
Google Play pulls sneaky data-harvesting apps with 46m+ downloads

Plus: Fox News learns to use database passwords, Autodesk patches high-severity bugs, and CISA says retire old D-Link routers

In brief Google pulled a slew of Android apps with more than 46 million downloads between them from its Play Store after security researchers notified the ads-and-search giant that the apps contained sneaky data-harvesting code.

Apps included a speed camera radar, several Muslim prayer apps, a QR scanner, a WiFi mouse tool, a weather app and others. 

A Panama-based company, Measurement Systems, developed the code, according to AppCensus co-founder Joel Reardon, whose mobile app testing firm discovered the overly nosy software, reported it to Google, and published research about how it works.

According to the Wall Street Journal, which first reported the story, Measurement Systems has ties to a Virginia defense contractor that does cyber-intelligence, network-defense and intelligence-intercept work for US national security agencies. 

Google removed the apps as of March 25, but said they could be re-listed if their developers stripped out the dodgy code to comply with the Play Store's rules on collecting users' data. Some of the developers did so, and their apps were already back in the store as of April 6.

"All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action," a Google spokesperson told The Register.  

Infosec folk spot open Fox News database

Fox News said it has secured an open database after bug hunters at Security Discovery alerted the news organization about the security incident waiting to happen.

For its part, Fox News said the open database was in a development environment, not a live, production environment, and that no customer records were exposed.

"We were contacted in October of 2021 by Security Dynamic about what would correctly be characterized as a general company development environment primarily containing an archival snapshot of public video metadata such as program descriptions and talent bios," a spokesperson said in an email to The Register.

"Additionally, there was a list of business email addresses as well as URLs, other ID's and environments that were no longer in use at the time of discovery," the statement continued. "This environment did not service any Fox News applications or systems. The database was secured within hours following the receipt of the report from Security Dynamic in accordance with our responsible disclosure policy."

Security Discovery co-founder Jeremiah Fowler, working with the research team at website-building review outfit Website Planet, discovered the database, which had no password protection. They said the 58GB dataset contained almost 13 million records spanning storage information, internal emails, usernames, employee ID numbers and affiliate station information.

"One folder contained 65k names of celebrities, cast and production crew members and their internal FOX ID reference numbers," the threat researchers wrote. "The records also captured a wide range of data points including event logging, host names, host account numbers, IP addresses, interface, device data, and much more."

Despite Fox News' assurances that this was a test environment, Fowler and friends noted that many records were labeled "prod," the usual abbreviation for production.

But even in a development environment, this data could pose a security risk as these environments often use the same storage repositories, middleware and infrastructure as live production environments, the threat researchers added.

Additionally, the security researchers made it clear that they aren't implying any customer or user data was at risk, and they applauded the Fox security team for acting "fast and professional" to close the exposed database. Still, "any non-password protected database could potentially allow someone to insert malicious code into the network," they noted. 

Autodesk patches high-severity bugs

Autodesk has patched multiple high-severity vulnerabilities that, if exploited, could allow attackers to execute arbitrary code on vulnerable machines and steal sensitive information.

Security firm Fortinet's threat research team discovered the bugs, which affect Autodesk's DWG TrueView, Design Review and Navisworks, and reported them to the software provider. Its research team also provided a run-down of all seven vulns.

Both companies urge users to apply the patches ASAP.

The first five bugs, CVE-2022-27525, CVE-2021-40167, CVE-2022-27526, CVE-2022-27527 and CVE-2022-25797, are memory corruption vulnerabilities. 

CVE-2022-27525 affects Autodesk Design Review. It's caused by a malformed Design Web Format (DWF) file, "which causes an out-of-bounds memory write due to an improper bounds check," Fortinet explained.

If exploited, this bug can allow cybercriminals to execute arbitrary, malicious code via a specially crafted DWF file. 

CVE-2021-40167 affects the same product and is also caused by a buggy DWF file. It could allow an attacker to leak memory within the context of the application.

CVE-2022-27526, which could also be exploited to leak memory, affects Autodesk's Design Review product. A malformed Truevision (TGA) file causes this bug. Specifically, the TGA file "causes an out-of-bounds memory access, due to improper bounds checking when manipulating a pointer to an allocated buffer," Fortinet said.

CVE-2022-27527 affects Autodesk Navisworks. It's caused by a malformed PDF file, which also leads to out-of-bounds memory access.

The fifth memory corruption bug, CVE-2022-25797, is caused by a malformed DWG file, affects DWG TrueView, and could allow a criminal to execute arbitrary code using a crafted DWG file.

CVE-2022-27523, a buffer over-read vulnerability in Autodesk DWG TrueView, could allow a remote attacker to leak sensitive data using a malicious DWG file.

And finally, CVE-2022-27524 is an out-of-bounds vuln in DWG TrueView that could be exploited to leak sensitive data.
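The Fortinet descriptions above all come down to the same defect class: a length or offset read from an attacker-controlled file is used to copy or index memory without first being checked against the real size of the buffer, giving an out-of-bounds write (CVE-2022-27525) or read (CVE-2022-27526 and the memory-leak bugs). The following C snippet is an illustration added here, not Fortinet's or Autodesk's code. It parses a constructed two-byte-length record format (an assumption for the example; it is not DWF, TGA or DWG) once without a bounds check and once with the two checks a reviewer would expect. The format, the PAYLOAD_MAX size, the sample inputs and the function names are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy record format (constructed for this example, not DWF, TGA or DWG):
 * 2-byte little-endian declared payload length, then the payload bytes. */
#define PAYLOAD_MAX 64

struct record {
    uint16_t declared_len;
    uint8_t  payload[PAYLOAD_MAX];
};

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* VULNERABLE: trusts the length field from the file.
 * declared_len > PAYLOAD_MAX   -> memcpy writes past payload[] (out-of-bounds write)
 * declared_len > bytes present -> memcpy reads past buf (out-of-bounds read, leaking
 *                                 whatever follows the input in memory).
 * Only call this with well-formed input; on malformed input the behaviour is undefined. */
int parse_record_vulnerable(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf_len < 2)
        return -1;
    out->declared_len = read_le16(buf);
    memcpy(out->payload, buf + 2, out->declared_len);   /* no bounds check */
    return 0;
}

/* HARDENED: the declared length is checked against both the destination size
 * and the number of input bytes actually present before anything is copied. */
int parse_record_hardened(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf == NULL || out == NULL || buf_len < 2)
        return -1;                       /* header missing */
    uint16_t declared = read_le16(buf);
    if (declared > PAYLOAD_MAX)
        return -2;                       /* would write past payload[] */
    if (declared > buf_len - 2)          /* buf_len >= 2 here, so no underflow */
        return -3;                       /* would read past the input */
    out->declared_len = declared;
    memcpy(out->payload, buf + 2, declared);
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t BENIGN[]    = { 0x04, 0x00, 'A', 'B', 'C', 'D' };  /* declares 4, has 4  */
static const uint8_t OVERSIZED[] = { 0xFF, 0xFF, 'A', 'B', 'C', 'D' };  /* declares 65535     */
static const uint8_t TRUNCATED[] = { 0x20, 0x00, 'A', 'B' };            /* declares 32, has 2 */

/* Run the hardened parser over one input; returns the parser's status code. */
int check_hardened(const uint8_t *buf, size_t buf_len)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return parse_record_hardened(buf, buf_len, &r);
}

/* Benign input through both parsers; returns 1 if both succeed and agree on the payload. */
int check_benign_both(void)
{
    struct record v, h;
    memset(&v, 0, sizeof v);
    memset(&h, 0, sizeof h);
    if (parse_record_vulnerable(BENIGN, sizeof BENIGN, &v) != 0) return 0;
    if (parse_record_hardened(BENIGN, sizeof BENIGN, &h) != 0) return 0;
    return v.declared_len == 4 && h.declared_len == 4 &&
           memcmp(v.payload, "ABCD", 4) == 0 && memcmp(h.payload, "ABCD", 4) == 0;
}

int main(void)
{
    printf("benign    : both parsers agree = %d\n", check_benign_both());
    printf("oversized : hardened status = %d (expect -2)\n", check_hardened(OVERSIZED, sizeof OVERSIZED));
    printf("truncated : hardened status = %d (expect -3)\n", check_hardened(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

The malformed samples are only ever fed to the hardened parser, because the vulnerable one would corrupt the stack on OVERSIZED and read past the input on TRUNCATED. To watch the vulnerable path fail, build with AddressSanitizer (-fsanitize=address) and pass it those inputs, which is essentially what a file-format fuzzer does to find this bug class.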

CISA, D-Link urge end-of-life router retirement

CISA has advised anyone using certain older D-Link routers to take them offline before miscreants find and exploit a critical remote code execution vulnerability.

On Monday, CISA added the RCE bug, CVE-2021-45382, to its catalog of known exploited vulnerabilities. It exists in all hardware revisions of the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers, via the dynamic DNS (DDNS) function in the ncc2 binary.

The ncc2 service allows for some firmware and language file upgrades via the web interface. But as Malwarebytes Labs researcher Pieter Arntz explained, "the ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available."

The bug lets an attacker call those hooks without authentication. "These files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand," he added.

The bug has a CVSS score of 9.8, rated critical, so users should deal with it immediately. But because the affected routers are end-of-life, D-Link isn't issuing any patches for them.

Both CISA and D-Link suggest that you retire these models ASAP, before a cyber criminal finds your devices.

And if you still aren't convinced, there's a proof-of-concept on GitHub, which makes it really easy for any evildoers to remotely take over the vulnerable devices and then execute malicious code.

Cybercriminals still exploiting Spring4Shell

Miscreants continue to exploit the Java Spring Framework remote code execution vulnerability (CVE-2022-22965) a week after security researchers disclosed the nasty software bug.

A week after the initial outbreak, Check Point Research said it had seen about 37,000 attempts to exploit the vulnerability, dubbed "Spring4Shell."

While organizations around the globe have been affected by the bug, Europe was the hardest hit, according to the security shop. 

In the first four days after disclosure, 16 percent of orgs worldwide experienced exploitation attempts. In Europe, that number rose to 20 percent. Australia and New Zealand ranked second, at 17 percent, followed by Africa (16 percent), Asia (15 percent), Latin America (13 percent) and North America (11 percent).

Perhaps unsurprisingly, the software vendor industry felt the most pain from Spring4Shell.  According to Check Point, 28 percent of companies in this sector were impacted by the vulnerability. Education and research orgs were the second-most affected, with 26 percent impacted. And insurance/legal, ISPs/MSPs, and finance/banking institutions tied for third place at 25 percent.

While noting its own CloudGuard AppSec customers were not vulnerable, "If your organization is using Java Spring and not using CloudGuard AppSec, immediately review your software and update to the latest versions by following the official Spring project guidance," the security firm advised. ®
