iOS Malware Trojan Found on Apple App Store

Though it is a relatively small number of apps: iOS Clicker Trojan Malware Found in 17 Apps in Apple’s App Store.

More than a dozen iOS apps infected with clicker Trojan malware and distributed via the Apple App Store were found to perform ad fraud-related tasks in the background, using the command and control servers of a similar Android ad fraud campaign.

The malware was distributed in apps that were diverse. Body Mass Index calculator. Travel. Speedometer. And more.

iPhone Security?

People love to lecture me about how superior their iPhone is to my Android phone. (Or they used to.) Google says iPhone security flaws let websites hack them for years.

Once upon a time, they would tell me how GREAT Apple was at keeping their phone’s battery alive. Then it turned out that Apple was doing that by throttling the processor. (I haven’t heard much about that in recent years.)

Next it was how a closed-source software system that had never been subject to an outside audit was just so superior to open source. Then it was revealed that their messaging app, for which they wrote their own cryptography, was leaking data all over the internet, and they were forced to implement the open-source functions found in Signal.

And now we have this.

Google’s Project Zero security researchers revealed that they found several hacked websites that slipped malware onto people’s iPhones for years. If people visited one of the sites, their messages, photos and location data could be compromised. The team reported their findings to Apple earlier this year, and the vulnerability was patched in the same update that fixed the FaceTime eavesdropping bug.

This was a serious breach of security.

This hack gave attackers full control of the victims’ iPhones, allowing hackers to install malicious apps and get real-time location data, as well as steal photos and messages, even if they are encrypted. Because of the malware’s deep level of access, it could get the contents of messages before they were even encrypted, Google explained. The implant could access the device’s keychain, which includes passwords and database files used by end-to-end encrypted messaging apps like WhatsApp, Telegram and iMessage.

So is Android better? Probably not in practice, which is why the only apps I use on my phone revolve around listening to music. And I doubt this will stop the Fanbois from telling me how completely secure the iPhone is.

Never Use Any “Found” USB or Lightning Cables

Or anything found for that matter. And you probably need to be aware of anything offered at an incredibly low price. These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer.

Because you are not smarter than the hackers.

It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

The prototypes (released at Def Con) were handmade from purchased Lightning cables. Not only did they provide a way to access the cable remotely (over the internet, if the PC it was plugged into was online), but you could also remotely “self-destruct” the cable if it looked like it was going to be found out. (It would still work as a Lightning cable, just not as a “persistent threat.”) And at close range, you don’t need the internet, just a phone and an app.

There’s a Hak5 talk about how they did a “USB drive” drop – the drives were actually Hak5 Rubber Duckies – at a security conference. 60 percent (or more) were plugged into a computer. At a security conference. Don’t plug stuff into your computer if you just find it.

Apple Only Cares About Your Privacy When They Get Bad Press

So they’re just like every other tech giant. And they did get bad press. Apple suspends Siri response grading in response to privacy concerns.

In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program world wide. Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake.

In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.

This is similar to the mess Google is in.

Privacy is such a 19th Century concept.

The Apple $1 Billion Suit Over Facial Recognition Gone Wrong

The story from earlier already has a broken link. So here it is again from a different source. Teen hits Apple with $1B lawsuit over facial recognition arrest.

Ousmane Bah was arrested by New York Police Department officers on Nov. 29 after being accused of thefts at Apple Stores in Manhattan, Boston, New Jersey and Delaware, according to his lawsuit.

The lawsuit says the actual thief was caught stealing $1,200 worth of merchandise — specifically Apple Pencils — from the Boston store on May 31, 2018. The person then used a stolen ID that included Bah’s name, address and other personal details, but not his photo, according to the suit. This may actually have been a non-photo learner’s permit that Bah previously lost, the suit says. Bah is African American.

The lawsuit accuses Apple of negligence, emotional distress, defamation, slander, libel and fraudulent concealment.

Because they didn’t bother to look at the guy they arrested vs the security camera footage BEFORE they arrested him. Though that’s as much on the cops as on Apple.

Apple Defamed a Kid, He Wants His Payday

Facial recognition gone wrong. A teenager is suing Apple for $1 billion over facial recognition tech. OK, that link broke within a day. Here’s the CNET story: Teen hits Apple with $1B lawsuit over facial recognition arrest. Quotes are from the original. Not sure why that source booted the story…

An 18-year-old from New York is currently trying to take Apple for around 0.1 per cent of the company’s worth – $1 billion – for a facial recognition faux pas that has allegedly seen him charged in New York, Massachusetts, Delaware and New Jersey for thefts that were nothing to do with him.

The only way to get the tech giants to change their ways – short of antitrust action, which I don’t see happening – is to cause them real financial harm.

Facial recognition not being a reliable tool in law enforcement? We’re shocked. Absolutely shocked.

Apple Doesn’t Think They Should Play By the Same Rules as Everyone Else

They are Apple after all. Researcher Declines to Share Zero-Day macOS Keychain Exploit with Apple.

