Malicious apps with >1 million downloads slip past Google defenses twice

[Image: One of the fee-based services ExpensiveWallpaper apps subscribed users to.]

Researchers recently found at least 50 apps in the official Google Play market that made charges for fee-based services without the knowledge or permission of users. The apps were downloaded as many as 4.2 million times. Google quickly removed the apps after the researchers reported them, but within days, apps from the same malicious family were back and infected more than 5,000 devices.

The apps, all from a family of malware that security firm Check Point calls ExpensiveWall, surreptitiously uploaded phone numbers, locations, and unique hardware identifiers to attacker-controlled servers. The apps then used the phone numbers to sign up unwitting users to premium services and to send fraudulent premium text messages, a move that caused users to be billed. Check Point researchers didn’t know how much revenue was generated by the apps. Google Play showed the apps had from 1 million to 4.2 million downloads.

Packing heat

ExpensiveWall—named after one of the individual apps called LovelyWall—used a common obfuscation technique known as packing. By compressing or encrypting the executable file before it’s uploaded to Play, attackers can hide its maliciousness from Google’s malware scanners. A key included in the package then reassembled the executable once the file was safely on the targeted device. Although packing is more than a decade old, Google’s failure to catch the apps, even after the first batch was removed, underscores how effective the technique remains.


Researchers report >4,000 apps that secretly record audio and steal logs

A single threat actor has aggressively bombarded Android users with more than 4,000 spyware apps since February, and in at least three cases the actor snuck the apps into Google’s official Play Market, security researchers said Thursday.

Soniac was one of the three apps that made its way into Google Play, according to a blog post published Thursday by a researcher from mobile security firm Lookout. The app, which had from 1,000 to 5,000 downloads before Google removed it, provided messaging functions through a customized version of the Telegram communications program. Behind the scenes, Soniac had the ability to surreptitiously record audio, take photos, make calls, send text messages, and retrieve logs, contacts, and information about Wi-Fi access points. Google ejected the app after Lookout reported it as malicious.

Two other apps—one called Hulk Messenger and the other Troy Chat—were also available in Play but were later removed. It’s not clear if the developer withdrew the apps or if Google expelled them after discovering their spying capabilities. The remaining apps—which since February number slightly more than 4,000—are being distributed through other channels that weren’t immediately clear. Lookout researcher Michael Flossman said those channels may include alternative markets or targeted text messages that include a download link. The apps are all part of a malware family Lookout calls SonicSpy.


Majority of Android VPNs can’t be trusted to make users more secure

Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google’s official Play Market finds that the vast majority of them can’t be fully trusted. Some of them don’t work at all.

According to a research paper that analyzed the source-code and network behavior of 283 VPN apps for Android:

- 18 percent didn’t encrypt traffic at all, a failure that left users wide open to man-in-the-middle attacks when connected to Wi-Fi hotspots or other types of unsecured networks
- 16 percent injected code into users’ Web traffic to accomplish a variety of objectives, such as image transcoding, which is often intended to make graphic files load more quickly. Two of the apps injected JavaScript code that delivered ads and tracked user behavior. JavaScript is a powerful programming language that can easily be used maliciously
- 84 percent leaked traffic based on the next-generation IPv6 internet protocol, and 66 percent don’t stop the spilling of domain name system-related data, again leaving that data vulnerable to monitoring or manipulation
- Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent of them used third-party tracking libraries to monitor users’ online activities.
- 82 percent required user permissions to sensitive resources such as user accounts and text messages
- 38 percent contained code that was classified as malicious by VirusTotal, a Google-owned service that aggregates the scanning capabilities of more than 100 antivirus tools
- Four of the apps installed digital certificates that caused the apps to intercept and decrypt transport layer security traffic sent between the phones and encrypted websites

[Image: Apps that intercepted and decrypted TLS traffic.]

The researchers—from Australia’s Commonwealth Scientific and Industrial Research Organization, the University of South Wales, and the University of California at Berkeley—wrote in their report:


Microsoft Outlook Is Getting Ready To Cannibalize Calendar App Sunrise

Microsoft’s been upping its app game for a while now, and the one that’s received the most attention is Outlook. Earlier this year, Microsoft redesigned Outlook to look just like Acompli, an email client it bought months earlier. Now Sunrise, a super-great calendar app recently acquired by Microsoft, will also be sacrificed for the Outlook greater good.


Amazon Underground has completely free apps, including in-app extras

Free apps sometimes try to rope you into in-app purchases to make a profit. Not so with Amazon’s new approach to free software, though, as the online retailer is offering over $10,000 in apps, games and even those in-app add-ons at no cost. Yes, it sounds too good to be true on the surface, but Bezos & Co. will compensate developers based on how long you use their apps. Amazon will shell out per-minute payments in exchange for developers nixing any fees, which means the software is free to download and use. GdgtSpot reports that the company’s “Free App of the Day” promotion is no more, so it looks like Underground will replace it. Since Google Play’s rules don’t allow for apps that serve up other apps or games, you’ll have to download the Underground app directly from Amazon. And when you do, look for the “Actually Free” designation for items that are included in the new initiative.

Source: Amazon


Amazon’s Giving Away 26 Premium Android Apps and Games For Free

Amazon’s running another one of their signature Android app giveaways, highlighted this time around by the likes of Plants vs. Zombies, Wolfram|Alpha, Runtastic PRO, and Osmos HD. If you own an Android device, take a minute to check out the full list and download anything you might want before the deal ends. [Amazon Appstore]


Google’s iOS App Just Got a Material Design Makeover And Much More

Google Search now has a completely new look for iOS, though it’s one many Android users will be familiar with. The Search team is bringing Android Lollipop’s Material Design language to the Search app along with lots of other features and optimization for iPhone 6 and iPhone 6 Plus.


You Can Now Stream All the Disney Movies You Own on Android

At the start of the year, Disney launched an app for iOS which allows you to stream all the Disney, Pixar, and Marvel movies you own. Now, it’s arrived on Android, too.


An App Can Tell If Addicts Are Faking Withdrawal Tremors To Get a Fix

If your body is used to consuming alcohol every day, and you suddenly stop cold turkey, you’re going to experience withdrawal symptoms including tremors. They’re treatable with benzodiazepine drugs, but oftentimes those can be abused by addicts who fake tremors in order to get a prescription. Spotting those fake tremors isn’t always easy, so researchers at the University of Toronto have created a smartphone app that’s incredibly hard to fool.
