Weekly Cybersecurity News

We have the latest cybersecurity news for you from this week. LinkedIn has been fined €310 million ($335 million) by Ireland's Data Protection Commission (DPC) for violating the GDPR by using member data for advertising without obtaining valid consent. Android and iOS both face growing threats from malware and spyware. Researchers have identified new variants of an Android banking trojan that steals account credentials and mimics incoming calls from bank representatives; the updated variant abuses Android's Accessibility Service for greater control over the infected device and has been targeting users in South Korea. On iOS, a more capable variant of the LightSpy malware has surfaced. It infects out-of-date iOS devices by exploiting vulnerabilities that Apple patched years ago, and it includes destructive capabilities such as wiping the contact list and deleting system components.

To learn more about these developments and the rest of this week's news, read on below.


Android Trojan that intercepts voice calls to banks just got more stealthy

Researchers have identified new variants of FakeCall, an Android banking trojan that intercepts calls placed to bank customer support and reroutes them to attacker-controlled numbers in order to extract sensitive information. First documented in 2022, FakeCall not only steals account credentials but can also simulate incoming calls from bank representatives, which makes its social engineering far more convincing. Recent updates have made the malware stealthier through heavily obfuscated code, which complicates detection. Notable new components include a Bluetooth receiver and a screen-state receiver that monitor device activity, plus an Accessibility Service that gives the malware extensive control over the user interface and lets it grant itself permissions for malicious actions without user interaction. It predominantly targets customers of South Korean banks but has expanded its language support, so Android users everywhere should be cautious about installing apps from untrusted sources and about granting Accessibility Service access to apps that have no legitimate need for it.

Source: Ars Technica

LightSpy iOS Malware Upgraded To Include 28 Plugins With Destructive Capabilities

The LightSpy iOS malware has been significantly upgraded and now ships 28 distinct plugins, several of them with destructive capabilities aimed at system operations, such as disrupting the boot process. Analyzed by ThreatFabric, version 7.9.0 expands the infrastructure of its predecessor and exploits two vulnerabilities patched in 2020, CVE-2020-9802 and CVE-2020-3837, to gain code execution and elevated privileges on devices running iOS versions up to 13.3. The malware communicates with five active command-and-control (C2) servers over WebSocket connections, encrypts its traffic with AES in ECB mode, and stores received commands in a local SQL database. Because the exploit chain only works against old iOS builds, a device kept on a current iOS release is not exposed to it; the campaign therefore targets users in regions where updates are harder to obtain, notably China and Hong Kong. This update underlines that sophisticated malware remains a threat to iOS users despite Apple's security measures, above all on devices that are not kept up to date.

Source: Cyber Security News

LinkedIn hit with $335 million fine for using member data for ad targeting without consent

LinkedIn has been fined €310 million ($335 million) by Ireland's Data Protection Commission (DPC) for violating the GDPR by using member data for advertising without obtaining valid consent. The DPC found that LinkedIn's practices lacked transparency and that the consent it relied on was not adequately informed or unambiguous, which constitutes a serious violation of data protection rights. The fine is among the largest imposed under the GDPR, following earlier large penalties against other tech giants such as Meta and Amazon. LinkedIn maintains that it complied with data protection law but has committed to bring its ad practices into line with the DPC's decision, which concludes an extensive investigation opened after a complaint filed in 2018.

Source: The Record Media

Fitness app Strava betrays location of Biden, Trump, and other leaders

A recent investigation by the French newspaper Le Monde revealed that the fitness app Strava, used by US Secret Service agents and other security personnel protecting world leaders, has unintentionally exposed the movements of figures including Joe Biden, Donald Trump and Emmanuel Macron. The app, which some 120 million users rely on to track their workouts, made the locations and activities of security agents publicly visible, including during sensitive events. The leak does not depend on the protected person carrying a device at all: the agents' own public activities reveal where the team is staying. Notably, Strava data made it possible to identify the hotel where Biden was staying during sensitive discussions in San Francisco. The US Secret Service acknowledged that while staff are discouraged from using personal devices on duty, they may use social media off duty, which raises concerns about risks such as stalking and robbery that earlier studies of fitness-data exposure have already highlighted.

Source: Cyber News
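The following added example (not from the Le Monde or Cyber News articles, and not Strava's code) shows the kind of inference described above: given public activity records with start coordinates, a short script clusters the start points and flags spots where several distinct accounts began workouts within the same window, which is exactly what betrays a travelling protection team's hotel. All accounts, timestamps and coordinates are constructed sample data, and the greedy radius-based clustering is a simplification chosen for readability.

```python
"""Added example: how public fitness-activity start points leak a protected
person's location. All records below are constructed sample data, not real
agents or real activities."""
import math
from datetime import datetime, timedelta

# Constructed public activity records: (account, start_time, lat, lon).
# Three different accounts start morning runs from one spot on the same day
# (the "hotel"); the remaining records are unrelated noise elsewhere.
ACTIVITIES = [
    ("runner_a", "2023-11-15T06:02:00", 37.7851, -122.4065),
    ("runner_b", "2023-11-15T06:10:00", 37.7853, -122.4068),
    ("runner_c", "2023-11-15T06:31:00", 37.7849, -122.4062),
    ("runner_a", "2023-11-10T07:00:00", 38.8977, -77.0365),
    ("runner_b", "2023-11-11T07:15:00", 38.8979, -77.0368),
    ("runner_d", "2023-11-15T06:05:00", 37.8044, -122.2712),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def cluster_start_points(activities, radius_m=150):
    """Greedy clustering: a record joins the first cluster whose seed lies
    within radius_m of it, otherwise it seeds a new cluster. Good enough to
    collapse GPS jitter between runs that start from the same building."""
    clusters = []  # each: {"seed": (lat, lon), "records": [...]}
    for rec in activities:
        _account, _ts, lat, lon = rec
        for c in clusters:
            if haversine_m(lat, lon, *c["seed"]) <= radius_m:
                c["records"].append(rec)
                break
        else:
            clusters.append({"seed": (lat, lon), "records": [rec]})
    return clusters


def likely_team_locations(activities, window_hours=24, min_accounts=3, radius_m=150):
    """Return clusters in which at least min_accounts distinct accounts started
    an activity within window_hours of one another. One account running from
    the same place every day is just somebody's home; several different
    accounts starting from one spot in one window looks like a team on travel."""
    findings = []
    for c in cluster_start_points(activities, radius_m):
        recs = sorted(c["records"], key=lambda r: r[1])
        times = [datetime.fromisoformat(r[1]) for r in recs]
        for t0 in times:
            window_end = t0 + timedelta(hours=window_hours)
            inside = [r for r, t in zip(recs, times) if t0 <= t <= window_end]
            accounts = {r[0] for r in inside}
            if len(accounts) >= min_accounts:
                findings.append({
                    "seed": c["seed"],
                    "accounts": sorted(accounts),
                    "first_start": inside[0][1],
                })
                break
    return findings


if __name__ == "__main__":
    for f in likely_team_locations(ACTIVITIES):
        print(f"{len(f['accounts'])} accounts started near {f['seed']} "
              f"from {f['first_start']}: {', '.join(f['accounts'])}")
```

Run against the sample data, the script reports only the San Francisco cluster, because the two Washington records come from different days and the Oakland record is a single account. The same logic applied to real public feeds is why a privacy setting that hides the start and end of each activity, or makes the profile private, matters more for protective details than for an ordinary athlete.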

Bumble, Hinge, Instagram, and Facebook already know who you'd vote for

Research reveals that dating and social media apps are the most aggressive collectors of sensitive data about users' political and religious beliefs: 74 of the 100 prominent apps analyzed engage in such collection. This data collection, often justified as necessary for app functionality or analytics, carries significant risk, including data breaches and unauthorized access, as past incidents involving apps such as Bumble and Facebook have shown. Experts argue that users should be cautious about sharing such personal information, particularly since many Americans say they are concerned about data privacy. Recommendations for safeguarding personal data include declining to provide optional profile information and regularly reviewing app permissions and privacy settings.

Source: TechRadar

UK court says dissident can sue the Saudi government for targeting him with spyware

The UK High Court has permitted Yahya Assiri, a Saudi dissident, to sue the Saudi government for allegedly targeting him with zero-click spyware, a significant step towards accountability for human rights violations. Assiri, who lives in the U.K., claims he was attacked with Pegasus spyware between 2018 and 2020; the tool has been widely used against activists and journalists by repressive governments. The Saudi government argues that sovereign immunity shields it from such lawsuits, but Assiri believes the court's ruling could deter future abuses. He has expressed a willingness to drop the lawsuit in exchange for the release of other jailed activists and a genuine commitment to reform from the Saudi government. The case could raise tensions around spyware use and state accountability in the international arena. Human Rights Watch described the ruling as a critical step towards justice.

Source: The Record Media

Russian Malware Campaign Targets Ukrainian Recruits Via Telegram

A recent analysis by Google has uncovered a Russian malware campaign that targets Ukrainian military recruits through Telegram, attributed to a group Google tracks as UNC5812. First detected in September 2024, the campaign uses a Telegram persona called "Civil Defense" that claims to offer free software for tracking military recruiters. The campaign aims to install Windows and Android malware on recruits' devices in order to steal sensitive information. Notably, it runs alongside influence operations designed to undermine Ukrainian mobilization efforts, encouraging users to share negative experiences with recruitment centers. The findings underline the continued role of messaging apps as delivery channels for cyber operations in the ongoing conflict in Ukraine.

Source: Infosecurity Magazine

UK proposes new data protection regime, hopes for £10 billion economic boost

The U.K. government has introduced a new Data Use and Access Bill that aims to overhaul the country's data protection framework and, by the government's estimate, boost the economy by £10 billion over the next decade. Like earlier proposals, the legislation must navigate concerns about keeping U.K. data protection compatible with EU standards after Brexit, amid a debate over light-touch regulation versus compliance costs for businesses. Key provisions include reducing bureaucratic requirements for police data access, improving data sharing in the NHS, establishing digital identity services, and creating a National Underground Asset Register to prevent costly accidents during excavation. The bill also strengthens the powers of the Information Commissioner's Office to regulate data use. Labour's approach emphasizes collaboration with the EU and seeks to balance robust data protection with innovation in the tech sector, while addressing the need for better infrastructure and data quality in public services.

Source: The Record Media

Apple Rolls Out Major Security Update to Patch macOS and iOS Vulnerabilities

Apple has released a significant set of security updates addressing 90 vulnerabilities across macOS, iOS, iPadOS, watchOS, tvOS, and visionOS as of October 29, 2024. The patched issues include a flaw that could allow unauthorized access to contacts and location information through Apple's Find My service, vulnerabilities that could lead to denial of service (DoS), and a bypass of the macOS Login Window. On iOS and iPadOS, the updates also close an issue that could expose private data, including contact photos, even while the device is locked. The visionOS 2.1 update alone addresses more than 25 security flaws, several of them credited to independent security researchers. Apple emphasizes the importance of keeping software up to date to protect users.

Source: Infosecurity Magazine

Apple Invites Scrutiny of AI Service with Million-Dollar Bounties

Apple has announced a new initiative to strengthen the security and privacy of its Private Cloud Compute (PCC) system and is inviting security researchers to verify its integrity. Apple published a comprehensive PCC Security Guide, a Virtual Research Environment (VRE) that lets researchers analyze PCC software, and expanded the Apple Security Bounty with rewards of up to $1 million for reports of critical vulnerabilities. These efforts aim to bring transparency and outside scrutiny to Apple's cloud-based AI services. The release also includes source code for several key PCC components and is meant to let researchers check the system's non-targetability guarantee: that an attacker should not be able to steer a specific user's requests to a compromised node, while the system's other privacy protections hold.

Source: Cyber Insider

Maria Terzi

CEO & co-founder, Malloc (YC S21) | The only app you need to stay safe and private online

4 months

Strava does it again, iOS is not that safe, and malware targeting banks! What an interesting week!
