Sneaky Android malware, more CashApps scams and a report shows how easy it is to track smartphones

Welcome to Cyber Security Today. It’s Friday May 15th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

To hear the podcast click on the arrow below:

Cyb er Security Today on Amazon AlexaCyber Security Today on Google PodcastsSubscribe to Cyber Security Today on Apple Podcasts

Android users have another reason to be careful about the apps they download. A security company called Bitdefender issued a report yesterday about a sneaky piece of malware it calls Mandrake that’s very good at hiding on mobile devices. It gets installed by people clicking on phishing emails that pretend to come from a number of companies, including Canada’s Bank of Montreal, the Bank of America, PayPal, Gmail and Amazon. In addition, seven apps on the Google Play store were distributing the malware, including apps that offered car news, a currency conversion calculator, a document scanner and a video player. These apps have now been deleted but to hide the malware they apps actually worked and when bugs were found they got fixed. That way comments from unsuspecting reviewers were genuine. But behinds the scenes these apps stole your passwords and data. Bitdefender thinks the number of devices infected could be in the hundreds of thousands. There are some tip-offs such as logins refused and then your app asking you to log in again or authenticate. These bad mobile apps are another reminder of how cautious you have to be in downloading apps.

Last October I told you about CashApp scams. Well, now criminals are taking advantage of COVID-19 related CashApp raffles to also steal your money. If you don’t recall, CashApp is an application that lets people give away money in an online raffle. CashApp is legitimate. What scammers do is create fake offers that ask for a payment in advance to participate in a raffle. The payment can be small or big but there’s a promise of doubling, tripling, quadrupling the fee or more. Because troubled companies are laying off workers, more people need money. So more CashApp offers are appearing, including some from celebrities. And as might be expected, criminals are taking advantage. A new report this week from a security firm called Tenable outlines the ways in which scammers are trying to hijack recent CashApp and other offers for free money. So here’s a warning: If you play CashApp and get an offer that promises to increase the money being given away, it’s a scam. If you get asked for money on Cash App, Venmo or Pay Pal asking you to verify a win by paying a fee, it’s a scam. Remember that scammers also impersonate celebrities and notable figures on Twitter and Facebook pretending to be in the CashApp game. And beware of messages asking you to contact a so-called “agent” by text message. What criminals want to do is get victims off a social media platform and onto a text messaging platform, where it’s more private and victims can’t see warnings.

In some cases scammers use an image from CashApp saying a bank declined a payment. This is a trick to get victims into believing they can’t send the money by their cashtags. What the criminal wants is the login credentials for a victim’s credit card application.

For more details on CashApp scams there’s a link to the report here.

Another news report is out showing how easy it is for someone to track your movements thanks to the apps on your smartphone. The report comes from Norway’s public broadcaster NRK. What it did was buy a chunk of data for Norway from a data broker, which buys the data from mobile app developers for resale to advertisers. Then it used that data to identify people. While in many countries privacy laws demand this data be anonymized it often can be linked to one mobile device, and then used to track people. So if a piece of data shows a mobile device is regularly in one place overnight, it’s logical to assume that’s the owner’s residence. A check of public records will show who lives at that address. If the device daily goes to an office, logically that’s where the device owner works. From there you can go to Facebook or LinkedIn and learn more about that person. What to make of this report? Be careful about the apps you download. Be particularly careful about giving apps permission to access the location feature of your phone. First, turn off the “Location Services” feature until you need it, for things like maps. You can also turn off location services for each app. You can also turn off ad tracking. On Android phones that’s under Settings/Google/Ads/ and then turn on “Opt out of ads rationalization. On Apple devices it’s under Privacy.

That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.