Google Play pulls sneaky data-harvesting apps with 46m+ downloads

Plus: Fox News learns to use database passwords, Autodesk patches high-severity bugs, and CISA says retire old D-Link routers


In brief Google pulled a slew of Android apps with more than 46 million combined downloads from its Play Store after security researchers notified the web giant that the apps contained sneaky data-harvesting code.

The apps included a speed-camera radar, several Muslim prayer apps, a QR scanner, a Wi-Fi mouse tool, a weather app, and others.

A Panama-based company, Measurement Systems, developed the code, according to AppCensus co-founder Joel Reardon, whose mobile app testing firm discovered the overly nosy software, reported it to Google, and published research on how it works.

According to the Wall Street Journal, which first reported the story, Measurement Systems has ties to a Virginia defense contractor that does cyber-intelligence, network-defense and intelligence-intercept work for US national security agencies. 

Google removed the apps as of March 25, but said they could be re-listed if their developers stripped out the dodgy code to comply with the Play Store's rules on collecting users' data. Some of the apps did so, and were back in the store as of April 6.

"All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action," a Google spokesperson told The Register.  

Infosec folk spot open Fox News database

Fox News said it has secured an open database after bug hunters at Security Discovery alerted the news organization to the security incident waiting to happen.

For its part, Fox News said the open database was in a development environment, not a live, production environment, and that no customer records were exposed.

"We were contacted in October of 2021 by Security Dynamic about what would correctly be characterized as a general company development environment primarily containing an archival snapshot of public video metadata such as program descriptions and talent bios," a spokesperson said in an email to The Register.

"Additionally, there was a list of business email addresses as well as URLs, other ID's and environments that were no longer in use at the time of discovery," the statement continued. "This environment did not service any Fox News applications or systems. The database was secured within hours following the receipt of the report from Security Dynamic in accordance with our responsible disclosure policy."

Security Discovery co-founder Jeremiah Fowler, working with the research team at Website Planet, discovered the database, which had no password protection. They said the 58GB dataset contained almost 13 million records spanning storage information, internal emails, usernames, employee ID numbers, and affiliate station information.

"One folder contained 65k names of celebrities, cast and production crew members and their internal FOX ID reference numbers," the threat researchers wrote. "The records also captured a wide range of data points including event logging, host names, host account numbers, IP addresses, interface, device data, and much more."

Despite Fox News' assurances that this was a test environment, Fowler and friends noted that many records were labeled "prod," which is typically shorthand for production.

But even in a development environment, this data could pose a security risk, the researchers added, because dev environments often share storage repositories, middleware, and infrastructure with live production systems.

The researchers also made clear that they are not implying any customer or user data was at risk, and they applauded the Fox security team for acting "fast and professional" to close off the exposed database. Still, "any non-password protected database could potentially allow someone to insert malicious code into the network," they noted.

Autodesk patches high-severity bugs

Autodesk has patched multiple high-severity vulnerabilities that, if exploited, could allow attackers to run arbitrary code on vulnerable machines and steal sensitive information.

Security firm Fortinet's threat research team discovered the bugs, which affect Autodesk's DWG TrueView, Design Review, and Navisworks, and reported them to the software provider. Its research team also published a run-down of all seven vulns.

Both companies urge users to apply the patches ASAP.

The first five bugs, CVE-2022-27525, CVE-2021-40167, CVE-2022-27526, CVE-2022-27527, and CVE-2022-25797, are memory corruption vulnerabilities, each triggered by parsing a malformed file.

CVE-2022-27525 affects Autodesk Design Review. It's caused by a malformed Design Web Format (DWF) file, "which causes an out-of-bounds memory write due to an improper bounds check," Fortinet explained.

If exploited, this bug could allow cybercriminals to execute arbitrary code via a specially crafted DWF file.

CVE-2021-40167 affects the same product and is also triggered by a malformed DWF file. It could allow an attacker to leak memory within the context of the application.

CVE-2022-27526, which could also be exploited to leak memory, likewise affects Design Review and is triggered by a malformed Truevision (TGA) image file. Specifically, the TGA file "causes an out-of-bounds memory access, due to improper bounds checking when manipulating a pointer to an allocated buffer," Fortinet said.

CVE-2022-27527 affects Autodesk Navisworks. It's caused by a malformed PDF file, which also leads to out-of-bounds memory access.

The fifth memory corruption bug, CVE-2022-25797, is triggered by a malformed DWG file, affects DWG TrueView, and could allow a criminal to execute arbitrary code using a crafted DWG file.

CVE-2022-27523, a buffer over-read vulnerability in Autodesk DWG TrueView, could allow a remote attacker to leak sensitive data using a malicious DWG file.

And finally, CVE-2022-27524 is an out-of-bounds read vulnerability in DWG TrueView that could likewise be exploited to leak sensitive data.
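All seven bugs share one root cause: a file format parser that trusts length and offset fields it read from the file and then uses them in pointer arithmetic or a copy into an allocated buffer. The following C example, written for this article and not taken from Autodesk's or Fortinet's code, illustrates the pattern on the simplest of the formats named above, an uncompressed true-colour TGA image (the 18-byte header layout is from the TGA spec; the parser logic, the `tga_*` function names, and the sample files are constructed for this example). The unchecked parser shows how one untrusted byte yields an out-of-bounds read, a size_t wrap, and a heap out-of-bounds write at the same `memcpy`; the hardened parser validates every length before it touches a pointer or `malloc`, and rejects the two malformed sample files.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class, not Autodesk's code: a minimal
 * parser for an uncompressed true-colour TGA file (18-byte header, optional
 * image ID of id_len bytes, then width*height*bpp bytes of pixels). */

#define TGA_HDR_LEN 18

typedef struct {
    uint16_t width;
    uint16_t height;
    uint8_t  bpp;          /* bytes per pixel */
    size_t   pixel_bytes;  /* width * height * bpp */
    uint8_t *pixels;       /* heap buffer, caller frees */
} tga_image;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* VULNERABLE: sizes come straight from the file and are never checked.
 * - id_len is added to the data pointer without checking it stays inside the
 *   file, so src can point past the end (out-of-bounds read);
 * - if id_len exceeds the file length, len - (18 + id_len) wraps to a huge
 *   size_t and memcpy runs off the end of the file;
 * - if the file carries more pixel bytes than width*height*bpp, memcpy writes
 *   past the allocated buffer (heap out-of-bounds write). */
int tga_parse_unchecked(const uint8_t *file, size_t len, tga_image *out)
{
    if (len < TGA_HDR_LEN) return -1;
    uint8_t id_len = file[0];
    out->width  = rd16le(file + 12);
    out->height = rd16le(file + 14);
    out->bpp    = file[16] / 8;
    out->pixel_bytes = (size_t)out->width * out->height * out->bpp;
    out->pixels = malloc(out->pixel_bytes);
    if (out->pixels == NULL) return -1;
    const uint8_t *src = file + TGA_HDR_LEN + id_len;       /* unchecked pointer arithmetic */
    memcpy(out->pixels, src, len - (TGA_HDR_LEN + id_len)); /* copies "the rest of the file" */
    return 0;
}

/* HARDENED: validate every length against the buffer before using it. */
int tga_parse_checked(const uint8_t *file, size_t len, tga_image *out)
{
    if (file == NULL || out == NULL || len < TGA_HDR_LEN) return -1;
    uint8_t id_len = file[0];
    uint8_t depth  = file[16];
    if (file[2] != 2) return -1;                       /* only uncompressed true-colour */
    if (depth != 16 && depth != 24 && depth != 32) return -1;

    size_t offset = (size_t)TGA_HDR_LEN + id_len;
    if (offset > len) return -1;                       /* image ID overruns the file */

    uint16_t w = rd16le(file + 12), h = rd16le(file + 14);
    uint8_t bpp = depth / 8;
    if (w == 0 || h == 0) return -1;
    if ((size_t)w > SIZE_MAX / h / bpp) return -1;     /* guards the multiply on 32-bit */
    size_t need = (size_t)w * h * bpp;
    if (len - offset < need) return -1;                /* truncated pixel data */

    out->width = w; out->height = h; out->bpp = bpp; out->pixel_bytes = need;
    out->pixels = malloc(need);
    if (out->pixels == NULL) return -1;
    memcpy(out->pixels, file + offset, need);          /* exactly the bytes we own */
    return 0;
}

/* Constructed sample files. A valid 2x1 24-bit image: */
const uint8_t TGA_GOOD[] = {
    0, 0, 2,  0,0,0,0,0,  0,0, 0,0,  2,0, 1,0,  24, 0,   /* id_len=0, type 2, 2x1, 24bpp */
    0xff,0,0,  0,0xff,0                                   /* two BGR pixels */
};
/* Same image, but id_len claims 200 bytes of image ID inside a 24-byte file. */
const uint8_t TGA_BAD_ID[] = {
    200, 0, 2,  0,0,0,0,0,  0,0, 0,0,  2,0, 1,0,  24, 0,
    0xff,0,0,  0,0xff,0
};
/* Header claims 4x4 pixels (48 bytes) but only 6 pixel bytes follow. */
const uint8_t TGA_TRUNC[] = {
    0, 0, 2,  0,0,0,0,0,  0,0, 0,0,  4,0, 4,0,  24, 0,
    0xff,0,0,  0,0xff,0
};

/* Run the hardened parser and report 0 (accepted) or -1 (rejected). */
int tga_accepts(const uint8_t *file, size_t len)
{
    tga_image img = {0};
    int rc = tga_parse_checked(file, len, &img);
    free(img.pixels);
    return rc;
}

/* On well-formed input both parsers agree; returns 1 when they do. */
int tga_demo_good_roundtrip(void)
{
    tga_image a = {0}, b = {0};
    int ok = tga_parse_unchecked(TGA_GOOD, sizeof TGA_GOOD, &a) == 0 &&
             tga_parse_checked(TGA_GOOD, sizeof TGA_GOOD, &b) == 0 &&
             a.pixel_bytes == b.pixel_bytes &&
             memcmp(a.pixels, b.pixels, a.pixel_bytes) == 0;
    free(a.pixels);
    free(b.pixels);
    return ok;
}

int main(void)
{
    printf("good: %d, bad id_len: %d, truncated: %d\n",
           tga_accepts(TGA_GOOD, sizeof TGA_GOOD),
           tga_accepts(TGA_BAD_ID, sizeof TGA_BAD_ID),
           tga_accepts(TGA_TRUNC, sizeof TGA_TRUNC));
    return 0;
}
```

The unchecked routine is deliberately only ever run on the well-formed sample here; feeding it TGA_BAD_ID is undefined behaviour, which is the point. Note the order of checks in the hardened version: the header-derived offset is compared against the file length before any pointer is formed from it, and the pixel size is bounded before malloc, so neither the file's own claims nor a truncated file can move the copy outside memory the parser owns.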

CISA, D-Link urge end-of-life router retirement

CISA has advised anyone using certain older D-Link routers to take them offline before miscreants find and exploit a critical remote code execution vulnerability in them.

On Monday, CISA added the RCE bug, tracked as CVE-2021-45382, to its Known Exploited Vulnerabilities catalog. It exists in all hardware revisions of D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers, via the dynamic DNS (DDNS) function in the ncc2 binary.

The ncc2 service allows for some firmware and language file upgrades via the web interface. But as Malwarebytes Labs researcher Pieter Arntz explained, "the ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available."

An attacker can call these hooks without authenticating. "These files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand," he added.

The bug has a CVSS score of 9.8, rated critical. But because the affected routers are end-of-life, D-Link isn't issuing any patches for them.

Both CISA and D-Link suggest that you retire these models ASAP, before a cybercriminal finds your router.

And if you still aren't convinced, there's a proof-of-concept on GitHub that makes it trivial for evildoers to remotely take over vulnerable devices and execute malicious code.

Cybercriminals still exploiting Spring4Shell

Miscreants continue to exploit the remote code execution vulnerability in the Java Spring framework, CVE-2022-22965, a week after the nasty software bug was disclosed.

A week after the initial outbreak, Check Point Research said it had seen about 37,000 attempts to exploit the vulnerability, dubbed "Spring4Shell."

While organizations around the globe have been affected by the bug, Europe was the hardest hit, according to the security shop. 

In the first four days after disclosure, 16 percent of orgs worldwide experienced exploitation attempts. In Europe, that number jumped to 20 percent. Australia and New Zealand ranked second, at 17 percent, followed by Africa (16 percent), Asia (15 percent), Latin America (13 percent), and North America (11 percent).

Perhaps unsurprisingly, the software vendor industry felt the most pain from Spring4Shell.  According to Check Point, 28 percent of companies in this sector were impacted by the vulnerability. Education and research orgs were the second-most affected, with 26 percent impacted. And insurance/legal, ISPs/MSPs, and finance/banking institutions tied for third place at 25 percent.

While noting that its own CloudGuard AppSec customers were protected, the security firm advised: "If your organization is using Java Spring and not using CloudGuard AppSec, immediately review your software and update to the latest versions by following the official Spring project guidance." ®
