Tag Archive for: app’

Official Beijing 2022 Olympics Mobile App Is Marred by Security Flaws, Researchers Say


A mobile app that’s mandatory for all participants in next month’s Winter Olympics in Beijing contains security flaws that could make it easy for a hacker to steal sensitive personal information, cybersecurity researchers in Canada warn.

The China-built app, My 2022, will be used to monitor the health of attendees, as well as facilitate information sharing, leading up to and throughout the 2022 Games. Technicians with Citizen Lab, a human rights-focused cybersecurity and censorship research group at the University of Toronto, said they found the app failed to authenticate the identity of certain websites, leaving transfers of personal data open to attackers.

In a report released Tuesday, Citizen Lab also said the app didn’t properly encrypt sensitive metadata transmitted through the app’s messaging function, which meant any eavesdropper operating a Wi-Fi hot spot could discover who users are communicating with and when.

The researchers found the vulnerabilities in the iOS version of the app after downloading it and creating an account, said Jeffrey Knockel, one of the authors of the report. They weren’t able to create an account on the Android version of the app but found similar vulnerabilities by testing its publicly available features, he said.

Beijing has been put on high alert ahead of the Olympics, with authorities trying to quickly stamp out Covid-19 outbreaks wherever they pop up. Photo: Kevin Frayer/Getty Images

Citizen Lab said the vulnerabilities were similar to those frequently found in other Chinese apps, which led it to believe they are more likely to be the result of China’s lax enforcement of cybersecurity standards than part of an intentional government effort to steal data.

Apple and Google, the maker of Android, didn’t immediately respond to requests for comment. The Beijing Olympic Committee didn’t respond to a request for comment.

The Beijing 2022 handbook for athletes and officials…


Delete ‘Christmas Sticker’ Joker App Now: 3 Steps to Remove Malware


A new alert is being issued to all Android users who like downloading apps. They should be careful of the Joker malware, which is a malicious program that can steal personal information and force extra charges on an infected device.

For most Android users, downloading apps from the Google Play Store is a safe and secure method. This is because of its built-in Play Protect system that keeps track of harmful programs.

Unfortunately for Android users, the infamous Joker malware has proven time and again that it can evade the Google Play Store antivirus. The malware was recently spotted in the Android app “Christmas Stickers.”

Christmas Sticker: A Joker App

According to earlier reports, the Joker malware has deceived more than 500,000 Android users to date. It was initially spotted in an app called Color Message.

The malware also hid inside apps such as Beauty Camera Phone Editor, Battery Charging Animation Wallpaper and Multi-Language Keyboard, OneSuper Launcher, Simple Blood Suga and Colorful Wallpaper.

More recently, malware analyst Tatyana Shishkova identified the Joker code in the app Christmas Stickers. Unfortunately, the app had been installed more than 1,000 times since December 21, 2021.

Joker Malware: Android Issues

Once installed, the Joker app activates malware that is difficult to detect and contain. It sometimes disguises itself behind a legitimate app icon, which fools most mobile security software.

Joker malware starts its attack by gaining access and permission over the infected device. This lets it install a few more viruses which help it run its programs smoothly.

Afterward, Joker malware manipulates the device’s SMS functions to subscribe to unwanted premium services. This forces victims to pay a significant bill to their communications provider.

Lastly, the Joker malware tries to mine all available credentials on the device, like the user’s account and passwords. Be warned that information like this is often sold on the dark web for scam and phishing purposes.


A Teen Took Control of Teslas by Hacking a Third-Party App


On Friday, Russia did the previously unimaginable: It actually arrested a bunch of ransomware operators. Not only that, but members of the notorious group REvil, which has been behind some of the biggest attacks of the last several years, including IT management firm Kaseya and meat giant JBS. Russian president Vladimir Putin had previously given ransomware hackers a free pass. It’s not clear yet whether this was a calculated political move, a sign of a broader crackdown, or both, but it’s certainly a watershed moment.

As everyone scrambles to find Log4j in their systems—no easy task for even well-resourced companies—the FTC has set strict deadlines for patching the very bad, no good vulnerability in the ubiquitous logging library. It’ll be unlikely if not impossible for everyone to find it in time, which speaks more to the fragile and opaque nature of the open source software world than the FTC’s aggressive timeline.

Telecoms around the world have pushed back against Apple’s Private Relay, a not-quite-VPN that bounces your traffic through a couple of servers to give you extra anonymity. T-Mobile in the US recently blocked it for customers who had parental control filters. It’s unclear why they’ve taken those measures against Apple and not the many, many VPNs that work unfettered, but it may have to do with the potential scale of Apple customers who could sign up for the service.

In other Apple privacy news, iOS 15 brought with it a new report that shows you what sensors your apps are accessing and what domains they’re contacting. It’s a lot of information all at once; we helped break down how to read it.

North Korean hackers had a “banner year” in 2021, stealing nearly $400 million of cryptocurrency. And while Israeli spyware vendor NSO Group insists that it has controls in place to prevent abuses of its product, dozens of journalists and activists in El Salvador had their devices infected with Pegasus, NSO’s signature product, as recently as November.  

And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

A 19-year-old security researcher named David Colombo detailed this week how he…


Philly’s 311 app is on the fritz, and the city is redirecting users to an unsecured website


Christopher Sherman is a self-described “superuser” of the Philly 311 app. Graffiti removal, missed trash pickup, abandoned cars — the Fishtown resident says he’s reported 408 incidents to City Hall to date.

“It’s a wonderful app when it works,” said Sherman, 40, who works in IT. “I don’t have to know the right department to call or be friends with my councilperson because the streetlight’s out.”

Now a decade old, Philly 311 is a powerful tool for residents to request basic city services. But when Sherman opens the app on his Android phone now, he gets an unfortunate message: “Whoops, something went wrong.”

The source of that “whoops?”

Philly 311’s app has been on the fritz for some users for at least a month. City officials confirmed two problems so far: The Facebook login function for users has been broken since December and, as of this week, an unknown number of Android users like Sherman now have no access to the mobile app at all.

“Unfortunately, we cannot quantify how many Android users have been affected,” said city spokesperson Irene Contreras-Reyes.

And while it’s unclear how many of the app’s users were impacted, The Inquirer has heard numerous complaints from residents who say they’ve been having problems logging into the app since last month and could not find easy explanations.

Responding to The Inquirer’s questions, officials also inadvertently revealed another cyber security issue: The online 311 portal sits on an unsecured website.

With problems piling up on the mobile app, officials have been referring frustrated users to the city’s online 311 site to file their service requests. But the link takes people to a webpage that browsers identify as unsecure, meaning user data could be vulnerable to hackers.

Officials on Friday could not explain why or for how long the government-run site had been using an unsecure connection, but a “multidisciplinary team” was assigned to investigate the issue after The Inquirer asked questions.

“We’ll get answers to this question by next week since this involves multiple areas, not only 311,” Contreras-Reyes said.

According to 311 data, residents lodged at least 50,000 complaints per month…
