Wednesday, 13 March 2019

New Android adware found in 200 apps on Google Play

Security researchers have found a new kind of mobile adware hidden in hundreds of Android apps, and downloaded more than 150 million times from Google Play.

The malware masquerading as an ad-serving platform, dubbed SimBad by researchers at security firm Check Point, infected more than 200 apps which, likely unbeknownst to the app developer, would open a backdoor to install additional malware as a way to outsmart Google’s app store scanning. Once installed, the downloaded malware also removes the app icon and persists in the background, loading each time the device boots up.

Once the malware retrieves its instructions from the command and control server, the malware runs through lists of web addresses in the background, serving ads to generate fraudulent revenue.

Check Point provided a list of the apps, which Google pulled from Google Play following a disclosure by the security researchers. The list can be found here. Google’s removal from the app store does not delete the app from users’ devices.

The top ten downloaded games amount to 55 million downloads alone:

  • Snow Heavy Excavator Simulator (10,000,000 downloads)
  • Hoverboard Racing (5,000,000 downloads)
  • Real Tractor Farming Simulator (5,000,000 downloads)
  • Ambulance Rescue Driving (5,000,000 downloads)
  • Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  • Fire Truck Emergency Driver (5,000,000 downloads)
  • Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  • Car Parking Challenge (5,000,000 downloads)
  • Speed Boat Jet Ski Racing (5,000,000 downloads)
  • Water Surfing Car Stunt (5,000,000 downloads)

Some of the games, mostly simulation games — hence the malware’s name — date back on Google Play to March 2017, said Aviran Hazum, mobile threat intelligence team leader at Check Point, in an email to TechCrunch.

Hazum said the malware might be an adware for now, but has the potential to evolve into a larger threat.

A Google spokesperson, when reached, did not provide comment. The search giant typically doesn’t discuss app removals, largely because it’s an issue that keeps occurring. It’s far from the first time Google was forced to remove apps from its supposedly vetted app store. Time and again, the company has had to react to dozens of bad apps that slip through its scanning efforts.

Google’s official figures put the number of apps it removed last year at about 700,000.



from Android – TechCrunch https://ift.tt/2TII6FY
via IFTTT

Apple’s streaming service could feature content from partners

A report from Bloomberg shares some of the details about the long-rumored video streaming service from Apple. The company should unveil this service at a press conference in Cupertino on March 25.

While Apple has been working on a ton of original content for its new streaming service, Bloomberg says that most of them won’t be ready for the launch later this month. Apple will probably share some teasers on stage, but the launch lineup will mostly feature third-party content.

Apple is probably talking with everyone, but many premium cable channels still have to make up their mind about Apple’s streaming service. HBO, Showtime and Starz have to decide whether they want to be part of the launch by Friday.

It’s unclear if Apple is going to feature some or all content from those partners. Many of them already have a streaming service on their own. And you can already access their libraries from the TV app on your Apple TV or iOS device.

Apple could streamline the experience by letting you subscribe to various content bundles in its own streaming service. Amazon already provides something similar with Amazon Prime Video Channels. Netflix and Hulu will likely remain independent services as they compete directly with Apple’s original content effort.

When it comes to Apple’s other announcement, the company should also unveil its Apple News subscription on March 25. Apple acquired Texture last year and has been working on a digital magazine subscription for a while.

Once again, details are still thin for this new service when it comes to pricing, availability outside of the U.S. and content.

Last month, the WSJ reported that Apple has been working with Goldman Sachs on a credit card that would integrate deeply with the Apple Wallet app. Given that Apple’s event is about services, let’s see if the company talks about this new product as well.



from Apple – TechCrunch https://ift.tt/2UyHa4h

Monday, 11 March 2019

Taika Waititi will write and direct ‘Time Bandits’ series for Apple

Taika Waititi, the comedic filmmaker best known for directing “Thor: Ragnarok,” has signed on to co-write and direct the pilot of a “Time Bandits” series currently in development for Apple.

The series is being co-produced by Anonymous Content, Paramount Television and Media Rights Capital. Deadline broke the news of Waititi’s involvement.

