
“Blabby” Apps Sharing Data With Facebook

On February 22nd, The Wall Street Journal (“WSJ”) reported that 11 iOS and Android apps were purportedly sharing sensitive data with Facebook in apparent violation of Facebook’s own policies. The WSJ further reported that tests showed that Facebook collects data from numerous apps within seconds of data entry by the user. This appears to be the case even when a user is not logged into Facebook and even if a user does not have a Facebook account. Following the initial WSJ report, the WSJ reported that certain apps ceased sending data to Facebook.

Governor Cuomo has called on two state agencies, the New York Department of State and the Department of Financial Services, to investigate the issue of apps sharing data without explicit user consent. Further, Governor Cuomo has also asked federal regulators to “step up and help us put an end to this practice and protect the rights of consumers”. Reuters reports that “New York’s financial services department does not traditionally supervise social media companies directly, but has waded into digital privacy in the financial sector and could have oversight of some app providers that send user data to Facebook”.

For more information, please see: 

Facebook Location Services Update for Android Users

Facebook has updated the location controls for Android devices to give users an additional option, offering choices similar to those available on iOS devices. Prior to this update, if you shared Facebook location information on an Android device, your location information would be shared even when you were not using the app. Android users will now have the following three choices with respect to Location Services in the Facebook app:

  • Never: Your app can’t access your precise location
  • While Using: Your app can access your precise location while you’re using the app
  • Always: Your app can access your precise location even when you’re not using the app

Facebook has advised users that it is not changing user-specified choices, nor does this update allow it to collect any new information. Users who have not enabled Location Services do not need to do anything, but Facebook requests that Android users who have enabled Location Services review their location settings to confirm that their preference is correctly reflected.
 
Apparently the next major Android update, Android Q, is going to offer users a location control setting similar to the iOS “only while the app is in use” option.

Resources:

Triout Android Spyware Reprise

Android malware dubbed Triout has re-emerged, posing as the trusted online privacy application Psiphon to trick users into downloading it. The legitimate “com.psiphon3” package is available in Google’s app store, Google Play, and is advertised as a privacy tool that enables access to the open internet. The application has over 50 million installs and over 1 million reviews. The malicious version is bundled with Triout and is not available via Google Play.

Triout acts as spyware that collects device data and can record phone calls, log incoming text messages, record videos, access or take photos, and access location information. It also comes bundled with three adware components: Google Ads, Inmobi Ads and Mopub Ads. Both the legitimate and malicious Psiphon applications have a similar look and equivalent functionality, but the malicious version is built on v91 of the original application to distribute the Triout spyware. The current version of the legitimate application is v241.

Recommendations:

  • Download apps from official marketplaces only.
  • Keep your device OS (operating system) and applications up to date.

Resource:

Executive Impersonation Phishing Campaign Alert

There are reports of a widespread business email compromise (BEC) phishing campaign across multiple industries that involves impersonation of a senior executive and targets other senior executives within an organization. The spoofed email states that a planned board meeting needs to be rescheduled and requests participation in a Doodle poll to identify a new date for the meeting. The poll requests entry of personal information via an Office 365 credential theft site. Additional known facts include:

  • The subject line of these emails has consistently appeared as: New Message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
  • The Doodle poll links to an Office 365 credential theft site, with a primary domain ending in web.core.windows.net.
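The two indicators above (the fixed subject line and a poll link whose host ends in web.core.windows.net) can be turned into a simple mail-triage check. The following is an added example, not part of the original alert or of any GreatHorn tooling; the sample messages, sender addresses and link are constructed for illustration, and the check flags messages for review rather than blocking them, because legitimate Azure static sites also live under that suffix.

```python
import re
from email import message_from_string
from email.policy import default
from typing import Dict, List

# Indicators taken from the alert: the campaign's subject line (company name
# varies) and the hosting domain suffix of the credential theft page.
SUBJECT_PATTERN = re.compile(
    r"^New Message: .+ February in-person Board Mtg scheduling \(2/24/19 update\)$"
)
SUSPECT_LINK_SUFFIX = "web.core.windows.net"
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")

# Constructed sample resembling the alert's message (addresses are made up).
SAMPLE_EMAIL = """\
From: CEO <ceo@example.com>
To: CFO <cfo@example.com>
Subject: New Message: ExampleCorp February in-person Board Mtg scheduling (2/24/19 update)
Content-Type: text/html

<p>You have a new message: Please review new dates for availability - we have expanded the choices.</p>
<a href="https://poll-example.web.core.windows.net/office365/login">Participate now</a>
"""

# Constructed benign message used to show the check does not fire on ordinary mail.
BENIGN_EMAIL = """\
From: Assistant <assistant@example.com>
To: CFO <cfo@example.com>
Subject: Lunch menu for Thursday
Content-Type: text/plain

Menu is posted at https://intranet.example.com/menu
"""

def extract_link_hosts(body: str) -> List[str]:
    """Return the host portion of every http(s) URL found in the message body."""
    return [m.group(1).lower() for m in URL_RE.finditer(body)]

def triage(raw: str) -> Dict[str, object]:
    """Flag a raw RFC 822 message if it matches either indicator from the alert."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    findings = []
    if SUBJECT_PATTERN.match(subject):
        findings.append("subject matches the known BEC campaign")
    hosts = extract_link_hosts(body)
    for host in hosts:
        if host.endswith(SUSPECT_LINK_SUFFIX):
            findings.append(f"link host {host} ends in {SUSPECT_LINK_SUFFIX}")
    return {"subject": subject, "link_hosts": hosts,
            "findings": findings, "suspicious": bool(findings)}
```

A message hitting either indicator should be routed to the security team for review before anyone follows the “Participate now” link.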

The following is a sample of the phishing message:

Screenshot of a sample phishing message with the text "You have a new message: Please review new dates for availability - we have expanded the choices." Below the text is a "Participate now" button.

Image courtesy of GreatHorn

On mobile devices, the phishing message may appear as follows:

Screenshot showing the phishing message above on a mobile device. It appears to be from "Note to self" to "You".

Image courtesy of GreatHorn

Resource:

Cry Tekk, Ransomware + Phishing Alert

A new ransomware variant dubbed Cry Tekk uses a phishing tactic in its ransom note, which allows users to bypass bitcoin payment and pay the ransom of $40 via a “Buy Now” option. The “Buy Now” option appears in a PayPal window, and when users click it they are taken to a purported PayPal dialog, which is a phishing page designed to steal payment information, as follows:

Screenshot of a spoofed PayPal dialog requesting credit card confirmation “for more security”

Image courtesy of MalwareHunterTeam

Further, the next dialog requests the victim’s personally identifiable information (PII) as a PayPal confirmation, as follows:

Screenshot of a spoofed PayPal dialog requesting a confirmation of personal information including name, DOB, address and phone number

Image courtesy of MalwareHunterTeam

Finally, the victim receives a fake confirmation alerting them that their PayPal account has been fully restored, although no PayPal account restoration was ever at issue. At this point, the malicious actors have stolen both payment card data and PII, and the victim is directed to the legitimate PayPal login page, where s/he can pay the requested ransom.

There are few details available at this time about how Cry Tekk ransomware is delivered, but please be alerted to this “threat within a threat” scheme: victims anxious to receive a decryption key may fail to scrutinize the payment options and the URLs associated with the payment pages, to their own detriment.

Please be reminded of the following:

  • Ransom payment does not guarantee the receipt of a decryption key.
  • The appearance of a ransom message on your device does not necessarily mean you’ve been infected with ransomware. The message may be a lie in an attempt to extort payment. The telltale sign of ransomware is encryption of files and replacement of file extensions.
  • If you suspect your device has been infected with ransomware (e.g., you notice that some of the file extensions of your documents have changed), immediately disconnect from the network and from any other connected systems, such as cloud accounts, and mounted devices, such as flash drives.
  • Alert your local IT Admin and the NYU IT Service Desk of the issue.
  • The best way to recover from ransomware is via a wipe of the device at issue and a restoration from back-ups. Before restoring from back-ups, confirm that ransomware did not spread to any mounted devices or connected systems.

Resources: