Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Feed last updated: Tue, 03 Jan 2023 00:31:14 +0000

Google Agrees to Pay $29.5 Million to Settle Lawsuits Regarding the Tracking of Users’ Locations
https://www.securitynewspaper.com/2023/01/02/google-agrees-to-pay-29-5-million-to-settle-lawsuits-regarding-the-tracking-of-users-locations/
Tue, 03 Jan 2023 00:31:12 +0000

Google has agreed to pay a combined $29.5 million to settle two separate lawsuits, brought by Indiana and the District of Columbia, over its “deceptive” location tracking practices.
The complaints followed revelations in 2018 that the company kept tracking the movements of Android and iOS users through a setting called Web & App Activity even after they had turned off Location History.

Google was also accused of using dark patterns: design choices intended to trick users into actions that compromise their privacy and share more information than they knowingly consented to.

In a press release issued last Monday, the state of Indiana said that “Google utilizes location data obtained from Indiana customers to develop extensive user profiles and target advertising,” and that “Google has deceived and misled users about its methods since at least 2014.”

Under the settlements, the search and advertising giant will pay $9.5 million to the District of Columbia and $20 million to Indiana. Both lawsuits alleged that the company tracked users’ whereabouts without their prior consent.

The payment comes on top of the $391.5 million that Google agreed to pay to 40 states last month to resolve similar charges. The company still faces location-tracking lawsuits in Texas and Washington.

Under the terms of the settlement, Google must show users who have Location History and Web & App Activity enabled whether their location data is being collected, along with instructions for disabling those settings and deleting the data.

Google is also expected to maintain a web page detailing every category and source of location data it collects, and to refrain from sharing users’ precise location data with third-party advertisers without their express consent.

It will also be required to automatically delete any location data obtained from a “device or from IP addresses in Web & App Activity within 30 days” of collection.

In November 2022, the Mountain View-based company said it had rolled out several privacy and transparency changes that let users automatically delete location data associated with their accounts, and that the lawsuits were based on “outdated product rules.”

Google also said it would provide more “specific” information in the Web & App Activity controls, set up an information hub, and add a new toggle that lets users turn off both Location History and Web & App Activity and delete historical data in “one easy step.”

How to download paid applications for free from Huawei AppGallery: New vulnerability found
https://www.securitynewspaper.com/2022/05/20/how-to-download-paid-applications-for-free-from-huawei-appgallery-new-vulnerability-found/
Fri, 20 May 2022 16:27:18 +0000

Since then-U.S. President Donald Trump signed an executive order imposing restrictions on Chinese technology companies, Huawei has seen its ambition to become one of the world’s largest smartphone makers cut short. Still, millions of people use Huawei phones, which, unable to ship the Google Play Store, include Huawei’s own set of services instead.

The centerpiece of these services is Huawei AppGallery, the company’s own app store, which works essentially the same way as the Play Store. Researcher Dylan Roussel investigated how the AppGallery app works and discovered an API that takes a package name as a parameter and returns a JSON object with the application’s details. The finding piqued Roussel’s curiosity, so he kept digging to see what else he could find.

For his tests, the researcher queried the API with the package name of the AppGallery app itself:

{
  "app": {
    ...
    "name": "AppGallery",
    "openCount": 0,
    "openCountDesc": "",
    "openurl": "",
    "permissions": [],
    "pkgName": "com.huawei.appmarket",
    "price": "0",
    "productId": "",
    "rateNum": "0",
    "recommImg": "",
    "releaseDate": "2022-04-20 17:03:53",
    "sha256": "2e1a1ce4e86cbfc87f05411a2585e557af78b893f6be85f8f6cb93f889faee05",
    "size": "50347219",
    "tagName": "",
    "updateDesc": "",
    "url": "https://appdlc-dre.hispace.dbankcloud.com/dl/appdl/application/apk/40/4037feaa91cf453ca2dd1ebf444aedaa/com.huawei.appmarket.2204201539.apk?sign=mw@mw1651866832368&maple=0&distOpEntity=HWSW",
    "version": "12.1.1.302",
    "versionCode": 120101302
  },
  ...
}

The API returns a range of details, including various IDs, the app version, logos and other images, descriptions, requested system permissions, and the price. It also returns a direct download URL for the app’s APK.

Having tried the lookup on a free app, Roussel repeated it with the package name of a paid app. The response again included a download link with the same kind of sign parameter at the end, and the researcher was able to download the application and use it normally.

To rule out a one-off mistake, the researcher repeated the test with the package names of two more apps and a mobile game, all of which he was able to download and use. Notably, the game included a license check, which did not stop him from playing without paying.

Roussel finds it hard to believe that AppGallery is affected by such a simple flaw, given that the store hosts the work of dozens of developers who rely on it for revenue.

The good news is that Huawei is already aware of the bug, although a working fix will take a few more days to complete. Everything is expected to be fixed by May 25.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

More than 200 apps on Play Store with millions of downloads are stealing users’ passwords and sensitive information
https://www.securitynewspaper.com/2022/05/17/more-than-200-apps-on-play-store-with-millions-of-downloads-are-stealing-users-passwords-and-sensitive-information/
Tue, 17 May 2022 19:28:16 +0000

Researchers at Trend Micro have identified a set of mobile apps on the Google Play Store that perform malicious tasks in the background, including stealing Android users’ credentials and banking details. Some of these apps have close to 100,000 downloads, so the scope of the problem is considerable.

In total, the analysis identified 200 malicious applications that embed code from dangerous malware families, capable of putting users of affected devices in serious trouble.

Simple tools, complex issues

One of the main threats identified is Facestealer, a spyware family that steals Facebook login credentials, enabling follow-up phishing campaigns, social engineering and invasive advertising. Facestealer is constantly updated and exists in multiple versions, which makes it easier for new variants to slip into the Play Store.

Daily Fitness OL is described as a fitness tool offering exercise routines and demonstration videos. Although nothing seems wrong with the app at first glance, an in-depth analysis shows that its code hides a Facestealer payload.

When the user opens the app, it requests its encrypted configuration from hxxps://sufen168.space/config. That configuration prompts the user to log in to Facebook, after which the app launches a WebView to load a malicious URL and injects a snippet of JavaScript into the loaded page to steal the user’s credentials.

Once the user logs in to their Facebook account, the app collects the session cookies, and the spyware encrypts the harvested information before sending it to a remote server.

Other malicious apps, such as Enjoy Photo Editor and Panorama Camera, also carry Facestealer payloads and follow a very similar attack process, with variations in some stages or methods.

Risk for crypto investors

The experts also identified more than 40 fraudulent cryptocurrency apps posing as legitimate tools, even copying their branding or using similar names. Their developers use fake ads to push victims into buying supposed Premium versions at high prices.

Tools like “Cryptomining Farm Your Own Coin” show no invasive behavior even in test environments, which lets them evade the Play Store’s security checks. However, when a user tries to connect a Bitcoin wallet to the app, a message asks them to enter their private keys, a clear red flag that something is wrong.

The analyzed sample was built with Kodular, a free online suite for mobile app development; Trend Micro notes that most of the fake cryptocurrency apps use the same framework.

The analyzed app merely loads a website and does not even have the capability to simulate mining processes or cryptocurrency transactions.

The loaded website invites users to join a cloud mining project, luring them toward the real start of the attack: the site then asks them to link a digital wallet in order to collect their private keys, which are transmitted and processed without any encryption at all.

Although the malicious applications were reported to Google and have already been removed from the official store, the researchers believe the company must substantially improve the Play Store’s security measures, since developers of malicious applications keep finding ways to evade the store’s vetting, putting millions of users at risk.

GO Keyboard, an app with over 100 million downloads, has full access to the phone and contains tracking code from 20 companies, including Google, Facebook, Amazon and the Russian government
https://www.securitynewspaper.com/2022/05/06/go-keyboard-an-app-with-over-100-million-downloads-has-full-access-to-the-phone-and-contains-tracking-code-from-20-companies-including-google-facebook-amazon-and-the-russian-government/
Fri, 06 May 2022 16:39:37 +0000

Security researcher Wolfie Christl has detailed how a seemingly harmless custom keyboard app with millions of downloads has almost complete access to the devices it is installed on, while also embedding tracking code from 20 companies, including Google, Facebook, Amazon and other data brokers, some linked to the Russian government.

GO Keyboard – Emojis & Themes is described as a keyboard customization app, with more than 1,000 themes, emojis and fonts for users to add to their devices. Its Google Play Store listing shows more than 100 million downloads and even assures users that their confidential information will never be collected, a claim there is already reason to doubt.

Because the app is still on the Play Store, any Android user might assume it is a trustworthy tool. Unfortunately, unscrupulous developers sometimes manage to evade the app repository’s security mechanisms, either by hiding dangerous payloads or, as in this case, by requesting highly invasive permissions on the affected systems.

According to Christl, the GO Keyboard code contains a total of 27 trackers, which collect data about characteristics of the smartphone or the user’s activity, mainly for marketing purposes. Among the trackers used by GO Keyboard are Amazon Advertisement, Facebook Ads, Facebook Analytics and Google AdMob.

The app also contains code from myTarget, an advertising platform operated by Mail.Ru Group that covers all major Russian-speaking social networks.

On top of that, at installation GO Keyboard requests 27 permissions on the system, including access to the device’s precise location, running a foreground service, viewing network connections, full network access, use of the device’s camera, audio recording, reading, modifying and deleting the contents of the SD card, and preventing the device from sleeping. Specialists at Exodus, which detects whether mobile apps contain third-party tracking code, find it worrying that a simple tool for customizing a smartphone’s keyboard requests so many permissions.

These findings have already been shared with Google, although the app remains available on the Play Store and its developers do not appear to have made any changes. Hundreds of other applications follow similar practices, accumulating millions of downloads and exposing users to all kinds of risks. As usual, the recommendation for Android users is to uninstall this app from their devices.

You can earn 1.5 million dollar by finding vulnerabilities in Android 13 Beta
https://www.securitynewspaper.com/2022/05/02/you-can-earn-1-5-million-dollar-by-finding-vulnerabilities-in-android-13-beta/
Mon, 02 May 2022 21:28:57 +0000

Google has temporarily increased the payouts in its vulnerability bounty program for researchers who report flaws in Android 13 Beta, in a bid to significantly improve the security of the next iteration of its mobile operating system. Until May 26, researchers who find security flaws in this version will receive a bonus of 50% on top of the original bounty amount.

The maximum bounty under Google’s program is $1 million USD, applicable to remote code execution on the Titan M chip used in Pixel devices. Via Twitter, Google explained: “Vulnerabilities in Android 13 Beta discovered between 04/26/22 and 05/26/22 are eligible for a reward payment of up to $1.5 million USD for a full chain of remote code execution exploits on Titan M.”

Reports of data exfiltration flaws in Titan M, meanwhile, can earn up to $750,000 USD during this special period, compared with the $500,000 usually paid to researchers.

Finally, code execution flaws in Android components such as the Secure Element, the Trusted Execution Environment and the kernel can receive up to $375,000 USD. Just a month ago, Google announced that rewards for eligible vulnerability reports on Google Nest and Fitbit devices would be doubled, as the tech giant continues to incentivize ongoing collaboration with independent security specialists.

Now you can ask Google to remove your phone number, email address, physical address and other personal contact data from Search Results. Learn how to do it
https://www.securitynewspaper.com/2022/04/28/now-you-can-ask-google-to-remove-your-phone-number-email-address-physical-address-and-other-personal-contact-data-from-search-results-learn-how-to-do-it/
Thu, 28 Apr 2022 19:25:46 +0000

After multiple scandals over the mishandling of personal information, strengthening users’ privacy has become one of the primary goals of large technology companies. Google is one such case: it has just announced new policies that allow users to request the removal of certain personal content from Google Search results.

While such requests were already possible in cases of doxing or leaked bank details, the update lets users request the removal of other content that appears in search results, including personal contact information. Google will also allow the removal of additional information that may pose an identity theft risk, such as login credentials for online platforms.

According to the report, the following records may be considered personal contact information:

  • Government identification numbers, including social security numbers, tax identification numbers and the like, depending on the country in question
  • Bank account and credit card numbers
  • Images of handwritten signatures
  • Images of identity documents
  • Medical records
  • Physical addresses, phone numbers and email addresses

As for how these requests are handled, Google says it evaluates all content on the website in question that may expose confidential data, while trying not to limit the availability of other information useful to users. The company also checks whether the content the user wants removed is part of public or government records; if so, the request is rejected.

Although this is undoubtedly good news, users should remember that removing content from Google Search results does not remove it from the Internet. For that, it is necessary to contact the administrators of the website in question directly.

Google continues to change its policies to improve its users’ privacy. In recent days it also introduced a measure allowing users under the age of 18 to request the removal of any image of themselves from image search results; parents and guardians of minors may also file such requests.

Full information about these requests and other security and privacy measures implemented by Google is available on the company’s official communication channels.

Zoom is set to pay $85 million USD as part of a class-action settlement; users traumatized by hackers and pranksters irrupting in their meetings
https://www.securitynewspaper.com/2022/04/25/zoom-is-set-to-pay-85-million-usd-as-part-of-a-class-action-settlement-users-traumatized-by-hackers-and-pranksters-irrupting-in-their-meetings/
Mon, 25 Apr 2022 17:30:06 +0000

Thousands of companies adopted remote work because of the pandemic, which led to a sharp rise in the use of video calling tools such as Zoom. Malicious hackers, and even some pranksters, have exploited this with an attack known as “zoom-bombing”, which consists of breaking into private video call sessions and disrupting the activity of public and private organizations.

These attacks have finally had consequences for Zoom, which will pay $85 million USD as part of a settlement following a class action lawsuit filed by multiple users, both individuals and organizations. Besides the cash compensation, Zoom has also pledged to make changes to its business practices.

According to a report, the plaintiffs claim that the company’s security practices and measures allowed constant violations of their privacy and security. For example, in an incident reported two years ago, St. Paul’s Lutheran Church in San Francisco was hosting a Bible study class in which most of the participants were elderly; shortly after the video call started, the platform allegedly allowed an intruder to take control of the session.

“The attackers hijacked computer screens and disabled control buttons while forcing users to watch pornographic videos,” the plaintiffs claim. The organizer was unable to regain control of the session, so he asked participants to leave and rejoin the call, but this did not keep the intruder out.

Zoom-bombing is not the only problem the platform faces. The plaintiffs also claim that Zoom illegally shared data with third parties such as Google, LinkedIn and Facebook, and that it intentionally manipulated its end-to-end encryption protocols.

Zoom has agreed to implement dozens of changes to its business practices, in the hope that they will significantly strengthen the security of Zoom sessions, and to review its data protection methods to prevent unwanted leaks.

Mark Molumphy, one of Zoom’s lawyers, called the arrangement innovative, adding that the platform will implement improved security practices in the future to ensure that users are fully protected.

Do not use Google Dialer and Messages; these apps send your call logs, contacts, and call timing data to Google
https://www.securitynewspaper.com/2022/03/22/do-not-use-google-dialer-and-messages-these-apps-send-your-call-logs-contacts-and-call-timing-data-to-google/
Tue, 22 Mar 2022 18:40:29 +0000

A recent report notes that the Google Messages and Google Dialer apps for Android have been collecting information without users’ consent and sending it to Google servers, in breach of data protection laws in Europe and other regions.

Trinity College Dublin researcher Douglas Leith published a paper titled “What Data Do the Google Dialer and Messages Apps on Android Send to Google?”, which examines how these phone call and messaging apps communicate with Google Play Services and the Google Firebase Analytics service.

According to Leith, the data sent by Google Messages includes a hash of the message text, which makes it possible to link the sender and receiver of an exchange. The data sent by Google Dialer includes the time and duration of users’ calls, which likewise makes it possible to link the two numbers involved in a call.

“Google collects other records such as the timing and duration of interactions between its users without offering a way to decide that their information is not sent to the company’s servers,” the researcher adds.

Google Messages (com.google.android.apps.messaging) is installed on more than a billion Android phones: it ships with devices from carriers such as AT&T and T-Mobile and comes pre-installed on Huawei, Samsung and Xiaomi devices. Google Dialer, also known as Phone by Google (com.google.android.dialer), has a similar reach.

The pre-installed versions of these apps lack the app-specific privacy policy describing what user information is collected, something Google requires all third-party developers to provide. Moreover, when asked about the data collected, Google did not confirm that the metrics identified by the researcher are being collected.

While Google Play Services does state that these apps collect user data, it only says this is done for security reasons and to improve some Google services. Those arguments do not explain the collection of metadata from messages and phone calls.

The researcher concludes his report by listing some of the measures Google has committed to implement, including:

  • Review the app’s onboarding flow to notify users that they are using a Google app
  • Stop the collection of the sender’s phone number by the CARRIER_SERVICES log source, the SIM ICCID and a hash of message text sent/received by Google Messages
  • Stop logging call-related events in Firebase Analytics from Google Dialer and Messages

Never-seen-before Instagram phishing scam that can defraud any user
https://www.securitynewspaper.com/2022/03/16/never-seen-before-instagram-phishing-scam-that-can-defraud-any-user/
Wed, 16 Mar 2022 22:52:47 +0000

Phishing remains one of the most common and effective cybercriminal practices, since attackers often target unsuspecting users with no cybersecurity knowledge, and resort to all kinds of deception to gain their victims’ trust.

Specialists have detected a new Instagram phishing campaign in which threat actors use an email purportedly sent by the social media platform, claiming that the user has to respond to an alleged “Instagram claim”. As the screenshot shows, the message is plain text, and its subject line simply reads “INSTAGRAM SUPPORT”, as does the sender line.

According to the report, this phishing and social engineering campaign targets employees of a U.S. insurer under the guise of Instagram Support. The message was sent from a legitimate Outlook domain, and the hackers used various techniques to evade Google’s email security mechanisms.

The message states that the target was reported because their Instagram activity violates copyright law. The attackers deliberately crafted it to create a sense of urgency and push the user to click the included link, setting a 24-hour deadline to respond to the alleged report.

As you can guess, the link redirects the user to a fraudulent website with a fake Instagram account verification page, complete with Meta logos and details of the web browser in use. On this site the target user is asked to enter their Instagram login credentials and complete a supposed verification form.

If the target user falls into the trap, their login credentials are sent to a C&C server controlled by the hackers, leaving these sensitive credentials completely exposed.

This is an active campaign that can be highly harmful to affected organizations and users, so some precautions are needed to avoid a damaging outcome. The risks of this and other phishing campaigns can be reduced by following these recommendations:

  • Be careful before opening any unsolicited email. No legitimate company or organization requests personal information without prior contact.
  • Do not download attachments or click on links included in these messages.
  • Use different login credentials for your personal applications and business applications. Reusing passwords increases the risk of exposure if hackers gain access to one of them.
  • Use multi-factor authentication for your online platforms whenever possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Anyone can bypass the Google and AWS Web Application Firewall (WAF) with an 8 KB POST request
https://www.securitynewspaper.com/2022/03/04/anyone-can-bypass-the-google-and-aws-web-application-firewall-waf-with-an-8-kb-post-request/
Fri, 04 Mar 2022 17:26:35 +0000 (https://www.securitynewspaper.com/?p=24954)

Most web applications today must be protected against multiple attack variants, such as remote code execution (RCE), SQL injection, cross-site scripting (XSS), and other common security issues. Web application firewalls (WAF) are the most common security solution for this, and among them Google Cloud Armor has become a recurring choice for administrators of applications behind Google Cloud Load Balancing.

Cloud Armor supports the definition of custom expressions, as well as providing a set of preconfigured WAF rules that are based on the OWASP ModSecurity core rule set to identify some of the most common cyberattacks.

This solution inspects incoming HTTP requests and compares them to user-defined rule-based policies. The Cloud Armor service can be configured to allow or deny a request to the underlying application based on the rules triggered by certain requests.

The Cloud Armor WAF component has a non-configurable HTTP request body size limit of 8 KB. In other words, Cloud Armor only inspects the first 8192 bytes of an HTTP POST request body. The WAF developed by Amazon Web Services (AWS) has a similar limitation, although in the case of Cloud Armor the limit is far less widely known.

Kloude cybersecurity specialists mention that Cloud Armor displays no message or notice about the limit when WAF rules are configured from the web UI; the only reference they could find to the 8 KB limit is a notice in an informational article.

A threat actor could therefore craft an HTTP POST request that exceeds the 8 KB limit and place the payload beyond the first 8192 bytes of the request body, where the WAF does not inspect it.

The risks arising from the exploitation of this vulnerability depend on the characteristics of the underlying system; according to experts, the targeted endpoint must accept and process HTTP POST requests for other flaws to be exploited through it. The attack will have no significant consequences if the endpoint does not accept HTTP POST requests.

Where the system's features allow it, exploiting the flaw would allow other known attacks to be chained, including the widely exploited RCE vulnerability in Log4j.

Cloud Armor users are encouraged to check Google’s official platforms to find the most up-to-date information about this security risk and the best ways to mitigate exploitation risk.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Zero-day vulnerabilities in all Chrome browser versions affect millions of users
https://www.securitynewspaper.com/2022/02/16/zero-day-vulnerabilities-in-all-chrome-browser-versions-affect-millions-of-users/
Wed, 16 Feb 2022 18:25:31 +0000 (https://www.securitynewspaper.com/?p=24873)

Google has issued an update for Chrome users on Windows, Linux and macOS in order to address a zero-day vulnerability that may have been actively exploited by malicious hackers, as well as other severe vulnerabilities affecting all versions of the popular browser.

While the company withheld technical details about the vulnerabilities because of the risk of active exploitation, short descriptions of the detected issues were published, including:

  • CVE-2022-0603: Use-after-free flaw in Chrome File Manager
  • CVE-2022-0604: Dynamic storage buffer overflow in tab groups
  • CVE-2022-0605: Use-after-free flaw in Webstore API
  • CVE-2022-0606: Use-after-free flaw in ANGLE
  • CVE-2022-0607: Use-after-free flaw on GPU
  • CVE-2022-0608: Integer overflow in Mojo
  • CVE-2022-0609: Use-after-free flaw in Animation
  • CVE-2022-0610: Inappropriate implementation in Gamepad API

For cybersecurity specialists, use-after-free errors remain the most frequent and effective way to exploit flaws in Chrome. Five of the vulnerabilities above are use-after-free bugs, and 26 such flaws have already been detected in Chrome in 2022 alone.

The term use-after-free refers to a memory error in which a program keeps a pointer to memory after releasing it and then uses that pointer again. Another common threat to web browser users is buffer overflow errors, which can compromise critical data stored on vulnerable systems.

Web browser users should update to version 98.0.4758.102 to mitigate the risk of exploitation. This update will be rolled out in the coming days, so users should limit the exposure of their systems until the patches are available. Check the version of Chrome that your system is running in the browser Settings.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Critical remote code execution vulnerability in Android 12 affects millions of smartphones
https://www.securitynewspaper.com/2022/02/09/critical-remote-code-execution-vulnerability-in-android-12-affects-millions-of-smartphones/
Wed, 09 Feb 2022 20:22:27 +0000 (https://www.securitynewspaper.com/?p=24836)

The latest Android operating system update includes a patch for a critical vulnerability tracked as CVE-2021-39675, which resides in the System component and could be exploited to gain remote access to or escalate privileges on affected devices.

Although the company has not revealed extensive details about this flaw, it is mentioned that the error relates to Android's wireless NFC code, and that the patched code now contains additional verification to make sure that a size parameter is not too large. Google may be withholding information about the flaw because of the risk of exploitation.

In addition to this flaw, Google addressed five high-severity vulnerabilities in Android's System component, including privilege escalation bugs in Android 11 and 12, and a denial of service (DoS) flaw in Android 10 and 11.

The System component isn't the only part of Android affected by the vulnerabilities. The report also points to five severe errors in the Android Framework component whose exploitation would allow high privileges to be obtained on vulnerable systems; these flaws could be chained with other bugs for additional attacks.

These flaws were addressed in the 2022-02-01 patch level. An additional set of patches, issued this week, addresses a high-severity bug in System, one flaw in Amlogic's Fastboot component, five bugs in MediaTek code, three in Unisoc code, and 10 high-severity flaws in Qualcomm code. Users need to apply these updates only if their devices use these chipsets.

Users of Google Pixel devices will be the first to receive these updates, although users of other manufacturers' devices should not have to wait long for the patches. Users should stay on top of each new update, since the company does not usually send notifications prompting installation, a practice for which Android has been criticized.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
