Mobile Security | SC Media

Mobile Security

'KorBanker' steals SMS messages, takes authentication codes in the process

Researcher uncovered passwordless database used for SMS bombing

A researcher uncovered a massive SMS bombing operation in a passwordless database that exposed the sensitive information of millions of users. Security researcher Bob Diachenko discovered an open and unprotected MongoDB instance containing a massive amount of data including MD5 hashed emails, first and last names, location data, IP address, phone number, mobile network carrier…

No, VPNs Aren’t Dead — They’re More Essential Than Ever

A few weeks ago, a particular SC Media Executive Insight claimed it’s time to say good-bye to VPNs. Among other things, the writer claimed that application access was more effective, and that zero trust architecture is an essential ‘alternate model’ for access. While I agree with Mr. Sullivan that application access and zero trust architecture…

Google unveils new controls for automatically deleting data after 3 or 18 months

Google on Wednesday announced an upcoming, privacy-friendly feature that will automatically delete user location history and web and app activity data after a specified period of time. The new controls will be rolled out in the coming weeks, Google revealed in a blog post authored by David Monsees, “Search” product manager, and Marlo McGriff, “Maps”…

High-volume eGobbler malvertising campaign exploits zero-day Chrome bug

A malicious actor has been leveraging a Google Chrome browser exploit to deliver malvertisements to iOS users, including a campaign earlier this month during which 500 million user sessions were exposed to a session hijacking attack. Dubbed eGobbler by researchers at Confiant, the threat actor from April 6-10 ran a massive operation consisting of eight…

Three apps claiming to improve Instagram exposed as an insta-scam

A trio of Android applications that supposedly helped Instagram account owners increase likes and followers, boost security and improve the overall user experience were actually stealing their usernames and passwords, Malwarebytes has reported. The apps, which were designed to target users based in Iran, had been available for download via the Google Play store as…

Zeus-in-the-mobile variant uses security firm's name to gain victims' trust

Massive SIM swap fraud leaves traditional 2FA users at risk

As two-factor authentication becomes more popular, threat actors have proven once again how this security feature can be exploited if not implemented properly. Kaspersky researchers uncovered large-scale SIM swap fraud operations targeting users in both the Portuguese-speaking nations of Brazil and Mozambique that were able to use social engineering, bribery, and simple phishing attacks to ultimately…

Possible link discovered that ties together Wi-Fi routers with backdoors

Verizon FIOS, TP Link patch major vulnerabilities in routers

Researchers have revealed that certain Verizon and TP Link routers have severe vulnerabilities that could lead to remote command injection in the former and a zero-day attack on the latter. Tenable Research found three vulnerabilities in Verizon’s Fios Quantum Gateway routers, which are supplied to almost every new Verizon Fios customer, while IBM Security…

Security update removes hard-coded credentials from MyCar Controls app

Motor vehicle technology and equipment provider AutoMobility Distribution Inc. has updated its MyCar Controls telematics mobile application for iOS and Android in order to eliminate the use of insecure hard-coded credentials. The MyCar app offers geolocation services as well as remote start/stop and lock/unlock capabilities to vehicles that come with a compatible remote start unit.…