So this guy found a zero-day in the current version of Apple’s password manager. And he built a proof-of-concept. (You can see it demoed in a 1.5-minute video if you click the link above.) But he won’t share it with Apple because they don’t have a bug-bounty program. Because Apple is different from the rest of the tech companies in the world. Or something. (They are certainly more arrogant than your average tech company, and THAT is saying something.)

The vulnerability found by Henze in Apple’s macOS operating system last week is present “in the keychain’s access control” and it could allow a potential attacker to steal Keychain passwords from any local user account on the Mac, without needing admin privileges or the keychain master password.

This isn’t the first time Apple has built an encrypted system for which the cryptography was substandard. The original version of Messenger was supposed to be secure, but the encryption – developed by Apple, not an industry standard – was substandard. (They rewrote it using open-source encryption.)

As for the security researcher, Linus Henze…

Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have).

If he was just in it for the money, I’m sure that Zerodium would have been willing to pay him big bucks before his disclosure. (They will pay as much as $2 million for a zero day.)

But Apple expects you to spend weeks or months researching problems with their code, and then you should just hand over your findings to them free of charge. Because Apple.

He hasn’t given anything away, but now that people know about the existence of the zero-day, it is only a matter of time before the exploit is discovered by someone less ethical, and put to nefarious use.

“The Great Wall of Cupertino” – OR – How Not to Pitch to Bankers

Apple likes secrecy. Apple wants to do business with banks. Banking has all these pesky “transparency” regulations. Apple’s secret banking play hits a privacy pothole.

This is a pretty big story in and of itself, but the real issue is how Apple tripped over their collective – inflated – ego.

The first problem, as noted at Fudzilla, is that these people are not the idiots Apple expected them to be.

Apple turned everyone out of the favorite lounge at the show and instituted secrecy – behind that Great Wall – for a pitch to the banking industry.

Apple thought it could resolve the issue by holding an exclusive presentation in the middle of a trade show for the bankers. This backfired because Apple bodged it by holding the secret presentation in the middle of an Aussie trade show and kicking out all the other riff-raff.

It tried to do its usual trick of hyping itself up and expecting the bankers to follow like adoring children. Unfortunately for Apple, high-level Bankers did not get where they are today by believing that sort of rubbish. In fact, while Bankers might be Satan’s little helpers, at least they are not stupid Apple fanboys who think buying the iPhoneX is great because its maker tells them that it is.

Or as ITnews noted… (from the first link at the top of the post)

A gentleman from Switzerland seemed less impressed and described the Apple event as one giant stage managed ad and said it revolved around Apple talking about how good it was, how good its privacy is, and how nice its products are.

Our Geneva-based source added it appeared all the mystery and conspicuous exclusion had been engineered to create a buzz that was let down by a, well, an hour-long ad.

“Apparently I can also do some banking on my iPad and you can use an iPad in a bank,” the gentleman drolly said. “Great.”

Welcome to the Real World™ where people buying (or not) your services actually know what they are doing, and have to do a cost/benefit analysis before they do buy it (or don’t – as the case may be).

If the App is Free, That Means YOU Are the Product

They have to make money somehow, so it is by selling all of your information. Dozens of popular iPhone apps caught sending user location data to monetization firms.

A group of security researchers say dozens of popular iPhone apps are quietly sharing the location data of “tens of millions of mobile devices” with third-party data monetization firms.

Almost all require access to a user’s location data to work properly, like weather and fitness apps, but share that data often as a way to generate revenue for free-to-download apps.

There is a list of at least some of the apps involved, including those, like AccuWeather and NOAA Weather Radar, that changed the code once they were busted. But some don’t.

Apple is demanding that all apps have a privacy policy by October 3, which will do nothing, but lets them pretend they are doing something. Have you EVER not installed an app or piece of software because something in the privacy policy or the other disclaimers made you hesitant? And yes, I do read those and I do take them seriously. And when I don’t like something, I have been known to perpetrate misinformation. (You mean you don’t have disposable email addresses?)

What Price Lithium-Ion Batteries?

Do you care that children mine cobalt in some of the worst conditions to produce those electric cars and cell phones? Would you care if it wasn’t kids, just poor people in the Congo? Congo’s child labor spurs demand from Apple, Tesla for ethically produced cobalt.

Good luck.

Cobalt helps power everything from smartphones to laptops to electric vehicles.

It’s a key ingredient in lithium batteries, a product that has seen an explosion in demand recently.

But 60 percent of the world’s cobalt comes from the Congo, where children often do much of the hard labor.

Of course that won’t eliminate the problem. It will just shift the distribution around. (It’s simple economics – there is only so much cobalt available, and Apple/Tesla/Samsung/et al need it.) So that cobalt from the Congo will end up in your security camera, or the off-brand battery you order for your laptop. Or whatever. Anything with a memory that lives beyond a power outage probably has a lithium-ion battery today. While Apple can dictate terms, not every manufacturer can.