Weekly Cybersecurity News

This week we bring you the latest cybersecurity news. A new strain of Android banking malware known as ToxicPanda allows cybercriminals to commit on-device fraud (ODF) and execute fraudulent banking transactions. The trojan has been targeting users in Europe and Latin America and is predominant in Italy and Portugal. Our security and privacy app Malloc detects malware such as ToxicPanda abusing accessibility services and warns users.

Authorities are increasingly scrutinizing Meta and Facebook over targeted-advertising practices and policies that are detrimental to user privacy. South Korea's privacy watchdog has imposed a $15 million fine on Meta for illegally collecting sensitive personal information from nearly 980,000 Facebook users without their consent. Similarly, the Consumer Financial Protection Bureau (CFPB) is investigating Meta for allegedly acquiring and using consumers' financial data from third parties for its targeted advertising.

To learn more about these developments and other news, read the articles below.


New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

A new strain of Android banking malware known as ToxicPanda has compromised over 1,500 devices, enabling criminals to execute fraudulent banking transactions. The malware focuses on using account takeover (ATO) techniques, specifically on-device fraud (ODF), to bypass security measures like two-factor authentication (2FA). Researchers have linked ToxicPanda to a Chinese-speaking threat actor and noted that its functionality resembles that of a previous malware named TgToxic. It disguises itself as popular applications and utilizes Android's accessibility services to gain extensive permissions, allowing it to manipulate user inputs, intercept one-time passwords (OTPs), and remotely control infected devices. The discovery follows reports of other Android malware exploiting similar vulnerabilities, indicating a rising trend of sophisticated attacks targeting users across multiple regions, predominantly in Italy and Portugal.

Source: The Hacker News

Fake Avast Antivirus Sites Are Spreading SpyNote Android Malware

A recent report reveals that fake Avast Antivirus sites are distributing a new variant of SpyNote malware, disguised as "Avastavv.apk," to trick Android users. This malware mimics the Avast brand, leading victims to inadvertently grant it extensive permissions that allow for comprehensive data theft, including access to cameras, microphones, and private messages on apps like WhatsApp and Instagram. The malware utilizes phishing domains that closely resemble the legitimate Avast website and employs advanced techniques to avoid detection, making it particularly effective against cryptocurrency wallets and other sensitive data. Users are urged to download apps solely from Google Play and regularly check installed applications and permissions for any suspicious activity to protect against such threats.

Source: Cyber Insider

Google fixes two Android zero-days used in targeted attacks

Google addressed two high-severity Android zero-day vulnerabilities (CVE-2024-43047 and CVE-2024-43093) in its November security update, as part of a broader fix for 51 vulnerabilities overall. The flaws were actively exploited in targeted attacks, with CVE-2024-43047 associated with a use-after-free flaw in Qualcomm components affecting the Android kernel, and CVE-2024-43093 related to elevation of privilege issues in the Android Framework. The vulnerabilities affect Android versions 12 to 15, with critical security updates also applied to vulnerabilities in Qualcomm's proprietary components. Users are advised to update their devices via Settings to mitigate risks associated with these vulnerabilities.

Source: Bleeping Computer

Default iOS Settings Make Locked iPhones Vulnerable to Attacks

The default settings on locked iPhones can make them vulnerable to privacy and security threats, specifically due to accessible features like Siri, message previews, and contact details. Security researcher Lambros of Pen Test Partners highlights that, when left unchanged, these settings allow unauthorized users to exploit the device for malicious purposes, such as sending misleading messages to contacts. To enhance security, users are advised to disable Siri on the lock screen, limit message preview visibility, and utilize Apple's “Find My” feature for device tracking and data protection. By making these adjustments, users can significantly reduce the risks associated with their devices being lost or stolen.

