Well hello there! Welcome to your weekly digest of the mobile security news that matters -- #MobSec5.
August 7 · Issue #67
This edition includes:
- Infamous mobile banking malware family continues to evolve
- Survey says security and privacy are key factors in users’ decisions to sign-up for mobile apps
- Apple pulls VPN apps from the App Store in China
Thanks for reading. Have a great weekend, be good, and stay safe.
A new era in mobile banking Trojans | Securelist
“In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.” Android malware from the Svpeng family was one of the first to abuse Android’s screen overlay or “draw on top” functionality in an attempt to trick users into giving up credentials. Read our blog post about Android overlay malware and what users can do to protect themselves against it.
Five new threats to your mobile device security | CSO Online
“While Apple and Android have made strides in creating more secure and robust operating systems, malicious actors continue to pump out new and more deceptive malware. What’s more, security is still not a top priority in app design, with some apps allowing users to store or pass credentials in the clear or by using weak encryption.” One example of Google improving the security of the Android operating system is its SafetyNet Attestation API. The API allows an app to check whether it’s running on a known, standard build of Android (and not a modified, rooted, or potentially compromised device). Rooted Android devices are a potential security threat to mobile apps and users because the rooting process sidesteps security features in standard Android builds and makes the user an administrator. We recently conducted a Google SafetyNet Attestation API study and found that less than 1 percent of the popular Google Play™ store apps we tested used the feature. And not all of those apps implemented the API properly. One app in particular performed a local attestation check, which puts the trust in the client — a bad security model.
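The contrast drawn above, a local check that trusts the client versus verification done by the app's own backend, is the part of SafetyNet Attestation that apps most often get wrong. The following is an added example (not code from NowSecure, Google, or any app in the study) of the server-side half: the backend issues a single-use nonce bound to a session, the device obtains an attestation JWS for that nonce, and the backend decodes the JWS payload and applies the policy checks. The package name, certificate digest and session identifiers are constructed placeholders, and the example assumes the JWS signature has already been verified against a certificate chain whose leaf is issued to attest.android.com and that chains to a trusted root (a step that needs a crypto library and is not performed here).

```python
import base64
import json
import secrets
import time

# Constructed expectations for a hypothetical app; a real deployment pins the
# package name and the base64 SHA-256 digest of its own signing certificate.
EXPECTED_PACKAGE = "com.example.bankingapp"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER-BASE64-SHA256-OF-SIGNING-CERT"}
MAX_AGE_SECONDS = 300      # reject attestations older than this
CLOCK_SKEW_SECONDS = 60    # tolerate a slightly fast device clock


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class NonceStore:
    """Server-side record of issued nonces. Each nonce is bound to one session
    and may be consumed exactly once, which defeats replay of a captured
    attestation and prevents a tampered client from choosing its own nonce."""

    def __init__(self):
        self._issued = {}

    def issue(self, session_id: str) -> str:
        nonce = _b64url_encode(secrets.token_bytes(24))
        self._issued[nonce] = session_id
        return nonce

    def consume(self, nonce: str, session_id: str) -> bool:
        return self._issued.pop(nonce, None) == session_id


def decode_jws_payload(jws: str) -> dict:
    """Split a compact JWS (header.payload.signature) and decode the payload.
    Assumption: the signature and the x5c certificate chain in the header have
    already been validated; this function only checks the structure."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if "x5c" not in header:
        raise ValueError("JWS header carries no certificate chain")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_attestation(payload: dict, session_id: str, nonces: NonceStore,
                         now: float = None):
    """Apply the backend policy to a decoded attestation payload.
    Returns (accepted, reason). Every decision is made here, on the server;
    the client is never asked whether it considers itself trustworthy."""
    now = time.time() if now is None else now
    nonce = payload.get("nonce")
    if not nonce or not nonces.consume(nonce, session_id):
        return False, "nonce not issued for this session or already used"
    ts = payload.get("timestampMs", 0) / 1000.0
    if not (now - MAX_AGE_SECONDS <= ts <= now + CLOCK_SKEW_SECONDS):
        return False, "attestation timestamp outside acceptance window"
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        return False, "package name mismatch"
    if not set(payload.get("apkCertificateDigestSha256", [])) & EXPECTED_CERT_DIGESTS:
        return False, "signing certificate digest mismatch"
    if not payload.get("basicIntegrity", False):
        return False, "basicIntegrity failed"
    if not payload.get("ctsProfileMatch", False):
        return False, "ctsProfileMatch failed"
    return True, "ok"


def sample_payload(nonce: str, now: float, cts: bool = True, basic: bool = True) -> dict:
    """Constructed payload in the shape of a SafetyNet attestation response."""
    return {
        "nonce": nonce,
        "timestampMs": int(now * 1000),
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": ["PLACEHOLDER-BASE64-SHA256-OF-SIGNING-CERT"],
        "ctsProfileMatch": cts,
        "basicIntegrity": basic,
    }


def build_constructed_jws(payload: dict) -> str:
    """Constructed, unsigned JWS for offline demonstration only; a real response
    is signed by Google and carries a genuine x5c chain in the header."""
    header = {"alg": "RS256", "x5c": ["CONSTRUCTED-PLACEHOLDER-CERT"]}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


if __name__ == "__main__":
    store, sid, t0 = NonceStore(), "session-1", time.time()
    token = build_constructed_jws(sample_payload(store.issue(sid), t0))
    print(evaluate_attestation(decode_jws_payload(token), sid, store, now=t0))
```

The order of checks matters: the nonce is consumed first so that a response which fails a later check can still not be replayed, and the timestamp window is enforced before any of the integrity flags are consulted. A client-only check of `ctsProfileMatch` has none of these properties, because a rooted or repackaged app can simply report whatever value the code expects.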
5 Ways to Improve the User Experience of Mobile App Onboarding | Clutch.co
“When it comes to the app onboarding process, users want clarity, security, and ease, according to Clutch’s new survey on mobile app onboarding.” The survey reveals that a mobile app’s security and privacy practices play a critical role in users’ decision whether or not to use it. Ninety percent of survey respondents said the security of the personal information they share during registration is important to them, and 75 percent said it’s very important. Eighty-two percent of respondents said understanding why an app needs certain pieces of personal information and requests certain permissions (e.g., location services or camera access) is important to them as they consider signing up for an app. Instill users’ trust in your mobile app by certifying your app’s security, privacy and compliance. NowSecure can help with software for custom app analysis and deep-dive penetration testing or with our managed services.
Amazon suspends sales of BLU phones due to alleged spyware, BLU denies wrongdoing | Android Police
“BLU is one of many low-end phone manufacturers, known for its dirt-cheap unlocked Android phones. But back in November, a security firm discovered spyware on some BLU phones sold in the United States, prompting Amazon to stop selling the affected devices until the issue was resolved.”
This is the second time Amazon has halted sales of BLU mobile phones due to allegations that the phones violate users’ privacy. Most recently, researchers claim that BLU mobile phones send MAC addresses, IMEIs, phone numbers, cell phone tower IDs, and lists of installed apps to servers in China.
Defeating Samsung KNOX With Zero Privilege [Black Hat USA 2017 slides] | Speaker Deck
“In this talk I will describe how I used an exploit chain to defeat the Samsung KNOX 2.6 with zero privilege, including KASLR bypassing, DFI bypassing, SELinux fully bypassing and privilege escalation.”
Reckless IV: Lawyers for Murdered Mexican Women’s Families Targeted with NSO Spyware | The Citizen Lab
“Lawyers for families of 3 slain Mexican women were sent infection attempts with NSO Group’s spyware after questioning official accounts of the killings.”
The DEA Met With Controversial iPhone Hackers NSO Group | Motherboard
“The news highlights law enforcement agencies’ increased interest in using hacking tools and malware, as well as NSO’s efforts to enter the lucrative US market.”
Announcing Nearby Connections 2.0: fully offline, high bandwidth peer to peer device communication | Android Developers Blog
“At I/O this year, we spoke about a refresh to the Nearby Connections API that can provide high bandwidth, low latency, encrypted data transfers between nearby devices in a fully-offline P2P manner. Today we’re announcing the availability of this API across all Android devices running Google Play services 11.0 and up.”
Apple Removes Apps From China Store That Help Internet Users Evade Censorship | The New York Times
“The world’s most valuable company appears to have pulled down the apps amid China’s deepening crackdown on tools that evade internet controls.” Apple removed a number of VPN apps from the App Store in China because the apps’ developers didn’t have a government-issued license to operate a VPN. Some were surprised by Apple’s acquiescence in light of the company refusing to help the FBI unlock an iPhone last year. The two situations are different according to Apple CEO Tim Cook who said “In the case of the U.S., the law in the U.S. supported us. It was very clear. In the case of China, the law is very clear there. Like we would if the U.S. changed the law here, we have to abide by them in both cases.”
Destination PWND: Safes, ATMs, phones all fall to Vegas hax0rs | The Register
“We’ve seen the pathetic state of the US electronic voting system exposed, claims of advanced eavesdropping at the Standing Rock camps and elsewhere, killer car washes and the awards for this year’s biggest blunders and best research.”
Google Wants Symantec Certificates Replaced Until Chrome 70 | SecurityWeek.Com
“After several months of debate, Google has released its final proposal in the case of Symantec’s certificate authority (CA) business. All Symantec-issued certificates must be replaced by the time Google releases Chrome 70 next year.” An article on the CSO website suggests that Symantec has decided to avoid the issue altogether by selling its SSL/TLS and IoT businesses to DigiCert.
New Bill Seeks Basic IoT Security Standards | Krebs on Security
“Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras.”
Nation-states are biggest cyber threat for drug and medical device makers | Help Net Security
“Government-sponsored hackers were seen as the biggest threat to cyber security among infosec executives at drug and medical device makers.”
Alexa, are you listening? | MWR Labs
“The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering.”
Congress asks U.S. agencies for Kaspersky Lab cyber documents | Reuters
“A U.S. congressional panel this week asked 22 government agencies to share documents on Moscow-based cyber firm Kaspersky Lab, saying its products could be used to carry out ‘nefarious activities against the United States,’ according to letters seen by Reuters.”