The “Time Bandits” series was first announced last year. It’s based on the cult classic Terry Gilliam film of the same name, which follows a young boy who tags along with a group of dwarfs as they jump through space and time, hoping to get rich and encountering a long list of famous semi-historical figures (Sean Connery as Agamemnon! John Cleese as Robin Hood!) in the process.

This is one of a number of projects that Waititi has coming out this year — he’s also an executive producer on the FX adaptation of “What We Do in the Shadows” (the vampire comedy he wrote, directed and starred in with Jemaine Clement), a director on “The Mandalorian” (the live-action Star Wars series for Disney+) and his next film “Jojo Rabbit” is due for release this fall.

And while we’ve been reporting for more than a year on all the movies and shows Apple has been commissioning, we may finally, finally get the first official details on the company’s streaming plans at an event on March 25.



from Apple – TechCrunch https://ift.tt/2UvIzIF

Apple sends out invites for March 25 ‘special event’

Apple sent out invites to reporters this afternoon for a March 25 special event at the Steve Jobs Theater in Cupertino.

Reports have suggested that the company will focus its keynote on the content side of its business. The invite offers some key hints that the video content service will be on full display at the event, mainly a film reel countdown timer that eventually reveals the phrase “It’s show time.”

Apple has been seeding a ton of TV shows and delivering plenty of announcements about the content that it has in the pipeline, but we’ve strangely heard quite little about the underlying platform or subscription that Apple has planned beyond media reports.




from Apple – TechCrunch https://ift.tt/2J9ctkL

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can be easily discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.

Not even Box’s own staff were immune from leaking data.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders had been scraped and indexed by search engines, making the data even easier to find.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts, and customer data were among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

  • Amadeus, the flight reservation system maker, which left a folder full of documents and application files associated with Singapore Airlines. Earlier this year, a researcher found flaws that made it easy to change reservations booked with Amadeus.
  • Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
  • Television network Discovery had more than a dozen folders listed, including database dumps of millions of customers’ names and email addresses. The folders also contained some demographic information and developer project files, including casting contracts and notes and tax documents.
  • Edelman, the global public relations firm, had an entire project proposal for working with the New York City mass transit division, including detailed proposal plans and more than a dozen resumes of potential staff for the project — including their names, email addresses, and phone numbers.
  • Nutrition giant Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including their names, email addresses and phone numbers.
  • Opportunity International, a non-profit aimed at ending global poverty, exposed a list of donor names, addresses and amounts given in a massive spreadsheet.
  • Schneider Electric left dozens of customer orders accessible to anyone, including sludge works and pump stations for several towns and cities. Each folder had an installation “sequence of operation” document, which included both default passwords and in some cases “backdoor” access passwords in case of forgotten passwords.
  • Pointcare, a medical insurance coverage management software company, had thousands of patient names and insurance information exposed. Some of the data included the last four digits of Social Security numbers.
  • United Tissue Network, a whole-body donation non-profit, exposed body donor information and donors’ personal information in a vast spreadsheet, including the prices of body parts.

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

Box spokesperson Denis Roy said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

The cloud giant said it plans to reduce the unintended discovery of public files and folders.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Amadeus spokesperson Alba Redondo said the company decommissioned Box in October and blamed the exposure on an account that was “misconfigured in public mode” which has now been corrected and external access to it is now closed. “We continue to investigate this issue and confirm there has been no unauthorized access of our system,” said the spokesperson, without explanation. “There is no evidence that confidential information or any information containing personal data was impacted by this issue,” the spokesperson added. We’ve asked Amadeus how it concluded there was no improper access, and will update when we hear back.

Pointcare chief executive Everett Lebherz confirmed its leaking files had been “removed and Box settings adjusted.” Edelman’s global marketing chief Michael Bush said the company was “looking into this matter.”

Herbalife spokesperson Jennifer Butler said the company was “looking into it,” but we did not hear back after several follow-ups. (Butler declared her email “off the record,” which requires both parties to agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject the terms.)

When reached, an Apple spokesperson did not comment by the time of publication.

Discovery, Opportunity International, Schneider Electric, and United Tissue Network did not return a request for comment.

Data “dumpster diving” is not a new hobby for the skilled, but it’s a necessary sub-industry to fix an emerging category of data breaches: leaking, public, and exposed data that shouldn’t be. It’s a growing space that we predicted would grow as more security researchers look to find and report data leaks.

This year alone, we’ve reported data leaks at Dow Jones, Rubrik, NASA, AIESEC, Uber, the State Bank of India, two massive batches of Indian Aadhaar numbers, a huge leak of mortgage and loan data, and several Chinese government surveillance systems.

Adversis has open-sourced and published its scanning tool.



from Apple – TechCrunch https://ift.tt/2UtsqDy

Saturday, 9 March 2019

Elizabeth Warren reportedly also wants to break up Apple

Massachusetts Senator and 2020 presidential candidate Elizabeth Warren made waves yesterday when she outlined her plan for breaking up big tech companies like Amazon, Google and Facebook. Now, The Verge reports Warren also wants to break up Apple.

Specifically, Warren believes Apple should not be able to both run the Apple App Store and distribute apps in it.

“It’s got to be one or the other,” Warren told The Verge. “Either they run the platform or they play in the store. They don’t get to do both at the same time.”

Warren’s proposal includes passing legislation to designate companies that offer marketplaces, exchanges or platforms for connecting third parties, with annual global revenues of more than $25 billion, as “platform utilities.”

“These companies would be prohibited from owning both the platform utility and any participants on that platform,” Warren wrote on Medium yesterday. “Platform utilities would be required to meet a standard of fair, reasonable, and nondiscriminatory dealing with users. Platform utilities would not be allowed to transfer or share data with third parties.”

That would mean Amazon, for example, would not be able to sell its Amazon Basics line of products on its marketplace. Same goes for Apple, under Warren’s proposal.

“If you run a platform where others come to sell, then you don’t get to sell your own items on the platform because you have two comparative advantages,” Warren said. “One, you’ve sucked up information about every buyer and every seller before you’ve made a decision about what you’re going to sell. And second, you have the capacity — because you run the platform — to prefer your product over anyone else’s product. It gives an enormous comparative advantage to the platform.”

I’ve reached out to Warren’s media team and will update this story if I hear back.



from Apple – TechCrunch https://ift.tt/2EQxRWw

Friday, 8 March 2019

Apple could launch augmented reality headset in 2020

According to a new report from Ming-Chi Kuo (via 9to5mac), a reliable analyst on all things Apple, the company has been working on an augmented reality headset and is about to launch the device. This pair of glasses could go into mass production as early as Q4 2019 and should be available at some point during the first half of 2020.

It’s still unclear what you’ll be able to do with this mysterious headset. Kuo says that it’ll work more or less like an Apple Watch. You won’t be able to use the AR headset without an iPhone as it’ll rely heavily on your iPhone.

The glasses will act as a remote display to give you information right in front of your eyes. Your iPhone will do the heavy lifting when it comes to internet connectivity, location services and computing. I wouldn’t be surprised if the AR headset relies on Bluetooth to communicate with your iPhone.

Kuo’s report doesn’t say what you’ll find in the headset. Apple could embed displays and sensors so that the AR headset is aware of your surroundings. An AR device only makes sense if Apple puts sensors to detect things around you.

Apple has already experimented with augmented reality with its ARKit framework on iOS. Developers have been able to build apps that integrate digital elements in the real world, as viewed through your phone cameras.

While many apps have added AR features, most of them feel gimmicky and don’t add any real value. There hasn’t been a ton of AR-native apps either.

One interesting use case for augmented reality is mapping. Google recently unveiled an augmented reality mode for Google Maps. You can hold your phone in front of your face to see arrows indicating where you’re supposed to go.

Apple has also been rebuilding Apple Maps with its own data. The company isn’t just drawing maps. It is collecting a ton of real world data using LiDAR sensors and eight cameras attached on a car roof. Let’s see if Apple Maps will play an important part in Apple’s rumored AR headset.



from Apple – TechCrunch https://ift.tt/2IZk4lV