Source: Cyber Insider

South Korea Fines Meta $15 Million for Illegally Collecting Information on Facebook Users

South Korea's privacy watchdog has imposed a $15 million fine on Meta for illegally collecting sensitive personal information from nearly 980,000 Facebook users without their consent. This penalty stems from a four-year investigation that revealed Meta analyzed users' likes and clicks to gather sensitive data related to political views, religion, and other preferences, sharing this information with about 4,000 advertisers. The commission criticized Meta for insufficient privacy safeguards, which allowed hackers to exploit inactive user pages, resulting in data breaches. This is part of a broader trend of increased scrutiny and penalties against Meta by South Korean authorities, including previous fines for similar privacy violations involving user consent and targeted advertising practices.

Source: Security Week

Federal agency investigating how Meta uses consumer financial data for advertising

The Consumer Financial Protection Bureau (CFPB) is investigating Meta for allegedly acquiring and using consumers' financial data from third parties for its targeted advertising, which may be a violation of the Consumer Financial Protection Act. This inquiry comes amid rising regulatory scrutiny over Meta’s privacy practices and its methods of targeting advertisements for financial products and services. While Meta has reported significant revenue growth in its advertising business, it claims that the CFPB's allegations are unfounded and that the potential for legal action could lead to financial penalties. This case adds to a series of privacy-related challenges Meta has faced, including a large settlement with the FTC and a fine from the European Union.

Source: The Record

Canada orders TikTok to shut down its business operations in the country due to 'national security risks'

Canada has ordered TikTok to cease operations in the country, citing national security risks associated with the app and its parent company, ByteDance. Although the app itself is not banned, the order requires TikTok to wind up all business activities, following a thorough review by Canadian intelligence agencies. This decision aligns with previous actions, such as the ban on TikTok from government devices, and mirrors concerns raised by the United States regarding the app's ties to China. In response, TikTok plans to challenge the order in court, arguing that the shutdown will lead to the loss of hundreds of local jobs and asserting that it remains committed to supporting its Canadian user base.

Source: engadget

Hundreds of code libraries posted to NPM try to install malware on dev machines

An ongoing security threat has seen hundreds of malicious packages uploaded to the Node Package Manager (NPM) repository, targeting developers by masquerading as legitimate libraries related to Puppeteer and Bignum.js, among others. Researchers highlighted that these packages utilize typosquatting, mimicking legitimate package names to trick users into installing malware. The malicious code accesses an Ethereum smart contract to conceal its true origin, making it difficult to trace the IP addresses of the servers it contacts for further payloads. This campaign serves as a stark reminder of the ongoing risks of supply chain attacks, urging developers to meticulously verify package names before installation.

Source: arsTechnica

Flaw in Right-Wing ‘Election Integrity’ App Exposes Voter-Suppression Plan and User Data

A security flaw in the right-wing nonprofit True the Vote's VoteAlert app exposed sensitive user information and revealed a California election worker's involvement in an illegal voter-suppression scheme, prompting an investigation into her actions. The vulnerability, which has since been patched, allowed anyone inspecting the app's source code to access the email addresses of users who reported or commented on claims of voter fraud. True the Vote, known for promoting unsubstantiated allegations of widespread voter fraud, failed to adequately respond to inquiries about the data breach. The exposed scheme included demands for IDs based on perceived citizenship, despite California's laws not requiring ID for most voters. This incident underscores the ongoing tensions surrounding voter integrity claims and the use of technology in election-related activities.

Source: Wired

The rise of the Surveillance Databases

Surveillance databases are increasingly being developed by governments and international organizations, utilizing personal and biometric data from millions of people for purposes such as counter-terrorism and migration control. This trend raises significant concerns, including mass data harvesting, regulatory voids, and the lack of independent oversight and human rights impact assessments. Private companies play a key role in creating these databases through public-private partnerships that often lack transparency and necessary safeguards, leading to potential human rights abuses. Additionally, organizations like the EU and UN face criticism for supporting these systems without adhering to their own human rights standards. Advocacy groups are working to expose these practices, challenge the unregulated development of surveillance systems, and push for legal and policy safeguards to protect human rights.

Source: Privacy International


