Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

The Hacker News

More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication, Comparitech said.

Full article

Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

The Hacker News

Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert.

Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a release published on April 29th.

We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours, F-Secure researchers had previously warned in an advisory last week.

Full article

49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

The Hacker News

Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies.

The 49 browser add-ons, potentially the work of Russian threat actors, were identified (find the list here) by researchers from MyCrypto and PhishFort.

Full article

Hackers Used Local News Sites to Install Spyware On iPhones

The Hacker News

A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices.

According to research published by Trend Micro and Kaspersky, the “Operation Poisoned News” attack leverages a remote iOS exploit chain to deploy a feature-rich implant called ‘LightSpy’ through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control.

Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim’s device and load it with malware.

Full article

Critical RCE Bug Affects Millions of OpenWrt-based Network Devices

The Hacker News

A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.

Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.

Full article

Over 50 Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme

The Hacker News

More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

Dubbed “Tekya,” the malware in the apps imitated users’ actions to click ads from advertising networks such as Google’s AdMob, AppLovin’, Facebook, and Unity, cybersecurity firm Check Point Research noted in a report shared with The Hacker News.

“Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on),” the researchers said.

Full article