts with label Mobile Security. Show all posts

Customers Deceived by Google for Collection of User Location Data

 

The Federal Court of Australia observed that somewhere between January 2017 and December 2018, Google LLC and Google Australia Pty Ltd (together, Google) deceived customers in a world-first compliance action by ACCC on personal location information gathered from Android mobile devices. 

As a result of the 2019 legal proceedings against Google, the Australian Competition and Consumer Commission (ACCC) has stated that the rulings represent an "important victory for consumers" over protecting online privacy. Google deceived Android users to believe that the tech giant will only collect personal information, the ACCC said. 

“This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers,” ACCC Chair Rod Sims said. “Today’s decision is an important step to make sure digital platforms are upfront with consumers about what is happening with their data and what they can do to protect it.” 

The Court ruled that in the initial installation Google misrepresented the setting of 'Location History' as the only Google Account setting which impacted whether Google obtained, maintained, or used personally identifiable information on the location of a device once consumers had created a new Google Account. In reality, Google was also able to capture, store and use personal location data during activation through a different Google Account setting entitled 'Web & App Activity.' Though this setting was set by default.

Also between 9 March 2017 and 29 November 2018, customers were deceived by the fact that Google didn't bother to tell them that perhaps the configuration was related to the collection of personal location data after they had accessed the 'Web & App Activity settings on their Android system. The Court held that the actions of Google could trick the audience. 

“We are extremely pleased with the outcome in this world-first case. Between January 2017 and December 2018, consumers were led to believe that ‘Location History’ was the only account setting that affected the collection of their location data, when that was simply not true,” Mr. Sims said. He also added, “Companies that collect information must explain their settings clearly and transparently, so consumers are not misled. Consumers should not be kept in the dark when it comes to the collection of their location data.” 

The Court rejected the claims of the ACCC concerning certain declarations by Google on how users could prevent Google from obtaining and then using the location information and the purposes for which Google uses its personal location information. Though the ACCC seeks declarations, fines, instructions for publishing, and conformity orders.

Russian expert give tips on how to protect yourself from "eavesdropping" on your smartphone

A smartphone can "eavesdrop" on its owner, said information and computer security expert Sergei Vakulin. In an interview with Radio Sputnik, he explained who might need to record conversations and how to protect sensitive information

Some smartphone applications may record our conversations when we do not expect them to. Moreover, we ourselves provide them with this opportunity, giving them permission to access the microphone during the installation of the application, explained the expert on information and computer security Sergei Vakulin.

According to him, advertisers are primarily interested in obtaining such information.

"The app can spy on you to analyze your data and sell. Not just to collect it, but to sell it. We often have the situation where you took a loan from one bank, and you immediately get a call from another bank and offer another loan. Selling data - this is already a banal topic," the expert said in an interview with Radio Sputnik.

He clarified that once the app has gained access to the microphone, it will be able to turn it on whenever it wants, not just during a phone call. Sergey Vakulin claims that the recording function can be turned on even on a locked device.

"If you've given the app permission to access the microphone, it will be able to 'listen' to you even when it's locked. If you have access, the app can turn on the microphone at any time it wants and collect information," the expert explained.

According to him, you can protect yourself from eavesdropping by limiting the number of applications with access to the microphone.

Also, for particularly important conversations you can buy a phone without the ability to connect to modern communication networks.

"If you look closely at many officials and billionaires, both Russian and foreign, they walk around with push-button phones. A pushbutton phone will be very difficult to listen to, because there is no 3G, LTE and so on," explained Sergei Vakulin.

WhatsApp Clients Resort to Other Messaging Platforms

 

WhatsApp has told its two billion clients they should permit it to share information with its parent organization Facebook if they wish to keep utilizing it. All WhatsApp clients would not be able to proceed with the service except if they accept the new terms by 8 February. The stage said the update will empower it to offer features, for example, shopping and payments. 

Message platforms Signal and Telegram have both seen a gigantic surge in downloads around the world over after a questionable update to WhatsApp's terms and conditions. 

As per information from analytics firm Sensor Tower, Signal was downloaded all around the world multiple times the week before WhatsApp declared the change on 4 January and 8.8 million times the week after. This included big surges in India, where downloads went from 12,000 to 2.7 million, the UK from 7,400 to 191,000, and the US from 63,000 to 1.1 million. In a progression of tweets, Signal said a few people were detailing issues with creating groups and postponements to verification codes showing up in light of the fast development but that it was addressing the issues. 

Telegram has proved to be even more popular, with downloads booming all around the world from 6.5 million for the week starting 28 December to 11 million over the next week. In the UK, downloads went from 47,000 to 101,000. Furthermore, in the US they went from 272,000 to 671,000. During the same period, WhatsApp's worldwide downloads shrank from 11.3 million to 9.2 million. 

One industry watcher said he didn't think this fundamentally spoke to a major issue for WhatsApp, which has been downloaded 5.6 billion times since its launch in 2014. 

"It will be hard for opponents to break user habits, and WhatsApp will keep on being one of the world's most popular and broadly utilized messaging platforms," said Craig Chapple, mobile insights strategist at Sensor Tower. 

WhatsApp reassured its clients that it doesn't keep logs of every individual who is messaging, it can't see your shared location, it doesn't share your contacts to Facebook, and that groups can stay private. It likewise exhorts clients that they actually have the choice to set messages to disappear and that they can't download their information. WhatsApp's clarification may figure out how to reassure a few clients that the privacy changes aren't as troubling as first dreaded, yet for other people, it might have come past the point of no return.

Rogue: An Android Malware That Gives Hackers Full Control Over a Phone

 

Another sort of Android malware that provides hackers with nearly-full access to a client's Android cell phone is doing rounds on underground forums. Colloquially known as 'Rogue' Remote Administration Tool (RAT), the malware infects victims with a keylogger – permitting attackers to effectively monitor the utilization of sites and applications to take usernames and passwords, just as more delicate data like a client's financial data. The malware, as per reports, is accessible on underground forums for as low as $29.99 (generally Rs 2,200).

This low-cost malware undermines a full-scale takeover of a victim's cell phone, observing the GPS area on the target, taking screenshots, utilizing the camera to take pictures, secretly recording sound from calls, and more. The virus does this while being hidden from the owner of the cell phone. All an attacker requires is their own cell phone to give commands on an infected device. This malware has been detailed by cybersecurity researchers at Checkpoint Research as a mix of two past groups of Android RATs - Cosmos and Hawkshaw - and exhibits the advancement of malware improvement on the dark web. 

Rogue is crafted by Triangulum and HeXaGoN Dev, known Android malware creators that have been selling their vindictive products on underground markets for quite a long while. For the development of Rogue, the malware creator evidently joined forces with HexaGoN Dev, which specializes in the building of Android RATs. Beforehand, Triangulum bought projects from NexaGoN Dev. "The mix of HeXaGon Dev's programming skills and Triangulum's social marketing abilities clearly posed a legitimate threat," Check Point's security researchers note.

While there is no single manner by which hackers introduce Rogue, it is normally pushed on a victim's cell phone either by phishing, malevolent applications, or other such techniques. In the wake of being downloaded on a cell phone, Rogue asks for permissions that it needs for the hacker to remotely get to a cell phone. When the permissions are in all actuality, Rogue registers itself as the device administrator and conceals its icon from the home screen. 

The best way to try not to succumb to this is to not click on suspicious links or download applications from outside sources other than Google Play and Apple App Store. Further, it is additionally imperative to ensure all security updates are installed on the device.

Kaspersky announced the creation of the new smartphones with protection from hackers

A smartphone with a secure Kaspersky will have minimal functionality, said the head of Kaspersky Lab, Eugene Kaspersky. According to him, it will have its own basic applications and browser, but the smartphone has other tasks, it's security.

"There will be minimal functionality, but don't wait for beauty, both Android and iOS, this smartphone will perform other special tasks," said Mr. Kaspersky. "The device can call and send SMS, of course, there will be an office suite, its own browser with minimal functionality and a standard set of applications, such as an alarm clock, calculator, and so on,” added he.

So far, Kaspersky Lab does not plan to have an App store on its OS, but this is possible in the future. "Most likely, first we will make our own, and then we will be ready to attract other app stores," said Eugene Kaspersky.

At the same time, he said that smartphones on the Kaspersky operating system may appear next year. The company agreed with a Chinese smartphone manufacturer to install a new OS. 

He noted that the company does not plan to enter the platforms Google and Apple and try to replace them. "Our task is to create a secure phone that is almost impossible to hack, for processing secret and confidential information of both government officials and enterprises, and infrastructure management," said the head of Kaspersky Lab.

It’s interesting to note that Kaspersky Lab has been creating an operating system designed for maximum protection of equipment and operating on the principle of "everything is forbidden that is not allowed" for several years.

Over 600 Million Users Download 25 'Fleeceware' Apps from the Play Store


Researchers at security firm Sophos has discovered a new set of Android apps present on the Google Play Store that contain fleeceware. Notably, these apps have been downloaded and installed by over 600 million unsuspecting Android users.

The term 'Fleeceware' was first coined in September 2019 by cybersecurity firm Sophos in aftermath of an investigation that led to a new kind of financial fraud on the authentic Google Play Store.

Fleeceware is a new addition to the cybersecurity ecosystem, referring to the exploitation of the trial period mechanism in Android apps which generally is provided before one is charged for the full version from his signed up account.

Normally, users who register for an Android app's trial period are required to cancel the same manually in order to avoid being charged. However, it's common among users to simply stop using the app by uninstalling it in case they don't like it. The action of uninstalling is read by the developers as trial period being canceled and hence it doesn't result in the due amount being charged from the user account.

The UK based, a cybersecurity company, Sophos told that it identified over two-dozen android apps containing fleeceware, these apps were charging somewhere around $100 and $240 per year for apps as basic and mainstream as barcode readers, calculators, and QR scanners.

Suspecting the unusually high number of downloads on these apps, analyst Jagadeesh Chandraiah says, it's likely that these apps have resorted to third-party pay-per-install services to raise up the download counts. He also suspects the five-star reviews being fake and bought in order to better the apps ranking on the Play store and hence lure a large number of users.

Warning the users in their report, Sophos told, "If you have an Android device and use the Google Play Store for apps, you should rigorously avoid installing these types of “free trial” apps that offer subscription-based charges after a short trial."

"If you do happen to have a free trial, make sure you understand that merely uninstalling the app does not cancel the trial period. Some publishers require you to send a specific email or follow other complicated instructions to end the free trial before you are charged, though you might just need to log into your Google Pay to cancel. Keep copies of all correspondence with the publisher, and be prepared to share that with Google if you end up disputing the charges." the report further read.

ICQ and Signal are the most secure messengers in Russia, says Vladimir Zykov


Vladimir Zykov believes that ICQ messenger is safer than WhatsApp, but this does not solve the problems. iOS and Android operating systems contain many vulnerabilities that are exploited by hackers.

Choosing a messenger for use, Russians are guided mainly by the advice of friends and their own feelings, said Vladimir Zykov, head of the Association of Professional Network Users and Messengers. The expert is sure that ICQ and Signal messengers are the safest in Russia. But few people use them.

In General, any messenger for a smartphone does not guarantee absolute security, because a vulnerable operating system controls the messenger.

"But if you choose secure mobile software, then the probability of hacking, of course, decreases," said the expert.

According to the expert, the situation is due to the fact that most applications run on mobile devices running the operating systems iOS and Android, developed by American companies Apple and Google. Therefore, they have access to Russian accounts.

"That is, in fact, their owners can connect to your phone and calmly watch from the screen everything that you have there," said he.

Earlier, the creator of Telegram and VKontakte Pavel Durov sharply criticized Facebook. The entrepreneur is unhappy with the protection of information in the WhatsApp messenger.
According to Durov, the application is a kind of Trojan that are not connected in any way with the messenger. This is due to the policy of the American company, which deliberately leaves security vulnerabilities.

WhatsApp, at the same time, is one of the most common messengers among Russians. In addition to it, the Viber application is popular. However, as experts say, these services do not really have high security.

Researchers Found Android Apps on Google Play that Steal Personal Data of Victims and Pose Other Threats



Security researchers identified seven new malicious apps present on Google Play Store that infect devices with adware and malware while laying open the system's backdoor access which ensures a smooth installation of any new functionality that comes along with the application. Other threats include battery drainage and excessive consumption of mobile data.

In recent times, with the mobile malware penetrating its roots in the cyber world, there have been a number of new discoveries from security researchers where they warn of malicious android apps that request sketchy permissions and contain malware. Android platform's openness, flexibility, and excess control are the key factors which make it all the more attractive to the users and likewise, cybercriminals. As a downside, it also provides a more vulnerable space for criminals to exploit by posting adware infected apps to serve marketing interests and steal sensitive user data. These apps can take different forms and mostly, share a similar code structure which indicates a direct link between the developers.

These malicious apps are configured to download and consequently install APKs from a GitHub repository, hence attackers are handling the GitHub communication very sophisticatedly, as a part of which they effectively wait to bypass detection by security officers and malware detection agencies.

Attackers have embedded a GitHub URL within the malicious app code which sets the basis for evading Google Play protect scan. However, while security researchers somehow managed to unearth the configuration data of the malicious apps and related URLs, they were directed to Adware APK which is triggered right after the installation of the infected app. The APK halts for a timeframe of 10 minutes after being triggered to execute the malicious motives.

Here, the aforementioned malicious apps have been posted by three different developers as listed below:

iSoft LLC (Developer) – Alarm Clock, Calculator, Free Magnifying Glass
PumpApp (Developer) – Magnifying Glass, Super Bright LED Flashlight
LizotMitis (Developer) – Magnifier, Magnifying Glass with Flashlight, Super-bright Flashlight

As a security measure for the continuously expanding mobile malware, Google tied up with various mobile security companies that would assist them in detecting bad apps before they hit a download mark over million. Users who have already installed these dropper apps are recommended to uninstall them manually.

Food blogger Jack Monroe lost 5000 Euros in phone number theft



"I lost 5000 Euros when my phone number was hacked and re-used on another sim card," says Jack Monroe. The culprits then successfully received her two-time verification information and obtained her bank and cash records."I was already concerned about the safety and had several steps in check," said Jack in a tweet. The industry was not able to address the "sim-jacking," says a privacy campaigner. The blogger expressed her anger in a tweet when she was told, 'although she would get her mobile number back in no time, the amount stolen will take time to refund.' "The cash taken has cost me very much - I'm a self-engaged freelancer and I have to work for every cent that I make," she tweeted.

The food writer is recognized for her cost-effective recipes and her support for campaigns against poverty. Sim-jacking, or Sim-swapping, is when culprits switch a mobile number with another Sim and use it as their own. This is done by criminals pretending as a consumer who wants to shift to a separate mobile service provider but doesn't want to change the phone number.

While personal information is required before requesting a sim transfer, the information is sometimes already available on the internet. - In this case, Ms. Monroe's date of birth, for instance, was retrieved from the internet. In other cases, the shop keepers or sim providers are often tipped for sim-jacking.

The first sign of sim hijacking for the victim is when their phone stops functioning. "The cases of sim-swapping in England are rare but there have been instances in other parts of the world. The industry is unable to combat the problem of sim-jacking," said Pat Walshe, Director, Privacy Matters, to BBC. The task of sim swapping is not common but one can do it easily if they want to, says Pat.

If ever caught in sim-jacking, the victims should always report the incident to their mobile operator or the ICO (Information Commissioner's Office). "The case should now push the ICO to inquire whether mobile operators and shop owners are actively following the protocol to protect services and data under telecommunication privacy laws," said Pat. The Global System for Mobile Communications, commonly known as 'GSMA' has made an alternative mobile identification verifier known as Mobile Connect. The ICO has been contacted by BBC, regarding the data theft problems.

Telecom Major Airtel Exposes a Major SIM-Swapping Racket


Telecom major Airtel exposes a major SIM-swapping racket that could hijack users' premium numbers and enable the hackers to commit online banking fraud via fake Aadhaar cards.

The complaint filed by Stanely Agenlo, head of facilities, Bharti Airtel, on September 19 reads, ""It has come to Airtel's notice that the Point of Sale have (sic) involved in fraudulent SIM swap of the mobile numbers by forging Proof of Address/Proof of Identity documents of the original customers..."

18 mobile numbers were identified by Airtel in a complaint to the Cyber Crime Police, CID, Bengaluru, where SIM cards were swapped by its retail agents utilizing the 'forged' Aadhaar papers from January 1 to September 19 this year.

The sham was exposed when customers called Airtel helplines saying their numbers had ceased to working all of a sudden and their SIM cards referred to be related to certain 'fancy' numbers ending with digits like 12345, 77777, 33333 and 00000.

“It is suspected these SIM cards might have been used for committing online bank fraud. Further, an internal inquiry by Bharati Airtel disclosed that there is a deep-rooted nexus between the POS retailers and impersonators. The agents committed the above act from January 1to till date,” said Airtel's complaint.

While CID has registered a FIR under the Information Technology Act, 2008 and has already identified a couple of the accused, their sources state that: “We learnt the accused provided SIM cards to customers from other states. But we are not sure of the reason behind the offence; it could be online fraud or just a fancy number racket. But looking at the scale of the fraud, it is unlikely to be limited to fancy numbers alone.”

Police, nonetheless, states that the scam may include thousands of numbers where duplicate SIM cards were procured by adapting to forged identities and address-proof documents, a device progressively being utilized by fraudsters and hackers alike.

When approached for a comment Airtel declined to react on the progress made.

Criticism against Google Play Store on the Rise about Malware-Laced Apps




Google Play Store has come in for a serious criticism as of late, with various alerts about malware-laced apps which have frequently been on the store for quite a long time, or even years, and which have been installed by a huge number of users.

This most recent cautioning concerns four VPNs and two selfie apps, with in excess of 500 million installs between them, all of which contain harmful adware and which look for hazardous system permissions that can exact serious harm.

Regardless of significant efforts to clean house the issue stays pervasive and users stay in danger.

Google Play Protect is therefore one storefront intended to make preparations against application vulnerabilities and, in 2018, Google “detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%."
However, once more the warnings still remain that dangerous applications are as yet accessible for install on Google's official store.

First was a notice from security researcher Andy Michael around four Android VPNs that are 'bombarding devices' with false ads—creating income for their operators to the detriment of the organizations setting the advertisements.

Second, was a notice from security researchers at Wandera that two camera filter apps with more than 1.5 million installs between them have been tainting devices with adware.

In any case Google's Android (and Apple's iOS) is making it progressively simple for users to track permissions granted and application misuse now and every user has been informed to take advantage of every one of the protections set up, clicking with caution and keeping their smartphones protected from the would-be-intruders to every extent they can.

This is all in light of the fact that the clever malware attacks still exist out there—and they can be very difficult to detect.

Google about to Roll Out One of the Most Awaited Features



In 2018, Google broke headlines for tracking its users location even after they disabled the sharing of location history via their privacy settings.

There were complaints against the company, stating, "Google represented that a user ‘can turn off Location History at any time. With Location History off, the places you go are no longer stored.’ This simply was not true."

In the wake of receiving intense criticism over location history, Google came up with necessary adjustments which now allow users to stop the tech giant from tracking them, except for the applications in which location data is of utmost importance such as Waze and Google Maps.

In an attempt to make Google Maps even more secure and trustworthy, the company added enhanced security features related to location privacy in Android 10; to further better the services and regain the lost user trust, Google is planning to add Incognito Mode to Google Maps and the feature is said to be in testing.

Users can always put restrictions on the location data collected by Google Maps by signing out of their Google account, but it will come at the cost of their convenience, therefore, Google is planning to introduce Incognito Mode which can be turned on by the users in the same way they do it for Youtube or Google Chrome to delink the search or navigation data from their main Google account.

In order to activate Incognito Mode, users can simply choose the option from their Google account avatar and they will be informed about the app being in incognito mode by a black status bar and the marker indicating the location will turn into dark from blue to mark the change.

