Privacy warning over Pokémon Go app for iOS as it grabs full access to players’ Google accounts

As if there weren’t enough headlines about malicious bogus Pokémon Go apps for Android, and thieves using the game to ambush and rob unsuspecting players, privacy concerns have now been raised about the iOS edition of the app.

Adam Reeve found that players of the iOS version of Pokémon Go who signed into the app via Google were unwittingly giving the Nintendo game – developed by Niantic – full access to their Google account:

Let me be clear – Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And a whole lot more

And they have no need to do this – when a developer sets up the “Sign in with Google” functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
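To make the point above concrete, here is an added example (my own code, not from the original post, Niantic or Google) of how an OAuth 2.0 "Sign in with Google" request carries the access level as a `scope` parameter, and of a small audit check a developer or reviewer can run to flag any scope beyond basic identity and contact information. The authorization endpoint and the scope identifiers are Google's documented ones; the client ID, redirect URI and the over-broad request are constructed placeholders, and nothing here reflects which scopes the game actually requested.

```python
"""Audit the OAuth 2.0 scopes a "Sign in with Google" integration requests.

Added example, not code from the original post, Niantic or Google. The
endpoint and scope identifiers are Google's documented ones; client IDs,
redirect URIs and the sample requests below are constructed placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The minimum a sign-in flow usually needs: an identity token plus basic
# contact information. Anything beyond this set deserves a justification.
MINIMAL_SIGN_IN_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build the authorization URL a client sends the user to.

    The requested access level is nothing more than the space-separated
    `scope` parameter; the developer chooses it when wiring up sign-in.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,  # CSRF token; constructed here, random in practice
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def scopes_from_auth_url(url):
    """Extract the set of scopes from an authorization URL (for review/CI)."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def audit_scopes(scopes, allowed=MINIMAL_SIGN_IN_SCOPES):
    """Return the requested scopes that exceed plain sign-in needs.

    An empty result means the request follows least privilege; a non-empty
    result is the list a reviewer should ask the developer to justify.
    """
    return set(scopes) - set(allowed)


# Constructed example of a least-privilege sign-in request.
MINIMAL_URL = build_auth_url(
    "client-id-placeholder", "https://example.com/oauth/callback",
    MINIMAL_SIGN_IN_SCOPES, "state-placeholder",
)

# Constructed example of an over-broad request: full Gmail and full Drive
# access on top of sign-in. These are real Google scope identifiers, used
# here only to show what the audit flags.
OVERBROAD_SCOPES = MINIMAL_SIGN_IN_SCOPES | {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}
OVERBROAD_URL = build_auth_url(
    "client-id-placeholder", "https://example.com/oauth/callback",
    OVERBROAD_SCOPES, "state-placeholder",
)

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL_URL), ("over-broad", OVERBROAD_URL)):
        extra = audit_scopes(scopes_from_auth_url(url))
        print(f"{label}: {'OK' if not extra else 'REVIEW ' + ', '.join(sorted(extra))}")
```

The audit is the kind of check worth running in code review or CI against the scope list an app ships with: when a sign-in integration only needs to know who the user is, the expected result is an empty set, and every extra scope is a question to answer before release.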

Other players of Pokémon Go – including popular security tweeter @SwiftOnSecurity – confirmed that the app had grabbed full access to their Google accounts.

I like to imagine this is a cockup rather than a conspiracy, and that the game’s developers do not have any malicious intent, but this really doesn’t sound good at all.

Hopefully a new fixed version of the Pokémon Go app for iOS will be released sooner rather than later.

In the meantime, players may wish to revoke the game’s access to their Google account.


Android users warned of malicious Pokémon Go app

Security researchers at Proofpoint have discovered a malicious Pokémon Go app that installs a backdoor on Android devices:

Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone.

The malicious app hasn’t sneaked its way onto the official Google Play store, so any victims would need to install it from an unofficial third-party store.

Although Proofpoint says that it hasn’t seen any reports of the malicious app infecting users in the wild, the current mania for Pokémon Go (its international roll-out is apparently being “paused” while Nintendo wrestles with its overloaded servers) may mean that there are some avid gamers who could put themselves at risk.

The official Android Google Play store doesn’t have a spotless record when it comes to keeping malware out, but it certainly appears to do a better job than many of the unpoliced unofficial Android app stores out there.

If you’re an Android user and care about your security and privacy, only download apps from a legitimate store and always pay attention to the permissions they request.


Apple devices held for ransom, massive iCloud account hack rumours

Steve Ragan of CSO Online:

“On July 1, Alanna Coca noticed her iPad had started beeping. When she opened the cover, the lock screen had a message displaying a phrase in Russian – “Dlya polucheniya parolya, napshite na email” – followed by a Gmail address.”

“Roughly translated, the phrase was telling her that in order to receive a password, she’ll need to email the address displayed.”

Such attacks aren’t unusual (you may remember a message from Russian hacker Oleg Pliss popping up on some users’ iMacs, iPhones and iPads back in 2014), and are perpetrated by a hacker putting a victim’s device into lost mode after breaking into their Apple ID account.

A message sent by the hacker to the locked device asks for the victim to get in touch to arrange the ransom payment, and may even make a veiled threat that the device’s data will be erased if cash is not transferred promptly.

What spices things up a little more this time is that Ragan reports rumours of a massive data breach at Apple potentially impacting 40 million iCloud accounts.

That may be nonsense, of course – it’s possible that accounts have fallen under the control of hackers because of less sensational reasons – such as poor password choices, phishing or reusing the same password on multiple sites.

What is clear is that some Apple users are having their devices hijacked by extortionists. So make sure that you have a unique, hard-to-crack, hard-to-guess password protecting your Apple ID account.

And, if you haven’t already done so, I strongly recommend enabling two-step verification on your Apple ID account to make it harder for hackers to break in.

Read more on CSO Online.


US government tells Symantec and Norton Antivirus users to apply security patches immediately

Google security researcher Tavis Ormandy has uncovered critical vulnerabilities in a range of Symantec and Norton Antivirus products, which could be exploited by malicious hackers to launch attacks.
Here’s the skinny from the United States Computer Eme…

Big news in the anti-virus industry. Avast to acquire AVG for $1.3 billion

Two of Europe’s most famous anti-virus companies, famous for their free product editions and founded in what was at the time Czechoslovakia, are looking to become one.

How much money is on the table from Avast to acquire AVG? A tidy $1.3 billion.

Here is what Avast CEO Vince Steckler has to say:

“Under an agreement signed with AVG, Avast will be making an offer ($25 per share or about $1.3 billion in total) to buy all shares of AVG’s stock which AVG’s board is recommending their shareholders accept. If the AVG shareholders do accept, following the various governmental regulators approvals, AVG will become part of Avast and we will jointly work on a great future together. We expect this to take a few months.”

“I do think this combination is great for our users. We will have over 250 million PC/Mac users enabling us to gather even more threat data to improve the protection to our users. In mobile, our combined 160 million mobile users will be used to improve protection as well as to provide an important stepping stone into the Internet of things. Additionally, we will be gaining some exciting mobile technology designed to protect families on line. In SMB, we will be better able to support our business users with a larger geographic footprint, better technical support, and the best technologies from our two companies.”

When those early pioneers started writing anti-virus software in their back bedrooms in the late 1980s and early 1990s, they can never have imagined things would grow so big.

Read Avast’s corporate press release here.


Android users warned of HummingBad malware, as millions of devices infected

Check Point researchers report that a cybercrime gang called Yingmob is using the HummingBad malware to exploit millions of Android devices around the world:

Yingmob uses HummingBad to control 10 million devices globally and generate $300,000 per month …

Could your selfies be held to ransom? Alleged Instagram account hacker arrested

The incredibly cool-sounding Titan, the North West of England’s regional organised crime unit, has arrested a 16-year-old boy from Croxteth, Liverpool, on suspicion of hacking an Instagram account.

The Liverpool Echo quotes Detective Chief Superintendent Chris Green, the head of Titan:

“Our on-going enquiry centres on the alleged blackmailing of someone in another part of the country whose Instagram account, with many thousands of followers, was hacked and taken control of by someone else.”

“The victim then received messages from the offender asking for a ransom to be paid in return for access to their Instagram account being given back.”

“Another allegation, which is possibly related, is the hacking of someone’s online shopping account whereby goods were re-directed to another person’s address.”

Computer equipment has been seized by law enforcement officers and will be examined by digital forensics experts.

It’s clear to me that this is just more evidence that 2016 is becoming the year of online extortion – online attackers are recognising that there is money to be made through extortion, whether it be demanding a ransom to be paid for the safe return of data, the suspension of a DDoS attack against a website, or the recovery of a social media account.

Past victims of Instagram hackers have included artist Rachel Ryle, who had her account hijacked by a spammer and lost 35,000 followers and a sizeable sponsorship deal as a result.

Earlier this year it was reported that Instagram was beginning to roll out some form of two-factor authentication/two-step verification to better protect users’ accounts.

As Instagram’s parent company Facebook does provide two-step verification (in the form of Login Approvals) one would hope that the wind is blowing in the right direction…

However, I have not been able to confirm that the security feature is available to the Instagram masses yet. If you have more details on whether Instagram users can enable 2FA or 2SV yet, please leave a comment.
