Google Play fires sneaky data-gathering apps • The Register

In brief Google has pulled a slew of Android apps with over 46 million downloads from its Google Play Store after security researchers informed the cloud giant that the apps contained sneaky data-collecting code.

The apps included a radar app, multiple Muslim prayer apps, a QR scanner, a WiFi mouse tool, a weather app and others.

A Panama-based company, Measurement Systems, developed the code, according to AppCensus co-founder Joel Reardon, whose mobile app testing firm discovered that the software was too curious, reported it to Google, and published research on how it works.

According to The Wall Street Journal, which first reported the story, Measurement Systems has ties to a Virginia defense contractor that performs cyber intelligence, network defense and intelligence interception work for American national security agencies.

Google removed the apps on March 25, but said they could be re-listed if they removed questionable code to comply with Google Play Store rules on collecting user data. Some of the apps did and were already back on sale on April 6.

“All apps on Google Play must comply with our policies, regardless of developer. When we determine that an app violates these policies, we take appropriate action,” a Google spokesperson told The Register.

Infosec firm spots open Fox News database

Fox News said it secured an open database after Security Discovery bug hunters alerted the news agency to the impending security incident.

For its part, Fox News said the open database was in a development environment, not a live production environment, and no customer records were exposed.

“We were contacted in October 2021 by Security Dynamic regarding what would be properly characterized as a general enterprise development environment containing primarily a snapshot of public video metadata archives such as program descriptions and talent biographies,” said a spokesperson in an email to The Register.

“In addition, there was a list of work email addresses as well as URLs, other identifiers and environments that were no longer in use at the time of discovery,” the statement continued. “This environment did not service any Fox News applications or systems. The database was secured within hours of receipt of Security Dynamic’s report in accordance with our Responsible Disclosure Policy.”

Security Discovery co-founder Jeremiah Fowler, working with the research team at website building information firm Website Planet, discovered the non-password-protected database. They said the 58GB dataset contained nearly 13 million records covering storage information, internal emails, usernames, employee ID numbers and information about affiliated stations.

“One folder contained 65,000 names of celebrities, cast and production crew members and their internal FOX ID reference numbers,” the threat researchers wrote. “The recordings also captured a wide range of data points, including event logging, host names, host account numbers, IP addresses, interface, device data, and even more.”

Despite assurances from Fox News that this was a test environment, Fowler and friends noted that many of the records were labeled “prod”, which is usually an abbreviation for production records.

But even in a development environment, this data could pose a security risk because these environments often use the same storage repositories, middleware and infrastructure as live production environments, the threat researchers added.

Additionally, the security researchers made it clear that they were not implying that customer or user data was at risk, and they applauded Fox’s security team for acting “quickly and professionally” to shut down the exposed database. Still, “any database not protected by a password could potentially allow someone to insert malicious code into the network,” they noted.

Autodesk fixes very serious bugs

Autodesk has fixed several very serious vulnerabilities which, if exploited, could allow attackers to execute arbitrary malicious code on vulnerable machines and steal sensitive information.

Security firm Fortinet’s threat research team discovered the bugs, which affect Autodesk’s DWG TrueView, Design Review and Navisworks, and reported them to the software vendor. Its research team also provided an overview of the seven vulnerabilities.

Both companies urge users to apply patches as soon as possible.

The first five bugs, CVE-2022-27525, CVE-2021-40167, CVE-2022-27526, CVE-2022-27527, and CVE-2022-25797, are memory corruption vulnerabilities.

CVE-2022-27525 affects Autodesk Design Review. This is caused by a malformed Design Web Format (DWF) file, “which causes out-of-bounds writing due to improper bounds checking,” Fortinet explained.

If exploited, this bug could allow cybercriminals to execute arbitrary malicious code through a specially crafted DWF file.

CVE-2021-40167 affects the same product and is also caused by a buggy DWF file. This could allow an attacker to leak memory in the application context.

CVE-2022-27526, which could also be exploited to cause memory leaks, affects Autodesk’s Design Review product. A malformed Truevision (TGA) file causes this bug. Specifically, the TGA file “causes out-of-bounds memory access, due to improper bounds checking when manipulating a pointer to an allocated buffer,” Fortinet said.

CVE-2022-27527 affects Autodesk Navisworks. This is caused by a malformed PDF file, which also results in out-of-bounds memory access.

The fifth memory corruption bug, CVE-2022-25797, caused by a malformed DWG file, affects DWG TrueView and could allow a criminal to execute arbitrary code using a specially crafted DWG file.

CVE-2022-27523, a buffer overread vulnerability in Autodesk DWG TrueView, could allow a remote attacker to leak sensitive data using a malicious DWG file.

And finally, CVE-2022-27524 is an out-of-bounds vulnerability in DWG TrueView that could be exploited to leak sensitive data.

CISA and D-Link call for retirement of end-of-life routers

CISA has advised anyone using certain older D-Link routers to take them offline before criminals find and exploit a critical remote code execution vulnerability.

On Monday, CISA added the RCE bug, tracked as CVE-2021-45382, to its catalog of known exploited vulnerabilities. It exists in all H/W revisions of the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L series routers via the Dynamic Domain Name System (DDNS) feature in the ncc2 binary file.

The ncc2 service allows some firmware and language file upgrades through the web interface. But as Malwarebytes Labs researcher Pieter Arntz explained, “the ncc2 service on affected devices appears to have shipped with a number of diagnostic hooks available.”

If exploited, this would allow an attacker to call these hooks without authentication. “These files appear to be rendered when queried and can be used both to query the given device for information, as well as to enable on-demand diagnostic services,” he added.

The software bug received a CVSS score of 9.8, which means it is essential that users fix it immediately. But since the affected routers are end of life, D-Link is not releasing any patches for the vulnerable devices.

CISA and D-Link suggest that you remove these models as soon as possible, before a cybercriminal finds the vulnerability.

And if you’re still not convinced, there’s a proof-of-concept on GitHub, which allows any malefactor to remotely take control of vulnerable devices and then execute malicious code.

Cybercriminals are still exploiting Spring4Shell

Malefactors are continuing to exploit the Spring Java framework’s remote code execution vulnerability a week after security researchers discovered the nasty software bug.

A week after the initial outbreak, Check Point Research said it saw around 37,000 attempts to exploit the vulnerability, dubbed “Spring4Shell”.

While organizations around the world have been affected by the bug, Europe has been hit the hardest, according to the security firm.

In the first four days after discovery, 16% of organizations worldwide experienced exploit attempts. But in Europe, that number has risen to 20%. Australia and New Zealand rank second with 17%, followed by Africa (16%), Asia (15%), Latin America (13%) and North America (11%).

Unsurprisingly, the ISV industry has been the hardest hit by Spring4Shell. According to Check Point, 28% of companies in this sector have been affected by the vulnerability. Education and research organizations were the second most affected, with 26% impact. And Insurance/Legal, ISP/MSP, and Financial Institutions/Banking tied for third at 25%.

While noting that its own CloudGuard AppSec customers were not vulnerable, “If your organization uses Java Spring and does not use CloudGuard AppSec, immediately review your software and update to the latest versions following official Spring Project guidelines,” advised the security company. ®