Risky Biz News: Google removes app permissions from the Play Store

In other news: Denmark bans Google Workspace; Tor Browser gets built-in HTTPS-Only Mode; WatchDog botnet still going strong.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

If you haven't visited the Google Play Store in recent weeks, the official Android app store is going through a major change: the old section that listed the permissions an app would require before installation is being phased out.

Replacing the App Permissions section is a new one called Data Safety.

In a support page and a YouTube video, Google says this new section will list what data the app developer collects from their users, how they handle the data, and if they share it with third parties. See an example of a live Data Safety section here.

As Mishaal Rahman, the former editor-in-chief at XDA Developers, points out in a Twitter thread, the change is a major shift in policy for Google, for two reasons.

The first is that Google is moving away from a hard-to-understand list of technical permissions to something that's easier for laypeople to understand. An app requesting an unusual permission doesn't necessarily mean the developer is collecting user data through it; the permission might be needed for some banal on-device operation that doesn't harm the user's privacy at all. Google's plan for the Data Safety section is to tell users what data is actually collected and how that data is handled or shared by the app developer.

The second reason this change is a big deal is that the Data Safety section won't be automatically parsed from an app's manifest file and code; it will be written by the app developer.

As Ron Amadeo writes in his ArsTechnica piece, Google is moving away from a highly technical and trusted procedure to an "honor system" where users must hope that app developers don't lie about what permissions their apps use.
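To make the difference concrete, here is an added Python example (not Google's code or anything from the Play Store) that does the kind of cross-check reviewers lose when the self-declared Data Safety form replaces parsed permissions: it reads the `uses-permission` entries from an AndroidManifest.xml and flags data categories the manifest plausibly touches but the developer's form never declares. The permission-to-category mapping, the sample manifest and the sample Data Safety declaration are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical mapping from runtime permissions to the Data Safety category
# they most plausibly feed. This is an assumption for the example, not
# Google's own list, and a hit is only a prompt for review: as the article
# notes, holding a permission does not prove the developer collects the data.
PERMISSION_TO_CATEGORY = {
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Call logs",
    "android.permission.READ_SMS": "SMS or MMS",
    "android.permission.CAMERA": "Photos and videos",
    "android.permission.RECORD_AUDIO": "Voice or sound recordings",
}

# Constructed sample manifest for a fictional app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Constructed developer-declared Data Safety form: only Location is declared.
SAMPLE_DATA_SAFETY = {"collected": ["Location"], "shared": []}


def manifest_permissions(manifest_xml):
    """Return the sorted list of permissions declared in the manifest."""
    name_attr = "{%s}name" % ANDROID_NS
    root = ET.fromstring(manifest_xml)
    return sorted(el.attrib[name_attr]
                  for el in root.iter("uses-permission")
                  if name_attr in el.attrib)


def undeclared_categories(manifest_xml, data_safety):
    """Map each undeclared data category to the permissions that suggest it."""
    declared = set(data_safety.get("collected", [])) | set(data_safety.get("shared", []))
    findings = {}
    for perm in manifest_permissions(manifest_xml):
        category = PERMISSION_TO_CATEGORY.get(perm)
        if category and category not in declared:
            findings.setdefault(category, []).append(perm)
    return findings
```

Run `undeclared_categories(SAMPLE_MANIFEST, SAMPLE_DATA_SAFETY)` to see the Contacts and Photos and videos categories flagged for the sample app.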

This is problematic in so many ways, and the overwhelming response has been very critical of Google's latest decision.

The data trading industry has been center stage in recent weeks because of the overturning of Roe v. Wade, with users finding out that app makers have been collecting huge troves of insanely personal details with almost no oversight from government agencies.

Sure, Google threatens app developers with "enforcement" if they lie in their Data Safety section, but this latest controversy just shows once again the lack of regulation, oversight, and insight we all have over some data brokers' practices.

Breaches and hacks

Ruh-roh: Chinese government officials have summoned Alibaba executives to a meeting following a major data breach last week that exposed the personal data of one billion Chinese citizens and foreigners. The data leaked from an Elasticsearch database hosted on Alibaba Cloud servers that was left exposed online without authentication. It's unclear why Alibaba execs are being hauled in front of authorities since it was the Shanghai Police Department who rented and misconfigured the server in the first place.

LendingTree breach update: Financial services giant LendingTree told The Record on Friday that the data breach disclosed to US authorities last week is not connected to the 200,000 records that were advertised on a hacking forum earlier this year. LendingTree said it wasn't able to confirm the authenticity of the data sold online earlier this year and that the data breach disclosed to US authorities is a totally different incident that took place earlier this year in February, involved its website, and only impacted 70,000 customers.

Experian fail: If a lowly fantasy soccer app can deploy MFA, why can't you, Experian?

General tech and privacy

Denmark bans Google Workspace: The Danish data protection agency banned the use of Google Workspace (formerly known as Google Apps and later G Suite) by local governments. The agency's decision came in a case involving the city of Helsingør, which was using Chromebooks and Google Workspace apps for administrative tasks, including the management of local schools. Datatilsynet banned the use of Google Workspace, citing Google's hidden data collection practices, which transferred the personal details of Danish citizens abroad to US servers, contrary to EU and Danish legislation.

TikTok security chief steps down: TikTok announced major changes to its security leadership on Friday as the social media platform faces renewed scrutiny from US lawmakers over its ties to China. Security chief Roland Cloutier will step down in September, while current security executive Kim Albarella will replace him on an interim basis, TikTok said. [More coverage in The Record]

Russia prepares Twitch ban: Russia's telecommunications watchdog said in a press release last week that the Twitch video streaming platform has refused to take down "fakes" about Russia's "special operation" in Ukraine. These types of press releases usually come before Roskomnadzor moves in to block a service inside Russia's borders.

Tor Browser update: The Tor Project has released v11.5 of the Tor Browser. This new release comes with:

  • Connection Assist: a new feature that, when required, will offer to automatically apply the bridge configuration we think will work best in your location.
  • New connection settings: a redesigned connection settings section with more information and connection options.
  • HTTPS-Only Mode, by default: HTTPS-Only Mode is enabled by default for desktop, and HTTPS-Everywhere will no longer be bundled with Tor Browser.

Government, politics, and policy

Russian hackers in Hungary: NATO and EU officials have expressed concern with the Hungarian government's silence following a report earlier this year that Russian hackers had been lurking in Budapest's government network for more than a decade, silently stealing confidential information. Now, western officials said they're more worried about Hungary's silence on the topic rather than the hacking itself, with the Orban regime failing to publicly address the incident and failing to share any details or notify its allies.

NDAA amendments impact NSO: The US House of Representatives has passed amendments to the National Defense Authorization Act (NDAA) for the Fiscal Year 2023, including a clause that will prevent American companies from acquiring sanctioned entities. One of the cases where this clause will apply is the case of US defense contractor L3Harris looking to buy Israeli spyware maker NSO Group.

Cybercrime and threat intel

Digium IP phones under attack: The cybersecurity arm of Palo Alto Networks published a report on Friday about a cybercrime group that has been compromising Asterisk VoIP servers and then deploying malware on connected IP phones. Palo Alto said the attackers enter servers via an unpatched vulnerability in Elastix, a GUI software package for Asterisk, and then they deploy malware on IP phones running the Digium software. The bulk of the campaign took place from late December 2021 till the end of March 2022, the company said.

Sality malware on PLC systems: Industrial security firm Dragos said that software advertised on social media as a password-recovery and password brute-forcing tool for programmable logic controllers (PLCs) also contains a version of the Sality malware. IT engineers working in industrial networks that download and run these tools when wanting to unlock PLC software to which they lost passwords may also end up compromising their ICS/OT environments, Dragos said.

Latin American hotels: HP's Wolf Security published a report last week on a novel malware campaign that used OpenDocument text (.odt) files to distribute malware to target the hotel industry in Latin America. HP said this was the same threat actor and campaign documented by Cisco Talos last summer.

Salesforce-themed malspam: ESET warned last week about a new malspam campaign using a Salesforce update lure. The campaign, which delivered Sliver payloads, took place during Patch Tuesday week, when most users would have been likely to fall for it.

APPX/MSIX threats explained: The team at SentinelOne has a report out explaining the ins and outs of cybercrime campaigns that abuse the APPX and MSIX file formats for malware distribution, of which there have been quite a few lately.

Trickbot: UK security firm Cyjax published a report last week on the inner workings of the Trickbot malware gang. The report is based on internal chats leaked on social media earlier this year, known as the "Trickbot Leaks."

WatchDog still going strong: Lacework has published a report on the recent operations of the WatchDog coinminer gang. In a 2021 report, Palo Alto Networks called WatchDog one of the oldest crypto-mining gangs in operation today, and according to Lacework's report, the group is still going strong.

DragonForce attacks in India continue: Threat intelligence company CloudSek reports that Malaysian hacktivist group DragonForce is using a remote code execution vulnerability tracked as CVE-2022-26134 to compromise the Confluence servers of Indian entities. The attacks are part of OpsPatuk, a campaign the group started last month after an Indian politician made derogatory comments against the Prophet Muhammad.

Vulnerabilities and bug bounty

Shanghai Police leak analysis: A Radio Free Asia feature argues that the recent leak of one billion records from a server managed by the Shanghai police department exposes the negative effect of the Chinese government's suppression of its white-hat security scene.

Netwrix Auditor vulnerability: BishopFox researchers have published details about a vulnerability in Netwrix Auditor, an IT auditing software package commonly used in corporate environments. BishopFox said the vulnerability can allow threat actors to execute malicious code on Netwrix Auditor servers and, from there, take over entire Active Directory domains, since the Auditor app typically runs with admin privileges.

Attack vector for GitHub projects: Security firm Checkmarx warns that the GitHub platform allows threat actors to spoof commits on hosted repositories. The company argues that threat actors could spoof code contributions to malicious projects using the identities of trusted open-source developers, luring users and companies into installing malicious libraries and software in their environments by making projects look more legitimate than they are.
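The defensive counterpart to the spoofing described above is to trust commit signatures rather than the author field. The following added Python example (not Checkmarx's or GitHub's code) reads `git log` output with git's own `%G?` signature-status placeholder and flags every commit that does not carry a verified-good signature; the sample log lines and their hashes are constructed.

```python
import subprocess

# Meaning of git's %G? placeholder, as documented for git log.
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Tab-separated: hash, signature status, author. %x09 is a tab in git formats.
LOG_FORMAT = "%H%x09%G?%x09%an <%ae>"


def classify_commits(log_lines):
    """Return (hash, status, description, author) for every commit whose
    signature is not verified good. The author string is untrusted input:
    it is whatever the committer's git config claimed, which is exactly
    what a spoofed commit forges."""
    flagged = []
    for line in log_lines:
        if not line.strip():
            continue
        commit, status, author = line.split("\t", 2)
        if status != "G":
            flagged.append((commit, status, SIGNATURE_STATUS.get(status, "unknown"), author))
    return flagged


def audit_repo(path, rev_range="HEAD"):
    """Run git log in a local checkout (path is caller-supplied) and flag commits."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return classify_commits(out.splitlines())


# Constructed sample of the format above: a signed maintainer commit, an
# unsigned commit claiming the same maintainer identity, and one whose key
# is not in the local keyring. Hashes are made up.
SAMPLE_LOG = [
    "a" * 40 + "\tG\tAlice Maintainer <alice@example.org>",
    "b" * 40 + "\tN\tAlice Maintainer <alice@example.org>",
    "c" * 40 + "\tE\tBob Contributor <bob@example.org>",
]
```

Only the unsigned and unverifiable commits are reported for the sample, even though the second one carries the maintainer's name and email.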

Fingerprint sensors and crypto wallets: A team of German academics has developed a new technique that allows them to fuzz-test the protected memory areas in modern processors. The new method helped the team discover new vulnerabilities in fingerprint sensors and cryptocurrency wallets by looking at how they process data in Intel SGX enclaves. The vulnerabilities impact the Synaptics Fingerprint Driver and the SKALE crypto-wallet, and can be used to read biometric data or steal the entire balance of the stored cryptocurrency, the researchers said.