Archive for Apps

Google Or Samsung Android Cameras Could Be Spying On You

Researchers at Checkmarx say they have discovered vulnerabilities in Google and Samsung smartphone apps that could allow hackers to remotely spy on users using their phone’s camera and speakers.

Study

The proof-of-concept (PoC) study results, highlighted on the Checkmarx blog, reveal how the Checkmarx Security Research Team cracked into the apps that control Android phone cameras (initially using a Google Pixel 2 XL and Pixel 3) in order to identify potential abuse scenarios.

The team reported finding “multiple concerning vulnerabilities” (CVE-2019-2234) which stemmed from “permission bypass issues”. The team later found that camera apps from other vendors, including Samsung, are also affected by the same vulnerabilities.

The Checkmarx team have since shared a technical report of their findings with Google, Samsung, and other Android-based smartphone OEMs to enable those companies to find fixes.

What Could Happen?

According to Checkmarx, the vulnerabilities mean that a hacker could use a rogue application (one that has been granted no special permissions) to take control of another person’s Android phone camera app. This could allow the attacker to take photos and/or record videos, to gain access to stored videos and photos and the GPS metadata embedded in them, and even to locate the user by taking a photo or video and parsing the relevant EXIF data.
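The location leak described above works because a camera app writes the device’s GPS fix into the photo’s EXIF metadata, so anyone who can read the file can read the coordinates. The following Python script is an added illustration (not Checkmarx’s code and not part of the original article) from the defensive side: it parses the EXIF GPS tags out of a JPEG to show exactly what a stored photo gives away, and it strips the Exif segment so a copy can be shared without the fix. The JPEG it runs on is constructed in-line (a minimal file with only an Exif APP1 segment, a comment segment and an end-of-image marker, so it is not a decodable picture); the coordinates in it are a made-up sample, and all function names are the script’s own.

```python
import struct

# Sizes in bytes of the TIFF/EXIF field types we need (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_POINTER = 0x8825           # IFD0 tag that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(data):
    """Yield (marker, start, end) for every marker segment of a JPEG up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                 # EOI: no length field, end of file
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                 # SOS: entropy-coded image data follows, stop here
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack_from(">H", data, pos + 2)   # length includes its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00"


def _read_ifd(tiff, e, offset):
    """Return {tag: (type, count, raw 4 value/offset bytes)} for the IFD at `offset`."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _value_bytes(tiff, e, entry):
    """Fields of 4 bytes or less are stored in-line; larger ones are stored at an offset."""
    typ, count, raw = entry
    size = TYPE_SIZE[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(e + "I", raw)
    return tiff[off:off + size]


def _rationals(tiff, e, entry):
    buf = _value_bytes(tiff, e, entry)
    vals = struct.unpack(e + "II" * entry[1], buf)
    return [vals[2 * i] / vals[2 * i + 1] for i in range(entry[1])]


def _ascii(tiff, e, entry):
    return _value_bytes(tiff, e, entry).rstrip(b"\x00").decode("ascii")


def dms_to_decimal(dms, ref):
    """Convert EXIF (degrees, minutes, seconds) plus hemisphere letter to a signed decimal."""
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(data):
    """Return (latitude, longitude) from a JPEG's EXIF GPS tags, or None if there are none."""
    for marker, start, end in iter_segments(data):
        if not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]
        e = {b"MM": ">", b"II": "<"}[tiff[:2]]              # byte order declared by the TIFF header
        magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF header inside Exif segment")
        pointer = _read_ifd(tiff, e, ifd0).get(GPS_IFD_POINTER)
        if pointer is None:
            return None
        (gps_off,) = struct.unpack(e + "I", _value_bytes(tiff, e, pointer))
        gps = _read_ifd(tiff, e, gps_off)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = dms_to_decimal(_rationals(tiff, e, gps[GPS_LAT]), _ascii(tiff, e, gps[GPS_LAT_REF]))
        lon = dms_to_decimal(_rationals(tiff, e, gps[GPS_LON]), _ascii(tiff, e, gps[GPS_LON_REF]))
        return lat, lon
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed (other segments are kept)."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if not _is_exif(data, start):
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: a minimal JPEG whose Exif segment geotags it at 51°30'2.52\"N 0°7'28.56\"W."""
    e = ">"
    entry = lambda tag, typ, count, val: struct.pack(e + "HHI", tag, typ, count) + val
    rats = lambda pairs: b"".join(struct.pack(e + "II", n, d) for n, d in pairs)
    lat, lon = rats([(51, 1), (30, 1), (252, 100)]), rats([(0, 1), (7, 1), (2856, 100)])
    gps_off, data_off = 8 + 18, 8 + 18 + 54            # header, IFD0 (1 entry), GPS IFD (4 entries)
    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off)) + struct.pack(e + "I", 0)
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack(e + "I", data_off))
           + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack(e + "I", data_off + len(lat)))
           + struct.pack(e + "I", 0))
    tiff = b"MM" + struct.pack(e + "HI", 42, 8) + ifd0 + gps
    assert len(tiff) == data_off
    payload = b"Exif\x00\x00" + tiff + lat + lon
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    com = b"\xff\xfe" + struct.pack(">H", len(b"constructed sample") + 2) + b"constructed sample"
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("location leaked by EXIF:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_exif(photo)))
```

Running the script prints the sample coordinates for the original bytes and `None` for the stripped copy. On a real photo, `extract_gps(open("photo.jpg", "rb").read())` shows the same thing a rogue app would learn from the file; `strip_exif` is the minimal mitigation before a photo leaves the device, and the stricter option is to deny the camera app location access in Android’s settings so the tags are never written in the first place.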

The researchers also found a way for a rogue app to force camera apps to take photos and record video even when the phone was locked, the screen was turned off, or the user was in the middle of a voice call.

One particularly worrying aspect of the Checkmarx findings is that, if video recording can be initiated during a voice call, both the receiver’s and the caller’s voices can be recorded. This could allow eavesdropping that could enable an attacker to discover potentially sensitive personal data or to gather information that could be used for extortion.

Google

According to Checkmarx, after they shared their findings with Google, the Checkmarx team were notified by Google that the vulnerabilities weren’t confined to the Google Pixel product line but also extended to Android products by other manufacturers. For example, Samsung also reportedly acknowledged that the flaws affect its Camera apps and said that it had begun taking mitigating steps. Checkmarx reports that Google has said that the problem has now been addressed on affected Google devices via a Play Store update to the Google Camera Application in July 2019, and that a patch has been made available to all Google partners.

What Does This Mean For Your Business?

It is very worrying that hundreds of millions of smartphone users may have been facing a serious privacy and security risk without being aware of it. For business users, this may have left them open to industrial espionage and security threats, although there is no evidence that real attackers exploited the vulnerabilities before they came to light.

When it comes to smartphone apps, the best practice is to ensure that all apps on your device are kept updated. Other defensive actions you can take regarding your phone apps include checking the publisher of an app, checking which permissions the app requests when you install it, and deleting any apps from your phone that you no longer use. It’s also now important to be aware of the threat posed by fake apps, and you may wish to contact your phone’s service provider or visit the high street store if you think you’ve downloaded a fake, malicious or suspect app.

Microsoft Announces New, Integrated ‘Office’ Suite App For Mobile Devices

Microsoft has announced that it is working towards the launch of its ‘Office’ mobile app (currently only available in public preview) which integrates Word, Excel, and PowerPoint mobile apps into a single app.

The ‘Office’ Vision

Microsoft says that the mobile app, called simply ‘Office’, represents their vision for what a productivity solution would look like if first built for mobile devices.

The idea is that users have all their Office documents together in one place, can reduce the need to switch between many different apps, and can reduce the amount of space that they use on their phone compared to multiple installed apps.

“Simple, Integrated Experience”

The ‘Office’ app is intended to provide users with what Microsoft describes as a “simple, integrated experience”.

The app combines Word, Excel, and PowerPoint, access to recent and recommended documents stored in the cloud or on a user’s device, the ability to search for documents across a user’s organisation if using a work account, and easy access to Sticky Notes e.g. for reminders and writing down ideas.

What Can You Do?

Microsoft’s Tech Community web pages say that users of ‘Office’ will be able to create content “in uniquely mobile ways” such as snapping a picture of a document and turning it into an editable Word file with just the press of a button or transforming a picture of a table into an Excel spreadsheet so that users can quickly work on the data. Also, a new Actions pane in the app will enable users to complete tasks such as creating PDFs with their camera and signing PDFs just by using their finger or scanning QR codes to open files and links.

Public Preview and Only On Phones

The Office app is currently available in public preview for Android and iOS, can be downloaded and used for free, and doesn’t require a sign-in to use it. Those with work, school, or personal Microsoft Accounts can, however, log in and gain access to their files stored in the cloud via the app.

Microsoft has said that it will continue to support and invest in the existing Word, Excel, and PowerPoint mobile apps (‘Office’ isn’t replacing them), and that the new ‘Office’ app is currently only available for phones, although plans are afoot to extend this to tablets.

What Does This Mean For Your Business?

Back in February, Microsoft announced its new, free “Office” app for Windows 10 as an update to the former My Office app: those who have a 365 subscription and Microsoft’s apps installed on their device can open Office from the Office app, while those who don’t have a subscription are automatically directed to the online version. This latest announcement of the soon-to-be-launched ‘Office’ mobile app, now in a preview stage available to all, is a progression of Microsoft’s move to publicise, raise awareness about, and get more people using its (free) versions of Office. This will also help Microsoft adapt and compete with rivals, such as Google, and appeal to business and other existing Microsoft Office users who are now used to being able to carry out most of their business on the go with mobile devices and apps. Some of the features, such as taking a picture of a document and turning it into an editable file, are likely to add value for many business users who are spending less time at the desktop.

The new app could mean time-savings (not switching between multiple apps), convenience and greater leverage of mobile capabilities for users, and for Microsoft, it offers them a way to keep existing users loyal to their OS and Office Suite, gain new users, and stay competitive in a rapidly evolving mobile working market.

“Stalkerware” Partner-Spying Software Use Rises By 35% In One Year

Kaspersky researchers have reported a 35 per cent rise in the number of people who have encountered the use of so-called ‘stalkerware’ or ‘spouseware’ software in the first 8 months of this year.

What is Stalkerware?

Stalkerware (or ‘spouseware’) is surveillance software that can be purchased online and loaded onto a person’s mobile device. From there, the software can record all of a person’s activity on that device, thereby allowing another person to read their messages, see screen activity, track the person through GPS location, access their social media, and even spy on the mobile user through the cameras on their device.

Covert, Without Knowledge or Consent

The difference between parental control apps and stalkerware is that stalkerware programs are promoted as software for spying on partners, and they run covertly in the background without the victim’s knowledge or consent.

Most stalkerware needs to be installed manually on a victim’s phone, which means that the person who intends to carry out the surveillance, e.g. a partner, needs physical access to the mobile device.

Figures from Kaspersky show that there are now 380 variants of stalkerware ‘in the wild’ this year, which is 31% more than last year.

Most In Russia

Kaspersky’s figures show that this kind of surveillance software is most popular in Russia, with the UK in eighth place in Kaspersky’s study.

What Does This Mean For Your Business?

Unlike parental control apps, which serve a practical purpose in helping parents to protect their children from the many risks associated with Internet and mobile phone use, stalkerware appears to be more linked to abuse because it is added to a device without the user’s consent in order to covertly and completely invade their privacy. This kind of software could also be used for industrial espionage by a determined person who has access to a colleague’s mobile phone.

If you’d like to avoid being tracked by stalkerware or similar software, Kaspersky advises that you block the installation of programs from unknown sources in your smartphone’s settings, never disclose the passwords/passcode for your mobile device, and never keep unfamiliar files or apps on your device. Also, those leaving a relationship may wish to change the security settings on their mobile device.

Kaspersky also suggests that you should check the list of applications on your device to find out if suspicious programs have been installed without your consent.

If, for example, you find out that someone, e.g. a partner or ex-partner, has installed surveillance software on your devices, and/or does appear to be stalking you, the advice is, of course, to contact the police and any other relevant organisation.

Facebook ‘News’ Tab on Mobile App

Facebook has launched the ‘News’ tab on its mobile app which directs users to unbiased, curated articles from credible sources in a bid to publicly combat fake news and help restore trust in its own brand.

Large US Cities For Now

The ‘News’ tab on the Facebook mobile app, which will initially only be available to an estimated 200,000 people in select, large US cities, is expected by Facebook to become so popular that it could attract millions of users.

What?

The News tab will attempt to show users stories from local publishers as well as the big national news sources. The full list of publishers who will contribute to the News tab stories has not yet been confirmed, although online speculation points to the likes of (U.S. publishers initially) Time, The Washington Post, CBS News, Bloomberg, Fox News and Politico. It has not yet been announced when the service will be available to UK Facebook users. It has been reported that Facebook is also prepared to pay many millions for some of the content included in the tab.

Why?

Facebook has been working hard to restore some of the trust lost in the company when it was found to be the medium by which influential fake news stories were distributed during the UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election. There is also the not-so-small matter of 50 million Facebook profiles being shared/harvested (in conjunction with Cambridge Analytica) back in 2014 in order to build a software program that was used to predict and generate personalised political adverts to influence choices at the ballot box in the last U.S. election.

Facebook CEO, Mark Zuckerberg, was made to appear before the U.S. Congress in April to talk about how Facebook is tackling false reports, and even recently a video that was shared via Facebook (which had 4 million views before being taken down) falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Helping Smaller Publishers Too

Also, Facebook acknowledges that smaller news outlets have struggled to gain exposure with its algorithms, and that there is an opportunity to deliver more local news, personalised news experiences, and more modern digital-age, independent news.  It is also likely that, knowing that young people get most of their news from online sources but have been moving away to other platforms, this could be a good way for Facebook to retain younger users.

Working With Fact-Checkers

Back in January, for example, Facebook tried to help restore trust in its brand and publicly show that it was trying to combat fake news by announcing that it was working with London-based, registered charity ‘Full Fact’ who would be reviewing stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Personalisation

The News tab will also allow users to see a personalised selection of articles, the choice of which is based upon the news they read. This personalisation will also include the ability to hide articles, topics and publishers that users choose not to see.

The Human Element

One of the key aspects of the News tab service that Facebook sees as adding value, keeping quality standards high, and providing a further safeguard against fake news is that many stories will be reviewed and chosen by experienced journalists acting as impartial and independent curators.  For example, Facebook says that “Unlike Google News, which is controlled by algorithms, Facebook News works more like Apple News, with human editors making decisions.”

Not The First Time

This is not the first time that Facebook has tried offering a news section, and it will hopefully be more successful and well-received than the ‘Trending News’ section that was criticised for bias in the 2016 presidential election and has since been phased out.

What Does This Mean For Your Business?

Only last week, Mark Zuckerberg found himself in front of the U.S. Congress answering questions about whether Facebook can be trusted to run a new cryptocurrency, and it is clear that the erosion of trust caused by how Facebook shared user data with Cambridge Analytica and how the platform was used to spread fake news in the U.S. election has cast a long shadow over the company. Facebook has since tried many ways to regain trust, e.g. working with fact-checkers, adding the ‘Why am I seeing this post?’ tool, and launching new rules for political ad transparency.

Users of social networks clearly don’t want to see fake news, the influences of which can have a damaging knock-on effect on the economic and trade environment which, in turn, affects businesses.

The launch of this News service with its human curation and fact-checking could, therefore, help Facebook kill several birds with one stone. For example, as well as going some way to helping to restore trust, it could increase the credibility of Facebook as a go-to trusted source of quality content, enable Facebook to compete with its rivals e.g. Google News, show Facebook to be a company that also cares about smaller news publishers, and act as a means to help retain younger users on its platform.

Banking App Fraud On The Rise

A recent report from cyber-security company RSA has highlighted a significant rise in fraud via fake banking apps.

Number of Attacks Has Trebled

The Fraud and Risk Intelligence (FRI) team at RSA have noted a tripling of the number of fraud attacks via fake mobile banking apps in the first six months of this year with rogue mobile app fraud generally up by a staggering 191 per cent.

Fake Mobile Apps Exploit Digital Finance Trust

Not only did the 40,344 fraud attacks represent a 63 per cent rise, but 29 per cent of those attacks were recorded as coming from fake mobile apps.

In fact, the report identified an 80 per cent rise in the use of financial malware in the first half of this year, highlighting how cyber-criminals are using the transformation of finance to the digital world and the increasing trust of users in financial apps and digital financial transactions as a way in.

Changing

Tech and finance commentators have noted that as companies offer more convenient digitised financial initiatives to customers e.g. open banking, and as this has necessitated customers engaging in more digital touchpoints, it has led to a widening of the potential ‘attack surface’ that criminals can take advantage of.

Could Banks Do More?

An Immuniweb report from August this year noted that a massive 98 per cent of the world’s 100 leading financial technology (fintech) startup companies are vulnerable to web and mobile app attacks, and that 97 of the 100 largest banks are also vulnerable to web and mobile attacks which could facilitate a breach of sensitive data.

The Immuniweb report also highlighted mobile financial apps as a problem area, with all mobile apps tested showing at least one ‘medium risk’ security vulnerability, and 97 per cent having at least two medium/high-risk vulnerabilities. The tests also showed that over 50 per cent of mobile app backends have serious SSL/TLS misconfigurations or privacy issues, which could be traced to web server security that is not robust enough.

This has led to some speculation that banks and other financial organisations could be doing more to help close potential security loopholes in their apps, thereby offering better protection to customers.

What Does This Mean For Your Business?

Mobile apps offer banks and other financial organisations a way to provide convenience and added value to customers who want to be able to manage their finances on the go. However, security problems in legitimate apps, a proliferation of fake/rogue financial apps, and the widening of the attack surface that comes with consumers increasingly trusting their finances to mobile digital transactions have increased the risks that businesses and consumers face.

As users of banking and other financial apps, we can help protect ourselves by sticking to some basic security procedures such as not clicking on links in unfamiliar messages or texts (to avoid loading malware), keeping a close eye on our bank transactions, and being very cautious when downloading apps of any kind. For example, to minimise the risk of falling victim to rogue/fake apps, you should check the publisher of an app, check which permissions the app requests when you install it, delete any apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.

Tech Tip – Any.do

Any.do is an award-winning to-do list, calendar, planner and reminders app that can help you to increase your productivity and stay on top of things.

The app allows you to add tasks and manage shared projects, and to create a prioritised to-do list that you can actually stick to.

The app also gives you classic, location-based, recurring, missed call, and follow-up meeting reminders, while providing a calendar that can be turned into a powerful productivity tool. You can also add tasks hands-free and use voice commands to manage your to-do lists.

The Any.do app is available on the Google Play Store and on Apple’s App Store.

Tech Tip – Twobird

New email client app ‘Twobird’ allows you to put all your emails in one place and create notes and reminders on the fly (and attaches the notes on emails).

Twobird has been billed as “a new kind of email app” that offers email at the speed of live chat. It includes all your everyday tools – write emails, create notes, set reminders and assign to-dos – all in your inbox. If, for example, you’ve scheduled an appointment, it will alert you at just the right time.

Features include:

– Remind: allowing you to schedule an email or note to appear in your inbox later.

– Low Priority: so you can set aside automated messages so you don’t get distracted.

– Pinned and Recent: this lets you keep important notes and conversations easily accessible.

– Tidy Up: archives any inactive conversations so your inbox stays fresh.

Twobird is available in the Google Play store.

Tech Tip – Telegram

Telegram describes itself as the fastest messaging app on the market, and uses a unique, distributed network of data centres around the globe so that it’s not only a simple, fast, secure messaging service that’s synced across all your devices, but also has added features and an ease of operation that many prefer to WhatsApp.

Everything on Telegram (chats, groups, media, etc.) is encrypted, with 256-bit symmetric AES encryption as part of the scheme. Also, the app has a clean interface, there are no adverts, and Telegram offers powerful photo and video editing tools.

Telegram is available on the Google Play Store and Apple’s App Store.

Joker Malware Found In 24 Apps In Google Play Store

Security researcher Aleksejs Kuprins of cybersecurity services company CSIS has discovered 24 apps, available for download in the Google Play Store, that contain ‘Joker’ malware.

What Is Joker Malware?

Joker malware is a spy and premium subscription bot that makes money by simulating clicks. If, for example, a Joker-infected app is downloaded, the malware delivers a second-stage component which silently simulates interaction with advertisement websites, and steals the victim’s SMS messages, their contact list and their device information.

One of the silent automated interactions with advertisement websites includes simulation of clicks and entering of the authorisation codes for premium service subscriptions.

One specific example of what Joker can do, given by Mr Kuprins on the CSIS tech blog, is that in Denmark Joker can silently sign a victim up for a 50 DKK (6,71 EUR) per week service by automating interaction with a premium offer’s webpage, entering the offer code, waiting for an SMS message with a confirmation code and extracting it, and finally submitting the code to the offer’s webpage to authorise the premium subscription.

Which Apps?

The 24 apps harbouring the ‘Joker’ malware, which have been installed more than 472,000 times, are: Advocate Wallpaper, Age Face, Altar Message, Antivirus Security – Security Scan, Beach Camera, Board picture editing, Certain Wallpaper, Climate SMS, Collate Face Scanner, Cute Camera, Dazzle Wallpaper, Declare Message, Display Camera, Great VPN, Humour Camera, Ignite Clean, Leaf Face Scanner, Mini Camera, Print Plant scan, Rapid Face Scanner, Reward Clean, Ruddy SMS, Soby Camera and Spark Wallpaper.

Only Targets Certain Countries

The good news is that ‘Joker’ malware only attacks targeted countries, and most of the infected apps contain a list of targeted Mobile Country Codes (MCCs), meaning that the victim has to be using a SIM card from one of these countries to receive the second-stage payload. The bad news is that the UK is one of those targeted countries.

Google On Top Of Things

Despite there being 24 apps identified so far, Mr Kuprins has reported that Google has stayed on top of things during his investigation and has been removing all the offending apps without the need for prompting.

Not The First Time

Back in January last year, security researchers discovered 36 fake and malicious apps for Android that could harvest data and track a victim’s location, masquerading as security tools in the trusted Google Play Store.

What Does This Mean For Your Business?

Google Play is a trusted source for apps, and it’s worrying that hundreds of thousands of customers may have installed the affected apps from Google Play. In this case, Google has responded relatively quickly and has deleted infected apps where they have been found.

The obvious advice to Android phone users is to check the list of infected apps and delete any on your phone that match. If you think you may have been affected by Joker via an app, it may be a good idea to check your Google Play account for any unauthorised subscriptions, check your credit card or bank statements as far back as June of this year, and let your contacts know that you may have been infected (because Joker steals your phone’s contact list).

To minimise the risk of falling victim to damage caused by fake apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.

This latest discovery of infected apps on Google’s Play Store should prompt the company to make even greater efforts to police the apps that it offers there.

Tech Tip – Canva

If you’d like a free graphic design app that can help you to improve your business and social media communications, then Canva may be the app for you.

Canva is a versatile graphic design app: full editor, Instagram story maker, video maker, video editor, logo maker and poster maker, enabling you to easily stay on brand and create some very professional logo and poster designs with your photos and videos.

Canva also provides a great way to design your Instagram Highlight cover and create a logo and banner for social networks (Facebook, Pinterest and Twitter).

You can get Canva on the Google Play Store and Apple’s App Store.