Weekly Cybersecurity News
Malloc (YC S21)
Malloc is an AI-driven cybersecurity startup focused on mobile and app security.
This week we bring you the latest cybersecurity news. A new Android spyware campaign, dubbed "FireScam," is spreading via a fake Telegram Premium app on a phony version of the RuStore app store. This malicious app steals sensitive data such as notifications and messages, sending it to the attackers' Firebase Realtime Database. The campaign highlights the growing trend of cybercriminals disguising malware as legitimate apps to deceive users.
Apple will pay $95 million to settle a class-action lawsuit alleging that its Siri voice assistant violated users' privacy. The lawsuit claimed that Siri routinely recorded private conversations and disclosed them to third parties, such as advertisers. These recordings were allegedly triggered unintentionally, when Siri activated as though users had said a wake phrase like "Hey, Siri". The settlement covers millions of users and includes a payout for each Siri-enabled device.
To learn more about these developments and other news, read the article below.
FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'
A new Android spyware threat named FireScam poses a significant global risk by using a fraudulent Telegram Premium app to deliver information-stealing malware. Researchers indicate that this campaign reflects a growing trend whereby malicious actors disguise malware as legitimate applications to evade detection, exploiting platforms like Firebase for data collection. Initiated through a phishing site, FireScam can monitor and collect sensitive data from victims, including messages and notifications. Experts stress that as mobile malware becomes more sophisticated, implementing real-time scanning and continuous monitoring is crucial for defending against such threats, particularly in recognizing suspicious app behaviors before data is compromised.
Source: Dark Reading
Apple to pay $95 million to settle Siri privacy lawsuit
Apple has agreed to pay $95 million to settle a proposed class action lawsuit alleging that its Siri voice assistant violated user privacy by recording private conversations without authorization. The plaintiffs claimed that Siri unintentionally activated and recorded conversations, including mentions of specific products and services, which then led to targeted advertisements. This settlement covers a class period from September 17, 2014, to December 31, 2024, and affects potentially tens of millions of class members who could receive up to $20 per Siri-enabled device. Although Apple denies any wrongdoing, it has agreed to this settlement, which reflects about nine hours of its profit, to resolve the claims. A similar lawsuit involving Google's Voice Assistant is also proceeding in the same district, represented by the same law firms.
Source: Reuters
Google warns of legit VPN apps being used to infect devices with malware
Recent findings from Google's Managed Defense team reveal that attackers are using popular VPN applications to deliver malware, specifically a backdoor known as Playfulghost. The campaign employs SEO poisoning techniques to manipulate search engine results so that malicious applications appear legitimate. Victims are often targeted through phishing attacks, where they are tricked into downloading infected files or using compromised VPN software. Once installed, Playfulghost grants attackers extensive control over infected devices, enabling activities like keylogging, screenshot capture, and file management. This incident serves as a crucial reminder to exercise caution when downloading software and to prioritize reputable sources for applications.
Source: TechRadar
Android malware found on Amazon Appstore disguised as health app
A malicious Android spyware app named 'BMI CalculationVsn' was discovered on the Amazon Appstore, disguised as a health tool while stealing data from infected devices. The app was removed from the store after being reported, but users who downloaded it must manually remove it and perform a full scan. The spyware conducts several harmful actions, including starting a screen recording service and intercepting SMS messages, particularly one-time passwords. The incident emphasizes the risk of dangerous apps slipping through reviews in legitimate stores, and users are urged to install applications only from well-known publishers and to scrutinize requested permissions.
Source: Bleeping Computer
iPhones Share Photo Data With Apple by Default
A new feature in iOS 18, “Enhanced Visual Search,” allows iPhones to share photo data with Apple by default, raising serious privacy concerns. This function, designed to help users identify landmarks and natural elements in their photos, operates by sending image metadata to Apple's servers without user consent, potentially risking sensitive information. Developer Jeff Johnson criticized this change, noting it contradicts Apple's previous commitment to user privacy, encapsulated in their slogan, “What happens on your iPhone, stays on your iPhone.” Johnson questioned the integrity of Apple's data handling practices, especially given the risks of software vulnerabilities. Users can adjust this setting in their device's settings, but the situation underscores the need for greater transparency from Apple regarding its data-sharing policies.
Source: gbhackers
Is 10,000 steps a day worth your personal data? How 80% of fitness apps are selling your privacy
Recent research shows that 12 out of 15 popular fitness apps actively share user data with third parties, effectively compromising privacy for users. Notably, 80% of these apps transmit data such as device locations, emails, and user IDs to external entities. Among the most data-hungry apps, Strava and Fitbit collect 21 unique types of data, while the most privacy-conscious app, Centr, gathers only three types. Additionally, some apps are found to collect sensitive information, including racial background and health-related data. Free apps are the worst offenders in terms of data sharing, as they rely on selling user information for revenue, making it crucial for users to evaluate privacy practices and consider paid subscriptions when possible.
Source: TechRadar
Apple fined in Brazil for letting controversial ‘FaceApp’ improperly collect user data
Apple and Google have been fined R$19 million (approximately US$3.1 million) in Brazil for allowing the controversial app FaceApp to collect user data improperly. A judge ruled that both companies violated the Brazilian Civil Rights Framework for the Internet by not preventing the app from collecting sensitive data without user consent and by failing to provide necessary privacy policy translations. In addition to the fines, the companies must pay R$500 (US$82) in compensation to each Brazilian user of FaceApp since June 2020. Both Apple and Google argue that they do not control the app's terms of use and privacy policies, yet the judge emphasized their active role in enabling FaceApp's operations; the ruling may still be appealed.
Source: 9to5Mac
Experts predict malware may impact 39% of free Android VPNs by 2025
Experts predict a significant rise in VPN scams throughout 2025, with 39% of free Android VPNs potentially being compromised by malware, and 80% of free VPNs expected to embed tracking features. Nearly 60% may sell user data to third parties for monetization, putting users of free services, which account for nearly half of the VPN user base in the US, at major risk. With security vulnerabilities rampant, such as IP address leaks affecting 84.5% of free VPNs, users are advised to choose reputable paid VPN services or secure freemium options that maintain privacy and safety. The proliferation of misleading VPN ads and fake reviews is further complicating user choice, leading to increased exposure to unreliable and malicious applications.
Source: TechRadar
Android 15 sideloading restrictions are a raw deal for users
Android 15 introduces significant new sideloading restrictions aimed at enhancing user security but may compromise the platform's historically open nature. These changes require users to manually approve sensitive app permissions, which complicates the process for power users, modders, and developers who rely on the flexibility of sideloading for app customization and beta testing. While Google’s intent to protect users from malware and scams is understandable, the increase in security measures risks alienating the community that has contributed to Android's popularity. The new system, alongside the Play Store Integrity API, could severely impact modding capabilities and the use of older or unsupported devices, raising concerns about the future openness of the Android ecosystem as it begins to mirror the restrictions of competing platforms like iOS.
Source: Android Police
Telegram reports spike in sharing user data with law enforcement
Telegram has reported a significant increase in the number of data requests it has fulfilled for law enforcement agencies over the past year, notably following the arrest of CEO Pavel Durov in August 2024. In a marked shift from previous years, Telegram provided user data to U.S. authorities on 900 occasions, impacting 2,253 users, compared to just 14 requests affecting 108 users in most of 2024. Additionally, the app handed over data to Indian authorities on 14,641 occasions, affecting 23,535 users, and to UK authorities 142 times, impacting 293 users. This rise in compliance appears to coincide with a changed approach in handling abuse reports, diverging from its earlier strict policies on user data privacy.
Source: Tech Crunch
Pegasus Spyware Maker NSO Liable for 1,400 WhatsApp User Hacks
In a landmark ruling, the U.S. District Court for the Northern District of California has held NSO Group liable for hacking 1,400 WhatsApp users with its Pegasus spyware, marking a significant legal precedent for accountability in the spyware industry. The court found that NSO violated the federal Computer Fraud and Abuse Act and California's Comprehensive Computer Data Access and Fraud Act, intentionally exploited WhatsApp's infrastructure to deliver malicious code, and breached the platform's terms of service. NSO's failure to comply with court-ordered discovery, including withholding key evidence and the full source code of Pegasus, resulted in sanctions against the company. This case underscores the risks posed by spyware and reinforces the notion that illegal activities targeting innocent users will not be tolerated, as articulated by Meta following the ruling. A trial to assess damages is forthcoming.
Source: Cyber Insider