A United States–funded mobile carrier that offers phones via the Lifeline Assistance program is selling a mobile device pre-installed with not one, but two malicious applications. Assurance Wireless by Virgin Mobile offers the UMX U686CL phone as their most budget conscious option. At only $35 under the government-funded program, it’s an attractive offering.

by Ecular Xu and Joseph C Chen We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack i

The bevy of mobile device sensors in modern smartphones and tablets make them more akin to pocket-sized laboratories and media studios than mere communication devices. Cameras, microphones, accelerometers, and gyroscopes give incredible flexibility to app developers and utility to mobile device users. But the variety of inputs also give clever hackers new me

byLisa Vaas“Fragile?” “Handle with care?”“Meh! Looks like a football to me,” workers for the UK parcel delivery company Yodel must have said around the time – 2016 – they were caught on video, apparently tossing packages around.Have they grown more tender? Dunno, but FWIW, a year after the football exposé, they made it to the top of the country&#

byJohn E DunnFor anyone lucky enough to get them, Android’s December 2019 updates arrived this week, patching a small list of system and Qualcomm flaws across the operating system’s two patch levels.In Google’s estimation, at the top of the urgent list on the 2019-12-01 patch level (see below for explanation) is CVE-2019-2232, a critical flaw affecting Andro

We found a new spyware family disguised as chat apps on a phishing website. We believe that the apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign. We first came across the threat in May on the site http://gooogle[.]press/, which was advertising a chat app called “Chatrious.” Users can download the malicious

byLisa VaasThe dry facts: A US court has come down in favor of Fifth Amendment protections against forced disclosure of a 64-character passcode in a child abuse imagery case = an important interpretation of whether forced password disclosure is the modern equivalent of an unconstitutionally coerced confession.The gut punch: The defendant is a man previously

By Lance Jiang and Jesse Chang CVE-2019-11932, which is a vulnerability in WhatsApp for Android, was first disclosed to the public on October 2, 2019 after a researcher named Awakened discovered that attackers could use maliciously crafted GIF files to allow remote code execution. The vulnerability was patched with version 2.19.244 of WhatsApp, but the under

By Jessie Huang We recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps are typical adware, hiding themselves within mobile devices to show ads and deploying anti-uninstall and evasion functions. These apps are no longer live but before they were taken down by Google, the total number of downloads was more tha

Several news outlets over the last few days are talking about how TikTok, the viral short video app where millions of teens post comedy skits set to music, is under fire from U.S. lawmakers.   CNN reports US lawmakers on both sides of the aisle warn that the app could pose a national security risk, and are calling on regulators and intelligence agencies to

Last week on Malwarebytes Labs, we announced the launch of Malwarebytes 4.0, tackled data privacy legislation, and explored some of the ways robocalls come gunning for your data and your money. We also laid out the steps involved in popular vendor email compromise attacks. Other cybersecurity news Bug bounty bonanza: Rockstar Games open up their bounty prog

As we gear up to feast with family and friends this Thanksgiving, we also get our wallets ready for Black Friday and Cyber Monday. Black Friday and Cyber Monday have practically become holidays themselves, as each year they immediately shift our attention from turkey and pumpkin pie to holiday shopping. Let’s take a look at these two holidays, and how their

By Song Wang (Mobile Threat Analyst) At the start of the year, Google updated its permission requests in Android applications, and in particular, restricted access to SMS and CALL Log permissions. Google also added requirements for non-default applications (or those that don’t provide critical core features), allowing them to prompt and ask users for permiss

A researcher has published a proof-of-concept (PoC) exploit code for the CVE-2019-2215 zero-day flaw in Android recently addressed by Google Earlier October, Google Project Zero researchers Maddie Stone publicly disclosed a zero-day vulnerability, tracked as CVE-2019-2215, in Android. According to the expert, the bug was allegedly being used or sold by

byDanny BradburyJailbreaking iPhones has become a lot harder with each new version of the hardware, but this weekend saw two new announcements that enable people to install apps on their phones. One of them is a traditional jailbreak, while the other is an alternative app store that uses a loophole in Apple’s code-signing process.Jailbreaking is a form