To enable the feature, users are recommended to install Preview Maps version 10.26 or higher and for those who are not a part of Preview Maps test group, wait until the company releases it on a wider scale.


Hackers Exploiting a Critical Weakness in Mobile Phones to Track Location



The interface designed for the usage of cell carriers is being exploited heavily by attackers. It allows the cell carriers to get in direct touch with the SIM cards inside subscribers' smartphones, the interface can be employed by the carriers for allowing subscribers to make use of the data stored on their SIM card to provide account balances along with other specialized services.

Hackers can secretly track the location of subscribers by exploiting the interface and giving commands to acquire the IMEI identification code of device; the Simjacker exploit further allows them to carry out actions such as making calls or sending messages.

According to the researchers at AdaptiveMobile Security, the working of the Simjacker exploit is not limited to a few devices, rather, it can be carried out on a wide range of mobile phones, irrespective of their software or hardware.

Unfolding the various aspects of the attack, Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits told Ars, “This attack is platform-agnostic, affects nearly every phone, and there is little anyone except your cell carrier can do about it.”

While commenting on the issue, Karsten Nohl, the chief scientist at SRLabs, told Ars, “We could trigger the attack only on SIM cards with weak or non-existent signature algorithms, which happened to be many SIM cards at the time,”

 “AdaptiveMobile seems to have found a way in which the same attack works even if signatures are properly checked, which is a big step forward in attack research.” He added.

iPhone hacking sites were also after Android, Windows users


Those hackers Google’s researchers sussed out earlier this week apparently went after more than just iPhone users. Microsoft’s operating system along with Google’s own were also targeted, according to Forbes, in what some reports are calling a possibly state-backed effort to spy on the Uighur ethnic group in China.

Google’s Threat Analysis Group was the first to discover the scheme earlier this year (news of the campaign was first disclosed Thursday). It involved a small group of websites aiming to infect visitors’ devices to gain access to their private information, including live location data and encrypted information on apps like on WhatsApp, iMessage, and Telegram. These websites were up for two years, during which thousands of visitors purportedly accessed them each week.

In February, Google notified Apple of 14 vulnerabilities the site’s malware exploited, which the company fixed within days with iOS 12.1.4. Apple disclosed in that update that the flaws, referred to as “memory corruption” issues, were fixed with “improved input validation.” The company hasn’t publicly addressed Google’s account of the hack since the news broke earlier this week.

While the Google team only reported iPhone users being targeted by this attack, sources familiar with the matter told Forbes that devices using Google and Microsoft operating systems were also targeted by these same sites. Thus widening the potential scale of an already unprecedented attack.

Whether Google found or shared evidence of this is unclear, as is whether the attackers used the same method of attack as they did with iPhone users, which involved attempting to sneak malicious code onto users’ phones upon their visit to the infected websites. When asked about these reported developments, a Google spokesperson said the company had no new information to disclose. We also reached out to Microsoft and will update this article with their statements.

Sensors existing in smartphones themselves present a gateway to hackers.

According to a study led by an Indian-origin scientist Shivam Bhasin, NTU Senior Research, data from your smartphone sensors can reveal PINs and passwords to hackers and allow them to unlock your mobile devices. Researchers from Nanyang Technological University (NTU) in Singapore used sensors in a smart phone to model which number had been pressed by its users, based on how the phone was tilted and how much light is blocked by the thumb or fingers.

Instruments in smart phones such as the gyroscope and proximity sensors represent potential security vulnerability, said researchers.

Utilizing machine learning calculations  and algorithms and a combination of data gathered from six different sensors found in smartphones, the researchers accomplished in unlocking Android smart phones with 99.5 per cent precision in just three tries, while tackling a phone that had one of the 50 most basic and common PIN numbers.

The team of specialists took Android phones and installed a custom application which gathered information from six sensors: accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor.

"When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9," said Bhasin.

Albeit every individual enters the security PIN on their phone in a different way, the researchers demonstrated that as information from more individuals is fed to the algorithm after some time, the success rates improved.

