Apple to undercut popular law-enforcement tool to unlock iPhones


Apple remains committed to user privacy. So much so, it’s about to severely curtail a popular way law enforcement agencies crack iOS devices. 

According to Reuters, Apple has decided to change the default settings in iOS to cut off communication through the USB port when the device hasn’t been unlocked in the past hour. In doing so, the company aims to protect all customers, especially in countries where phones are readily obtained by police or by criminals with extensive resources.

Currently, forensic companies like GrayShift, Cellebrite, and others connect through the USB port to bypass security provisions that limit how many passcode guesses can be made on a device before it freezes or erases data. Under the new USB Restricted Mode settings, this will no longer be possible once a device has gone an hour without being unlocked.

According to Reuters:

Apple representatives said the change in settings will protect customers in countries where law enforcement seizes and tries to crack phones with fewer legal restrictions than under U.S. law. They also noted that criminals, spies and unscrupulous people often use the same techniques. Even some of the methods most prized by intelligence agencies have been leaked on the internet.

The iPhone maker confirms the switch has been documented on the beta versions of iOS 11.4.1 and iOS 12. It will be made permanent in a future general release.

In a prepared statement, the company notes:

We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data. We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.

Naturally, this switch might not sit well with law enforcement. However, it shouldn’t come as a surprise. Apple has long fought legislation or other ways to force technology companies to maintain access to users’ communications. In 2016, for example, it went to court to challenge an order that required it to break into an iPhone 5c used by a killer in San Bernardino. Eventually, the FBI found another way to break into the phone.

Back in May, it was discovered iOS 11.4 included a new feature called USB Restricted Mode. Under that iOS version, Apple imposed a seven-day window during which accessories can use the USB data connection over the Lightning port. In iOS 11.4.1 and iOS 12, it looks like further restrictions are coming.



Why Is Your Location Data No Longer Private?

The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels? These are some of the questions we’ll explore in this article.

In 2015, the Federal Communications Commission under the Obama Administration reclassified broadband Internet companies as telecommunications providers, which gave the agency authority to regulate broadband providers the same way as telephone companies.

The FCC also came up with so-called “net neutrality” rules designed to prohibit Internet providers from blocking or slowing down traffic, or from offering “fast lane” access to companies willing to pay extra for certain content or for higher quality service.

In mid-2016, the FCC adopted new privacy rules for all Internet providers that would have required providers to seek opt-in permission from customers before collecting, storing, sharing and selling anything that might be considered sensitive — including Web browsing, application usage and location information, as well as financial and health data.

But the Obama administration’s new FCC privacy rules didn’t become final until December 2016, a month after then President-elect Trump was welcomed into office by a Republican-controlled House and Senate.

Congress still had 90 legislative days (when lawmakers are physically in Congress) to pass a resolution killing the privacy regulations, and on March 23, 2017 the Senate voted 50-48 to repeal them. Approval of the repeal in the House passed quickly thereafter, and President Trump officially signed it on April 3, 2017.

In an op-ed published in The Washington Post, Ajit Pai — a former Verizon lawyer and President Trump’s pick to lead the FCC — said “despite hyperventilating headlines, Internet service providers have never planned to sell your individual browsing history to third parties.”

FCC Commissioner Ajit Pai.

“That’s simply not how online advertising works,” Pai wrote. “And doing so would violate ISPs’ privacy promises. Second, Congress’s decision last week didn’t remove existing privacy protections; it simply cleared the way for us to work together to reinstate a rational and effective system for protecting consumer privacy.”

Sen. Bill Nelson (D-Fla.) came to a different conclusion, predicting that the repeal of the FCC privacy rules would allow broadband providers to collect and sell a “gold mine of data” about customers.

from Krebs on Security

Watch out: photo editor apps hiding malware on Google Play

Thanks to Chen Yu of SophosLabs for her research.

SophosLabs has discovered apps in Google Play harbouring Guerilla ad clicker malware.

The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps.

Guerilla ad clicker

SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.

Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.

The apps harbouring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files.

That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realising.

The new batch of Guerilla apps display a few technical differences from those removed from Google Play earlier this year.

Like the earlier apps, the latest ones hide their payloads in their asset folders as text files. This time around the apps use the filenames atop.txt or atgl.txt.

In an apparent effort to avoid detection, the JAR files now arrive encrypted, with the DES algorithm, and are decrypted on the phone.

Guerilla decryption
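The two indicators the write-up gives (payload files named atop.txt or atgl.txt under assets/, and a "text" asset that is really DES ciphertext) are easy to turn into an APK triage check. The script below is an added example, not Sophos's code or tooling: it opens an APK as the zip file it is, flags assets by the names the page reports, and flags any .txt asset whose byte entropy is far above what text produces, or that carries the zip/JAR magic. The sample APK is constructed in memory, and the entropy threshold and the magic-byte check are my assumptions, not from the page.

```python
import io
import math
import random
import zipfile
from typing import Dict, List

# Payload filenames reported on the page for the latest Guerilla samples.
KNOWN_PAYLOAD_NAMES = {"atop.txt", "atgl.txt"}
# Assumed cut-off: natural-language text sits around 4-5 bits/byte,
# encrypted or compressed data approaches 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk_assets(apk_bytes: bytes) -> List[Dict]:
    """Return one finding per suspicious file under assets/ in an APK.

    A file is flagged when its name matches a known Guerilla payload name,
    when a .txt asset is high-entropy (ciphertext posing as text), or when a
    .txt asset starts with the 'PK' magic of a zip/JAR archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = z.read(info.filename)
            base = info.filename.rsplit("/", 1)[-1]
            ent = shannon_entropy(data)
            reasons = []
            if base in KNOWN_PAYLOAD_NAMES:
                reasons.append("known Guerilla payload filename")
            if base.endswith(".txt") and ent > ENTROPY_THRESHOLD:
                reasons.append(f"high entropy ({ent:.2f} bits/byte) for a .txt asset")
            if base.endswith(".txt") and data[:2] == b"PK":
                reasons.append("zip/JAR magic inside a .txt asset")
            if reasons:
                findings.append({
                    "path": info.filename,
                    "size": len(data),
                    "entropy": round(ent, 2),
                    "reasons": reasons,
                })
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-shaped zip with one benign text asset
    and one seeded pseudo-random blob named atop.txt standing in for an
    encrypted JAR payload."""
    rng = random.Random(1234)  # seeded so the sample is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/readme.txt", "Thanks for installing our photo editor!\n" * 20)
        z.writestr("assets/atop.txt", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_apk_assets(build_sample_apk()):
        print(f"{finding['path']} ({finding['size']} bytes): {', '.join(finding['reasons'])}")
```

The entropy test is a heuristic: legitimate apps also ship compressed or encoded assets, so a high-entropy hit is a reason to look at what the app does with the file at runtime, not a verdict by itself.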

The affected packages are:

Title                 Package Name                 Downloads   Publisher
Ladies World          com.channe.ladiesworld       50000+      Chenxy
Happy photos          com.flower.hphoto            50000+      chandrahegang
Beauty camera         -                            1000+       bai xiongshu
S-PictureEditor       com.aeapp.utli.edit          50000+      bai xiongshu
Collage maker 2018    com.YtApp.collage.edit       100000+     bai xiongshu
Gallery               com.Aeapp.gaIlery.pls        5000+       bai xiongshu
Collage Maker         -                            100000+     bai xiongshu
S Photo Plus          -                            100000+     LiaoAny
CollagePlus           com.aml.tpho.edit            100000+     LiaoAny
Photo Studio          -                            10000+      elaine.wei
Collage Studio        -                            5+          elaine.wei
Photo Studio Plus     com.uil.cls.edit             10000+      elaine.wei
Collage Studio Pro    com.old.clo.pic              10+         elaine.wei
Hot Chick             com.ndun.hotchick            10000+      Sunshine Fun
Popular video         -                            5000+       Phoenix bird Tech Limited
Music play            -                            1000+       Jiangxi Huarui Network technology company
Photo collage edit    -                            10+         Jiangxi Huarui Network technology company
Pic collage           com.UIApp.pic.collage        50+         Jiangxi Huarui Network technology company
Super Photo Plus      com.HwA.slp.photopls         1+          kowloon
Bees collage          com.HwA.bee.pisc             -           kowloon
Superb Photo          -                            -           kowloon
Sweet Collection      com.zwws.sweetcollection     10000+      TopFun Families
Pic collage           -                            5+          Shenzhen coronation plus Technology Co., Ltd.
K music               -                            10+         Shenzhen coronation plus Technology Co., Ltd.

(A dash marks a package name or download count that the source list did not give.)

What to do?

In all areas of cybersecurity we recommend a strategy of defence in depth.

The safest place to get your Android apps is still Google Play. Although malware is found there fairly regularly, it’s still news when it happens. Google Play isn’t perfect but it’s a far safer environment than other, unregulated, app repositories.

Because no app review process can ever be perfect, we recommend running security software on your phone too, such as Sophos’s free Sophos Mobile Security for Android.

from SophosLabs blog

Mobile Menace Monday: re-emergence of a fake Android AV

Back in early 2013, a new mobile antivirus (AV) company called Armor for Android emerged into the mobile security software industry that had everyone perplexed. It seemed eerily like malware known as a Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who gave it such a label, adding it to a list of malware detections. Shortly after, Armor for Android contacted the security company I worked for at the time and demanded their detection be removed.

As a rebuttal, I wrote a blog to fire back with evidence that there was no way this AV company could be legitimate—despite it being on Google Play. I never published that blog because I was thrown off by something that had me questioning everything: the AV company was tested by a reputable antivirus testing company. Even more off-putting, it landed a high score to receive an official certification! How could a Fake AV be certified by a respectable AV test company?

I left the blog alone and let the subject die. But recently, Armor for Android appears to have made a comeback. Let’s take a look at how they were gaming the system five years ago, and what new tricks they’re up to now.

Cheating the system

Suddenly, Armor for Android was competing with everyone else in the industry after only a couple of months. But how? Simple. They were cheating. I remember vividly that the naming conventions they used to detect malware were the same as those of other well-received anti-malware mobile scanners. To be fair, many in the industry use similar naming conventions. However, the ones used by Armor for Android were EXACTLY the same as other companies’. It was obvious they were stealing other companies’ detections. But how?

Share, but don’t steal

VirusTotal is a company that everyone in the software security industry uses to share detections with the world. You can simply upload a file, even an Android APK, and several antivirus/anti-malware scanners will return results. This can aid the typical user in finding out whether a file is malicious. In addition, it helps point security researchers in the right direction in determining for themselves whether something is malicious. What isn’t allowed is pulling results directly from VirusTotal to produce your own. Not only is this against the terms of service, it is a deadly sin among everyone in the security industry.

But that is exactly what Armor for Android does. By using a network analyzer tool and running Armor for Android, you can see traffic to and from VirusTotal. The detailed data reveals that they indeed steal the detections of others. Pretty easy to do well on a test when you’re peeking over the shoulder of the smartest kids in class!

Showing their real intentions

Armor for Android could have stopped there. They had already duped Google Play. In addition, they clearly had the money to pay for an expensive test to receive certification. Instead, they decided to proceed with tactics used by other Fake AV malware. The following evidence is what I found years ago, but regrettably never published.

Back in 2013, I was playing a free game downloaded from Google Play. In exchange for the app being free, I agreed to receive non-aggressive ads, as many of us do. What I saw was a series of different links using scare tactics:


As a young mobile researcher, I did what all of us would have done and clicked on these links to see down which rabbit holes they would take me. The first hop was this one:

Onward down the rabbit hole, I clicked Download & Scan FREE Now, and it started to download a file named Scan-For-Viruses-Now.apk (more on this app in a bit).

After the download, I landed on a known Armor for Android web page that instructs you to allow unknown sources and again to download and install an app.

Very odd for a legitimate AV company to instruct mobile users to download directly from their website rather than pointing them to Google Play.

Double chance of infection

Further analyzing the downloaded app, Scan-For-Viruses-Now.apk, it’s a version of Armor for Android that insists on a payment of $1.99 to scan the device. Check the fine print, because that ends up being $1.99 per week, or $103.48 a year. But hey, they have a certification from an AV testing firm, right?


It appears Scan-For-Viruses-Now.apk downloads just in case you weren’t falling for the last web page asking you to allow unknown sources and stating IMPORTANT! You must now INSTALL, OPEN and ACTIVATE. Also, if allowing unknown sources was disabled on your device, it would have been a last-chance effort, since Scan-For-Viruses-Now.apk wouldn’t have been able to download and install. In my opinion, none of this looks like the practices of a legitimate AV company.

Re-emergence of a classic

Just a couple of days ago, an APK came into our mobile intelligence system with a different name, but very familiar set of behaviors. It was clearly a repackaged variant of Armor for Android, but this time called Android’s Antivirus.


Swiftly, we added a detection called PUP.Riskware.Armor.

Warning about Fake AVs

Fake AVs like the one described above have been around for a long time and come in many different forms. Some can be extremely dangerous. For legitimate antivirus/anti-malware programs to do their jobs, special permissions must be given. For instance, Malwarebytes for Android uses device administration as required to remediate nasty ransomware. As a respectable anti-malware company, you have our word that we will never use device administration rights for erasing mobile devices or other nefarious actions.  However, give those same rights to a malicious Fake AV app, and you could be in trouble.

Fake AV or legitimate

Because of the elevated permissions needed, consumers need to take extra caution when choosing a mobile antivirus/anti-malware scanner. Unfortunately, it’s often hard to tell what is a Fake AV versus a legitimate antivirus/anti-malware mobile app—especially when Fake AVs creep into Google Play and take time to create a convincing website. As a consumer, do your research to pick respectable software companies. Does the company have a deep, respectable blog (like this one)?  How long have they been around? When in doubt, you can always rely on Malwarebytes products to keep you safe from the latest threats!

Denial of entry

Although I never published that blog way back when, I did stand my ground to classify Armor for Android as a fake AV. Now, as a researcher at Malwarebytes, I continue to fight against shady fake AV companies in the mobile space. I helped detect Armor for Android as a fake Android AV years ago. I’ll do the same for any other company looking to take advantage of mobile customers. Stay safe out there!

The post Mobile Menace Monday: re-emergence of a fake Android AV appeared first on Malwarebytes Labs.

from Malwarebytes Labs

Fake Teleg’e’ram on Google Play

Recently, the Russian government ordered the immediate blocking of the messaging app Telegram and requested its removal from the Apple App Store and Google Play Store. In reviewing activities around this matter, Zscaler ThreatLabZ researchers noticed a fake Telegram app making the rounds in the Google Play Store. Zscaler informed Google about the fake app and it was promptly removed from the store. 

Because Telegram is partially open-source, we initially thought this fake Telegram app was a regular app implementing Telegram APIs. However, upon further analysis, we found that the fake app had been repackaged, in which case it is possible that a developer simply decompiled the original Telegram app and added advertisement libraries. We also noticed that the name and icon of the fake app changes after installation. Our analysis is detailed below. 

App Details 

Name: Telegraph Chat (which changes to Teleg’e’ram after installation) 
Package Name: com.telegeram.anydev
Hash: 1f188831ec559566f8746e5e57bb1fcbb0f30ead
VT count: 2/62 (at time of analysis) 

The screenshot below shows the fake Telegram app (left) and the original Telegram app (right). The fake app portrayed itself as Telegraph Chat and the Play Store description of the app was precisely the same as the original Telegram app. The only differences were that the term Telegram was changed to Telegraph Chat and the app icon was slightly altered after installation.

Fig 1: Fake app vs original app (Google Play Store)


The screenshot below on the left shows the app as it appears in Google Play, displayed as Telegraph Chat. The screenshot on the right shows how the app changes after installation, displaying a different icon and name, Telegeram (notice the extra “e”).

Fig 2: Fake app name/icon change
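The name swap above (Telegram to "Telegeram", with "Telegraph Chat" as the store title) is a typosquat on a brand word, and an app-vetting or MDM pipeline can flag it before a user ever reads the reviews. The script below is an added example, not Zscaler's code: it scores an installed app's package ID and display label against a small allowlist using edit distance, and reports any brand word that is "almost" matched by an app that is not the official one. The allowlist is constructed for this example (org.telegram.messenger is Telegram's published package ID, which the page does not quote), and the distance threshold and minimum word length are assumptions.

```python
import re
from typing import Dict, List

# Constructed allowlist: official package ID -> the brand word a squatter imitates.
# org.telegram.messenger is Telegram's published package ID (not from the page).
OFFICIAL_APPS: Dict[str, str] = {
    "org.telegram.messenger": "telegram",
}

MAX_DISTANCE = 2   # assumed: 1-2 edits catches "telegeram" and "telegraph"
MIN_WORD_LEN = 4   # assumed: ignore "com", "org", "app" style segments


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _words(text: str) -> List[str]:
    """Lowercase alphabetic tokens from a package ID or app label."""
    return [w for w in re.split(r"[^a-z]+", text.lower()) if len(w) >= MIN_WORD_LEN]


def check_app(package: str, label: str, max_distance: int = MAX_DISTANCE) -> List[str]:
    """Return the reasons an app looks like a brand impersonation, or [] if clean.

    The official package itself is never flagged; any other app whose package
    segments or label words sit within max_distance edits of a brand word is.
    """
    if package in OFFICIAL_APPS:
        return []
    reasons = []
    for official_pkg, brand in OFFICIAL_APPS.items():
        for word in _words(package):
            d = levenshtein(word, brand)
            if d <= max_distance:
                reasons.append(f"package segment '{word}' is {d} edit(s) from "
                               f"brand '{brand}' (official: {official_pkg})")
        for word in _words(label):
            d = levenshtein(word, brand)
            if d <= max_distance:
                reasons.append(f"label word '{word}' is {d} edit(s) from brand '{brand}'")
    return reasons


if __name__ == "__main__":
    # Package name and post-install label as reported on the page.
    for reason in check_app("com.telegeram.anydev", "Telegeram"):
        print(reason)
    print("official app flagged:", check_app("org.telegram.messenger", "Telegram"))
```

A hit is a triage signal, not a verdict: an unrelated app whose name legitimately contains a similar word will also land within two edits, so the threshold should be tuned per brand and matches reviewed against the listed developer and signing certificate.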


As soon as users try to open the app, they are bombarded with different types of ads. Below is a screenshot of banner ads inside the app (left) and an interstitial ad (right).

Fig 3: Ads displayed by fake app


In one instance, we also noticed an obfuscated piece of code sent by the server that contained a Play Store link to a browser named Silver Mob US Browser. We could not analyze this app because it had been removed from the Google Play Store before our investigation began. The screenshot below shows the response and further functionality.

Fig 4: Download link leading to ‘removed’ Play Store app


Adware, such as this example, presents a threat, because it is capable of providing links that can lead users to download highly malicious Android apps. 

In our analysis, we noticed that the fake app performed the original Telegram app’s messaging functions, but other functions were missing. We tried calling other numbers, which is a feature of the original Telegram, but the fake app stopped working, as shown in the message below:

Fig 5: Fake app fail.


Telegram is a popular app with 200 million users, according to its own reports. But with the confusion brought about by the actions of the Russian government, bad actors have seized an opportunity to present an app that may trick users searching for Telegram into downloading a malicious app. This technique is often used when an app is popular (see Pokemon GO) or, in this case, in the news.

Fake versions of popular apps are an ongoing problem, and once such an app has been downloaded on a mobile device, it is easy for the developer to open a gateway for more downloads and installation of malware. 

Users should always take appropriate precautions before installing any app, even in trusted stores like Google Play or Apple App Store. One effective precaution is to read other users’ reviews before installation.  


Fig 6: Google Play reviews for fake Telegram app


ThreatLabZ will continue to track and ensure coverage for fake Android apps to protect Zscaler customers.


from Zscaler Research

Improving the Advanced Protection Program for iOS users

Last October, Google launched the Advanced Protection Program, our strongest level of account security, designed to protect the overlooked segment of our users who face an increased risk of sophisticated attacks. These users may be journalists, activists, business leaders, political campaign teams, and others who feel especially vulnerable.

Today we’re announcing that Advanced Protection now supports Apple’s native applications on iOS devices, including Apple Mail, Calendar, and Contacts. This allows iOS users to enroll in the program without having to adjust how they use Google services on their Apple devices.

To protect you from accidentally sharing your most sensitive data with fraudulent apps or web services, Advanced Protection places automatic limits on which apps can gain access to your Google data. Before today, this meant that only Google applications were able to access your data if you were enrolled in the program.

With today’s update, you can now choose to allow Apple’s native iOS applications to access your Gmail, Calendar, and Contacts data. When you sign into iOS native applications with your Google account, you will get instructions on how to complete the sign-in process if you’re enrolled in Advanced Protection. We’ll continue to expand the list of trusted applications that can access Google data in the future. 

Layers of security protections

In addition to these updates, you’ll continue to benefit from Advanced Protection’s other safeguards. To provide you with the strongest defense against phishing, Advanced Protection goes further than traditional 2-Step Verification, requiring you to use a physical Security Key to sign back into your account after you’ve logged out, or anytime you sign in on a new device. Advanced Protection also helps block fraudulent access to your account by adding extra steps to the account recovery process to prevent people from impersonating you and pretending they’ve been locked out of your account.

Our goal is to make sure that any user facing an increased risk of online attacks enrolls in the Advanced Protection Program. Today, we’ve made it easier for our iOS users to be in the program, and we’ll continue our work to make the program more easily accessible to users around the globe. Get started at

from Official Google Blog

Use your favorite password manager with Android Oreo

Security experts recommend strong, unique passwords for each service that you use. For most of us, however, it can be difficult to manage credentials across multiple websites and apps, especially if you’re trying to keep track of everything in your head.

In Android 8.0 Oreo, we made it simpler to use Autofill with a password manager, like LastPass, Dashlane, Keeper, or 1Password. Particularly on tiny devices like your phone, autofill can make your life easier by remembering things (with your permission), so that you don’t have to type out your name, address, or credit card over and over again.

With the new autofill services in Oreo, password managers can access only the information that’s required in order to autofill apps, making your data more secure. There’s a specific list of password managers (which you can find in Android Settings) that meet our security and functional requirements, and we’ll be continuing to grow this list over time. If you already use a password manager, then you’ll be able to try the new experience today.


How does it work?

Setting up Autofill on your device is easy. Simply go to Settings, search for “Autofill,” and tap “Autofill service.” If you already have a password manager installed, it will show up in this list. You can also tap “Add service” to download the password manager of your choice from the Play Store.

Once you’ve set a password manager as your Autofill service, the information stored in that app will show up in Autofill whenever you fill out forms (for example, your saved username and password will show up as a suggestion when you’re logging into an app for the first time).

We include Google as an autofill service on all devices running Android 8.0 and above, which lets you use data that you already have saved in Chrome to fill in passwords, credit cards, addresses, and other personal information.


Language and input settings


Autofill service settings: here you can pick the app that you would like to use as your Autofill service

Whether you use Google or another password manager from the Play Store, the new Autofill experience on Oreo makes it easier to securely store and recall commonly typed information, like passwords and credit card numbers.

from Official Google Blog