New WAPDropper malware abuses Android devices for WAP fraud


Security researchers have detected a new strain of Android malware currently being distributed in the wild, primarily targeting users located in Southeast Asia.

Discovered by security firm Check Point, this new malware is named WAPDropper and is currently spread via malicious apps hosted on third-party app stores.

Check Point said that once the malware infects a user, it starts signing them up for premium phone numbers that charge large fees for various types of services.

The end result is that all infected users would receive large phone bills each month until they unsubscribed from the premium number or reported the issue to their mobile provider.

This type of tactic, known as “WAP fraud,” was very popular in the late 2000s and early 2010s. It died out with the rise of smartphones but made a comeback in the late 2010s, as malware authors realized that many modern phones and telcos still supported the older WAP standard.

WAPDropper gang most likely based in SE Asia

Check Point says that based on the premium phone numbers used in this scheme, the malware authors are most likely based or collaborating with someone in Thailand or Malaysia.

“In this and similar schemes, the hackers and the owners of the premium rate numbers are either co-operating or could even be the same group of people,” the company said today in a report.

“It’s simply a numbers game: the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam.”

As for the malware itself, Check Point says WAPDropper operated using two different modules. The first was known as a dropper, while the second module was the component that performed the actual WAP fraud.

The first module was the only one packed inside the malicious apps, primarily to reduce the size and fingerprint of any malicious code inside them. Once the apps were downloaded and installed on a device, this module would download the second component and start defrauding victims.

But Check Point also wants to raise a sign of alarm about this particular piece of…

Source…

Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs

November 18, 2020, Ravie Lakshmanan


Apple is facing the heat for a new feature in macOS Big Sur that allows many of its own apps to bypass firewalls and VPNs, thereby potentially allowing malware to exploit the same shortcoming to access sensitive data stored on users’ systems and transmit them to remote servers.

The issue was first spotted last month by a Twitter user named Maxwell in a beta version of the operating system.

“Some Apple apps bypass some network extensions and VPN Apps,” Maxwell tweeted. “Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.”

But now that the iPhone maker has released the latest version of macOS to the public on November 12, the behavior has been left unchanged, prompting concerns from security researchers, who say the change is ripe for abuse.

Of particular note is the possibility that the bypass can leave macOS systems open to attack, not to mention the inability to limit or block network traffic at users’ discretion.

According to Jamf security researcher Patrick Wardle, some 50 of the company’s own apps and processes have been exempted from firewalls like Little Snitch and Lulu.

The change in behavior comes as Apple deprecated support for Network Kernel Extensions last year in favor of Network Extensions Framework.

“Previously, a comprehensive macOS firewall could be implemented via Network Kernel Extensions (KEXTs),” Wardle noted in a tweet back in October. “Apple deprecated kexts, giving us Network Extensions… but apparently (many of) their apps/daemons bypass this filtering mechanism.”

NEFilterDataProvider makes it possible to monitor and control a Mac’s network traffic: a filter can “pass or block the data when it receives a new flow, or it can ask the system to see more of the flow’s data in either the outbound or inbound direction before making a pass or block decision.”

Because the exempted apps circumvent NEFilterDataProvider entirely, VPNs and firewalls built on it find it hard to block Apple’s applications.
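The pass/block/peek decision points described above, as an added Swift sketch that is not the article’s, Apple’s or Wardle’s code: a minimal NEFilterDataProvider that drops some flows outright and asks to peek at outbound bytes before deciding on the rest. The class name, the blocked port list and the CONNECT check are assumptions for illustration, and the host app that installs the system extension via NEFilterManager is not shown; the point the article makes is that the exempted Apple processes never reach a provider like this on Big Sur.

```swift
import Foundation
import NetworkExtension

// Content filter data provider (added example). Runs inside a system
// extension; the host app enables it through NEFilterManager (not shown).
// The port list and payload check are assumed policies for illustration.
class ExampleFilterDataProvider: NEFilterDataProvider {
    private let blockedRemotePorts: Set<String> = ["23", "6667"]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Route every outbound flow through handleNewFlow(_:).
        let anyOutbound = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                        localNetwork: nil, localPrefix: 0,
                                        protocol: .any, direction: .outbound)
        let rule = NEFilterRule(networkRule: anyOutbound, action: .filterData)
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // First decision point: pass, block, or ask to see flow data first.
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socket = flow as? NEFilterSocketFlow,
              let remote = socket.remoteEndpoint as? NWHostEndpoint else {
            return .allow()
        }
        let app = flow.sourceAppSigningIdentifier ?? "<unsigned>"
        if blockedRemotePorts.contains(remote.port) {
            NSLog("drop %@ -> %@:%@", app, remote.hostname, remote.port)
            return .drop()
        }
        // Peek at the first 1 KiB of outbound payload before deciding.
        return .filterDataVerdict(withFilterInbound: false, peekInboundBytes: 0,
                                  filterOutbound: true, peekOutboundBytes: 1024)
    }

    // Second decision point: called with the peeked outbound bytes.
    override func handleOutboundData(from flow: NEFilterFlow,
                                     readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        // Assumed policy: refuse flows that open a plaintext CONNECT tunnel.
        if readBytes.starts(with: Array("CONNECT ".utf8)) {
            return .drop()
        }
        return .allow()
    }
}
```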

Wardle also demonstrated an instance of how malicious apps could exploit this firewall bypass to exfiltrate sensitive data to an attacker-controlled server using a simple Python script that piggybacked the traffic onto an Apple…

Source…

Security experts level criticism at Apple after Big Sur launch issues



Users took to social media to complain about slow systems with one report pointing to an OCSP responder as the culprit.


Apple announced at its November 2020 event that macOS 11 Big Sur would arrive Nov. 12. 

Image: Apple

Apple was forced to issue a statement Monday on its data collection policies after last week’s release of Big Sur led to complaints of slow systems, which morphed into a larger debate about privacy on Macs and iPhones. The statement said the checks are part of its efforts to protect users from malware.

Apple released macOS Big Sur on Nov. 12 and hours later, hundreds of people took to social media to complain about problems they were having with certain applications on their Macs. Security expert Phil Vachon explained what happened on his blog Security Embedded, writing that an Online Certificate Status Protocol (OCSP) responder checking certificates of each and every application was to blame after an Apple server went down. 

Vachon said that in an effort to protect users and customers from malware, Apple uses an OCSP responder so that “at every launch of an app, macOS would dutifully check if the certificate used by the signer is still valid, per the OCSP responder. Of course, if macOS couldn’t reach the OCSP responder, it would go about its merry way launching an app. After all, a computer needs to work offline, too.”

“If Apple finds that an app they issued a certificate to is actually malware, they can rapidly revoke this certificate and prevent the malware from running, even on machines it has already installed itself on. This does put a lot of policy control in Apple’s hands. This is where you have to make a business decision as to whether or not you trust Apple to be benevolent or not,” Vachon wrote. 

“In the aftermath of the OCSP responder outage, and the dust settling on the macOS Big Sur release, there are a lot of folks reasonably asking if they can trust Apple to be in the loop of deciding what apps should or should not…

Source…

Apple Gatekeeper getting some big changes following privacy concerns



Last week, Apple had a bit of an issue on its hands among the flood of people attempting to update to macOS Big Sur. As Apple’s servers were overwhelmed, a number of Mac users discovered that they couldn’t launch apps. This turned out to be an issue with Apple Gatekeeper, which verifies that developer certificates are still valid before you run an app on your Mac, in an attempt to make sure that you’re about to run a legitimate application.

With Apple’s servers sidelined by the rush of people looking to download Big Sur, so too was Gatekeeper’s verification process. In the time since that incident, there’s been some concern that Apple is tracking users by way of Gatekeeper, and today the company updated its support page on the utility to describe just what it tracks and what it doesn’t.

“Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked,” Apple said. “We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.”

Furthermore, Apple says that the checks have “never included the user’s Apple ID or the identity of their device,” but the company says that it has nevertheless decided to stop “logging IP addresses associated with Developer ID certificate checks,” and that it will “ensure that any collected IP addresses are removed from logs.”

Beyond that, the company says that it will make a handful of changes to its Gatekeeper security checks over the course of the next year. Those changes include a “new encrypted protocol for Developer ID certificate revocation checks,” better protections against server failure (which will probably be a big relief for users after what happened last week), and a preference that gives users the ability to opt out of security checks.

While some users probably aren’t willing to take Apple at its word regarding these privacy issues, it’s worth pointing out that security researcher Jacopo Jannone has published…

Source…