Researchers at Avast Threat Labs say that more than 100 different low-cost Android devices from manufacturers like ZTE, Archos, and myPhone come with malware pre-installed. Users in more than 90 countries, including the US, are said to be infected. The good news is there’s a fix.

According to the report, this adware variant has been in the wild for three years. It’s called “Cosiloon” and was first noticed by Dr. Web in 2016. Because it’s located in the device’s firmware, it’s extremely difficult to remove. Avast has detected its presence on 18,000 of its users’ devices, so far. 

Fido might be man's best friend, but smart devices designed to track pets' movements and activity could be your worst enemy if attackers manage to capitalize on any of the dozen vulnerabilities researchers recently observed in them.

In a May 22 blog post, Kaspersky Lab researchers Roman Unuchek and Roland Sako warn that malicious hackers could exploit flaws found in these IoT products or their corresponding mobile apps to disable the devices' services, cause them to receive and execute commands from an unauthorized party, or perform man-in-middle attacks that intercept transmitted data. 

Google is being sued in the high court for as much as £3.2bn for the alleged “clandestine tracking and collation” of personal information from 4.4 million iPhone users in the UK.

The collective action is being led by former Which? director Richard Lloyd over claims Google bypassed the privacy settings of Apple’s Safari browser on iPhones to divide people into categories for advertisers. Lawyers for Lloyd’s campaign group Google You Owe Us told the court information collected by Google included race, physical and mental heath, political leanings, sexuality, social class, financial, shopping habits and location data. 

It's starting to feel like everyone in charge of our sensitive data might be incompetent. It's only been a day since Securus, the company that helps police track phones, was apparently hacked. Now, according to security site KrebsOnSecurity, tracking firm LocationSmart leaked real-time location data on its own web site.

LocationSmart aggregates real-time data on the location of subscribers' mobile phones. It's all opt-in, but Krebs reported that anyone could access this information for any AT&T, Sprint, T-Mobile and Verizon phones on the company's web site without a password or any other form of authentication. The vulnerability has been taken offline, said Krebs, but man what a mistake.

In its latest effort to fend off cryptocurrency scams, the Securities and Exchange Commission launched its own fake initial coin offering website today called the Howey Coin to warn people against fraudulent cryptocurrencies.

The name is a tongue-in-cheek reference to the Howey Test that the SEC uses to determine whether an investment is a security, which the Commission would therefore have legal jurisdiction over. Click ‘Buy Coins Now’ on the Howey Coins site and you’ll be redirected to an SEC page that states: “We created the bogus HoweyCoins.com site as an educational tool to alert investors to possible fraud involving digital assets like crypto-currencies and coin offerings.” 

Thieves siphoned hundreds of millions of pesos out of Mexican banks, including No. 2 Banorte, by creating phantom orders that wired funds to bogus accounts and promptly withdrew the money, two sources close to the government’s investigation said.

Hackers sent hundreds of false orders to move amounts ranging from tens of thousands to hundreds of thousands of pesos from banks including Banorte, to fake accounts in other banks, the sources said, and accomplices then emptied the accounts in cash withdrawals in dozens of branch offices. The thieves transferred more than 300 million pesos ($15.4 million). 

Four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.

In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart. The story blew up because a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance.

Google is under investigation in Australia following claims that it collects data from millions of Android smartphone users, who unwittingly pay their telecom service providers for gigabytes consumed by the activity, regulators said on Tuesday.

Responding to the latest privacy concerns surrounding Google, a spokesman for the U.S. based search engine operator said the company has users’ permission to collect data. “Any charges for transmission of data over a cellular connection, including any location-related data, would be governed by a user’s mobile carrier plan,” Google said in a statement. 

Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers' credit card information, according to infosec biz Pen Test Partners this week. The research was conducted over several years, said Pen Test's Ken Munro. "In most cases they are pretty secure, although whether the Wi-Fi works or not is another matter," he added.

But in a handful of cases Munro was able to bridge the wireless network to the wired network and find a database server containing default credentials, enabling him to access the credit card data of customers paying for the Wi-Fi, including the passenger's name, email address and card details. 

Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access.

Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy. The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests.