(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A list of the 13 malicious apps in the Brain Test family found hosted on Google Play. (credit: Lookout)

Google has removed 13 Android apps from its Play marketplace after security researchers found that the apps performed unauthorized downloads and attempted to gain root privileges, which allowed them to persist across factory resets.

One of the 13 apps, known as Honeycomb, had as many as one million downloads before it was removed, according to researchers from Lookout, the mobile security provider that spotted the malicious entries. The apps showed large download counts and highly favorable user ratings, presumably because an infected app could automatically download the other apps in the family and then leave rave reviews for them. In a blog post, Lookout researcher Chris Dehghanpoor wrote:

The explanation for the apps’ high ratings and hundreds-of-thousands of downloads is the malware itself. First off, some of the apps are fully-functioning games. Some are highly rated because they are fun to play. Mischievously, though, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play store by the same authors. This helps increase the download figures in the Play Store. Specifically, it attempts to detect if a device is rooted, and if so, copies several files to the /system partition in an effort to ensure persistence, even after a complete factory reset. This behavior is very similar to several other malware families we’ve seen recently, specifically Shedun, ShiftyBug, and Shuanet.

As Ars reported in November, members of the Shedun, Shuanet, and ShiftyBug families expose phones to potentially dangerous root exploits that can make app removal extremely hard for many users. That's because the apps are often able to root the infected device and install themselves as system applications under the /system partition. A factory reset wipes the user data partition but leaves /system intact, so such apps cannot be removed by conventional means such as the uninstall button or the factory-reset option in the Android settings menu.
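A practical check for this persistence technique is to compare the packages installed under /system against a known-good baseline for the device build, since a third-party app that has copied itself into /system/app or /system/priv-app will not appear in that baseline. The script below is an added example, not code from Lookout or the articles; it parses a listing in the format produced by `adb shell pm list packages -f` (`package:<apk path>=<package name>`). The baseline and the sample listing are constructed for illustration, and the package names `com.honeycomb.game` and `com.notag.helper` are hypothetical stand-ins for a malicious app that has planted itself in /system.

```shell
#!/bin/sh
# Added example: flag packages resident under /system that are not in a
# known-good baseline. Input format matches `adb shell pm list packages -f`:
#   package:/path/to/base.apk=com.example.pkg
# On a real device, replace SAMPLE with the output of that command.

# Constructed baseline of package names expected under /system on this build.
BASELINE="com.android.settings
com.android.systemui
com.google.android.gms"

# Constructed sample listing. The last two entries model a third-party app
# that has copied itself into /system/priv-app and /system/app; both package
# names are hypothetical.
SAMPLE="package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/priv-app/com.honeycomb.game-1/base.apk=com.honeycomb.game
package:/system/app/com.notag.helper/base.apk=com.notag.helper"

# Print, one per line, every package whose APK lives under /system but whose
# name is absent from the baseline. $1 = listing text, $2 = baseline text.
# Apps under /data/app are ignored: a factory reset removes those anyway.
unexpected_system_apps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            package:/system/*) ;;
            *) continue ;;
        esac
        pkg=${line##*=}
        if ! printf '%s\n' "$2" | grep -qx -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

unexpected_system_apps "$SAMPLE" "$BASELINE"
```

Any package this prints deserves a closer look: a legitimate OEM or carrier app may simply be missing from the baseline, but a package name that also appears in /data/app on a clean device, or that matches a game from the Play Store, is the pattern described above. Removing it requires a writable /system (a custom recovery or reflashing the stock firmware), not a factory reset.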


Possible vulnerability in F5 BIG-IP LTM - Improper input validation of the HTTP version number of the HTTP request allows any payload size and content to pass through
[CVE-2015-7242] AVM FRITZ!Box: HTML Injection Vulnerability
Serendipity Security Advisory - XSS Vulnerability - CVE-2015-8603

Mozilla has warned Firefox users that its decision to reject SHA-1-signed certificates has caused an unfortunate side effect: some man-in-the-middle devices that intercept HTTPS traffic and re-sign it with their own SHA-1 certificates, such as security scanners and antivirus products, are failing to connect to HTTPS sites.

The browser maker advised anyone affected by the interference to install the latest version of Firefox, which reinstates acceptance of SHA-1 certificates.

Indeed, 'tis the season for browser upgrades. As Ars reported on Tuesday, Microsoft has been furiously nudging Internet Explorer holdouts over to the latest versions of its browser.




Time Warner Cable is warning that login credentials for 320,000 customers may have been stolen. The cable TV and Internet service provider told Reuters that e-mail passwords may have been harvested by malware installed on customers' computers, or that the potentially compromised passwords may have come from data breaches of other companies that stored Time Warner Cable customer information. The company is still investigating how the data was obtained, but so far has found no indication that its own systems were breached.

A Time Warner spokesman told the news agency that the company issued the warning after receiving notification from the FBI that some customer e-mail addresses and passwords "may have been compromised." As a precaution, company officials are sending e-mails and direct mail correspondence advising customers to update their passwords.

The Time Warner advisory comes a day after Web host provider Linode said it was resetting user passwords following signs of a breach. The reset came after an investigation of "the unauthorized login of three accounts [that] has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point." The database contains usernames, e-mail addresses, "securely hashed" passwords, and encrypted two-factor seeds.


[RT-SA-2015-001] AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
[RT-SA-2014-014] AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
Executable installers are vulnerable^WEVIL (case 18): EMSISoft's installers allow arbitrary (remote) code execution and escalation of privilege
[SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)
Executable installers are vulnerable^WEVIL (case 19): ZoneAlarm's installers allow arbitrary (remote) code execution and escalation of privilege
[security bulletin] HPSBGN03530 rev.1 - HPE UCMDB Browser, Remote Disclosure of Sensitive Information, Local Unauthorized Access