So while a vindictive application will most likely be unable to effectively figure a PIN  instantly after installation, but by using machine learning, it could gather information from a huge number of users over time from each of their phones to take in their PIN entry pattern and then dispatch an attack later when the success rate is substantially higher.

The study demonstrates how gadgets with apparently strong security can be attacked using a side-channel, as sensor information could be redirected by vindictive applications to keep an eye on the user behaviour and help to access the PIN  and password data, said Professor Gan Chee Lip from NTU.

To keep Mobile phones secure, Dr Bhasin encourages users to have PINs with more than four digits, combined with other validation techniques like one-time passwords, two-factor confirmations, and unique finger impression or facial recognition.

Be careful with whom you share your Jio Hotspot!

If you are sharing your Jio internet with others via mobile hotspot, you should know what is the risk that you are taking.  Our research shows that sharing your Jio with others puts your sensitive information in their hands.

The person who is using your Jio Internet can easily log into your Jio account. All they have to do is download the MyJio app and click "SIGN IN WITH SIM". 

Steps to replicate:
Step 1:
    You should have two phones - one with Jio Sim and another one with non-Jio SIM(make sure you have not installed Jio app in the second phone yet).

Step 2:
    Turn on Wi-Fi hotspot in the Jio phone and connect from your non-Jio phone

Step 3:
    Install Jio app from playstore and open.  When it is asking for authentication, click "SIGN IN WITH SIM". Now you will be able to access the Jio account from your non-Jio mobile.

View/Modify Details:
After logging in, it is possible to view sensitive information including name, date of birth, mobile number, alternate contact work, address, photo, usage details.  Also, some of the details can be edited.



Once you are logged in, the session is getting maintained even if you are disconnected from the Jio network.

Account lockout:
If you mistakenly log out from the Jio-phone when it is logged in the non-Jio phone, you won't be able to log in to your Jio app unless the other person logs out from the app.

If the victim has installed Jio Security app, it is possible for an attacker to track the current location or see the last location details.

Let's say that you are in public place and a stranger(attacker) asking for Internet connection to check his email.  If you share the Internet, it is enough for the attacker to steal your sensitive information.

The issue can be resolved by adding OTP Check when doing authentication.

We thank Suriya Prakash from Cyber Security & Privacy Foundation(CSPF) for helping us with this research.

Tapjacking in Android devices can lead to malware download

The functionality of overlaying multiple activities in Android API can be combined with handling of events to trick users into downloading malicious applications without the user's knowledge.

The authorization  « android.permission.SYSTEM_ALERT_WINDOW » existing since the first version of the developer API and affecting even the last version of the application « Google Play Store »  can be used to create alerts which always stays on the top e.g. low battery levels which are used in the systems. Now, this alert window can be not touchable.

This not touchable window can be programmed so that touch events are never transmitted to this window or touch events can be automatically transmitted to underlying activity. So, utilizing the android API functionality a different event window can be placed underneath this not touchable window.

Since the alert window can be utilized to communicate touch events to an underlying window, the attacker can place buttons and images at right locations for the victims to touch it. It would then be relayed to the window beneath which would cause a application to be downloaded without any intent of the user.

Increasingly as the users have become alert towards downloading apps which ask for control to contacts, texts or images, the challenge to the attackers lie in tricking the users to  download without even showing the app terms and policies. 

So,this "tapjacking" can be applied by attackers to lead users to download malicious apps. It can be conducted in games or any other kinds of applications. Though a theoretical security issue till now, technically, this method can be exploited to infect all kinds of Android devices, irrespective of the version. It has been tested on Nexus 4 under Android 4.3,Android 4.4 and Nexus 5 under Android 4.4 by NES security lab and a notification has been sent to the Android security team for its resolution.

Lookout Prediction says More mobile malware expected in 2012 : Malwarenomics

Lookout Mobile Security released "Malwarenomics: 2012 Mobile Malware Predictions" .  The report says mobile malware attack will be increased in 2012, more malware will masquerade as legit apps and leads to fake sites.

Money seems the most significant motivation behind the most egregious mobile malware Lookout studied:
When mobile malware producers are able to steadily increase profits from infections more than they pay to infect devices, the industry will grow rapidly. There are a number of trends seen in 2011 that we expect to carry over into 2012 (perhaps at a greater rate) that will drive down the cost of infection and drive up profitability.

From their 2011 research on mobile threats, the company identified some specific instances where consumers should use extra caution when downloading apps or clicking links on their phone:

  • Visiting third party app stores. Lookout found that malware writers often test malware in alternative app markets before trying to place it in the Android Market or App Store. When discovered, malware is usually pulled more quickly from these primary distributors than it is from alternative markets. The likelihood of you encountering malware on an alternative app store increases dramatically.
  • Downloading gaming, utility and porn applications. Be careful to check reviews on these apps before you download. We found that these types of apps are most likely to have malware hidden inside of them.
  • Clicking on a shortened URL (e.g. bitly link) in an SMS message or on a social networking site. Users are three times more likely to click on a phishing link on their mobile device than they are on their PC (Trusteer 2011). Because we expect malware writers to increase web-based distribution, it’s time to start using extra caution when clicking on links on our mobile phones.
  • An app asks you to click “OK”. Don’t “auto pilot” through the prompts an app shows you in order to perform a certain function or deliver a service. Sometimes these apps are greyware, which hide in fine print that they will charge you via premium rate text messages.
  • Clicking on in-app advertisements. Not all advertisements are bad. In fact, most are okay. But some are examples of malvertising and could direct you to a malicious website, prompt you to download malware, or violate your privacy. When clicking on ads, you need to make sure that the ad directs to where you expect to be directed.

Apple Exiles Charlie Miller( A Serial Hacker) for publishing iPhone exploit

 Apple exiles a Security Researcher Charlie Miller from its developer program.Apple just sent a clear message to malicious hackers and security researchers alike: Keep your hands off the App Store.

He has exposed lot of critical vulnerabilities in Apple's Mac and mobile platforms.  Recently, he has found a way to sneak a fully-evil app onto your phone or tablet, right under Apple’s nose.



At the SysCan conference in Taiwan next week, Miller plans to present a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone or iPad’s memory. Using his method–and Miller has already planted a sleeper app in Apple’s App Store to demonstrate the trick–an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

After few hours, Apple send an email that informed "This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple".

Video Demo of iPhone Bug:


In February, Apple invited security researchers to become part of its developer program to test its Lion operating system. Miller says he had already paid for his own developer license. “They went out of their way to let researchers in, and now they’re kicking me out for doing research,” Miller says. “I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

According to Forbes, the Miller’s application has now been removed from the App Store.

Free AVG Mobilation Application for Android ~ Anit Malware



Android becomes popular , at the same time  malware for Android mobiles started to increase rapidly.  In order to provide mobile security AVG released AVG Mobilation App for Android.  There are two versions available , Free and Pro.   They offer the full "pro" version with a value of around € 7

AVG Pro
"AVG Pro Mobilation" scans Android under individual applications, and media files for viruses. In addition, you can locate your cell phone using GPS on a Google Map. This is especially handy if you have lost your Android device, or it was even stolen. However, you must advance your device via e-mail address registered on the app

The security app also allows you to create backups in order to recover critical applications and data at any time. This service is still in beta phase. Next you delete with "AVG Pro Mobilation" individual tasks that reduce the speed of your mobile phone.

How safe are Mobilation AVG Pro
Exclusive to the Pro version of AVG Mobilation app you will also receive protection from virus-infected message. Also, you can block spam messages with the app.

The anti-virus feature is updated regularly, of course. New features in this version, however you will not be recorded via an update - unless you purchase "AVG Pro Mobilation" later bought.

AVG Anti-virus Free
"AVG Anti-Virus Free" Android scans under a single application, and media files for viruses. In addition, you can locate your cell phone using GPS on a Google Maps map. This is especially handy if you have lost your Android device, or it was even stolen.

The free app that allows to create backups in order to recover critical applications and data at any time. Next you delete with "AVG Anti-Virus Free 'individual tasks that reduce the speed of your mobile phone.

Get Free version from Here.