Pixel phones are known for their strong security features, particularly in protecting the cellular baseband, which is the processor handling LTE, 4G, and 5G communications. While basebands in smartphones are often vulnerable to attacks due to performance constraints, Pixel has implemented security hardening measures for years. Google claims that the Pixel 9 implements the most secure baseband to date, addressing a critical attack vector exploited by researchers.
The cellular baseband manages a smartphone’s network connectivity and processes external inputs, including those from untrusted sources. In the past, researchers documented multiple attacks relying on to target mobile devices. Threat actors can remotely carry out these kinds of attacks through protocols like IMS.
“malicious actors can . In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client.” reads .
Baseband firmware can be affected by vulnerabilities, making it a significant attack vector. Exploiting baseband bugs can lead to remote code execution.
Experts warn that most smartphone basebands lack exploit mitigations commonly used in software development. Zero-day brokers and can exploit these vulnerabilities to target mobile users and deploy malware like . Baseband exploits are frequently listed in exploit marketplaces with low payouts, indicating their abundance. In response, Android and Pixel have strengthened their Vulnerability Rewards Program, prioritizing the identification and resolution of connectivity firmware vulnerabilities.
Pixel has added proactive defenses over the years; the key security measures implemented in the Pixel 9 series include:
Additionally, bug detection tools like are used during testing to patch bugs before shipping.
“Security hardening is difficult and our work is never done, but when these security measures are combined, they significantly increase Pixel 9’s resilience to baseband attacks.” concludes the announcement. “Pixel’s proactive approach to security demonstrates a commitment to protecting its users across the entire software stack. Hardening the cellular baseband against remote attacks is just one example of how Pixel is constantly working to stay ahead of the curve when it comes to security.”
Apple released updates to fix two vulnerabilities, tracked as CVE-2024-44207 and CVE-2024-44204 respectively.
The company addressed the vulnerability by improving checks. The flaw was reported by Michael Jimenez and an anonymous researcher.
The vulnerability CVE-2024-44207 may allow threat actors to capture short snippets of audio messages in Messages before the microphone indicator is activated.
The vulnerability CVE-2024-44204 is a logic issue that could potentially enable VoiceOver to read aloud users’ saved passwords. The issue was addressed with improved validation; it was reported by the researcher Bistrit Dahal.
Apple is not aware of attacks in the wild exploiting the above vulnerabilities.
Researchers from Kaspersky discovered a new version of the in multiple apps uploaded to the Google Play store. The malware was hidden in popular applications and game mods.
Kaspersky researchers the Necro Trojan in 2019; at the time, the malicious code was hidden in the free version of the popular PDF creator application CamScanner.
The new version of the Necro loader infected both apps in Google Play and modified versions of Spotify, Minecraft, and other popular applications in unofficial sources.
The new version of the Necro loader uses obfuscation and steganography techniques to evade detection. It can perform various malicious actions, including displaying ads in invisible windows, downloading and executing DEX files, installing applications, opening links in hidden WebView windows, executing JavaScript, and creating tunnels through the victim’s device. The malicious code can also potentially subscribe to paid services.
According to the experts, the malicious apps in the Google Play Store have been downloaded 11 million times (Wuta Camera 10+ million downloads, Max Browser 1+ million downloads). The actual number of infected devices could be higher due to Necro’s spread through unofficial app sources.
“The new version of the Necro Trojan has infected various popular applications, including game mods, with some of them being available on Google Play at the time of writing this report.” reads the published by Kaspersky. “The combined audience of the latter exceeds 11 million Android devices.”
The researchers believe that the malware found its way to the Play Store through a tainted software development kit (SDK) used to integrate advertising capabilities into the apps.
Necro malware is primarily delivered through modded versions of popular apps and games available on unofficial sites and app stores. These apps activate the Coral SDK, which sends an encrypted POST request to a command-and-control (C2) server, containing details about the compromised device and the host app. The C2 server responds with a JSON file that includes a link to a PNG image file and metadata like MD5 and version info. This PNG file contains a payload hidden via steganography. The SDK extracts the main payload, a Base64-encoded Java archive (JAR) file, from the image.
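The report says the second-stage payload arrives as a Base64-encoded JAR hidden in a PNG image, but it does not describe the steganographic method. The following is an added triage script, not Kaspersky's code and not a claim about how Necro hides its payload: it parses the PNG chunk structure and flags two generic indicators a defender can check on any downloaded image, namely bytes appended after the IEND chunk and chunks whose CRC does not match their data. The sample PNG and the fake appended payload are constructed inline.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def _looks_base64(data: bytes) -> bool:
    """True if the bytes decode as strict Base64 (a hint, not proof, of an embedded blob)."""
    if len(data) < 16:
        return False
    try:
        base64.b64decode(data, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list up to IEND and report structural anomalies."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    chunks, crc_errors, iend_seen = [], [], False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            break  # truncated chunk; stop and treat the rest as trailing data
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        name = ctype.decode("ascii", "replace")
        if struct.unpack(">I", crc_field)[0] != expected:
            crc_errors.append(name)
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            iend_seen = True
            break
    trailing = blob[pos:]
    return {
        "chunks": chunks,
        "crc_errors": crc_errors,
        "iend_seen": iend_seen,
        "trailing_bytes": len(trailing),
        "trailing_is_base64": _looks_base64(trailing),
        "suspicious": bool(trailing) or bool(crc_errors) or not iend_seen,
    }


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for an appended Base64 blob; not a real Necro payload.
    fake_payload = base64.b64encode(b"PK\x03\x04constructed-fake-jar-bytes" * 4)
    for label, image in (("clean", clean), ("appended", clean + fake_payload)):
        print(label, inspect_png(image))
```

A PNG decoder stops at IEND, so an image with appended data still renders normally; that is exactly why trailing bytes are worth flagging in any pipeline that fetches images from an advertising SDK's server.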
Necro has a modular structure; plugins are downloaded from the C2 server to support multiple capabilities, including:
The analysis of Happy SDK likely revealed a different variant of Necro that doesn’t have a modular architecture.
This indicates that Necro is highly adaptable, and capable of downloading new iterations of itself, potentially adding new features.
Between August 26th and September 15th, security solutions blocked over 10,000 Necro attacks globally, with most of the infections in Russia, Brazil, and Vietnam.
“The Necro Trojan has once again managed to attack tens of thousands of devices worldwide. This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection.” concludes the report. “The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application.”
ThreatFabric researchers discovered a new version of the Android banking trojan Octo, called Octo2, that supports more advanced remote action capabilities needed for Device Takeover attacks.
The new malware has already targeted users in European countries, including Italy, Poland, Moldova, and Hungary.
Octo2 is linked to the malware, first identified in 2016, which also gave rise to another variant called in 2021.
In 2024, Octo’s source code was leaked online, allowing other threat actors to create their own versions. This leak likely prompted the original threat actor to release a new version, Octo2.
Over the years, Octo malware campaigns targeted regions worldwide, including Europe, the USA, Canada, the Middle East, Singapore, and Australia. Octo operates as Malware-as-a-Service, and its new version, Octo2, is being offered to existing users at the same price with early access. The researchers believe that many threat actors using Octo1 will switch to Octo2, expanding its global reach. Research indicates that Octo2 can block push notifications from specific apps, suggesting that cybercriminals are already targeting users of these apps as part of their attacks.
“These samples from the first campaigns observed were masquerading as Google Chrome, NordVPN, and “Enterprise Europe Network” applications.” . “However, as we said previously, we can expect threat actors behind Octo2 to not limit their activity and continue targeting users of mobile banking all over the world.”
ThreatFabric observed serving as the first stage of the installation in Octo2 campaigns they have monitored. Upon launch, Zombinder will request the installation of an additional “plugin” which is Octo2, thus successfully .
Octo2 has been significantly improved: the authors enhanced stability during remote control sessions and improved its anti-detection and anti-analysis techniques. Key improvements include:
There is presently no evidence to suggest that Octo2 is propagated via the Google Play Store, indicating that users are likely either downloading it from untrusted sources or being tricked into installing it via social engineering.
“The emergence of this Octo2 variant represents a significant evolution in mobile malware, particularly in the context of banking security. With enhanced remote access functionality, sophisticated obfuscation methods, and the wide availability of its predecessor’s source code, Octo2 is poised to remain a dominant force in the mobile malware landscape together with its older variants based on the leaked source code.” concludes the report. “This variant’s ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customised by different threat actors, raises the stakes for mobile banking users globally. “
Telegram has updated its privacy policy, informing users that it will share users’ phone numbers and IP addresses with law enforcement in response to valid legal requests.
The company CEO announced the policy update this week. Telegram will comply with requests from law enforcement if the user under investigation is found to be violating the platform’s rules.
“If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.” .
In a message on its Telegram Channel, Durov revealed that over the last few weeks, a dedicated team of moderators, leveraging AI, has worked on its platform to identify and remove problematic content from the app.
“To further deter criminals from abusing Telegram Search, we have updated our Terms of Service and Privacy Policy, ensuring they are consistent across the world. We’ve made it clear that the IP addresses and phone numbers of those who violate our rules can be disclosed to relevant authorities in response to valid legal requests.” Durov wrote on his . “These measures should discourage criminals. Telegram Search is meant for finding friends and discovering news, not for promoting illegal goods. We won’t let bad actors jeopardize the integrity of our platform for almost a billion users.”
Durov also revealed that Search on Telegram was enhanced, allowing users to find public channels and bots.
The policy appears to be still under development. The independent website 404Media first reported that, previously, Telegram’s policy stated that user data would only be shared with authorities in cases of confirmed terror-related suspicions, following a court order.
Data shared with authorities will be disclosed in the company’s quarterly transparency reports, accessible via a .
At the time of this writing, the bot displays the following message: “We are updating this bot with current data. Please come back within the next few days.”
Durov also revealed that Telegram had improved its search feature, which is known for widespread abuse to sell and promote illegal goods. He said a dedicated team has been working over the last few weeks to remove problematic content from the platform’s search results.
At the end of August, French prosecutors formally charged Telegram CEO Pavel Durov with facilitating various criminal activities on the platform, including the spread of child sexual abuse material (CSAM), enabling organized crime, illicit transactions, drug trafficking, and fraud. The authorities announced a formal investigation of Durov following .
Durov was indicted, and French authorities released him under judicial supervision with a ban on leaving French territory.
The Telegram CEO spent more than eighty hours in police custody before being charged on August 28 with twelve offences, including “complicity in administering an online platform to enable illicit transactions as part of an organized gang,” refusal to provide necessary information for lawful interceptions, “complicity in the dissemination of child pornography by an organized gang,” drug trafficking, fraud, criminal association, and money laundering by an organized gang. Durov has been placed under judicial supervision and is prohibited from leaving French territory.
Pavel Durov was also “placed under judicial supervision, including the obligation to post a €5 million bail, the obligation to report to the police station twice a week, and the ban on leaving French territory,” said the Paris prosecutor’s office on Wednesday.
Durov was charged with refusing to provide information required by authorities to carry out legal interceptions. To avoid pretrial detention, Durov paid a €5 million bail, cannot leave France, and must report to authorities twice a week. The arrest is linked to a judicial investigation opened in France in July 2024, focused on Telegram’s lack of moderation, which has allowed extremist and malicious activities to proliferate on the platform.
Ukraine’s National Coordination Centre for Cybersecurity (NCCC) has banned the messaging app on government agencies, military, and critical infrastructure, due to national security concerns. The ban does not affect Ukrainian citizens.
On September 19, Ukraine announced the ban on Telegram during a meeting focused on threats to national security posed by the use of the Telegram messenger, especially during the ongoing conflict between Russia and Ukraine.
Kyrylo Budanov, the chief of Ukraine’s Defence Intelligence, warned that Russian intelligence could spy on Ukrainian entities potentially accessing Telegram users’ data, including deleted messages.
“The Chief of the Defence Intelligence of Ukraine Kyrylo Budanov provided substantiated evidence that russian special services have access to personal correspondence of Telegram users, even deleted messages, as well as their personal data.” reads the announcement published by the National Security and Defense Council of Ukraine.
“I have always stood for freedom of speech, but the issue of Telegram is not a matter of freedom of speech, it is a matter of national security,” said Budanov.
Representatives of the Security Service of Ukraine and the General Staff of the Armed Forces of Ukraine warned that Russia-linked threat actors are actively using Telegram for cyberattacks, spreading phishing and malware, geolocating users, adjusting missile strikes, etc.
“In order to minimise these threats, it was decided to ban the installation and use of Telegram on the official devices of government officials, military personnel, employees of the security and defence sector, as well as enterprises operating critical infrastructure.” continues the announcement. “The only exceptions will be those for whom the use of this messenger is part of their official duties.”
Despite the ban on military and government devices, Ukrainian users rely heavily on Telegram to communicate and receive news on ongoing conflicts.
At the end of August, French prosecutors Telegram CEO Pavel Durov with facilitating various criminal activities on the platform, including the spread of child sexual abuse material (CSAM), enabling organized crime, illicit transactions, drug trafficking, and fraud. The authorities announced a formal investigation of Durov following .
Durov was indicted, and French authorities released him under judicial supervision with a ban on leaving French territory.
The ‘ feature in WhatsApp allows users to send photos, videos, and voice messages that can only be viewed once by the recipient.
Recipients cannot forward, share, or copy the “View Once” media, and they cannot take screenshots or screen recordings of it.
However, a bug in the feature in its browser-based web app allows recipients to re-view the messages and save the picture and video, which should vanish immediately after being displayed on the recipient’s device. The popular instant messaging app also prevents users from taking screenshots.
The “” feature is available only on mobile devices but not on the web app and was first supported in 2021.
The researcher Tal Be’ery from the Zengo X Research Team discovered the flaw and published technical details of the issue this week.
The researchers responsibly disclosed their findings to Meta but decided to publicly disclose the issue after discovering it was already being exploited in the wild. They aimed to protect the privacy of WhatsApp users and provided a of the blog for further details.
“The View once media messages are technically the same as regular media messages, only with the “view once” flag set. Which means it’s the virtual equivalent of putting a note on the picture that says “don’t look”. All that is required for attackers to circumvent it, is merely to set this flag to false and the “view once” media immediately becomes “regular” media and can be downloaded, forwarded and shared.” reads the published by Tal Be’ery.
“Given its media URL, the View once media can be downloaded by any client, no authentication is needed (reader still needs the decryption key sent with the message). Again making the task of limiting the exposure of the media to controlled environments and platforms impossible “
The researchers built an unofficial WhatsApp client app using Baileys, an open-source implementation of the WhatsApp Web API, to demonstrate how to bypass the “View once” feature. They reported their findings to Meta but later discovered that others had already found and exploited the issue earlier in the year. These malicious users modified the message flag from “view once” to “false” using either a modified WhatsApp Android app or a web extension.
“To actually solve this issue, WhatsApp needs to apply a proper Digital Rights Management (DRM) solution that also verifies there is hardware support in place for such DRM. Such frameworks are provided by and and other modern Operating Systems.” suggests the expert.
“A less robust but easier solution would be to have the sender send the “view once” message only to the primary device ( mobile ) and not to companion linked devices ( web, desktop). Please note it will only defeat extensions and is not relevant against patched mobile clients.”
WhatsApp has yet to reveal when it plans to address the issue.
Google addressed a high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), in its Android operating system that is under active exploitation in the wild.
The vulnerability CVE-2024-32896 is a privilege escalation in the Android Framework component.
“there is a possible way to bypass due to a logic error in the code.” reads the published by NIST National Vulnerability Database (NVD). “This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.”
Google addressed the issue with the release of the Android Security Bulletin for September 2024.
“There are indications that may be under limited, targeted exploitation.” the Bulletin for September 2024.
In June 2024, Google of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” the advisory.
As usual, the IT giant did not provide technical information about attacks exploiting the above issue.
The maintainers of GrapheneOS, an Android-based, open source, privacy and security-focused mobile operating system, that CVE-2024-32896 results from the partial mitigation of another flaw tracked as .
The experts pointed out that while these vulnerabilities are not exclusive to Pixel devices, the mitigations only addressed the issues on Pixels. The vulnerabilities involve interrupting reboots for wipes via the device admin API, applicable to all devices. CVE-2024-32896 is a full fix included in Android 14 QPR3, while CVE-2024-29748 was a Pixel-specific mitigation in the bootloader. The full solution now allows wipe-without-reboot in Android 14 QPR3.
Many Google Pixel devices shipped since September 2017 have included dormant software that could be exploited by attackers to compromise them. Researchers from mobile security firm iVerify reported that the issue stems from a pre-installed Android app called “Showcase.apk,” which runs with excessive system privileges, allowing it to remotely execute code and install remote packages.
“iVerify discovered an Android package, “Showcase.apk,” with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017.” reads the report. “The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level”
The issue allows the app to retrieve its configuration file over unsecured HTTP from a single AWS-hosted domain, exposing millions of Android Pixel devices to man-in-the-middle (MITM) attacks. Threat actors could exploit this flaw to inject malicious code, execute commands with system privileges, and take over devices, potentially leading to serious cybercrimes and data breaches.
The “Showcase.apk” package, developed by Smith Micro, is part of the firmware image on millions of Android Pixel phones, potentially enhancing sales in Verizon stores.
The app “Showcase.apk” cannot be removed through the standard uninstallation process, and Google has yet to address the vulnerability. The app is preinstalled in Pixel firmware and included in Google’s OTA updates for Pixel devices. The experts pointed out that although the app is not enabled by default, it can be activated through various methods, one of which requires physical access to the device.
The flawed app is called (“com.customermobile.preload.vzw”) and dozens of permissions for its execution.
The app has been present since August 2016, but there is no evidence that this vulnerability has been exploited in the wild.
“The application fails to authenticate or verify a statically defined domain during retrieval of the application’s configuration file. If the application already maintains a persistent configuration file, it is unclear if additional checks are in place to ensure the configuration parameters for command-and-control or file retrieval are up to date.” continues the report. “The application uses unsecure default variable initialization during certificate and signature verification, resulting in valid verification checks after failure”
The application is vulnerable because its configuration file can be altered during retrieval or transit to the targeted phone. It also fails to handle missing public keys, signatures, and certificates, allowing attackers to bypass the verification process during downloads.
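The two defects the report describes, a configuration fetched over plain HTTP and a signature check that passes when the key, signature or certificate is missing because the result variable starts out "valid", are a well-known fail-open pattern. The code below is an added illustration, not iVerify's analysis and not the Showcase.apk code: it contrasts a fail-open verifier with a fail-closed one and adds the transport check. HMAC-SHA256 stands in for the app's certificate and signature scheme (an assumption made to keep the example self-contained), and the key, URL and configuration bytes are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed sample values; not from the report.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_CONFIG = b'{"config_host":"config.example.invalid","version":3}'


def sign(config: bytes, key: bytes) -> bytes:
    """Stand-in for the vendor signature: HMAC-SHA256 over the config bytes."""
    return hmac.new(key, config, hashlib.sha256).digest()


def verify_fail_open(config: bytes, signature: Optional[bytes],
                     key: Optional[bytes]) -> bool:
    """Mirrors the defect class described in the report (illustration only):
    the result is initialised to the success value, and a missing key or
    signature, or any error, returns without ever flipping it."""
    valid = True  # unsafe default initialisation
    if key is None or signature is None:
        return valid  # nothing was checked, yet the caller sees "verified"
    try:
        valid = hmac.compare_digest(sign(config, key), signature)
    except Exception:
        pass  # error path leaves 'valid' at its default
    return valid


def verify_fail_closed(config: bytes, signature: Optional[bytes],
                       key: Optional[bytes]) -> bool:
    """Hardened form: absent material or any error is a verification failure."""
    if key is None or signature is None:
        return False
    try:
        return hmac.compare_digest(sign(config, key), signature)
    except Exception:
        return False


def transport_allowed(url: str) -> bool:
    """Refuse to fetch configuration over anything but HTTPS."""
    return urlparse(url).scheme == "https"


def accept_config(url: str, config: bytes, signature: Optional[bytes],
                  key: Optional[bytes]) -> bool:
    """Accept a configuration only if both the transport and the signature pass."""
    if not transport_allowed(url):
        return False
    return verify_fail_closed(config, signature, key)


if __name__ == "__main__":
    good_sig = sign(SAMPLE_CONFIG, SAMPLE_KEY)
    print("fail-open, no signature  :", verify_fail_open(SAMPLE_CONFIG, None, SAMPLE_KEY))
    print("fail-closed, no signature:", verify_fail_closed(SAMPLE_CONFIG, None, SAMPLE_KEY))
    print("https + valid signature  :",
          accept_config("https://config.example.invalid/cfg", SAMPLE_CONFIG, good_sig, SAMPLE_KEY))
    print("http  + valid signature  :",
          accept_config("http://config.example.invalid/cfg", SAMPLE_CONFIG, good_sig, SAMPLE_KEY))
```

The transport check matters even with a correct signature: the report notes the app may keep a persistent configuration, so a tampered file accepted once over HTTP could outlive the session in which it was injected.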
It is important to highlight that an attacker needs physical access to the device and the user’s password to exploit this flaw.
Google said the issue is not a vulnerability in Android or Pixel systems and announced that the app will be removed from all supported in-market Pixel devices with an upcoming Pixel software update.
Google is also notifying other Android OEMs.
iVerify noted that the concern is serious enough that Palantir Technologies is opting to ban Android devices from its mobile fleet over the next few years.
“The Showcase.apk discovery and other high-profile incidents, like running third-party kernel extensions in , highlight the need for more transparency and discussion around having third-party apps running as part of the operating system. It also demonstrates the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices.” concludes the report. “Further, why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown. The concern is serious enough that Palantir Technologies, who helped identify the security issue, is opting to remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years.”
Google fixed a high-severity flaw, tracked as CVE-2024-36971, impacting the Android kernel. The IT giant is aware that the vulnerability has been actively exploited in the wild. The company did not share details of the attacks exploiting this vulnerability.
The vulnerability is a remote code execution impacting the kernel.
“There are indications that CVE-2024-36971 may be under limited, targeted exploitation.” reads the published by Google.
The vulnerability was by Clement Lecigne of Google’s Threat Analysis Group (TAG). The TAG team investigates attacks carried out by nation-state actors and .
Android Security Bulletin for August 2024 addressed a total of 47 vulnerabilities in Framework (13), System (1), Kernel (1), Arm components (2), Imagination Technologies (1), MediaTek components (1), Qualcomm components (21), and Qualcomm closed-source components (7).
The vulnerabilities addressed by Google include Elevation of Privileges, DoS, Remote Code Execution, and Information disclosure.
“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed.” continues the advisory.
In June 2024, Google of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” the advisory.
As usual, the IT giant did not provide technical information about attacks exploiting the above issue.
The Pixel Update Bulletin provides details of security vulnerabilities and functional improvements for supported Google Pixel devices. The company addressed all the flaws detailed in the bulletin with the release of the security patch levels of 2024-06-05 or later and the June 2024 Android Security Bulletin.