Security researchers have uncovered 89 malicious Google Chrome extensions on the official Chrome Web Store that inject ads and cryptocurrency-mining code into pages and load a session-replay library that records and replays a person's browsing activity. The extensions affected over 423,000 users and were used to form a new botnet dubbed "Droidclub."
In November 2017, Princeton's Center for Information Technology Policy highlighted the use of legitimate session-replay scripts on popular, high-traffic websites by third-party analytics firms. These scripts record and replay a user's visit to a website, so that the site owner can see exactly what the user saw and typed.
Sensitive information about the location and staffing of military bases and spy outposts around the world has been revealed by a fitness tracking company.
The details were released by Strava in a data visualisation map that shows all the activity tracked by users of its app, which lets people record their exercise and share it with others. The map, released in November 2017, shows every activity ever uploaded to Strava, more than 3 trillion individual GPS data points according to the company. The app can be used on smartphones and on fitness trackers such as Fitbit, and the map makes it easy to see popular running routes in major cities. In sparsely populated areas, though, the same aggregation highlights the handful of people who exercise there, which is how the regular jogging routes inside and around remote military bases became visible.
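Why an aggregate map can still expose a small group, as an added example (constructed GPS tracks, not Strava's data or code): the heatmap below counts points per grid cell, and a remote compound used by only two people becomes the hottest cell on the map. Publishing a cell only when it is backed by a minimum number of distinct users (a threshold of five is assumed here for illustration) suppresses it while leaving the busy city park untouched.

```python
"""Added example: aggregation is not anonymisation.

Constructed GPS data, not Strava's data or code.  A grid-cell heatmap is built
from (user_id, track) pairs; a cell backed by many points from very few users
stands out even though no user is named.  A minimum-distinct-user threshold
before publication is one mitigation.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Point = Tuple[float, float]   # (lat, lon) in degrees
Cell = Tuple[int, int]        # grid cell index


def cell_of(lat: float, lon: float, cell_deg: float) -> Cell:
    """Snap a coordinate to a square grid cell of side cell_deg degrees."""
    return (int(lat // cell_deg), int(lon // cell_deg))


def build_heatmap(tracks: Iterable[Tuple[str, List[Point]]], cell_deg: float):
    """Aggregate tracks into {cell: (point_count, set_of_user_ids)}."""
    counts: Dict[Cell, int] = defaultdict(int)
    users: Dict[Cell, Set[str]] = defaultdict(set)
    for user_id, points in tracks:
        for lat, lon in points:
            c = cell_of(lat, lon, cell_deg)
            counts[c] += 1
            users[c].add(user_id)
    return {c: (counts[c], users[c]) for c in counts}


def publishable_cells(heatmap, min_users: int) -> Dict[Cell, int]:
    """Keep only cells backed by at least min_users distinct users.

    Returns {cell: point_count} for the cells that may be published.
    """
    return {c: n for c, (n, u) in heatmap.items() if len(u) >= min_users}


def synthetic_track(user_id: str, lat: float, lon: float, laps: int,
                    step: float = 0.0005) -> Tuple[str, List[Point]]:
    """Constructed out-and-back run starting at (lat, lon), repeated `laps` times."""
    pts: List[Point] = []
    for _ in range(laps):
        pts.extend((lat + i * step, lon) for i in range(20))
        pts.extend((lat + i * step, lon) for i in range(20, 0, -1))
    return (user_id, pts)


# Constructed sample: a busy park with 25 casual users and a remote compound
# with two people who run the same loop every day.  Both locations are made up.
CITY_LAT, CITY_LON = 48.8600, 2.3500
BASE_LAT, BASE_LON = 31.2000, 64.5000
TRACKS = [synthetic_track(f"city{i}", CITY_LAT, CITY_LON, laps=2) for i in range(25)]
TRACKS += [synthetic_track("base_a", BASE_LAT, BASE_LON, laps=30),
           synthetic_track("base_b", BASE_LAT, BASE_LON, laps=30)]

CELL_DEG = 0.01   # roughly 1 km cells
MIN_USERS = 5     # assumed publication threshold

# Reference points in the middle of each loop, away from cell boundaries.
CITY_CELL = cell_of(CITY_LAT + 0.005, CITY_LON, CELL_DEG)
BASE_CELL = cell_of(BASE_LAT + 0.005, BASE_LON, CELL_DEG)


def hottest_cell(min_users: int) -> Optional[Cell]:
    """Cell with the most points among those publishable at this threshold."""
    cells = publishable_cells(build_heatmap(TRACKS, CELL_DEG), min_users)
    if not cells:
        return None
    return max(cells.items(), key=lambda kv: kv[1])[0]


def remote_cell_exposed(min_users: int) -> bool:
    """True if the compound's cell survives publication at this threshold."""
    cells = publishable_cells(build_heatmap(TRACKS, CELL_DEG), min_users)
    return BASE_CELL in cells


if __name__ == "__main__":
    print("raw map, hottest cell:", hottest_cell(0), "exposed:", remote_cell_exposed(0))
    print("thresholded, hottest cell:", hottest_cell(MIN_USERS),
          "exposed:", remote_cell_exposed(MIN_USERS))
```

The threshold is on distinct users, not on point count: the compound's cell has more points than any city cell, so a point-count cutoff would have kept it. Thresholding is a mitigation, not a cure, since a determined user can still clear it by uploading from several accounts.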
Similar to Uber’s “God View” scandal, Lyft staffers have been abusing customer insight software to view the personal contact info and ride history of the startup’s passengers.
One source who formerly worked with Lyft says that widespread access to the company's backend let staffers "see pretty much everything including feedback, and yes, pick up and drop off coordinates." When asked if staffers, ranging from core team members to customer service reps, abused this privilege, the source said "Hell yes. I definitely looked at my friends' rider history and looked at what drivers said about them. I never got in trouble."
A state law enforcement officer, apparently without the knowledge of his own agency, purchased malware that can intercept social media messages, emails, and much more.
Although it’s unclear why the investigator bought the malware, which requires physical access to a smartphone to install, this is the first known case of a US state law enforcement officer purchasing such a tool. In a similar way to how surveillance technology such as Stingrays has trickled down to local agencies, the news highlights how spying software is not limited to federal agencies such as the FBI or DEA, but has spread, in some form, to more regional forces.
In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, so that the stranger two tables away at the coffee shop can't pull your secrets off the local Wi-Fi. That goes double for apps as personal as online dating services.
But if you assumed that basic privacy protection was in place for the world's most popular dating app, you'd be mistaken: as application security firm Checkmarx found, Tinder's mobile apps still fetch profile photos over plain HTTP, so anyone on the same Wi-Fi can read them, and the encrypted traffic that remains leaks swipes and matches through packet sizes alone.
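What "encrypted but still leaking" looks like in practice, as an added example (constructed packet sizes, not Checkmarx's measurements or Tinder's code): a sniffer that sees only ciphertext lengths can still label each action if every action produces a request of a distinctive size. Padding every request up to a fixed block size (1 KiB is assumed here) collapses the sizes into one class and closes the channel.

```python
"""Added example: a packet-size side channel on encrypted app traffic.

The byte lengths below are constructed for illustration only; they are not the
values any real app emits.  The point is the technique: TLS hides content, not
length, so distinct request sizes per action are a classifier for free.
"""
from typing import Dict, List

# Constructed: length in bytes of the (encrypted) request each action sends.
ACTION_SIZES: Dict[str, int] = {
    "swipe_left": 278,
    "swipe_right": 374,
    "match": 581,
}


def observed_lengths(actions: List[str], sizes: Dict[str, int] = ACTION_SIZES) -> List[int]:
    """What a passive observer on the Wi-Fi gets: lengths only, no plaintext."""
    return [sizes[a] for a in actions]


def classify(lengths: List[int], sizes: Dict[str, int] = ACTION_SIZES) -> List[str]:
    """Map sniffed lengths back to actions; ambiguous lengths become 'unknown'."""
    by_len: Dict[int, List[str]] = {}
    for action, n in sizes.items():
        by_len.setdefault(n, []).append(action)
    out = []
    for n in lengths:
        candidates = by_len.get(n, [])
        out.append(candidates[0] if len(candidates) == 1 else "unknown")
    return out


def pad_to_block(n: int, block: int = 1024) -> int:
    """Length after padding a payload of n bytes up to a multiple of `block`."""
    return ((n + block - 1) // block) * block


def padded_sizes(sizes: Dict[str, int] = ACTION_SIZES, block: int = 1024) -> Dict[str, int]:
    """The same actions after the client pads every request to the block size."""
    return {action: pad_to_block(n, block) for action, n in sizes.items()}


def distinguishable(sizes: Dict[str, int]) -> bool:
    """True if length alone separates every action from every other."""
    return len(set(sizes.values())) == len(sizes)


if __name__ == "__main__":
    session = ["swipe_right", "swipe_left", "swipe_right", "match"]
    seen = observed_lengths(session)
    print("unpadded:", seen, "->", classify(seen))
    padded = padded_sizes()
    print("padded:", observed_lengths(session, padded), "->",
          classify(observed_lengths(session, padded), padded))
```

Padding to a fixed size removes the per-request signal but not timing or message counts; an observer who knows a match is always followed by a notification fetch can still learn something. Padding needs to be applied at the application layer, since TLS record padding is rarely enabled by default.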
Sega has said it is looking into claims that a trio of its Sonic games for Android are leaking personal data.
Security company Pradeo said late last week that it had discovered that the Android games, Sonic Dash, Sonic the Hedgehog Classic, and Sonic Dash 2: Sonic Boom, were leaking user location and device information. Based on the download ranges listed on the Play Store, the leaks could affect between 120 million and 600 million users. Alongside the tracking and advertising issues, the firm reported two flaws that could enable man-in-the-middle attacks, and several others that could weaken encryption or allow denial of service.
Researchers have identified a powerful new Android malware strain called Skygofree that can eavesdrop on WhatsApp messages, siphon private data off phones, and open a reverse shell on targeted devices, giving attackers full remote control.
Researchers said the malware was developed three years ago and has evolved significantly since then to include 48 unique commands in its most recent iteration. Several of those features have never been seen before in Android malware, according to researchers at Kaspersky Lab, who discovered the Skygofree strain last year and disclosed their findings on Tuesday.
There’s more trouble ahead for Huawei, which just saw AT&T pull out of a deal to carry its first carrier-sold smartphone in the US, and for fellow Chinese tech firm ZTE.
Both are well known for their growing smartphone businesses worldwide, but it is their more established telecom networking and equipment units that are again under fire in Washington. A new bill introduced in Congress would bar branches of the U.S. government from working with service providers that use any equipment from either company, citing security concerns. The bill is sponsored by Texas Republican Michael Conaway, who is leading the House investigation into Russia’s alleged election interference.
In 2013, Edward Snowden revealed that the National Security Agency was legally collecting millions of Americans’ phone calls and electronic communications—including emails, Facebook messages, and browsing histories—without a warrant.
Congress has now decided not only to reauthorize these programs, but also to expand some of their most invasive techniques. The spying initiatives Snowden brought to light are authorized under Section 702 of the 2008 FISA Amendments Act, which was set to expire later this month. On Thursday, Congress voted down an effort to reform Section 702, and instead passed a bill that expanded warrantless surveillance.
Early last year, a piece of Mac malware came to light that left researchers puzzled. They knew that malware dubbed Fruitfly captured screenshots and webcam images, and they knew it had been installed on hundreds of computers in the US and elsewhere, possibly for more than a decade.
Still, the researchers didn't know who did it or why. An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.