Use your favorite password manager with Android Oreo

Security experts recommend strong, unique passwords for each service that you use. For most of us, however, it can be difficult to manage credentials across multiple websites and apps, especially if you’re trying to keep track of everything in your head.

In Android 8.0 Oreo, we made it simpler to use Autofill with a password manager, like LastPass, Dashlane, Keeper, or 1Password. Particularly on tiny devices like your phone, autofill can make your life easier by remembering things (with your permission), so that you don’t have to type out your name, address, or credit card over and over again.

With the new autofill services in Oreo, password managers can access only the information that’s required in order to autofill apps, making your data more secure. There’s a specific list of password managers (which you can find in Android Settings) that meet our security and functional requirements, and we’ll be continuing to grow this list over time. If you already use a password manager, then you’ll be able to try the new experience today.


How does it work?

Setting up Autofill on your device is easy. Simply go to Settings, search for “Autofill,” and tap “Autofill service.” If you already have a password manager installed, it will show up in this list. You can also tap “Add service” to download the password manager of your choice from the Play Store.

Once you’ve set a password manager as your Autofill service, the information stored in that app will show up in Autofill whenever you fill out forms (for example, your saved username and password will show up as a suggestion when you’re logging into an app for the first time).

We include Google as an autofill service on all devices running Android 8.0 and above, which lets you use data that you already have saved in Chrome to fill in passwords, credit cards, addresses, and other personal information.


Language and input settings


Autofill service settings: here you can pick the app that you would like to use as your Autofill service

Whether you use Google or another password manager from the Play Store, the new Autofill experience on Oreo makes it easier to securely store and recall commonly typed information, like passwords and credit card numbers.

from Official Google Blog


Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router


These vulnerabilities were discovered by Carlos Pacho of Cisco Talos.

Today, Talos is disclosing several vulnerabilities that have been identified in the Moxa EDR-810 industrial secure router.

The Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. The EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix these issues.



from Threat Research – Cisco Blog

New Android Malware Secretly Records Phone Calls and Steals Private Data

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguised as a fake anti-virus application, dubbed "Naver Defender."



, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.

Talos researchers published Monday

technical details

about two recent variants of KevDroid detected in the wild, following the initial


of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.

Though researchers haven’t attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group "

Group 123

," primarily known for targeting South Korean targets.

The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:

  • record phone calls & audio
  • steal web history and files
  • gain root access
  • steal call logs, SMS, emails
  • collect the device's location every 10 seconds
  • collect a list of installed applications

The malware uses an open source library to record incoming and outgoing calls on the compromised Android device.

Although both malware samples have the same capabilities of stealing information from the compromised device and recording the victim's phone calls, one of the variants also exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.

All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub's global Data Stream Network, using HTTP POST requests.

"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.

"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."

Researchers also discovered another RAT, designed to target Windows users, that shares the same C2 server and likewise uses the PubNub API to send commands to compromised devices.
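The exfiltration pattern described above (an Android client POSTing to PubNub on a tight, regular cadence, with the location sample every 10 seconds as the page's clue to the period) is something a SOC can hunt for in proxy logs. The script below is an added example for this page, not Talos' or The Hacker News' code. Its log format (tab-separated unix time, client IP, method, host, path, request bytes, User-Agent), the sample lines, the PubNub hostname list and the thresholds are all constructed assumptions to adapt to your own environment.

```python
"""Hunt for KevDroid-style exfiltration in proxy logs.

Added example for this page; it is not code from Talos or The Hacker News.
The log format (one record per line, tab-separated: unix time, client IP,
method, host, path, request bytes, User-Agent) and all sample lines are
constructed here; adapt parse_line() to your own proxy's format.
"""
import re
import statistics
from collections import defaultdict

# PubNub Data Stream Network hostnames (assumed list; extend it from your own
# baseline of which PubNub endpoints your fleet legitimately talks to).
PUBNUB_HOST = re.compile(r"(^|\.)(pubnub\.com|pndsn\.com)$", re.IGNORECASE)

# "Dalvik/..." is the default User-Agent of Android's HttpURLConnection;
# Android browsers and WebViews carry "Android" in theirs.
ANDROID_UA = re.compile(r"\bDalvik/|\bAndroid\b")

# Thresholds derived from the page: KevDroid collects location every 10
# seconds, so an Android client POSTing to PubNub at roughly that cadence is
# the pattern worth pulling for analyst review.
MIN_POSTS = 3
MAX_MEDIAN_INTERVAL_S = 15


def parse_line(line):
    """Split one constructed-format log record into a dict."""
    ts, ip, method, host, path, nbytes, ua = line.rstrip("\n").split("\t", 6)
    return {"ts": int(ts), "ip": ip, "method": method, "host": host,
            "path": path, "bytes": int(nbytes), "ua": ua}


def find_pubnub_beacons(log_text):
    """Return {client_ip: summary} for Android clients POSTing to PubNub
    often enough and regularly enough to look like a beacon.

    PubNub is a legitimate service used by many apps, so a hit is a lead for
    the analyst (which app, what payload sizes), not a verdict.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        if not (PUBNUB_HOST.search(rec["host"]) and ANDROID_UA.search(rec["ua"])):
            continue
        per_client[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in per_client.items():
        if len(recs) < MIN_POSTS:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap > MAX_MEDIAN_INTERVAL_S:
            continue
        hits[ip] = {
            "posts": len(recs),
            "median_interval_s": median_gap,
            "bytes_out": sum(r["bytes"] for r in recs),
            "hosts": sorted({r["host"] for r in recs}),
        }
    return hits


# Constructed sample: one Android client uploading every 10 s, one Windows
# browser hitting PubNub once, one Android GET to an unrelated site.
DALVIK_UA = "Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-G920F Build/MMB29K)"
WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_ROWS = [
    ("1522700000", "10.0.0.5", "POST", "ps.pndsn.com", "/publish/pub-c-0/sub-c-0/0/loc/0", "1843", DALVIK_UA),
    ("1522700010", "10.0.0.5", "POST", "ps.pndsn.com", "/publish/pub-c-0/sub-c-0/0/loc/0", "1790", DALVIK_UA),
    ("1522700020", "10.0.0.5", "POST", "ps.pndsn.com", "/publish/pub-c-0/sub-c-0/0/loc/0", "1812", DALVIK_UA),
    ("1522700030", "10.0.0.5", "POST", "ps.pndsn.com", "/publish/pub-c-0/sub-c-0/0/loc/0", "1799", DALVIK_UA),
    ("1522700040", "10.0.0.5", "POST", "ps.pndsn.com", "/publish/pub-c-0/sub-c-0/0/loc/0", "1821", DALVIK_UA),
    ("1522700005", "10.0.0.7", "POST", "ps.pndsn.com", "/publish/pub-c-1/sub-c-1/0/chat/0", "310", WINDOWS_UA),
    ("1522700007", "10.0.0.9", "GET", "www.example.com", "/", "0", DALVIK_UA),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"

if __name__ == "__main__":
    for ip, summary in find_pubnub_beacons(SAMPLE_LOG).items():
        print(ip, summary)
```

Only the 10.0.0.5 client is reported: the Windows browser is filtered by User-Agent and the Android GET by method. Because legitimate chat and push apps also talk to PubNub, the cadence and byte counts are there to prioritise, not to block; the next step is identifying the app on the device itself.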

How to Keep Your Smartphone Secure

Android users are advised to regularly review the apps installed on their devices and remove any malicious, unknown or unnecessary app that is present without their knowledge or consent.

Such Android malware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:

  • Never install applications from third-party stores.
  • Ensure that you have opted in to Google Play Protect.
  • Enable the "verify apps" feature in Settings.
  • Keep "unknown sources" disabled while you are not using it.
  • Install anti-virus and security software from a well-known cybersecurity vendor.
  • Regularly back up your phone.
  • Always use an encryption application to protect any sensitive information on your phone.
  • Never open documents that you are not expecting, even if they look like they come from someone you know.
  • Protect your device with a PIN or password lock so that nobody can gain unauthorized access to it while it is unattended.
  • Always keep your device up to date with the latest security patches.

from The Hacker News

Google Services Blocked on Uncertified Devices

After testing the waters for more than a year, Google has finally pulled the plug and begun blocking access to Google Play services on uncertified devices. Why did Google take this step, who is affected, and what does it mean for end users? Let's try to find out.

Google Play Services Certification

In March 2017, Google rolled out a Google Play Services update that had a very minor addition. At the very bottom of its settings page, the Services would now display device certification status.

This is how it looks on an uncertified device:

What is this all about?

In order to use Google Play Services (the most prominent of which is the Google Play Store), smartphone manufacturers must sign a MADA (Mobile Application Distribution Agreement) with Google. This agreement places certain restrictions on OEMs; for example, it explicitly prohibits participants from "forking" Android, or manufacturing Android-based devices that are not Google certified. This, for example, is the reason why Amazon does not manufacture a single Google-certified device, as Amazon Fire OS is a classic Android fork. In addition, the terms of the agreement disallow manufacturers from pre-installing non-Google application stores (such as the Amazon Appstore or Yandex.Store), and require prominent placement of the Google search bar and certain Google apps.

OEMs who sign the agreement must certify their Android devices with a Google-approved lab. Such certification ensures, among other things, compatibility and compliance with the Android Compatibility Definition Document (CDD). The CDD defines a number of security-related requirements, such as enforcing full-disk encryption on devices released with Android 6.0 and newer, or ensuring that the fingerprint scanner and other forms of biometric identification are disabled after boot until the device has been unlocked with a passcode (or pattern) at least once.

Finally, the lab certifies that the device ROM does not include malware, which was a huge problem a few years back (and could be still a problem with many Chinese manufacturers).

Apparently, not all Android OEMs would choose the straightforward path. Many smaller manufacturers, particularly those in China (e.g. Bluboo, Meizu, Xiaomi), would opt to skip Google certification and release non-compliant devices with Google services. While most such devices were only available to Western consumers through Chinese online outlets, some phones (such as the global versions of the Meizu Pro 6 and Pro 6 Plus) were officially brought to Europe and sold through local retail and online stores, including Amazon.

Meizu smartphones sold in Europe employ what Meizu thought to be a smart trick. Out of the box, the device does not have Google Play services installed, so it does not violate anyone’s intellectual property. After initial setup (which obviously does not allow restoring backups from Google Drive), the user can voluntarily open the Meizu App Store and download the so-called “Google Installer”.

Once downloaded, the app obtains and installs Google services including Google Framework, Google Play Services, Calendar Sync and Google Play Store. The app is not made by Meizu; it is the user’s responsibility to obtain and to use the app to gain access to Google services.

Beyond that, Meizu smartphones are a compatibility disaster. They have no encryption at all (let alone forced encryption), and they completely ignore Google's security requirements (in particular, they enable the fingerprint reader immediately after boot, before the first passcode unlock). There is no way such a device would pass Google certification.

Meizu was not alone. Some OEMs would release their smartphones with “unofficial” (extracted from other ROMs) Google services, often pre-installing malware alongside. Apparently, Google was never happy about it. The company set a goal to make things right.

The first step Google took, in March 2017, was adding the Google certification status to the bottom of the Play Services settings list. At the same time, Google started contacting vendors to inform them that it would begin enforcing certification in the near future. Vendors were given the option to sign the MADA agreement, in which case their existing non-certified devices would be grandfathered. Vendors who did not sign the agreement, or who did not certify their devices, risked having Google Play services blocked on their devices.

In "Google now blocks GApps on uncertified devices, but lets custom ROM users be whitelisted", Mishaal Rahman of XDA Developers reported that Google has started entirely locking newly built uncertified firmware out of Google services.

If the user is attempting to set up a new uncertified Android device, they may be refused when signing in to their Google Account. This only happens if the uncertified device is running recently built firmware (according to Mishaal, the change went into effect on March 16, 2018 and affects any software build made after that date, which Google identifies by checking the build date).

If you are a regular consumer and have just purchased such a device, you may turn to the vendor to request that they certify the device (or, better yet, simply return the device to the store, as post-factum certification is very unlikely to happen). Custom ROM users who deliberately installed non-certified software can whitelist individual devices by registering them with Google (the registration URL, which currently redirects, is linked from the original post). The registration process is not the simplest, but it still lets users of custom ROMs access Google services; power users may opt to install Magisk instead, which restores access to Google services without requiring device registration.

Device makers will have to contact Google to have the device certified by going through the proper certification channel.
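With a device in hand, two of the points above can be checked from `adb shell getprop` output: whether the device meets the CDD encryption requirement for devices that launched with Android 6.0 or later, and whether its firmware post-dates the March 16, 2018 cut-off that the XDA report says the lockout keys on. The script below is an added example for this page, not Google's or the post author's code. The getprop line format is real; the sample outputs are constructed, and the assumption that the enforcement looks at `ro.build.date.utc` (rather than some other build attribute) is just that, an assumption. The only authoritative answer remains the "Device certification" entry at the bottom of the Google Play Services settings page.

```python
"""Check a device's build properties against the CDD encryption requirement
and the uncertified-firmware build-date cut-off described on this page.

Added example, not Google's or Elcomsoft's code. Input is the output of
`adb shell getprop` (real format: "[key]: [value]" per line). Sample outputs
are constructed; treating ro.build.date.utc as the build date Google checks
is an assumption.
"""
import re
from datetime import datetime, timezone

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# March 16, 2018: first build date affected by the lockout, per the page.
LOCKOUT_CUTOFF = datetime(2018, 3, 16, tzinfo=timezone.utc).timestamp()


def parse_getprop(text):
    """Parse `adb shell getprop` output into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess_device(getprop_text):
    """Report the CDD encryption requirement and the build-date lockout."""
    p = parse_getprop(getprop_text)
    findings = []

    # The CDD requires devices that *launch* with Android 6.0 (API 23) or later to
    # ship encrypted. ro.product.first_api_level records the launch API level where
    # the OEM sets it; falling back to the running SDK over-approximates, because
    # a device upgraded to 6.0 is not bound by the requirement.
    sdk = int(p.get("ro.build.version.sdk", "0") or 0)
    launch_api = int(p.get("ro.product.first_api_level", sdk) or sdk)
    crypto_state = p.get("ro.crypto.state", "")
    encrypted = crypto_state == "encrypted"
    if launch_api >= 23 and not encrypted:
        findings.append("cdd: launched with API %d but ro.crypto.state=%s"
                        % (launch_api, crypto_state or "<unset>"))

    # Firmware built after the cut-off is what the page says gets locked out of
    # Google sign-in when the device is uncertified.
    build_utc = int(p.get("ro.build.date.utc", "0") or 0)
    post_cutoff = build_utc > LOCKOUT_CUTOFF
    if post_cutoff:
        findings.append("build dated %s: uncertified firmware of this age is refused Google sign-in"
                        % datetime.fromtimestamp(build_utc, timezone.utc).date())

    return {"model": p.get("ro.product.model", "?"),
            "release": p.get("ro.build.version.release", "?"),
            "encrypted": encrypted,
            "post_cutoff_build": post_cutoff,
            "findings": findings}


# Constructed samples: an unencrypted Nougat device on a March 2018 build, and
# an encrypted device on an older build.
UNENCRYPTED_RECENT = """\
[ro.product.model]: [example-phone]
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.product.first_api_level]: [23]
[ro.crypto.state]: [unencrypted]
[ro.build.date.utc]: [1522000000]
"""
ENCRYPTED_OLDER = """\
[ro.product.model]: [example-phone-2]
[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.product.first_api_level]: [26]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.build.date.utc]: [1519000000]
"""

if __name__ == "__main__":
    for sample in (UNENCRYPTED_RECENT, ENCRYPTED_OLDER):
        print(assess_device(sample))
```

Run it as `adb shell getprop | python3 check_device.py` after replacing the sample with `sys.stdin.read()`. The first sample reproduces the Meizu situation described above (a device that launched on 6.0, runs unencrypted, and carries a post-cut-off build); the second passes both checks.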

The Meaning of It

Google services certification is not meant to block or limit the use of custom ROMs. It remains to be seen what happens when a user installs a custom ROM on a device that was properly certified by the vendor (it could be that the device is whitelisted by IMEI). Instead, Google is going after unscrupulous manufacturers who bypass the proper certification channels in order to slip their malware-ridden, highly insecure devices to unsuspecting consumers. Does it really work? It seems to be working as intended: we have recently heard that the newer Meizu Pro 7 smartphone has been properly certified.


from Advanced Password Cracking – Insight

Mobile Menace Monday: Fake WhatsApp can steal info from your phone

Last month, a blogger at My Online Security reported receiving a spam comment advertising WhatsApp Plus. Going through the process, they downloaded an APK of this so-called WhatsApp Plus. Where they ended up was, in their words:

I am not certain exactly what this does, but from the sandbox reports it looks like it has the potential to steal information, photos, phone numbers etc from your mobile phone.  

Indeed, they are correct: this is a variant of Android/PUP.Riskware.Wtaspin.GB, fake WhatsApp riskware that dates back to mid-2017. But what makes this variant unique is where it leads us.

What's in a Fake WhatsApp?

As our dear My Online Security blogger did, I too went through the process and downloaded and installed the APK mentioned in the linked blog. Upon opening the app, the following greeting appears:

Of special interest is the gold logo in the middle with a URL and handle. Onward, I clicked on AGREE AND CONTINUE to find, oh no, I was out of date!

The message states, "Please go to Google Play Store to download latest version" — nah, I'd rather click the DOWNLOAD button. Where I was redirected was intriguing.

Into another realm of Fake WhatsApp

Where I landed was on the above URL from the shiny gold logo. Everything on the webpage is written in Arabic.

Here I was on the official website to download Watts Plus Plus WhatsApp—that unusual name could very well be an awkward Google translate, by the way.  Among numerous ads (a developer needs to make some ad revenue after all) was text explaining this developer’s WhatsApp version. Below is the (very) rough translation, with minor condensing to the most pertinent information:

What is Watts Plus Plus Whatsapp Plus?

Is a copy of WattsPlus developed by Abu, there may be no confidence in some users in the download of Whatsapp Plus, but this version has been checked files Wats through special programs and the result is positive is safe , and the version of Watts Plus is updated Abu periodically for the  last issue is a special version of the fans of Watts AP Plus:

Secure:  The antivirus software code has been checked, the Watsp files are encrypted in the Watspec servers and cannot be decrypted and can only be decrypted by Wattsp itself.

Updated to the latest version:  Watts August the company issued almost every two days a simple update, and is almost updated copies of our own every two months periodically until the copies contain only critical updates.

Four numbers in the same phone: In this version you can run up to four numbers in the same phone without a routine or any difficulty


Hide the last appearance of friends completely with the property of hiding the reading and reception, and the disappearance of the current writing and running and hide that you have played a clip and your voice. And hide that you watched the case of your friend (Alasturi).

The possibility of changing the program line completely to many of the ready lines

Provides the security feature of the application by placing a secret number cannot open the application without it.

Provides security for conversations by placing a secret number cannot open the conversation without him.

You can send more than 100 photos at once to your friends.

And many other features

Hide what you saw the situation:  You can in the latest version of WhatsApp + WhatsApp Plus WhatSapp Plus AbuSamad AlRifa’i Hide that you watched the status of friends from privacy options from the top menu.

What is the best feature in WhatsApp Plus WhatsApp Plus What isApp Plus Abu Sadam Rifai  If we activate this option, no one will be able to see you online forever and will not show the date of your last appearance and no one will know you are online even while you are on the wattage .

Hide the second health:  The sender of the messages will not be able to tell you that you received the message.

Hides the blue ones:  The sender cannot tell you that you read the message but in return you know that he has read the messages and only shows you the blue ones.

Hide the current writing:  You can also in the new version and the latest version of WhatsApp + WhatsApp Plus whatsapp plus Abu Saddam Al – Rifai  hide hiding or typing on the other end of the conversation.

Hides recording:  When recording a track.

Hide playback signal:  ie, the sender cannot tell you have listened to the audio track.

Two-way operation:  You can run two versions of Wattsp on one device without a router by downloading Watts 1 and Watts 2.

See the status of people without entering the conversation:  You can see the status of people connected or last seen from the main screen of the program.

What stood out to me was all the abilities to hide oneself in various ways—very spy-like behavior.

Onward to the next version

Sifting through all the ads stating they were the download button, I finally came across the true download link. After updating, I once again came to the same screen shown above with the gold logo. This time, after pressing the AGREE AND CONTINUE button, the next screen asked to verify a phone number.

After doing so, a changelog appeared with fixes to the app’s hiding features.


Clicking OK to the changelog, what appears to be a functioning version of WhatsApp opens.


WhatsCode…ur…what’s in the code

The incriminating code of Android/PUP.Riskware.Wtaspin.GB sits in receivers, services, and activities that share a common package prefix. This code appears in various fake WhatsApp APKs; the only difference in the version examined above is that its code points to the Arabic webpage for updates.

After analyzing several different versions of PUP.Riskware.Wtaspin.GB, it appears that all have different URLs from which to update. Thus, everyone is just copycatting the original source code and adding their own "update" website. So, who is the original author of this riskware? Is the Arabic developer, Abu, the originating author?

The code of this riskware is complex. The webpage of the developer claiming to be owner—not so complex. Although I won’t completely rule out the possibility, let’s just say I am skeptical.

No matter the true author or origin of this fake WhatsApp, I suggest sticking with the real WhatsApp on Google Play. Although Google Play has its faults, it's tremendously safer than some of the sources I came across while researching this riskware. Stay safe out there!

The post Mobile Menace Monday: Fake WhatsApp can steal info from your phone appeared first on Malwarebytes Labs.

from Malwarebytes Labs

Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure

We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER. This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).

We further delved into HiddenMiner and found the Monero mining pools and wallets connected to the malware, and learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This indicates a rather active campaign of using infected devices to mine cryptocurrency.

HiddenMiner uses the device’s CPU power to mine Monero. There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.

This is similar to the Loapi Monero-mining Android malware, which other security researchers observed to have caused a device’s battery to bloat. In fact, Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s.

HiddenMiner is found in third-party app marketplaces. So far, it’s affecting users in India and China, but it won’t be a surprise if it spreads beyond both countries.

Figure 1. Screenshot for one Monero wallet address’s status

Infection Chain
HiddenMiner poses as a legitimate Google Play update app, complete with the Google Play icon. It requires users to activate it as a device administrator, and it will persistently pop up until the victim clicks the Activate button. Once granted the permission, HiddenMiner starts mining Monero in the background.

Figure 2. The malicious app’s screen requiring users to activate it as device administrator

Technical Analysis
HiddenMiner uses several techniques to hide itself on the device, such as an empty app label and a transparent icon after installation. Once activated as device administrator, it hides itself from the app launcher by calling PackageManager.setComponentEnabledSetting() to disable its launcher component. Note that the malware hides itself and keeps running with device administrator permission until the next device boot. The DoubleHidden Android adware employs similar techniques.

Figure 3. An illustration of how HiddenMiner hides itself: an empty app label and transparent icon after installation (left), then disappearing once granted device administration permissions (right)

HiddenMiner also has anti-emulator capabilities to evade detection and automated analysis. It checks whether it's running on an emulator by abusing an Android emulator detector found on GitHub.

Figure 4. Code snippet showing how HiddenMiner bypasses Android emulators based on our sandboxing detection and analysis

Figure 5. Code snippet showing how HiddenMiner mines Monero

Abusing Device Administration Permission
Users can't uninstall an active device admin package until its device administrator privileges are removed first. In HiddenMiner's case, victims cannot remove it as device administrator, as the malware employs a trick to lock the device's screen whenever the user tries to deactivate its device administrator privileges. It takes advantage of a bug found in Android versions before Nougat (Android 7.0).

Figure 6. Code snippet showing how HiddenMiner prevents removal of device administrator privileges

Google resolved this security issue in Nougat and later Android versions by reducing the privileges of device admin applications so that they can no longer lock the screen from the deactivation flow; device admins are no longer notified via the DeviceAdminReceiver.onDisableRequested() callback. These tactics aren't new: certain Android ransomware and information stealers (e.g. Fobus) have used them to gain a foothold on the device.
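The indicators in this write-up and in the fake WhatsApp post above (a device-admin receiver backing the "Activate" lure, a launcher entry with an empty label, calls that disable the launcher component or lock the screen, and an "update" button that fetches an APK from a website instead of Google Play) can all be pulled from an APK statically. The triage script below is an added example for this page, not Trend Micro's or Malwarebytes' code. It takes the decoded AndroidManifest.xml (as apktool produces it) and the string table of classes.dex (from `strings` or a dex parser); the sample manifest, the package name `com.example.fakeupdate` and the sample strings are constructed.

```python
"""Static triage of an APK for the indicators described in the HiddenMiner and
fake WhatsApp write-ups: a device-admin receiver, a launcher entry with an
empty label, calls that hide the launcher icon or lock the screen, and
"update" URLs that download an APK from outside Google Play.

Added example for this page, not Trend Micro's or Malwarebytes' code. Inputs
are the decoded AndroidManifest.xml (as apktool produces it) and the string
table of classes.dex; the sample manifest, package name and strings below
are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
LAUNCHER = "android.intent.category.LAUNCHER"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _filter_names(component, tag):
    """Names of <action>/<category> entries across a component's intent filters."""
    return {e.get(ANDROID + "name")
            for f in component.findall("intent-filter")
            for e in f.findall(tag)}


def triage_apk(manifest_xml, dex_strings):
    """Return a sorted list of indicator strings found in the manifest and strings."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = set()

    # Device-admin receiver: what HiddenMiner needs for its "Activate" lure.
    for rcv in app.findall("receiver"):
        if (rcv.get(ANDROID + "permission") == BIND_DEVICE_ADMIN
                or DEVICE_ADMIN_ENABLED in _filter_names(rcv, "action")):
            findings.add("device_admin_receiver:" + rcv.get(ANDROID + "name", "?"))

    # Launcher activity whose effective label is empty: it shows up nameless
    # in the launcher (HiddenMiner's empty app label).
    app_label = app.get(ANDROID + "label", "")
    for act in app.findall("activity"):
        if LAUNCHER in _filter_names(act, "category"):
            if act.get(ANDROID + "label", app_label).strip() == "":
                findings.add("empty_launcher_label:" + act.get(ANDROID + "name", "?"))

    # Method names in the dex string table: hiding the launcher component and
    # locking the screen from a device admin.
    for api in ("setComponentEnabledSetting", "lockNow"):
        if any(api in s for s in dex_strings):
            findings.add("api:" + api)

    # Hard-coded APK download URLs off Google Play: the fake WhatsApp variants
    # differ only in where their "update" button sends the user.
    for s in dex_strings:
        for url in URL_RE.findall(s):
            host = url.split("/")[2].lower()
            if url.lower().endswith(".apk") and host != "play.google.com":
                findings.add("sideload_update_url:" + url)

    return sorted(findings)


# Constructed sample resembling the behaviour described on the page.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="" android:icon="@drawable/transparent">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""
SAMPLE_DEX_STRINGS = [
    "Lcom/example/fakeupdate/AdminReceiver;",
    "setComponentEnabledSetting",
    "lockNow",
    "onDisableRequested",
    "http://update.example.invalid/dl/WhatsAppPlus.apk",
]

if __name__ == "__main__":
    for finding in triage_apk(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS):
        print(finding)
```

None of these indicators is damning alone: legitimate MDM agents register device admins and call lockNow(), and some launchers do call setComponentEnabledSetting(). The combination of a nameless launcher entry, a device-admin receiver and an off-Play APK URL is what should push a sample to a sandbox. The page's point about Nougat still applies at runtime: the lockNow-on-deactivation trick only pays off on devices below Android 7.0, but the code is worth flagging on any target SDK.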

Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.

Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Indicators of Compromise:
Related hashes (SHA-256) detected as ANDROIDOS_HIDDENMINER (package name as

  • 7FBF758FEAF4D992B16B26AC582A4BDCFC1A36B6F29B52FC713A2B8537F54202
  • E62C034516F28A01ABD1014D5D9CAA7E103AE42C4D38419C39BC9846538747FA
  • 975A12756CA4F5E428704F7C553FD2B2CCC12F7965DD61C80BEC7BCBA08C1B37
  • FD30B04CE4A732FB830A03C1A0AC0FBB0972C87307E515646239B0834156FA0E
  • D21899BDAB5B1D786D8FC6C133385650A4CDA2B71A394B1F8DDC5C0EC39F1523
  • BF9C41EE9D4A718F6B6958EC2E935395E79882B0EBEE545E2C84277DBA70A657
  • B924A8EC7CFC1D5DDD9828467D7FC583FA6B35F441170D171C7A084FFD1799AD
  • B40E2EEF49EDB271BBA2E5AD15C773E6EBDF4BFE5822AD93DDFE20847B8F9D67
  • 419629E1644B0179F0AE837FE3F8D80C6E490A59838E485EEDA048BF8DF176D2
  • 3039B2FF2E1EDB522FFADAEAED8B0CEE1519CFA56FABE7CE6F0F6A50816D026D
  • 1C24C3AD27027E79ADD11D124B1366AE577F9C92CD3302BD26869825C90BF377
  • 0156051E50544F9F725B75E32E0ACE888E53FBC79CAC50835B9A9EB39F0FCA84

 Monero wallets/addresses related to HiddenMiner:

  • pool[.]minergate[.]com
  • monero[.]hashvault[.]pro
  • supportxmr[.]com
  • 49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXH
  • 43QGgipcHvNLBX3nunZLwVQpF6Vbobm
  • 486GAqHxZnCYNcN2V1SEASSoWmifzXZ

The post Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure appeared first on TrendLabs Security Intelligence Blog.

from TrendLabs Security Intelligence Blog

The Android Security 2017 Year in Review has good news for enterprises

Device security is of paramount importance to enterprises. It’s why the Android Security team (and many other teams at Google) continuously work to improve protections across more than 2 billion active Android devices.

To ensure customers, partners, and Android users are up to date on our ongoing work, we recently published the fourth annual Android Security Year in Review. This document details improvements to Google’s security offerings in Android, updated platform features, and key metrics that inform our initiatives.

While the report provides a broad view of the breadth of the security work across the ecosystem, there are important highlights for our enterprise users.

Enterprise-grade security in Android

In 2017 we launched Google Play Protect, Android’s built-in device, data, and apps security scanning technology. Google Play Protect protects users from potentially harmful apps (PHAs) in real-time and uses cloud-based services for analyzing device and app data to identify possible security concerns.

Every day, Google Play Protect automatically reviews more than 50 billion apps and other potential sources of PHAs, and checks devices, warning users about potential harm. These automatic reviews enabled us to remove nearly 39 million PHAs last year.

PHA install rates
The installation of potentially harmful apps (PHAs) from outside the Google Play store saw a significant drop in 2016.

Enterprises can leverage Google Play Protect with managed Google Play, a curated Google Play Store for enterprise customers. By using managed Google Play, an organization can ensure that team members are selecting prescribed apps for work that are secured through Google Play Protect. Last year, the number of 30-day active devices running managed Google Play increased by 2,000 percent.

We also introduced a bundle of new security features in Android Oreo, making it safer to get apps, dropping insecure network protocols, providing more user control over identifiers, and hardening the kernel.

In its second year, the Android Security Rewards program paid researchers $1.28 million in 2017 for work identifying potential vulnerabilities in Android. We also introduced the Google Play Security Rewards Program for developers that discover and disclose select critical vulnerabilities in apps hosted on Play.

Additionally we launched zero-touch enrollment, a fast and secure method for simplified provisioning of corporate-distributed devices. Our focus on security starts from the moment a device is powered on, through deployment, and during daily interaction with apps and services.

Looking ahead

Our efforts continue into 2018. We recently launched the Android Enterprise Recommended program for OEMs, which addresses the pain point that many organizations face when choosing devices for large deployments. Our program features a curated selection of devices that meet common requirements for security (including which devices are getting regular security patches), and supported features, all validated by Google.

For a more detailed look at all of the Android security improvements during the last year, see the dedicated Security Blog or read the full security report at

from Official Google Blog