Malloc Privacy Weekly

Welcome to this week's edition of Malloc Privacy — your trusted source for understanding the events from the past week in the world of cybersecurity. The German antitrust authority has charged Apple with abusing its market power over its app tracking tool, known as App Tracking Transparency. The regulator claims that Apple gives itself preferential treatment by making it harder for competing apps to access user data for advertising, potentially impacting their revenue streams. Apple maintains that the feature prioritizes user privacy and plans to work with the German authority. If found in breach of antitrust rules, Apple could face hefty fines.

Chinese hackers from the group Salt Typhoon continue their cyber espionage activities targeting telecoms and universities globally. Despite being exposed and sanctioned, they have recently compromised Cisco routers by exploiting vulnerabilities, highlighting the group's persistence and the vulnerability of network devices. Their access to telecom infrastructure potentially enables them to intercept calls and texts, raising significant concerns about the security of communications.

To learn more about these developments and other news, read the articles below.

Apple fixes security flaw allowing third-party access to locked devices

Apple has addressed a significant security flaw in its mobile operating systems that allowed third-party access to locked devices, potentially used in a highly sophisticated attack on targeted individuals. The vulnerability enabled removal of restricted mode, which is crucial for protecting data access on devices that have been locked for over an hour. This flaw, affecting various iPhone and iPad models, was identified by The Citizen Lab, known for tracking spyware on devices belonging to journalists and activists. The Cybersecurity and Infrastructure Security Agency (CISA) has officially noted this vulnerability, highlighting its importance in the realm of digital security.

Source: The Record

German regulator charges Apple with abuse of power over app tracking tool

The German antitrust authority has charged Apple with abusing its market power through its controversial App Tracking Transparency (ATT) feature, a move resulting from a three-year investigation. The Federal Cartel Office stated that Apple's tracking tool creates barriers for competing app publishers by limiting their access to essential user data necessary for advertising, ultimately benefiting Apple's own interests. If Apple does not address these concerns, it could face daily fines and further legal action. The case, prompted by complaints from various industry stakeholders, marks a significant moment in clarifying that privacy claims cannot be used to justify anti-competitive practices. This situation highlights ongoing tension in the digital advertising ecosystem, where the balance between user privacy and competitive fairness is under scrutiny.

Source: Reuters

China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

The Chinese hacker group known as Salt Typhoon has continued its aggressive hacking campaign against telecommunication networks worldwide, despite heightened scrutiny and sanctions from the US government. Recent reports indicate that the group has breached multiple US telecoms and internet service providers, exploiting vulnerabilities in Cisco routers to gain unauthorized access. Using targeted strategies, they have successfully infiltrated networks, including those of universities globally, leaving significant concerns about national security and the potential for ongoing espionage. The cybersecurity firm Recorded Future highlights that, even after their activities were publicized, there has been no significant decrease in the volume or velocity of their attacks, underlining the persistent threat posed by this group and the vulnerabilities present in telecommunications infrastructure.

Source: Wired

Spyware maker caught distributing malicious Android apps for years

An Italian spyware company, SIO, has been linked to the distribution of malicious Android apps that mimic popular applications like WhatsApp, aimed at stealing private data from users. Security researchers discovered this spyware, named Spyrtacus, confirming its capabilities to capture various sensitive information, including text messages, contacts, and call recordings. This incident highlights the extensive reach of government-backed spyware companies and their ability to implement pedestrian hacking techniques. Investigations suggest that these malicious apps might have been used by Italian law enforcement, although it's unclear who the specific targets were. The situation underscores ongoing concerns about surveillance practices in modern cybersecurity landscapes.

Source: TechCrunch

Android's New Feature Blocks Fraudsters from Sideloading Apps During Calls

Google is introducing a new security feature for Android that aims to enhance protection against scammers during phone calls. This feature, currently in Android 16 Beta 2, blocks users from changing sensitive settings such as sideloading apps or granting accessibility access while on a call. Users attempting to perform these actions will receive a warning about potential scams. This initiative targets the telephone-oriented attack delivery (TOAD) method that cybercriminals use, which often creates a false sense of urgency through SMS and calls. Additionally, Google has expanded its measures to prevent sideloading of malicious apps and strengthen overall mobile security for users in various regions.

Source: The Hacker News

Google Confirms Android SafetyCore Enables AI-Powered On-Device Content Classification

Google has introduced SafetyCore, a new feature for Android 9+ devices that enhances on-device content classification without performing client-side scanning. This service, which utilizes machine learning, securely classifies specific content only when requested by apps, ensuring user privacy and control. While similar to features in Apple's iMessage, SafetyCore's goal is to combat spam, scams, and malware rather than detect illegal content, addressing privacy concerns associated with broader client-side scanning methods. The rollout requires devices to have at least 2GB of RAM and is compatible with Android Go, emphasizing Google’s commitment to protecting users while managing sensitive content effectively.

Source: The Hacker News

Play Store now warns you that the app you're looking at might be bad

The Google Play Store has introduced a new feature that provides app quality warnings to help users better understand the performance of apps before downloading them. A yellow alert box will appear on an app's page if it has issues such as frequent uninstalls, lower user engagement, or a small user base compared to similar apps. This aims to give potential users more contextual information, enhancing their decision-making process regarding app quality, beyond just the ratings and download numbers. While these warnings do not indicate that an app is inherently dangerous, they offer valuable insights into its overall usage trends.

Source: Android Authority

Report claims reCAPTCHA has caused 819 million hours of wasted human time, and billions in Google profits

A recent study reveals that reCAPTCHA, commonly used to distinguish between humans and bots, is largely ineffective, resulting in an astonishing 819 million hours of wasted time for users and generating billions in revenue for Google through cookie tracking. Despite its widespread use, the system can often be bypassed by sophisticated bots, rendering it almost obsolete for security purposes. The study suggests that the primary function of reCAPTCHA may actually be to serve as a tracking and data-gathering tool rather than a legitimate security measure, facilitating Google's profit from labeled data. Alternatives like invisible challenges are emerging, which utilize behavioral analysis to enhance security without hindering user experience, offering a more effective solution to curb DDoS attacks and other security threats.

Source: TechRadar

Not even emoji are safe from hackers - smiley faces can be hijacked to hide data

A security researcher has developed a method to hide invisible text within emoji using Unicode variation selectors, which can store data without altering the emoji's visible appearance. While this technique is not applicable for malicious uses like malware, it could potentially be used for watermarking or circumventing human moderation. The method allows for secret messages to be encoded and preserved through copy-pasting, raising concerns about possible abuse. Although AI tools can help detect these hidden messages, current models do not natively decode them, indicating a need for automated detection systems to mitigate potential misuse.

Source: TechRadar
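
The automated detection the item above calls for can be done by scanning text for runs of Unicode variation selectors. The following is an added example, not code from the researcher or from the article. It assumes a byte mapping of VS1-VS16 to 0-15 and VS17-VS256 to 16-255; the function names and sample strings are constructed for illustration.

```python
import re

# Variation selectors: VS1-VS16 (U+FE00-U+FE0F), VS17-VS256 (U+E0100-U+E01EF).
VS_RUN = re.compile("[\uFE00-\uFE0F\U000E0100-\U000E01EF]+")


def selector_to_byte(ch):
    """Assumed mapping: VS1-VS16 -> 0-15, VS17-VS256 -> 16-255."""
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    return cp - 0xE0100 + 16


def find_hidden_runs(text, min_run=2):
    """Return (index, base_char, payload_bytes) for each suspicious run.

    One selector after a character is normal (emoji presentation or an
    ideographic variation sequence), so only runs of min_run or more
    consecutive selectors are reported.
    """
    findings = []
    for m in VS_RUN.finditer(text):
        run = m.group()
        if len(run) < min_run:
            continue
        base = text[m.start() - 1] if m.start() > 0 else ""
        payload = bytes(selector_to_byte(c) for c in run)
        findings.append((m.start(), base, payload))
    return findings


def strip_hidden_runs(text, min_run=2):
    """Drop suspicious runs; keep single, legitimate selectors."""
    return VS_RUN.sub(
        lambda m: m.group() if len(m.group()) < min_run else "", text
    )


# Constructed samples: an emoji carrying two extra selectors, and an
# ordinary heart emoji with its single VS16.
SUSPECT = "Nice \U0001F600\U000E0158\U000E0159 day"
BENIGN = "I \u2764\uFE0F this"

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(repr(sample), find_hidden_runs(sample))
```

Running `strip_hidden_runs` on user-submitted text before storage or moderation removes the payload while leaving normal emoji rendering unchanged.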

Citizen Lab Report Uncovers Major Security Flaws in RedNote App

Citizen Lab has revealed critical security vulnerabilities in the RedNote app, a popular Chinese social media platform with over 300 million users. The app is found to transmit user data with insufficient encryption, exposing browsing activity, device metadata, and personal files to potential attackers. Key issues include unencrypted multimedia traffic, vulnerabilities in specific Android versions, and leakage of sensitive device metadata due to weak encryption methods linked to third-party SDKs. Despite efforts for responsible disclosure, there has been no response or fix from RedNote or the third-party companies involved. This raises significant concerns, especially for users outside China, as these vulnerabilities can lead to surveillance by ISPs and other malicious actors. Users are advised to utilize a trusted VPN to secure their data while using the app.

Source: Cyber Insider

Zero-Day Flaws Found in Qardio Heart Health iOS & Android Apps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert regarding multiple zero-day vulnerabilities in the Qardio Heart Health mobile applications for iOS and Android, as well as the QardioARM A100 blood pressure monitor. These flaws could potentially lead to unauthorized access to sensitive personal information, disruption of device functionality, and extraction of firmware files. The vulnerabilities include the exposure of private data, a denial of service risk through unencrypted Bluetooth connections, and unauthorized firmware access. CISA recommends mitigating risks by disabling Bluetooth when not in use and ensuring apps are from trusted sources, as Qardio has not yet responded to collaboration requests for addressing these issues. The vulnerabilities pose a significant risk, particularly in healthcare settings.

Source: Cyber Insider

Apps sold location data for US military and intelligence personnel serving overseas

A Florida-based data broker discovered last year sold location data of US military and intelligence personnel serving overseas, raising significant privacy concerns. The data was sourced from various mobile apps linked to a Lithuanian ad-tech company, illustrating how ordinary apps collect sensitive information, sometimes without clear justification. These agreements often allow for the resale of location data, despite vague terms that might enable third-party exploitation. Investigations revealed the broker, Datastream, sold precise data from devices likely belonging to military personnel, prompting Senator Ron Wyden to demand accountability. Experts note this incident highlights a broader issue of advertising companies functioning as surveillance entities, calling attention to the urgent need for regulations to protect sensitive personal data from being sold.

Source: 9to5Mac

Marinella Sguazzi

Clinical psychologist, transcultural psychotherapist

1 month

Very interesting for everyone. Thanks from Italy
