Domain: lookout.com
Stories and comments across the archive that link to lookout.com.
Stories · 4
-
Google Pulls 500+ Backdoored Apps With Over 100 Million Downloads From Google Play (helpnetsecurity.com)
Orome1 shares a report from Help Net Security: Security researchers have identified over 500 apps on Google Play containing an advertising software development kit (SDK) called Igexin, which allowed covert download of spying plugins. The apps in question represent a wide selection of photo editors, Internet radio and travel apps, educational, health and fitness apps, weather apps, and so on, and were downloaded over 100 million times across the Android ecosystem. Lookout researchers did not name the apps that were found using the malicious SDK, but notified Google of the problem. The latter then proceeded to clean up house, either by removing the offending apps altogether, or by forcing app developers to upload an updated version with the invasive features (i.e. the Igexin SDK) removed. "Users and app developers have no control over what will be executed on a device after the remote API request is made. The only limitations on what could potentially be run are imposed by the Android permissions system," the researchers pointed out. "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server. Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality -- nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server." -
Google Plans To Alter JavaScript Popups After Abuse From Tech Support Scammers (bleepingcomputer.com)
An anonymous reader writes: Chromium engineers are discussing plans to change how JavaScript popups work inside Chrome and other similar browsers. In a proposal published on the Google Developers portal, the Chromium team acknowledged that JavaScript popups are consistently used to harm users.
To combat this threat, Google engineers say they plan to make JavaScript modals, like the alert(), confirm(), and dialog() methods, only work on a per-tab basis, and not per-window. This change means that popups won't block users from switching and closing the tab, putting an end to any overly-aggresive tactics on the part of the website's owner(s).
There is no timeline on Google's decision to move JavaScript popups to a per-tab model, but Chromium engineers have been debating this issue since July 2016 as part of Project OldSpice. A similar change was made to Safari 9.1, released this week. Apple's decision came after crooks used a bug in Safari to block users on malicious pages using popups. Crooks then tried to extort payment, posing as ransomware. -
Apple's TouchID Fingerprint Scanner: Still Hackable
electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats." -
Apple's TouchID Fingerprint Scanner: Still Hackable
electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."