Tag Archive for: app

Security Experts Blow the Top off Mobile Wallet App Scam Targeting Chinese Users


Cybersecurity researchers at Slovak cybersecurity firm ESET have peeled back the layers of a sophisticated cryptocurrency scam targeting Chinese users.

The scammers created counterfeits of legitimate Android and iOS digital wallet applications to redirect cryptocurrency funds. “These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” reported Lukáš Štefanko, a senior researcher at ESET. On Android, the trojan horse apps targeted users who did not have the genuine app installed. On iOS, by contrast, victims could have installed both the authentic and the counterfeit app.

The counterfeit wallet apps were promoted through fake wallet websites aimed at Chinese users, and through intermediaries recruited in Telegram and Facebook groups to dupe visitors into downloading the app.

When did it start?

Investigations beginning in May 2021 attributed the “trojan horse” wallet apps to a single criminal group. The apps copied the functionality of the original applications while incorporating malicious code that redirected crypto assets. That code was injected into the app in places that would escape cursory examination.

“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” said Štefanko. This presents a secondary threat since other criminals eavesdropping on this unsecured link could steal the seed phrases.

Hack can spread, warns expert

ESET found multiple groups promoting the trojan horse applications on Telegram, the messaging application, and sharing them in 56 Facebook groups. All communication in the Telegram groups was in Chinese. Individuals promoting these applications were promised a 50% cut of the stolen crypto.

The fake iOS applications were not available on the Apple App Store but rather through malicious sites and used configuration profiles unauthorized by Apple. Thirteen fake Android apps masquerading as Jaxx Liberty Wallet on Google’s Play Store were removed from the marketplace by Jan. 2022, not before…

Insecure APIs Threaten Mobile App Security – What To Do


For most mobile apps, it’s not much of an exaggeration to describe them as a collection of APIs all tied together with a wrapper.

In fact, without connectivity, many mobile apps can’t function at all, because they depend on APIs to connect to back-end services. And that’s a big problem for developers, because, unfortunately, these APIs are frequently insecure — even in very sensitive apps.

A study of banking, fintech and cryptocurrency exchanges found that practically every single one of the mobile apps researchers reverse engineered contained hardcoded API keys and tokens. The exact number was a whopping 99%! This includes usernames and passwords to third-party services.

Worse yet: All the APIs tested had vulnerabilities that enabled researchers to change PIN codes and transfer funds in and out of accounts. And if apps that control end-users’ money are this insecure, the situation is not going to be any better for apps that work with far less sensitive data and assets than people’s bank accounts.

Certainly, cybercriminals are paying attention.

Gartner predicts that by this year, 2022, APIs will become the largest attack vector. It stands to reason. API keys in mobile apps and code repositories provide hackers with the means they need to attack back-end servers and access valuable assets, such as customer accounts and production servers.

But securing APIs is not simply a matter of willpower. Developers haven’t neglected API security because they are lazy or unconcerned. API security is complex, difficult and time-consuming. It requires highly specialized skills that are in short supply. And while much of the DevOps cycle is automated, mobile API security implementation is largely manual.

Simply put, in the aggressive mobile app marketplace, publishers must churn out new apps and features at a rapid pace to remain competitive. Implementing strong API security would substantially extend development cycles and break budgets.

A recent global survey of 10,000 mobile consumers found that a solid majority (63%) consider security and malware protection of equal or even greater importance than features. This shows…

War and the app economy, Google’s Messages update, Telegram ‘TV’ – TechCrunch


Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy.

The app industry continues to grow, with a record number of downloads and consumer spending across both the iOS and Google Play stores combined in 2021, according to the latest year-end reports. Global spending across iOS, Google Play and third-party Android app stores in China grew 19% in 2021 to reach $170 billion. Downloads of apps also grew by 5%, reaching 230 billion in 2021, and mobile ad spend grew 23% year over year to reach $295 billion.

Today’s consumers now spend more time in apps than ever before — even topping the time they spend watching TV, in some cases. The average American watches 3.1 hours of TV per day, for example, but in 2021, they spent 4.1 hours on their mobile device. And they’re not even the world’s heaviest mobile users. In markets like Brazil, Indonesia and South Korea, users surpassed five hours per day in mobile apps in 2021.

Apps aren’t just a way to pass idle hours, either. They can grow to become huge businesses. In 2021, 233 apps and games generated over $100 million in consumer spend, and 13 topped $1 billion in revenue. This was up 20% from 2020, when 193 apps and games topped $100 million in annual consumer spend, and just eight apps topped $1 billion.

This Week in Apps offers a way to keep up with this fast-moving industry in one place, with the latest from the world of apps, including news, updates, startup fundings, mergers and acquisitions, and suggestions about new apps to try, too.

Russia’s app economy shuts down

As the Russia-Ukraine war continued this week, the app ecosystem also saw further impacts. As businesses pulled out of Russia, the ability for Russian consumers to transact on the app stores and in apps is similarly being impacted. This week, Google announced it was suspending Google Play’s billing system for users in Russia in the “coming days,” which means Russian users won’t be able to purchase apps…

WhatsApp launches new browser extension to make its web app more secure


Shortly after WhatsApp’s dev team enabled simultaneous multi-device support on its beta version, it also announced a new browser extension. The add-on is called Code Verify and its sole purpose is to ensure the web version of WhatsApp is secure enough and the end-to-end encryption hasn’t been compromised.

WhatsApp says that since it launched multi-device support, it has seen an increasing number of WhatsApp web logins. And the web app is naturally less resilient against attacks. So Code Verify ensures the same level of security as a native app on Windows, iOS or Android.

The browser extension itself is very simple. It merely compares the hash of the code presented to the browser with the one uploaded to Cloudflare, a trusted and secure third party. If everything is alright, the extension gives you the green light to proceed with your conversations.
