
Tag: text message

VU#251927: CalAmp LMU-3030 devices may not authenticate SMS interface

OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS (text message) interface. We have found multiple deployments where no password was configured for this interface by the integrator/reseller.

Companies using the CalAmp hardware should be aware that they need to set a password or disable SMS.
Vendors were notified and the SMS interface was disabled or password-protected by all vendors known to be affected.

Samsung develops emoji-based chat app for people with language disorders

For when emojis are even more necessary than words.

Half-baked security: Hackers can hijack your smart Aga oven ‘with a...

This IoT goose is cooked. Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned.…

Travel routers are a hot mess of security flaws

One of the worst offenders only needs a text message sent to turn over the router's admin credentials.

TP-Link 3G/Wi-Fi modem spills credentials to an evil text message

So why can it read scripts sent by SMS anyhow? TP-Link's M5350 3G/Wi-Fi router has the kind of howling bug that gives infosec pros nightmares.…

Ransomware scammers exploited Safari bug to extort porn-viewing iOS users

Apple fixes flaw attackers used to trick uninformed users into paying a fine.

Vigilante who conspired to hack local football website sentenced to 2...

Local prosecutor: Deric Lostutter got story wrong, hurt rape investigation.

Dear Kaspersky Lab: Yours is a very bad installer

Installing Kaspersky Internet Security reveals some gaps in software security practices.

Forgotten passwords are bane of the Internet. Facebook wants to fix...

New Facebook service aims to make security questions a thing of the past.

At trial, Zuckerberg is “highly confident” Oculus built its own technology

[Image: Facebook CEO Mark Zuckerberg wanders past oblivious people in Samsung Gear VR headsets in a photo that is not from this trial.]

In what he said was his first time testifying in a courtroom, Facebook CEO Mark Zuckerberg said he was "highly confident that Oculus products are built on Oculus technology." The testimony came during a trial in which ZeniMax Media, parent company of Bethesda Softworks and Id Software, alleges that Doom co-creator John Carmack stole trade secrets and destroyed evidence when he took VR technology developed as a ZeniMax employee over to Oculus when he became its Chief Technology Officer in 2013. Zuckerberg rebutted that idea flatly on the stand, saying, "the idea that Oculus products are based on someone else’s technology is just wrong" (as reported by The New York Times).

In his testimony, Zuckerberg hinted that ZeniMax was simply looking to latch on to Oculus' success in the wake of the company's $2 billion acquisition by Facebook in 2014. "It is pretty common when you announce a big deal or do something that all kinds of people just kind of come out of the woodwork and claim that they just own some portion of the deal," Zuckerberg said (as reported by The New York Times' Mike Isaac in this tweet). "Like most people in the court, I’ve never even heard of ZeniMax before. I know that our legal team would look into this and examine, but they aren’t going to take a lot of my time on something they don’t think is credible."

Based on reports from journalists in the audience at the Dallas trial, ZeniMax lawyers tried to press the case that Facebook didn't do enough due diligence to detect any alleged IP theft between Oculus and ZeniMax before purchasing the VR company for $2 billion in 2014. To support that argument, ZeniMax presented into evidence a text message to Zuckerberg from Amin Zoufonoun, Facebook's vice president of corporate development, saying that "there are things [Oculus] told us that are simply not true." In response, Zuckerberg texted back that he should "keep pushing forward until we have something we can sign on a moment’s notice, then we can figure out how long we wait for diligence," according to a courtroom report from Gizmodo's William Turton.

On the stand, Zuckerberg also confirmed ZeniMax's incredulous assertion that Facebook's "plan was to begin legal diligence on Friday and sign the deal on Monday." In a followup, Zuckerberg suggested that Oculus was a smaller company at the time and didn't need as much time for due diligence as other large Facebook acquisitions, such as WhatsApp. ZeniMax's lawyers established that Zuckerberg was not aware of an earlier non-disclosure agreement outlining the collaboration between Carmack and Oculus founder Palmer Luckey until 2016, when he was told about it by lawyers involved in the case.

The prosecution presented other evidence to show how eager Facebook was to get in on VR through an Oculus acquisition. "I wanted to just give him all my money on the spot," venture capitalist and Facebook board member Marc Andreessen reportedly said of John Carmack in introducing Zuckerberg to the idea of an Oculus purchase.

After seeing Oculus' technology in action, Zuckerberg wrote in an e-mail that the company was "miles ahead" of the competition. ZeniMax also tried to make some legal hay of Facebook's longstanding motto "move fast and break things," suggesting that Facebook may have "broken" some things in quickly signing the Oculus deal. Zuckerberg joked that the motto has changed and that Facebook now tries to "move fast and build stable infrastructure" (a modification Facebook has publicized at least since 2014). Aside from the questions about IP ownership, Zuckerberg also revealed in the trial that in addition to the $2 billion purchase price, Facebook had to spend an additional $700 million to retain key Oculus team members and another $300 million in deliverable milestone bonuses. In a statement provided to the press, Oculus said, "We're disappointed that another company is using wasteful litigation to attempt to take credit for technology that it did not have the vision, expertise, or patience to build."

