One might have thought the low watermark for digital security headlines came the week before last, with the near-continuous revelations that Jack Dorsey had fallen victim to a SIM swap identity theft attack and Apple had accidentally left a large exploit in iOS for the last two or so years.
But as it turned out, that would have been a bit early to call the game – because despite last week being shortened by the Labor Day holiday in the U.S., all kinds of security news managed to find its way into the headlines.
Most of it was less than inspiring, as more security flaws bubbled to the surface and the effects of previously detected ones were debated. Specifically, it seems Apple and Google are butting heads over the seriousness of Apple’s recently discovered security lapse.
Apple Claps Back on Cyberattack Claims
Apple pushed back on Google’s description of its iOS security flaw and the ways in which it was leveraged to pursue cyberattacks – though it did confirm that the Uighur Muslim minority were the victims of digital crime due to the iPhone flaw. However, according to Apple, those attacks took place over the course of two months, not two years as Google’s security research team Project Zero had indicated.
According to Project Zero research, the security issues led to a “sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” before noting that China also recently hacked Asian telecommunications companies to spy on the Uighurs, as it considers them a security threat.
Apple said the attack was “narrowly focused” and affected “fewer than a dozen websites that focus on content related to the Uighur community.” Moreover, Apple noted, the problem was fixed in February soon after it was reported.
“Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time, stoking fear among all iPhone users that their devices had been compromised,” Apple said. “This was never the case.”
Google has responded that their research is sound: “We stand by our in-depth research, which was written to focus on the technical aspects of these vulnerabilities.”
The Project Zero team maintains it is looking for security problems on devices from all companies, not just Apple, and that their findings are unmotivated by Google and Apple’s professional rivalry. Last year, the group helped to find security exploits in Intel Corp chips.
But squabbling with Apple wasn’t Alphabet’s only security-related issue this week.
The CamScanner Exploit
According to new research from Kaspersky Lab, there is an unfortunate bit of malware hiding in CamScanner, an app with over 100 million downloads in the Google Play store. According to Kaspersky, the malware’s purpose is to push ads and download things on Android devices without a user’s permission.
The malicious module is a trojan dropper, which means it will extract and run a secondary component inside the app that essentially allows the owner of the malware to “use an infected device to their benefit in any way they see fit.”
That could include showing intrusive advertising or stealing money from the victim’s mobile account by charging paid subscriptions, according to Kaspersky.
Google removed the app listing after news of the malware was reported, but Kaspersky said the latest CamScanner update removed the malicious code. The issue illustrates the problem with policing apps in the Google Play store. Smarter cybercriminals have started putting bad code behind encryption barriers so Google wouldn’t see it when vetting the app.
The case of CamScanner is interesting, Kaspersky noted, because it has not always been a malware distribution point.
“CamScanner was actually a legitimate app with no malicious intentions whatsoever, for quite some time,” Kaspersky noted. “It used ads for monetization and even allowed in-app purchases. However, at some point, that changed, and recent versions of the app shipped with an advertising library containing a malicious module.”
As it turned out last week, once-benign apps aren't the only things being kidnapped to the dark side. Voice AI is getting grabbed, too.
Having Voice AI for Fraud
If it can make life easier for a consumer, it can also make life easier for a cybercriminal – an aphorism demonstrated in the field this week when cybercriminals leveraged artificial intelligence (AI) to impersonate the voice of an energy company’s chief executive and demand an urgent transfer of $243,000.
The CEO of the company reportedly thought he was speaking on the phone with the chief executive of the energy firm’s parent company, who asked him to send the money to a supplier in Hungary. The names of the firms involved have not been disclosed.
The scammed CEO said he made the transfer of funds to be sent within the hour, despite it being such an unusual request, because the slight German accent and patterns of his voice seemed familiar – an effect generated with AI. The scammers then called back and asked for more money, which aroused suspicion. That next payment was never made. After the first payment was sent, it went to Mexico and other locations around the world, according to reports.
As of yet, there are not any suspects. Philipp Amann, head of strategy at Europol’s European Cybercrime Center, said it is hard to tell whether this is the first incident or if there are others that haven’t been reported. If the attacks are increasingly successful, they could increase in frequency.
So, what did we learn this week?
Never underestimate the creativity of cybercriminals, who are always looking for the next entry point. Whether that’s an app or voice AI, it is probably always a better idea to fix it than to fight about it.