File-storage app 4shared caught serving invisible ads and making purchases without consent

With more than 100 million installs, file-sharing service 4shared is one of the most popular apps in the Android app store.

But security researchers say the app is secretly displaying invisible ads and subscribing users to paid services, racking up charges without the user’s knowledge — or their permission — and collectively costing millions of dollars.

“It all happens in the background… nothing appears on the screen,” said Guy Krief, chief executive of London-based Upstream, which shared its research exclusively with TechCrunch.

The researchers say the app contains suspicious third-party code that allowed the app to automate clicks and make fraudulent purchases. They said the component, built by Hong Kong-based Elephant Data, downloads code which is “directly responsible” for generating the automated clicks without the user’s knowledge. The code also sets a cookie to determine if a device has previously been used to make a purchase, likely as a way to hide the activity.

Upstream also said the code deliberately obfuscates the web addresses it accesses and uses redirection chains to hide the suspicious activity.

Over the past few weeks, Upstream said, it has blocked more than 114 million suspicious transactions originating from two million unique devices, according to data from its proprietary security platform; the company said those transactions would cost consumers if they were not blocked. Upstream only has visibility in certain parts of the world — Brazil, Indonesia and Malaysia to name a few — suggesting the number of observed suspicious transactions is likely a fraction of the total.

Then in mid-April, 4shared’s app suddenly disappeared from Google Play and was replaced with a near-identical app with the suspicious components removed.

At the time of writing, 4shared’s new app has more than 10 million users.

Irin Len, a spokesperson for 4shared, told TechCrunch that the company was “unaware” of the fraudulent ad activity in its app until we reached out, but confirmed the company no longer works with Elephant Data.

Len said the old app was removed by Google “without reason,” but its suspicions quickly fell on the third-party components, which the company removed before resubmitting the app for approval. But because the old app was pulled from Android’s app store, 4shared said it wasn’t allowed to push an update to existing users to remove the suspicious components from their devices.

Google did not respond to TechCrunch’s request for comment.

We sent Elephant Data several questions and follow-up emails prior to publication but we did not hear back.

4shared, owned by New IT Solutions based in the British Virgin Islands, makes a brief reference to Elephant Data in its privacy policy but doesn’t explicitly say what the service does. 4shared said since it’s unable to control or disable Elephant Data’s components in its old app, “we’re bound to keep the detailed overview of which data may be processed and how it may be shared” in its privacy policy.

Little else is known about Elephant Data, except that it bills itself as a “market intelligence” solution designed to “maximize ad revenue.”

The ad firm has drawn criticism in several threads on Reddit, one of which accused the company of operating a “scam” and another of which called the offering “dodgy.” One developer said he removed the components from his app after it began to suffer from battery-life issues, but Elephant Data was “still collecting data” from users who hadn’t updated their apps.

The developer said Google also banned his app, forcing him to resubmit an entirely new version of his app to the store.

It’s the latest app in recent months to be accused of using invisible ads to generate fraudulent revenue. In May, BuzzFeed News reported similar suspicious behavior and fraudulent purchases in Chinese video app VidMate.

Donald Trump is one of 15,000 Gab users whose account just got hacked

The founder of the far-right social media platform Gab said that the private account of former President Donald Trump was among the data stolen and publicly released by hackers who recently breached the site.

In a statement on Sunday, founder Andrew Torba used a transphobic slur to refer to Emma Best, the co-founder of Distributed Denial of Secrets. The statement confirmed claims the WikiLeaks-style group made on Monday that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in its code.

“My account and Trump’s account were compromised, of course as Trump is about to go on stage and speak,” Torba wrote on Sunday as Trump was about to speak at the CPAC conference in Florida. “The entire company is all hands investigating what happened and working to trace and patch the problem.”

An important data set

GabLeaks, as DDoSecrets is calling the leak, comes almost eight weeks after pro-Trump insurrectionists stormed the US Capitol. The rioters took hundreds of thousands of videos and photos of the siege and posted them online. Mainstream social media sites removed much of the content because it violated their terms of service.

“The Gab data is an important, but complicated dataset,” DDoSecrets personnel wrote in a post on Monday morning. “In addition to being a corpus of the public discourse on Gab, it includes every private post and many private messages, as well. In a simpler or more ordinary time, it’d be an important sociological resource. In 2021, it’s also a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup.”

Gab and a competing site called Parler were some of the last refuges that allowed much of the content to remain publicly available. Amazon and web hosting providers later cited a lack of adequate content moderation in suspending service to Parler.

Shortly before the shuttering, however, somebody found a way to use Parler’s publicly available programming interfaces to scrape about 99 percent of the user content from the site and subsequently make it publicly available.

While law enforcement groups likely had other ways to obtain the Parler data, its public availability enabled a much wider body of people to do their own research and investigations. The leak was especially valuable because materials contained metadata that’s usually stripped out before users can download videos and images. The metadata gave people the ability to track the precise timelines and locations of filmed participants.

DDoSecrets said that the 70GB GabLeaks contains over 70,000 plaintext messages in more than 19,000 chats by over 15,000 users. The dump also shows passwords that are “hashed,” a cryptographic process that converts plaintext into unintelligible characters. While hashes can’t be converted back into plaintext, cracking them can be trivial when websites choose weak hashing schemes. (Best told Ars they didn’t know what hashing scheme was used.) The leak also includes plaintext passwords for user groups.
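The point above about hashing schemes is the one a defender should take from the leak: a stored hash is only as hard to crack as the scheme behind it. The following added example (written for this page; it is not code from Gab, DDoSecrets, or the article, and the sample passwords are constructed) contrasts an unsalted single-round SHA-256, which is fast and deterministic so equal passwords collide and precomputed tables match it directly, with salted, memory-hard scrypt from Python’s standard library, which makes every digest unique and costly to evaluate.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample passwords for the demonstration; not taken from any leak.
SAMPLE_PASSWORDS = ["password123", "password123", "correct horse battery staple"]


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-256.

    Fast and deterministic: two users with the same password get the same
    digest, and a precomputed table of common passwords matches it directly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt with a random 16-byte salt and a memory-hard work factor.

    Returns (salt, digest); both are stored, the salt in the clear.
    n=2**14, r=8, p=1 is a modest cost suitable for interactive logins.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32
    )
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def distinct_digests(passwords: Iterable[str]) -> Tuple[int, int]:
    """Count distinct digests each scheme produces for the same inputs.

    The weak scheme collapses repeated passwords into one digest, revealing
    which users share a password; the salted scheme does not.
    """
    passwords = list(passwords)
    weak = {weak_hash(p) for p in passwords}
    strong = {strong_hash(p)[1] for p in passwords}
    return len(weak), len(strong)


if __name__ == "__main__":
    print("distinct digests (weak, salted scrypt):", distinct_digests(SAMPLE_PASSWORDS))
    salt, digest = strong_hash("correct horse battery staple")
    print("verify correct password:", verify("correct horse battery staple", salt, digest))
    print("verify wrong password:", verify("password123", salt, digest))
```

On the sample list, the weak scheme yields two distinct digests for three users (the two “password123” entries collide), while scrypt yields three; the scrypt parameters can be raised as hardware improves without changing the storage format, since the salt and cost are stored alongside the digest.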

Hate-speech haven

Gab has long been criticized as a haven for hate speech. In 2018, Google banned the Gab app from its Play Store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.

Gab has also been investigated by Pennsylvania’s attorney general. In January, the Anti-Defamation League called on the US Justice Department to investigate Gab for its role in the insurrectionist attack on the Capitol.

Attempts to reach Torba for comment didn’t succeed.

Best said that DDoSecrets is making GabLeaks available only to journalists and researchers with a documented history of covering leaks. People can use this link to request access.

Verizon tells users to disable 5G to preserve battery, then deletes tweet

Photo: A Verizon booth at Mobile World Congress Americas in Los Angeles in September 2018.

Verizon has spent years hyping 5G despite it bringing just a minor speed upgrade outside the limited areas where millimeter-wave spectrum has been deployed, but the carrier’s support team advised users yesterday to shut 5G off if their phones are suffering from poor battery life.

The tweet from VZWSupport, now deleted, said, “Are you noticing that your battery life is draining faster than normal? One way to help conserve battery life is to turn on LTE. Just go to Cellular > Cellular Data Options > Voice & Data and tap LTE.”

While Verizon didn’t mention 5G in the tweet, people who responded to Verizon on Twitter and journalists writing stories noted that the effect of these instructions is to shut 5G off. “LTE is active by default as a backup for those times when 5G isn’t available. Following these instructions actually has the effect of turning off 5G,” Mashable noted. (Verizon’s instructions are for iOS, but it’s also possible to disable 5G on Android phones.)

Apple fights 5G battery drain with “Smart Data” mode

An Ars story in December 2018 warned that 5G components would take up precious space inside smartphones, reducing the size of batteries. In October 2020, the Ars review of the iPhone 12 and 12 Pro noted that “5G seems to have a big impact on battery life, especially when you’re riding that ultra-fast mmWave.”

Apple said it implemented a “Smart Data mode” that shifts each phone from 5G to LTE when 5G speeds aren’t necessary, saving on battery life while letting phones use 5G when the speed boost would provide a noticeable difference. Enabling “5G Auto” in the iPhone settings turns Smart Data mode on; the other choices are “5G On” and “LTE.” Apple notes that the 5G On mode “Always uses 5G network when it’s available. This might reduce battery life.”

We asked Verizon for more details on the impact 5G is having on its users’ battery life today and will update this article if we get a response.

Verizon’s tweet came just a few days after its latest 5G announcement that “parts of Sacramento, Seattle, and Pensacola” are the newest areas targeted by Verizon’s “aggressive rollout of its transformational 5G Ultra Wideband service.” Verizon also just committed to spend $45.45 billion in an auction for mid-band spectrum that it plans to use with 5G.

Samsung, Huawei also warn users of 5G battery drain

Other phone makers have acknowledged 5G-related battery drains in support pages. Samsung tells users, “You may notice that your phone’s battery drains faster than usual while you are connected to a 5G network. This is a limitation of the current 5G networks, and will be improved as the networks expand.” Samsung’s support page continues:

At this time, the 5G networks are only used for data connections, and are not yet capable of carrying phone calls and messages. Your phone will need to maintain a connection to the 3G or LTE network in addition to the 5G network so that phone calls, text messages, and data will be delivered consistently.

Because your phone is connected to multiple networks simultaneously, the battery will drain faster than one would typically expect, and the phone may get warmer than when solely on 3G or LTE.

As the 5G networks grow in capacity and capability, they will be able to handle more of your phone’s functions with less battery drain.

The Institute of Electrical and Electronics Engineers (IEEE) backs the multiple-networks explanation. Hopping between 3G, 4G, and LTE uses a lot of battery life, and the “present limited infrastructure of 5G exacerbates this [battery-drain] problem,” the IEEE says. “Current 5G smartphones need to maintain a connection to multiple networks in order to ensure consistent phone call, text message, and data delivery. And this multiplicity of connections contributes to battery drain.”

A Huawei support page tells users they may suffer faster battery drain on 5G compared to 4G, especially when streaming video. “On a 5G network, more bandwidth is required to create a smooth user experience when using the Internet,” Huawei says. “Therefore, more power may be consumed, especially when using the Internet to watch online videos.”

The wireless industry deployed 5G before carriers were ready to use the “standalone 5G” version that doesn’t require a connection to 4G networks. But that’s changing, as T-Mobile launched standalone 5G throughout much of the US in August 2020, while Verizon and AT&T have plans to follow suit.

Hackers tied to Russia’s GRU targeted the US grid for years

For all the nation-state hacker groups that have targeted the United States power grid—and even successfully breached American electric utilities—only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016. Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the US energy system for years.

On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of those newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU’s Sandworm. Kamacite has in the past served as Sandworm’s “access” team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.

“They are continuously operating against US electric entities to try to maintain some semblance of persistence” inside their IT networks, says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group’s attempts to breach those US targets’ networks have been successful, leading to access to those utilities that’s been intermittent, if not quite persistent.

Caltagirone says that, so far, Dragos has only confirmed Kamacite breaches of US networks and has never seen those intrusions in the US lead to disruptive payloads. But because Kamacite’s history includes working as part of Sandworm’s operations that triggered blackouts in Ukraine not once, but twice—turning off the power to a quarter million Ukrainians in late 2015 and then to a fraction of the capital of Kyiv in late 2016—its targeting of the US grid should raise alarms. “If you see Kamacite in an industrial network or targeting industrial entities, you clearly can’t be confident they’re just gathering information. You have to assume something else follows,” Caltagirone says. “Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations.”

Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany’s electric sector in 2017. Caltagirone adds that there have been “a couple of successful intrusions between 2017 and 2018 by Kamacite of industrial environments in Western Europe.”

Dragos warns that Kamacite’s main intrusion tools have been spear-phishing emails with malware payloads and brute-forcing the cloud-based logins of Microsoft services like Office 365 and Active Directory as well as virtual private networks. Once the group gains an initial foothold, it exploits valid user accounts to maintain access, and has used the credential-stealing tool Mimikatz to spread further into victims’ networks.

Kamacite’s relationship to the hackers known as Sandworm—which has been identified by the NSA and US Justice Department as Unit 74455 of the GRU—isn’t exactly clear. Threat intelligence companies’ attempts to define distinct hacker groups within shadowy intelligence agencies like the GRU have always been murky. By naming Kamacite as a distinct group, Dragos is seeking to break down Sandworm’s activities differently from others who have publicly reported on it, separating Kamacite as an access-focused team from another Sandworm-related group it calls Electrum. Dragos describes Electrum as an “effects” team, responsible for destructive payloads like the malware known as Crash Override or Industroyer, which triggered the 2016 Kyiv blackout and may have been intended to disable safety systems and destroy grid equipment.

Together, in other words, the groups Dragos calls Kamacite and Electrum make up what other researchers and government agencies collectively call Sandworm. “One group gets in, the other group knows what to do when they get in,” says Caltagirone. “And when they operate separately, which we also watch them do, we clearly see that neither is very good at the other’s job.”

When WIRED reached out to other threat-intelligence firms including FireEye and CrowdStrike, none could confirm seeing a Sandworm-related intrusion campaign targeting US utilities as reported by Dragos. But FireEye has previously confirmed seeing a widespread US-targeted intrusion campaign tied to another GRU group known as APT28 or Fancy Bear, which WIRED revealed last year after obtaining an FBI notification email sent to targets of that campaign. Dragos pointed out at the time that the APT28 campaign shared command-and-control infrastructure with another intrusion attempt that had targeted a US “energy entity” in 2019, according to an advisory from the US Department of Energy. Given that APT28 and Sandworm have worked hand-in-hand in the past, Dragos now pins that 2019 energy-sector targeting on Kamacite as part of its larger multiyear US-targeted hacking spree.

Dragos’ report goes on to name two other new groups targeting US industrial control systems. The first, which it calls Vanadinite, appears to have connections to the broad group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used the ransomware known as ColdLock to disrupt Taiwanese victim organizations, including state-owned energy firms. But it also points to Vanadinite targeting energy, manufacturing, and transportation targets around the world, including in Europe, North America, and Australia, in some cases by exploiting vulnerabilities in VPNs.

The second newly named group, which Dragos calls Talonite, appears to have targeted North American electric utilities, too, using malware-laced spear phishing emails. It ties that targeting to previous phishing attempts using malware known as Lookback identified by Proofpoint in 2019. Yet another group Dragos has dubbed Stibnite has targeted Azerbaijani electric utilities and wind farms using phishing websites and malicious email attachments, but has not hit the US to the security firm’s knowledge.

While none among the ever-growing list of hacker groups targeting industrial control systems around the world appears to have used those control systems to trigger actual disruptive effects in 2020, Dragos warns that the sheer number of those groups represents a disturbing trend. Caltagirone points to a rare but relatively crude intrusion targeting a small water treatment plant in Oldsmar, Florida earlier this month, in which a still-unidentified hacker attempted to vastly increase the levels of caustic lye in the 15,000-person city’s water. Given the lack of protections on those sorts of small infrastructure targets, a group like Kamacite, Caltagirone argues, could easily trigger widespread, harmful effects even without the industrial-control system expertise of a partner group like Electrum.

That means the rise in even relatively unskilled groups poses a real threat, Caltagirone says. The number of groups targeting industrial control systems has been continually growing, he adds, ever since Stuxnet showed at the beginning of the last decade that industrial hacking with physical effects is possible. “A lot of groups are appearing, and there are not a lot going away,” says Caltagirone. “In three to four years, I feel like we’re going to reach a peak, and it will be an absolute catastrophe.”

This story originally appeared on wired.com.