All articles tagged with #mobile security
Researchers found 1,575 vulnerabilities across 10 Android mental-health apps with more than 14.7 million total installs, including insecure URI handling, local data exposure, hardcoded API endpoints, and weak token generation, potentially exposing therapy transcripts and other sensitive data; it's unclear if the issues have been fixed.
Researchers have uncovered a new Android click-fraud Trojan family that uses TensorFlow.js to visually identify ad elements and automatically click them. It runs in two modes: phantom, which uses a hidden WebView-based browser to load pages and a loaded ML model to tap the correct UI elements, and signalling, which streams a live video of the virtual screen via WebRTC to allow attackers to perform actions in real time. The malware is distributed through Xiaomi GetApps by infected games, and via third-party APK sites and Telegram/Discord channels promoting modified apps. Impact includes battery drain and higher data usage; users are advised to avoid sideloading apps outside Google Play.
The article advocates for moving away from Google's control of Android towards open-source alternatives like PostmarketOS, emphasizing the importance of open platforms for user freedom, privacy, and innovation. It discusses the challenges posed by corporate control, security concerns, and regulatory issues, urging collective effort and legislative action to promote open technology and reduce dependency on proprietary systems.
ClayRat is a sophisticated Android spyware campaign targeting users in Russia by impersonating popular apps like WhatsApp and TikTok through fake websites and Telegram channels. It can exfiltrate sensitive data, take photos, and propagate itself by sending malicious links to contacts. The malware uses obfuscation and fake app installers to bypass security measures, and while Google Play Protect offers some protection, the threat highlights ongoing risks from pre-installed apps with elevated privileges.
A vulnerability in the Unity game engine could allow malicious code to target Android users' crypto wallets, with patches being rolled out to fix the issue. Users are advised to update their games, avoid sideloading apps, and practice good security hygiene to protect their wallets. The vulnerability affects Unity projects dating back to 2017 and could potentially lead to device compromise or credential theft.
You can repurpose old Android or iPhone devices as security cameras by installing free apps like Alfred Camera, positioning them in strategic locations, and powering them with a nearby source, providing an affordable way to enhance home security and monitor your property remotely.
Google is ending the ability to sideload unverified apps on Android devices to enhance security and ensure all app developers are verified, marking a shift away from a key feature that distinguished Android from iOS.
The FBI warns iPhone and Android users about a surge in QR code-based scams where malicious codes are used to steal personal and financial information, urging caution and avoidance of unknown QR codes to prevent malware infections and data theft.
The FBI warns against replying to unknown or suspicious text messages, which are increasingly used by organized criminal gangs for scams like fraud and romance schemes. Experts recommend verifying sender identities independently and using tools like Australia's Truyu app or MalwareBytes' Scam Guard to detect and prevent these scams, which pose significant risks to personal data and finances.
The TSA warns travelers to avoid public WiFi and USB charging stations at airports due to cybersecurity risks like data theft and malware, emphasizing the importance of using secure connections and trusted charging sources to protect personal information during travel.
AT&T has introduced a new feature called Wireless Account Lock, allowing customers to prevent unauthorized changes to their accounts and protect against SIM swapping attacks by enabling a simple switch in the myAT&T app, with similar protections offered by other major US carriers like T-Mobile and Verizon.
Android 16 will introduce a new security feature that alerts users to potential Stingray surveillance by detecting connections to suspicious or insecure mobile networks, helping to protect against digital eavesdropping and fake cell towers, although full protection depends on hardware support and upcoming device updates.
A $1 phone scanning tool developed by iVerify has detected seven instances of Pegasus spyware among 2,500 scans, highlighting the widespread use of such malware globally. The tool's development required significant investment due to the locked-down nature of mobile operating systems like iOS and Android. The findings, to be presented at a security conference, underscore the need for accessible spyware detection tools, as evidenced by the tool's role in identifying spyware on devices linked to political figures and activists. This development challenges the assumption that mobile devices are inherently secure.
The FBI has issued a warning about potential cyber attacks from China targeting American infrastructure, specifically through vulnerabilities in iPhone and Android text messaging. The hacking campaign, known as Salt Typhoon, has reportedly compromised major telecom companies like AT&T, Verizon, and Lumen Technologies. To protect communications, the FBI advises using encrypted messaging apps like Signal and WhatsApp, and ensuring devices receive timely updates and employ strong multi-factor authentication.
Cybersecurity firm iVerify has detected new infections of the Pegasus spyware, developed by NSO Group, on mobile devices of ordinary professionals and civilians, challenging the belief that such spyware only targets high-profile individuals. Their Mobile Threat Hunting feature found a 2.5 per 1,000 scan infection rate, revealing a more widespread issue than previously thought. The findings highlight significant gaps in current mobile security practices and emphasize the need for more robust, user-accessible security measures.