A single threat actor has aggressively bombarded Android users with more than 4,000 spyware apps since February, and in at least three cases the actor snuck the apps into Google's official Play Market, security researchers said Thursday.
Soniac was one of the three apps that made its way into Google Play, according to a blog post published Thursday by a researcher from mobile security firm Lookout. The app, which had from 1,000 to 5,000 downloads before Google removed it, provided messaging functions through a customized version of the Telegram communications program.
Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.
The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copyfish, a browser extension that performs optical character recognition, also had their account hijacked. In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed.
Researchers at RedLock, working within the Cloud Security Intelligence team, say they've discovered hundreds of organizations exposing sensitive data via Google Groups, pinning the cause on basic configuration issues.
"A customer-controlled configuration error in the Google Groups sharing settings has led to the exposure of sensitive data such as personally identifiable information (PII), including employee salary compensation details, sales pipeline data, customer passwords, names, email addresses and home addresses at hundreds of companies," an advisory shared with Salted Hash explains.
A form of Android ransomware which threatens to send the victim's private information and web history to all of their contacts has been discovered in the official Google Play app store.
LeakerLocker doesn't actually encrypt the victims' files, but instead claims to have made a backup of data stored on the device and threatens to share it with all of the user's phone and email contacts. Those behind the malware demand $50 in exchange for not leaking personal data including photos, Facebook messages, web history, emails, location history and more, playing on fears of potential embarrassment rather than any form of cryptography.
EU antitrust regulators are weighing another record fine against Google over its Android mobile operating system and have set up a panel of experts to give a second opinion on the case, two people familiar with the matter said.
Assuming the panel agrees with the initial case team's conclusions, it could pave the way for the European Commission to issue a decision against Alphabet's Google by the end of the year. The Commission in April last year charged Google with using its dominant Android mobile operating system to shut out rivals following a complaint by lobby group FairSearch, U.S.-based ad-blocking and privacy firm Disconnect Inc.
EU antitrust regulators hit Alphabet unit Google with a record 2.42-billion-euro fine on Tuesday, taking a tough line in the first of three investigations into the company's dominance in searches and smartphones.
It is the biggest fine the EU has ever imposed on a single company in an antitrust case, exceeding a 1.06-billion-euro sanction handed down to U.S. chipmaker Intel in 2009. The European Commission said the world's most popular internet search engine has 90 days to stop favoring its own shopping service or face a further penalty per day of up to 5 percent of Alphabet's average daily global turnover.
Attackers that have set up a malicious site can use users’ account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications.
The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process.
Here’s a surprise announcement from Google: It will stop scanning the inboxes of Gmail’s free users for ad personalization at some point later this year. Google already doesn’t do this for business users who subscribe to its G Suite services, but until now, it routinely scanned the inboxes of its free users to better target ads for them.
It then combined that information with everything else it knows about its users to build its advertising profiles for them. Diane Greene, Google’s senior VP for Google Cloud, says the company made this decision because it “brings Gmail ads in line with how we personalize ads for other Google products.”
Microsoft Rewards has launched in the UK, and aims to tempt more people over to Bing. It’s the company’s latest attempt to poach Google’s users, and arguably the most desperate so far. Microsoft will reward you for using the Bing search engine, with points you can exchange for a number of freebies.
You’ll need to be signed into Bing with your Microsoft account, in order to earn points. Each Bing search will get you three points, but this will be doubled if you’re also using Edge, Microsoft’s answer to Google Chrome. ‘Level 1’ users can earn up to 60 points per day, simply by searching for 10 things through Bing.
A new Google Chrome bug has been uncovered, which reportedly allows websites to record audio and video, without alerting the user or providing any visual indicators. Although the bug requires users to grant it permission to access audio and video features, it could potentially be used for spying on targets.
The bug was reportedly discovered by AOL developer Ran Bar-Zik, who reported the flaw to Google. However, Google said that it doesn't consider the issue to be a valid security vulnerability, indicating that there is no quick fix on the way. Bar-Zik said that he came across the bug at work, when handling a website that ran WebRTC code.