Facebook 'Instant Verification' Speeds Up Android App Logins

Sign into an app using your phone number, and Facebook will cross-check it with the one on your Facebook account. Signing in to apps on your phone can be a hassle, but a new tool from Facebook is intended to help speed up the process for those who au...

The banker that encrypted files

Many mobile bankers can block a device in order to extort money from its user.

But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.
In addition to that, this modification is attacking more than 2,000 financial apps around the world. We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.

According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand. Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.

Preparing the groundwork

The Trojan is capable of interacting with protection mechanisms in the operating system.

For example, it requests rights to overlay other apps or the right to be a default SMS application.

This allows Faketoken to steal user data even in the latest versions of Android. Once the Trojan becomes active, it requests administrator rights.
If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice.

[Image: The Trojan imitating “Yandex.Navigator” to request administrator rights]

Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls.

These requests will also be repeatedly displayed until the user agrees to provide access. The Trojan then requests the right to display its windows on top of other applications.

This is necessary to block the device and steal user data by displaying phishing pages.

[Image: The Trojan requesting the right to display its windows on top of other applications]

The final request at the preparatory stage is for the right to be the default SMS application – this allows Faketoken to covertly steal text messages on the latest versions of Android.

The Trojan integrates the options necessary for the user to work with SMS. However, on some Android devices and versions when the user attempts to send an SMS via Faketoken it returns an error.

As a result, the user cannot send SMS messages until they manually change the SMS application.

The Trojan doesn’t like that, and will start requesting the right again. Manipulations with application shortcuts can also be added to the preparatory stage.

After launching, Faketoken starts downloading an archive containing file icons of several applications (the version being analyzed here has eight) related to social networks, instant messengers and browsers.

Then it tries to delete the previous shortcuts to these applications and create new ones.

[Image: On the test devices the Trojan failed to remove the previous shortcuts, which eventually led to the appearance of duplicates]

It is not clear why it does this because the shortcuts created by Faketoken lead to the original applications.

Data theft

Once the shortcuts are installed, the next stage of the Trojan’s work begins – the theft of user data.

Faketoken downloads a database from the server containing phrases in 77 languages for different device localizations.

[Image: Screenshot of the database with phrases in different languages]

Using these or other phrases from the database, depending on the operating system language, the Trojan will show the user various phishing messages.

[Image: Examples of phishing messages displayed by the Trojan]

If the user clicks on the message, the Trojan opens a phishing page designed to steal passwords from Gmail accounts. In addition to that, the Trojan overlays the original Gmail application with this page for the same purpose – to steal the password.

[Image: Phishing page imitating the login page of the Gmail mail service]

However, the Trojan doesn’t limit itself to Gmail. Like most modern mobile Trojans, Faketoken overlays the original Google Play app with its phishing window to steal the victim’s bank card details.

[Image: Phishing page used by the Trojan to steal credit card details]

The Trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world.

[Image: Example of the Trojan’s phishing pages designed for different applications]

It should be noted that the Trojan integrates functionality enabling it to call some of the methods from the HTML page it received from the C&C server.

As a result, in addition to the phishing functionality, the pages described above can get certain information about the device including the address of the Gmail account and, even worse, reset the device to factory settings.

What’s more, Faketoken can perform the following actions upon command from the C&C server:

Change masks to intercept incoming text messages;
Send text messages to a specified number with a specified text;
Send text messages with a specified text to a specified list of recipients;
Send a specified text message to all contacts;
Upload all text messages from the device to the malicious server;
Upload all the contacts from the device to the malicious server;
Upload the list of installed applications to the malicious server;
Reset the device to factory settings;
Make a call to a specified number;
Download a file to the device following a specified link;
Remove specified applications;
Create a notification on the phone to open a specified page or run a specified application;
Start overlaying specified applications with a specified phishing window;
Open a specified link in its own window;
Run an application;
Block the device in order to extort money for unblocking it. This command may include an option indicating the need to encrypt files.

Ransomware banker

As mentioned above, the ransomware functionality in mobile banking Trojans is now commonplace, after being pioneered by Svpeng in early 2014. However, the new Faketoken version can not only extort money by blocking the screen but also by encrypting user files.

[Image: Screenshot of the Trojan code that renames and then encrypts files.]

Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them.

The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom.

The Trojan receives the encryption key and the initialization vector from the C&C server.

The encrypted files include both media files (pictures, music, videos) and documents.

The Trojan changes the extension of the encrypted files to .cat.

In conclusion, we would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently), which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless.