Google Play pulls sneaky data-collecting apps • The Register

In brief Google pulled a series of Android apps with more than 46 million downloads from its Google Play Store after security researchers told the ad giant that the apps contained sneaky data-collection code.

Apps included a speed camera radar, several Muslim prayer apps, a QR scanner, a WiFi mouse tool, a weather app and others.

A Panama-based company, Measurement Systems, developed the code, according to AppCensus co-founder Joel Reardon, whose mobile app testing company discovered the overly curious software, reported it to Google and published research on how it works.

According to the Wall Street Journal, which first reported the story, Measurement Systems has ties to a Virginia defense contractor that performs cyber-intelligence, network defense, and intelligence interception work for US national security agencies.

Google removed the apps from March 25, but said they could be reinstated if the risky code were removed to comply with the Google Play Store’s rules on collecting users’ data. Some of the apps did so and were back in the store by April 6.

“All apps on Google Play must comply with our policies, regardless of the developer. When we find that an app violates these policies, we take appropriate action,” a Google spokesman told The Register.

Infosec people spot open Fox News database

Fox News said it has secured an open database after security detectives at Security Discovery warned the news organization about the security incident waiting to happen.

Fox News, for its part, said the open database was in a development environment, not a live production environment, and that no customer records were revealed.

“We were contacted in October 2021 by Security Dynamic about what would properly be characterized as a general enterprise development environment that primarily contains an archive snapshot of public video metadata such as program descriptions and talent bios,” a spokesman said in an email to The Register.

“In addition, there was a list of corporate email addresses as well as URLs, other IDs and environments that were no longer in use at the time of discovery,” the statement continued. “This environment did not service any Fox News applications or systems. The database was secured within hours of receiving the Security Dynamic report in accordance with our responsible disclosure policies.”

Security Discovery co-founder Jeremiah Fowler, who worked with the research team at website building information firm Website Planet, discovered the non-password-protected database. They said the 58 GB dataset contained nearly 13 million records spanning inventory information, internal emails, usernames, employee ID numbers and associated station information.

“A directory contained 65,000 names of celebrities, cast members and production crew members and their internal FOX ID reference numbers,” the threat researchers wrote. “The records also captured a wide range of data points, including event logs, host names, host account numbers, IP addresses, interface, device data, and more.”

Despite Fox News’ assurances that this was a test environment, Fowler and friends noted that many records were labeled “prod,” which is typically an abbreviation for production records.

But even in a development environment, this data can pose a security risk, as these environments often use the same storage repositories, middleware, and infrastructure as live production environments, the threat researchers added.

In addition, the security researchers made it clear that they were not suggesting that any customer or user data was compromised, and they commended the Fox security team for acting “quickly and professionally” to close the exposed database. Still, “any non-password-protected database could potentially allow anyone to insert malicious code into the network,” they noted.

Autodesk fixes high-severity bugs

Autodesk has fixed several serious vulnerabilities that, if exploited, could allow attackers to run malicious code on vulnerable machines and steal sensitive information.

Security firm Fortinet’s threat research team discovered the bugs, which affect Autodesk’s DWG TrueView, Design Review, and Navisworks, and reported them to the software vendor. The team also published a write-up of all seven vulnerabilities.

Both companies encourage users to apply the patches ASAP.

The first five bugs, CVE-2022-27525, CVE-2021-40167, CVE-2022-27526, CVE-2022-27527 and CVE-2022-25797, are memory corruption vulnerabilities.

CVE-2022-27525 affects Autodesk Design Review. It is triggered by a malformed Design Web Format (DWF) file, “which causes an out-of-bounds memory write due to incorrect boundary control,” Fortinet explained.

If exploited, this vulnerability could allow cybercriminals to execute arbitrary malicious code via a specially crafted DWF file.

CVE-2021-40167 affects the same product and is also triggered by a malformed DWF file. It can allow an attacker to leak memory within the context of the application.

CVE-2022-27526, which could also be used to leak memory, affects the Autodesk Design Review product. A malformed Truevision (TGA) file triggers this bug. Specifically, the TGA file “causes an out-of-bounds memory access, due to incorrect boundary control when manipulating a pointer to an assigned buffer,” Fortinet said.

CVE-2022-27527 affects Autodesk Navisworks. It is triggered by a malformed PDF file and also leads to out-of-bounds memory access.

The fifth memory corruption bug, CVE-2022-25797, is triggered by a malformed DWG file, affects DWG TrueView, and can allow a criminal to execute arbitrary code using a maliciously crafted DWG file.

CVE-2022-27523, a buffer overflow vulnerability in Autodesk DWG TrueView, could allow a remote attacker to leak sensitive data using a maliciously crafted DWG file.

And finally, CVE-2022-27524 is an out-of-bounds read in DWG TrueView that could be exploited to leak sensitive data.
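Fortinet’s descriptions above come down to one defect: a parser trusting sizes declared in a file header without checking them against the bytes it actually holds. The C snippet below is an added illustration, not Autodesk’s or Fortinet’s code: it validates a Truevision TGA header (the format named for CVE-2022-27526) so the declared pixel data must lie inside the input before any pointer walks it; the 2x2 sample file and the `tga_demo` helper are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Truevision TGA header: 18 bytes, little-endian. Only the fields the boundary
   check needs are decoded: [0] image-ID length, [12..13] width,
   [14..15] height, [16] bits per pixel. */
#define TGA_HEADER_LEN 18
typedef struct {
    uint16_t width, height;
    uint8_t  bpp;
    size_t   pixel_off, pixel_len;  /* offset and byte count of declared pixel data */
} tga_info;

/* Returns 0 if the declared image lies entirely inside the input, -1 otherwise.
   A parser without the final check trusts width*height*bpp from the header and
   walks a pointer that far past a smaller buffer: the out-of-bounds class above. */
int tga_parse_checked(const uint8_t *buf, size_t len, tga_info *out)
{
    if (buf == NULL || out == NULL || len < TGA_HEADER_LEN)
        return -1;
    uint8_t  id_len = buf[0], bpp = buf[16];
    uint16_t width  = (uint16_t)(buf[12] | (buf[13] << 8));
    uint16_t height = (uint16_t)(buf[14] | (buf[15] << 8));
    if (width == 0 || height == 0 || (bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32))
        return -1;
    size_t bytes_pp = bpp / 8;
    /* Guard the multiplication so a 32-bit size_t cannot wrap to a small value. */
    if ((size_t)width > SIZE_MAX / height || (size_t)width * height > SIZE_MAX / bytes_pp)
        return -1;
    size_t pixel_len = (size_t)width * height * bytes_pp;
    size_t pixel_off = TGA_HEADER_LEN + id_len;  /* at most 273, cannot overflow */
    /* The boundary check itself: declared data must fit in what was actually read. */
    if (pixel_off > len || pixel_len > len - pixel_off)
        return -1;
    out->width = width;  out->height = height;  out->bpp = bpp;
    out->pixel_off = pixel_off;  out->pixel_len = pixel_len;
    return 0;
}

/* Constructed sample, not a real Autodesk file: 2x2, 24 bpp, type 2, 12 pixel bytes. */
static const uint8_t sample_tga[30] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 2, 0, 24, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };

/* Parses the sample as if only its first `len` bytes had been read (truncated file). */
int tga_demo(size_t len)
{
    tga_info info;
    return len <= sizeof sample_tga ? tga_parse_checked(sample_tga, len, &info) : -1;
}
```

A complete sample parses (returns 0); the same header with its pixel data cut short, or shorter than one header, is rejected before any out-of-bounds access can occur.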

CISA, D-Link urge retirement of end-of-life routers

CISA has advised anyone using certain older D-Link routers to take them offline before crooks find and exploit a critical remote code execution vulnerability.

On Monday, CISA added the RCE bug, tracked as CVE-2021-45382, to its catalog of Known Exploited Vulnerabilities. It is present in all hardware revisions of the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L routers, via the Dynamic Domain Name System (DDNS) function in the ncc2 binary.

The ncc2 service enables some firmware and language file upgrades through the web interface. But as Malwarebytes Labs researcher Pieter Arntz explained, “it appears that the ncc2 service on the affected devices has been provided with a number of available diagnostic hooks.”

If exploited, the flaw allows an attacker to call these hooks without authorization. “These files appear to be reproduced when queried and can be used to both query the given device for information, as well as enable on-demand diagnostic services,” he added.

The bug has a CVSS score of 9.8, meaning it is crucial that users address it right away. However, because the affected routers are end-of-life, D-Link is not issuing patches for the vulnerable devices.

Both CISA and D-Link suggest you retire these models ASAP, before a cybercriminal finds and exploits them.

And if you’re still not convinced, there’s a proof-of-concept on GitHub that makes it easy for miscreants to remotely take over the vulnerable devices and execute malicious code.

Cybercriminals still exploit Spring4Shell

Miscreants continue to exploit the remote code execution vulnerability in the Java Spring framework a week after security researchers disclosed the nasty bug.

A week after the initial outbreak, Check Point Research said it had seen about 37,000 attempts to exploit the vulnerability, dubbed “Spring4Shell”.

While organizations across the globe have been hit by the bug, Europe was hardest hit, according to the security firm.

In the first four days after discovery, 16 percent of organizations worldwide experienced exploitation attempts. But in Europe, that figure jumped to 20 percent. Australia and New Zealand are in second place with 17 percent, followed by Africa (16 percent), Asia (15 percent), Latin America (13 percent) and North America (11 percent).

Perhaps not surprisingly, the software vendor industry felt the most pain from Spring4Shell. According to Check Point, 28 percent of companies in this sector were affected by the vulnerability. Education and research organizations were second most affected, at 26 percent. And insurance/legal, ISPs/MSPs and financial/banking institutions came in third with 25 percent.

Although it noted that its own CloudGuard AppSec customers were not vulnerable, “If your organization uses Java Spring and does not use CloudGuard AppSec, review your software immediately and update to the latest versions by following the official Spring Project Guide,” the security firm advised. ®
